This is a collection of links and quotes from the many articles published on the topic of the recent XZ Utils attack. There is no original research here.

I found Russ Cox’s Timeline of the xz open source attack to be particularly informative on the social / human aspects of the operation. Here is an excerpt:

2022-05-27: Jigar Kumar sends pressure email to patch thread. “Over 1 month and no closer to being merged. Not a surprise.”

2022-06-07: Jigar Kumar sends pressure email to Java thread. “Progress will not happen until there is new maintainer. XZ for C has sparse commit log too. Dennis you are better off waiting until new maintainer happens or fork yourself. Submitting patches here has no purpose these days. The current maintainer lost interest or doesn’t care to maintain anymore. It is sad to see for a repo like this.”

There were also pieces published explaining the problem to a general audience, like this one by The Economist.