[$] Free software’s not-so-eXZellent adventure

Post Syndicated from corbet original https://lwn.net/Articles/967866/

A common theme in early-days anti-Linux FUD was that, since anybody can
contribute to the code, it cannot be trusted. Over two decades later, one
rarely hears that line anymore; experience has shown that free-software
communities are not prone to shipping overtly hostile code. But, as the
backdooring of XZ has reminded us, the embedding of malicious code is,
unfortunately, not limited to the
proprietary realm. Our community will be busy analyzing this incident for
some time to come, but clear conclusions may be hard to come by.