We all know about the xz backdoor. Big news, very scary, got really lucky, etc.
Legitimate question: is what Jia Tan did illegal?
Ignoring that “Jia Tan” is probably a team and will never likely be caught, etc, is it illegal to deliberately plant a backdoor into software? Jia Tan was an authorized maintainer of the repo. All of their changes were made in the open (except that one .m4 file, but post-build tarball modification isn’t uncommon in open source).
No question, actually exploiting the backdoor would violate any number of laws, but the more I think about it, the more I think embedding the backdoor, while shady as hell and certainly unethical, may have been perfectly legal, even by US CFAA standards.
If you don’t think it’s legal, what law did they violate? Is it illegal to add unwanted features to code you legitimately maintain? What about undocumented features? What about bugs? Where is the line?
I see people talking about the FBI going after him, etc, but I’m not even sure what they’d charge him with.
