
Forums before death by AOL, social media and spammers... "We can't have nice things"

   alt.os.linux.slackware      I think it's the one without Selinux crap      87,272 messages   


   Message 86,631 of 87,272   
   Rich to Sam   
   Re: Heads-up Slackware-current users: CV   
   01 Apr 24 12:45:43   
   
   From: rich@example.invalid   
      
   Sam  wrote:   
   > Henrik Carlqvist writes:   
   >   
   >> Yes, this was even more sneaky. A malicious user has spent a couple of   
   >> years to gain the trust to become co-maintainer of project xz. This   
   >> malicious user "Jia Tan" could sign his commits and release packages with   
   >> GPG keys probably built only for the purpose of a fake "Jia Tan" account.   
   >   
   > Someone dug up ample evidence that "Jia Tan" is a composite entity.   
      
   Given the two year confidence game in building up trust in order to   
   become a "maintainer" to then insert the very hidden backdoor, "Jia   
   Tan" looks a lot like an "attacker(s) for hire" and in reality looks   
   like a state sponsored individual/group operating for pay.   
      
   While possible, it seems unlikely that any single individual would be   
   both a sufficiently good "confidence man" to run the two year op to gain   
   privilege, and also simultaneously be enough of an elite hacker to so   
   effectively obfuscate the trojan horse deep in the XZ distribution   
   tarball.  The obfuscation level itself is nearly to the level of Ken   
   Thompson's "Reflections on Trusting Trust" [1].  The fact that having   
   both in a single individual is unlikely implies a composite "entity" as   
   the one responsible.   
      
      
      
   [1] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_RefectionsonTrustingTrust.pdf   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   



(c) 1994,  bbs@darkrealms.ca