On-demand
In late March, a developer discovered a hack of epic proportions hiding in a widely used open source file compression tool called xz util, or xz/liblzma, affecting Linux users everywhere.
This hack was sophisticated, not just in a technical sense, but in a social sense, as well. Why? Because the hacker spent years gaining the trust of xz utils’ solo maintainer by contributing good pull requests until the maintainer trusted him enough to hand over the keys to the whole project, giving him the ability to potentially compromise millions of xz users around the world.
But it wasn’t just those operating in the Linux space that were affected; xz is also buried deep in the Nodejs and Python ecosystems as well. Many maintainers have reported hours lost the weekend the attack was uncovered.
Following this attack, everyone has questions: How did this happen? What could be done to prevent an attack like this in the future? Is the next xz utils backdoor hiding in plain sight? What do we need to change based on what we have learned?
On Friday, April 12, we gathered together a group of individuals uniquely qualified to answer these questions: Jordan Harband, maintainer of hundreds of open source packages in the Nodejs space; Gary Gregory, a prolific maintainer in the Java space; Alex Clark, maintainer of Python’s Pillow; Val Karpov, maintainer of Mongoose; and Seth Larson, maintainer of urllib3.
The conversation, moderated by Tidelift VP of product Lauren Hanford and CTO Jeremy Katz, was fascinating and is available on-demand now.
50 Milk St, 16th Floor, Boston, MA 02109
