They haven’t particularly made a comment on the situation so much as acknowledged it’s happening. They seem to be going with the story that they had nothing to do with it and this is news to them. Hope to hear more from them soon so we can find out more about the situation, how and why this happened, etc.

(The sceptical tone isn’t because of disbelief of Collin, it’s because we don’t know enough about the situation to be able to say Collin is or isn’t telling the truth here.)

  • Alex@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    7 months ago

    Don’t be too hard on Collin. Looking back on the threads it’s fairly clear he’s been the victim of a social engineering attack on an overworked maintainer. People were pressuring him to hand over maintainership while expressing disappointment at the slow pace of development. The off-list contact by Jia must have seemed like a helpful enthusiastic solution to a burnt out developer.

    • communism@lemmy.mlOP
      link
      fedilink
      arrow-up
      0
      ·
      7 months ago

      I agree with that assessment, I’m not accusing Collin of anything. If it is what it seems to be then I feel very bad for him. Just being cautious with wording until things are more settled/until we know more is all.

      • UckyBon@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        7 months ago

        I just made a similar comment in another thread here:

        I read a lot about how we should double, triple check all the code. But what we shouldn’t forget is to check up on our people too.

  • ouch@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    7 months ago

    Nothing so far seems to indicate Lasse Collin knew what was going on.

    I feel sorry for him. Must suck working on an open source project for free and then get sucked into something nefarious like this. He must be under tremendous stress.

    • aksdb@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      7 months ago

      Do you think being maintainer makes you some kind of all knowing being? That’s not how that works. You write code and review code of others.

      If there are multiple maintainers, you may obviously not even notice what another maintainer is doing; then you wouldn’t need multiple maintainers with write access if you could handle it all by yourself.

    • communism@lemmy.mlOP
      link
      fedilink
      arrow-up
      0
      ·
      7 months ago

      If I were the co-maintainer of a project I wouldn’t suspect that the person who had been actively contributing for over 2 years had injected malicious code into a binary file to distribute in the tarballs. “Jia Tan” had already gained Collin’s trust by then

    • RageAgainstTheRich@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      7 months ago

      I suggest you read a little in how the backdoor was implemented. It wasn’t as obvious as you think. I personally don’t think the owner had anything to do with it.

    • jarfil@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      7 months ago

      Who’s paying him? Seriously:

      • If nobody is, then we got our value’s worth.
      • If someone is, then we should look at who, how much, and why.