Possibly linux to Linux@lemmy.mlEnglish · 9 months agoXZ backdoor in a nutshellimagemessage-square152fedilinkarrow-up11.23Karrow-down110 cross-posted to: [email protected]
arrow-up11.22Karrow-down1imageXZ backdoor in a nutshellPossibly linux to Linux@lemmy.mlEnglish · 9 months agomessage-square152fedilink cross-posted to: [email protected]
minus-squareAmju Wolf@pawb.sociallinkfedilinkEnglisharrow-up31·9 months agoPackages or dependencies with only one maintainer that are this popular have always been an issue, and not just a security one. What happens when that person can’t afford to or doesn’t want to run the project anymore? What if they become malicious? What if they sell out? Etc.
minus-squareslazer2au@lemmy.worldlinkfedilinkEnglisharrow-up17·9 months agoWhat if the repository becomes stupid and takes a package away from a developer and said developer deletes his other packages. See leftpad.
Packages or dependencies with only one maintainer that are this popular have always been an issue, and not just a security one.
What happens when that person can’t afford to or doesn’t want to run the project anymore? What if they become malicious? What if they sell out? Etc.
What if the repository becomes stupid and takes a package away from a developer and said developer deletes his other packages. See leftpad.
https://xkcd.com/2347