Xz: A microcosm of the interactions in open source projects

In the end you're only pressured as much as you allow yourself to be pressured.

"I don't feel like it, if it's important to you then feel free to fork".

That's really all that's needed. "I don't feel like it" is all the justification you need.

Some guy just made a compression tool, because some people like doing that kind of thing, or because it was useful for him. He didn't ask to be made "critical infrastructure" or to be responsible for the security of sshd or to have some business depend on it, or anything like that. No one even asked him.

The tiredness or other problems of the developer seems an easy narrative, but did anything actually happen that wouldn't in any understaffed open source project? A contributor shows up and does work for 2 years, I feel most projects would have given the person full project developer status by then.

Enabled by customers who don’t pay or donate.

Occams razor says that those commentators were not in on it; that pressure is common on all projects, there is no need to think that they were part of an attack.

In fact, Occam’s razor says that the malicious code was injected by a compromised account and not a malicious actor who spent years steadily getting into position to attack?

I often debate if I should go into the hacking world, best case I get bug bounties, worst case I get rich and I contribute immoral actions.

I think its far easier to make $3,000,000 as a hacker than a worker/entrepreneur.

Its way easier to find flaws/bugs than to do the entire Capitalism thing correctly.

Then I see that half of these major attacks required social engineering.... Maybe being a hacker is significantly easier. I only need to fool 1 person, there are a lot of people, and merit isnt exactly how everyone got to their position.

Anyway point being: People are amazed by hacking, they shouldn't be, its relatively easy if you are a mere 10 year programmer. Most of us pick relatively moral work, so the number of attacks are small. It is also why we really need to treat security on computers like its no stronger than your home's front door lock. There are too many attack vectors to be perfectly safe.

Well before that: letting a central lib and project to be maintained by a single tires burned out project dev (see xkcd2347)

Here’s the rub: peer pressure counts if done by peers. Users who subscribed to a mailing list only to campaign for a governance change are not peers. Longtime contributors who have earned street cred, can be.

(I guess in the case of xz, Jia Tan has earned the cred before going rogue; the one-off “maintainer needs to be replaced” campaigners, however, haven’t.)

Here's the deliciousness:

Let's take on face value that it was the Chinese, and that China is communist. I mean, "Kumar" and "Tan"? Maybe it wasn't, but it doesn't matter for my purposes:

They took an overworked peon of the capitalist enemy that provides a ...

... do I even need to expound? well it's fun ...

... collectively and idealistically produced common operating system "for the people"

... that is exploited and neglected by the rich and powerful, to a degree that society, not just computers, overall society operates on this operating system, and the profits from that are hoovered up by the powerful.

The communists attacked the exploited proletariat to get to the enemy. And they are forcing the enemy capitalists to either pay the proletariat properly (they won't) or continue to be vulnerable to the growing communist power in the far east.

That's what this distills so well, within a political/ideological conflict that has now spanned 100 years: capitalism vs communism.

To wit, a proper functioning capitalist system to reward market value for produced value would properly pass compensation to this poor soul, and incentivize others to help him. Barring that, a proper functioning government would recognize the public good of this and provide support to the core infrastructure software to enable other private enterprise to produce tax revenue.

THOSE AREN'T HAPPENING, so the Communists can attack this with impunity and in perpetuity.

Here's the thing folks, we've been living in, as they used to say "uninteresting times". Post-WWII Pax Americana, even the Cold War was basically peace, has been cranking for 80 years now.

People, that is coming to an end:

- Russia / China are destabilizing demographically and simultaneously becoming militant and totalitarian

- Global Warming will ramp up the pressure on populations, food shortages, production

- The US will likely retreat to a more regional focus as production is onshored, regionalized (or at least centralized to our hemisphere)

There's going to be more state conflict, the Ukraine war is just the beginning. The world stakes are rising.

You dont need to wonder. Any long term maintainer of even semi popular open source projects will tell you that engaging with the peanut gallery is completely counter productive.

Engage with people that have earned it in your eyes, whether by contributing to your project via code, assets, bug triage, writing a good and effortful bug report, whatever. Just ignore what the larger internet has to say about you and your creations.

Even writing it down here I'm worried I sound like I'm trying to curate a closed community of ego-boosting yes men.

