They haven’t particularly made a comment on the situation so much as acknowledged it’s happening. They seem to be going with the story that they had nothing to do with it and this is news to them. Hope to hear more from them soon so we can find out more about the situation, how and why this happened, etc.

(The sceptical tone isn’t because of disbelief of Collin, it’s because we don’t know enough about the situation to be able to say Collin is or isn’t telling the truth here.)

  • Alex@lemmy.ml
    link
    fedilink
    arrow-up
    25
    ·
    7 months ago

    Don’t be too hard on Collin. Looking back on the threads it’s fairly clear he’s been the victim of a social engineering attack on an overworked maintainer. People were pressuring him to hand over maintainership while expressing disappointment at the slow pace of development. The off-list contact by Jia must have seemed like a helpful enthusiastic solution to a burnt out developer.

    • 2xsaiko@discuss.tchncs.de
      link
      fedilink
      arrow-up
      24
      ·
      7 months ago

      People were pressuring him to hand over maintainership while expressing disappointment at the slow pace of development.

      Very likely that was part of the attack as well.

        • eveninghere@beehaw.org
          link
          fedilink
          arrow-up
          3
          ·
          7 months ago

          Sorry to hear your situation. I’ve heard a similar story from a friend, where cronies bully one “colleague” after another to push that poor person to the edge. These morons climb the company’s career ladder in that way, hacking the HR evaluation. It’s truly disgusting.

          • haui@lemmy.giftedmc.com
            link
            fedilink
            arrow-up
            3
            ·
            7 months ago

            Thanks for understanding. I didnt imagine a nice comment like this. :)

            In fact it was my company and an employee who I trusted worked behind my back to take over. When that didnt work he took off with company assets.

    • Zoop@beehaw.org
      link
      fedilink
      arrow-up
      7
      ·
      7 months ago

      Poor guy. My heart breaks for him. I hope people are understanding, compassionate, empathetic, and aren’t hateful and harrassing towards him about it, but, realistically… they likely will be hateful and harrass the poor dude, because some people are just sucky, entitled, and rude little jackasses (and I hate it so much and I don’t understand why people behave this way!) I hope he can find a way to handle it all okay. :(

    • communism@lemmy.mlOP
      link
      fedilink
      arrow-up
      5
      ·
      7 months ago

      I agree with that assessment, I’m not accusing Collin of anything. If it is what it seems to be then I feel very bad for him. Just being cautious with wording until things are more settled/until we know more is all.

      • UckyBon@lemmy.world
        link
        fedilink
        arrow-up
        7
        ·
        7 months ago

        I just made a similar comment in another thread here:

        I read a lot about how we should double, triple check all the code. But what we shouldn’t forget is to check up on our people too.

    • Thorned_Rose@kbin.social
      link
      fedilink
      arrow-up
      7
      ·
      7 months ago

      ”Finding a co-maintainer or passing the projects completely to someone else has been in my mind a long time but it’s not a trivial thing to do. For example, someone would need to have the skills, time, and enough long-term interest specifically for this.” - https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html

      As someone who runs a charity almost completely solo because of a lack of volunteers, I feel this so much in my bones. It’s one thing to say, “Hey folks, I can’t run this on my own, I need help” but it’s another to find people who actually have the level of skill, committent, passion and integrity to contribute in a meaningful way. I can get people putting their hands up but I’ve lost count of the number of people who have then turned around and said, “Oh, actually I realise now I don’t have time for this” or start in great and then just ghost me. It also takes more of my own time and energy, on top of what I’m already doing’ to onboard and train people and it sucks so hard when I do that and then people disappear shortly after - I constantly have to question whether the time it takes to do that will be worth it vs just continuing the struggle by myself.

      When you get consumers being arrogant and demanding, getting angry at you for taking too long to respond to their messages or not work fast enough… it’s soul crushing. Way too many people take volunteer work for granted or assume you’re getting paid for your time and can therefore treat you like a working-class pleb or are plain just fucking rude and entitled. :( APPRECIATE YOUR VOLUNTEERS FOLKS! We need more volunteers, and appreciation. Many hands makes light work.

      • eveninghere@beehaw.org
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        7 months ago

        Hell… As a researcher maintaining one technology on my own, I feel this. This is another reason one shouldn’t do things for free. There needs to be an incentive. And professionalism in the community. Sadly, both are hard to find…

    • TheHarpyEagle@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      7 months ago

      That’s a heartbreaking read, and I can’t imagine how it feels now to know that someone who finally helped lighten the load may be involved with such an egregious breach of trust and safety.

