Technologist vs spy: the xz backdoor debate
lcamtuf.substack.com
Well — we just witnessed one of the most daring infosec capers of my career. Here’s what we know so far: some time ago, an unknown party evidently noticed that liblzma (aka xz) — a relatively obscure open-source compression library — was a dependency of

Thought this was a good read exploring some how the “how and why” including several apparent sock puppet accounts that convinced the original dev (Lasse Collin) to hand over the baton.

  • speaker_hat@lemmy.one
    151·
    11 months ago

    What if the unexpected SSH latency hadn’t been introduced, this backdoor would live?

    I wonder how many OSS projects include backdoors that doesn’t appear in performance checks