[$] PyTorch and the PyPI supply chain

Post Syndicated from original https://lwn.net/Articles/919588/

The PyTorch compromise that happened right at the end of 2022 was rather ugly, but its impact was not widespread—seemingly, at least. The incident does highlight some of the perils of relying on an external “supply chain” for the components that are used to build one’s software. It also would appear to be another case of “security researchers” run amok, though perhaps that part of the story is only meant to cover the tracks—or ass—of the perpetrator.