- cross-posted to:
- cybersecurity@sh.itjust.works
- cross-posted to:
- cybersecurity@sh.itjust.works
They haven’t particularly made a comment on the situation so much as acknowledged it’s happening. They seem to be going with the story that they had nothing to do with it and this is news to them. Hope to hear more from them soon so we can find out more about the situation, how and why this happened, etc.
(The sceptical tone isn’t because of disbelief of Collin, it’s because we don’t know enough about the situation to be able to say Collin is or isn’t telling the truth here.)
Sorry but if the maintainer says it didnt know? Sounds fishy. Or just a bad maintainer.
You realise that this comment is exactly part of the problem of why this happened, right? 🤦🏻♀️
Do you think being maintainer makes you some kind of all knowing being? That’s not how that works. You write code and review code of others.
If there are multiple maintainers, you may obviously not even notice what another maintainer is doing; then you wouldn’t need multiple maintainers with write access if you could handle it all by yourself.
I suggest you read a little in how the backdoor was implemented. It wasn’t as obvious as you think. I personally don’t think the owner had anything to do with it.
Who’s paying him? Seriously:
If I were the co-maintainer of a project I wouldn’t suspect that the person who had been actively contributing for over 2 years had injected malicious code into a binary file to distribute in the tarballs. “Jia Tan” had already gained Collin’s trust by then