my only contribution to the xz discourse:

absolutely none of the supply chain stuff we're currently doing, including the things i like, would have stopped this. the only things that can stop this are (1) compulsively treating all code as untrusted, and (2) way, way stronger capability checks and restrictions in running systems. (1) is economically infeasible (the world runs on free labor from OSS), and (2) has had only very limited practical success.

@yossarian That's not entirely true. The anti-bullying efforts that many, although not yet enough, free software projects have been deploying would have had a chance of mitigating the fake-social-pressure-to-admit-malevolent-code parts of the attack.