#SolarWinds wrote a blog post in 2019 about how #FLOSS is dangerous because anyone can push malicious code to FLOSS projects:
The irony could not be sweeter.
Yeah, supply chain attacks can happen anywhere. Open source, if anything, allows you to be more careful!
@feoh @rysiek @cguess I thought the same thing when I saw a product that managed SSH logins. An agent runs (as root) on all your servers and you get a short-term certificate (1 day) from the 3rd-party provider to log in. When you revoke someone's access, you don't have to search all servers for their SSH keys. My comment was that the 3rd party has root everywhere.
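The mechanism that post describes, as an added example that is not part of the thread and not code from any product it mentions: the public half of an OpenSSH user certificate (the ssh-ed25519-cert-v01@openssh.com format, field order per OpenSSH's PROTOCOL.certkeys) encoded and parsed in pure Python, followed by the principal and validity-window checks that let a one-day certificate expire on its own. Assumptions: the signature field is left empty and is not verified (sshd checks it against the CA listed in TrustedUserCAKeys), and the key id, principal names and timestamps are constructed test data.

```python
"""Added example, not code from the thread or from any vendor named in it:
an OpenSSH user certificate body (field order per PROTOCOL.certkeys) built
and parsed in pure Python, plus the principal/validity checks that make a
one-day certificate expire without touching any authorized_keys file.
Assumption: the signature is empty and not verified here (sshd does that)."""
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1
ONE_DAY = 86400


def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _unpack(self, fmt: str) -> int:
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def u32(self) -> int:
        return self._unpack(">I")

    def u64(self) -> int:
        return self._unpack(">Q")

    def string(self) -> bytes:
        n = self.u32()
        s = self.data[self.pos:self.pos + n]
        if len(s) != n:
            raise ValueError("truncated string field")
        self.pos += n
        return s

    def done(self) -> bool:
        return self.pos == len(self.data)


def issue_user_cert(pubkey: bytes, key_id: str, principals, valid_after: int,
                    lifetime: int = ONE_DAY, serial: int = 1,
                    nonce: bytes = b"\x00" * 32) -> bytes:
    """Serialize a user certificate valid for `lifetime` seconds. A real CA
    signs everything before the signature field; here it stays empty."""
    body = (
        _string(CERT_TYPE)
        + _string(nonce)
        + _string(pubkey)
        + struct.pack(">Q", serial)
        + struct.pack(">I", SSH_CERT_TYPE_USER)
        + _string(key_id.encode())
        + _string(b"".join(_string(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_after + lifetime)
        + _string(b"")  # critical options (none)
        + _string(b"")  # extensions (none)
        + _string(b"")  # reserved
        + _string(b"")  # signature key (the CA public key; empty here)
    )
    return body + _string(b"")  # signature (empty here, assumption)


def parse_cert(blob: bytes) -> dict:
    """Decode the certificate fields in wire order into a dict."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    cert = {"nonce": r.string(), "pubkey": r.string(), "serial": r.u64(),
            "type": r.u32(), "key_id": r.string().decode()}
    pr = _Reader(r.string())  # principals: a packed list of strings
    cert["principals"] = []
    while not pr.done():
        cert["principals"].append(pr.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical_options"], cert["extensions"] = r.string(), r.string()
    cert["reserved"], cert["signature_key"] = r.string(), r.string()
    cert["signature"] = r.string()
    if not r.done():
        raise ValueError("trailing bytes after certificate")
    return cert


def authorize(blob: bytes, login_user: str, now: int):
    """The principal and validity checks sshd applies (half-open window,
    valid_after <= now < valid_before); signature check omitted here.
    Expiry is the revocation: no server's authorized_keys needs editing."""
    c = parse_cert(blob)
    if c["type"] != SSH_CERT_TYPE_USER:
        return False, "not a user certificate"
    if login_user not in c["principals"]:
        return False, "principal not listed in certificate"
    if now < c["valid_after"]:
        return False, "certificate not yet valid"
    if now >= c["valid_before"]:
        return False, "certificate expired"
    return True, "ok"
```

Issue a certificate with `issue_user_cert(pubkey, "alice@laptop", ["alice"], t0)` and call `authorize(cert, "alice", t0 + ONE_DAY)` to see it refused one day later with nothing deleted anywhere. The objection in the post is visible in `issue_user_cert`: whoever holds the CA signing key can mint a certificate for any principal on every host that trusts that CA, so the party running the CA is effectively root on all of them; running the CA in-house rather than at a third party is the corresponding mitigation.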
Seems like LDAP/Kerberos would just as easily solve this problem...
SolarWinds on supply chain attacks
@erosdiscordia @rysiek @cguess Neither was having "solarwinds123" as a password to their update server, if the source of this Reuters article is to be believed: https://mobile.reuters.com/article/amp/idUSKBN28Q07P
Also, if you've ever seen commercially developed closed-source code, you'll know that it will be much harder to take over maintenance of some escrowed software than doing the same for abandoned open source code.
I find it very strange that some (solarwinds among them) seem to talk about Open Source projects as if they are a google docs document where the general public has write permissions.
"When you reach in the drawer for a clean fork, you could be pulling out a dirty utensil."
Sorry, don't you check that the fork is clean? That's completely untrue. Putting malicious code into open source software is much harder due to the number of people who can check it and fix bugs.