• protozoan_ninja@sh.itjust.works
    5 months ago

    What I hate the most about this situation is that there are likely worse backdoors present in tons of open source projects that haven’t been caught yet. This person only got busted because he was sloppy. Even as sloppy as he was, it still went unnoticed for years in a widely-used package. Too many open source packages are maintained under similar circumstances – mainly by one person, often with burnout/stress related mental health issues that develop after a few years of running such a project by yourself, with no real ongoing investment or support back from the wider community, so then when literally anybody shows up they’re just grateful for the help and can’t bring themselves to scrutinize every commit from a stranger the way they should. This setup is itself a kind of vulnerability.