Zack's Kernel News

Zack's Kernel News

Article from Issue 284/2024

Zack Brown reports on developer trust.

Developer Trust

In recent days, the infamous "XZ backdoor" has the entire open source world reconsidering its development practices. Essentially, a bad actor joined an open source project, submitted some good patches to gain the trust of the developers, and eventually submitted some cleverly hidden security holes that were actually accepted into the project. It was only when a regular user noticed some odd timing behaviors in the tool and decided to track down the issue that the whole thing came to light.

The open source project was not the Linux kernel, but the tool came very close to being included in many Linux distributions. From there of course, it would have been inside the foundational infrastructure of the entire Internet and almost every corporate network within the known universe.

It's absolutely not the first time this has been attempted, and, of course, there could be any number of similar backdoors that have not yet been discovered. The whole experience has been a wake-up call for the open source world to re-examine their code review practices. For example, one reason the XZ backdoor was able to make it into the project was because the maintainer was overworked and burnt out. So the issue is about more than simply expecting everyone to work harder. We'll be seeing the true effects of this wake-up call for years to come.


Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Lockdown Mode

    Lockdown mode makes your Linux system more secure and even prevents root users from modifying the kernel.

  • HookSafe Protects Kernel from Rootkits

    A research group in the computer sciences faculty at North Carolina State University has written a prototype to prevent rootkits from manipulating kernel object hooks to do their damage.

  • Kernel News

    Chronicler Zack Brown reports on the latest news, views, dilemmas, and developments within the Linux kernel community.

  • Kernel News

    Chronicler Zack Brown reports on the NOVA filesystem, making system calls userspace only, and extending module support to plain executables. 

  • Kernel News

    New NDS32 port, landlock versus seccomp, new features from Intel, loading and unloading security modules after bootup, and splitting up security projects.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More