
I am a bit concerned by all the focus on small-ish projects with overwhelmed maintainers. There indeed are a lot of problems in that area.

But I am certain that lots of experienced OSS devs can think of a few large and crucial projects where they fairly easily could have hidden something small in a larger change. Without a lot of prior contributions to the project.

@AndresFreundTec yeah. I’m surprised there isn’t more focus on compression libraries and code in tar files, too. There are specific areas which are risky, but a lot of discussion revolves around ‘this is unmanageable’ before anybody has tried to, er, manage it.

AndresFreundTec

@GossiTheDog I think there are a few people looking into that.

If I were the team behind "jia", I'd have looked at getting into dissimilar projects, not the same project multiple times, not multiple compression libs. But of course there are other actors...

The scariest areas I can think of are, in that order, compilers / binutils, buildsystems, "build executors" like make/ninja.

@AndresFreundTec @GossiTheDog The 'waf' build system encourages shipping a minified 'binary' of the build system in tree.

Samba includes a full copy of the upstream tree instead and we carefully check the import at review but honestly the upstream source is not much more understandable.

@abartlet @GossiTheDog I think, if anything, that makes it easier to attack. A central copy of the buildsystem in a distro will receive much more review than a copy in some package. Particularly if the copy is minified, which makes it harder to actually find differences.

@AndresFreundTec @GossiTheDog Exactly. Samba is at a halfway point with our copy because we find we are sensitive to the exact version used but it is a weak point.

I do wish upstream waf would ditch the minify idea however.

@AndresFreundTec @abartlet @GossiTheDog to extend your list:
- "universal" standard libraries like boost.
- I always stress that gnulib is well-maintained, because I really think it is, I trust the people, but horrible, horrible code that nobody should include. Yet, most shell utilities on GNU/Linux do.
- libpcre and
- things that get linked into everything that authenticates (i.e., runs privileged).
- The PAM landscape is… not in good shape
- nsswitch's maybe also an interesting thing.

@AndresFreundTec @abartlet @GossiTheDog True, but verifying the copy matches upstream shouldn't be particularly hard unless you use a minification tool that isn't reproducible, in which case, what's wrong with you?
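As an added illustration of the two points above (hash-verifying a vendored copy against a pinned upstream artifact, and why a minified copy is harder to review), not code from anyone in this thread or from waf or Samba: the snippet below compares an in-tree copy with upstream and reports how much text a reviewer would have to read to see the difference. The sample build script and the `minify` stand-in are constructed for the example; a real check would fetch the artifact for the pinned upstream tag and compare that.

```python
import difflib
import hashlib

# Constructed sample: a tiny readable build script as it might exist upstream.
UPSTREAM_SRC = "\n".join([
    "def configure(ctx):",
    "    ctx.load('compiler_c')",
    "",
    "def build(ctx):",
    "    ctx.program(source='main.c', target='app')",
]) + "\n"

# Constructed sample: the in-tree copy carries one extra line that upstream does not have.
VENDORED_SRC = UPSTREAM_SRC.replace(
    "    ctx.load('compiler_c')\n",
    "    ctx.load('compiler_c')\n    ctx.env.append_value('CFLAGS', '-O2')\n",
)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def minify(src: str) -> str:
    """Stand-in for a minifier (assumption): collapse the file onto one line."""
    return " ".join(line.strip() for line in src.splitlines() if line.strip())


def verify_vendored(vendored: str, upstream: str) -> dict:
    """Compare the in-tree copy with the pinned upstream artifact.

    On a hash match nothing needs review. Otherwise report the number of
    changed lines and the characters a reviewer must read to find the change.
    """
    if sha256(vendored) == sha256(upstream):
        return {"match": True, "changed_lines": 0, "chars_to_review": 0}
    diff = list(difflib.unified_diff(upstream.splitlines(), vendored.splitlines(),
                                     lineterm="", n=0))
    # diff[0:2] are the ---/+++ headers; '@@' hunk markers are skipped below.
    changed = [line for line in diff[2:] if line[0] in "+-"]
    return {"match": False, "changed_lines": len(changed),
            "chars_to_review": sum(len(line) - 1 for line in changed)}


if __name__ == "__main__":
    print("identical:", verify_vendored(UPSTREAM_SRC, UPSTREAM_SRC))
    print("readable :", verify_vendored(VENDORED_SRC, UPSTREAM_SRC))
    print("minified :", verify_vendored(minify(VENDORED_SRC), minify(UPSTREAM_SRC)))
```

With readable source the same one-line difference shows up as one added line; with the minified copies the whole file appears on both sides of the diff, which is the reviewability cost the thread describes.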

@AndresFreundTec there are definitely some people looking at it, but I don't think it's had as much debate as I imagined (e.g. the tar files thing).

And yeah, there are definitely other areas of attack. But part of me thinks even the known-knowns haven't been exhaustively looked at.