Sven Slootweg (soft-deprecated) @joepie91@pixie.town
- Future new account
- @joepie91@slightly.tech
- Matrix
- @joepie91:pixie.town
- Pronouns
- they/them, he/him, whatever, it's not like I have any idea either 🙃
In the process of moving to @joepie91. This account will stay active for the foreseeable future! But please also follow the other one.
Technical debt collector and general hype-hater. Early 30s, non-binary, ND, poly, relationship anarchist, generally queer.
- No alt text (request) = no boost.
- Boosts OK for all boostable posts.
- DMs are open.
- Flirting welcome, but be explicit if you want something out of it!
- The devil doesn't need an advocate; no combative arguing in my mentions.
Sometimes horny on main (behind CW), very much into kink (bondage, freeuse, CNC, and other stuff), and believe it or not, very much a submissive bottom :p
My spoons are limited, so I may not always have the energy to respond to messages.
Strong views about abolishing oppression, hierarchy, agency, and self-governance - but I also trust people by default and give them room to grow, unless they give me reason not to. That all also applies to technology and how it's built.
Joined Aug 2019
xz
@eater xz is a part of *the build process itself* in many cases - extracting source archives, that sort of thing. So it could have affected the source of other applications at any point in that process, in a way that's impossible to trace back.
So anything that has come into contact with xz at any point in its build or distribution process, while this new maintainer was involved, is now suspect. That's... a double-digit percentage of packages on a typical system, I suspect.
xz, gloating
@syn Yes, but not for the specific purpose of knowing what packages to rebuild if a backdoor were ever discovered
Sven Slootweg (soft-deprecated)
boosted
1am infodumping about optical fibers is completely normal and neurotypical, innit?
politiek
@WH Tja. Zo iemand hadden we dus min of meer, in Sylvana Simons, maar dat is geen witte vrouw die voor gevestigde belangen opkomt, en dus werd die in de media en publieke opinie geheel kapot gemaakt.
Deze tactiek werkt alleen maar op deze schaal als je je privileges al mee hebt en niet te ver van de gevestigde orde afligt. Wel radicaal klinken maar vooral niet radicaal zijn, zeg maar.
xz, gloating
@syn (It's kind of hard to classify these things because Nix is in a category of software where "benefits we didn't anticipate" are expected as a category, it's just not known which benefits they will be)
xz, gloating
@syn Yes, though arguably an accidental one, sort of - it's not really what the dependency system was *designed* for afaik, just a consequence of the design choices
xz
It occurs to me that a lot of distros probably have a lot of already-built packages that involved one of the suspicious xz versions in their build process, and I don't know that they all have the tooling to track which packages need to be rebuilt...
Do you want to stop "supply chain compromises" as a company? Here's a very simple way to do so: pay a stipend to a maintainer of something you depend on.
You don't really need dependency tracking tools. You don't need to exactly parcel out the 'right' proportionate amount of money to every maintainer. All of that operational complexity is unnecessary.
It doesn't even matter *which* maintainer you pick, as long as it's one who isn't receiving a stipend yet, and you pay them enough to constitute a salary.
It will cost you exactly one developer salary. If every able company does this, the problem of supply chain compromises is solved tomorrow.
All you need to do is simply *do it*, and talk about it so that other companies will too.
Sven Slootweg (soft-deprecated)
boosted
My heart goes out to xz. A single maintainer, who was clearly in a rough place with mental health, screaming out to the world for some help and additional contributions, and somebody shows up wanting to help. Could you imagine how happy that maintainer was? They were no longer alone.
And it turns out the only reason somebody wanted to help them was nefarious. I can’t imagine how they feel right now as everyone is blaming them. I hope they’re ok.
And it turns out the only reason somebody wanted to help them was nefarious. I can’t imagine how they feel right now as everyone is blaming them. I hope they’re ok.
Sven Slootweg (soft-deprecated)
boosted
@aral Quite by accident, I have found that some managers respond to describing quality checks and safety inspections as 'the paperwork that keeps the CTO out of prison' can change attitudes in several layers in the company in one go. Most project managers seem to realise that if the CTO is going to be incarcerated, they are going down with them.
@hierarchon @iliana Oh yeah, I don't doubt that there are edgecases where this *would* have helped. There are some of those for most things.
What bothers me more is the outsized importance that people tend to place on it - for a while, everybody and their dog was talking loudly about how post-install scripts should be disallowed, as if that will solve all the dependency security issues overnight...
@noplasticshower@zirk.us @swelljoe (I get paid for auditing open-source dependencies, actually)
@hierarchon @iliana Thought in a similar vein: it makes no sense to get all suspicious about post-install scripts in a package manager; the purpose of the package manager is literally *to install software. That will run on the system.*
The malicious code could be anywhere, whether you allow post-install scripts or not really isn't going to matter...
Sven Slootweg (soft-deprecated)
boosted
most of my personal reactions to the xz thing today have been "this is almost the perfect crime and it's incredible it was caught this early"
@mcfly (Which can be a real cost; some developers are going to insist on dubious programming practices, and that means simply not being able to use or distribute their work.)
@mcfly $customer auditing involves everything that is part of the release, so also test files - an eval on anything related to a binary file would definitely be considered something that warrants suspicion and probably rejection.
Like, it's just a general rule of "if it's in the release, it must be explainable and possible to reason about". Google dependencies frequently get rejected because they do not meet this standard...
I think that that one rule alone - "anything that cannot be explained, cannot be accepted" - would prevent most attempts at backdoors, to be honest. At the cost of not tolerating needlessly bad code.
@mcfly I was thinking through whether this code would have made it through the dependency auditing process at $customer, and my conclusion was "no, it would not" - they have a policy that code that we cannot understand will never be approved, and this is basically why that policy exists...
Sven Slootweg (soft-deprecated)
boosted
The fun* part will be figuring out how to prove other stuff hasn't been backdoored. While fighting the cops and spooks who want to be able to backdoor things without us noticing.
Sven Slootweg (soft-deprecated)
boosted
Not the specific library, but the idea that compromising underpaid and burnt out open source maintainers is easier and cheaper than hacking a server.
Sven Slootweg (soft-deprecated)
boosted
Why is there always exactly one lemon in a bag that suddenly decides to become a biohazard.
- Future new account
- @joepie91@slightly.tech
- Matrix
- @joepie91:pixie.town
- Pronouns
- they/them, he/him, whatever, it's not like I have any idea either 🙃
In the process of moving to @joepie91. This account will stay active for the foreseeable future! But please also follow the other one.
Technical debt collector and general hype-hater. Early 30s, non-binary, ND, poly, relationship anarchist, generally queer.
- No alt text (request) = no boost.
- Boosts OK for all boostable posts.
- DMs are open.
- Flirting welcome, but be explicit if you want something out of it!
- The devil doesn't need an advocate; no combative arguing in my mentions.
Sometimes horny on main (behind CW), very much into kink (bondage, freeuse, CNC, and other stuff), and believe it or not, very much a submissive bottom :p
My spoons are limited, so I may not always have the energy to respond to messages.
Strong views about abolishing oppression, hierarchy, agency, and self-governance - but I also trust people by default and give them room to grow, unless they give me reason not to. That all also applies to technology and how it's built.
Joined Aug 2019
