
Is xz actually an open source success story?

submitted by
Style Pass
2024-04-30 19:00:10

It’s been just over two weeks since we all learned about a backdoor that had been slowly and carefully placed in the xz-utils library over a period of multiple years (if you’ve been under a rock and need the TL;DR, start here with my co-founder Luis Villa’s post). 

In that time, there’s been a ton of analysis both of the payload that would have been used for a future attack and of the social factors that led up to the trusting of the malicious actor who went by the name “Jia Tan.” And there have been a lot of discussions about broad, big-picture questions about open source and supply chain security and what needs to change in a post-xz world. In fact, I joined five of our favorite maintainers for a discussion on exactly that topic last Friday that is worth a watch.

There’s a well-worn saying in open source that, “given enough eyeballs, all bugs are shallow.” It’s a bit of a riff on a quote from Supreme Court Justice Louis Brandeis in 1913 that “sunlight is the best disinfectant” as a way to enshrine the importance of transparency. And open source is transparent in that people can actually look at changes, reason about them, and provide improvements or alternatives.
