XZ Backdoor: Times, damned times, and scams
There has been a recent backdoor found in the xz/liblzma tarball. In what is likely one of the largest breaches of trust in the free software ecosystem, this backdoor is likely to have been put in by Jia Tan, a long-time maintainer of xz. Throughout his tenure as a maintainer, Jia remained relatively mysterious — as is not uncommon in the community, little beyond his name (which is likely a lie) is known about him. Generally, anonymity in the free software sphere is a good thing: software is inherently based on accomplishment and merit, and there is no reason to know anything about a person’s identity. However, in this case, where someone built up the trust of a community for years and then abused it, it is interesting to see who they are. Luckily for us, Jia’s activity does provide some metadata which we can potentially use to learn more about him. So here’s an analysis on what we can learn from his work patterns and time zone.
What is to be learned from times? The conditions under which software is created! Think about the wide range of things that time patterns tell us about — there are people who are paid to do code and those who work on it as a hobby. Those in some areas code during different times as others. There are holidays, sleep schedules, and work-life balance— code is not exempt from these. Understanding when someone codes helps us understand why and where they are coding for. Figuring these out can give us a much better idea about why and who did this.
