We are now at t+26h. Please compare how much we knew about the xz attack after less than a day with what we know about the chain of events of the giant outage yesterday.
If something similar had been caused by an OSS component, we would see Congress discussing a ban on open software in critical infrastructure already.
Security vulnerabilities are a big deal in the tech world, but no one really cares outside of that. The CrowdStrike bug was big because it was user-facing and shut down systems. The truth is we haven’t seen any user-facing bugs from open source software to compare CrowdStrike to.