Lasse Collin, the other xz maintainer, has acknowledged the backdoor

afterthoughts, 1 month ago

The endgame is going to be those who rely on this software paying to maintain it.

FrankTheHealer, 2 months ago

Can someone give me a TLDR please

Vendetta9076, 1 month ago

Its best you actually find an info dump on the situation as it’s not really something that can be tldr’d

Xy_lemmy, 1 month ago

This is as much tldr I could find. boehs.org/…/everything-i-know-about-the-xz-backdo…

prex, 2 months ago

Just a reminder - I’m sure we have all seen it: https://xkcd.com/2347/

Murdoc, 1 month ago

I hadn’t seen that particular one before, so thanks! I guess I was one of the lucky 10,000.

prex, 1 month ago

Thanks for commenting. I’m going to keep posting these.

The lucky 10000 is such a wonderful concept.

spacedogroy, 2 months ago

I think if you read through this and take it at face value, there is a pretty clear picture of what happened: robmensching.com/…/a-microcosm-of-the-interaction…

digdilem, 2 months ago

Reading that made me sad, angry and scared. Great article, but terrifying.

haui_lemmy, 2 months ago

Damn. The amount of unpaid work for something so crucial to todays communication is staggering. I always make sure to pass parts if the donations I receive (not a lot) upstream.

I have the horrible feeling that very few people who use FOSS software and could actually donate some money at least dont do this. Do we have any numbers for this?

eveninghere, 2 months ago

I am starting to believe that we shouldn’t rely on this type of labor product in the first place. Something as critical as OpenSSH should be (and possibly is) funded by the users and also NOT use third party libs because it’s dangerous, as this incidence showed. FOSS is free not as in beer.

digdilem, 2 months ago

Good luck with that.

Commercial and closed source software is no safer, and may even be using the same foss third-party libs under the hood that you’re trying to avoid. Just because foss licences generally require you to disclose you’re using them, it doesn’t mean that’s what actually happens.

And even if, by some miracle, they have a unique codebase - how secure is that? Even if an attacker can’t reach the source, they can still locate exploits and develop successful attacks against it.

At its core, all software relies upon trust. I don’t know the answer to this, and we’ll be here again soon enough.

eveninghere, 2 months ago

I’m not saying that they should go closed source.

Your part on using foss third-party libs also makes no sense because my theoretical assumption is that they’re not used.

Your argument bent my logic for the sake of making it weaker. Please counter my argument without altering it, and I indeed admit it’s imperfect. But this particular lineage of comments is not constructive at all.

digdilem, 2 months ago

In what way did I bend your logic? I found your logic quite twisted to start with, and don’t think I did alter it further.

Also - not constructive? But you’re the one that’s being negative. I’m merely trying to point out that you’ll have a very hard job not relying on foss as it stands today. Where we go from here is a much bigger question, but we’ve all got very used to having free software and, as I said, even if we all start paying huge amounts of money for the alternative, that doesn’t mean it’ll be safer. In fact, I rather suspect it’ll be less safe, as issues like this then have a commercial interest in not disclosing security problems. (As evidenced already in numerous commercial security exploits that were known and hidden)

eveninghere, 1 month ago (edited 1 month ago)

Learn to read. Or learn logic. I’m just sincerely suggesting you to do those because I don’t have the opinion you think I have.

abbenm, 1 month ago

In what way did I bend your logic?

Well for starters, the person above was pretty explicitly NOT advocating for reliance on third party libs, and perhaps more importantly, they were not in any way suggesting reliance on closed source software. In essence, diametrically the opposite of everything you were talking about.

I think your confusion came in their phrasing of not relying on “labor product.” I took them to mean, not relying on people committing their free labor to sustain FOSS. I think you must have read that as not supporting FOSS.

Also - not constructive? But you’re the one that’s being negative.

I think they are right. You took the exact opposite of what they said and “corrected” them for it, which is irritating as hell. And now you’re doubling down, which is worse. I would be irritated too!

BCsven, 1 month ago (edited 1 month ago)

A side note. Proprietary closed source software totally uses opensource components. They may or may not disclose it, and they have to offer up what they used, however they are often making the disclosure a fine print item. We support a large proprietary software, we see the memos come through about what bug fixes or opensource library has an issue or vulner. The customers can aign up for this also, but I bet 99% of them don’t sign up. And if they were polled on if the software if it was open/closed I’m sure they would say closed only

haui_lemmy, 2 months ago

I‘m not sure what you‘re suggesting. Every piece of FOSS software is made by someone and the a lot of it builds on top of some upstream thing. Otherwise everyone would have to rebuild from scratch and FOSS would break down. Or am I missing your point?

Also, you cant make every 16 yr old user pay for a foss product. Companies must be made to pay for foss and downstream teams must be made to send parts of their income upstream, no matter if they make enough.

eveninghere, 2 months ago

I suggest you read my comment again.

haui_lemmy, 2 months ago

Mate, we are discussing on two different threads. Chill out. Maybe I didnt get your point so feel free to elaborate or leave it. Your choice.

eveninghere, 2 months ago

Yes. I simply think I already wrote what I needed to. The answer to your question is there. I guess it takes time to see my point.

