What we need to take away from the XZ Backdoor (openSUSE News)
Dirk Mueller has posted a lengthy analysis of the XZ backdoor on the openSUSE News site, with a focus on openSUSE's response.
Debian, as well as the other affected distributions like openSUSE, are carrying a significant amount of downstream-only patches to essential open-source projects, like in this case OpenSSH. With hindsight, that should be another Heartbleed-level learning for the work of the distributions. These patches built the essential steps to embed the backdoor, and do not have the scrutiny that they likely would have received by the respective upstream maintainers. Whether you trust Linus Law or not, it was not even given a chance to chime in here. Upstream did not fail on the users, distributions failed on upstream and their users here.