2024-03-09 20:45:02
@… The good news is that open source also means you can fork the project and merge the PR, even if that isn’t what the core maintainers want :)
You know.... in 20 years of working on computers and specifically in Linux/Unix environments many things have changed, but many things haven't.
One thing that hasn't changed is the prevalence of insufferably arrogant maintainers of open source software who immediately assume you're an idiot rather than there being something wrong with their software or the implementation of it.
That said, it is always slightly pleasing to show them that actually, they're wrong.…
Oof. This article offers common Bad Advice about #OpenSource!
https://www.techradar.com/pro/stop-blaming-maintainers-for-open-source-risks
There's been a ton of conversation about the xz exploit, but the real reason this kind of thing could even happen is because of *human* vulnerability, not a technology vulnerability. So we have to take a deep look at how we truly support the people who make open source happen. Here's the real, substantive investment @… has been providing:
SINBAD: Saliency-informed detection of breakage caused by ad blocking
Saiid El Hajj Chehade (EPFL), Sandra Siby (Imperial College London), Carmela Troncoso (EPFL)
https://arxiv.org/abs/2405.05196
Honestly, the worst effect of the xz/sshd exploit is the evaporation of trust in #OpenSource.
There's this new prolific contributor. I haven't looked in great detail, but they're seemingly doing great work. All pull requests are nicely annotated as to ease review. Really, everything you could wish for. But what if it's a bad actor trying to quickly build trust?
Then this contributor kindly pings assignee a week after filing the PR. Well, nothing wrong with that. It makes sense. But then, what if it's a bad actor trying to pressure maintainers?
Or perhaps it's just a great, well-organized #Gentoo contributor.
The Reddit user is discussing the XZ Utils backdoor case, where Jia Tan's email was untraceable even in breached databases, and all his communication was through a foreign VPN. The user is asking if anyone has investigated the profiles of other maintainers/contributors for potential backdoors. https://reddit.com/r/cybersecurity/comments/1bvtvz0/
I feel this strongly, as a dilettante #FOSS coder.
Modern mature software can be inherently complicated. PostgreSQL is a deep RDBMS that has been under development since the 80s. Writing new code for that is hard, especially in C. The only FOSS projects I'm at all active in are all Perl (i.e. 'dilettante') but they are also big and arcane. E.g. there are parts of
"As some of the dust around the xz backdoor is slowly starting to settle, we’ve been getting a pretty clear picture of what, exactly, happened, and it’s not pretty... I’m suggesting the idea of setting up a foundation – or whatever legal entity makes sense – that is dedicated to helping maintainers who face the kinds of problems like the maintainer of xz did." Open source is about more than just code:
ehhh I only just now learned from an 18h-old video that I need to sign up for the #PyCon maintainers summit (it wasn’t an option when I bought my ticket and the summit page doesn’t mention it and only links to the CfP) and now it’s… sold out???
paying maintainers
Useful explainer from @…, inc a morsel of dry comedy:
"Don’t people do this work for the love of open source?
"In our experience, open source maintainers often start projects for non-monetary reasons... But... no maintainers started their project because of the love of ensuring it complies with your company's definition of enterprise secure software development practices for no pay for the rest of their lives."
#OpenSource #software #money
Cloud cos should create a joint open source maintainers group, well funded, experienced developers etc. ready to hire long term maintainers
Their remit should be to fork every project that goes source-available or closed source at the last FOSS commit and maintain it properly as a going concern.
This will either stop this shit or ensure ongoing stewardship.
Should be trivial budget wise given what they make from these code bases.
This https://arxiv.org/abs/2404.00640 has been replaced.
Lots of discussion on xz about paying maintainers, or even the government stepping in, and none asking, hey you, highly profitable Linux Vendor, what are *you* doing to prevent this in *your* product?
xz is not a random leaf package, it's a core OS component. The industry already pays a lot of money to Red Hat, Canonical, SUSE, AWS, Azure, Oracle... to ship a secure OS.
If this was Windows, MS would take the hit. PR teams would be activated. But it's Linux, so vendors can make …
xkcd joked about it (https://xkcd.com/2347/) back in 2020, but the xz-utils backdoor proves that having underpaid/overwhelmed volunteers maintaining critical software is a national security risk. Governments* around the world probably view these maintainers as a vulnerability, just like any other security v…
Finally pulled the trigger on this o7
https://github.com/NixOS/nixpkgs/pull/307283
Also a thought to all the honest Chinese maintainers in the world. Your government sucks hard and you are probably paying the consequences now.
I've recently come across two socially responsible French conglomerates of software developers, organized as either a cooperative or some other egalitarian business forms, and I wanted to make a huge shoutout to them.
Please visit their websites and, if you want and can, hire them for your next projects.
(Disclaimer: I'm not associated with either, I just find these organizations not only remarkable, but also necessary and fundamental.)
For anyone who has missed it: One of the maintainers of xz/liblzma (& libarchive?) has apparently been backdooring it for a couple of years. Fortunately it seems to only target Debian-based distros!? So once again I luck out with my oblivious computing choices, having almost everything personally and professionally either EL-based or BSD-based
#InfoSec
Pokémon Go Players Invent Fake Beaches on Real Maps to Catch Rare Wigletts https://www.404media.co/pokemon-go-players-invent-fake-beaches-on-real-maps-to-catch-rare-wigletts/
holy hell Github - this is bad
heads up repo maintainers on Github - you may want to disable interactions for now
The last thing any OSS maintainer needs is their project getting a strike because some bad actor chose their repo 😤
https://infosec.exchange/@BleepingComp
@… did you think about adding some "support" button to the website so people could donate money as a "thank you"? I'm mostly thinking of devices maintainers.
I think what you do is massive for no-waste culture. Congrats!
I know nobody wants to admit it, but security shit shows like heartbleed, log4shell, or xzgate are kinda exciting times to live thru. 🤓
Also I’m afraid it’s the only way to prove the problems we’ve been droning about for years are real and not made up by greedy maintainers.
Single-token vs Two-token Blockchain Tokenomics
Aggelos Kiayias, Philip Lazos, Paolo Penna
https://arxiv.org/abs/2403.15429 https://a…
I always feel bad for the open source maintainers for popular or heavily used projects. People demanding things fixed or insulting the devs for not doing xyz or implementing their ideas. They deserve so much more than what they are receiving. #Programmers
Florian Westphal stepped down as #Linux' #netfilter maintainer
"I do not feel that I'm up to the task anymore.
I hope this to be a temporary emergency measure, but for now I'm sure this is the best course of action for me."
Lightweight Syntactic API Usage Analysis with UCov
Gustave Monce (LaBRI), Thomas Couturou (LaBRI), Yasmine Hamdaoui (LaBRI), Thomas Degueule (LaBRI), Jean-Rémy Falleri (LaBRI, IUF)
https://arxiv.org/abs/2402.12024
Blockchain Bribing Attacks and the Efficacy of Counterincentives
Dimitris Karakostas, Aggelos Kiayias, Thomas Zacharias
https://arxiv.org/abs/2402.06352 ht…
This https://arxiv.org/abs/2401.14635 has been replaced.
initial toot: https://mastoxiv.page/@arXiv_csCR_…