XZ almost happened again

Seems like the pattern is clear and the same as the one used for XZ. Full article on the link.


I think there is a lot to be said of just how whimsically we use code and hide behind the banner of “It’s Open Source”. These types of attacks will not stop now, and there are so many dormant projects on the web, more is bound to happen.

As a consultant, I was always careful about what projects needed to have to be allowed onto our internal projects. Random or low participation and contribution, and history, meant a lot. There were hard and fast rules as to what I would allow.

I saw a video from a YouTuber - The Primeagen on how many npm projects were dormant and years out of date. The number is staggering. It was highlighted that many people put things together for job interviews or resumes, some are meant to be abandoned. More discernment should be used.

1 Like

Writing high quality and widely useful software often gets little weight in academic hiring and promotion decisions. A “mission-critical” R package written as part of a PhD project once went missing. I couldn’t reach the developer, so I did contact his PhD advisor – the last he had heard, the author of the package was driving a taxi.

I agree with the importance of vetting the packages used in a project. Some high-quality software, however, stands the test of time but doesn’t get ongoing support even at the most basic level needed to deal with changes in build and packaging systems. We need more scrutiny of the actual code in addition to indirect indicators like participation and contribution.

I would like to see more software subjected to the sort of peer-review we see in academia. Peer review is not perfect, but “open source peer reviewed” would make takeover attempts harder.

1 Like

There is JOSS:

It’s more limited to research software, but it’s a start.