top | item 39866882

(no title)

Bromeo | 1 year ago

I don't want to read too much into it, but the person (supposedly) submitting the PR seems to work at 1Password since December last year, as per his Linkedin. (And his Linkedin page has a link to the Github profile that made the PR).

discuss

lelandbatey|1 year ago

They're definitely a real person. I know cause that "1Password employee since December" is a person I know IRL and worked with for years at their prior employer. They're not a no-name person or a fake identity just FYI. Please don't be witch hunting; this genuinely looks like an unfortunate case where Jared was merely proactively doing their job by trying to get an externally maintained golang bindings of XZ to the latest version of XZ. Jared's pretty fantastic to work with and is definitely the type of person to be filing PRs on external tools to get them to update dependencies. I think the timing is comically bad, but I can vouch for Jared.

https://github.com/jamespfennell/xz/pull/2

greatjack613|1 year ago

[deleted]

bombcar|1 year ago

If I were trying to compromise supply chains, getting into someplace like 1Password would be high up on the list.

Poor guy, he's probably going to get the third degree now.

switch007|1 year ago

As a 1Password user, I just got rather nervous.

bombcar|1 year ago

Yubikeys starting to look kinda yummy.

returningfory2|1 year ago

Yeah the GitHub account looks really really legitimate. Maybe it was compromised though?

jethro_tell|1 year ago

What looks legit about a gmail address and some stock art for a profile?

ncr100|1 year ago

The 2 GMail accounts are 85% / mainly associated with XZ work, since 2021, per searching for them explicitly via Google.

computerfriend|1 year ago

The PR's two commits are signed by a key that was also used to sign previous commits belonging to that author.