The [xz GitHub repo](https://github.com/tukaani-project/xz) is currently disabled, so unless you already have your own clone you can’t see who authored the [offending commit](https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0).
I’m curious who it was. Their commits to the repo were not hard to get past review. All they did was add some binary test files, which is normal for that project. The question is how was this person able to gain access to the build process to inject the script that enabled the exploit?
This could raise questions about the security of open source projects. Some of them have little support and funding and will take contributions from anyone.