xz, Tidelift, and paying the maintainers
April 5, 2024
Late last week, a developer noticed some unusual behavior on their computer, investigated it, and uncovered a hack of epic scope in an obscure but important library called xz. The attack was technically sophisticated, but worse, it was socially sophisticated: the attackers worked on a single maintainer over a long period, slowly but steadily winning his trust, and then used that trust to subvert the security mechanisms he had previously put in place.
Everyone involved with technology should read this. And the lesson to take away is not "open source is risky and dangerous" but rather "all of us, and most egregiously massive corporations, have extracted huge value from open source without recognising that value, leaving maintainers unsupported and creating exactly this sort of attack vector".
We have to do better.