<!DOCTYPE html><html lang="en" prefix="og:http://ogp.me/ns#"><head><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="stylesheet" href="https://cdn.kit.com/pages/css/creator-profile-v2-post-c7c69a58526ff77fc131.css"/><link rel="stylesheet" href="https://cdn.kit.com/pages/css/shared-aabe47d19e6f5769d797.css"/><title>Human Who Codes Newsletter - Open Source Takeovers</title><link rel="canonical" href="https://newsletter.humanwhocodes.com/posts/human-who-codes-newsletter-open-source-takeovers"/><meta name="author" content="Nicholas C. Zakas"/><meta property="og:url" content="https://newsletter.humanwhocodes.com/posts/human-who-codes-newsletter-open-source-takeovers"/><meta property="og:title" content="Human Who Codes Newsletter - Open Source Takeovers"/><meta property="og:image" content="https://embed.filekitcdn.com/e/2dCejp6yj6tBWKNzNYcedy/7aXmyMiXV5URxEC1d6UbaK"/><meta property="og:type" content="article"/><meta property="article:published_time" content="2024-05-07T13:00:20.000Z"/><meta property="article:author" content="Nicholas C. Zakas"/></head><body><div id="root"><div class="page page-post w-full sm:pt-16 sm:px-16 bg-page"><div class="flex flex-col lg:flex-row max-w-6xl w-full mx-auto gap-4"><div class="sidebar flex flex-col gap-4 flex-1 px-4 pt-4 sm:px-0 sm:pt-0"><div class="flex flex-row gap-4 lg:flex-wrap items-center"><div class="creator-image w-6 h-6 flex-shrink-0 sm:w-24 sm:h-24"><img alt="profile" src="https://embed.filekitcdn.com/e/2dCejp6yj6tBWKNzNYcedy/jEXCgZYDxkeevYrvt2o4fK" class="h-full w-full rounded-full object-cover object-center"/></div><div class="grid"><h1 class="creator-name font-heading font-weight-heading color-heading text-base sm:text-2xl overflow-hidden break-words whitespace-pre-wrap">Human Who Codes Newsletter</h1></div></div><div class="hidden sm:block"><div class="grid"><p class="creator-bio font-body font-weight-body color-body text-sm overflow-hidden break-words whitespace-pre-wrap">A once-per-month newsletter discussing topics important to senior-level software engineers, with a particular focus on frontend technology and leadership.</p></div></div></div><div class="w-full"><div class="sm:rounded-lg bg-card post-container flex flex-col w-full py-4 px-4 sm:px-12 relative"><div class="p-2"><h1 class="post-title font-heading font-weight-heading color-heading text-4xl sm:text-5xl mb-4">Human Who Codes Newsletter - Open Source Takeovers</h1><div class="post-meta font-body font-semibold color-body flex flex-row gap-4 items-center text-xs"><span>Published May 7, 2024 • 5 min read</span></div><hr class="my-6 sm:my-8 color-body opacity-25"/><div class="content font-body font-weight-body" style="color:#373f45 !important"> <table cellpadding="0" cellspacing="0" style="width:100%;margin:0 auto"><tbody><tr><td> <h1 class="">Thoughts on Open Source Takeovers</h1> <p class="">This past month saw one of the most well-planned open source software supply chain attacks in history. A program called xz Utils, which provides lossless data compression for most Linux distributions, was found to have a backdoor that affected sshd. 
