Maintainer panel: Hear from maintainers in a post-xz utils backdoor world

A few weeks ago, a very sinister, sophisticated hack was uncovered in an obscure but ubiquitous Linux library called xz utils. 

Though not unusual for someone to try to hack a popular open source project like xz (see: eventstream, colors.js in the past), what was especially disturbing about this attack was that the hacker, under the name Jia Tan, posed as a benevolent contributor for years, slowly gaining the solo, unpaid maintainer’s trust, until he handed over the keys to the project.

This caused shivers throughout the entire open source community. 

This attack was especially scary for maintainers who depend on community contributions to keep their projects going. Not only did this hacker pose as a helpful contributor, but they also created multiple accounts, using some to actually bully the maintainer, who said he was suffering from mental health issues, into accepting Jia Tan’s contributions. 

In light of this entire xz utils backdoor situation, we think it’s especially important to hear directly from maintainers themselves, who support  open source infrastructure which, according to a Harvard study, is a worth $8.8 trillion.

On April 12, we gathered together a group of maintainers representative of the Java, Javascript, and Python communities to hear how they were faring in the wake of the xz backdoor. 

• How did this xz utils backdoor affect their projects? Spoiler alert: many package managers, like npm, and some Python libraries used xz to unpack their projects.
• Will this horror story change the way they vet contributors to their projects? And, if so, will this have lasting effects on the diversity of contributors?
• Succession planning is rarely something that’s discussed in the open source world but should we be talking about it more? What are responsible ways to handle it?
• And more!

In this chat, moderated by Tidelift VP of product Lauren Hanford and CTO Jeremy Katz,  you’ll hear from Jordan Harband, maintainer of hundreds of open source packages in the Nodejs space; Gary Gregory, a prolific maintainer in the Java space; Alex Clark, maintainer of Python’s Pillow; Val Karpov, maintainer of Mongoose; and Seth Larson, maintainer of urllib3.

You should check out the entire discussion because it’s especially vital we hear directly from open source maintainers as we think about how we are going to stop hacks like this one in the future.