

Life as a maintainer after the xz utils backdoor hack

The explosive details about the recent xz utils backdoor hack, in which a volunteer open source maintainer was manipulated over a period of years until they gave commit access to their project, have sent shudders across all open source communities.
But it was particularly scary for open source maintainers, who now have new threats they have to consider, including how to maintain trust with those they collaborate with, often over the Internet without ever having met face to face.

We spoke with five prominent maintainers working in the JavaScript, Java, and Python ecosystems to hear directly from them about what life as a maintainer will look like in a world after the xz utils hack.



In late March, a developer discovered a hack of epic proportions hiding in a widely used open source file compression tool called xz utils, or xz/liblzma, affecting Linux users everywhere.

This hack was sophisticated, not just in a technical sense, but in a social sense, as well. Why? Because the hacker spent years gaining the trust of xz utils’ solo maintainer by contributing good pull requests until the maintainer trusted him enough to hand over the keys to the whole project, giving him the ability to potentially compromise millions of xz users around the world.

But it wasn’t just those operating in the Linux space who were affected; xz is also buried deep in the Node.js and Python ecosystems. Many maintainers have reported hours lost the weekend the attack was uncovered.

Following this attack, everyone has questions: How did this happen? What could be done to prevent an attack like this in the future? Is the next xz utils backdoor hiding in plain sight? What do we need to change based on what we have learned?

On Friday, April 12, we gathered together a group of individuals uniquely qualified to answer these questions: Jordan Harband, maintainer of hundreds of open source packages in the Node.js space; Gary Gregory, a prolific maintainer in the Java space; Alex Clark, maintainer of Python’s Pillow; Val Karpov, maintainer of Mongoose; and Seth Larson, maintainer of urllib3.

The conversation, moderated by Tidelift VP of product Lauren Hanford and CTO Jeremy Katz, was fascinating and is available on-demand now.