Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://nerdculture.de/users/tynstar/statuses/112203684363171810">Jens Bannmann (tynstar@nerdculture.de)'s status on Wednesday, 03-Apr-2024 19:35:08 JST</a><a href="https://nerdculture.de/@tynstar" title="tynstar@nerdculture.de"><img src="https://gnusocial.jp/avatar/97169-48-20230210234918.webp" width="48" height="48" alt="Jens Bannmann" style="position: absolute; left: 0; top: 0;">Jens Bannmann</a><div><ul><li></ul></div></section><article><p>Any experienced C developers among my followers? <a href="https://nerdculture.de/tags/BoostsWelcome" rel="tag">#BoostsWelcome</a>.</p><p>Expat, arguably the world's most popular <a href="https://nerdculture.de/tags/XML" rel="tag">#XML</a> parser, is understaffed and without funding. As <a href="https://nerdculture.de/tags/xz" rel="tag">#xz</a> has shown, situations like this are dangerous.</p><p>Last month, maintainer Sebastian Pipping put up a plea for help at <a href="https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes" rel="nofollow noreferrer">https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes</a></p><p>(I would help myself, but my C skills barely surpass "Hello, World".)</p><p>Found via <a href="https://cosocial.ca/@timbray">@timbray</a> - <a href="https://cosocial.ca/@timbray/112203547801373427" rel="nofollow noreferrer">https://cosocial.ca/@timbray/112203547801373427</a></p><p><a href="https://nerdculture.de/tags/libexpat" rel="tag">#libexpat</a><br><a href="https://nerdculture.de/tags/SoftwareSupplyChainSecurity" rel="tag">#SoftwareSupplyChainSecurity</a> <a href="https://nerdculture.de/tags/OpenSource" rel="tag">#OpenSource</a> <a href="https://nerdculture.de/tags/OpenSourceMaintainer" rel="tag">#OpenSourceMaintainer</a> <br><a href="https://nerdculture.de/tags/C" rel="tag">#C</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2894925#notice-5753751">In conversation</a><time datetime="2024-04-03T19:35:08+09:00" title="Wednesday, 03-Apr-2024 19:35:08 JST">Wednesday, 03-Apr-2024 19:35:08 JST</time> <span>from <span><a href="https://nerdculture.de/@tynstar/112203684363171810" rel="external" title="Sent from nerdculture.de via ActivityPub">nerdculture.de</a></span></span><a href="https://nerdculture.de/@tynstar/112203684363171810">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/2454275">Untitled attachment</a></label><br></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://cosocial.ca/@timbray/112203547801373427#libexpat">Tim Bray (@timbray@cosocial.ca)</a></h5><div> from <span>Tim Bray</span></div></header><div>I think the #xz incident is teaching us that our infrastructure is dangerously fragile in the face of well-organized/funded attackers. The response isn’t “try harder” or “donate to your OSS project”, it needs to be institutional, professional, and at scale. So, here’s my proposal, called “OSQI”, aimed at starting a how-to discussion: https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Jens Bannmann (tynstar@nerdculture.de)'s status on Wednesday, 03-Apr-2024 19:35:08 JSTJens Bannmann
- Tim Bray
Any experienced C developers among my followers? #BoostsWelcome.
Expat, arguably the world's most popular #XML parser, is understaffed and without funding. As #xz has shown, situations like this are dangerous.
Last month, maintainer Sebastian Pipping put up a plea for help at https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes
(I would help myself, but my C skills barely surpass "Hello, World".)
Found via @timbray - https://cosocial.ca/@timbray/112203547801373427
#libexpat
#SoftwareSupplyChainSecurity #OpenSource #OpenSourceMaintainer
#C
In conversationWednesday, 03-Apr-2024 19:35:08 JST from nerdculture.depermalink
Attachments
1. Untitled attachment
2. No result found on File_thumbnail lookup.
  Tim Bray (@timbray@cosocial.ca)
  from Tim Bray
  I think the #xz incident is teaching us that our infrastructure is dangerously fragile in the face of well-organized/funded attackers. The response isn’t “try harder” or “donate to your OSS project”, it needs to be institutional, professional, and at scale. So, here’s my proposal, called “OSQI”, aimed at starting a how-to discussion: https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI

Public

Embed Notice

HTML Code

Corresponding Notice