On March 29th, Andres Freund dropped a bombshell on the oss-security mailing list: recent XZ Utils source code tarball releases made by Jia Tan were released with a backdoor. Thankfully, for multiple reasons, Alpine was not impacted by this backdoor, despite the recent source code tarball releases being published in Alpine edge.
I thought this was a really good point regarding situations where a GitHub issue or other channel of communication is being used to pester or make demands of a maintainer. I hadn’t thought about it from this perspective.