I have been following the XZ backdoor vulnerability story with interest. Not just because I use Linux and therefore it affects the technology I rely on, but also because I’m interested in the people and processes that underpin open source software, and software development in general.
Linux has relied on volunteer contributions from the start, and in general that fosters a collective sense of responsibility for delivering a great product that meets the needs of the people who use it. But there is also a risk that there won’t be sufficiently skilled volunteers to do what needs to be done, or that the expectations of users cannot be reasonably delivered by volunteers who are likely to also be juggling a paid job and family responsibilities.
This issue has highlighted those risks, but it has also been a great example of a community coming together to quickly fix an issue in a way a commercial organisation probably never would. By working in public, being transparent, and delivering value quickly, the community has proved that this development and support model can work, but also that there are lessons we can learn about culture, contributor burnout, and how we can continue to release value at pace whilst at the same time maintaining the integrity of the product.
I don’t have answers, but it’s good to see people pulling together, and I do think we’re probably living through history right now.
I also think the standard is being set for documentation related to this kind of issue. These are the pages I’ve bookmarked in relation to this, either to keep up to speed with developments, or to highlight what good practice looks like when it comes to being curious enough to shine a light on things that don’t look right: