rob, 1 month ago

@wouterj @jaapio Regardless of whether the maintainer is paid or if there is a team of maintainers, humans trust people that they think they know. Hence, a project is likely to trust someone who’s been around the project for a while. Similarly, a company is likely to trust a senior dev who’s been around a while. xz is as much a social engineering attack as it is a technical one.