Points for Collin for letting his holiday take precedence over this mess.
Don’t forget that he made xz for free, as a hobby project, and likely got duped by “Jia Tan” same as everybody else did. He’s not obligated to solve this on any particular timeline.
Xz is not a business, so if your business got in trouble because a single solo hobby dev was a bit too trustful, it’s your job, and not his, to mitigate the problem.
I understand what you are saying, and for the open source community to have a good reputation and keep its standards high, these important packages have to start being actually maintained by the enterprises that depend on them. Most businesses use Linux for their servers, mainly Ubuntu/Debian, and it's just crazy for them to be vulnerable in such ways. Imagine how many other places backdoors can be installed even right now, and many of them won't be visible and won't have performance issues like this one. 0.5s is a big deal in software, and if it was 50ms or 5ms no one would have known this, possibly for years. I wonder how safe the software we use actually is.
I'm sorry but no. If you are responsible for the worst backdoor in recent computing history (which is probably a criminal act in nature), then you do have a responsibility to explain what went down. Maybe he can take a couple days to write it but I think more than that would be irresponsible. Collin is partially responsible because he gave the keys to Jia Tan. I don't want to burn him at the stake since he's a victim too but I think it's reasonable to expect him to help clean up this mess and at least help us fill in the gaps and understand what happened.
Think about it this way. Say you are volunteering for a non-profit. You obviously don't have to do it and could just chill at home instead. But once you have agreed to, say, take a volunteer shift on Saturday, you are obligated to show up. Obviously no one can really stop you from skipping, but it would look bad on you and may get you banned from the non-profit. Along the same token, you obviously shouldn't steal from the non-profit, or, say, randomly beat up the customers/clients. If you accidentally set the building on fire, which ends up killing 5 people, I would also assume you would help in some fashion to clean up.
Just because you are doing things for free does not mean you don't have social responsibility for your actions. You don't have to work, but just saying "oh my software ends up compromising everyone's computer? sorry not my problem" is seriously misunderstanding your role (I'm not saying that Collin is doing that). Similarly, if I just randomly slapped you in the face, I might have done it for free, but you would also probably be pretty pissed at me and expect an apology.
Just want to point out that this isn't a typical "demand underpaid open source developers to work 24/7" issue here. This is a unique circumstance where his action has directly resulted in this happening. I feel bad for him being guilt-tripped to add a maintainer after reading through the old threads two years ago, and as I said I don't want to burn him at the stake, just saying that saying he has no responsibility to help at all is really a bad take.
Lasse has been active and answering questions on IRC over the last day or so. He says he'll be sharing more information on the XZ site in the days or weeks to come.
He's doing fine, by the way, and mentions that the messages of support are appreciated but not necessary.
He's more focused now on figuring out what happened, how he missed it, and deciding a plan of action for cleaning things up.
(paraphrasing from conversations in the public channels)
The discussion here is very different from previous discussions because it focuses on the role of the maintainer and not the incident itself. So no, we haven't already discussed this.
We sure do, and this is a good thing. Some even here don't take care of themselves enough (including, but not limited to, taking proper breaks and other time for themselves).
Yes, Lasse, there are many people who rely on this project and it is sad to see it fall into its current state. You must hand it over to someone who knows what they are doing. Now!
skrebbel | 1 year ago
michelsedgh | 1 year ago
bayindirh | 1 year ago
Also, I'm on the same page with you. Block the malicious actor, continue sipping your coffee.
xign | 1 year ago
junon | 1 year ago
seba_dos1 | 1 year ago
klausa | 1 year ago
thinkingemote | 1 year ago
Poor guy will go through more stress now, even more than that created and imposed on him over 2 years by the attacker.
If anything we should encourage him to look back at his mental health as not being his fault and that we need to protect ourselves.
chgs | 1 year ago
For what?
alecco | 1 year ago
https://news.ycombinator.com/item?id=39874466
em-bee | 1 year ago
oger | 1 year ago
richdodd | 1 year ago
derpderp119 | 1 year ago
[deleted]
bayindirh | 1 year ago
Also, you can do whatever you want on that period of time. Which is marvelous in itself.
guessmyname | 1 year ago
dspillett | 1 year ago
Work to live, don't live to work.
Macha | 1 year ago
Never mind someone using an open source project "supplied as is"
supposemaybe | 1 year ago
[deleted]
masklinn | 1 year ago
That is literally what led to this mess in the first place: Lasse was social-engineered / bullied into handing out maintainership to a malicious actor.
publius_0xf3 | 1 year ago
--
Jigar Kumar
nolist_policy | 1 year ago
People who want new features should switch to other projects like zstd.
ikekkdcjkfke | 1 year ago
Beijinger | 1 year ago
[deleted]