If you work in the tech sector you’ve almost certainly already seen the story about the planted security vulnerability discovered in xz. Most of the discussion I’ve seen around this so far has been suggesting that this is a problem that open source software presents, implying that for profit, closed source software is different.

Of course this is yet another reminder of how creators and maintainers of open source software tools are not being supported to continue their work, especially by the companies that use their software. But there’s another important dimension: we really only learned about this story because xz is an open source software project.

Andres Freund is a software engineer who discovered this vulnerability seemingly by chance. He is very humble about it, but his expertise as a software developer primed him to notice the problem and to report it in a responsible way. Are large corporations immune to bad actors planting security vulnerabilities in closed source proprietary software? Nope. In fact, these vulnerabilities are valuable.

The difference is when this happens in closed source software we hear about it as a critical vulnerability after the fact. The exploit is patched and life (hopefully) moves on. But we very rarely hear about how the bug was created, or have any window in on how or why it happened.

The difference with open source software is, well, it’s open. Freund and others like Evan Boehs were able to examine the public Github repository, and try to piece together what happened.

Sadly, Microsoft’s reaction to the news was to remove the GitHub repository from the public web. This means that all this evidence is now hidden from view.

Freund’s email to the oss-security discussion list contained links to the GitHub repository:

Now these are now all broken. However it’s heartening to see that someone had the foresight to archive these using the Internet Archive’s Wayback Machine’s Save Page Now feature: