
The XZ hack

After reviewing (as many have) the details of the XZ hack episode, and the dire potential implications had it passed unnoticed, I really wonder: shouldn't ALL the dependencies of critical libraries like OpenSSH and others be elevated to some special status? It seems to me that those cases really need a different treatment when it comes to new releases.

I confess I'm not completely familiar with the new release process when it comes to these particular libraries, but it really feels that something is missing here, especially with dependencies that rely on the work and goodwill of a single maintainer. If the human factor IS the weakest part of the security chain, there should definitely be more resources and attention directed to supporting these people, and this subject overall.
