He absolutely has not.
He absolutely has not.
There are two big problems with the point that you’re trying to make:
There are many open source projects being run by organizations with as much (often stronger) governance over commit access as a private corporation would have over its closed source code base. The most widely used projects tend to fall under this category, like Linux, React, Angular, Go, JavaScript, and innumerable others. Governance models for a project are a very reasonable thing to consider when deciding whether to use a dependency for your application or library. There’s a fair argument to be made that the governance model of this xz project should have been flagged sooner, and hopefully this incident will help stir broader awareness for that. But unlike a closed source code base, you can actually know the governance model and commit access model of open source software. When it comes to closed source software you don’t know anything about the company’s hiring practices, background checks, what access they might provide to outsourced agents from other countries who may be compromised, etc.
You’re assuming that 100% of the source code used in a closed source project was developed by that company and according to the company’s governance model, which you assume is a good one. In reality BSD/MIT licensed (and illegally GPL licensed) open source software is being shoved into closed source code bases all the time. The difference with closed source software is that you have no way of knowing that this is the case. For all you know some intern already shoved a compromised xz into some closed source software that you’re using, and since that intern is gone now it will be years before anyone in the company notices that their software has a well known backdoor sitting in it.
Which is exactly the position that the Rust for Linux devs have understood and accepted for themselves, and yet they still get yelled at (literally, in public, on recordings) by C Linux devs for existing.
Oh and they get snidely told that introducing the Rust language must be a mistake because suggestions to introduce other languages to the kernel turned out to be mistakes and obviously Rust is the same as all those other languages according to C developers who, by their own admission, have never used or learned anything about Rust beyond a superficial glance at some of its syntax (again this was recorded from a public event).