Possibly linux@lemmy.zip to Linux@lemmy.mlEnglish · 8 months agoXZ backdoor in a nutshelllemmy.zipimagemessage-square162fedilinkarrow-up11.23Karrow-down110 cross-posted to: linux
arrow-up11.22Karrow-down1imageXZ backdoor in a nutshelllemmy.zipPossibly linux@lemmy.zip to Linux@lemmy.mlEnglish · 8 months agomessage-square162fedilink cross-posted to: linux
minus-squareAmju Wolf@pawb.sociallinkfedilinkEnglisharrow-up31·8 months agoPackages or dependencies with only one maintainer that are this popular have always been an issue, and not just a security one. What happens when that person can’t afford to or doesn’t want to run the project anymore? What if they become malicious? What if they sell out? Etc.
minus-squareslazer2au@lemmy.worldlinkfedilinkEnglisharrow-up17·8 months agoWhat if the repository becomes stupid and takes a package away from a developer and said developer deletes his other packages. See leftpad.
Packages or dependencies with only one maintainer that are this popular have always been an issue, and not just a security one.
What happens when that person can’t afford to or doesn’t want to run the project anymore? What if they become malicious? What if they sell out? Etc.
What if the repository becomes stupid and takes a package away from a developer and said developer deletes his other packages. See leftpad.
https://xkcd.com/2347