The outside threat was actually perpetrated from the inside.
There was no due diligence done on the new administrator.
The assumption was made that anyone looking to associate themselves with the project had good intentions. Clearly this was an unfounded assumption --- one that could easily apply in other cases as well.
The article contains a rehashing of the xz attack, but also contains a discussion of for-profit open source/source available software.
The argument in the article, that there are greater threats to FOSS than security vulnerabilities, is reasonable.
I'd add that some large software companies have an incentive to make security vulnerabilities seem as scary as possible, because it makes them seem like they are doing important work. Seems like a viable approach to lobbying for laws that could lead to excess regulatory capture.
Kinda tired that Redis, the company, is seen as the creators of Redis and that they are within their right to fight the big bad hyperscalers. The irony is, Redis the company would not have existed in the first place with their current license choice, because they, Garantia Data, started out as a third party.