mofumofu,
@mofumofu@mastodon.social

In my tiny stupid brain I always have the idea that every developer cares about security practices as much as they care about their “product”. So I need to remind myself that those are in practice 2 completely different areas and most of the time security is an afterthought. That’s why I find it funny to read the FOSS/Linux bros so excited for finding malicious code

tojikomori,
@tojikomori@urusai.social

Oof. The backstory of xz's takeover is super sad and it's a wake-up call, def not a cause for celebration. We're just lucky it had side effects that triggered a diligent dev's spidey sense before it did real damage.

Project Zero is the most laudable thing Google's done with its money, and I'm making a todo to find a Linux/FOSS-focused team that needs donations and is well positioned to catch or prevent situations like this. Clearly there are gaps.
