People were pressuring him to hand over maintainership while expressing disappointment at the slow pace of development.

Very likely that was part of the attack as well.

I agree with that assessment, I’m not accusing Collin of anything. If it is what it seems to be then I feel very bad for him. Just being cautious with wording until things are more settled/until we know more is all.

”Finding a co-maintainer or passing the projects completely to someone else has been in my mind a long time but it’s not a trivial thing to do. For example, someone would need to have the skills, time, and enough long-term interest specifically for this.” - https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html

As someone who runs a charity almost completely solo because of a lack of volunteers, I feel this so much in my bones. It’s one thing to say, “Hey folks, I can’t run this on my own, I need help” but it’s another to find people who actually have the level of skill, committent, passion and integrity to contribute in a meaningful way. I can get people putting their hands up but I’ve lost count of the number of people who have then turned around and said, “Oh, actually I realise now I don’t have time for this” or start in great and then just ghost me. It also takes more of my own time and energy, on top of what I’m already doing’ to onboard and train people and it sucks so hard when I do that and then people disappear shortly after - I constantly have to question whether the time it takes to do that will be worth it vs just continuing the struggle by myself.

When you get consumers being arrogant and demanding, getting angry at you for taking too long to respond to their messages or not work fast enough… it’s soul crushing. Way too many people take volunteer work for granted or assume you’re getting paid for your time and can therefore treat you like a working-class pleb or are plain just fucking rude and entitled. :( APPRECIATE YOUR VOLUNTEERS FOLKS! We need more volunteers, and appreciation. Many hands makes light work.

Damn. The amount of unpaid work for something so crucial to todays communication is staggering. I always make sure to pass parts if the donations I receive (not a lot) upstream.

I have the horrible feeling that very few people who use FOSS software and could actually donate some money at least dont do this. Do we have any numbers for this?

Reading that made me sad, angry and scared. Great article, but terrifying.

That’s a heartbreaking read, and I can’t imagine how it feels now to know that someone who finally helped lighten the load may be involved with such an egregious breach of trust and safety.

I think this is why I can’t get behind Linus-style takedowns, even if the prospective maintainer has made bad a mistake. Entitled consumers make things hard enough already with direct access to the developers, they don’t need any help getting burned out.

I hadn’t seen that particular one before, so thanks! I guess I was one of the lucky 10,000.

Its best you actually find an info dump on the situation as it’s not really something that can be tldr’d

This is as much tldr I could find. https://boehs.org/node/everything-i-know-about-the-xz-backdoor

You realise that this comment is exactly part of the problem of why this happened, right? 🤦🏻‍♀️

Do you think being maintainer makes you some kind of all knowing being? That’s not how that works. You write code and review code of others.

If there are multiple maintainers, you may obviously not even notice what another maintainer is doing; then you wouldn’t need multiple maintainers with write access if you could handle it all by yourself.

I suggest you read a little in how the backdoor was implemented. It wasn’t as obvious as you think. I personally don’t think the owner had anything to do with it.

Who’s paying him? Seriously:

• If nobody is, then we got our value’s worth.
• If someone is, then we should look at who, how much, and why.

If I were the co-maintainer of a project I wouldn’t suspect that the person who had been actively contributing for over 2 years had injected malicious code into a binary file to distribute in the tarballs. “Jia Tan” had already gained Collin’s trust by then