The thing about following a lot of techies here on Mastodon is that when some infosec event is going down I know about it, but mostly I don't understand it so it reads like lorem ipsum that emanates an urgency vibe.

#XZ #Infosec #Tech

@shansterable In the case of #xz it is a well planned, nefarious code change that has been introduced into old but very common software (xz) by people who worked for two years to gain the trust of the community.
The code change manipulates the login mechanism (think password) of extremely common software (sshd) for remote access to servers in a way not yet understood.
This was found by accident and (maybe just) before it was rolled out to thousands of systems.
Does that make sense?

@chris
Here's what I'm getting from the lorem ipsum:

Some coder moles buddied up to set some clever booby traps that some tinkerer found by accident before it was proliferated broadly.

The xz programming community is super bummed out because they trusted the moles and because the moles have reminded them that open source software will always be subject to "buddied-up coder mole risk."

Is that the gist?


@shansterable @chris

I think that's true, but also:

This software underpins a LOT of other software, which means the potential scope of the problem isn't just this one piece of software, but everything that relied on it, which includes (obviously, since it was detected there) OpenSSH, but also tons of other software (like the Linux kernel).

Analysis so far as I've seen (haven't looked hard) points to specifically OpenSSH being targeted, rather than other dependents. Still, everyone who depends on this library (which is a lot more people than just the xz programming community) is going to double-check a lot of stuff because of this find.

Plus, it is going to make folks in the open-source software (OSS) community just a bit more paranoid. It might be unjust if anyone thinks of this as being unique to OSS, since SolarWinds had a not-too-dissimilar issue not too long ago (this is different at least in that we can see exactly when the change was made and what it was, in public).
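As an added example (not part of anyone's post above), here is the kind of quick check the "double-check a lot of stuff" remark leads to in practice: does the sshd binary on a given host actually link the xz library (liblzma) at all? On several distributions it does only indirectly, through libsystemd, which is why a change in xz could reach OpenSSH. The functions read `ldd`-style output so they can be run against a saved listing as well as a live binary; the sample listing and its paths are constructed for illustration, and the `check_sshd` wrapper assumes `ldd`, `sshd` and `xz` are on the usual paths.

```shell
#!/bin/sh
# Added example: check whether a binary pulls in liblzma (the xz library),
# and show the intermediate library it arrives through.
# All functions read `ldd`-style output on stdin.

# Return 0 if any line of the ldd output names liblzma, 1 otherwise.
links_liblzma() {
    grep -q 'liblzma\.so'
}

# Print the resolved path of liblzma (empty if not linked).
liblzma_path() {
    sed -n 's/^[[:space:]]*liblzma\.so[^ ]* => \([^ ]*\).*/\1/p'
}

# Print the liblzma line(s) plus any libsystemd line, since sshd on several
# distributions reaches liblzma only indirectly via libsystemd.
show_lzma_chain() {
    grep -E 'liblzma\.so|libsystemd\.so'
}

# Constructed sample ldd output (hypothetical addresses and paths, not a real host).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd0a1f0000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c2a000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c29f00000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c29e00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29c00000)'

# Live check against the real sshd, when ldd and sshd are present.
check_sshd() {
    sshd_bin=$(command -v sshd 2>/dev/null) || sshd_bin=/usr/sbin/sshd
    if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd_bin" | links_liblzma; then
            echo "$sshd_bin links liblzma via:"
            ldd "$sshd_bin" | show_lzma_chain
        else
            echo "$sshd_bin does not link liblzma"
        fi
    else
        echo "sshd or ldd not found; skipping live check"
    fi
    # Report the installed xz version so it can be compared with the advisory.
    if command -v xz >/dev/null 2>&1; then
        xz --version | head -n 1
    fi
    return 0
}

# Demonstrate on the constructed sample, then on the live system.
if printf '%s\n' "$SAMPLE_LDD" | links_liblzma; then
    echo "sample listing: liblzma linked at $(printf '%s\n' "$SAMPLE_LDD" | liblzma_path)"
fi
check_sshd
```

A hit from `links_liblzma` on its own does not prove anything is wrong; it only tells you the host is in the population that needs its xz package version and provenance checked.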

Qoto Mastodon