my only contribution to the xz discourse:
absolutely none of the supply chain stuff we're currently doing, including the things i like, would have stopped this. the only things that can stop this are (1) compulsively treating all code as untrusted, and (2) way, way stronger capability checks and restrictions in running systems. (1) is economically infeasible (the world runs on free labor from OSS), and (2) has had only very limited practical success.
What about using sources from version control instead of from released tarballs?
@robryk single source of releases is a good practice IMO, but isn’t a generalized solution here: the maintainer could just as well have pushed the autoconf changes to a tag on version control.
Sure, it's not a general solution to the "malicious committer" problem, but it _is_ a solution to _this_ attack. (Obviously, if we were doing that, the attacker would choose a different attack, though potentially risking a larger chance of discovery.)
