So, a backdoor was discovered in xz, a piece of compression software whose library (liblzma) is widely distributed and used all over the Linux ecosystem. I'm not going to do a deep dive on the technical side of the issue now.
Instead, I want to talk about the perception that open source software is less secure. A few people have chimed in on this, and some even suggest that proprietary or closed source software is *more* secure.
In the case of xz, the main software was basically complete, leaving things like bug fixes, minor features and cleanup, which aren't so sexy but are critical to staying active as a project. This made it challenging to attract and retain contributors, and indeed it seems there was one main steward who was doing this as a hobby, leading to them being stretched thin and stressed. As his nerves were running down, an interested community member started to contribute, eventually building some goodwill and agreeing to take over at least some of the stewardship of the project. This was a relief to the current steward, who was a bit burned out.
This "new community member", however, was in reality a threat actor, who had managed to become trusted and take over the project before injecting some nastiness into it. What I don't understand is the stance that this is an open source issue. There are many examples of things like Android apps getting popular, growing a decent installed base and then basically going into maintenance mode, which isn't exciting. So small developers or small companies sell their app, and the buyers release a few innocent updates before adding crypto miners or other malware. Nothing about that attack depends on the source being open; it depends on trust in whoever holds the keys to the next release.
The lesson we should draw here is that any project with fewer than a couple of main contributors is susceptible to something like this, and not that open source is an issue. No matter how widely USED a tool is, the health of a project should be judged by how big the active contributor pool is, and how robust it is: who can push a release, and how many people would notice if one of them went rogue or was replaced.
Now, I do think open source has a funding issue. I'd say for large and well used projects, having some of the companies who benefit from the software make contributions to its ongoing maintenance in one way or another makes sense. Would our xz steward have been less stressed if he'd had a few thousand dollars pushed his way? It would have given him options, like hiring someone to help either at his day duties (to free up time) or putting bounties on tasks, while conserving his time for review and co-ordination.
There are other gaps, like publicly reproducible builds: if the release tarball had been checked against what `git archive` produces from the tagged commit, it would have exposed the build script the attacker added to the tarball that is not in the source control system. That tarball-only file is what wired the backdoor into the build.
In this case, the issue was uncovered by a single annoyed tech person who noticed that something in a workflow the tool was part of had become slightly slower and started digging.
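The check described above, as an added example that is not part of the original post or of the xz project: list the regular files in a release tarball and report any that the source tree it claims to come from does not contain. The source tree, the tarball and the extra file (`m4/extra-helper.m4`) are all constructed in a temp directory so the script runs offline; in practice `SRCDIR` would be a checkout of the tagged commit, and `find` can be swapped for `git ls-files` to ignore untracked local files.

```shell
#!/bin/sh
# Added example: detect files a release tarball carries that the
# corresponding source tree does not. Scenario data is constructed here.
set -eu

# tarball_extras TARBALL SRCDIR
# Print the regular-file paths present in TARBALL but absent from SRCDIR.
# Paths are taken relative to the tarball's single top-level directory,
# the usual "name-version/" layout of a release tarball.
tarball_extras() {
    tarball="$1"
    srcdir="$2"
    tmp=$(mktemp -d)
    # Tarball members: drop directory entries (trailing "/"), strip the
    # leading "name-version/" component, sort for comm(1).
    tar -tzf "$tarball" | grep -v '/$' | sed 's|^[^/]*/||' | sort -u > "$tmp/tar.lst"
    # Files in the source tree (stand-in for `git ls-files` on a real checkout).
    (cd "$srcdir" && find . -type f | sed 's|^\./||' | sort -u) > "$tmp/src.lst"
    # comm -23 prints lines that appear only in the first sorted file,
    # i.e. paths the tarball has and the tree does not.
    comm -23 "$tmp/tar.lst" "$tmp/src.lst"
    rm -rf "$tmp"
}

# make_demo DIR
# Build a constructed scenario under DIR: a tracked source tree and a
# release tarball of the same files plus one hypothetical extra m4 file
# that exists only in the tarball. Prints the tarball path.
make_demo() {
    root="$1"
    mkdir -p "$root/src/m4" "$root/stage/proj-1.0/m4"
    for f in configure.ac Makefile.am m4/ax_check.m4; do
        printf 'tracked content\n' > "$root/src/$f"
        cp "$root/src/$f" "$root/stage/proj-1.0/$f"
    done
    # The file only the tarball has (hypothetical name, constructed content).
    printf 'generated at release time\n' > "$root/stage/proj-1.0/m4/extra-helper.m4"
    tar -czf "$root/proj-1.0.tar.gz" -C "$root/stage" proj-1.0
    echo "$root/proj-1.0.tar.gz"
}

# Stand-alone run: build the scenario and print whatever is tarball-only.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    tb=$(make_demo "$d")
    echo "Files in $tb not present in $d/src:"
    tarball_extras "$tb" "$d/src"
    rm -rf "$d"
fi
```

Run it with `--demo` to see the constructed extra file reported. An empty result means every file shipped in the tarball is also in the tree; it says nothing about whether tracked files were modified, so a full comparison of contents (for example `diff -r` against an unpacked `git archive`) is still needed.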