
The original maintainer of the xz Utils package, which was backdoored and came close to being distributed to production Linux systems, has yet to comment publicly on the incident in any detail, saying he first needs to understand the situation thoroughly.
Lasse Collin, who handed over maintenance of the software to someone who had an account named Jia Tan, said he planned to write an article detailing how the backdoor was implanted and the lessons to be learnt from it.
The presence of the backdoor was caught by Microsoft software engineer Andres Freund, a PostgreSQL developer, who noticed that SSH logins were consuming a lot of CPU cycles and were also generating Valgrind errors.
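Freund's observation was a symptom, not a test. The check a practitioner would actually want is whether liblzma is loaded into a running sshd at all, since the backdoored library could only reach the SSH login path when sshd had it mapped (some distributions link sshd against libsystemd, which in turn pulls in liblzma). The script below is an added example, not code from the article or from any of the people quoted in it; it reads /proc/<pid>/maps for each sshd process, and the maps content in make_sample_maps is constructed for offline demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example: report whether a running sshd has liblzma mapped into its
# address space. check_maps takes a path to a /proc/<pid>/maps-style file so
# the logic can be exercised offline against constructed input.

# Print the unique liblzma path(s) found in a maps file.
# Returns 0 if liblzma is mapped, 1 if not, 2 if the file is unreadable.
check_maps() {
    maps_file="$1"
    [ -r "$maps_file" ] || { echo "cannot read $maps_file" >&2; return 2; }
    # Field 6 of a maps line is the backing file path (absent for anonymous maps).
    hits=$(awk '$6 ~ /liblzma\.so/ { print $6 }' "$maps_file" | sort -u)
    if [ -n "$hits" ]; then
        echo "$hits"
        return 0
    fi
    return 1
}

# Walk every live sshd process (daemon and per-connection children).
# Returns 0 if any of them has liblzma mapped, 1 otherwise.
check_running_sshd() {
    found=1
    for pid in $(pgrep -x sshd 2>/dev/null); do
        if libs=$(check_maps "/proc/$pid/maps"); then
            echo "sshd pid $pid has liblzma mapped: $libs"
            found=0
        fi
    done
    return $found
}

# Constructed sample maps content (not from a real host) showing an sshd
# that has liblzma loaded alongside libc.
make_sample_maps() {
    cat > "$1" <<'EOF'
7f1e3c000000-7f1e3c022000 r--p 00000000 fd:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1e3c400000-7f1e3c421000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f1e3c421000-7f1e3c43a000 r-xp 00021000 fd:01 5678 /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f1e3c800000-7f1e3c801000 rw-p 00000000 00:00 0
EOF
}

# Usage on a live host: run as root so /proc/<pid>/maps of sshd is readable.
#   . ./check_sshd_lzma.sh && check_running_sshd
```

A hit is not proof of compromise; it only tells you that a malicious liblzma would have been in a position to hook sshd, which is the condition under which the xz backdoor mattered. Pair it with the package manager's version and checksum verification for liblzma before drawing conclusions.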
That Freund noticed it before the long Easter weekend was lucky. Veteran Debian developer Russell Coker attributed the discovery to the way free software was developed.
"I think that how quickly this was discovered shows the benefits of free software," he told iTWire. "A lot of effort was put into this attack and it's all gone to waste because the backdoor was found before it got into a full release of any distribution."
Dan Draper, the founder and chief executive of CipherStash, a company that works on encryption-in-use solutions for enterprise data security, said it appeared that Collin had burnt out and Jia Tan was the only one to offer to help.
"In my view, this vulnerability could easily have gone for some time without detection, but because of its widespread use and open source codebase it was picked up relatively quickly (under three weeks)," he said.
"Contrast this to the SolarWinds supply chain attack of 2020 which reportedly took around seven months to detect and that was only after the vulnerability had been used in an attack against FireEye."
Draper said: "A blunt assessment might conclude that open-source code is easier to compromise, but significantly harder for attackers to keep a vulnerability hidden than its closed-source cousin."
Projects with a single maintainer or a handful of maintainers were common in the open-source world, he noted, and many of them were extremely important.
"The 'Ring' cryptography library, for example, is maintained by Brian Smith and used by 163,000 developers with more than 100 million downloads. Ring has had contributions from hundreds of developers, most of them reviewed and accepted into the main codebase by Smith himself. While Smith is highly respected in the community, this attack begs the question: what if Smith himself was compromised?" Draper asked.
However, he said, with Ring, it was probable (though certainly not guaranteed) that such an attack would be picked up because of the sheer number of developers using and contributing to it.
Draper said those who were of the view that the xz Utils incident meant open source software should be avoided were off the mark.
"I still believe that an open-source approach is, generally, a more secure path because it makes hiding malicious behaviour very hard," he explained.
"When issues are detected, an army of developers and researchers rally around it, sharing notes and collaborating on a fix resulting in a rapid and transparent response.
"Closed source commercial software is almost never patched as quickly and, even if it is, the company behind it tends to keep details to themselves for fear of recrimination."
Draper said the xz Utils incident had exposed the Achilles heel of open-source software: "the trustworthiness, capability and reliability of project maintainers."
Contrasting the case of Linux, which has an army of developers and financial contributions behind it, Draper said most open-source projects were in exactly the opposite position.
"This is despite virtually all commercial software products relying on open source software in some way or another," he said. "The MacOS, Windows, Android and iOS operating systems all heavily rely on open-source components and tooling.
"As do the world's biggest web companies from Google and Facebook to the millions of tiny start-ups across the globe. The modern developer truly stands upon the shoulders of giants, but the giants are underpaid and underappreciated."
Draper said the corporate world should pay the dues it owed to open-source software.
"Investing in open-source software allows maintainers to give projects their full attention, rather than as an oft-neglected side-interest," he pointed out.
"Experienced corporate employees should not only consume this brand of software, but actively contribute to it. They should provide mentorship, guidance and stand in for maintainers when they need a break.
"Sponsoring projects or individual developers is already possible on platforms like GitHub and I encourage every organisation using open source software today, to consider sponsoring some of the projects they use."