Sven Slootweg @joepie91@pixie.town
- Website
- http://cryto.net/~joepie91/
- Matrix
- @joepie91:pixie.town
- Pronouns
- they/them, he/him, whatever, it's not like I have any idea either 🙃
Technical debt collector and general hype-hater. Early 30s, non-binary, ND, poly, relationship anarchist, generally queer.
- No alt text (request) = no boost.
- Boosts OK for all boostable posts.
- DMs are open.
- Flirting welcome, but be explicit if you want something out of it!
- The devil doesn't need an advocate; no combative arguing in my mentions.
Sometimes horny on main (behind CW), very much into kink (bondage, freeuse, CNC, and other stuff), and believe it or not, very much a submissive bottom :p
My spoons are limited, so I may not always have the energy to respond to messages.
Strong views about abolishing oppression, hierarchy, agency, and self-governance - but I also trust people by default and give them room to grow, unless they give me reason not to. That all also applies to technology and how it's built.
Joined Aug 2019
Do you want to stop "supply chain compromises" as a company? Here's a very simple way to do so: pay a stipend to a maintainer of something you depend on.
You don't really need dependency tracking tools. You don't need to exactly parcel out the 'right' proportionate amount of money to every maintainer. All of that operational complexity is unnecessary.
It doesn't even matter *which* maintainer you pick, as long as it's one who isn't receiving a stipend yet, and you pay them enough to constitute a salary.
It will cost you exactly one developer salary. If every able company does this, the problem of supply chain compromises is solved tomorrow.
All you need to do is simply *do it*, and talk about it so that other companies will too.
Sven Slootweg
boosted
My heart goes out to xz. A single maintainer, who was clearly in a rough place with mental health, screaming out to the world for some help and additional contributions, and somebody shows up wanting to help. Could you imagine how happy that maintainer was? They were no longer alone.
And it turns out the only reason somebody wanted to help them was nefarious. I can’t imagine how they feel right now as everyone is blaming them. I hope they’re ok.
And it turns out the only reason somebody wanted to help them was nefarious. I can’t imagine how they feel right now as everyone is blaming them. I hope they’re ok.
Sven Slootweg
boosted
@aral Quite by accident, I have found that some managers respond to describing quality checks and safety inspections as 'the paperwork that keeps the CTO out of prison' can change attitudes in several layers in the company in one go. Most project managers seem to realise that if the CTO is going to be incarcerated, they are going down with them.
@hierarchon @iliana Oh yeah, I don't doubt that there are edgecases where this *would* have helped. There are some of those for most things.
What bothers me more is the outsized importance that people tend to place on it - for a while, everybody and their dog was talking loudly about how post-install scripts should be disallowed, as if that will solve all the dependency security issues overnight...
@noplasticshower@zirk.us @swelljoe (I get paid for auditing open-source dependencies, actually)
@hierarchon @iliana Thought in a similar vein: it makes no sense to get all suspicious about post-install scripts in a package manager; the purpose of the package manager is literally *to install software. That will run on the system.*
The malicious code could be anywhere, whether you allow post-install scripts or not really isn't going to matter...
Sven Slootweg
boosted
most of my personal reactions to the xz thing today have been "this is almost the perfect crime and it's incredible it was caught this early"
@mcfly (Which can be a real cost; some developers are going to insist on dubious programming practices, and that means simply not being able to use or distribute their work.)
@mcfly $customer auditing involves everything that is part of the release, so also test files - an eval on anything related to a binary file would definitely be considered something that warrants suspicion and probably rejection.
Like, it's just a general rule of "if it's in the release, it must be explainable and possible to reason about". Google dependencies frequently get rejected because they do not meet this standard...
I think that that one rule alone - "anything that cannot be explained, cannot be accepted" - would prevent most attempts at backdoors, to be honest. At the cost of not tolerating needlessly bad code.
@mcfly I was thinking through whether this code would have made it through the dependency auditing process at $customer, and my conclusion was "no, it would not" - they have a policy that code that we cannot understand will never be approved, and this is basically why that policy exists...
Sven Slootweg
boosted
The fun* part will be figuring out how to prove other stuff hasn't been backdoored. While fighting the cops and spooks who want to be able to backdoor things without us noticing.
Sven Slootweg
boosted
Not the specific library, but the idea that compromising underpaid and burnt out open source maintainers is easier and cheaper than hacking a server.
Sven Slootweg
boosted
Why is there always exactly one lemon in a bag that suddenly decides to become a biohazard.
Sven Slootweg
boosted
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.
Sven Slootweg
boosted
Does everyone understand how much luck was involved in this exploit in #xz being discovered so quickly? And, what it tells us about the attacker?
This was a subtle and sophisticated attack implemented over _years_. The attacker was made a co-maintainer two years ago, and they made numerous innocuous-looking and seemingly unrelated changes over that time, sometimes through a second account, that eventually added up to a backdoor. Along with many innocent commits, too. #Linux
*ponders about how anti-virus software tends to all use the same FOSS archival libraries to quietly and automatically extract untrusted archives for scanning*
@technomancy @alilly My understanding is that the release tarball was easier to work with in some way because it needed less dependencies or something.
The details are unclear to me but I guess the release tarball came with some stuff pre-generated? (Which, uh, yeah)
Sven Slootweg
boosted
Just finished writing my lengthy paper on how "Many eyes make all bugs shallow", time to check what's happening on the internet today
Sven Slootweg
boosted
Yeah, whoever wrote that liblzma backdoor knew what they were doing. This isn't amateur work.
- Website
- http://cryto.net/~joepie91/
- Matrix
- @joepie91:pixie.town
- Pronouns
- they/them, he/him, whatever, it's not like I have any idea either 🙃
Technical debt collector and general hype-hater. Early 30s, non-binary, ND, poly, relationship anarchist, generally queer.
- No alt text (request) = no boost.
- Boosts OK for all boostable posts.
- DMs are open.
- Flirting welcome, but be explicit if you want something out of it!
- The devil doesn't need an advocate; no combative arguing in my mentions.
Sometimes horny on main (behind CW), very much into kink (bondage, freeuse, CNC, and other stuff), and believe it or not, very much a submissive bottom :p
My spoons are limited, so I may not always have the energy to respond to messages.
Strong views about abolishing oppression, hierarchy, agency, and self-governance - but I also trust people by default and give them room to grow, unless they give me reason not to. That all also applies to technology and how it's built.
Joined Aug 2019
