The abusive behavior that was being used to manipulate Lasse Collin into bringing on more maintainers for #xz went unnoticed because abusive behavior in Open Source communities is so pervasive. In context, we can clearly see it was part of an orchestrated operation. Out of context, it looks like just another asshole complaining about stuff they have no right to complain about. https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
A Microcosm of the interactions in Open Source projects | RobMensching.com

This is a classic technique, used by cops and spooks worldwide. Good cop, bad cop. Cause pain (emotional or otherwise) to break the subject down, then provide a path that removes the pain, if the target just does what you want them to do...just this one little thing, and all the pain goes away. Insidious stuff, but especially here. A volunteer who's been doing this critical work for over a decade unpaid, targeted because of the criticality of the work and because it was done by a lone volunteer.
@swelljoe
"First pressure, then the reward. The friendship" - direct quote describing first a Russian spy, then a British one, from here:
https://youtu.be/NRdgPzYbvWo?si=zRXGY6b09UnJEjQ3
Smiley's People - The turning of Grigoriev

@swelljoe sadly, your assessment is true and not an easy jump to conclusions like people do by just looking at a specific username...

I wish you were wrong tho - for the benefit of everyone...

@swelljoe the "off list" remark makes me think it was part of the attack. Why help off list? Helping on the mailing list will give future people access to the same help and it builds reputation. Pretending work is being done off list is an easy way to gain trust.

Also yeah, hindsight helps

@swelljoe So these are potential targets for zero days or places where zero days might be inserted? I could see the bitchy/snarky comments being a script to get someone to say "screw off, you do it."
@James in this case "Jia Tan" who volunteered to "help" around the same time as all the complaining was happening made a bunch of mostly legitimate commits, but also eventually built in a backdoor. It was quite well-hidden, and passed through most of the checks that might catch sloppier or less well-planned attacks (the `ifunc` patch was clearly to provide a plausible excuse for disabling sanitizers). They spent almost two years taking more control of the project and inserting the backdoor.
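The post above mentions the `ifunc` patch as the pretext for turning off sanitizers. Below is an added illustration (not code from the thread or from xz) of what a GNU ifunc is and why it sits so early in program startup: the resolver is called by the dynamic loader while relocations are being applied, before `main()` and before a sanitizer runtime would have set itself up, which is the usual reason projects turn ifunc off in sanitizer builds. The checksum, the two implementations and the dispatch rule are all made up for the example; it assumes Linux/ELF with glibc and GCC or Clang, since ifunc is not available elsewhere.

```c
/* Added example, not from the thread or the xz project.
   Assumes Linux/ELF, glibc and GCC or Clang (ifunc support). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static int resolver_calls = 0;      /* how many times the loader ran the resolver */
static const char *chosen = "none"; /* which implementation it selected */

/* Two interchangeable implementations of a toy checksum (Fletcher-16).
   In a real library these would be a portable routine and a CPU-specific one. */
static uint16_t sum_portable(const unsigned char *p, size_t n) {
    uint16_t a = 0, b = 0;
    for (size_t i = 0; i < n; i++) {
        a = (uint16_t)((a + p[i]) % 255);
        b = (uint16_t)((b + a) % 255);
    }
    return (uint16_t)((b << 8) | a);
}

static uint16_t sum_unrolled(const unsigned char *p, size_t n) {
    uint32_t a = 0, b = 0;
    size_t i = 0;
    for (; i + 2 <= n; i += 2) {       /* two bytes per iteration, deferred modulo */
        a += p[i];     b += a;
        a += p[i + 1]; b += a;
        a %= 255;      b %= 255;
    }
    for (; i < n; i++) {               /* tail byte, if any */
        a = (a + p[i]) % 255;
        b = (b + a) % 255;
    }
    return (uint16_t)((b << 8) | a);
}

/* The ifunc resolver. The dynamic loader calls it while processing the
   executable's IRELATIVE relocations, i.e. before main() and before any
   instrumentation runtime is initialised, so it must be plain, self-contained
   code. Real resolvers branch on CPUID/hwcaps; this one branches on a
   compile-time property purely to show the dispatch. */
static void *resolve_checksum(void) {
    resolver_calls++;
    if (sizeof(void *) >= 8) {
        chosen = "unrolled";
        return (void *)sum_unrolled;
    }
    chosen = "portable";
    return (void *)sum_portable;
}

/* The public symbol: bound by the loader to whatever resolve_checksum() returned. */
uint16_t checksum(const unsigned char *p, size_t n)
    __attribute__((ifunc("resolve_checksum")));

int resolver_call_count(void) { return resolver_calls; }
const char *chosen_impl(void) { return chosen; }

int main(void) {
    static const unsigned char msg[] = "abcde"; /* constructed sample input */
    printf("checksum(\"abcde\") = 0x%04x via %s (resolver ran %d time(s))\n",
           checksum(msg, 5), chosen_impl(), resolver_call_count());
    return 0;
}
```

Build with `gcc -O2 ifunc_demo.c -o ifunc_demo` and run it; the resolver has already executed once by the time `main()` prints, which is the property that makes an ifunc resolver an attractive place to put code that must run whenever the library is loaded, and also why sanitizer instrumentation inside one is unsafe.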
@swelljoe @James i couldn't help but think "the NSA is getting desperate"
@lritter @James that's not NSA tactics. I'm not saying the US government doesn't spy or compromise security, just that they have so much more capability and are limited by law in how directly they can be involved in stuff like this. This feels more like Russia (or one of their eastern European friends), China, or North Korea. And it doesn't have to be a state...it seems likely someone was paid for it, since it was so long in the making, but we can't even know that based on what's public so far.
@swelljoe thank you for sharing that.
That's sad 😞
@swelljoe This feels like the inflection point where open source has lost its innocence.
@philtor that happened when tech companies built themselves into the biggest and most powerful organizations in the world by exploiting the commons and used it for surveillance. But, this is pretty bad, too. I'm shook about it, thinking back on the countless interactions with assholes in the communities I'm involved in. Were they just a regular asshole or were they part of an operation? Hard to know, but my tolerance for assholes going forward will be much lower. I'm charging up my banhammer.
@swelljoe @philtor big and powerful tech companies seem to understand better than most "if you don't pay for it, there's no guarantees". I've personally seen at least some open source funding make the budget by the reasoning of "an unfunded project that we rely on is a security vulnerability". one problem tho is they're still squeamish about individuals vs "foundations"
@dango_ @philtor sure, they hire OSS developers and they donate a little money. But, we're less free in many ways than we were when the free software movement began, tied into all these surveillance systems with no realistic way to opt out. I can't work without allowing Google into my daily life, for instance. Google is far more effective at the surveillance game than whatever state (or whoever) funded this attack.

@swelljoe @dango_ @philtor I do keep Google's servers all the way out of my life, since I have the option to do so. I don't shop online and so can get away with treating most of the commercial/monetized Internet as broken.

If someplace cannot be found without say, Google Maps, I will not attempt to go there. Same with Snitchbook and Instacrap: no accounts and their servers blocked.

@swelljoe yeah, I guess what I mean by 'innocence' here is that there's a level of trust we tended to have in a lot of OSS communities that we can't have anymore. We have to be much more guarded now in the wake of this event. We might even need things like background checks before people can contribute to certain projects
@philtor @swelljoe I can't imagine that adding more roadblocks to contributing to open source will solve the problem of not enough open source contributors.
@swelljoe
Isn't this exactly how Red Hat kneecaps every alternative to Systemd and every aspect of that bloatware?
The community is HUNGRY! DEMANDING!
@swelljoe
Lol. I wrote this even before knowing that this vuln was caused by a kludge to make SSHD work with #systemd authentication and targets that.
I'm sure the systemd maintainers have a great corporate excuse for why it's not any of their fault.

@swelljoe Wow, that's disheartening to read.

And by pure coincidence the first user in that thread makes a comeback to the devel list in March 2024 and enquires what it would take to start contributing.

https://www.mail-archive.com/xz-devel@tukaani.org/msg00669.html

Re: [xz-devel] [BUG] Issue with xz-java: Unknown Filter ID

@swelljoe Holy motherforking shirt balls! That's just so appalling. So many of those peoples should be ashamed of themselves.

@swelljoe Now that this is public there are going to be copycats now.

This kind of utility should have been sandboxed in a snap or Flatpak.

Ubuntu's snaps are unfortunately looking kind of good right now.

@Sibshops I would be stunned if this is the first. This has been a known attack vector for some time (Poul-Henning Kamp did a talk on it more than a decade ago, and many others have written about it). This just happens to be one that was discovered and captured a lot of attention for a variety of reasons. Sometimes it's caught in code review of a PR, and since it is always designed to look like an innocent mistake, it might not raise any alarms even if it didn't succeed.
@Sibshops other times it isn't caught and gets deployed for months or years. This one is clearly intentional, but it's only clear after analysis of the totality of the attacker's commits. Any one looked pretty harmless. Also, I suspect there's a lot of this in proprietary software that we'll never know about. Getting past one code reviewer and some automated tests in a company is a lot easier than getting past everyone in the world who might want to have a look. At least in the long term.
@swelljoe @Sibshops The ONE defense against this does in fact require access to source code: audit or potential audit by mutually opposing parties that hate each other too much to conspire to hide something
@swelljoe Really gross but I can see how this could play out the same way every day in hundreds of projects, the vitriol that some os projects get from users is awful, so it doesn't even seem like it would be out of place or raise eyebrows

@swelljoe

I recognize this behavior from users that I used to have when I ran several free online services a couple of years back.
Or even just from helping out projects by maintaining servers and infrastructure for free.

It is sad

@swelljoe I am worried that this now leads to more problems for 'Lone Wolf' projects. People won't let other people in because of fear, burning out sooner.

What we need is actually the contrary. More eyes looking at code. Put the burden on more shoulders. Let other committers in *early* in a project lifecycle. I presume that *most* people don't have ill intent. Even if something bad happens it can be found and fixed *when enough people are looking at the code*.

@cehteh I mean, nothing is good about this situation. We were reminded of lots of worrying things about the OSS ecosystem.

I don't think it's anything new, though. I mean, we didn't learn about this vector of attack from this event, we knew it was possible (likely, inevitable, even). And, we're kind of preaching to the choir in saying this isn't a sustainable or healthy way to make software. But, the solutions require sustained support at a scale that's not possible for small projects.

@cehteh you're absolutely right that becoming more insular and closed off to outside contributions isn't the solution. But, having to be ever vigilant against hostile actors adds to the stress of the already mostly thankless job of maintaining software on a shoestring for years.
@swelljoe wouldn't the right thing to do, if there are patches but the maintainer(s) can't include them right now, be to fork the project?

@Variety "the right thing" is situational. But, forking _is_ one of the rights one has as an Open Source user, while heaping abuse on the lone volunteer maintainer isn't.

And, in this case, if the maintainer had felt empowered to say, "I'll get to it when I can, if you can't wait, fork off." maybe this would have been prevented. But, that's not actually what people who threaten to fork want. If they were capable and really needed it for their own work, they'd just do it and merge back later.

@swelljoe This is so spot-on!
Thanks!