There's this weird trend that's been happening for some time now that tries to make non-fully-open groups look wrong, but honestly, has anything ever actually been done by such open groups? As far as I can tell, "closed community" is a necessary (but not sufficient) condition for any kind of quality creative output (this includes individual projects as single-person closed group). Having a core of creators surrounded by distinct group of fans and secondary contributors is a natural organization that forms spontaneously.

My layperson’s opinion is that anything to do with gaming is particularly riddled with people that interact poorly with maintainers. Again, purely my opinion: gamer culture invites a particular sort of Dunning-Kruger-prone ‘power user’ type. Every gamer community carries with it a corpus of baseless, fictitious, technical information. “The developers didn’t do this because x”, “it’s ridiculous that they didn’t just y”, “They just aren’t listening to users!”

I’m not much of a gamer at all. But the once in a blue moon where I dip my toes in, it’s not that long before I’m met with a forum post or reddit comment making some technical assertion that sounds incredibly presumptuous if not downright incredibly unlikely.

The points you make aren't unreasonable.

It is necessary to establish clear boundaries of what can and can't be provided by the maintainers. If not done at an earlier stage of the project, the support burden becomes too much to bear at which point the maintainer transfers ownership, and the project suffers from catastrophic consequences such as the xz backdoor we're talking about here, or other cases where the project mostly stalls and serves as an ego-boosting platform for the new maintainer, as was the case with PhantomJS[6] before it was shut down.

This can also happen in your life, where a "friend" sees that you possess a certain skill, and then gradually tries to push an inordinate amount of their personal work related to this field onto you.

Personally, I think it's best to use an approach with extremely clear communication as to what the maintainer can and cannot provide. This can be seen, for example, in yt-dlp[1], where the consumer is clearly informed upfront that not providing detailed information as requested will lead them to block said consumer; or sqlite where their position regarding contributed patches[2] and support[3] is similarly made clear.

Having a shouty BDFL like Torvalds can also help improve code quality[4] and questionable contributions[5], though it is better that the shouty BDFL makes statements that are professional and do not show as much aggression; so for example, "Mauro, shut the fuck up"[7] would become "Mauro, your response is completely unbecoming for a Linux kernel maintainer, and is not in line with the promise of not breaking userspace."

[1] https://github.com/yt-dlp/yt-dlp/issues/new?assignees=&label...

[2] https://www.sqlite.org/copyright.html

[3] https://www.sqlite.org/support.html

[4] https://www.theregister.com/2024/01/29/linux_6_8_rc2/

[5] https://cse.umn.edu/cs/linux-incident

[6] https://github.com/ariya/phantomjs/issues/14541

[7] https://lkml.org/lkml/2012/12/23/75

Usually, I try to use projects in languages I work with so if the issue is not important enough for me to make a PR, then it’s not important enough. One thing I wish were possible is to sponsor an issue. I don’t usually sponsor open source projects, but I would likely sponsor a lot of issues just to speed up resolution. I think this could move a lot of projects in the right direction. Depending on difficulty, the maintainer could define a budget to have it in the roadmap with a reasonable timeline defined by them, maybe measured in quarters.

I've been thinking about contributing to some open source projects, and starting a couple of things of my own, and the community aspect is a significant downside for me, and I say that as somebody who was quite active in several open source projects and things like the IETF years ago.

I'm not saying the community shouldn't be there, it's just that the barrier to entry is so low, that people can "contribute" with very little effort, that's become a significant problem as Internet usage (and acceptance of shit-posting trolls as just being a cost of anything online), so the signal/noise ratio is awful and we end up in an easy slide to controversy and spite and the good actors wanting to walk away.

I think this is why I don't do social media any more. I think it's why I'm not on the mailing lists I once was, or have interest in discord or a great many open community sites. It's just exhausting. HN, slashdot and some group chats in Signal with people I have known for many years is the closest I get to anything like that any more.

I've thought about doing some blogging without comments and a means to contact me directly another way privately. I've thought about making contributions to other projects with my only conversations being about my own commits, but that doesn't work for leading my own projects if I want to be "nice".

I think leading a project for me might involve _not_ letting others contribute to my version without clearing some arbitrary bar. No mailing list, no discord, no developer community. That doesn't feel optimal on some metrics, but it might be optimal for the metrics I care about.

I'm always surprised at how much developers and maintainers will willingly put up with. For example, if you visit the Matrix feed for the Asahi Linux project, you'll see hoards of trolls and time-wasters that are regularly engaged by Asahi team members who are giving them the benefit of the doubt, when they really should be removing those posts without comment or acknowledgement.

