Seems like the usual story of some lone maintainer maintaining a popular project and losing their time and energy.
The post doesn't spell it out but I wonder if they implied there's a suspicion that the person doing the pressuring there is also another sock puppet of JiaT75 as some scheme of getting access to xz. That would seem particularly cruel; take advantage of a tired maintainer with mental health issues to use their project to smuggle security exploits to the world.
Regardless, be nice to people who are doing "unpaid hobby projects" your work depends on. Reading the thread made me sad.
> The post doesn't spell it out but I wonder if they implied there's a suspicion that the person doing the pressuring there is also another sock puppet of JiaT75 as some scheme of getting access to xz
You can get the user's e-mail by clicking the "Reply via e-mail to" on the page. It matches the <firstname><lastname><number>@protonmail.com of the other sockpuppets, and the PGP key for the account was made 1 day prior to their first communication on that mailing list.
The backdoor targets OpenSSH. The reason it's added to xz is that, because of a complex dependency chain, it ends up being compiled in to build OpenSSH. As far as I can tell, the payload doesn't get deployed into anything else.
It's worrisome for sure... the original maintainer mentions long-term mental health issues, "but also due to some other things".
My worry would be that the "other things" they didn't mention could include deliberate acts of sabotage by said unknown agency. Devs can have health issues or other problems come up with themselves or their family in their personal lives, but intelligence agents can also tamper with people covertly in different ways, such as deliberately causing various kinds of accidents or contaminations/poisonings.
In any case, they would only have to disrupt the developer's life for a few months to persuade them that they need to step down, putting one of their confederates at the head of the project. I'm beginning to worry for all developers' safety now, if you are the sole maintainer of a key project that critical system daemons may link against.
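The comment above about the dependency chain reaching OpenSSH suggests the check a practitioner would actually run: does the sshd binary's runtime link closure contain liblzma at all? The following is an added example, not code from the thread or from the xz or OpenSSH projects. It parses ldd(1) output with a small awk filter; the sample ldd output (library paths and load addresses) is constructed for the example, and the real check is only meaningful when run against an actual binary such as /usr/sbin/sshd.

```shell
#!/bin/sh
# Added example: report whether a binary's dynamic link closure includes liblzma.
# Only shared-library dependencies visible to ldd are considered; a statically
# linked or dlopen()ed liblzma would not appear here (caveat, not a guarantee).

# lzma_from_ldd OUTPUT
#   Print the resolved path of every liblzma entry in ldd-style OUTPUT.
#   Returns 0 if at least one liblzma entry was found, 1 otherwise.
lzma_from_ldd() {
    printf '%s\n' "$1" | awk '
        # ldd lines look like: libname.so.N => /path/to/lib (0xaddr)
        $1 ~ /^liblzma\.so/ && $2 == "=>" { print $3; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# check_binary PATH
#   Run ldd on a real binary and summarise the result on stdout.
#   Returns 0 if liblzma is linked, 1 if not, 2 if ldd itself failed.
check_binary() {
    out=$(ldd "$1" 2>/dev/null) || { echo "ldd failed for $1"; return 2; }
    if paths=$(lzma_from_ldd "$out"); then
        echo "$1 links liblzma via: $paths"
        return 0
    fi
    echo "$1 does not link liblzma"
    return 1
}

# Constructed sample (hypothetical paths/addresses) resembling an sshd build
# whose libsystemd dependency drags liblzma into the link closure.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1a3f0000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0c9a400000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0c9a3c0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0c9a000000)'

# Constructed sample of a build with no liblzma in its closure.
SAMPLE_LDD_CLEAN='    linux-vdso.so.1 (0x00007ffd1a3f0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0c9a000000)'

# Usage on a live system (uncomment): check_binary /usr/sbin/sshd
```

Run `check_binary /usr/sbin/sshd` on the host in question; a hit only tells you the library is in the closure, not which intermediate dependency pulled it in, so follow up with `readelf -d` on the direct dependencies to trace the chain.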
Doubt the target is archiving software itself - presumably the reason these libraries got picked is because they already have high penetration across many layers of the stack which would ensure the backdoor has wide coverage.
Dunno, seems too amateur. An intelligence agency should be able to come up with more plausible sockpuppet names and email addresses even if in this case it didn't matter.
Ah, I see. I wondered where the heck the reply e-mail was; I didn't see any reply e-mail spelled out anywhere and didn't notice the button. I thought maybe the archive site deliberately wanted to hide the e-mail addresses.
Kinda looks like everyone in the thread might be a sock puppet? ...except for the xz maintainer. Oof.
Assuming the original maintainer wasn't in on the con, someone should check on him. Apparently he already has issues, and being gaslit, manipulated and deceived on this level for years, considering the potential consequences and harm caused/barely averted, the unwanted attention, possibly a police investigation following... all that may be a bit much.
He replied that he is on holiday and will check in after Easter, and that his and Jia's GH accounts are inaccessible. More details too, but that's the crux as I understand it.