Is open-source software ethical?

submitted by
Style Pass
2024-04-04 01:30:03

I had this idea mulling in the back of my head for a few weeks, but I didn’t know exactly how I wanted to write about it. Then over the weekend, we learned of a major vulnerability in Linux which had been detected and mitigated. The “xz” project had introduced a vulnerability that would’ve allowed Linux computers to be taken over by a malicious actor.

This was not an accident. From what people have gathered over the last few days, the account JiaT75 took over the project several years ago and slowly built up a series of commits and fixes in order to gain a positive reputation. They then exploited this trust to introduce malicious changes and pushed to get those changes upstreamed into stable versions of Linux.

The true identity of this person is unknown. Some speculate they were a state actor playing a long con. It might’ve been an attempt to compromise low-security IoT devices and create a silent botnet. We may never know for sure.

Thankfully, this was caught a few days ago by Andres Freund and brought to the attention of the community before it reached stable versions. If he hadn’t caught it, there may have been disruptions across every sector of society. Computers are in basically everything these days, from your car to your microwave.