I believe this masochistic behaviour stems from a combination of both general optimism and dedication to a particular cause. The more that developers are passionate about what they are doing, the more they are willing to engage with the peanut gallery.

Boomer hat: it's just toxic positivity, and the frustrating trend lately of assuming that everyone is equally skilled when writing software. Everyone's input is valid, or else you're just being negative and overly critical.

I'm not saying everyone need to be Linus Torvalds circa 2012, but I do think more people need to be a bit less precious and sensitive, especially when receiving direct communication about their abilities.

You don't need ego-boosting yes men, you just need to work with more experienced folks, and that's okay. But the problem is that there is an army of people online who will take offense to that, and I don't know what the solution is. Best of luck.

Thank, you for participating in the open source community by sharing your opinion. Your contribution is valuable but not consistent with the direction we are currently going in at this time. Please don't let this stop you for further participation.

There's a natural belief that unless someone is egregiously out of line, all discussion around a project from users is allowed, even encouraged.

I mean sure, but how do you intend to stop people? You can't stop them from setting up a forum somewhere.

This is why github discussions is useful though. A feature request in a ticket is something that needs to be handled. A feature request in a discussion is just some users talking about stuff they think would be cool.

Thanks for writing this! Your comment and the article have prompted me to explicit the social contract for my Open-Source project: https://github.com/cljoly/.github/pull/4/files#diff-eca12c0a...

With a personal repo I maintain, I once had someone look me up on linked in, and then file a support ticket with my employer demanding I reply to his issue on github. He was asking for handholding following a clearly documented process and ignored all the warnings.

Needless to say, I did not assist him in any way and closed the issue as wontfix.

I've also had people demand that I expand the narrow scope of my project to cover a whole class of devices with completely different APIs, instead of the sole focus on the series from the same manufacturer of devices I own and use. Closed as wontfix as well with a clear statement that I will not be expanding the scope, but am more than happy to link to their project covering it.

Apologies in advance for the swear words, but this deserves swear words.

WHO FUCKING GRANDSTANDS ENDLESSLY ABOUT CYBERTHREATS AND THE NEED FOR BETTER SECURITY?

WHO FUCKING SITS ON BILLIONS IF NOT TRILLIONS OF DOLLARS IN FUNDING?

That would be the FUCKING GOVERNMENTS OF THE FIRST WORLD. Whose modern economies increasingly rest on open source to a degree they possibly don't understand.

Yes I understand part of this comes from funding from another part of these governments. Oh well, cat and mouse. Once we wrung our hands over these governments having power over these. Well, these days we are facing far more totalitarian state threats and totalitarian wannabes in the private sector.

Government save me, as the less totalitarian option!

Linux and BSD the operating systems should UNQUESTIONABLY be funded to the degree of multiple billions per year by, I'll just put it, "NATO". Here's the true value of open source in this model: it is the perfect public record, unlike untold other aspects of government output.

You must produce public vetted code in Linux/BSD.

This person should not have been "a person". This should have been 5 people, funded likely at least 10-50k/year for their roles.

The described "hit" by the intel services of course is frighteningly easy. But what is most horrid is that this poor person is being subject to very common abuse that comes from non-state-actor manipulation. The article says it:

"this is where our software comes from" -- this poor dude that is trying to help and being abused by state actors on one hand, and ridden thanklessly and for no monetary or fame benefit by massively deep pocketed corporations, governments, and billionaires.

For all of Linus's famous swearing abilities, he hasn't used it to address this publicly. He should be dressing down all corporations and governments at this point that need Linux. There isn't a "going back" from Linux at this point to some closed source option.

Linus and Linux have massive sway here. They could threaten to stop work on the kernels.

I guess fundamentally, this makes me angry because this is basically bullying the nerd in high school to get his homework/answers. The nerds need to realize their power here.

Other vulnerabilities snuck through the commit chain? I get that, usual spy stuff. They actually kind of messed up here. Usually it is within the "cordiality" of things, just quietly ride the overworked unpaid nerd to benefit. Here they inadvertently exposed the real truth of everything: the hidden contempt we treat these people with as a society.

Help in maintainship how?

Pay.

Collin gives his thoughts on both PRs and essentially says they just need more cross-arch testing with a focus on performance. The requester could absolutely help by doing some of those tests and providing back the results. Seems very straightforward to me what Collin is needing help with.