ReversalHatchery, 2 months ago

You only said 2 things:

• we shouldn’t rely on free software made by free labor, and we need to say goodbye to some 60-70% or more of the software we use
• important software shouldn’t reuse code already made, they should reinvent the wheel and in the process introduce unique vulnerabilities and spend orders of magnitude more time doing that

None of these make sense in my opinion

eveninghere, 2 months ago

I was talking about third party dependencies, which you missed. It’s fair to say that was my poor writing, but my point still stands.

abbenm, 1 month ago

we shouldn’t rely on free software made by free labor, and we need to say goodbye to some 60-70% or more of the software we use

Again I’m just reading along, and as a person who cares about, you know, the principle of charity, I don’t see how you can possibly think that’s the most charitable interpretation of what they said. I took them to mean we should do what we can to ensure these projects have financial resources to continue, not that we should “say goodbye” to them.

And here’s the crazy thing: I’m not even saying I agree. I just think it’s possible to address a face value version of what they’re talking about without taking unnecessary cheap shots.

christian, 1 month ago

But being charitable to the person you’re responding to, they twice said explicitly that they didn’t understand what was being said and asked for elaboration and both times got a reply that more or less suggested that they didn’t understand because they’re illiterate. At some point the reaction becomes understandable.

edit: different poster from the first two, but I think they were sympathizing with the other person

abbenm, 1 month ago

That’s where the not that weird idea comes into play. It’s not that weird to not want to be misrepresented - that’s an entirely different thing from trolling, or strawmanning, or seeking out inflammatory topics on purpose. It’s a natural and understandable reaction, and we shouldn’t respond to it by deciding it’s ok to retaliate with increasingly less fair characterizations of their statements.

ReversalHatchery, 1 month ago

I took them to mean we should do what we can to ensure these projects have financial resources to continue, not that we should “say goodbye” to them.

They have said this:

Something as critical as OpenSSH should be (and possibly is) funded by the users and also NOT use third party libs because it’s dangerous, as this incidence showed.

Emphasis mine.

abbenm, 1 month ago (edited 1 month ago)

And again, that’s not even within an country mile of being a good faith attempt at charitable interpretation, for several reasons.

You’re twisting their words into some sort seemingly overnight goodbye to all software relying on third party libs. A more normal way of taking that is envisioning a more gradual progression to some future state of affairs, where to the greatest extent possible we’ve worked to create an ecosystem that meets our needs. An ecosystem that’s build on a secure foundation of known and overseen libraries that conform to the greatest extent possible to the FOSS vision. Ideally you don’t just say goodbye, you work to create ersatz replacements, which there’s a rich tradition of in the FOSS world.

Your other point was even worse:

important software shouldn’t reuse code already made, they should reinvent the wheel and in the process introduce unique vulnerabilities

Somehow, you decided that putting words in their mouth about going out of their way to solve the problem only with worst-case-scenario bad software development practices (e.g. lets go ahead and create unique vulnerabilities and never re-use code) is a reasonable way of reading them, which is completely nuts. FOSS can and does re-use code, and should continue to do so to the extent possible. And like all other software, strive to avoid vulnerabilities with their usual procedures. That’s not really an argument against anything specific to their suggestion so much as its an argument against developing any kind of software at any point in time - new games, new operating systems, re-implementations seeking efficiency and security, etc. These all face the same tradeoffs with efficient code usage and security. Nothing more or less than that is being talked about here.

abbenm, 1 month ago

Mate, we are discussing on two different threads. Chill out. Maybe I didnt get your point so feel free to elaborate or leave it.

I think it would be really good if all of us on the internet agreed to a rule, which is that if you mischaracterize someone or misread them, it’s not that weird for them to want you to not do that. So I don’t think it’s fair to response to a comment correctly noting they are being mischaractized by going out of your way to try and make it about their emotions/mental state.

haui_lemmy, 1 month ago

Whatever your reason for injecting yourself into this conversation is, youre out of line.

Theharpyeagle, 2 months ago

That’s a heartbreaking read, and I can’t imagine how it feels now to know that someone who finally helped lighten the load may be involved with such an egregious breach of trust and safety.

I think this is why I can’t get behind Linus-style takedowns, even if the prospective maintainer has made bad a mistake. Entitled consumers make things hard enough already with direct access to the developers, they don’t need any help getting burned out.

Thorned_Rose, 2 months ago

”Finding a co-maintainer or passing the projects completely to someone else has been in my mind a long time but it’s not a trivial thing to do. For example, someone would need to have the skills, time, and enough long-term interest specifically for this.” - https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html

As someone who runs a charity almost completely solo because of a lack of volunteers, I feel this so much in my bones. It's one thing to say, "Hey folks, I can't run this on my own, I need help" but it's another to find people who actually have the level of skill, committent, passion and integrity to contribute in a meaningful way. I can get people putting their hands up but I've lost count of the number of people who have then turned around and said, "Oh, actually I realise now I don't have time for this" or start in great and then just ghost me. It also takes more of my own time and energy, on top of what I'm already doing' to onboard and train people and it sucks so hard when I do that and then people disappear shortly after - I constantly have to question whether the time it takes to do that will be worth it vs just continuing the struggle by myself.

