This is a collection of links and quotes from the many articles published on the topic of the recent XZ Utils attack. There is no original research here.
- Andres Freund’s email to the Openwall mailing list, which publicly disclosed the vulnerability
- Bash Obfuscation Explained from gynvael.coldwind.pl
- two pieces by Russ Cox: Timeline of the xz open source attack and The xz attack shell script
- Filippo Valsorda’s thread on Bluesky
I found Russ Cox’s Timeline of the xz open source attack to be particularly informative on the social / human aspects of the operation. Here is an excerpt:
> 2022-05-27: Jigar Kumar sends pressure email to patch thread. “Over 1 month and no closer to being merged. Not a surprise.”
>
> 2022-06-07: Jigar Kumar sends pressure email to Java thread. “Progress will not happen until there is new maintainer. XZ for C has sparse commit log too. Dennis you are better off waiting until new maintainer happens or fork yourself. Submitting patches here has no purpose these days. The current maintainer lost interest or doesn’t care to maintain anymore. It is sad to see for a repo like this.”
There were also pieces published that explain the problem to a general audience, like this one by The Economist.