Richard Stallman Was Right and What Happened in XZ Wasn't a "Linux" or Free Software Problem, It Was Social Engineering (This Happens in Proprietary Software Too and, in This Case, It Was Enabled by Microsoft's Proprietary Social Control Media Disguised as 'Codeforge')
The truth isn't convenient to snakeoil vendors and charlatans who speak of "secure" boot while using proprietary GitHub (controlled by NSA)
THE Web - and even Geminispace - is already full of articles on this topic (we caught and collected about 100 so far; obviously there's lots more, not only in English). We've had plenty of time to assess and digest the facts, not the drama, and we want to remind readers that Richard Stallman (RMS) used to include in his talks (over 10 years ago) a section on how people who worked for Microsoft in Asia put back doors in the code and then got caught. It is possible more existed and never got caught.
RMS was right. He spoke about back doors well before the Edward Snowden NSA and GCHQ leaks. Techrights already included links to such RMS talks in 2008. Maybe even 2007. This is well documented, both in text and in videos.
So headlines such as this are misleading:
No, it's not a "FOSS" or "Open Source" issue; "This also happens in proprietary software, but unreported to us," as the above says. They try to cover this up and we cannot see commit details/author, so who the heck knows the full, ugly truth? The PR people? Whose task is to belittle or hide embarrassments?
An associate of ours insists that the xz incident was essentially social engineering; "other projects have lone developers, meaning that the code is more vulnerable because only a single person needs to be replaced / cancelled to get at the repository."
We don't suppose that in the sea/ocean of hundreds if not thousands of blog posts people will notice, but in the first day of us writing about it the primary article got 1618 non-bot reads and in the sister site 1696 non-bot reads. Sadly the loudest and best funded sites get more visibility. The crowd in Phoronix Forums shouts down pro-Linux people now (we saw that!); Phoronix itself plays a considerable role in pro-Microsoft propaganda and some of the FUD, including the above (Phoronix increasingly sucks basically).
When it comes to xz, we've reached the point of topic fatigue, so no matter how important or valuable a contribution people have to this issue, not many people will pay attention anymore due to the volume and the perception that consensus about it is old and settled.
Our associate explains that Microsoft is "hyping xz to FUD the open source development model in general and the resulting software specifically. Though there is a problem: Debian failed to drop xz when the number of active developers on it went down to 1."
"A well-practiced preventative method would have stopped the bug in its tracks. Do like OpenBSD does and have two other developers review and audit each patch. So that sets the minimum level at 3 for any project to stay in use. Simply put, the mistake is also technical as xz is an inferior archival format compared to other compression methods. So three strikes there."
We will once again write regarding the xz incident (it's hyped up for several reasons) when the dust 'settles', but having seen several sites that borrow from old tactics ("heartbleed"), that might take weeks. "Log4j" (or Shell) was still mentioned years after it had been patched and the Linux Foundation gleefully participated in the FUD. Yes, for years! Remember what they're trying to sell (clue: not Linux).
An associate thinks it'll be a few days before it is timely to "analyze the xz incident", but maybe that's optimistic. "Mostly it is the reaction and spin which should be examined," he said. We still collect links and we will use those later (we add many "Ed" or editorial comments along the way, so it is annotated a bit).
For the time being people can see the editorial comments... (these comments try to rebut key points, repeatedly, in few words) █