Sven Slootweg (soft-deprecated) @joepie91@pixie.town
- Future new account
- @joepie91@slightly.tech
- Matrix
- @joepie91:pixie.town
- Pronouns
- they/them, he/him, whatever, it's not like I have any idea either 🙃
In the process of moving to @joepie91. This account will stay active for the foreseeable future! But please also follow the other one.
Technical debt collector and general hype-hater. Early 30s, non-binary, ND, poly, relationship anarchist, generally queer.
- No alt text (request) = no boost.
- Boosts OK for all boostable posts.
- DMs are open.
- Flirting welcome, but be explicit if you want something out of it!
- The devil doesn't need an advocate; no combative arguing in my mentions.
Sometimes horny on main (behind CW), very much into kink (bondage, freeuse, CNC, and other stuff), and believe it or not, very much a submissive bottom :p
My spoons are limited, so I may not always have the energy to respond to messages.
Strong views about abolishing oppression, hierarchy, agency, and self-governance - but I also trust people by default and give them room to grow, unless they give me reason not to. That all also applies to technology and how it's built.
Joined Aug 2019
@mcfly (Which can be a real cost; some developers are going to insist on dubious programming practices, and that means simply not being able to use or distribute their work.)
@mcfly $customer auditing involves everything that is part of the release, so also test files - an eval on anything related to a binary file would definitely be considered something that warrants suspicion and probably rejection.
Like, it's just a general rule of "if it's in the release, it must be explainable and possible to reason about". Google dependencies frequently get rejected because they do not meet this standard...
I think that that one rule alone - "anything that cannot be explained, cannot be accepted" - would prevent most attempts at backdoors, to be honest. At the cost of not tolerating needlessly bad code.
@mcfly I was thinking through whether this code would have made it through the dependency auditing process at $customer, and my conclusion was "no, it would not" - they have a policy that code that we cannot understand will never be approved, and this is basically why that policy exists...
Sven Slootweg (soft-deprecated)
boosted
The fun* part will be figuring out how to prove other stuff hasn't been backdoored. While fighting the cops and spooks who want to be able to backdoor things without us noticing.
Sven Slootweg (soft-deprecated)
boosted
Not the specific library, but the idea that compromising underpaid and burnt out open source maintainers is easier and cheaper than hacking a server.
Sven Slootweg (soft-deprecated)
boosted
Why is there always exactly one lemon in a bag that suddenly decides to become a biohazard.
Sven Slootweg (soft-deprecated)
boosted
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.
Sven Slootweg (soft-deprecated)
boosted
Does everyone understand how much luck was involved in this exploit in #xz being discovered so quickly? And, what it tells us about the attacker?
This was a subtle and sophisticated attack implemented over _years_. The attacker was made a co-maintainer two years ago, and they made numerous innocuous-looking and seemingly unrelated changes over that time, sometimes through a second account, that eventually added up to a backdoor. Along with many innocent commits, too. #Linux
*ponders about how anti-virus software tends to all use the same FOSS archival libraries to quietly and automatically extract untrusted archives for scanning*
@technomancy @alilly My understanding is that the release tarball was easier to work with in some way because it needed less dependencies or something.
The details are unclear to me but I guess the release tarball came with some stuff pre-generated? (Which, uh, yeah)
Sven Slootweg (soft-deprecated)
boosted
Just finished writing my lengthy paper on how "Many eyes make all bugs shallow", time to check what's happening on the internet today
Sven Slootweg (soft-deprecated)
boosted
Yeah, whoever wrote that liblzma backdoor knew what they were doing. This isn't amateur work.
More thoughts on #xz: it seems that the bootstrap code for the backdoor was hiding in difficult-to-understand code. I hope this prompts people to start taking code readability seriously as a security factor.
It's much harder to hide malicious code in code that's easy to understand.
About the #xz backdoor: please do *not* assume that if your SSH server is not affected, you are not affected by it at all.
A lot about this situation is still unclear, but what *is* clear is that this wasn't a drive-by attack - this was clearly a well-prepared long-term engagement, across many commits and messages by potentially multiple accounts.
That makes it very plausible that there are other backdoors that haven't been found yet, and that might affect you under different circumstances.
There's not much you can concretely do about that yet, but you should carefully watch developments around this situation.
Sven Slootweg (soft-deprecated)
boosted
nixos users: tracking issue for the xz exploit rollback is https://github.com/NixOS/nixpkgs/pull/300028
Sven Slootweg (soft-deprecated)
boosted
I could take a "LMAO TOLD YOU SO" approach here but really I'm just sad. I really did enjoy working on the github CLI and the copilot feature violated all the values I tried to bring to that project. It's also a great object lesson in the downfall of GH culture under MSFT.
Sven Slootweg (soft-deprecated)
boosted
I guess the "copilot for github cli" launched. i can't bring myself to look at it but friends tell me it's as unreliable as i predicted.
this is the feature i quit over. i wasn't thrilled in general with working at GH at that point but being told i had no choice but to accept/support shoving copilot into the GitHub CLI is the actual event that pushed me out.
I gave plenty of warning that that was my line in the sand and they crossed it.
Sven Slootweg (soft-deprecated)
boosted
just got back from my month-long trip to the middle of nowhere, can’t wait to update my Fedora system and check out the latest enhancements to my favourite data compression library 💻🐺
Sven Slootweg (soft-deprecated)
boosted
ACAB
"it is a mistake to rush to impose the individual ethical responsibility that the corporate structure deflects. this is the temptation of the ethical which, as žižek has argued, the capitalist system is using in order to protect itself in the wake of the credit crisis — the blame will be put on supposedly pathological individuals, those "abusing the system", rather than on the system itself."
— mark fisher, "capitalist realism: is there no alternative?"
- Future new account
- @joepie91@slightly.tech
- Matrix
- @joepie91:pixie.town
- Pronouns
- they/them, he/him, whatever, it's not like I have any idea either 🙃
In the process of moving to @joepie91. This account will stay active for the foreseeable future! But please also follow the other one.
Technical debt collector and general hype-hater. Early 30s, non-binary, ND, poly, relationship anarchist, generally queer.
- No alt text (request) = no boost.
- Boosts OK for all boostable posts.
- DMs are open.
- Flirting welcome, but be explicit if you want something out of it!
- The devil doesn't need an advocate; no combative arguing in my mentions.
Sometimes horny on main (behind CW), very much into kink (bondage, freeuse, CNC, and other stuff), and believe it or not, very much a submissive bottom :p
My spoons are limited, so I may not always have the energy to respond to messages.
Strong views about abolishing oppression, hierarchy, agency, and self-governance - but I also trust people by default and give them room to grow, unless they give me reason not to. That all also applies to technology and how it's built.
Joined Aug 2019
