I don’t understand how people see the xz incident and conclude that open source is insecure. That level of social engineering could easily have worked on a company as well, but it was detected *because* it was open source. All other mechanisms failed, and it was just some random guy poking around that discovered it. That kind of scrutiny doesn’t happen on closed source systems.
I also find it mildly funny that even the attackers could write bug-free code.
@kellogh This makes me conclude that we need more funding from companies that benefit from open source code. The fact that xz is only maintained by 1 or 2 developers and is used in as important utilities as OpenSSH is troubling. It doesn't make me worry about open source, it just shows weaknesses in the infrastructure we depend on.
@dogphilosopher @kellogh Is it surprising that it's only maintained by 1 or 2 developers? For the most part, it's finished software. A small compression library that barely ever changes just doesn't need more than one developer. What would a larger team do all day?
@dogphilosopher @kellogh What it shows is that it's turtles all the way down though. Ten years ago the worry was about openssh and tzdb; now it's anything that even gets to touch those, which in this case was a temporary optimisation through two layers of indirection in the init system. People blame systemd for this as if the previous world where _everything_ was unreadable shell scripts being run suid root was somehow less vulnerable.
@kellogh something can be insecure even if something else exists that's more insecure or insecure in a different way.
@kellogh I've witnessed how dev teams deal with access tokens and private keys for git repos. Assume breach is a completely logical position.
What are the odds of anyone detecting malicious activity in any of those private repos...
@kellogh although it obviously wasn't meant like that and I'm sure he's taken it all in his stride, had a nice profile boost, and saved the day: I can't help but feel a twinge of something every time a principal engineer who carried out a heroic feat of detective work here is described almost like a dog who found a trophy in a bush

@kellogh Agreed.

The fact that xz was found so early is a testament to the security benefits of open source.

@kellogh

Most people still don't understand the benefit and operating principle of open source
🤷
@kellogh @codeneko Corposcum can literally be compelled to compromise their proprietary malware further by authorities.

There is no argument to be made that such a scenario is more secure.
@kellogh Counterpoint: all software is insecure, all workplaces are insecure, all social structures are insecure.
Just differently so.
@kellogh Or may even be contractually forbidden (Oracle)

@kellogh I'm also not comfortable with the "by chance" aspect of the find, despite what the person who found it says.

Open source is full of quirky, obsessive, neurodiverse people who will say "that little thing that doesn't bother other people, it bothers me, so I'm going to fix it". In corporate environments they beat that out of you very quickly (or you resign).

@kellogh

Closed source project manager:
"No thanks, we already have a back door."

@kellogh Heck, if you pull off the social engineering part right at the beginning they'll even pay you to install backdoors in their software.

@kellogh

I'm not a professional coder by any stretch, so I recognize I'm coming at this with an unknown-to-me ignorance factor, but these types of issues seem to signal an issue with the sheer complexity of software in general, and particularly with the large number of dependencies some projects have (not that xz itself is necessarily super complex or part of a giant chain of dependencies, but factors seem to point in that direction.)

@kellogh Long term, this incident will hurt closed source software more than OSS. It will take a bit of time, but everyone will figure out that, with the amount of effort shown here, you can also get commercial software manipulated, and it will be much harder to detect.
@kellogh You only have to look at Microsoft at the moment. The company says the attacks are not wild and it was no big deal that their root keys were distributed. Apart from Microsoft's internal staff, no one currently has any information about Microsoft's security.
@kellogh It's the same reason people see a car beached on that hump in the middle of a roundabout and think that makes roundabouts dangerous... they don't understand that what they're seeing is the safety measures working. That beached car is one that would have hit other humans. That found exploit is one that would have gone unfound.
@kellogh
Just remember the Solarwinds incident.
It was much easier for the attacker, took less time, and was only detected after the fact.
@realn2s @kellogh indeed. Or the NSA's attack on the elliptic curve random number generator.

@kellogh I think it's a good sign that not paying and supporting open source maintainers is insecure.

I think there's an unspoken opinion amongst most private companies that consume FOSS libraries that the F is for "Free" as in "labor".

The question now is whether the story that "many eyes making bugs shallow" applies to the social and economic problems of the maintainers too - I think there's a strong chance here that the community is going to continue to fail in the same way simply because nobody's going to volunteer to pony up the cash or time to support maintainers and lend some up-front scrutiny to code.

Which is all to say that I agree the transparency here is what prevented this from being worse, but I'm inclined to believe this will happen again and that the current economy of free labor is going to reach an inflection point whereby the pressures of maintaining software in such a high-demand and adversarial environment are going to cause many projects to dry up.

@kellogh Who knows which proprietary appliance or PaaS has already pulled the manipulated xz code?
Proprietary software today is also based on open source.