The XZ fiasco is totally unfixable
A lot of people are focusing on the technical details of the infamous XZ vulnerability that was very nearly planted worldwide through Linux. Focusing on the technical details and filling up the feeds with analysis of the techniques is a smart way to exorcise the fear, but that is the not-so-interesting part. The most interesting part is that this vulnerability changed forever the perception of open source and its security, and it made multiple people raise their eyebrows, including myself. Many people are underestimating the devastating impact of this attack and its consequences. Where it matters, all the bells rang, and red alerts have been triggered.
Only God knows how many vulnerabilities like that have been planted in the ecosystem over the years in the very same way. And I'm not even talking about how fishy the discovery looks: someone working on PostgreSQL decided to micro-benchmark the SSH service, noticed a 500ms delay when the password was wrong, then decided to debug the whole service. Why not?
The only thing that matters is not what the vulnerability did, but how it was planted. Someone with absolutely no past history and whom nobody knew was able to build his credibility by engineering his way into a social buildup made of a few contributions and a lot of exposure. In just 2 years, he was able to exploit the mental health issues of the maintainer of one of the most used libraries in the Linux ecosystem, and he was able to become the de facto sole person responsible for a project upon which thousands of companies, including megacorps, depend. He targeted one of the hundreds of building blocks that are basically maintained as a hobby by lone developers whom no one cares to compensate for their huge work, even if it's important, because that's how big corps exploit open-source developers by turning them into underpaid mules. The whole Linux ecosystem is built upon such cases; this is not an exception, this is by design.
Not only was the rogue developer (who's probably not a single person) able to become a maintainer of such a project, but he was also able to use cross- and self-references, including other fake accounts that he completely made up online, to create a social pressure campaign to push his code into the main repositories by using the very same technique and the "reputation" he built online. Nobody ever saw him or her, nobody knew his actual name (and since it looked Chinese, he was not Chinese, folks), where he lived, where he worked, what he was doing, whether he was working full time as a developer or was just a hobbyist, etc. A full ghost engineered his way up to the top without even bothering to attack the most important projects — not even his target project — but one of the thousands of side projects made of thin ice upon which a whole ecosystem relies by design.
The security of a whole ecosystem running hundreds of billions of dollars of business is basically broken, and it is not fixable because that's how it works by design. The anonymity and mental health issues of maintainers are the norm for folks who are not compensated for their work but are "paid" with exposure, credits, pats on the back, and some blog posts; they struggle to stay relevant and are constantly threatened with being replaced by another Mr. Nobody who will be consumed until he breaks down.
This is astonishing, and I can tell you this drama cannot be fixed by burying this fiasco under a pile of blog posts by people holding forth with clever analysis to stay relevant themselves and gain a little exposure while the elephant in the room destroys everything.
Folks, this is totally unfixable, and this fiasco cannot be buried under the carpet. This is a total red alert.