Xz

In this episode, Josh and Otto dive into the world of Debian packaging, exploring the challenges of supply chain security and the importance of transparency in open source projects. They discuss Otto’s blog post about the XZ backdoor and how it’s a nearly impossible attack to detect. Otto does a great job breaking down an incredibly complex problem into understandable pieces. Episode Links Otto Could the XZ backdoor have been detected with better Git and Debian packaging practices? This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

Josh and Kurt embark on a thought experiment to discuss how a commercial entity would handle something like the xz incident. It was very specific and difficult to understand. It’s easy to claim just because source code being available doesn’t matter. But the reality is when source code is needed, it can make a huge difference for everyone working together, just like we saw with xz. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_456_What_if_XZ_happened_to_a_company_The_openness_of_open_source.mp3 Show Notes Lindt admits chocolate may not be ‘expertly crafted’ in class-action lawsuit battle Mitchell & Webb - Needlessly ambiguous terms

Josh and Kurt talk about the recent events around XZ. It’s only been a few days, and it’s amazing what we already know. We explain a lot of the basics we currently know with the attitude much of these details will change quickly over the coming week. We can’t fix this problem as it stands, we don’t know where to start yet. But that’s not a reason to lose hope. We can fix this if we want to, but it won’t be flashy, it’ll be hard work. ...