I am getting tired of reading about the #xz #security issue as if it is all about issues within #opensource. It is much bigger than that, and those takes conflate the problem with the solution.
So I wrote "The xz issue isn't about Open Source" here: changelog.complete.org/archive…
The xz Issue Isn’t About Open Source
You’ve probably heard of the recent backdoor in xz. There have been a lot of takes on this, most of them boiling down to some version of: The problem here is with Open Source Software. I want… (The Changelog)
Matt Campbell
in reply to John Goerzen
Several good points, but this part seems a bit naive:
> anybody that’s interested — anybody at all — can dive in and ask “why” and trace it down to root causes.
It's more accurate to say anyone who's interested, has the necessary skills, *and* is being paid to do so or has enough spare time. I point this out because it's common to have problems in FOSS that remain unsolved until someone steps up and funds a solution.
John Goerzen
in reply to Matt Campbell