
Well, after the XZ attack, I was thinking how common this can be. Good to know that at least I'm not the only one and others inside the community are wondering about this. I hope someone is smart or lucky enough to find a solution to at least be able to lessen the impact of these attacks. I still wonder how many more of these are there, and my question is: because of these attacks, isn't open source more prone to these compared to closed-source software? Usually the argument for open source is that because everyone can read the code, it's less vulnerable, but now, because everyone can write the code and have big incentives to do malicious stuff, doesn't it make open source worse?



Many open source projects just don't get enough attention for the 'many eyes' benefit of OSS to occur. Many projects are neglected and poorly maintained, with little participation from the users.

I don't think OSS is particularly special though. If a state actor threw cash around they could find folks at many big companies to do their bidding. In my experience, commercial software reviews are susceptible to the same sorts of attacks as those listed in the article ("please review my change ASAP because it needs to go into the next release before the deadline!").

I don't know what to do about this. You could subject approved submitters to better background checks. You can improve automated threat detection and code analysis. You can switch to safer-by-default languages that make backdoors and malicious behavior more obvious.

I wonder if the same issue exists in other engineering fields? Has anyone ever bribed an engineer to make a bridge or a water supply less robust?


> Has anyone ever bribed an engineer to make a bridge or a water supply less robust

Of course, this happens all the time; check the consequences of any earthquake in any corrupt country for the more visible examples.


Yeah, for sure. I was mainly thinking about, say, a foreign state actor doing the bribing and not just the usual grift/embezzlement/corruption.


Ah, I misunderstood; you mean something like sneaky sabotage? Hm, I don't recall any; the payoff seems too small and unpredictable? But I think there were cases of "poisoning" the design of some weapons.


The problem is, we don't know. I've seen PRs that could be curious students, or it could be a first try to see if we are paying attention. It's really easy these days to produce a halfway decent looking PR for someone in their first year of uni and my worry is that an increased volume of low to medium quality contributions will lead to maintainer fatigue. Depending on the project, that may be the point where pressure can be applied to share maintainership.



