A few days ago, a vulnerability in xz-utils named CVE-2024-3094 was discovered, and since then the open source community as well as security pundits fall over themselves and each other to provide the best analysis of this incident. Don’t worry, this post isn’t another one of those. Because while all the speculation about what motivates such a long-term attack is fun, the underlying issue is way, way simpler. In a tweet1, Heather Adkins of Google posted an “unpopular opinion: if your hob...
