The xz backdoor code is clever, but it isn't out of reach of private hacker groups. I've seen similar backdoors that pwn the entire system due to messy shared library dependencies, and infecting sshd indirectly is a fairly common tactic.
Folks also need to stop pointing fingers at every committer that has a vaguely Chinese or Russian name.
I've also already seen this event leading to projects becoming skeptical about contributions from Chinese folks. That would severely negatively impact the ecosystem - a great many open source contributions come from China. The same can be said for Russians, too. If you catch projects taking so-called "precautions" like this, remind them that they're making unfounded, racist assumptions.
If you're worried about citizens of a particular country secretly sabotaging your open source projects, you should probably consider banning all US citizens. The NSA and CIA love to play long term backdoor games.
See how absurd that sounds?
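On the "infecting sshd indirectly" point: the sshd binary itself did not list liblzma among its direct dependencies; a library it did link pulled it in. The following is an added example (not code from anyone in this thread) that walks a transitive DT_NEEDED map to show which chain drags a given library into a process. The map is constructed by hand to mirror the shape of the xz case; on a real host you would build it from `readelf -d` output on the binary and on each library it names, which `parse_readelf_needed` handles.

```python
"""Trace which dependency chain maps an unexpected shared library into a
process such as sshd.  Added example for this thread; the NEEDED map is a
constructed illustration, not output captured from a real system."""
from collections import deque
from typing import Dict, List, Optional, Set


def parse_readelf_needed(text: str) -> List[str]:
    """Extract library names from `readelf -d <file>` output lines such as
       0x0000000000000001 (NEEDED)  Shared library: [liblzma.so.5]"""
    libs = []
    for line in text.splitlines():
        if "(NEEDED)" in line and "[" in line and "]" in line:
            libs.append(line[line.index("[") + 1:line.index("]")])
    return libs


# Constructed sample of what `readelf -d` prints for one object.
SAMPLE_READELF = """Dynamic section at offset 0x1a2b8 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [liblzma.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libsystemd.so.0]
"""

# Constructed direct-dependency map (assumed names and versions), one entry
# per object, as if parse_readelf_needed had been run on each in turn.
NEEDED: Dict[str, List[str]] = {
    "sshd": ["libcrypto.so.3", "libsystemd.so.0", "libc.so.6"],
    "libsystemd.so.0": ["liblzma.so.5", "libzstd.so.1", "libc.so.6"],
    "libcrypto.so.3": ["libc.so.6"],
    "liblzma.so.5": ["libc.so.6"],
    "libzstd.so.1": ["libc.so.6"],
    "libc.so.6": [],
}


def dependency_chain(root: str, target: str,
                     needed: Dict[str, List[str]]) -> Optional[List[str]]:
    """Shortest load chain root -> ... -> target via DT_NEEDED edges,
    or None if target never gets mapped."""
    parent: Dict[str, Optional[str]] = {root: None}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        if cur == target:
            chain = []
            node: Optional[str] = cur
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for dep in needed.get(cur, []):
            if dep not in parent:
                parent[dep] = cur
                queue.append(dep)
    return None


def loaded_set(root: str, needed: Dict[str, List[str]]) -> Set[str]:
    """Every object that ends up in the process image, transitively."""
    seen: Set[str] = set()
    stack = [root]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(needed.get(cur, []))
    return seen


def unexpected_libraries(root: str, needed: Dict[str, List[str]],
                         allowlist: Set[str]) -> List[str]:
    """Libraries mapped into the process that are not on the allowlist.
    Note that sshd's own NEEDED list would pass a naive direct-only check."""
    return sorted(lib for lib in loaded_set(root, needed)
                  if lib not in allowlist)


if __name__ == "__main__":
    print("sshd directly needs:", NEEDED["sshd"])
    print("chain to liblzma:   ", dependency_chain("sshd", "liblzma.so.5", NEEDED))
    print("not on allowlist:   ",
          unexpected_libraries("sshd", NEEDED, {"sshd", "libcrypto.so.3", "libc.so.6"}))
```

The direct-only view (`NEEDED["sshd"]`) never mentions liblzma; only the transitive walk does, which is why a review of a service's own link line is not enough to know what code runs in its address space.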
@astraleureka I'm sorry, I thought the entire point of "open source" was that it's vastly easier to audit than closed source/most proprietary software. Isn't the discovery of this backdoor a good thing, because it means the open source model is working? (To catch threats and weaknesses in a collaboratively developed system?)
Maybe I'm underinformed, but if it took a long time to be discovered then maybe FOSS community needs to be more aggressive & thorough with auditing FOSS software.
@itsmeholland@mastodon.social @astraleureka@social.treehouse.systems
I'm not sure you've thought that idea through. I don't think most people have ever audited the packages installed on their systems; they might lack the time to do so, or the knowledge (unfamiliarity with the programming language; not knowing about certain vulnerabilities).
"Given enough eyeballs, all bugs are shallow" may well be true, but from an individual standpoint, even the most legendary of filesystem developers is probably not going to be useful in auditing libreoffice.
@lofty @astraleureka I'm not really talking about individual auditing, that doesn't seem possible or if it is, it's not sensible. It has to be community-driven and collaborative, like any large FOSS project.
@itsmeholland @astraleureka
It's not that it took long to discover, it's that it took an incredibly lucky coincidence, and a mistake on the attacker's part.
There could be 50 more backdoors like this that we don't know about and there's no reason for them to be caught.
Part of the problem is that some parts of open-source software (e.g. build scripts) are often hard to audit despite being open-source (this is fixable).
Another part is that not enough people want to audit software.
@wolf480pl @astraleureka that's what I suspected. As I mentioned in another comment, I'm not a dev, I wouldn't call myself a power user either, though I'm a bit more adept than a complete noob. I'm just a user, so I'm not intending to chastise the FOSS community which I love & appreciate. But I think you're right: it's A LOT of stuff to go through, nobody really wants to do it (I don't!) so there's a lot of packages & dependencies that people are relying on "just working." But as you said, it's fixable.
@wolf480pl @astraleureka i think sometimes FOSS is held to a different standard than other software, especially during times where general interest is high. If people are seriously considering switching from the comfort & perceived safety of Windows & Mac, they want FOSS to be BETTER & EASIER than their current option. For a long time, this seemed impossible. You had to be a dev to use Linux.
@wolf480pl @astraleureka It's getting better, but problems like these spook people, & it should motivate the community to be even better. Not inspire doomerism about the viability of the FOSS model/philosophy, or arbitrary restrictions on who can contribute, etc. Just my 2 cents as a user & appreciator of FOSS.
@itsmeholland @astraleureka
I think many people complaining about this aren't saying "FOSS is not viable, proprietary software is better", they're saying "FOSS is not viable, proprietary software is just as bad, we've created a hell".
And considering the immense manpower required to do things right vs how many people want to work on FOSS, how they're overworked, and how we struggle to pass knowledge to new developers... yikes!
@wolf480pl @astraleureka absolutely, we live in a hellworld of poor technology infrastructure. :(