It's also very possible that the account was compromised and taken over. A two years long con with real useful work is a lot of patience and effort vs. just stealing a weakly protected account. I wonder if MFA shouldn't be a requirement for accounts that contribute to important OSS projects.

That was a review of someone else's work? https://github.com/tukaani-project/xz/pull/86

Yeah I saw that - I wouldn't bet on them being in the US but who knows. Maybe they just really love CRC32 ;) And introducing backdoors (if it that was them not an account takeover).

The full name "Jia Cheong Tan" doesn't sound like Mainland China. The name and actions could be intentionally misleading though.

https://news.ycombinator.com/item?id=39867737

Remember that agencies like NSA, GCHQ etc will always use false flags in their code, even when it doesn’t have as high risk of exposure as a backdoor in public has.

Looking at the times of commits shouldn’t be given much value at all. A pretty pointless endeavour.

But the actual interactions with Github are done between 12.00 UTC and 18.00 UTC

https://news.ycombinator.com/item?id=39870925

https://play.clickhouse.com/play?user=play#U0VMRUNUIHRvSG91c...

My git commits are sometimes in UTC, depending on which computer I make them from. Sometimes my laptop just switches timezones depending on whether I'm using wifi or LTE. I wouldn't put much weight on the timezone.

The time stamp of a git commit depends on the system clock of the computer the commit was checked in. This cannot be checked by github & co (except that they could reject commits which have time stamps in the future).

I assume you mean UTC+8... that covers about 20% of the earth's population, besides China it includes parts of Russia, a bunch of SEA and Western Australia.

We shouldn't rule it out, but it seems unlikely to me.

This is more reckless than any backdoor I can think of by a US agency . NSA backdoored Dual EC DRBG, which was extremely reckless, but this makes that look careful and that was the Zenith of NSA recklessness. The attackers here straight up just cowboy'd the joint. I can't think of any instance in which US intelligence used sock puppets on public forums and mailinglists to encourage deployment of the backdoored software and I maintain a list of NSA backdoors: https://www.ethanheilman.com/x/12/index.html

It just doesn't seem like their style.

Just so I understand, you're alleging that a U.S. agency was, among other things, submitting patches for a mainland Chinese home-grown CPU architecture (Loongson)?

Maybe https://www.law.cornell.edu/uscode/text/18/1030#a_5 ?

> knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

Yes, but there was also little pressure to really build the WOT. People, like myself, did it because it was fun, but no one really relied on it. This could change, but it is still far from certain if it'd work given enough pressure.

Chain/web was typo, corrected, thanks.

I know of the key party issues. But there is some value to knowing how far removed from me and people I trust the project authors are.