[ting0]

https://boehs.org/node/everything-i-know-about-the-xz-backdo...

This is the scariest part to me:

> A pull request (https://github.com/jamespfennell/xz/pull/2) to a go library by a 1Password employee is opened asking to upgrade the library to the vulnerable version

[2OEH8eoCRo0]

People are always trying to bump versions because it's (usually) an easy contribution.