All this talk about #xzorcist over the weekend, I want to also point out that it's important to remember that the "software supply chain" largely does not exist in regards to open source, because most people have no real relationship other than parasitic consumption with the project.
There's A LOT going on (analysis, discussion, vendor notices, etc...) related to the ongoing xz/liblzma compromise so I created a "link roundup" which centralizes and buckets a lot of the awesome links and threads I've seen flying around.
Most of my feed on the #xzorcist #xz mess is solution-eering on ideas for paying maintainers. It implies the way to fix this is to simply pay people for their time.
I am not seeing something else though. Has anyone actually asked the maintainer what they want? What if that answer was not money? What if it was "I don't want to do this anymore?"
Regardless of the answer this time around, we should be prepared to boldly face these types of answers too.
The original maintainer of #xz (Lasse) just fixed another affected piece of code that sabotaged library sandboxing and was, of course, also introduced by the malicious contributor Jia Tan.
Presumably, along with all of us making sure our products and services are safe #xzorcist, the offence teams at the other governments will be busy going through the #xz backdoor to understand how to exploit it, and then seeing if there are any interesting targets that are vulnerable before the weekend is over. Busy weekend for all of us on call.
It's important to note how critical it was that it was caught now: all the commercial distributions are making releases over the next 12-18 months: Red Hat with RHEL 10 in May 2025, SUSE with SLE 16 in fall 2025, and Canonical with Ubuntu 24.04 in April. It was key to infect their upstreams (Fedora, openSUSE, Debian) now.