      I think this is why I can’t get behind Linus-style takedowns, even if the prospective maintainer has made bad a mistake. Entitled consumers make things hard enough already with direct access to the developers, they don’t need any help getting burned out.

    • haui@lemmy.giftedmc.com
      link
      fedilink
      arrow-up
      2
      ·
      7 months ago

      Damn. The amount of unpaid work for something so crucial to todays communication is staggering. I always make sure to pass parts if the donations I receive (not a lot) upstream.

      I have the horrible feeling that very few people who use FOSS software and could actually donate some money at least dont do this. Do we have any numbers for this?

      • eveninghere@beehaw.org
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        I am starting to believe that we shouldn’t rely on this type of labor product in the first place. Something as critical as OpenSSH should be (and possibly is) funded by the users and also NOT use third party libs because it’s dangerous, as this incidence showed. FOSS is free not as in beer.

        • haui@lemmy.giftedmc.com
          link
          fedilink
          arrow-up
          0
          ·
          7 months ago

          I‘m not sure what you‘re suggesting. Every piece of FOSS software is made by someone and the a lot of it builds on top of some upstream thing. Otherwise everyone would have to rebuild from scratch and FOSS would break down. Or am I missing your point?

          Also, you cant make every 16 yr old user pay for a foss product. Companies must be made to pay for foss and downstream teams must be made to send parts of their income upstream, no matter if they make enough.

            • haui@lemmy.giftedmc.com
              link
              fedilink
              arrow-up
              0
              ·
              7 months ago

              Mate, we are discussing on two different threads. Chill out. Maybe I didnt get your point so feel free to elaborate or leave it. Your choice.

              • abbenm@lemmy.ml
                link
                fedilink
                arrow-up
                0
                ·
                edit-2
                7 months ago

                Mate, we are discussing on two different threads. Chill out. Maybe I didnt get your point so feel free to elaborate or leave it.

                I think it would be really good if all of us on the internet agreed to a rule, which is that if you mischaracterize someone or misread them, it’s not that weird for them to want you to not do that. So I don’t think it’s fair to response to a comment correctly noting they are being mischaractized by going out of your way to try and make it about their emotions/mental state.

              • eveninghere@beehaw.org
                link
                fedilink
                arrow-up
                0
                ·
                7 months ago

                Yes. I simply think I already wrote what I needed to. The answer to your question is there. I guess it takes time to see my point.

                • ReversalHatchery@beehaw.org
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  7 months ago

                  You only said 2 things:

                  • we shouldn’t rely on free software made by free labor, and we need to say goodbye to some 60-70% or more of the software we use
                  • important software shouldn’t reuse code already made, they should reinvent the wheel and in the process introduce unique vulnerabilities and spend orders of magnitude more time doing that

                  None of these make sense in my opinion

  • ouch@lemmy.world
    link
    fedilink
    arrow-up
    8
    ·
    edit-2
    7 months ago

    Nothing so far seems to indicate Lasse Collin knew what was going on.

    I feel sorry for him. Must suck working on an open source project for free and then get sucked into something nefarious like this. He must be under tremendous stress.

  • SteefLem@lemmy.world
    link
    fedilink
    arrow-up
    0
    arrow-down
    12
    ·
    7 months ago

    Sorry but if the maintainer says it didnt know? Sounds fishy. Or just a bad maintainer.

    • Thorned_Rose@kbin.social
      link
      fedilink
      arrow-up
      11
      ·
      7 months ago

      You realise that this comment is exactly part of the problem of why this happened, right? 🤦🏻‍♀️

    • aksdb@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      7 months ago

      Do you think being maintainer makes you some kind of all knowing being? That’s not how that works. You write code and review code of others.

      If there are multiple maintainers, you may obviously not even notice what another maintainer is doing; then you wouldn’t need multiple maintainers with write access if you could handle it all by yourself.

    • RageAgainstTheRich@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      7 months ago

      I suggest you read a little in how the backdoor was implemented. It wasn’t as obvious as you think. I personally don’t think the owner had anything to do with it.

    • communism@lemmy.mlOP
      link
      fedilink
      arrow-up
      5
      ·
      7 months ago

      If I were the co-maintainer of a project I wouldn’t suspect that the person who had been actively contributing for over 2 years had injected malicious code into a binary file to distribute in the tarballs. “Jia Tan” had already gained Collin’s trust by then

    • jarfil@lemmy.world
      link
      fedilink
      arrow-up
      5
      arrow-down
      1
      ·
      7 months ago

      Who’s paying him? Seriously:

      • If nobody is, then we got our value’s worth.
      • If someone is, then we should look at who, how much, and why.