this post was submitted on 31 Mar 2024
109 points (97.4% liked)
Open Source
31095 readers
482 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Malicious account holders with a long term goal need to build reputation. It doesn't matter much that such an app isn't a dependency of other software.
Practically every FOSS project is actively looking for volunteers/maintainers all of the time. More contributors are not problematic.
The xz problem was that they socially engineered the main dev into giving them the keys to the kingdom.
Making one a maintainer (with merge and possibly even direct commit/push permissions) is handing them a key to the kingdom. Recruiting a maintainer out of the blue without them being already contributor and long term participant in the project is questionable.
I believe that the bad actor was a contributor for several years before becoming a maintainer
Apparently not, you can check commits in https://git.tukaani.org/?p=xz.git;a=summary the first authored commit was 2022-01-28, then long time nothing until 2022-06-10, the first merge as committer was 2022-12-16.
Interesting! I'd not realised it was so recent