IMO the only way we can have a chance against backdoors like #xz is to start taking least privilege seriously. It’s insane that a compression library should ever have root privs. That ultimately means being able to control privilege at a finer grain than an OS process.

To put this another way: rather than asking “how can we make third party dependencies more trustworthy?”, we should be asking “how can we remove third party dependencies from the trust base?” #xz

@neilmadden

You can't fight overwhelming complexity with more complexity.
