at the moment we have to accept we can’t please everyone. if people bully maintainers, they can gtfo and fork. same if you get bullied by maintainers, just fork and forget. maybe join with likeminded people if it’s too much work.
Meredith Whitaker, the president of Signal, said “I keep brooding on the way the xz backdoor was enabled in significant part via weaponizing the FOSS [free and open source software culture of shitty behavior and abuse.”
“What is striking is that the uncool, mean standards of FOSS conduct that many of us have decried for years, and that many defended as authentic, tough, etc., ended up not just being exclusionary loser behavior, but a significant attack surface.”
Emphasis mine.
A software economy based around sharing and openness is not compatible with whatever the fuck you want it to be. If you want decent, secure software, provided for free, then be a decent human.
I recently found out one my favourite FOSS projects was abandoned due to bullying. It was a small project and very fresh so it obviously came with some bugs and issues which is a given. The maintainer gave up only few months after because of all the negativity.
The latest one was LSPatch. Did so much for me. Last message from the maintainer was something along the lines of ‘Seems like people are not happy with the project so I’m dropping it’.
I’d actually broaden the concern. Like, having sockpuppet accounts bullying a maintainer is one form of attack, but more-broadly, social engineering is, I think, a real concern.
My understanding is that it’s considered likely that there was a national intelligence agency behind the xz attack. Point is, if they did it once, it’s probably in the toolkit, and will come up again. Not just from them, but from other organizations who will study attacks and see what works.
The problem with being an open-source developer is that you don’t spend your days trying to figure out counters to social engineering attempts. On the other side, you’ve got people who may well be spending a lot of time, reading papers, throwing around theories on just how to best pull this sort of thing off. The result is that one side is a novice, and the other has a lot of expertise and time to create a plan.
And the problem isn’t just how to counter social engineering attempts, but how to do so without being too corrosive to the open-source development community. Like, right now there’s a certain level of reliance on trust. If there isn’t any trust, it’s gonna be harder to do open-source development.
In both the potential F-Droid attack mentioned and at least some of the people with the Jia Tan/xz attack, some sockpuppets were used that had little history. It might increase the cost of an attack to take into account someone’s history. But…then, the Jia Tan attack also had a very considerable amount of effort put into creating a false persona, the one that actually did the commits.
I love Lemmy, but the harassment and sock puppet accounts is a huge fucking issue. It seems like some of the main instances are just tankies who won’t allow anybody else to have an enjoyable time
Social engineering is one of the most underestimated attack vectors. It doesn’t matter how cryptographically secure your system is if you can just ask for access.
Perhaps this speaks to a larger issue— how much bullying exists in the FOSS community, and what can the community - at large - do to address it, or even begin to bring awareness to it?
This argument that it’s a security vulnerability isn’t a terrible one (it’s certainly very logical and quite irrefutable), but I think there are others to be made for addressing this issue.
yeah, i think any project needs effective leadership. without it disagreements can fester into conflict and bullying becomes a bad way of resolving or beating those you are in conflict with
Add comment