Today, we launched the Open Source Pledge. Virtually all companies use Open Source software, making the Open Source ecosystem crucial to virtually all of the technology we use. That Open Source software is created and supported by maintainers. But the companies that use Open Source software almost never pay the maintainers anything. This means that the maintainers end up doing a huge amount of work for free, often as a second shift after their day job so that they can pay the bills, leaving them burned out and overworked, and leaving the projects they maintain at risk of serious security issues.
Threshold-based Reproducible Builds pluggable transport using your trusted rebuilders - kpcyrd/repro-threshold
Sharing things I learned something interesting from. Unlike my curated and maintained links, these are more one-and-done resources.
Secure Your Janky Systems, 2024 Edition Over the past year, I've been pentesting various systems, diving into a variety of web apps, mobile apps, IoT devices, desktop apps, and the occasional Active Directory network. Some were...
A brief story of how I got into Open Source
Six years, a prototype, and a brief multi-layered descent into “wronger and wronger” design—what does it take to land a major architectural change in Postgres? In Episode 31 of Talking Postgres, An...
Virtualization, tools and tips
Achieving Data Freedom Through Open Source and Rust
Open source components are getting compromised a lot more often. I did some counting, with a combination of searching, memory, and AI assistance, and we had two in 2026-Q1 (trivy, axios), after four in 2025 (shai-hulud, glassworm, nx, tj-actions), and very few historically [1]: Earlier attacks were generally compromises of single projects, but some time around Shai-Hulud in 2025-11 there sta
The future will have a lot more open-source software, written by machines but funded by people, giving better experiences and greater freedom to the consumer.
644 strangers in your package.json. The XZ backdoor was caught by one engineer noticing half a second of latency. Next time it might be 50 milliseconds. Next time it might be no perceptible drift at all.
Effective upstream-downstream relationship and Blink case study
Read That Before You Trust Anything by Microsoft Once Again
The Open Source Endowment provides truly sustainable funding for critical open source software through a community-driven endowment model.
How I structure five Obsidian vaults, enforce atomic notes through templated creation flows, and use frontmatter properties to turn notes into queryable databases.
I'm converting a Ram Promaster into a mobile vacation and hacking-mobile.
An opinion on the trend of content creators promoting Tmux and Zellij for desktop environments – and why these setups may miss the point.
For enterprise software, the software supply chain presents some of the biggest risks today to data privacy and security.
In March there was a particularly nasty supply chain attack targeting Aqua Security and their tools, including the widely used Trivy security scanner, which later spread to other projects. The attack was carried out by a threat actor named TeamPCP and began by exploiting an insecure GitHub Actions workflow that utilised the pull_request_target trigger – a type known to be dangerous and easily misused. Using this, they stole a Personal Access Token granting wider access to the aquasecurity org.
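To make the trigger misuse in the entry above concrete, here is an added illustration written for this page; it is not taken from Aqua Security's repositories or from any published write-up of the incident, and the actual workflow involved in the attack is not reproduced. The workflow names, the `SOME_TOKEN` secret and the `npm ci && npm test` step are placeholders. The first workflow shows the generic unsafe pattern: `pull_request_target` runs the workflow from the base branch, with the base repository's `GITHUB_TOKEN` and secrets in scope even for pull requests from forks, and then checks out and executes the fork's code. The second shows the hardened form.

```yaml
# UNSAFE (illustrative): pull_request_target + checkout of the PR head + running its code.
# The job executes attacker-controlled build scripts while repository secrets are available.
name: ci-unsafe
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Fetches the fork's commit, not the base branch: everything below runs untrusted code.
          ref: ${{ github.event.pull_request.head.sha }}
      # package.json scripts (postinstall, test, ...) now run with SOME_TOKEN in the environment.
      # SOME_TOKEN is a placeholder secret name for this example.
      - run: npm ci && npm test
        env:
          SOME_TOKEN: ${{ secrets.SOME_TOKEN }}

---
# HARDENED (illustrative): run untrusted code only under pull_request, with a read-only token.
# For PRs from forks, pull_request gives a read-only GITHUB_TOKEN and does not pass repository secrets.
name: ci-safe
on:
  pull_request:
permissions:
  contents: read      # explicit least privilege, even if the org default is already restrictive
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # checks out the merge ref in the fork's (unprivileged) context
      - run: npm ci && npm test     # no secrets are reachable from here

---
# If pull_request_target is genuinely needed (e.g. labelling or commenting on a PR from a fork),
# keep it to metadata operations: never check out the PR head, never run its scripts.
name: pr-triage
on:
  pull_request_target:
    types: [opened]
permissions:
  pull-requests: write
  contents: read
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5    # operates on PR metadata only; no checkout of fork code
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
```

A quick audit of an existing repository is to list every workflow that uses the privileged trigger, `grep -rl pull_request_target .github/workflows/`, and then inspect each hit for a checkout of `github.event.pull_request.head.sha` (or `head.ref`) followed by any step that builds, installs or tests that code. Each such combination is the pattern above, regardless of which package manager or build tool the step invokes.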
Welcome to the Bytecode Alliance
Blog about geeky stuff
With the version 2.2.0 of pcsc-lite I just released (see New version of pcsc-lite: 2.2.0) the recommended tool to configure and build pcsc-lite is now meson. Problems with autoconf/automake The chang
I was interviewed on NPR Planet Money about my small role in the Jia Tan / xz / ssh backdoor. NPR journalist Jeff Guo interviewed me for a whole 2 hours, and I was on the program (very edited) for …
I was interviewed on Veritasium about the rise of Linux and the XZ hack.
When the PostgreSQL project makes a release, the primary artifact of that is the publication of a source code tarball. That represents the output of all the work that went into the creation of the PostgreSQL software up to the point of the release. The source tarball is then used downstream by packagers to make binary packages (or file system images or installation scripts or similar things), or by some to build the software from source by hand.
I learn how to draw a triangle with a GPU, and then trace the code to find out how the graphics system works (or doesn't), looking at Mesa3D, GLFW, …
Dependencies are a huge supply chain security risk; the more of them you have, and the more often you update, the bigger the attack surface.
explain xkcd is a wiki dedicated to explaining the webcomic xkcd. Go figure.
The XZ Utils backdoor, discovered last week, and the Heartbleed security vulnerability ten years ago, share the same ultimate root cause. Both of them, and in fact all critical infrastructure open source projects, should be fixed with the same solution: ensure baseline funding for proper open source maintenance.
A transcript from the second PostgreSQL Extension Mini Summit, “Implementing an Extension Search Path”, by Peter Eisentraut.
How to secure critical open-source code against memory safety exploits by automating code hardening at scale
Open source spent thirty years winning the cost argument. AI is making that irrelevant. What replaces it (the agency argument) is still open.
Where do we go when the internet dies?
Hacking, hardware, software, and general curiosities of computing machinery! Docendo discimus.
This article is a small case study on introducing the Meson build tool into a legacy Autotools and Gnulib centric code base, i.e. the GNU Datamash project. With Meson, the result builds twice as fast and configures one order of magnitude faster while only requiring a few hundred lines …
In multiplication, to get a non-zero product, all factors must be non-zero. If one factor is 0, nothing else matters.
Software and digital security should rely on verification, rather than trust. I want to strongly encourage more users and consumers of software to verify curl. And ideally require that you could do at least this level of verification of other software components in your dependency chains. Attacks are omnipresent With every source code commit and … Continue reading Don’t trust, verify →
Open source communities depend on a fundamental assumption that is no longer true: the presumption of good faith actors. The hosts serving free and open source code are scraped relentlessly, denying service to developers. Once that code has been assimilated into various models it is washed of all attribution and license information, denying the rights of the developers. Some subset of users then feel empowered or emboldened (I’m not sure what exactly) by these models and lob massive thousand-line changes back at the developers. Nearly every technology has the possibility to be used for positive and negative effects, but free and open source communities are being harmed from multiple directions right now.
The White House requests an audit of the security of open source software. Part 2/3: automated auditing of projects.
A few people (and multi-billion dollar companies!) have asked for my response to the xz backdoor. The fwupd metadata that millions of people download every day is a 9.5MB XML file -- which thankfully is very compressible. This used to be compressed as gzip by the LVFS, making it a 1.6MB download for end-users, but...
On supply chain attacks, the cost of trust, and why free software is not the same as safe software
Open source taught us to share code. Let's share experience and good judgement instead.
curl, open source and networking
A malicious backdoor was discovered in the xz library, which implements LZMA compression. xz, among many other places, is used, indirectly, in sshd. My attempt to explain what happened.
This post is a start of a series I've planned about how packaging currently works in Python, what's wrong with it, and how to cope with the problems. But before I get into the meat of it, I want to ta
Research report on Fediverse microblogging server governance: risks and mitigations, moderation, server leadership, federated diplomacy, and governance tooling.
Danish software design
Project compromises have common root causes we can mitigate: phishing, control handoff, and unsafe GitHub Actions triggers.
A blog about making culture. Since 1999.
As the lack of updates might suggest, I’ve taken a break from my Tenchu: Stealth Assassins reverse-engineering/decompilation project. There’s a bunch of reasons for that and some of them are possibly relevant for whatever readership I have, so I figured I might as well write about them here.
A few busted upgrades and the heavy-handed push of a software packaging solution has ruined Ubuntu for me.