[dralley]

>Meanwhile the XZ backdoor was found in Sid, Arch and pre-releases of Fedora and openSuse. It never actually made it into any numbered release of Fedora, openSuse, Ubuntu, Debian, Red Hat or Suse distro. It's actually a pretty big win and the system worked as intended.

I would maybe not go quite that far. That it got caught was mostly a confluence of lucky breaks and accidents. The second version of the exploit would likely have not been detected if not for the fact that the first version of the exploit had a couple of programming mistakes that attracted some attention to itself.

[dismalaf]

The entire thesis behind the open source security model is to have lots of eyes on the code/program, since more eyes = more likelihood of catching it. Even if you say it's accidental, let's say the odds of catching it are 0.00001. Repeat that enough times and you get 1.

It was caught before any distro released with it. The system worked.

[dralley]

If one of the Debian or Fedora developers had immediately caught on to what they were looking at when their attention was drawn to it by the failures, I would say the system worked. It's certainly true that open source saved the day here, but that's maybe different from saying "the system" worked. It easily could have gone unnoticed, or been noticed a few weeks later.

[dismalaf]

It could have also been noticed earlier. Maybe it was luck it was detected so late?