Possibly linux@lemmy.zip to Linux@lemmy.mlEnglish · 1 year agoXZ backdoor in a nutshelllemmy.zipimagemessage-square157fedilinkarrow-up11.23Karrow-down110
arrow-up11.22Karrow-down1imageXZ backdoor in a nutshelllemmy.zipPossibly linux@lemmy.zip to Linux@lemmy.mlEnglish · 1 year agomessage-square157fedilink
minus-squareAmju Wolf@pawb.sociallinkfedilinkEnglisharrow-up31·1 year agoPackages or dependencies with only one maintainer that are this popular have always been an issue, and not just a security one. What happens when that person can’t afford to or doesn’t want to run the project anymore? What if they become malicious? What if they sell out? Etc.
minus-squareslazer2au@lemmy.worldlinkfedilinkEnglisharrow-up17·1 year agoWhat if the repository becomes stupid and takes a package away from a developer and said developer deletes his other packages. See leftpad.
Packages or dependencies with only one maintainer that are this popular have always been an issue, and not just a security one.
What happens when that person can’t afford to or doesn’t want to run the project anymore? What if they become malicious? What if they sell out? Etc.
What if the repository becomes stupid and takes a package away from a developer and said developer deletes his other packages. See leftpad.
https://xkcd.com/2347