{"id":55786,"date":"2024-04-06T16:12:14","date_gmt":"2024-04-06T16:12:14","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/what-can-be-done-to-protect-open-source-devs-from-next-xz-backdoor-drama\/"},"modified":"2024-04-06T16:12:14","modified_gmt":"2024-04-06T16:12:14","slug":"what-can-be-done-to-protect-open-source-devs-from-next-xz-backdoor-drama","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/what-can-be-done-to-protect-open-source-devs-from-next-xz-backdoor-drama\/","title":{"rendered":"What can be done to protect open source devs from next xz backdoor drama?"},"content":{"rendered":"

Kettle<\/span> It’s been about a week since the shock discovery of a hidden and truly sophisticated backdoor in the xz software library that ordinarily is used by countless systems.<\/p>\n

An infected machine would have allowed someone with knowledge of the backdoor to gain remote control over the box via its SSH daemon. Though the dependency \u2013 poisoned by a rogue contributor<\/a> \u2013 made its way into some bleeding-edge or to-be-officially-released Linux distros, such as Debian Unstable, Fedora 40, and Fedora Rawhide, it was spotted and thwarted before being widely deployed, which could have been a disaster.<\/p>\n

Is this an example of open source fragility<\/a> or strength? What can we do about securing popular bits of code that end up in tons of applications and servers? Do multi-billion-dollar corporations that feed off free work done by others need to step up and help here? Our Kettle series<\/a> is back for our journos to discuss exactly this, which you can watch below.<\/p>\n

Joining the show this week is Thomas Claburn, who covered the xz near-fiasco for us; The Register<\/em>‘s cybersecurity editor Jessica Lyons; our editor Chris Williams; and your host Iain Thomson. This episode was produced by Brandon Vigliarolo.<\/p>\n

As well as replaying our chat in the player above, you can listen via your favorite podcast distributor: RSS and MP3<\/a>, Apple<\/a>, Amazon<\/a>, Spotify<\/a>, and YouTube<\/a>. And feel free to share your views too in the comments. \u00ae<\/p>\n