Just listened to #PlanetMoney episode about the #XZ security incident...
Includes a brief, seemingly accessible introduction to #OpenSource
Though they talked a lot about the weakness of relying on arbitrary overworked underappreciated maintainers basically keeping "The Internet" working...
They did not apparently point out that that same open model was part of what allowed the issue to be discovered in the first place...
The further you dig, the farther the #history goes, so we settled on starting in 1906, then the 90's, then #Slackware. This is the history of #Xz that culminated in a "#hack" that would have rocked the world if not for one intrepid #SQL #developer.
@ph0lk3r and @jrt have re-examined the origins of the #xz backdoor with the benefit of some distance and draw a few lessons from it.
In particular, they recommend using signed #git commits as consistently as possible, a point that was missing from my own ⬆️⬆️⬆️.
I also use them consistently in a few places, but so far only where no rebases or squashes are needed. I suspect those lose the signatures, on rebase too, even when you do it yourself? https://research.hisolutions.com/2024/04/xz-backdoor-eine-aufarbeitung/
What do we actually know about "Jia Tan"? I went looking for traces. And found out along the way that one could probably have earned several billion with the vulnerability.
Who should be doing software packaging is a tough problem. I can see the value in #linux distros pushing for better changes downstream, encouraging upstream to change (double click in #KDE), but then I see cases like KeepassXC where the Debian package is now broken by default, actively damaging the reputation of upstream, but then I remember #XZ where upstream was left unchecked and hid bad code in plain sight, and I go back around in a circle.
Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO. The level of transparency is stellar, especially compared to proprietary software companies. What the FOSS world has accomplished in 24 hours after detection of the backdoor code in #xz deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything NOW. Which would introduce even more risks. Progress is made iteratively. Learn, adapt, repeat.
Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it's relevant now.
The abusive behavior that was being used to manipulate Lasse Collin into bringing on more maintainers for #xz went unnoticed because abusive behavior in Open Source communities is so pervasive. In context, we can clearly see it was part of an orchestrated operation. Out of context, it looks like just another asshole complaining about stuff they have no right to complain about. https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
Kuba reports on the xz vulnerability, which almost opened a backdoor into servers all over the world. Marta talks about an article on generation ships and interstellar travel that opens up anthropological abysses. We also puzzle over what a mysterious piece of music is about, and take a look at, and through, fisheye lenses.
@martinsteiger There are quite a few reasons why some projects forked Audacity a few years ago. Among them, the erosion of both privacy and the GPL.
A bit of that is summarized here. And the fact that people are getting involved.
The #OpenSource #Community consists of people, and so in the last episode we talked about #XZ: the attacker "Jia Tan" and the terrible attack on open source.
I am also pleased to say the official build servers for Debian produced a bit-for-bit identical .deb as my local build on bookworm amd64. Yay #ReproducibleBuilds yay!
After the #XZ attack, I have a suggestion for all #software forges (#Forgejo, #GitHub, #Gitea, #Sourceforge, etc.):
Have some way to visualize binary files better, including diffs to such files. Because right now we have basically nothing except byte counters.
Since they're binary files, it must be as generic as possible. But even some rendering or analysis is better than nothing.
The idea is to expose weird patterns in binary files that could be a sign of an attack.
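One generic analysis of the kind the post above asks for is a sliding-window entropy profile: it needs no knowledge of the file format, and it makes a block of compressed or encrypted-looking data embedded in an otherwise plain file stand out, which is the sort of "weird pattern" a reviewer would want a forge to surface for binary test fixtures. The code below is an added example, not code from the original posts or from any forge project; the window size, the 6.0-bit threshold and the sample file are constructed assumptions chosen for illustration.

```python
import hashlib
import math
from typing import Dict, List, Tuple


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_profile(data: bytes, window: int = 256) -> List[Tuple[int, float]]:
    """Entropy of each fixed-size window, as (offset, bits-per-byte) pairs."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def flag_anomalous_windows(data: bytes, window: int = 256,
                           high: float = 6.0) -> List[Tuple[int, float]]:
    """Windows whose entropy is at or above `high` (assumed threshold).

    Text, source code and most hand-written test fixtures sit well below
    6 bits/byte; compressed, encrypted or random-looking payloads sit near 8.
    A high-entropy island inside a low-entropy file deserves a human look.
    """
    return [(off, ent) for off, ent in entropy_profile(data, window) if ent >= high]


def describe_binary(name: str, data: bytes, window: int = 256) -> Dict[str, object]:
    """Summary a forge could render next to a binary diff instead of a byte count."""
    profile = entropy_profile(data, window)
    flagged = flag_anomalous_windows(data, window)
    return {
        "name": name,
        "size": len(data),
        "overall_entropy": round(shannon_entropy(data), 3),
        "windows": len(profile),
        "high_entropy_windows": [off for off, _ in flagged],
        "high_entropy_fraction": round(len(flagged) / len(profile), 3) if profile else 0.0,
    }


def deterministic_noise(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Reproducible random-looking bytes (sha256 chain), standing in for a payload."""
    out = bytearray()
    h = seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed sample: 512 bytes of plain text, then a 512-byte random-looking
# block, then 256 more bytes of text. Window boundaries line up with the
# block so the flagged offsets are exactly 512 and 768.
TEXT_BLOCK = (b"lorem ipsum text block\n" * 23)[:512]
SAMPLE_FILE = TEXT_BLOCK + deterministic_noise(512) + (b"trailing notes here\n" * 13)[:256]


if __name__ == "__main__":
    report = describe_binary("tests/fixture.bin", SAMPLE_FILE)
    for key, value in report.items():
        print(f"{key}: {value}")
    for off, ent in entropy_profile(SAMPLE_FILE):
        bar = "#" * int(ent * 4)
        print(f"{off:6d} {ent:5.2f} {bar}")
```

Running the block prints a per-window bar chart in which the two windows covering the embedded block stand out at roughly 7 bits/byte while the surrounding text stays under 4. On a real forge the interesting signal is the change in this profile between the old and new revision of a fixture, so the same functions would be run on both sides of the diff and the flagged offsets compared.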
https://discuss.coding.social/t/unionize-free-software-found-software-guilds/59 the recent #XZ disaster has prompted me to reread my own article from two years ago next month on "Free Software Unions". While I'd put some of the details in there differently today, I think the core point still stands: that free software maintainers are vulnerable to exploitation, both from Big Tech and, as is now evident, malicious attackers. And that the only way to protect them is to join into mutual support, solidarity groups.