[damagednoob]

Something I've observed as an English speaking immigrant is that in general, the US/UK is very forgiving when it comes to foreigners trying to speak English. Where certain types of phrasing and harsh words would not be tolerated with first language English speakers, the benefit of the doubt is given to 2nd/3rd language speakers because they

1. Might not have the vocabulary to express themselves correctly

2. Not understand the nuance and connotations that their word choices imply

I've seen my colleagues get frustrated in meetings while simulatenously having to assume good intent.

Choosing names like the bad actor(s) did gives them an advantage in this scenario.

[secondcoming]

The English used in the commit messages I’ve seen was pretty much perfect, but unfortunately the repo has been suspended now.

[supriyo-biswas]

A mirror is here[1] for someone who wants to read the commit messages, though as I understand it is insufficient for reproducing the backdoor at compile time because it is missing the m4/ files required for this purpose.

If someone has the additional details to reproduce the backdoor, please let me know and I'll add these files in the repository.

[1] https://github.com/supriyo-biswas/xz-mirror

[IshKebab]

I agree. Either native English or very very good second language. Given the weird laziness of some parts of the attack I'd put my money on native English.

[fluoridation]

It sounds to me like you're trying to seek a correlation too eagerly. It's not obvious whether it's more implausible that he's a lazy Chinese programmer with very good English, or a lazy native English-speaking programmer who wants to pretend to be Chinese.

[IshKebab]

The former is more implausible because Chinese people with that level of English are quite rare, whereas English people able to create a fake Chinese username are not.

[kqr]

I feel like you're making three statistical mistakes at once.

- First, we're not discussing the English level of the general Chinese population, but specifically of the group that's also good at programming. That conditional probability is much higher.

- Even if we did speak of the general Chinese population, that is a lot of people so something rare in that group is true for many people still!

- It's not like everyone in the US has great English either. (Though open source maintainers are again probably more likely to.)

[IshKebab]

> but specifically of the group that's also good at programming. That conditional probability is much higher.

That's the group I was discussing. Higher for sure, but still not high. (Remember we're talking about Chinese nationals, not Chinese ethnicity.)

> so something rare in that group is true for many people still

Yes but we're talking probabilities so the total population size is irrelevant. You're the one making the statistical mistake here.

> It's not like everyone in the US has great English either. (Though open source maintainers are again probably more likely to.)

Answered your own question there.

[int_19h]

There's a lot of Chinese people, though.

And China has been enticing ethnic Chinese who grew up in the West to "come back to the Motherland" with promises of riches for a long time now. Quite a few made the switch, too. I very much doubt that finding a native English speaker is a problem if it's the PRC govt.

It does make it less likely to be Russia, though. Although of course this could always just be subcontracted.