Something I've observed as an English speaking immigrant is that in general, the US/UK is very forgiving when it comes to foreigners trying to speak English. Where certain types of phrasing and harsh words would not be tolerated with first language English speakers, the benefit of the doubt is given to 2nd/3rd language speakers because they

1. Might not have the vocabulary to express themselves correctly

2. Not understand the nuance and connotations that their word choices imply

I've seen my colleagues get frustrated in meetings while simulatenously having to assume good intent.

Choosing names like the bad actor(s) did gives them an advantage in this scenario.

Since we're reading tea leaves:

They also used a sock puppet with a seemingly German name (Hans Jansen). However "Hans" has not been a popular baby name in German speaking countries for many decades. You'd expect any "Hans" to be over 70 or 80 by now. Unless they are American, like Hans Niemann.

This could be a cultural oversight on the attacker's side, which points towards any culture that has a wide spread belief that typical German names are Hans or Fritz. From my experience, that is especially true for English speaking countries, mainly because of stereotypes displayed in Hollywood WWII movies. I wouldn't be surprised if cultural perception of Germany was different in China.

Edit: some clarifications

100% this. I don’t know why this obvious angle is being ignored. The other puppet accounts had Indian and German names - it’s very clear they were trying to obscure their real origins.

Seeing an Asian (any part of Asia) name wouldn’t give me any pause in the slightest. I don’t want to start anything here, but aren’t they disproportionately represented in the American software industry as compared to their percentage of the population?

What would raise my hackles would be someone with a name that codes western who had grammatical idiosyncrasies common to ESL Asians.

If I were a chinese hacker trying to do something evil, why on earth would I use a chinese handler/username?

1) Why not?

2) You'd likely want a relatively common-sounding name, I suppose. Chinese names are relatively common-sounding.

According to a comment on another thread it is not a mainland Chinese name, so that might still be chosen to mislead in a more subtle way. https://news.ycombinator.com/item?id=39869047

Western and Chinese are not the only possibilities, it could be a Russian, or Indian or pretty much anywhere else that engages in intelligence gathering operation.

At the end of the day this is such low hanging fruit that I don’t think that it’s even worth paying attention to. This was almost certainly a state actor and this detail would be blindingly obvious to all state actors capable of pulling this off. You could choose to try to dissect the 10 dimensional game of chess involved in picking fake names, or you could focus your attention on more meaningful heuristics.

While all of this is of course quite serious, we also need to remember that these types of things are actually fairly rare. Last major one was that JS event-stream thing, and that was in 2018 (5 and a half years ago).

I don't think this is really a structural problem requiring these kind of sweeping changes; it's just an occasional rare incident.

No. <https://geekfeminism.fandom.com/wiki/Who_is_harmed_by_a_%22R...>

Reputation works with pseudonymous identities too, and those have security upsides (eg can't be as easily pressed into service of others by extortion or rubber hose). And of course privacy is a value in itself.

As much as I support the privacy of maintainers I do feel like this is necessary to raise the bar for these types of social engineering attacks.

However that would've likely done little to impede this attack if it is backed by organized crime or by a state as is being speculated. It is trivially easy for those types of actors to simply use a stolen identity or create an entirely plausible one out of thin air.

Humans can always be compromised. This specific case can only be solved by improved tooling, workflows, visibility, runtime environments and so on.

The most consequential (rightly or wrongly) technologists of our time are failing to properly think about trust.

It is implicit in your statement that you know some "proper" way to think about trust. If it is the case, please do share with us your thoughts on trust.

A few minutes reflection on “who can I trust” would lead one to discard the extremely egalitarian ethos built up around open source software. But casting out meritless ankle-biters will immediately lead to being attacked as an unreconstructed egotist who needs to be hung from the neareat Code Of Conduct

The most consequential (rightly or wrongly) technologists of our time are failing to properly think about trust.

Because that's an insanely hard problem that's outside our area of expertise.

Consider how much money governments spend on all the red tape they add to increase trust. If there was naturally perfect objective alignment and trust I bet any infrastructure project would cost about 10% of what it does.

I think the biggest problems come from single points of failure. This wouldn't be as problematic if _everyone_ didn't use the same libraries. I guess you could argue that's similar to trust.

