Thoughts of Our Group Projects

Our team had three meetings this week, one in-person in Wednesday’s class and other two online. For this week, our group explored two issues from github. For the gif animation bug, Brad requested for working on this 5 days ago, but he haven’t been assigned to this one till now. For the other text alignment issue, Robin shared his understanding in the comments. We are also trying to find some issues in this projects, as Rodin suggests that this projects seems does not support displaying Chinese characters, but as I researched that it is related to the font in this project. If we add a open source font that supports Chinese characters, then it is ok to display.

Does Open Source Mean Secure?

There is a huge incident in the open source community this Friday, the XZ Utils backdoor. The developer, JiaT75(Jia Tan), created an account in 2021. Then in April 2022, Jia Tan submitted a patch, and someone else requested Lasse Collin to add Jia Tan as a maintainer to XZ. In 2023, Jia Tan already gained trust completely, so he merged his code and started his malicious injection. After that, some mysterious accounts requested to add the vulnerable version of xz-utils in Debian. Until this Friday, Andres Freund, discovered this backdoor by accident.

From this incident, I have some thoughts about open source projects. First, I think open source does not mean “secure”. As we can see from this example, even open source software can also be maliciously injected. However, compared with closed source software, at least we have access to the source code, so open source is still more secure than closed source.

Second, as a widely used open source software, XZ is only maintained by very few developers. This is not an isolated scenario, many widely used open source software is only maintained by several developers. These developers invest their passion and time without expecting anything in return. So if someone wants to inject malicious code into these projects, as Jia Tan did, it is possible that other open source software already had the backdoor.

Finally, such an action will cause great damage to the open source community, it will cause the distrust of maintainers to developers. Maintainers may be suspicious of the developer’s motives for their behavior, even though they might be positive.