XZ/liblzma Backdoor
My “Personal” take on the xz/liblzma backdoor found yesterday (29/03/2024)
This unfortunate incident negatively impacts the reputation of the open source community, but most importantly it unveils one of the issues with the current OSS (Open Source Software) model. Many of the products built today are based on tens if not hundreds of open source projects, completely free of charge. A lot of businesses take from the community and never give back.
This model is not very sustainable, especially for small and medium OSS projects, and we are seeing this today in xz, a core component in many systems. The library was targeted because of a lack of support. Insufficient active support from the community (especially from those benefiting from the project) means that the project is less likely to be well maintained, even though the xz backdoor we are witnessing today was very well disguised and came from a co-maintainer. This is what makes OSS projects attractive as attack vectors, poisoning the whole community.
No one thinks of the huge value OSS brings us in today's digitalized world, until one day every company that builds its products on OSS finds itself in a really bad position because a maintainer somewhere in the world, who, as usual, does all his maintenance work voluntarily, is not feeling well, physically or financially (as we live in a very capitalist world), and later abandons his role and puts everything at risk. I don't mean in any way that this is exactly what happened with xz, but I'm just wondering whether, if there were a more sustainable model for maintainers and major contributors to make a living from their OSS, the scenarios that brought this attack to life could have been avoided.
The current model needs to change, and more care should be taken of all important open source projects, whether through licensing or government regulation… to basically protect everyone, because any damage can't be anything but collateral.
Also, the backdoor was discovered purely by chance, more than a month after its release. And as of now, no one knows whether there is any other backdoor in the xz repo or in other repos to which the attacker(s) have contributed. On GitHub, the accounts of the two maintainers have been suspended and the xz repo has been disabled (kudos to all the Yocto CIs failing out there!).
A.L