On Sat, Mar 30, 2024 at 09:58:22AM +0100, Ingo Jürgensmann wrote:
> > Yes. In that specific case, the original xz maintainer (Lasse Collin)
> > was socially-pressed by a likely fake person (Jigar Kumar) to do the
> > "right thing" and hand over maintenance.
> > https://www.mail-archive.com/xz-devel@tukaani.org/msg00566.html
>
> In his reply to that mail Lasse writes in
> https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html:
>
> > It's also good to keep in mind that this is an unpaid hobby project.
>
> This reminds me of https://xkcd.com/2347/ - and I think that's getting a more
> common threat vector for FLOSS: pick up some random lib that is widely used,
> insert some malicious code and have fun. Then also imagine stuff that
> automates builds in other ways like docker containers, Ruby, Rust, pip that
> pull stuff from the network and install it without further checks.
>
> I hope (and am confident) that Debian as a project will react accordingly to
> prevent this happening again.

How?
-- 
WBR, wRAR