
Really what we need is Universal Basic Income.

But if our governments want to secure the software supply chain, developers need to be paid for their time, as do contributors, and their support folks.

You cannot quantify all of the work, and sometimes those dependencies do not change for years. So much like with support, a stipend is needed.

It's insurance really.

But I'd prefer UBI.

thankfully not friends with people like the second one anymore but yeah this tracks lol

@freakazoid I think that under current circumstances, this is a very risky thing to propose - it is likely going to lead to "good governance" being defined by business goals, i.e. "has an institutional structure" (with all of the bias towards privileged folks that that implies).

Letting this kind of situation emerge naturally by consistently funding maintainers is an approach that's much less likely to translate into unwanted second-order effects, IMO.

tech, xz fallout, open source sustainability

people who love what they are doing so much that they are doing it for free in their free time instead of resting or having fun or making money or spending time with people they love, despite corporate bullshit, despite shitty laws, despite shitty attacks on them, despite LLM spam, despite ungrateful jerks, despite mental and physical issues.

I don't know peeps but I think this "capitalism" thing doesn't deliver somehow

The thing that I think annoys me the most about the whole xz thing is all the hand wringing about “software supply chain”. We are not your supply chain. If any other industry had a supply chain wherein every single link said “no warranty either express or implied” in big block caps they’d shit themselves. Yes I think folks maintaining critical parts of the system should be looked after but also maybe we should all just lower our expectations a bit?

If "boiling the oceans to run the server farms" isn't number one on your "existential risks to humanity posed by AI" then you can stop talking about existential risks to humanity forever thanks

To get ahead of the predictable marketing pitches from capitalist vultures:

No, automated vulnerability detection and "AI" will *not* solve 'supply chain problems' and especially not backdoors like the xz one. The technology is incapable of doing that, on a very fundamental level.

Anyone trying to sell you on automated stuff as the solution, is lying to your face and trying to scam you.

@trysdyn @vyr I'm actually quite concerned about the second-order effects that this incident is going to have in the current discourse climate...

@vyr There were people trying to reach maintainers with ye olde "What's the status of this??" 20min after the news hit oss-sec.

You know the kind. Meatsona in a polo avatar, talking about supply chains and audits and critical business need to someone who objectively has not a single reason to care.

@trysdyn the other takeaway for today is that if you're a project maintainer, you can get a foreign intelligence agency to do a bunch of scutwork for you on their dime, provided you catch the exploit when it comes

@etherbloom @lunabee @iliana All the while, somewhat ironically, Github is almost certainly depending on xz too (and so could have just paid the maintainer a salary)

"what did we learn today?"

if you're going to backdoor your own software and your repo is on github, you should have a public mirror elsewhere because github will just disable your repo without understanding the consequences

"what?"

what?

@iliana I would not at all be surprised if it were due to something like a national security letter, in this case

pretty interesting that github has only one hammer to respond to incidents like this and it's "block access to the repository so that nobody can see the source code history" apparently

(if i'm being generous, this might be to prevent dogpiling. but it sure does make all the commit references in the oss-security email this morning useless)

After seeing how the XZ maintainer's burnout and mental health decline was exploited to the potential detriment of the whole world, we're totally going to be supporting our developers more, right guys? We're totally going to fund critical OSS and pay maintainers enough to hire on other maintainers to take the burden off of them and reduce burnout, right? Right?

Inevitably, a vuln caused by maintainer burnout and under-resourcing is going to spark more arguments about how to pay maintainers (hopefully sustainably).

As a former maintainer, things I would have liked to consider working on projects full-time include:
- a steady paycheque in line with industry salaries
- guaranteed for at least 2 years of employment
- with healthcare & other benefits
- and I can't be the only maintainer.

One thing that the xz compromise also shows: simply having more eyes on something doesn't make things inherently more secure.

Multiple distributions pulled the vulnerable xz updates. I doubt anyone really vetted the changes. I don’t blame distribution maintainers for that, they do a lot of work typically for free. But a lot of people have bought into the idea that getting your packages through a distro’s official channels somehow makes you safer. It probably helps with unexpected issues due to misaligned dependencies, but it does little for attacks like these.

In truth we got lucky that one person noticed some odd behaviour and decided to investigate.

@tomasekeli The toot is deliberately simplified; the unstated context is "... within the trust model that corporations typically operate in" (which is based on reputation and popularity, and that is where 'insufficiently supported maintainers' are the #1 risk factor).

There are other types of supply chain compromises, but they are often effectively prevented by existing mechanisms already; it's specifically this one that is near-completely immune to those mechanisms.

also in general if your advice to the average server owner is “audit every piece of every piece of code you’ll ever run” then it seems very possible you’ve lost your sense of scale and perspective

Pixietown

Small server part of the pixie.town infrastructure. Registration is closed.