Conversation

Notices

1. Embed this notice
   Evan B🥥ehs (eb@social.coop)'s status on Saturday, 30-Mar-2024 04:50:43 JST Evan B🥥ehs

   Unfolding now: https://news.ycombinator.com/item?id=39865810

   - https://www.openwall.com/lists/oss-security/2024/03/29/4
   - https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0

   An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:

   - https://github.com/tukaani-project/xz/commit/ee44863ae88e377a5df10db007ba9bfadde3d314
   - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
   - https://github.com/jamespfennell/xz/pull/2

   The timeline on this is going to take so long to unravel

   #security #linux

   • 13 barn owls in a trenchcoat, clacke, Tobias Hellgren and GreenSkyOverMe (Monika) repeated this.
   • Embed this notice
     Evan B🥥ehs (eb@social.coop)'s status on Saturday, 30-Mar-2024 04:50:42 JST Evan B🥥ehs

     in reply to

     https://boehs.org/node/everything-i-know-about-the-xz-backdoor

     I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.

     #security #xz #linux

     Haelwenn /элвэн/ :triskell: and clacke like this.
     GreenSkyOverMe (Monika) repeated this.
   • Embed this notice
     Glyph (glyph@mastodon.social)'s status on Saturday, 30-Mar-2024 07:55:51 JST Glyph

     in reply to

     @eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html

     Haelwenn /элвэн/ :triskell: and clacke like this.
     Haelwenn /элвэн/ :triskell:, Polychrome :blabcat:, pettter and GreenSkyOverMe (Monika) repeated this.
   • Embed this notice
     Evan B🥥ehs (eb@social.coop)'s status on Saturday, 30-Mar-2024 07:55:53 JST Evan B🥥ehs

     in reply to

     Holy shit.

     Haelwenn /элвэн/ :triskell: and clacke like this.
     pettter, clacke and GreenSkyOverMe (Monika) repeated this.
   • Embed this notice
     Geoffrey Thomas (geofft@mastodon.social)'s status on Saturday, 30-Mar-2024 08:00:48 JST Geoffrey Thomas

     in reply to

     • Glyph

     @glyph @eb I'm frustrated that big tech's efforts to increase core library security are "your project is too popular, you must use 2FA" and "the best reverse engineers in the world will find your bugs and put you on a 90 day disclosure deadline" and not "here is $100K/year and benefits to keep doing what you're doing at your own pace."

     clacke and Polychrome :blabcat: like this.
   • Embed this notice
     Glyph (glyph@mastodon.social)'s status on Saturday, 30-Mar-2024 08:02:45 JST Glyph

     in reply to

     @eb "I never thought a sophisticated APT would backdoor *my* volunteer-maintained infrastructure that I got for free" sobs entire industry who voted for the "volunteer-maintained infrastructure that I get for free with no defense against sophisticated APTs" party

     Haelwenn /элвэн/ :triskell: and clacke like this.
   • Embed this notice
     Luis Villa (luis_in_brief@social.coop)'s status on Saturday, 30-Mar-2024 08:04:49 JST Luis Villa

     in reply to

     • Glyph
     • David Zaslavsky
     • Geoffrey Thomas

     @diazona @geofft @glyph @eb there’s a lot of precedent for hiring maintainers of top-level programs whose brand (for lack of a better term) has reached the level of awareness of a C-level with a hiring budget. Collectively pooling money to help the projects C-levels have never heard of… has a much weaker track record. We’ve been trying to tackle it at Tidelift for a while and suffice to say I’ve definitely had a lot of “but it can’t happen to me” conversations.

     Haelwenn /элвэн/ :triskell: and clacke like this.
   • Embed this notice
     David Zaslavsky (diazona@techhub.social)'s status on Saturday, 30-Mar-2024 08:04:50 JST David Zaslavsky

     in reply to

     • Glyph
     • Geoffrey Thomas

     @geofft @glyph @eb I'm certainly not disputing that it's a real problem that that doesn't happen more often, but isn't there some precedent for big tech companies hiring people to work on specific open source projects? So it's not totally unheard of

   • Embed this notice
     Geoffrey Thomas (geofft@mastodon.social)'s status on Saturday, 30-Mar-2024 08:05:40 JST Geoffrey Thomas

     in reply to

     • Glyph
     • Luis Villa
     • David Zaslavsky

     @luis_in_brief @diazona @glyph @eb Yeah that resonates with my experience. People like GvR get hired (which is great!) but there's a whole dependency stack underneath. Their maintainers often have a strong résumé to get hired for a normal big tech job at a company that uses the language/ecosystem/etc. but not necessarily for maintaining the project as their job. Sometimes the job is even "build something similar for an internal non-OSS ecosystem."

