The XZ Utils backdoor is a symptom of a larger problem | Ariadne's Space

Submitted by Style Pass, 2024-04-03 03:00:03

On March 29th, Andres Freund dropped a bombshell on the oss-security mailing list: recent XZ Utils source code tarballs released by Jia Tan contained a backdoor. Thankfully, for multiple reasons, Alpine was not impacted by this backdoor, despite those recent source code tarball releases having been published in Alpine edge. But what lessons do we need to learn from this incident?

As a community of hackers, we have built an exhaustive commons of free software released under various free licenses such as the GPL and the Apache 2.0 license. Software packages in this commons have taken over the corporate world, because they enabled more rapid innovation by allowing developers to focus on the business logic of their applications rather than on low-level details. This has been, overall, a good thing for society: from the open commons we have spawned a whole world of applications which have become the foundational bedrock of modern society. It can certainly be argued that the invention of FOSS licensing models has been as revolutionary for the digital economy as the steam engine was for industry.

There is one problem, however – when we take software from the commons, we are like raccoons digging through a dumpster to find something useful. There is no “supply chain” in reality, but there is an effort by corporations which consume software from the commons to pretend there is one in order to shift the obligations related to ingesting third-party code away from themselves and to the original authors and maintainers of the code they are using.
