Reading about this xz backdoor story from the outside as a person who is still learning much about the technical ins and outs, but as a psychologist it is just overwhelming to imagine a maintainer in this position and all of the feelings of pressure and skill based identity and social isolation that must be involved.

Imho psychology has a duty to show up for technology practitioners and work for them just like we see and work for the well-being of emergency workers, healthcare providers.

@grimalkina Worse, what's apparently going down in the community already again.

The original maintainer was apparently on a vacation and got this all dropped on them after years of basically thankless work… and then a social engineering attack including sockpuppets making pressure to have more maintainers on the project.

It's a sad, damning state of affairs about the psychological health of OSS maintenance.

From: @mmeier
https://social.mei-home.net/@mmeier/112185416457113560


@[email protected] Yeah. I just saw somebody complaining about the fact that the original maintainer, being on vacation at the moment and still having made a commit or two, hasn't set up commit signing yet, and that that should really be the first thing on said maintainer's mind right now. That really switched me from yesterday's "Hey, I think this was overall handled pretty nicely" straight back to pessimism.

@Sevoris @grimalkina @mmeier exactly - seems like this was primarily a psychological exploit designed to target a vulnerable individual - I feel terrible for them

@mrcompletely @grimalkina @mmeier worse, to me it seems like there were compounding failures here.

The attacker tried to get his malicious code past an OSS fuzzer system by arguing with a 2015 bug that hadn't been resolved in 2023…

But is it surprising this "small fish" doesn't get fished when people are under pressure and underpaid? Where do you take the psychological security to treat small issues significantly?

From: @Sevoris
https://mastodon.social/@Sevoris/112183791413962910

@mrcompletely @grimalkina @mmeier nothing in the exploit chain to me screams "that one big fish". It was a dozen tiny failures that almost enabled this.

Safety engineers would probably have a field day arguing that this is precisely how systems fail, ultimately: tiny individual problems that "line up the holes".

But where do you take the psychological health and energy from to address all of that? There's so many tiny issues everywhere…

@Sevoris @grimalkina @mmeier insightful. My experience as an engineering manager with some big legacy codebases that are potential targets is that in a normal, well-run system, minimally two but really three holes have to align to cause a significant failure, which is a kind of safety culture adage going back to NASA at least. In an even more carefully secured system, the number of holes required to be in conjunction goes up; but as you're pointing out, the number of small holes is very large.
@Sevoris @mrcompletely @mmeier "how can we help people recover and heal once they have been at the center of something like this" feels like a very important and immediate question and yet so often left out

@grimalkina @Sevoris @mrcompletely @mmeier

Trauma-informed maintainer support ❤️❤️❤️

@grimalkina @Sevoris @mmeier bless you for making this kind of thing your work. I've been in this field for a long time, and while I think a lot of the reason I've gotten pretty far ahead is that I'm often the one-eyed person in the kingdom of the blind when it comes to emotional intelligence - until this most recent generation of coders, maybe - it's always been kind of a lonely trip, with few peers and NO bosses who really understand and value an empathetic, human-centered view.
@mrcompletely @Sevoris @mmeier I can imagine that's been really lonely but really important. It's people like you that I try most to learn from and amplify as we can with the expertise we have access to. Bridges needed for us all. 🙏
@grimalkina @Sevoris @mmeier I feel like the industry is bifurcating in this regard. Many companies are doubling down on heartless, quantified, impersonal management, while overall, and particularly at the worker peer level - again, imo mostly due to the under-30ish contingent, whom I largely adore - the culture is getting healthier, wiser, more caring. A strange situation that seems destined for a chaotic phase transition of some kind.