Thought this was a good read exploring some how the “how and why” including several apparent sock puppet accounts that convinced the original dev (Lasse Collin) to hand over the baton.

  • Ephera@lemmy.ml
    link
    fedilink
    arrow-up
    131
    ·
    9 months ago

    Pretty bad is also that it intersects with another problem: Bus factor.

    Having just one person as maintainer of a library is pretty bad. All it takes is one accident and no one knows how to maintain it.
    So, you’re encouraged to add more maintainers to your project.

    But yeah, who do you add, if it’s a security-critical project? Unless you happen to have a friend that wants to get in on it, you’re basically always picking a stranger.

    • umbrella@lemmy.ml
      link
      fedilink
      arrow-up
      45
      arrow-down
      3
      ·
      edit-2
      9 months ago

      honestly these people should be getting paid if a corporation wants to use a small one-man foss project for their own multibillion software. the lawyer types in foss could put that in GPLv5 or something whenever we feel like doing it.

      also hire more devs to help out!

      • taladar@sh.itjust.works
        link
        fedilink
        arrow-up
        24
        arrow-down
        3
        ·
        9 months ago

        If you think people are going to be trustworthy just because they are getting paid you are naive.

        • umbrella@lemmy.ml
          link
          fedilink
          arrow-up
          13
          arrow-down
          2
          ·
          edit-2
          9 months ago

          not trustworthy per se but maybe less overworked and inclined to review code more hastily, or less tired and inclined to have the worse judgement that makes such a project more vulnerable to stuff like this.

          these people maintain the basis of our entire software infrastructure thanklessly for us in between the full time jobs they need to survive, this has to change.

          as for trust in foss projects, the community will often notice bad faith code just like they just did (and very quickly this time, i might add!)

          • taladar@sh.itjust.works
            link
            fedilink
            arrow-up
            3
            ·
            9 months ago

            I guess you are using trust in a different way here. Trust in competency can vary with both volunteer and paid workers, everyone makes mistakes though. Trust that someone doesn’t do something deliberately malicious is a different matter though.

      • Dunstabzugshaubitze@feddit.de
        link
        fedilink
        arrow-up
        6
        arrow-down
        3
        ·
        9 months ago

        i can’t see how paying someone would have changed anything in this scenario.

        this seems to be a long running campaign to get someone into a position where they could introduce malicious code. the only thing different would have been that the bad actor would have been paid by someone.

        this is not to say, that people working on foss should not be paid. if anything we need more people actively reviewing code and release artifacts even if they are not a contributor or maintainer of a piece of software.

        • xionzui@sh.itjust.works
          link
          fedilink
          arrow-up
          6
          ·
          9 months ago

          i can’t see how paying someone would have changed anything in this scenario.

          we need more people actively reviewing code and release artifacts

          I think you’ve answered your own question there

          • Dunstabzugshaubitze@feddit.de
            link
            fedilink
            arrow-up
            2
            arrow-down
            3
            ·
            9 months ago

            no, the solution is not to pay someone to have someone to blame if shit happens.

            there are a bus load of people involved on the way from a git repo to actuall stuff running on a machine and everyone in that chain is responsible to have an eye on what stuff they are building/packaging/installing/running and if something seems off, it’s their responsibility to investigate and communicate with each other.

            attacks like this will not be solved by paying someone to read source code, because the code in the repo might not be what is going to run on a machine or might look absolutely fine in a vacuum or will be altered by some other part in the chain. and even if you have dedicated code readers, you cant be sure that they are not compromised or that their findings will reach the people running/packaging/depending on the software.

            • xionzui@sh.itjust.works
              link
              fedilink
              arrow-up
              3
              ·
              9 months ago

              Of course you can’t be sure anyone involved, paid or not, isn’t compromised. But if you want more human effort put into a project, people need a reason to do so. Complaining that volunteer contributors don’t spend enough of their time and effort with no compensation isn’t going to solve anything. Maybe AI tools will make that work more available in the near future.

        • Serinus@lemmy.world
          link
          fedilink
          arrow-up
          5
          ·
          9 months ago

          If my job didn’t pay me, I would have certainly burned out years ago. For one, I’d need another job.

    • DigitalDilemma@lemmy.ml
      link
      fedilink
      arrow-up
      22
      ·
      9 months ago

      I think bus factor would be a lot easier to cope with than a slowly progressing, semi-abandoned project and a White Knight saviour.

      In a complete loss of a sole maintainer, then it should be possible to fork and continue a project. That does require a number of things, not least a reliable person who understands the codebase and is willing to undertake it. Then the distros need to approve and change potentially thousands of packages that rely upon the project as a dependency.

      Maybe, before a library or any software gets accepted into a distro, that distro does more due diligence to ensure it’s a sustainable project and meets requirements like a solid ownership?

      The inherited debt from existing projects would be massive, and perhaps this is largely covered already - I’ve never tried to get a distro to accept my software.

      Nothing I’ve seen would completely avoid risk. Blackmail upon an existing developer is not impossible to imagine. Even in this case, perhaps the new developer in xz started with pure intentions and they got personally compromised later? (I don’t seriously think that is the case here though - this feels very much state sponsored and very well planned)

      It’s good we’re asking these questions. None of them are new, but the importance is ever increasing.

      • taladar@sh.itjust.works
        link
        fedilink
        arrow-up
        6
        ·
        9 months ago

        Maybe, before a library or any software gets accepted into a distro, that distro does more due diligence to ensure it’s a sustainable project and meets requirements like a solid ownership?

        And who is supposed to do that work? How do you know you can trust them?

        • DigitalDilemma@lemmy.ml
          link
          fedilink
          arrow-up
          2
          ·
          9 months ago

          Fair point.

          If the distro team is compromised, then that leaves all their users open too. I’d hope that didn’t happen, but you’re right, it’s possible.