by mapasj 804 days ago
I’m guessing the original maintainer of xz handed responsibilities to Jia Tan without ever seeing him/her or at least sharing a phone call. Is it common to only communicate through email/github? I guess some maintainers of open source projects will be more cautious after this story.
10 comments

> Is it common to only communicate through email/github?

Absolutely. I've both taken over libraries as a maintainer and given away the responsibility of maintaining a library after only communicating via text, and having no idea who the "real" person is.

> I guess some maintainers of open source projects will be more cautious after this story.

Which is completely the wrong takeaway. It's not the maintainer who is responsible for what people end up pulling into their project, it's up to the people who work on the project. Either you trust the maintainer, or you don't, and when you start to depend on a library, you're implicitly signing up for updating yourself on who you are trusting. For better or worse.

Trusting the maintainer also means trusting that they won't hand over the project to someone untrustworthy. It is the maintainer's responsibility to honor that trust if they want their software to be used in the first place.
That’s basically how it is right now. Millions of companies freeloading off the work of unpaid open source developers. Unsurprisingly they sometimes leave and it causes problems.
This. I've had my buggy shit accepted into at least three open source projects so far with little to no verification.
What difference would a phone call have made? How would it have added any confidence as to the intentions of the person whatsoever?
> Is it common to only communicate through email/github?

Yes. I’ve joined half a dozen open-source projects of various sizes (from 100 to 30k stars on GitHub) without ever calling anyone; written communication is the standard.

Sure, but handing over maintainership is a different situation from accepting a few PRs.
Have you ever interacted with a volunteer organization?

If you show up for a tea & cookies meet-and-greet and aren't careful, they'll nominate you for chair just because no one else wants it, and "showed up once to a scheduled event" is a higher bar than half the other members have met in a while.

I don't think he ever fully gave up his "top maintainer" status or gave away the repo. He just let Jia have de facto maintainership because no one else was really contributing.
If you’re being berated by multiple people as to your speed of delivery, then it is not unexpected for them to be convinced that they are somehow the problem, and transfer the project to whoever they feel at the time is the best choice without thinking through their decisions.

However, knowing a person personally doesn’t necessarily solve the problem.

I used to work on an open source project a long time ago (under a pseudonym) that I do not wish to name here for reasons that’ll become clear shortly. The lead programmer had a co-maintainer who the lead seemed to have known quite well.

The co-maintainer constantly gaslit me, and later, other maintainers, belittled them, criticized them for the smallest of bugs etc. (and not in a Linus Torvalds way, where the rants are educational if you remove the insults) until they left; and was egged on by the lead maintainer as they agreed with the technical substance of these arguments.

Many years later, the co-maintainer attempted a hostile takeover of the project, which did not go as expected, and soon after, multiple private correspondences with other people became public where it became clear that the co-maintainer always wanted to do this, and gaslighting other maintainers was just part of this goal. All of this, despite the fact that the two of them knew each other.

He wouldn’t be able to do more than that if publicity were expected from core maintainers. Maybe he is trying to do the exact same thing with another project at this very moment.
They did communicate off list and non publicly, that's as much as we know at the moment.

As an open source developer he might have received donations too from the adversary - it's reasonably common for devs to get donations to "say thanks". He might have had voice chats with them, who knows. The emails might be with LEO at the moment, but I think it's in the public interest for all communications to be released.

It is unfortunate that Lasse Collin has been silent about what he knows about him.
If LEO is involved, they wouldn't be disclosing evidence to avoid the public interacting with suspects or possibly leapfrogging them and tipping off someone new.

In this case the public would benefit from knowing quickly who are the bad actors and what other projects they touched.

This makes sense.
Can we not dogpile Lasse after his vacation was ruined by this. He has much bigger concerns right now than trying to export and sanitize his entire communication history with Jia.
I have a lot of respect for xz's original author, I just didn't think about the legal stuff, and that sounds quite reasonable to me now.

Personally, I find it hard to subscribe to certain theories, such as the possibility of Lasse being impersonated or involved in the incident. But that doesn't mean we should dismiss them outright at this stage. (And I'm sorry if you don't like to hear that, saying this is not comfortable for me either).

Lamenting the lack of public information is a far cry from dogpiling on the guy.
For his own personal safety, he might not want to get on the bad side of whatever (powerful) actor was behind this exploit.
What does it change? Assuming that either:

- Jia Tan was initially a trustworthy actor that subsequently became malicious (maybe they were paid or compromised somehow)

- Jia Tan was always malicious, but played the long game by starting with legitimate contributions/intent for 1-2 years

How would meeting them for real have any impact?

If you look at their early commit history, "Jia Tan" was always a devious actor.

It's easy to think that they would just have made a video call, but it is a lot harder to lie convincingly over sync videochat than over async text. And a lot harder still to lie in person, and esp over multiple meetings.

Not to say it's impossible, people get scammed in person all the time! But it raises the bar, for sure.

Our goodwill is being used against us.

Suppose you have a chat with them and see that they're Chinese. What are your next actions? If you exclude them then that's racist, right?

I don't have answers.

Adding on to that, it might be difficult to differentiate between people from China vs Taiwan/Singapore/etc., and since people are generally anonymous online, they can use any name they want.
I guess the blame is on the people who decide to depend on a very small (by team size at least) project: https://xkcd.com/2347/. While having plenty of safer alternatives.

Let's suppose I create a personal and hobby project. Suddenly RedHat, Debian, Amazon, Google... you name it, decide to put my project as a fundamental dependency of their toolchain, without giving me at least some support in the form of trustable developers. The most cautious thing I could do would be to shut down the project entirely or abandon it, but more probably I would have fallen for Jia Tan's tricks.

Also, the phone call and even a face to face meeting wouldn't give you extra security. In what scenario would a phone conversation with Jia expose him, or make you suspicious enough to not delegate?

> While having plenty of safer alternatives

What are xz's safer alternatives? And how do you make sure of that?

Zstd because Facebook is looking out for our best interests.
Yes, pretty much.