Oh goddess. The gnu/coreutils developers have been looped into the thread "GNU Coding Standards, automake, and the recent xz-utils backdoor" and their first suggestion was "we should use -lzstd instead of -lxz".

https://lists.gnu.org/archive/html/coreutils/2024-04/msg00000.html

Sigh, I didn't expect an easy acknowledgement that "autoconf is useless" can be sung to "every sperm is sacred" because Upton Sinclair's "difficult to get a man to understand something when his salary depends on not understanding it" but s/money/tribalism/

Re: GNU Coding Standards, automake, and the recent xz-utils backdoor

I'm weird in that "a child of 5 could understand this, fetch me a child of 5" is central to my design philosophy in busybox/toybox/aboriginal/mkroot but in general, if you put your ear to the side of the project and hear the Katamari Damacy theme song, something is wrong.

Open source outlasts things like OS/2 or Windows XP because they don't go bankrupt, the same people can continue to work on the codebase after switching employers, and you can't force "end of life" on things with users.

And the "peer review" aspect of the xz thing _did_ work as designed in this case. Somebody found it while it was still in distro pre-releases. As soon as it was exposed to a wider audience it got taken apart and poked at.

Everybody's freaking out because it wasn't GUARANTEED to be found. Sure. But it was found, and fairly quickly, and that guy wasn't uniquely qualified to find it. (If he hadn't, nobody would have!)

Assume Jia Tan had gotten hired at Apple instead. How do you know he _wasn't_?

@landley So, agreed about the autoconf, agreed about the open-vs-closed, but my best theory of how this guy got caught is that he was rushed, and made a mistake that slowed down ssh enough that somebody noticed. The rest of this was very, very crafty. Without that mistake that someone noticed, we would be in a bad place.

And therefore, I'm a little worried that there might already be another one of these deployed, waiting. This one was designed to "wait".

@dr2chase Which is why things like Google's "project zero" and all the ex-veracode people I follow on here do important work re-examining stuff that's already shipped.

And why a diverse ecosystem with multiple compilers and multiple C libraries with multiple command line utility sets running on multiple architectures is a good thing.

It's a pity Red Hat Enterprise charges an arm and a leg for advertising but doesn't get _mentioned_ as a solution despite being the target (systemd-only exploit).

@landley C is a disaster, we should have started retiring it back in 1988. Same for autoconf.

@landley of course there's no guarantee, even with a process

But if someone were digging around in MS Windows binaries and by sheer chance found a backdoor, would we call that a win for closed source software peer review?

I wouldn't.

It's not even like he found it in the sources! (at first)

@landley why am I not surprised by that?
Just like I see people shitting on #systemd about it when #xz is literally the one thing one cannot blame it for...
https://infosec.space/@kkarhan/112206692463157328

Like it makes my blood boil getting talked smack when it's not me who fecked up, so I imagine @pid_eins feeling the same:

At least if one wants to be angry at him, be angry for valid reasons or better yet: Make something better!

Kevin Karhan (@[email protected])

@[email protected] @[email protected] been there, done that, even before #systemd was conceived! https://infosec.space/@kkarhan/112206480057943081

@landley @pid_eins
Because if #SysVinit was good he'd likely not have made systemd, nor would any other #Unix-esque OS that isn't a tiny embedded distro that can handle just using an #init file use basically their primitive systemd predecessors like #launchD (#macOS) & #SMF (#Solaris & #illumos) instead...
https://www.youtube.com/watch?v=o_AIw9bGogo

@landley @pid_eins
Speaking of valid criticism:
The #Stallmanists and "#GPLv3 Fanboys" are a literal net negative, as their nonchalant attitude about bricking userspace with minor updates, and complete disregard of the fact that not everything is #AGPLv3-compatible #FLOSS but that #CCSS also exists and thus "just recompile it!" is not an option, showed me.

It's the reason why I demand everything to be statically linked binaries in @OS1337, because I think people should also "own" the dependencies and take responsibility.

  • Ideally this would push developers to building lean, clean and well-maintained as well as -maintainable applications.

@landley @pid_eins @OS1337

And being able to list all the dependencies for OS/1337 is not just interesting but also vital to making things reproducible and auditable, to the point that people don't have to trust me or @SweetAIBelle or anyone's scripts but could essentially do it step-by-step manually (potentially on an air-gapped system), as @w84death showcased with #Floppinux...

https://archive.org/details/floppinux-manual/

#OS1337

FLOPPINUX 0.1.0 Manual, Krzysztof Krystian Jankowski (Internet Archive)

@landley @pid_eins @SweetAIBelle

As a matter of fact, I literally had to document how to basically set up an entire payment provider's backend infrastructure from scratch with just a few configuration files and database backups at hand, because a competitor went belly up and the one person at @BaFin who went #ToldYaSo on their superiors and colleagues that held them down not just smelled blood but also caused a lot of heads to roll and panic to spread...

And yes, that documentation had to be written down so detailed yet simple that even an absolute #TechIlliterate could do it just by following the instructions step-by-step.

And apparently that put the regulators well at ease too, cuz their business is thriving...

@landley @SweetAIBelle so yeah, I think #transparency is something #FLOSS can and should deliver more by virtue of enabling #ReproducibleBuilds and -Setups!

We expect #Reproduceability in #mechanics, #electronics and any other #engineering as well, and we should do that with #Software, #Hardware and #Firmware too because it not just removes the need to #trust but also allows for longer support...

So instead of demanding #remote-#updateable shite that can literally enable malicious actors to "Hastings" drivers, @EU_Commission should've rather demanded #ReproduceableFirmware and that all the components, design and software be #OpenSource'd permissively to ensure #LongTermSupport and #compatibility and ease of testing for anyone from users and 1st party service centers to 3rd party repair shops to historic vehicle owners...

@landley @SweetAIBelle sorry for my #rant that went off the rails tho...

@kkarhan @landley
No worries.

Main thing with xz was a bunch of places relying on a library that was maintained by one person in their spare time without compensation and no support from anyone other than the person sabotaging it, and the same situation, hopefully minus the sabotage, is all over FOSS. It's a big problem...

@SweetAIBelle @landley
I know...
And sadly the only thing regulators seem to think of is trying to legally circumvent the provided-as-is clauses instead of, i.e., making public funds to support underfunded FLOSS that happens to be part of their supply chain...

Not to mention, legally none of these #FLOSS projects are legally #suppliers in that they have no contractual obligations whatsoever.

Or as some people might say: "If you want warranties, buy a toaster [or an #Enterprise #Linux #Subscription]!"

What's more saddening is that #CCSS integrating blatant #Govware #Backdoors and snitching on #Customers like #Apple does for the "P.R." #China doesn't even get people to shrug yet still they continue Fanboying & Fangirling said Corporation!
https://www.youtube.com/watch?v=Ev9_oDHNf-4

Whereas if #Regulators like @EU_Commission and @bsi had any teeth and took their Jobs seriously, they would've banned all the #GFAMs and #PRISM collaborators for their illegal #espionage faster than the #USA is banning #TikTok as it violates their #cyberfacist #hegemonial rule!

It's saddening, sickening and disgusting at the same time...

YouTube: How Tim Cook Surrendered Apple to the Chinese Government