On 30.03.2024 at 08:56, Lucas Nussbaum <lu...@debian.org> wrote:
> Yes. In that specific case, the original xz maintainer (Lasse Collin)
> was socially-pressed by a likely fake person (Jigar Kumar) to do the
> "right thing" and hand over maintenance.
> https://www.mail-archive.com/xz-devel@tukaani.org/msg00566.html

In his reply to that mail Lasse writes in https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html:

> It's also good to keep in mind that this is an unpaid hobby project.

This reminds me of https://xkcd.com/2347/ - and I think that's becoming a more common threat vector for FLOSS: pick up some random lib that is widely used, insert some malicious code and have fun.

Then also imagine stuff that automates builds in other ways, like docker containers, Ruby, Rust, pip, that pull stuff from the network and install it without further checks.

I hope (and am confident) that Debian as a project will react accordingly to prevent this happening again. But as a society (that is widely using FLOSS) I would also hope that our developers will get proper funding instead of requiring them to maintain such software in their spare time.

-- 
Ciao...            //      Web: http://blog.windfluechter.net
      Ingo       \X/      XMPP/Jabber: i...@jhookipa.net
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc
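The "pulls from the network and installs without further checks" concern above has a standard mitigation on the pip side: hash-pinned requirements (`pip install --require-hashes`). The following is an added example, not code from the thread or from Debian, showing the verification step such a tool performs before installing anything; the package names, versions and artifact bytes are constructed sample data.

```python
import hashlib
import re

# One requirement per line in the form pip accepts with --require-hashes.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def parse_lockfile(text):
    """Return {name: (version, sha256 hex)}; reject any line without a pin."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m["name"]] = (m["version"], m["digest"])
    return pins


def verify_artifacts(lockfile_text, downloaded):
    """Compare fetched artifact bytes against the lockfile before any install step.

    downloaded: {name: bytes}. Returns (name, reason) for every artifact that must
    NOT be installed; an empty list means everything matched its pin. A pin only
    proves the bytes are what was reviewed when the pin was made; it cannot tell
    whether that reviewed release was already malicious.
    """
    pins = parse_lockfile(lockfile_text)
    rejected = []
    for name, data in downloaded.items():
        if name not in pins:
            rejected.append((name, "no pin in lockfile"))
        elif hashlib.sha256(data).hexdigest() != pins[name][1]:
            rejected.append((name, "sha256 mismatch"))
    return rejected


# Constructed sample: artifact bytes as they were when the lockfile was written.
TRUSTED = {"alpha-lib": ("1.0", b"alpha-lib 1.0 sdist"), "beta-tool": ("2.3", b"beta-tool 2.3 wheel")}
LOCKFILE = "\n".join(
    f"{n}=={v} --hash=sha256:{hashlib.sha256(d).hexdigest()}" for n, (v, d) in TRUSTED.items()
)
# Constructed download: beta-tool's bytes changed upstream, gamma-extra was never pinned.
DOWNLOADED = {
    "alpha-lib": TRUSTED["alpha-lib"][1],
    "beta-tool": b"beta-tool 2.3 wheel + extra build step",
    "gamma-extra": b"something a transitive dep pulled in",
}
```

Running `verify_artifacts(LOCKFILE, DOWNLOADED)` rejects both the altered and the unpinned artifact; only the list being empty should let an install proceed.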