DEV Community

Michael Hall
Allowing expressions of user entitlement in open source is now a security risk.

Many people have already covered the malicious backdoor in xz (CVE-2024-3094). If you're looking for a technical overview, this is not what you will find here.

Here's the chain of events:

  • A well-meaning open-source developer maintains a library.
  • Said developer experiences burnout.
  • Said developer is pressured to add another maintainer.
  • Said developer takes a break from being online.
  • The maintainer they were pressured to add inserts a backdoor into the project's release source distributions (the tarballs that downstream packagers build from).

The level of technical sophistication of the backdoor is interesting to many people and raised a lot of alarm bells about how we build and redistribute release artifacts. However, I'm much more worried about a different facet of what happened here. Technical people tend to be good at solving technical problems, and we'll find ways to harden the technical sides of supply chains.

Capitalizing on open-source burnout cannot remain a viable strategy. It has now been demonstrated as a working social engineering attack vector. It is up to the community to actively reject the pressuring of maintainers to add contributors, and to reject statements that express entitlement. This should have been the stance before, for the sake of the mental health of those carrying the weight of the communities that rely on open-source software. Unfortunately, it seems to take a catastrophe for people to be willing to address mental-health-adjacent issues.

Every user not thoroughly rejected when they express entitlement is now a demonstrable security risk.

Each time people with no standing in a project pressure its maintainers to add contributors, especially contributors who would receive elevated levels of trust such as commit or release access, there is now a demonstrable security risk.

If you don't like what that means for the bus factor, fork it or contribute. Build trust organically. We as a community cannot allow the strain on maintainers from "entitled" users to continue.

If you weren't willing to take that stance when it was about the mental health of open-source maintainers, now is the time to do it because you can't afford the security hazard it poses to everyone.
