XZ Utils backdoor
tukaani.org

They haven’t particularly made a comment on the situation so much as acknowledged it’s happening. They seem to be going with the story that they had nothing to do with it and this is news to them. Hope to hear more from them soon so we can find out more about the situation, how and why this happened, etc.

(The sceptical tone isn’t because of disbelief of Collin, it’s because we don’t know enough about the situation to be able to say Collin is or isn’t telling the truth here.)

  •  ReversalHatchery   ( @ReversalHatchery@beehaw.org ) English
    13 months ago

    I took them to mean we should do what we can to ensure these projects have financial resources to continue, not that we should “say goodbye” to them.

    They have said this:

    Something as critical as OpenSSH should be (and possibly is) funded by the users and also NOT use third party libs because it’s dangerous, as this incidence showed.

    Emphasis mine.

    •  abbenm   ( @abbenm@lemmy.ml ) 
      13 months ago

      And again, that’s not even within an country mile of being a good faith attempt at charitable interpretation, for several reasons.

      You’re twisting their words into some sort seemingly overnight goodbye to all software relying on third party libs. A more normal way of taking that is envisioning a more gradual progression to some future state of affairs, where to the greatest extent possible we’ve worked to create an ecosystem that meets our needs. An ecosystem that’s build on a secure foundation of known and overseen libraries that conform to the greatest extent possible to the FOSS vision. Ideally you don’t just say goodbye, you work to create ersatz replacements, which there’s a rich tradition of in the FOSS world.

      Your other point was even worse:

      important software shouldn’t reuse code already made, they should reinvent the wheel and in the process introduce unique vulnerabilities

      Somehow, you decided that putting words in their mouth about going out of their way to solve the problem only with worst-case-scenario bad software development practices (e.g. lets go ahead and create unique vulnerabilities and never re-use code) is a reasonable way of reading them, which is completely nuts. FOSS can and does re-use code, and should continue to do so to the extent possible. And like all other software, strive to avoid vulnerabilities with their usual procedures. That’s not really an argument against anything specific to their suggestion so much as its an argument against developing any kind of software at any point in time - new games, new operating systems, re-implementations seeking efficiency and security, etc. These all face the same tradeoffs with efficient code usage and security. Nothing more or less than that is being talked about here.