The abusive behavior that was being used to manipulate Lasse Collin into bringing on more maintainers for #xz went unnoticed because abusive behavior in Open Source communities is so pervasive. In context, we can clearly see it was part of an orchestrated operation. Out of context, it looks like just another asshole complaining about stuff they have no right to complain about. https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
A Microcosm of the interactions in Open Source projects | RobMensching.com

This was originally a thread on Twitter about the xz/liblzma vulnerability; when I finished typing it, I realized I had a real-world slice of Open Source interaction that deserved more attention.

@swelljoe Now that this is public, there are going to be copycats.

This kind of utility should have been sandboxed in a snap or Flatpak.

Ubuntu's snaps are unfortunately looking kind of good right now.

@Sibshops I would be stunned if this is the first. This has been a known attack vector for some time (Poul-Henning Kamp did a talk on it more than a decade ago, and many others have written about it). This just happens to be one that was discovered and captured a lot of attention for a variety of reasons. Sometimes it's caught in code review of a PR, and since it is always designed to look like an innocent mistake, it might not raise any alarms even if it didn't succeed.
@Sibshops Other times it isn't caught and gets deployed for months or years. This one is clearly intentional, but it's only clear after analysis of the totality of the attacker's commits. Any one of them looked pretty harmless. Also, I suspect there's a lot of this in proprietary software that we'll never know about. Getting past one code reviewer and some automated tests in a company is a lot easier than getting past everyone in the world who might want to have a look, at least in the long term.
@swelljoe @Sibshops The ONE defense against this does in fact require access to source code: audit or potential audit by mutually opposing parties that hate each other too much to conspire to hide something