As <a href="https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/" target="_blank" rel="noopener noreferrer">Ars Technica reported</a>, “Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device.” There are no reports of the backdoor being used, but the story behind how the backdoor landed is something straight out of a spy novel.</p> <p class=""><strong>The story starts in 2021</strong> when a GitHub account named JiaT75 is created. Later that year, they successfully <a href="https://github.com/libarchive/libarchive/pull/1609" target="_blank" rel="noopener noreferrer">landed a commit</a> to libarchive (a C library for reading and writing archive files) that replaces a call to safe_fprintf() with one to fprintf(). Even though this was a bit suspicious, it was merged without comment. Later comments seem to agree that the change is benign, but also pointless. This appears to have been a trial run to see how difficult it would be to land code in a widely-used project.</p> <p class=""><strong>JiaT75’s first contribution</strong> to xz Utils happens in February 2022, when they submit a patch to the mailing list. Someone named Jigar Kumar then joins the mailing list and accuses Lasse Collin, the xz Utils maintainer, of not properly maintaining the project. He <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00565.html" target="_blank" rel="noopener noreferrer">urges Collin</a> to merge the patch quickly. Several others join the mailing list around the same time to agree with Jigar. All of this was with the intention of <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00566.html" target="_blank" rel="noopener noreferrer">putting pressure on Collin</a> to bring in someone else to help maintain xz Utils.</p> <p class=""><strong>In January of 2023,</strong> JiaT75 landed their first <a href="https://github.com/tukaani-project/xz/pull/7" target="_blank" rel="noopener noreferrer">pull request without outside review</a>, indicating that they had gained Collin's trust and now had commit access. From that point on, JiaT75 makes a series of contributions to further cement control of the project. The first is a pull request to oss-fuzz <a href="https://github.com/JiaT75/oss-fuzz/commit/6403e93344476972e908ce17e8244f5c2b957dfd" target="_blank" rel="noopener noreferrer">changing the contact email address</a> from Collin's to JiaT75's, which is followed up with <a href="https://github.com/google/oss-fuzz/pull/10667" target="_blank" rel="noopener noreferrer">other changes</a> to oss-fuzz designed specifically to keep the fuzzer from detecting the backdoor code when it is introduced.</p> <p class=""><strong>Once the backdoor landed</strong> and the new releases were published, JiaT75 went about <a href="https://news.ycombinator.com/item?id=39866275" target="_blank" rel="noopener noreferrer">pressuring Linux distros</a> to upgrade to the malicious versions of xz Utils. Many did. It was only by accident that the backdoor was discovered before it could be exploited.</p> <p class="">This represents a multi-year plan to take control of xz Utils specifically to introduce this backdoor. It used what we all know is the weak point of open source: that most projects are maintained by single, unpaid people who do so in their spare time. So much of our infrastructure is made up of projects like xz Utils, and maintainers of those projects are susceptible to social pressures around their responsibilities. It appears that JiaT75 got access specifically due to the mailing list messages from people like Jigar Kumar who badmouthed, blamed, and shamed Collin. It’s no wonder that Collin gave access to the one lifeline he had: the one person who was taking the time to commit patches, JiaT75.</p> <p class="">We should think long and hard about how open source projects are maintained. A backdoor in a small dependency that gets included on a large number of computers becomes a massive problem. It becomes a massive problem because the project has only one maintainer who feels burned out and is pressured to turn it over to someone who “cares.” This could happen to any number of open source projects that we all rely on, and it’s a clear message that the way we treat open source needs to change. Relying on volunteers to secure the open source supply chain will not work when facing years-long social engineering attacks designed to get access to widely-used projects.</p> <p class="">Right now, I don’t have an answer for what needs to change. I just know that something does. 
