this post was submitted on 31 Mar 2024
109 points (97.4% liked)

Open Source

31095 readers
482 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
top 12 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 7 months ago (2 children)

This is how one attracts and invites Jia Tan and Hans Jansen types.

[–] [email protected] 2 points 7 months ago (1 children)

Is Hans you are refering to the guy on fdroid or someone else ?

[–] [email protected] 2 points 7 months ago (1 children)

Of the xz/liblzma backdoor incident.

[–] [email protected] 1 points 7 months ago

Oh i only remembered jia tan so thought it was fdroid one.

[–] [email protected] 3 points 7 months ago (1 children)

this isnt worth the time, it's not a dependency of a huge piece of software

[–] [email protected] 2 points 7 months ago (1 children)

Malicious account holders with a long term goal need to build reputation. It doesn't matter much that such an app isn't a dependency of other software.

[–] [email protected] 5 points 7 months ago (1 children)

Practically every FOSS project is actively looking for volunteers/maintainers all of the time. More contributors are not problematic.

The xz problem was that they socially engineered the main dev into giving them the keys to the kingdom.

[–] [email protected] 3 points 7 months ago (1 children)

Making one a maintainer (with merge and possibly even direct commit/push permissions) is handing them a key to the kingdom. Recruiting a maintainer out of the blue without them being already contributor and long term participant in the project is questionable.

[–] [email protected] 1 points 7 months ago (1 children)

I believe that the bad actor was a contributor for several years before becoming a maintainer

[–] [email protected] 2 points 7 months ago (1 children)

Apparently not, you can check commits in https://git.tukaani.org/?p=xz.git;a=summary the first authored commit was 2022-01-28, then long time nothing until 2022-06-10, the first merge as committer was 2022-12-16.

[–] [email protected] 1 points 7 months ago

Interesting! I'd not realised it was so recent

[–] [email protected] 8 points 7 months ago

I'm glad they're looking. I quite like Quillpad, it works nicely with my simple set up.