Yesterday’s discovery of the xz backdoor was an accident. But what a fortunate accident it was. The actor (or actors, we don’t yet know) had been diligent in their efforts for a long time, and only very recently started putting all the pieces together in what ended up being discovered yesterday. The backdoor is incorrectly being called an “ssh backdoor”; this is a bit misleading. OpenSSH does not use xz itself, but Linux distribution maintainers linked xz into sshd when building it (ostensibly f...