by wannacboatmovie 670 days ago
Your argument is that a model that does no vetting of contributors whatsoever, which resulted in the catastrophe that is the topic of discussion, is better than a hypothetical company which is full of compromised developers that have free rein to commit to the source tree with no oversight? That sounds extremely contrived.

If you are positing that government infiltration of companies is hypothetical and not a real threat, here is an example of compromised corporate staff:

https://en.wikipedia.org/wiki/Saudi_infiltration_of_Twitter

This wasn't a contributor to OpenSSH; it was a deep-level supply chain attack, something that closed-source commercial companies are not immune to.

Given how much closed-source companies love BSD/Apache/etc. licenses, where they can simply use these low-level libraries and charge for stuff on top, I'm not sure how they would be immune from such an attack.

The risk from this was highlighted in xkcd back in 2020:

https://xkcd.com/2347/

Moving the goalposts and splitting hairs. The fact remains that the open source model allowed an imaginary person, operating on behalf of a threat actor, to obtain privileged commit access to a widely used open source project without any vetting whatsoever. Let me repeat that. They were given control of the repo without even verifying this person exists. To do this at a commercial company you actually have to show up and interview, which is an order of magnitude more difficult than creating an anonymous Gmail account and being given the keys to the kingdom.
You are the one who moved the goalpost here. Vanilla OpenSSH doesn't link against xz, period. Not even the portable versions as LibreSSL does for OpenSSL.

If distros randomly patch OpenSSH because of systemd, it's their problem.