What about "yet giving the ability to give advice requires deeper proof of expertise and understanding of the life of maintainers?"
Said otherwise. Fuck off.
>>> yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a “quick fix” to any problem.
I will have to do a proper take down later because this is a looooot of shit.
I will simply repeat my advice from last time. It is ok to step down when you are not helping. It is even better for everyone. Sometimes we are not equipped to do a job. It is the responsible and self-respecting thing to recognise it and step down when it happens.
@Di4na lmao. "Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack."
This just in: OpenSSF declares OpenSSF scorecard to possibly be a social engineering attack
This is the single thing published about xz by an org that seems to have actually done the work.
If you want a voice to amplify, the @sovtechfund seems to be the only one that listened to maintainers. So please go read it and amplify it. Let's try to make visible orgs that are humble and do the work.
And thank you to everyone at the @sovtechfund for doing this work, like this. ♥️ It helps so much.
So we have it now. Rust solved a large number of the safety problems at the system language level. Not everything ofc, but still. Lots of them. And it is actually being adopted.
So I have a question for my cybersecurity/infosec crowd.
Have you introspected why 3 decades of yelling about that stuff got no results, 3 decades of sanitisers and fuzzers barely moved the needle, but Rust slam dunked it?
Where is the retrospective of what went wrong? Where are the learnings?
I am genuinely interested. It is a domain I keep being surprised not finding discussions about. And I feel like I must be missing. I am probably not looking in the right place.
So I am asking the internet to do its magic and point me to these places please :)
@Di4na We should recognise the possibility that it may have simply been random factors that caused the adoption of Rust where other solutions didn't take off; that there wasn't something specific Rust did right or the others did wrong.
@Di4na I have read them. The Synopsys and Tidelift reports don't share your conclusion. You pulled numbers from each, smashed them together in a dodgy way and made a poor conclusion.
"So, nearly 60% of all code being actively shipped in an app or product in the wild is hobbyist-maintained open-source."
That's simply not supported by the reports you cited.
Look, I'm all for paying OSS maintainers. But in a piece where you tell people to sit down and shut up, maybe have more sound conclusions.
OH: I want to make a "go fuck yourself openssf" badge
I am sure this is how you educate maintainers and get traction with them. I mean, I am not a security expert nor someone the OpenSSF would choose to listen to or pay, so I am obviously not knowledgeable about this. You should definitely listen to them. They obviously know how to make the OpenSource ecosystem more secure.
Whoever wrote, reviewed, and approved this at the OpenSSF.
Consider leaving the organization. I am not joking. You have no idea what you are talking about; you know nothing about Open Source, and you seem to know nothing about Security, either.
Even less all these things combined. Just. Leave. Resign. It is ok to realize you are not the right person for that position. It happened to me before.
In the spirit of the late Dr. Cook, what is surprising about the #xz attacks is not that it happened. It is that these kinds of attacks are astonishingly rare!
You want the funniest one? Until the past couple of years, the attackers could have just... released a new autotools version. No need to convince the previous maintainer or anything.
Because there was none. If they had shown up to release a new version, everything using autotools would be infected. And it would probably be easier to hide.
This was... Actually not that impressive of an attack?
I am sure we will all talk about how this was doing all the "secure" stuff properly, got caught by Valgrind, and the right thing to do was to disable the check.
Because we built tools to find out, and then tools to explore and fix, the problem, that are so unergonomic
that when we need them, the only good, right and logical step is to disable them. Because no one can understand what to do with the report.
I am sure we are definitely going to talk about that.
Or of how Autotools is such an antiquated sedimented code base that none of what was happening felt out of place.
And that no one was really able to model what it was doing.
I am sure we will talk about these systemic contributors to this. I mean, they definitely are not impacting others and will never come up in the future cases of this kind of stuff.
I am sure. It is really a trust problem. Or a burnout problem. And I mean. Yep it is.
But maybe other things could be changed too there. Maybe
In the light of the xz stuff, I will recommend, again, that people try to internalise this before responding.
Your model of how this whole stuff works is probably not useful. Accept it, even if you are supposed to be really good at this. Sit this one down. Don't say your hot takes. Come talk to me instead and let's talk. Please.
And if you really want to do a hot take or come up with a solution, please start by reading this and using the framework I offer at the end. I implore you.