Conversation

Notices

  1. AndresFreundTec (andresfreundtec@mastodon.social)'s status on Thursday, 04-Apr-2024 01:55:32 JST

    I am a bit concerned by all the focus on small-ish projects with overwhelmed maintainers. There indeed are a lot of problems in that area.

    But I am certain that lots of experienced OSS devs can think of a few large and crucial projects where they fairly easily could have hidden something small in a larger change. Without a lot of prior contributions to the project.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Apr-2024 01:55:32 JST

      @AndresFreundTec yeah. I’m surprised there isn’t more focus on compression libraries and code in tar files, too. There’s specific areas which are risky, but a lot of discussion revolves around ‘this is unmanageable’ before anybody has tried to, er, manage it.

    • AndresFreundTec (andresfreundtec@mastodon.social)'s status on Thursday, 04-Apr-2024 03:34:26 JST
      in reply to Kevin Beaumont

      @GossiTheDog I think there are a few people looking into that.

      If I were the team behind "jia", I'd have looked at getting into dissimilar projects, not the same project multiple times, not multiple compression libs. But of course there are other actors...

      The scariest areas I can think of are, in that order, compilers / binutils, buildsystems, "build executors" like make/ninja.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Apr-2024 03:34:26 JST

      @AndresFreundTec there's definitely some people looking at it, but I don't think it's had as much debate as I imagined (e.g. the tar files thing).

      And yeah, there's definitely other areas of attack. But part of me thinks even the known-knowns haven't been exhaustively looked at.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.