     Haelwenn /элвэн/ :triskell: and clacke like this.
   • Embed this notice
     Luis Villa (luis_in_brief@social.coop)'s status on Saturday, 30-Mar-2024 08:06:26 JST Luis Villa

     in reply to

     • Glyph
     • David Zaslavsky
     • Geoffrey Thomas

     @diazona @geofft @glyph @eb I increasingly wonder if we aren’t due for some “defragging” of a lot of core infra, with many projects pooled together, maintained, and funded more collectively, like Ruby Together.

     Haelwenn /элвэн/ :triskell: and clacke like this.
   • Embed this notice
     Luis Villa (luis_in_brief@social.coop)'s status on Saturday, 30-Mar-2024 08:07:13 JST Luis Villa

     in reply to

     • Glyph
     • David Zaslavsky
     • Geoffrey Thomas

     @geofft @diazona @glyph @eb yup. Or they get hired with the promise that they’ll get 20% time to work on it, and that goes away for reasons (sometimes good, sometimes bad), or…. Etc etc

     Haelwenn /элвэн/ :triskell: and clacke like this.
   • Embed this notice
     Luis Villa (luis_in_brief@social.coop)'s status on Saturday, 30-Mar-2024 08:08:02 JST Luis Villa

     in reply to

     • Glyph
     • David Zaslavsky
     • Geoffrey Thomas

     @glyph @geofft @diazona @eb “Famous maintainers get hired more than critical maintainers.” Owwwwwwww.

     clacke likes this.
     clacke repeated this.
   • Embed this notice
     Glyph (glyph@mastodon.social)'s status on Saturday, 30-Mar-2024 08:08:03 JST Glyph

     in reply to

     • Luis Villa
     • David Zaslavsky
     • Geoffrey Thomas

     @geofft @luis_in_brief @diazona @eb there are layers and layers to this. Famous maintainers get hired more than critical maintainers. And maintenance is important but how do you pay for the commons of *new* projects? The tidelift model gets us part of the way there, because these costs need to be aggregated and there needs to be some kind of oversight, but even if they were universally adopted (and that is far from true) there are so many missing pieces

     clacke likes this.
     Haelwenn /элвэн/ :triskell: repeated this.
   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Saturday, 30-Mar-2024 08:12:22 JST Rich Felker

     in reply to

     • Glyph
     • Luis Villa
     • David Zaslavsky
     • Geoffrey Thomas

     @geofft @glyph @luis_in_brief @diazona @eb A relationship with a critical FOSS dependency maintainer is very clearly classifiable as independent contractor, and SHOULD or even MUST be for the sake of project integrity. There should be no reason to need US work authorization.

     Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     Geoffrey Thomas (geofft@mastodon.social)'s status on Saturday, 30-Mar-2024 08:12:23 JST Geoffrey Thomas

     in reply to

     • Glyph
     • Luis Villa
     • David Zaslavsky

     @glyph @luis_in_brief @diazona @eb Yes, e.g., what if the current maintainer is genuinely unavailable/uninterested? As may well have happened with xz even with a job offer.

     Funding a new maintainer is by itself defensible, but doing so will drastically change both the pressure on the current maintainer and the choice of who becomes maintainer (e.g. there's now a bias in favor of those who have US work authorization).

     I'm curious if either Tidelift or the commercial distros have norms for this.

     clacke likes this.
   • Embed this notice
     Luis Villa (luis_in_brief@social.coop)'s status on Saturday, 30-Mar-2024 16:28:04 JST Luis Villa

     in reply to

     • Glyph
     • Geoffrey Thomas

     @geofft @glyph @eb (sobs in Tidelift)

     clacke likes this.
   • Embed this notice
     Geoffrey Thomas (geofft@mastodon.social)'s status on Saturday, 30-Mar-2024 16:28:07 JST Geoffrey Thomas

     in reply to

     • Glyph
     • Luis Villa

     @luis_in_brief @glyph @eb I should try harder to figure out what a Tidelift is and how to convince my employer to sign up. But also... IMO Microsoft or Google (whom I am subtooting) etc. can singlehandedly employ all the maintainers of `ldd sshd` and that would get results that fractionally paying for the commons never will.

