
cybersandwich (edited)

It highlighted some pretty glaring weaknesses in OSS as well. Overworked maintainers, unvetted contributors, etc. etc.

The XZ thing seems like we got “lucky” more than anything. But that type of attack may have been successful already or in progress elsewhere. It’s not like people are auditing every line of every open source tool/library. It takes really talented devs and researchers to truly audit code.

I mean, I certainly couldn’t do it for anything semi-advanced, super clever, or obfuscated the way the XZ thing was.

But I agree that the fact we could audit it at all is a plus. The flip side is: an unvetted bad actor was able to publish these changes because of the nature of open source. I’m not saying bad actors can’t weasel their way into Microsoft, but that’s a much higher bar in terms of vetting.
