Does everyone understand how much luck was involved in this exploit in #xz being discovered so quickly? And, what it tells us about the attacker?
This was a subtle and sophisticated attack implemented over _years_. The attacker was made a co-maintainer two years ago, and they made numerous innocuous-looking and seemingly unrelated changes over that time, sometimes through a second account, that eventually added up to a backdoor. Along with many innocent commits, too. #Linux
This was someone's job, someone paid for all that time devoted to the project, and it would have been incredibly powerful if it'd gone undetected long enough to make it into major Linux distros' stable releases. How many other exploits are there in popular libraries maintained by one or two people? I have to assume far more than I would have guessed yesterday.
@noplasticshower that's an idiotic take. Given the same dedication to the problem, an attacker could get a job in industry and do the same kind of attack spread over several years. And, we wouldn't know about it, because some random PostgreSQL developer wouldn't have access to all the source to figure it out. I am 100% certain proprietary software is more exploitable via this kind of attack than Open Source.
@noplasticshower @swelljoe (I get paid for auditing open-source dependencies, actually)