     Like this should be the job of a distro, and RH/SUSE/Canonical/Oracle kinda do this, but clearly none of them actually saved their customers (or the world) from this.

     clacke likes this.
   • Embed this notice
     clacke (clacke@libranet.de)'s status on Saturday, 30-Mar-2024 16:28:31 JST clacke

     in reply to

     @eb Great summary of all other summaries, thank you. This is the link I'm sharing to others.

     It's a con heist worthy of a movie script. Amazing and sad.

   • Embed this notice
     Sylvhem (sylvhem@eldritch.cafe)'s status on Sunday, 31-Mar-2024 22:48:52 JST Sylvhem

     in reply to

     @eb “As I have hinted in earlier emails, Jia Tan may have a bigger role in the project in the future. He has been helping a lot off-list and is practically a co-maintainer already. :-)”

     https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html

     This is really sad. I’m feeling bad for Lasse Collin.

     clacke likes this.
   • Embed this notice
     rugk (rugk@chaos.social)'s status on Sunday, 31-Mar-2024 22:48:57 JST rugk

     in reply to

     @eb aner news, another subtle thing fixed: https://chaos.social/@danderson@hachyderm.io/112185746040563778

     clacke likes this.
   • Embed this notice
     Luis Villa (luis_in_brief@social.coop)'s status on Monday, 01-Apr-2024 01:16:22 JST Luis Villa

     in reply to

     • Sumana Harihareswara
     • benwis 🦀

     @benwis @brainwane we do, though sadly not a ton of customer demand yet so not a ton of money going into that ecosystem yet.

     clacke likes this.
   • Embed this notice
     benwis 🦀 (benwis@hachyderm.io)'s status on Monday, 01-Apr-2024 01:16:28 JST benwis 🦀

     in reply to

     • Sumana Harihareswara
     • Glyph
     • Luis Villa
     • David Zaslavsky
     • Dirkjan Ochtman
     • Geoffrey Thomas

     @luis_in_brief @eb @brainwane @glyph @geofft @diazona @djc

     Does Tidelift support Rust projects?

   • Embed this notice
     Luis Villa (luis_in_brief@social.coop)'s status on Monday, 01-Apr-2024 01:16:30 JST Luis Villa

     in reply to

     • Sumana Harihareswara
     • Glyph
     • David Zaslavsky
     • Dirkjan Ochtman
     • Geoffrey Thomas
     • benwis 🦀

     @eb @benwis @brainwane @glyph @geofft @diazona @djc you’re thinking of Back Your Stack, probably.

     On a more sustainable (read: commercial) basis, I co-founded https://tidelift.com to do exactly this.

   • Embed this notice
     Evan B🥥ehs (eb@social.coop)'s status on Monday, 01-Apr-2024 01:16:32 JST Evan B🥥ehs

     in reply to

     • Sumana Harihareswara
     • Glyph
     • Luis Villa
     • David Zaslavsky
     • Dirkjan Ochtman
     • Geoffrey Thomas
     • benwis 🦀

     @benwis @brainwane @luis_in_brief @glyph @geofft @diazona @djc there’s some website (I forget what it is) that basically you pay x amount of dollars and it audits your entire dependency tree and attempts to pay maintainers proportionally. Unfortunately iirc it was kinda flawed but I think it’s a solid idea

     clacke repeated this.
   • Embed this notice
     benwis 🦀 (benwis@hachyderm.io)'s status on Monday, 01-Apr-2024 01:16:33 JST benwis 🦀

     in reply to

     • Sumana Harihareswara
     • Glyph
     • Luis Villa
     • David Zaslavsky
     • Dirkjan Ochtman
     • Geoffrey Thomas

     @brainwane @luis_in_brief @glyph @geofft @diazona @eb @djc How to monetize open source is such an interesting question.

   • Embed this notice
     Sumana Harihareswara (brainwane@social.coop)'s status on Monday, 01-Apr-2024 01:16:35 JST Sumana Harihareswara

     in reply to

     • Glyph
     • Luis Villa
     • David Zaslavsky
     • Geoffrey Thomas

     @luis_in_brief @glyph

     I am way overdue in finishing and publishing my negative review of Eghbal's "Working in Public" but one of my critiques is that she basically concludes that maintainers need to become famous and use Substack/Patreon to crowdfund (from individual donors) in order to sustain their work. Which really doesn't fit what we have found in critical FLOSS infrastructure IMO.

