Could you have a #union representing #OpenSource maintainers? How would that work?

Would a #nonprofit (or several of them) be a replacement for a union: doing both maintainer #verification / #clearance, and simultaneously representing #developers and #maintainers for good #sponsorship/ #funding?

How could #politics and #badactors be avoided?

Bullying in Open Source Software Is a Massive Security Vulnerability

The Xz backdoor and a near miss on the F-Droid app store show how the entitled attitude of some people in the open source community can be used to push malicious or insecure code.

404 Media

#SnakeYAML's default usage assumed trusted input, while a more restrictive constructor was available for untrusted input.

There was a very long issue thread with multiple people arguing with the developer (some civil and making good points, some not so much) about making the default secure (assume untrusted input).

My thoughts reading the thread:
1. Rather than arguing with the developer, use the secure constructor and work with scanner tooling to resolve the positive.

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in

#opensource #xz #opsec #cve
(continued)

CVE-2022-1471 (vulnerability in deserialization)

https://nvd.nist.gov/vuln/detail/CVE-2022-1471

CVE-2022-1471 was reported about a day ago and it says:

> SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.

2. Help the developer by offering a patch, documentation, and collaboration. One person in the thread did that. Most did not.

2 is tricky. It's also being used by bullies to pressure maintainers into letting them insert backdoors. But it can also be done constructively: smoothing communication, understanding concerns and misaligned perceptions, and supporting the maintainer.
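To make point 1 concrete, here is an added example (not code from the thread, the NVD entry, or the SnakeYAML project) showing the difference between SnakeYAML's default loader and SafeConstructor on the same document. The input document, the class name SafeYamlDemo and the method names are constructed for this illustration; it is written against the SnakeYAML 1.33-era API, and the "before" branch also catches the rejection that SnakeYAML 2.x's default loader produces, since 2.0 later changed the default to reject global tags.

```java
import java.util.Date;
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlDemo {

    // Constructed sample document: an ordinary config key plus a global "!!" tag that
    // asks the loader to instantiate a JVM class by name. java.util.Date is deliberately
    // harmless; the point is that the class name is chosen by whoever wrote the YAML.
    static final String UNTRUSTED_DOC =
        "name: demo\n" +
        "created: !!java.util.Date {}\n";

    // Before: new Yaml() uses the full Constructor, which in SnakeYAML 1.x honours any
    // !!fully.qualified.ClassName tag and builds the object via reflection.
    static Object loadWithDefaultConstructor(String doc) {
        Yaml yaml = new Yaml();
        return yaml.load(doc);
    }

    // After: SafeConstructor only builds the standard YAML types (maps, lists, scalars),
    // so a global tag is an error rather than an object construction.
    static Object loadUntrusted(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        try {
            Map<?, ?> withDefault = (Map<?, ?>) loadWithDefaultConstructor(UNTRUSTED_DOC);
            Object created = withDefault.get("created");
            System.out.println("default loader built: " + created.getClass().getName()
                + " (is Date: " + (created instanceof Date) + ")");
        } catch (YAMLException e) {
            // SnakeYAML 2.x: the default TagInspector refuses global tags, so the
            // default loader now fails the same way SafeConstructor does.
            System.out.println("default loader rejected the tag (2.x behaviour): " + e.getMessage());
        }

        try {
            loadUntrusted(UNTRUSTED_DOC);
            System.out.println("unexpected: SafeConstructor accepted the global tag");
        } catch (YAMLException e) {
            // SafeConstructor throws a ConstructorException ("could not determine a
            // constructor for the tag ..."), a subclass of YAMLException.
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

Compile and run with the snakeyaml jar on the classpath. The practical consequence for the "scanner positive" part of point 1: a dependency scanner matches on the library version, not on which constructor the code passes to Yaml, so after switching every untrusted-input parse to SafeConstructor the remaining finding is a question of documenting that usage (or upgrading) rather than of arguing with the maintainer.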

(Continued)

Nobody needs to make code changes for free. Corporate pressure does not make it ok to #bully #opensource developers.

#Bullies are there in companies too, but at least those they bully get paid. It still sucks (I've gotten my fair share of people bullying me at my job through the years), but it's part of the job, and standing up to them (during work hours, not counting my own mental anguish) is also part of work.

#opensource developers do not get paid, and shouldn't be subject to that.