In any case, I agree technologist aren't thinking about it because the only way to extract massive amount of wealth is by centralization/monopoly. Hard problem though, the appropriate amount of redundancy is hard to know.

So I see software as a form of literacy. And we treat some literacy as “fun” (most books) yet privilege some literacy (law, a DMV policy manual).

Laws are highly regulated. The DMV policy manual is, like most government day to day policy, run through “managers” who report to a elected official (ie it can be very well written and considered or made up on the good after a bad newspaper headline)

Anyway I think I am saying there is likely to be a consolidation of FOSS - where we spend a fortune trying to bring it under some “approved and controlled” process.

We can call that trust.

I am not sure.

Agreed, which is why IMO ssh in production is a terrible idea that reveals even worse problems.

A server with ssh generally implies there is a shell, and cli tools, and an administration model that involves humans connecting to servers to manually update them in place like pets.

Having a full workstation-optimized distro like ubuntu or debian with hundreds of packages constantly shifting and updating as a critical production server is wildly high risk in terms of both reliability and security.

I understand this is how most sysadmins were taught but it is a 70s unix mainframe mindset from a time before security was a thing and everyone on the internet was a good actor.

Only a workstation or dev server should have tools for humans like ssh installed.

Production servers should be hardened immutable appliance kernels with read only root filesystems that verify and run signed containers, or run a tiny shim init system in a couple hundred lines that spawns a single application specific binary you trust.

No production systems I launch today even have xz installed, or a package manager, or a shell.

This wasn't a vulnerability in openssh though, this was from systemd, where I think your point in fact is stronger.

Why should VCs back oss infrastructure directly? It doesn't help the VCs and only creates perverse incentives for the oss projects.

The SaaS/cloud/etc. companies themselves should fund the projects they depend on. They actually know what those are and don't have to force their own monetization/growth models onto the projects.

Well, in this case it's even worse. The "community" here in all likelihood was overrun with sock puppets of a malicious state-level actor.

As someone who has a community who follows my stuff and demands more....

I somewhat get it.

I became the central spot for this particular product. I get occasional emails from people saying the did this same thing, but on a smaller scale. I have scale, so I can do things much bigger than anyone else.

I have a million people using this, vs a startup who has ~100.

(Btw, I'm barely profitable, I was selling to frugal people...)

This line in light of what we know now makes me think that while OP has a point about open source, this thread and others like it definitely were sockpuppets trying to goad Collin into transferring maintainership quickly.

I by default distrust any statement that claims to speak on behalf of some community.

I do not use or recommend security through obscurity.

Such things can always be automatically discovered.

https://github.com/eliemoutran/KnockIt

Any effort spent on setups like this is likely better spent removing the need for having ssh at all by moving to immutable appliance distros be they specialized like homeassistant or general purpose like TalosOS.

Well, it appears that it would be as safe as any other vulnerable server behind port knocking. Although there's still the possibility that the backdoor is doing something we aren't aware of yet. So yeah, it's as "safe" as you consider port knocking to be.

That said, just make sure you aren't using the backdoored versions. I don't see how you can reasonably skip this step.

theyre much harder to add if people use a buildsystem from the last, idk, 20 years

I don't think this kind of backdoor is that widespread. But intentional vulnerabilities for sure are.

Given how all participants in the discussion were very focused on transferring ownership to the attacker I'd treat everyone in the entire e-mail thread with suspicion. I would not be surprised if Dennis Ens, the one who started the thread in the first place, was also a sock puppet of Jia Tan.

I don’t agree with speculating like this, but I also can help wonder how many participants in this thread are the same person.

It genuinely looks like we’re seeing a demonstration of supply chain psyops in retrospect.

Worthwhile noting: It happened in the open, archived for the world to see at any time! The attacker needed to be extra careful not to raise suspicion, both acutely and for accumulated evidence in history. Of course, easy to say "Hindsight is 20/20", but we can probably agree in actual hindsight, we easily see a lot of suspicious acts around the issue. An individual incident may be chance, but as a whole things become clear more easily.

So, I think there is a teachable moment here: When something seems just a tiny bit fishy, do a background check, investigate. You may not catch all something, but you probably won't miss everything.

Now, looking at the level of sophistication and risk sneaking people and code into open infrastructure, imagine chances of getting caught infiltrating a large company writing closed source binary blobs for drivers, firmware, ...

Also the authors of these messages never interacted on that mailing list before or after. They only turned up to put pressure on the original maintainer.