     @geofft @diazona @eb

   • Embed this notice
     Luis Villa (luis_in_brief@social.coop)'s status on Monday, 01-Apr-2024 01:16:46 JST Luis Villa

     in reply to

     • Sumana Harihareswara
     • Glyph
     • David Zaslavsky
     • Dirkjan Ochtman
     • Geoffrey Thomas
     • benwis 🦀

     @eb @benwis @brainwane @glyph @geofft @diazona @djc Thanks! admittedly on a day like today, mostly I'm focused on how many projects we can't yet cover.

     So, yeah, send people our way!

     clacke likes this.
   • Embed this notice
     Evan B🥥ehs (eb@social.coop)'s status on Monday, 01-Apr-2024 01:16:47 JST Evan B🥥ehs

     in reply to

     • Sumana Harihareswara
     • Glyph
     • Luis Villa
     • David Zaslavsky
     • Dirkjan Ochtman
     • Geoffrey Thomas
     • benwis 🦀

     @luis_in_brief @benwis @brainwane @glyph @geofft @diazona @djc oh that’s sick, it’s so funny that you never know who you’re speaking to on here lol. Congrats on how successful tidelift has been :)

   • Embed this notice
     Sumana Harihareswara (brainwane@social.coop)'s status on Monday, 01-Apr-2024 01:17:00 JST Sumana Harihareswara

     in reply to

     • Paul Barker

     @pbarker Thanks! That is motivating and I appreciate you telling me. It'll expand on

     my comment in https://www.metafilter.com/191414/Free-as-in-free-puppy-not-free-as-in-free-beer

     and

     https://www.harihareswara.net/posts/2022/what-you-miss-by-only-checking-github/

     clacke likes this.
   • Embed this notice
     Paul Barker (pbarker@social.afront.org)'s status on Monday, 01-Apr-2024 01:17:02 JST Paul Barker

     in reply to

     • Sumana Harihareswara

     @brainwane I dropped you a follow because I am *very* interested in reading a critique like that when it is published!

     clacke likes this.
     clacke repeated this.
   • Embed this notice
     Sumana Harihareswara (brainwane@social.coop)'s status on Monday, 01-Apr-2024 01:17:07 JST Sumana Harihareswara

     in reply to

     • Glyph
     • Luis Villa
     • Thomas Depierre
     • David Zaslavsky
     • Geoffrey Thomas

     @Di4na

     If you have an unfinished or unpublished draft review I would very much like to read it. My own critique will/would expand on what I wrote in https://www.harihareswara.net/posts/2022/what-you-miss-by-only-checking-github/ as well as my comment at the top of https://www.metafilter.com/191414/Free-as-in-free-puppy-not-free-as-in-free-beer .

     @luis_in_brief @glyph @geofft @diazona @eb

     clacke likes this.
   • Embed this notice
     Thomas Depierre (di4na@hachyderm.io)'s status on Monday, 01-Apr-2024 01:17:08 JST Thomas Depierre

     in reply to

     • Sumana Harihareswara
     • Glyph
     • Luis Villa
     • David Zaslavsky
     • Geoffrey Thomas

     @brainwane @luis_in_brief @glyph @geofft @diazona @eb yep i never published my own review because of that. The Road and Bridges report was great. The book felt like a massive PR piece for GitHub sponsor feature and a way to hide the problem.

     clacke likes this.
   • Embed this notice
     irenes (irenes@mastodon.social)'s status on Monday, 01-Apr-2024 09:22:19 JST irenes

     in reply to

     • Glyph
     • Peter Brett

     @krans @glyph @eb we're very proactive-death-of-the-author about this. the FSF has failed to provide ideological leadership due to RMS's top-down style, but many of the ideals are good ones and it's the job of the current generation to renew the movement if we want our children to be able to enjoy its fruits the way we did

     Haelwenn /элвэн/ :triskell: and clacke like this.
   • Embed this notice
     Peter Brett (krans@mastodon.me.uk)'s status on Monday, 01-Apr-2024 09:22:20 JST Peter Brett

     in reply to

     • Glyph
     • irenes

     @irenes @glyph @eb I thought it was called "free software" because users are allowed to do whatever they want to with it including modifications, not because it's provided free of charge.

     The founders of the Free Software movement were Libertarians, not Socialists (unfortunately).

