But none of this is really new, is it? None of it applies to just OSS. This isn’t an OSS problem, it’s a problem with people, processes and technology :)
Marc Rogers ⚠️ (cj@chaos.social)'s status on Saturday, 06-Apr-2024 20:17:32 JST
clacke likes this.
Marc Rogers ⚠️ (cj@chaos.social)'s status on Saturday, 06-Apr-2024 20:17:33 JST
Defence needs to be in-depth. Detection of human and technical red flags. Full adoption of development processes that cryptographically prove committer identity and which use technology to ensure code is verified, examined and tested.
Marc Rogers ⚠️ (cj@chaos.social)'s status on Saturday, 06-Apr-2024 20:17:35 JST
Let’s not forget we have struggled to solve human risks for a long time. We have worked to perfect offensive HUMINT for even longer. There is no magical solution to a Dev being coerced, forced or bought.
Marc Rogers ⚠️ (cj@chaos.social)'s status on Saturday, 06-Apr-2024 20:17:36 JST
If we want to have nice things we also have to protect OSS. It’s passion projects originally written by hobbyists that power your portable game systems or drive your cars. Eliminate them and you eliminate innovation.
Marc Rogers ⚠️ (cj@chaos.social)'s status on Saturday, 06-Apr-2024 20:17:37 JST
If we want to prevent future incidents like this we also have to recognise that this was as much a human-centred operation as it was a technical one.
Marc Rogers ⚠️ (cj@chaos.social)'s status on Saturday, 06-Apr-2024 20:17:38 JST
So while I agree that projects which become “critical” do need extra defences, I just don’t believe it’s the developers’ problem. It’s the problem of whoever is using that software in a critical way.
Marc Rogers ⚠️ (cj@chaos.social)'s status on Saturday, 06-Apr-2024 20:17:39 JST
Supporting good development practices, funding projects and reinforcing the OSS community are all things that we should be doing already - and are still largely failing at.
Marc Rogers ⚠️ (cj@chaos.social)'s status on Saturday, 06-Apr-2024 20:17:40 JST
The OSS community is not responsible for how their code is used. Hobby and passion projects are not corporations, they generally aren’t even businesses and they certainly aren’t your employees.
Marc Rogers ⚠️ (cj@chaos.social)'s status on Saturday, 06-Apr-2024 20:17:41 JST
There’s a lot of talk about what the OSS community needs to do to prevent future interference. Suggestions like restricting code updates to devs with “good reputations”, even going so far as saying once a project is “critical” in some way it should be taken over or restricted.