Changelog News

Who in the world is Jia Tan?

Apr 1, 2024

Discover the backdoor in LibLZMA affecting OpenSSH, supply chain attack targeting XZ, mysterious GitHub user Gia Tan, struggles of project maintainers finding successors, and unsustainable small OSS libraries.

09:53

Creator website

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The discovery of a backdoor in LibLZMA exposes vulnerabilities in open-source software supply chain.

Debate on unpaid maintainers highlights challenges in sustaining interest and community involvement in foundational OSS libraries.

Deep dives

The Uncovered Backdoor in LibLZMA (XZ)

The big story discussed in the podcast revolves around the discovery of a backdoor in LibLZMA, known as XZ, a compression library used by open SSH. The backdoor was identified by a Microsoft researcher on Debian installations, leading to significant CPU usage during SSH logins. The incident highlighted the exploit nature, deployment methods, industry implications, and community responses. The maintainer of XZ, Lassie Colin, found the backdoor in versions 5.6.0 and 5.6.1, indicating a supply chain attack with potentially severe consequences for Glib C based systems.

Introduction

2min

Exploring a Supply Chain Attack and AI-Powered Auto Fix for Code Debugging

3min

Unveiling the Mystery of GitHub User Gia Tan and the Attack Process

2min

Challenges of Passing on Projects and Unsustainability of Small OSS Libraries

3min

The big story right now is the recently uncovered backdoor in liblzma (aka XZ) – a relatively obscure compression library that happens to be a dependency of OpenSSH.

This incident is noteworthy for so many reasons: the exploit itself, how it was deployed, how it was found, what it says about our industry & how the community reacted. Let’s dig in!

View the newsletter

Join the discussion

Changelog++ members support our work, get closer to the metal, and make the ads disappear. Join today!

Sponsors:

Sentry – AI-powered Autofix debugs & fixes your code in minutes. Give it a try… oh, and don’t forget to use code CHANGELOG when you sign up for Sentry to get $100 off their team plan. ✊
Tailscale – Adam loves Tailscale! Tailscale is programmable networking software that’s private and secure by default. It’s the easiest way to connect devices and services to each other, wherever they are. Secure, remote access to production, databases, servers, kubernetes, and more. Try Tailscale for free for up to 100 devices and 3 users at changelog.com/tailscale, no credit card required.

Featuring:

Jerod Santo – GitHub, LinkedIn, Mastodon, X

Remember Everything You Learn from Podcasts

Save insights instantly, chat with episodes, and build lasting knowledge - all powered by AI.

Changelog News

Who in the world is Jia Tan?

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

The Uncovered Backdoor in LibLZMA (XZ)

Debate on Unhealthy Relationship Between Unpaid Maintainers and Companies

Remember Everything You Learn from Podcasts