The Git repositories of XZ projects are available on GitHub again (github.com/tukaani-project)
100 points by stux on April 9, 2024 | hide | past | favorite | 16 comments


The actual maintainers of the repo seem to take the position that all "Jia Tan" commits are backdoor-free unless proven otherwise, so most of his commits still stay (as they* did a LOT of actual, real work on the repo).

I am curious what people think about that. It's still around 30k lines of code made by a known malicious entity, looking at git blame. However, it seems mostly fine?

* plural "they" ;)


> I am curious what people think about that.

If someone wants something done right, FSVO right, they can do it themselves.


Wanting to do something right is permission to do so in a world of standards but not in a world of free reference implementation in lieu of a standard.


I'm surprised that this implementation of xz written by... well... random people has been adopted so widely. I would've expected a more 'industrial' implementation managed by Google or Meta or something, but there isn't one.


Compression algorithm implementations are not for everyone.

The math and algorithms behind it are fun to learn but hard. And then you need to implement it both performantly and correctly.

Only a few people build up the algorithmic background to do this. And the gains once an implementation is there are marginal (optimizations).

The only larger one seems to be zstd, and I haven't wrapped my head around ANS/tANS...


I'm still baffled xz took off so massively in the first place. The USP seems to be existing LZMA compression but made significantly more fragile and prone to never decompressing again.


This is very much the well-known reality.


I notice that user JiaT75 is still the second biggest contributor of the project. Interesting that his account is still alive.


Having your code reverted only decreases your contribution metric in the sense that the denominator grows but it's someone else's (the reverter's) numerator: it's based on commits, not git blame.


yeah, so maybe Jia should get maintainer rights after all /s


You are all quick to judge here; let's not forget the presumption of innocence.


I think that's what got xz into trouble in the first place.


Nice try rvnx... or should I say... JiaTan! /sarc


I doubt that the NSA would condemn themselves. So it could be that they stay innocent forever.

Intriguing that Microsoft didn't disclose the IPs, intriguing that the actors use mostly American services, some obscure American VPN as well, etc.


> > let's not forget presumption of innocence

Are you trying to be sarcastic?




