We start with some short commentary on a few things that piqued Alex's interest, and then we move to the main topic: the xz backdoor.
Over a few years, a malicious actor managed to gain enough credibility in the xz / liblzma project to obtain maintainer status, which they then used to try to push an obfuscated backdoor into virtually every Linux distribution and into many projects that use this open source library.
The story is spectacular, and Alex is reviewing and commenting on the whole thing.
New video published every Saturday, 4.45 am UTC. Comment on this video on YouTube, or contact us at tdws[at]mozaicworks[dot]com.
Links:
- Tim Ottinger on story points and time https://twitter.com/tottinge/status/1775270985857745398?s=09
- Question about what is a domain model https://twitter.com/CFDevelop/status/1775298084219797679
- Attack vector due to LLMs hallucinating nonexistent packages https://techhub.social/@Techmeme/112197346383654222
- xz backdoor history visualized https://twitter.com/fr0gger_/status/1774342248437813525?s=09
- xz backdoor timeline https://boehs.org/node/everything-i-know-about-the-xz-backdoor
- Open source maintainers owe you nothing https://mikemcquaid.com/open-source-maintainers-owe-you-nothing/
- xkcd on modern digital infrastructure https://xkcd.com/2347/