The original maintainer of #xz (Lasse) just fixed another affected piece of code that sabotaged library sandboxing and was, of course, also introduced by the malicious contributor Jia Tan.
I was considering replying to this comment on the “please update xz package” bugreport earlier with that the discussion is not irrelevant and that it’s the maintainer’s responsibility on new upgrades to check for new legal issues and “other hidden gems”.
I didn’t because I didn’t want to bother going in with an annoyed self-righteous “user”.
Now it turns out all three of the involved ones were “string + number @ freemailer” #JiaT75 sockpuppets, so it’s probably okay I didn’t bother.
Not that I blame Sebastian — it was very well hidden, and even my usual diffing between old and new version would not have found it.
I do take away from this to also check the diff between VCS repo at the time of the release and release tarball. Perhaps also between branch and tag if they, like Apache Tomcat, introduce extra commits there.
Szybka historyjka, co działo się w ciągu ostatnich kilkunastu godzin (czy raczej kilkunastu miesięcy?) w świecie open-source.
Istnieje sobie otwartoźródłowy projekt o nazwie “xz” autorstwa Lasse Collin[1].
Od około dwóch lat jednym ze współtwórców tego projektu jest użytkownik o pseudonimie “JiaT75”[2].