</p> <h2 class="">Key Takeaways</h2> <ul class="unordered_list" style="list-style-position:inside"> <li class="list_item"><span>xz Utils was infiltrated by a malicious actor who spent time gaining trust in order to get access to its source control.</span></li> <li class="list_item"><span>This was a multi-year attack designed to isolate the original maintainer in order to introduce a backdoor that would then be included in most Linux distributions.</span></li> <li class="list_item"><span>This incident exposes how insecure the open source supply chain is when we rely so much on volunteer maintainers who are often unpaid and unappreciated.</span></li> </ul> <h2 class="">More on Open Source Takeovers</h2> <p class="">📝 <a href="https://openjsf.org/blog/openssf-openjs-alert-social-engineering-takeovers" trigger-id="4421997" target="_blank" rel="noopener noreferrer">Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects</a> by Robin Ginn and Omkhar Arasaratnam<br>In the wake of the XZ Utils incident, the OpenJS and OpenSSF Foundations have been on the lookout for other potential takeover attempts. This blog post shares some of their experiences.</p> <p class="">📝 <a href="https://boehs.org/node/everything-i-know-about-the-xz-backdoor" target="_blank" rel="noopener noreferrer">Everything I know about the XZ backdoor</a> by Evan Boehs<br>A detailed timeline of the accounts, commits, and mailing list activity behind the XZ Utils attack.</p> <p class="">🎬 <a href="https://www.youtube.com/watch?v=bS9em7Bg0iU&list=LL&index=2&pp=gAQBiAQB" target="_blank" rel="noopener noreferrer">Linux got wrecked by backdoor attack</a> by Fireship<br>A five-minute overview of how the XZ takeover occurred, how it was found, and what this means for open source in general.</p> <hr style="margin-top:48px;margin-bottom:48px"> <table class="ck-layout-block ck-layout-stack" width="100%" border="0" cellpadding="0" cellspacing="0" bgcolor="#ffffff" style="background-color:#ffffff;padding:0px 0px 0px 0px;margin:24px 0px 24px 0px;overflow:hidden;background-size:cover;background-position:center"><tbody><tr> <td as="td" class="ck-column ck-column-stack ck-column-1" width="50%" style="background-size:cover;background-position:center;box-sizing:border-box;vertical-align:top"><div style="padding:0px 0px 0px 0px"><table width="100%" border="0" cellspacing="0" cellpadding="0" style="text-align:center;table-layout:fixed;float:none" class="email-image"><tbody><tr><td align="center"><figure style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;max-width:100%;width:100%"><a style="display:block" href="http://leanpub.com/understanding-javascript-promises" target="_blank" rel="noopener noreferrer" trigger-id="4440601"><img src="https://embed.filekitcdn.com/e/2dCejp6yj6tBWKNzNYcedy/7aXmyMiXV5URxEC1d6UbaK" alt="" width="100%" height="auto" style="width:100%;height:auto;object-fit:contain"></a></figure></td></tr></tbody></table></div></td> <td style="padding-left:30px"></td> <td as="td" class="ck-column ck-column-2" width="50%" style="background-size:cover;background-position:center;box-sizing:border-box;vertical-align:middle"><div style="padding:0px 0px 0px 0px"> <h2 style="margin-top:0;margin-bottom:0;color:#000000" class="">Understanding JavaScript Promises</h2> <p style="margin-top:8px;margin-bottom:8px;color:#4d4d4d" class="">I just updated my e-book, <em>Understanding JavaScript 
Promises</em>, for 2024! It now includes information about Promise.withResolvers() and a whole new chapter on using and creating abortable functions. </p> <!--[if !mso]>--><table width="100%"><tbody><tr><td align="center"><a class="email-button" href="http://leanpub.com/understanding-javascript-promises" target="_blank" rel="noopener noreferrer" style="border-color:#0077e6;background-color:#0077e6;box-sizing:border-box;border-style:solid;color:#ffffff;display:inline-block;text-align:center;text-decoration:none;padding:12px 20px;margin-top:8px;margin-bottom:8px;font-size:16px;border-radius:4px 4px 4px 4px" trigger-id="4440595">Buy the E-book</a></td></tr></tbody></table> <!--<![endif]--><!--[if mso]><table class="button-table" width="100%" border="0" cellSpacing="0" cellPadding="0" style="margin-top:8px;margin-bottom:8px"><tr><td align="center"><table border="0" cellSpacing="0" cellPadding="0"><tr><td align="center" bgcolor="#0077e6" style="background-color:#0077e6;overflow:hidden;padding:12px 20px"><a class="email-button" href="http://leanpub.com/understanding-javascript-promises" target="_blank" rel="noopener noreferrer" style="background-color:inherit;display:inline-block;text-decoration:none;border-style:solid;margin:0;color:#ffffff;font-size:16px" trigger-id="4440595" data-ck-element="button">Buy the E-book</a></td></tr></table></td></tr></table><![endif]--> </div></td> </tr></tbody></table> <hr style="margin-top:48px;margin-bottom:48px"> <h2 class="">Stuff I've Enjoyed this Month</h2> <p class="">📚 <a href="https://geni.us/coaching-perf-page" target="_blank" rel="noopener noreferrer">Coaching for Performance</a> by Sir John Whitmore<br>This is a fantastic book about how to take a coaching perspective towards leadership. Instead of directing others, coaching is about helping them find their own way and their own success. 