When you get consumers being arrogant and demanding, getting angry at you for taking too long to respond to their messages or not work fast enough.... it's soul crushing. Way too many people take volunteer work for granted or assume you're getting paid for your time and can therefore treat you like a working-class pleb or are plain just fucking rude and entitled. :( APPRECIATE YOUR VOLUNTEERS FOLKS! We need more volunteers, and appreciation. Many hands makes light work.

eveninghere, 2 months ago (edited 2 months ago)

Hell… As a researcher maintaining one technology on my own, I feel this. This is another reason one shouldn’t do things for free. There needs to be an incentive. And professionalism in the community. Sadly, both are hard to find…

Thorned_Rose, 2 months ago

Actually being paid is one of the biggest reasons for a lack in volunteers (the other is people working more than they used to). So many volunteers have been replaced with paid workers. Many charities aren't volunteer run organisations anymore but run more like not-for-profit businesses. As a result it's harder to get funding and donations. And people are less interested in volunteering unless they can be paid for it.

It's a vicious cycle and I'm watching more and more local, community organisations get eaten up by massive, centralised non-profits; and more and more local volunteer organisatns struggling to get off the ground. 😞

stsquad, 2 months ago

Don’t be too hard on Collin. Looking back on the threads it’s fairly clear he’s been the victim of a social engineering attack on an overworked maintainer. People were pressuring him to hand over maintainership while expressing disappointment at the slow pace of development. The off-list contact by Jia must have seemed like a helpful enthusiastic solution to a burnt out developer.

Zoop, 2 months ago

Poor guy. My heart breaks for him. I hope people are understanding, compassionate, empathetic, and aren’t hateful and harrassing towards him about it, but, realistically… they likely will be hateful and harrass the poor dude, because some people are just sucky, entitled, and rude little jackasses (and I hate it so much and I don’t understand why people behave this way!) I hope he can find a way to handle it all okay. :(

communism, 2 months ago

I agree with that assessment, I’m not accusing Collin of anything. If it is what it seems to be then I feel very bad for him. Just being cautious with wording until things are more settled/until we know more is all.

UckyBon, 2 months ago

I just made a similar comment in another thread here:

I read a lot about how we should double, triple check all the code. But what we shouldn’t forget is to check up on our people too.

2xsaiko, 2 months ago

People were pressuring him to hand over maintainership while expressing disappointment at the slow pace of development.

Very likely that was part of the attack as well.

haui_lemmy, 2 months ago

Definitely sounds like it. This happened to me in a real company as well. It was butal.

eveninghere, 2 months ago

Sorry to hear your situation. I’ve heard a similar story from a friend, where cronies bully one “colleague” after another to push that poor person to the edge. These morons climb the company’s career ladder in that way, hacking the HR evaluation. It’s truly disgusting.

haui_lemmy, 2 months ago

Thanks for understanding. I didnt imagine a nice comment like this. :)

In fact it was my company and an employee who I trusted worked behind my back to take over. When that didnt work he took off with company assets.

eveninghere, 2 months ago

Indeed, ugh, can I go on because it’s too personal to me.

My personal feeling is that the high-level management of such companies are indeed crony-ists. To this type of morons, companies are just assets that are to be cracked down and shared by their prestigious celebrity network or whatever.

Well, this is a biased view, but I’m gonna soon find out how much this applies to my employer…

henfredemars, 2 months ago

The top self-selects for the skill of climbing ladders.

haui_lemmy, 2 months ago

That doesn’t sound too great. I hope you all are going to be okay.

lemmyreader, 2 months ago

Archived version : web.archive.org/web/…/xz-backdoor/

ouch, 2 months ago (edited 1 month ago)

Nothing so far seems to indicate Lasse Collin knew what was going on.

I feel sorry for him. Must suck working on an open source project for free and then get sucked into something nefarious like this. He must be under tremendous stress.

SteefLem, 2 months ago

Sorry but if the maintainer says it didnt know? Sounds fishy. Or just a bad maintainer.

jarfil, 2 months ago

Who’s paying him? Seriously:

• If nobody is, then we got our value’s worth.
• If someone is, then we should look at who, how much, and why.

aksdb, 2 months ago

Do you think being maintainer makes you some kind of all knowing being? That’s not how that works. You write code and review code of others.

If there are multiple maintainers, you may obviously not even notice what another maintainer is doing; then you wouldn’t need multiple maintainers with write access if you could handle it all by yourself.

Thorned_Rose, 2 months ago (edited 2 months ago)

You realise that this comment is exactly part of the problem of why this happened, right? 🤦🏻‍♀️

communism, 1 month ago

If I were the co-maintainer of a project I wouldn’t suspect that the person who had been actively contributing for over 2 years had injected malicious code into a binary file to distribute in the tarballs. “Jia Tan” had already gained Collin’s trust by then

RageAgainstTheRich, 2 months ago

I suggest you read a little in how the backdoor was implemented. It wasn’t as obvious as you think. I personally don’t think the owner had anything to do with it.