
Dmitry Borodaenko

It's ok to summarily block people spreading FUD and conspiracy theories about .

Still accurate.

Context of the day: openwall.com/lists/oss-securit

"openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma."

No, systemd is not the root cause. The root cause is the sorry state of funding FOSS that leaves even core system components crumbling under tech debt.

We already had that conversation after Heartbleed. We still haven't solved it.

www.openwall.com: oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
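The quoted oss-security excerpt describes a transitive dependency chain (sshd links libsystemd for notification support, libsystemd links liblzma), so the practical question for a defender is whether a given sshd actually maps liblzma even though it never links it directly. The following POSIX sh snippet is an added example, not from this thread or from the oss-security post: `needed_libs` extracts the direct DT_NEEDED entries from `readelf -d` output, and `classify_ldd` reads the full load closure from `ldd` output and reports whether liblzma arrives alongside libsystemd. The two sample outputs embedded below are constructed (library paths and load addresses are made up) so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): does this sshd load liblzma, and is
# libsystemd the reason? `readelf -d` shows what a binary asks for directly;
# `ldd` shows everything the dynamic loader will actually map, transitively.

# Print the direct DT_NEEDED library names from `readelf -d` output on stdin.
needed_libs() {
    sed -n 's/.*(NEEDED).*\[\([^]]*\)\].*/\1/p'
}

# Read `ldd` output on stdin and print one classification word:
#   lzma-via-systemd   liblzma and libsystemd are both in the load closure
#   lzma-other-path    liblzma is loaded but libsystemd is not
#   no-lzma            liblzma is not loaded at all
classify_ldd() {
    has_lzma=0
    has_systemd=0
    while read -r line; do
        case "$line" in
            *liblzma.so*)    has_lzma=1 ;;
            *libsystemd.so*) has_systemd=1 ;;
        esac
    done
    if [ "$has_lzma" -eq 1 ] && [ "$has_systemd" -eq 1 ]; then
        echo lzma-via-systemd
    elif [ "$has_lzma" -eq 1 ]; then
        echo lzma-other-path
    else
        echo no-lzma
    fi
}

# Constructed sample: what `readelf -d /usr/sbin/sshd` might print on a distro
# that patched sshd for systemd notification. No liblzma entry: sshd does not
# link it directly, exactly as the quoted post says.
SAMPLE_READELF=' 0x0000000000000001 (NEEDED)             Shared library: [libsystemd.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x1c000'

# Constructed sample: the matching `ldd /usr/sbin/sshd` closure. liblzma is
# present because libsystemd pulls it in.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd3a9f1000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c2e000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c2dc00000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c2d600000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2d200000)'

# Run both checks against a real binary: check_binary /usr/sbin/sshd
check_binary() {
    printf 'direct NEEDED of %s:\n' "$1"
    readelf -d "$1" | needed_libs | sed 's/^/  /'
    printf 'load closure verdict: '
    ldd "$1" | classify_ldd
}

# Demonstration on the constructed samples.
printf 'direct NEEDED (sample):\n'
printf '%s\n' "$SAMPLE_READELF" | needed_libs | sed 's/^/  /'
printf 'load closure verdict (sample): '
printf '%s\n' "$SAMPLE_LDD" | classify_ldd

# Only touch the real sshd when the tools and the binary are actually present.
if [ -x /usr/sbin/sshd ] && command -v ldd >/dev/null 2>&1 && command -v readelf >/dev/null 2>&1; then
    check_binary /usr/sbin/sshd
fi
```

On an unpatched upstream sshd the verdict is `no-lzma`; a verdict of `lzma-via-systemd` on a host with direct NEEDED entries that omit liblzma is the situation the excerpt describes, and the useful follow-up is to record which liblzma build is mapped, not to guess from the sshd package alone.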

@angdraug yes please block me summarily since systemd artificially raises complexity by several magnitudes and the result is this.
It is not "systemd itself" causing the mess but it's down the line systemd caused or brought upon us.
It is extremely hard now to separate or pick security contexts since systemd pulls all in so components interacting with it need to pull 'em all in or die.
It's not good.

@angdraug systemd is not the root cause in this case - it's a problematic component though. luckily it's still possible to run systems without it.

@mxey @angdraug

Which was superseded by OpenSSF, which doesn't replace the purpose at all.

@Foxboron @mxey Indeed. The story of CII and OpenSSF underlines how much this is still not a solved problem.

Tech is a $9T (trillion) per year market with double digit profit margins. And all we got for "core infrastructure" is $4M over 6 years? As in, 0.0000074%?

@angdraug @mxey

OpenSSF writing to the White House about supply chain, and doesn't even mention the problem of paying maintainers?

It's just very, very bad.

@Foxboron @mxey To be fair, paying maintainers is not a problem the government can solve by itself. It doesn't have the money and it doesn't have the leverage to control the private spending by the industry. At best, it can create a system of incentives.

And it should, as it's done with the electronics supply chain and with climate crisis (EVs, renewables). It's a decades long game, and USG is so paralyzed by fascists it can't even fund the easiest political slam dunk in history: Ukraine aid.

@angdraug @mxey

Tax returns if employees can contribute selflessly to FOSS projects.

Literally the easiest thing they can do.

@Foxboron @mxey That actually already exists in the U.S., it's called a 501(c)3 tax-exempt non-profit organization. This is how most donation supported projects operate. And it is nowhere near enough, their combined budgets are still many orders of magnitude below what's required to make free software sustainable.