Does everyone understand how much luck was involved in this exploit in #xz being discovered so quickly? And, what it tells us about the attacker?
This was a subtle and sophisticated attack implemented over years. The attacker was made a co-maintainer two years ago, and they made numerous innocuous-looking and seemingly unrelated changes over that time, sometimes through a second account, that eventually added up to a backdoor. Along with many innocent commits, too. #Linux