Highly recommended for anyone in a leadership position.</p> <p class="">📚 <a href="https://geni.us/grow-small-biz-page" target="_blank" rel="noopener noreferrer">How to Grow Your Small Business</a> by Donald Miller<br>This book is targeted at those who are running small businesses and provides a great operating system for running your business. It covers everything from managing your staff, to marketing, to sales, to cash flow, and everything in between.</p> <p class="">🎬 <a href="https://www.youtube.com/watch?v=yXTFOeGly9o&list=LL&index=1&pp=gAQBiAQB" target="_blank" rel="noopener noreferrer">Bun 1.1: Bundows is here</a> by Bun<br>This short video explains the Bun v1.1 release, which (finally) includes support for Windows. The Bun folks are doing some really innovative things and I'm excited to finally try it out for myself.</p> <p class="">📝 <a href="https://blog.tidelift.com/paying-maintainers-the-howto" target="_blank" rel="noopener noreferrer">Paying Maintainers: The How-To</a> by Luis Villa<br>Written by the folks behind Tidelift, this is a deep-dive article on the intricacies of paying open source maintainers and why it may be difficult. This is one of the few insightful articles on the topic and is highly recommended for anyone involved in open source.</p> <p class="">📝 <a href="https://deno.com/blog/how-we-built-jsr" target="_blank" rel="noopener noreferrer">How We Built JSR</a> by Luca Casonato<br>JSR, the new npm alternative from the folks behind Deno, is now live and serving JavaScript packages. This post explains how it is built and deployed in detail.</p> <hr> <h2 class="">What I'm Working On</h2> <p class="">🏠 <strong>Real Estate: </strong>There was a lot of rain around my properties, and so the basement of one house flooded. This was surprising because I do have a sump pump in the basement, but it was attached to a GFCI outlet that tripped and the pump never went on. A bit of a mess, but thankfully there was no significant damage. 
We replaced the outlet and pumped the water out of the basement. Just another fun landlord story! Follow <a href="https://www.instagram.com/p/CoIYSVlOy4J/?utm_source=ig_web_copy_link" trigger-id="3596952" target="_blank" rel="noopener noreferrer">my Instagram</a> for real estate photos.</p> <p class="">📝<strong> Writing:</strong> I wrote a blog post explaining <a href="https://humanwhocodes.com/blog/2024/04/backing-up-my-life-synology-nas" trigger-id="4421966" target="_blank" rel="noopener noreferrer">how I use a Synology NAS to back up my whole life</a>. If you use a public cloud as your only source of data (e.g., Google Drive), you'll want to read this.</p> <p class="">💻<strong> Standards:</strong> I put together a <a href="https://github.com/nzakas/proposal-write-once-const" trigger-id="4427970" target="_blank" rel="noopener noreferrer">proposal</a> to change the JavaScript const declaration so it is write-once instead of requiring initialization. At this point, I'm just waiting to hear back from a TC39 member to see if there's any chance they'd accept this proposal. I've received good feedback so far, so I'm hopeful.</p> <p class="">💻<strong> Open Source:</strong> I submitted my <a href="https://github.com/nodejs/undici/pull/3105" trigger-id="4421964" target="_blank" rel="noopener noreferrer">first pull request</a> to Undici, which is the package that powers the Node.js native fetch() function. I had spent an hour trying to track down an obscure error and decided to submit a pull request to make the error message more easily understandable.</p> <p class="">💻<strong> ESLint:</strong> After a lot of work by a lot of people, ESLint v9.0.0 has been officially released! This is very exciting because it lays the groundwork for a lot of future plans. 
</p> </td></tr></tbody></table> </div></div></div></div></div></div></div></body></html>