
or they are totally nonplussed because they are not even a single individual, but a state actor who has been doing this on 10-20 other projects for the past 5-10 years which haven't got the same attention. This is their job; being compromised is always a risk.


It doesn't matter if it's a team working for a state actor. You'd still be pissed your 2 year project failed so close to the finish line.


Not if this is one of a few dozen or few hundred similar ongoing operations. The risk is always there, they have to expect some amount of failure. Open source software is constantly being probed for vulnerabilities in every way possible, from random commits to high level members of committees for standards. Every operation is one in a grab bag of disposable and deniable efforts.

I also am a little biased and assume being burned in state-sponsored acts is similar to the no-blame culture of breaking infrastructure in tech :) because by all accounts this compromise was extremely well done, until it wasn't.

Also, we can't be sure the compromise wasn't intentionally telegraphed to cause some other action (using a different library) on purpose.


>Not if this is one of a few dozen or few hundred similar ongoing operations. The risk is always there, they have to expect some amount of failure.

That actually makes me think it's not happening at a larger scale, since we'd likely have heard of at least a few similarly elaborate cases being uncovered by now. If not during the attempt itself, then at least at some later point in time.

Either almost all of these operations remain undetected, because they are even more sophisticated and much of the world's software ecosystem has been secretly compromised for years, or there aren't actually that many such operations.


They might even get a kick out of people discussing how clever their hack was. A rare bit of public acknowledgement, in a way.


So what? The nature of the project matters. Seriously, F all of the people who worked on it, however many or few it was.

It's one thing to attack a target; it's quite another to try to give yourself a master key to every rpm or deb Linux box in the world.


Unrelated note: I had always thought "nonplussed" was basically a synonym for something like "bewildering confusion." But the way you used it in this context suggested the exact opposite. It turns out that "nonplussed" has also come to mean "unperturbed": https://en.wiktionary.org/wiki/nonplussed

Quite confusing, because the two different meanings are nearly opposite to one another.

See also: https://www.merriam-webster.com/grammar/nonplussed


> Quite confusing, because the two different meanings are nearly opposite to one another.

It's pretty easy to see where the innovative sense came from: "plussed" doesn't mean anything, but "non" is clearly negative. So when you encounter the word, you can tell that it describes (a) a reaction in which (b) something doesn't happen. So everyone independently guesses that it means failing to have much of a reaction, and when everyone thinks a word means something, then it does mean that thing.

You see the same thing happen with "inflammable", where everyone is aware that "in" means "not" and "flame" means "fire". (Except that in the original sense, in is an intensifying prefix rather than a negative prefix. This doesn't occur in many other English words, although "inflammation" and "inflamed" aren't rare. Maybe "infatuate".)


That's pretty much what my second link is about. :-)


Wow, now I need to go figure out what source material I misinterpreted to thoughtlessly use this word incorrectly. Thanks!



