Open source maintainer Val Karpov discusses the xz hack and anonymous contributions in open source

  • Published: 13 May 2024
  • Shortly after the xz utils backdoor hack was uncovered, Tidelift gathered together a group of open source maintainers across the JavaScript, Java, and Python ecosystems to hear not only how the xz hack impacted their work (spoiler alert: this attack reverberated across ALL ecosystems, not just in the Linux OS!), but also how it made them feel.
    In this clip, we hear from open source maintainer Val Karpov. Val maintains Mongoose, an ODM (Object Data Modeling) library for MongoDB. Here he discusses the importance of anonymous open source contributions and why the xz utils incident has complicated this foundational attribute of open source.
    You can watch the entirety of the panel on-demand here: explore.tidelift.com/c/life-a...
    Learn more about xz: tidelift.com/resources/xz-bac...
    Transcript:
    I think one of the questions that comes up related to this is anonymity and open source contributions. I believe, very firmly, that anonymous contributions, especially small, anonymous contributions, are good. The ability for anyone to contribute to an open source project is absolutely one of the core features of open source. And I worry sometimes that hacks like this will create a situation where you need to KYC just to make a quick docs fix or fix a null pointer exception, like something trivial. And I worry that attacks like this will justify behavior like that.