
The whole XZ drama reminds me of this[1]; in other words, verify the identity of open source maintainer/s and question their motive for joining the open source project. It also reminded me of the relevant XKCD meme[2].

Speaking of obfuscation; I'm not a programmer, but I did some research in Windows malware RE, and what stuck with me is that any code that is obfuscated or any code that is unused is automatically suspicious. There is no purpose for obfuscated code in an open source non-profit software project, and there is no purpose for extra code that is unused. Extra/redundant code is most likely junk code meant to confuse the reverse engineer when s/he is debugging the binary.

[1] https://lwn.net/Articles/846272/
[2] https://xkcd.com/2347/



> verify the identity of open source maintainer/s and question their motive for joining the open source project.

This kind of goes against the whole "free" thing.


Anybody is free to contribute if s/he is contributing in good will, but what happens if you don't know who they are and what their motives are? You can look at their track record, for example; that's another way of determining their credibility. In other words, you need to establish trust somehow.

Idk if this specific individual that backdoored XZ had a track record of contributing to other open source projects (in good will) or if s/he just started contributing to this project out of the blue. I read somewhere that somebody else recommended him or vouched for him. Somebody needs to fill me in with the details.


Just because you know the identity of an individual doesn't mean they are trustworthy. They might be compromised, or they might be willfully doing it for their own personal gain, regardless of their existing reputation (or even leveraging their existing reputation; Bernie Madoff was a well known and well respected investment banker).



