
Verify the identity of developers

Posted Apr 1, 2024 0:04 UTC (Mon) by marcH (subscriber, #57642)
In reply to: Verify the identity of developers by calumapplepie
Parent article: A backdoor in xz

> xz has (had?) a website, multiple contributors, maintainers, and more. [...] XZ was and is maintained.

Did you read the news?

> Then we will have 60% of projects continue using XZ for years after it is abandoned. Besides, the idea of projects as a bunch of little silos that all know each other and work together isn't realistic; lots of contributions are drive-by, and lots of contributors are involved in many projects.

I don't get the point you're trying to make here.

In any case, adding and managing dependencies is a benefit-risk assessment, and it's up to each project to make its own decisions in a decentralized manner; there is simply no alternative besides not making this assessment.

"Decentralized" does not mean "in a vacuum": more popular dependencies are of course more likely to be picked up or forked by someone who really needs them if the current maintainer(s) fail.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds