What can be done to protect open source devs from next xz backdoor drama?
What happened, how it was found, and what your vultures have made of it all
It's been about a week since the shock discovery of a hidden and truly sophisticated backdoor in the xz software library, which is ordinarily used by countless systems.
A machine running the backdoored library would have allowed someone with knowledge of the backdoor to gain remote control over the box via its SSH daemon. Though the dependency – poisoned by a rogue contributor – made its way into some bleeding-edge or yet-to-be-officially-released Linux distros, such as Debian Unstable, Fedora 40, and Fedora Rawhide, it was spotted and thwarted before it was widely deployed; had it reached production systems at scale, it could have been a disaster.
Is this an example of open source fragility or strength? What can we do about securing popular bits of code that end up in tons of applications and servers? Do multi-billion-dollar corporations that feed off free work done by others need to step up and help here? Our Kettle series is back for our journos to discuss exactly this, which you can watch below.
Joining the show this week is Thomas Claburn, who covered the xz near-fiasco for us; The Register's cybersecurity editor Jessica Lyons; our editor Chris Williams; and your host Iain Thomson. This episode was produced by Brandon Vigliarolo.
As well as replaying our chat in the player above, you can listen via your favorite podcast distributor: RSS and MP3, Apple, Amazon, Spotify, and YouTube. And feel free to share your views too in the comments. ®