Reading about this xz backdoor story from the outside as a person who is still learning much about the technical ins and outs, but as a psychologist it is just overwhelming to imagine a maintainer in this position and all of the feelings of pressure and skill based identity and social isolation that must be involved.
Imho psychology has a duty to show up for technology practitioners and work for them just like we see and work for the well-being of emergency workers, healthcare providers.
@grimalkina Really appreciate you doing this work.
Here's a question I think about a lot: What's the rate of occupational burnout in software engineering?
Is it more common than in similar professions? Do we talk about it more?
Amongst my circles it sometimes feels omnipresent but I have no idea if that's "real" or just an artifact of who I happen to know. I don't know if anyone's even done surveys on the topic.
The continued resilience of the RIPE community during the COVID-19 pandemic has helped the Internet keep running. This hasn't been easy, but we're in it together! Vesna Manojlovic draws a parallel between universal human needs and OSI model networking abstraction layers.
This is my life right now
@grimalkina Thanks for this. I've been an Open Source maintainer for a major project, I had my project attacked, and I did burn out doing so from community abuse, so I sadly speak with a tiny bit of experience, along with my overall experience as a software engineer and technical executive.
(1/n)
@grimalkina
A difficulty with software work is that it begins by dealing with code and it evolves into dealing with people. For professional work, that tends to happen at milestones that are more or less predictable, i.e. promotions.
For Open Source, the timing of that transition is unpredictable and uncontrollable. The worst that can happen is to have no users, because the efforts go to waste, but the worst that can happen is to have users, because now you have to deal with them.
(2/n)
@grimalkina Another very messy aspect of Open Source is related to time-frames and people's priorities. Open Source licenses are forever, but people's involvement is not, at least not automatically.
Chances are, original authors of Open Source want to do good, and they express that by releasing code. Over time, though, it's not about code, it's about people, which becomes a potentially toxic situation. However, the underlying desire to do good keeps maintainers from saying "no".
(3/n)
@grimalkina That has me wondering, should Open Source leaders set better expectations that authorship of code and stewardship of a successful Open Source project are two very different roles, that require different skills, such that people who did the first part well might not be ready for the second part?
In turn, should we work to recruit people who are good at the second part, even if the first part isn't as interesting to them?
(4/n)
@grimalkina I'll be happy to discuss that a lot more in private, if you'd like to hear from my experiences.
(5/5)
@grimalkina Worse, what‘s apparently going down in the community already again.
The original maintainer was apparently on a vacation and got this all dropped on them after years of basically thankless work… and then a social engineering attack including sockpuppets making pressure to have more maintainers on the project.
It‘s a sad, damning state of affairs about the psychological health of OSS maintenance.
From: @mmeier
https://social.mei-home.net/@mmeier/112185416457113560
@[email protected] Yeah. I just saw somebody complaining about the fact that the original maintainer, being on vacation at the moment and still having made a commit or two, hasn't set up commit signing yet, and that that should really be the first thing on said maintainer's mind right now. That really switched me from yesterday's "Hey, I think this was overall handled pretty nicely" straight back to pessimism.
@mrcompletely @grimalkina @mmeier worse, to me it seems like there were compounding failures here.
The attacker tried to get his malicious code past an OSS fuzzer system by argueing with a 2015 bug that hadn‘t been resolved in 2023…
But is it surprising this "small fish" doesn‘t get fished when people are under pressure and underpaid? Where do you take the psychological security to treat small issues significantly?
From: @Sevoris
https://mastodon.social/@Sevoris/112183791413962910
@mrcompletely @grimalkina @mmeier nothing in the exploit chain to me screams "that one big fish". It was a dozen tiny failures that almost enabled this.
Safety engineers would probably have a field day argueing that this is precisely how systems fail, ultimately- tiny individual problems that "lign up the holes".
But where do you take the psychological health and energy from to address all of that? There‘s so many tiny issues everywhere…
@grimalkina @Sevoris @mrcompletely @mmeier
Trauma-informed maintainer support ❤️❤️❤️
@grimalkina the part that stood out to me was that the decision from the poor maintainer to hand over the maintainership to the malicious actor was… expedited by a slew of psyops abuse from various sockpuppet accounts that were *absolutely indistinguishable* from the demands that OSS maintainers of popular packets get on a routine basis.
e.g.: https://www.mail-archive.com/xz-devel@tukaani.org/msg00568.html
@grimalkina @analogist It's so horrible. It's no wonder the maintainer reported struggling with mental health issues for years. Who wouldn't?
To attack someone for years and erode their mental health and then slowly slip into their source code and plant sleeping exploits deep in the software supply chain is unreal. But it appears to legitimately be happening, and repeatedly.
I truly agree here. Psychological protection needs to happen
Yeah. I've been trying to think about some practical things we technologists can do for each other, and made some suggestions in https://www.harihareswara.net/posts/2023/user-support-equanimity-potential-cross-project-tools-practices-open-source/ , and hope this incident can spur some more creative and substantial effort. Then again, I'm thinking about the past 10 years, post-Heartbleed, and that doesn't feed optimism.
Good heavens yes, to all of that.
I don't wonder that the angry martyr unix admin trope is a reaction to that toxic environment.
@grimalkina Unrelated to this xz backdoor story, I'd love to see psychologists step-up to help tech workers realize their worth and to help them unify as a labor force.
The default tech personality is a highly isolated introvert. And the default business playbook is to pit these workers against each other and milk them for all they're worth.
@grimalkina oh my. I totally agree and also...
: points at pilots: :points at the state of safety-2:
Happy to talk about it but uh. You are going to join the renegades if you keep going ;)
We do have cookies though.
@grimalkina to get an idea of where we are at...
Richard Marr
Cat Hicks
@
Nat Bennett
Vesna Manojlović
Scott Williams 🐧
Eljorgeabides
Teixi
Mitja Podreka
@
Sevoris
Mr. Completely
Jeremy Kahn
James Wu
Hazel Weakly
Sumana Harihareswara
Ringo De Smet
Julia Rez
Jevin Sweval
Glyph
Luis Villa
Paul de Raaij
Michael Darweesh ☑️
Thomas Depierre
Sean
aeva
madmax