     I guess we were talking at cross purposes — sorry.

     clacke repeated this.
   • Embed this notice
     irenes (irenes@mastodon.social)'s status on Monday, 01-Apr-2024 09:22:21 JST irenes

     in reply to

     • Glyph
     • Peter Brett

     @krans @glyph @eb sure. well, so the reason we personally call the thing we do "free software" is precisely to highlight the point that our own goal in publishing stuff without charge is very much to work towards a world without that problem, by creating something that exists as far outside it as we can manage (not all the way - obviously we have the free time to do that because of our other privileges)

   • Embed this notice
     irenes (irenes@mastodon.social)'s status on Monday, 01-Apr-2024 09:22:22 JST irenes

     in reply to

     • Glyph

     @glyph @eb please note that we are ALSO no fans of the "subsume free software into capitalism" solution that corporate and statist rhetoric has been pushing for a couple years now

   • Embed this notice
     Peter Brett (krans@mastodon.me.uk)'s status on Monday, 01-Apr-2024 09:22:22 JST Peter Brett

     in reply to

     • Glyph
     • irenes

     @irenes @glyph @eb It's tricky to avoid the challenge that arises from the problem that (1) producing free software is work and (2) the workers live in a capitalist society and (3) the workers therefore need to pay for food and shelter.

     Verily, there is no ethical consumption under capitalism.

     clacke likes this.
   • Embed this notice
     Peter Brett (krans@mastodon.me.uk)'s status on Monday, 01-Apr-2024 10:11:11 JST Peter Brett

     in reply to

     • Glitzersachen.de

     @glitzersachen No. I think the project was a tasty target because it was barely maintained (due to capitalism) and no-one was actually looking at the code being submitted in detail (also because of capitalism).

     clacke likes this.
   • Embed this notice
     Glitzersachen.de (glitzersachen@hachyderm.io)'s status on Monday, 01-Apr-2024 10:11:12 JST Glitzersachen.de

     in reply to

     • Glyph
     • irenes
     • Peter Brett

     @krans @irenes @glyph @eb

     Do you think he inserted the backdoor for money?

   • Embed this notice
     irenes (irenes@mastodon.social)'s status on Monday, 01-Apr-2024 10:11:19 JST irenes

     in reply to

     • Glyph
     • Peter Brett
     • Richard Stallman
     • Shamar

     @Shamar @rms @krans @glyph @eb that's a good analysis. we do agree that, like, any complete statement of values should have more than one thing on it, or at least more elaboration of what they mean in-context.

     we'll take a look at the license. we do think the work to be done is more social than legal, we suspect copyright law as a tool for change has gone about as far as it can.

     clacke likes this.
   • Embed this notice
     shamar@qoto.org's status on Monday, 01-Apr-2024 10:11:20 JST Shamar

     in reply to

     • Glyph
     • irenes
     • Peter Brett
     • Richard Stallman

     @irenes

     I think @rms did a huge error basing what was a hacker¹ movement on the value of freedom alone.

     #Freedom (like #Communion) is a totalizant value, a value that can blind people from other important values, so much that it's the foundational value of #Capitalism (much like what #Communion was for #Comunism).

     As we can all see that #FreeSoftware lost its political goals, being used much more to reduce human freedom than to increase it (#Google and #Facebook would not exists without exploiting huge amount of developers' work donated as Free Software, much like #GitHub #Copilot / #CopyALot), we should really move to something different.

     Years ago I wrote the #HackingLicense ² to this aim, a (network) #copyleft license (and a shrink-wrap contract) that has been used successfully in a couple of projects.

     It doesn't forbid commercial use of the covered works and even share the copyright with the users that comply with the license itself, BUT contractually impose a complete reciprocity, as any work that benefit in any way from the covered work must be distributed in the same way.

     IOW, if you use my work under the Hacking License, I can use and distribute your work under the same terms. Even if it's a LLM, or a software including its output.

     I'm not sure the Hacking License is the best tool to get back freedom, communion and #Curiosity, but at least it's a step in the right direction.

     ¹ http://www.tesio.it/2020/09/03/not_all_hackers_are_americans.html
     ² http://www.tesio.it/documents/HACK.txt

     @krans @glyph @eb

   • Embed this notice
     irenes (irenes@mastodon.social)'s status on Monday, 01-Apr-2024 10:11:21 JST irenes

     in reply to

     • Glyph
     • Peter Brett

     @krans @glyph @eb but you're right, of course, it's a valid point. we just don't think trying to coin a new term would be useful, if anything it would be a distraction from the cultural work that matters