Seems like the pattern is clear and the same as the one used on XZ. Full article at the link.
I think there is a lot to be said about just how whimsically we use code and hide behind the banner of “It’s Open Source”. These types of attacks will not stop now, and with so many dormant projects on the web, more is bound to happen.
As a consultant, I was always careful about what projects needed to have to be allowed onto our internal projects. Random, low participation and contribution, and history meant a lot. There were hard and fast rules as to what I would allow.
I saw a video from a YouTuber, The Primeagen, on how many npm projects were dormant and years out of date. The number is staggering. It was highlighted that many people put things together for job interviews or resumes; some are meant to be abandoned. More discernment should be used.
Writing high quality and widely useful software often gets little weight in academic hiring and promotion decisions. A “mission-critical” R package written as part of a PhD project once went missing. I couldn’t reach the developer, so I contacted his PhD advisor; the last he had heard, the author of the package was driving a taxi.
I agree with the importance of vetting the packages used in a project. Some high-quality software, however, stands the test of time but doesn’t get ongoing support even at the most basic level needed to deal with changes in build and packaging systems. We need more scrutiny of the actual code in addition to indirect indicators like participation and contribution.
I would like to see more software subjected to the sort of peer review we see in academia. Peer review is not perfect, but “open source peer reviewed” would make takeover attempts harder.
There is JOSS:
It’s more limited to research software, but it’s a start.