I am getting tired of reading about the #xz #security issue as if it is all about issues within #opensource. It is much bigger than that, and those takes conflate the problem with the solution.
So I wrote "The xz issue isn't about Open Source" here: https://changelog.complete.org/archives/10642-the-xz-issue-isnt-about-open-source
The xz Issue Isn’t About Open Source
You’ve probably heard of the recent backdoor in xz. There have been a lot of takes on this, most of them boiling down to some version of: The problem here is with Open Source Software. I want…The Changelog
Matt Campbell
in reply to John Goerzen • • •Several good points, but this part seems a bit naive:
> anybody that’s interested — anybody at all — can dive in and ask “why” and trace it down to root causes.
It's more accurate to say anyone who's interested, has the necessary skills, *and* is being paid to do so or has enough spare time. I point this out because it's common to have problems in FOSS that remain unsolved until someone steps up and funds a solution.
John Goerzen
in reply to Matt Campbell • • •