> 2) Is there no legal recourse to this? We're talking about someone who managed to root any linux server that stays up-to-date.

Any government which uses GNU/Linux in their infrastructure can pitch this as an attempt to backdoor their servers.

The real question is: will we ever even know who was behind this? If it was some mercenary hacker intending to resell the backdoor, maybe. But if it was someone working with an intelligence agency in US/China/Israel/Russia/etc, I doubt they'll ever be exposed.

Reflecting on the idea of introducing a validation structure for software contributions, akin to what RPKI does for BGP routing, I see significant potential to enhance security and accountability in software development.

Such a system could theoretically bring greater transparency and responsibility, particularly in an ecosystem where contributions come from all corners.

Implementing verifiable identity proofs for contributors might be challenging, but it also presents an opportunity to bolster security without compromising privacy and the freedom to contribute under pseudonyms.

The accountability of those accepting pull requests would also become clearer, potentially reducing the risk of malicious code being incorporated.

Of course, establishing a robust validation chain for software would require the commitment of everyone in the development ecosystem, including platforms like GitHub. However, I view this not as a barrier but as an essential step towards evolving our approach to security and collaboration in software development.

The actual inclusion code was never in the repo. The blobs were hidden as lzma test files.

So you review would need to guess from 2 new test files that those are, decompressed, a backdoor and could be injected which was never in the git history.

This was explicitly build to evade such reviews.

> The blobs were hidden as lzma test files.

OK, that is absolutely devious.

I suppose you think the maintainers shouldn’t have scrutinized those files? Please tell me it’s a joke.

The person who added the malicious blobs and signed the compromized archives was literally a maintainer of the project.

Ok, go ahead and scrutinize those files without looking at the injection code that was never in the repo? Can you find anything malicious? Probably not - it looks like random garbage which is what it was claimed to be.

"Jia Tan" was not a contributor, but a maintainer of the project. The key point here is that this is a multi-year project of infiltrating the xz project and gaining commit access.

In a large tech company (including ones I have worked at), sometimes you have policy where every change has to be code reviewed by another person. This kind of stuff isn't possible when the whole project only has 1-2 maintainers. Who's going to review your change other than yourself? This is the whole problem of OSS right now that a lot of people are bringing up.

I maintain a widely used open source project myself. I would love it if I could get high quality code review for my commits similar to my last workplace lol, but very very few people are willing to roll up their sleeves like that and work for free. Most people would just go to the Releases page and download your software instead.

>How did this get accepted into main repos while flying under the radar? When I do a code review, I try to understand the actual code I'm reviewing. Call me crazy I guess!

And? You never do any mistakes? Google "underhanded C contest"