I think the idea this was HUMINT operation by a state sponsored intelligence service is more likely.

It's not an either/or proposition. I definitely think it was state sponsored, AND one method used was social engineering a burned out maintainer.

Steve Jobs said that someone needs to be the keeper and maintainer of the vision. I think that’s the key to the making of anything great over the long run: there needs to be a Benevolent Dictator For Life who has the vision, competence, energy, passion, and caring to consistently iterate the thing well.

The best case scenario for a project that loses its BDFL(s) is to hold on maybe as decently as Apple has under Tim Cook. They haven’t done anything truly innovative since Jobs died in my opinion — they just figured out more ways to apply the combination of a multitouch display, compact computer, and sensors; but they’ve iterated well on everything they produce and have held on to their lead in terms of hardware, user experience, and ecosystem cohesion.

In short: someone very competent has to care a lot about the project for the right reasons, and continue driving it forward. If the old guard is rotating out, someone has to step up.

If no one steps up, then leeches of various types will attach themselves to the project and simultaneously milk it for value and kill it.

1) Debian includes this downstream patch, also.

2) A potential explanation for "why now" is that systemd DID prevent these dependencies from loading automatically in a patch one month ago [0], and the patches to lzma enabling the backdoor merged a few days later, followed by (as we know) an immediate and somewhat heavy push to get distros to upgrade driven by sockpuppets. It could be a total coincidence, or it could be that the attacker jumped to pull the trigger before the window of vulnerability started closing on them

[0] https://github.com/systemd/systemd/pull/31550#issuecomment-1...

I think it's a bit cheap to blame systemd here, and systemd does not equate directly to Red Hat either.

“here are three interns doing two years in gov.uk. They will help for the next 2 years

Having temp workers come and go into all kinds of various open source projects.. does that help? :)

Agreed it’s a decent way to create a “map” of vulnerable projects. But it’s over-fitting the MO of adversaries - plugging an arbitrary hole.

Why not play into the strengths of OSS instead of trying to replicate frictionous trust models from elsewhere?

Like, listen to ourselves. We are admitting here that open source software is not feasible to audit? Like did we just accept that an adversary can basically smuggle exploit payloads in plain sight?

Can we at least try to simplify and reduce the messiness of checked in generated code, irreproducible builds, and magical binary blobs, conditional compilation, “ifuncs”? Wtf? Granted I’m not a domain expert in this area, but I’m horrified by all the complexity for what I understand to be a compression library.

I would much rather play whack-a-mole with obscurity, which as a side effect is great for software quality overall.

Are you suggesting to ask a state actor to demonstrate commitment before participating in the discussion? :)

I mean, the idea of commitment -> privilege isn’t bad. But it’s got nothing to offer in the story of xz.

What would that magic number achieve? Having basic coding ability can be checked by looking at the user's repos and contributions. But the primary attacker had pretty good skills, and the other commenters (the attacker's sockpuppets) could also demonstrate some skills.

The "users are mean" story is something that we can all do something about, and, honestly, I prefer stories with morals that most of us can actually put into practice.

That would stop a nation state or other nefarious actor because? This isn't spam that works in volume

Deny by default anything from a State that's hostile to American interests.

This is all due to the ongoing attempt to convert FOSS into an obligation. The original idea behind FOSS was to code to scratch your itch and then leave it out there for anyone to find, modify and use. Instead we now treat FOSS code like commercial projects with performance goals and expectations.

Why? My guess is that this new culture is promoted to extract free labor from hobby developers. Take for example, Github. It has a bot to close stale issues after a given interval of inactivity. But what if the issue was valid and unresolved? What's the problem in leaving it open for someone interested to take it up? But what GH wants to promote is a culture where open issues are considered as bad performance on the maintainer's side. It indirectly prompts the maintainers to take open issues too seriously.

As a maintainer of a security-oriented open source library, the paranoia of "is this person trying to help or to exploit?"

That's an excellent mind set when reviewing code, no matter security or not. But especially for security. How could this be wrong? What are the corner cases? How could anyboy break this? What do we need to test? That kind of scrutiny is crucial for keeping the quality of your code base high, no matter who posts the PR.

It mentions something not being reported

This has been reported and discussed from the start, even in the initial report. Also it's not a Linux specific patch or issue, rather a patch used by some Linux distros for tighter systemd integration.