This is sad news. I feel really bad for the developer who got bullied into letting the backdoor dev onto the team. News like this has got to really sting.
Fwupd Switches From XZ To Zstd Compression: More Trust & Slightly Better Performance
Originally posted by Robust0522:
It's a sad story. Lasse Collin developed and maintained Xz as an open source compression tool for well over a decade until mental health issues set in. His reward is to be remembered as the guy who allowed a malicious actor to introduce a backdoor into the software which could easily not have been caught. Not a great advertisement for being an open source maintainer.
And a whole lot of other repos. Open source relies on the good nature of people and is easily exploitable.
Not to say that they won't catch any wrongdoings. But whatcha gonna do about it? Anonymous accounts...
This will happen again and again and again. We'll be ever so lucky to catch them before they cause more harm.
Originally posted by Weasel:
ZSTD is more trustworthy? What in the world?!? You're telling me you're trusting mfing Facebook more?
xz just happened to be the target. I bet there are a lot more out there in the wild.
Malicious operators have almost nothing to lose, especially if they're state sponsored.
Risk of getting caught: almost zero.
Originally posted by varikonniemi:
xz should be abandoned. Upstream maliciousness alone is kind of unforgivable, but from what I have read the format itself is poorly and overly engineered.
Throwing a dedicated, talented and struggling developer together with a malicious, year-long planned, targeted and potentially state-actor-based attack is not only wrong, but also obnoxious FUD.
(I agree with Theo on that one: https://www.youtube.com/watch?v=0pT-dWpmwhA)
That being said, it is nice to see zstd adoption.