Lessons Learned From the xz Backdoor

The open source community was rocked with the revelations of a backdoor targeting millions. Turns out, the enemy was the people and processes along the way.

Donate:

Links:

🪙 Crypto:
XMR: 84ZpcYxjfkT7uFGXgmi2jH2wyhUBMx8hGBJ3sAp478rKSShMAJHR3DhVVPSwCAskReRBPifzpA5Vu7HPpzAxHUux3SFS4bh

🎵BGM: [フリーBGM DOVA-SYNDROME / FREE BGM DOVA-SYNDROME]

👋 Outro: Khaim - Neon Lamp

👇 Sauce:

Chapters:
00:00 How xz Was Infected
02:58 Takeaways for Desktop Users
04:28 A Technological Solution: Reform & Reproducible Builds
06:23 OPSEC & Mental Health
08:43 A Social Solution: Moderation & Care for the Other
10:40 A Cultural Solution: Fostering Leadership & Vision
12:46 Outro
Comments

Cheers from Portugal. YouTube recommended this video since I've watched some on the subject, and I loved it.
Well-put argument, editing and graphics, and having the courage to point out that the solution is to have Conversations about the subject to properly solve issues like this. :)

JoseEncarnacao

I think "don't talk about your mental health issues" would be better received with some more limitations. It's not that you can't talk about them online. It's that you don't want to link them with your developer account.

That said, in this case, the reason he mentioned them was that they were bullying him, and he felt the need to explain himself. That's very hard to deal with. I very much think empowering developers by letting them know it's okay to ban people who are mean is a better strategy. Be nice, or be banned.

ZipplyZane

If Lasse is Theoden and Jia is Grima, who's Gandalf? What could shine a light on these situations and heal the harried king?

jamesarthurkimbell

It's disgusting how even multibillion-dollar companies depend on free software from often single-person projects whose maintainers put in years of work without any form of kudos. Yes, at least some of these companies do contribute back to open source, but far too many keystone projects are simply taken for granted, like the ssh libraries.

bart

I admit I don't know if those things will work. I think it is a double-edged sword. On one hand, open source is good for the community to look for flaws and improve the project. But at scale it becomes a risk, and it is difficult to keep bad actors from doing this very thing. This one was a two-year operation where confidence was built over a long enough period of time that it was not suspected to be nefarious. And the threat actors will only get better at doing this as they learn what project managers are looking for to stop them.

rationalbushcraft

1:32 understatement of the century..

To be even possible to.

mkDaniel

Luckily I still have a computer or two that run on LhARC compression for the majority of their software (just in case). Quick, everyone switch to Huffman v2. Maybe put AI tools to use to scrape the backend of these code commits and do validation screening on that. Could reduce some of the labor on the human element.

RarefiedError

I don't think that keeping your mental health conditions secret will help. If someone is looking for a weakness, they will probe personally and likely easily find what they need to exploit by just getting to know them personally. Keeping your mental health a secret is not a solution to this issue.

ttrev

It's very problematic if only one person works on a project. The source code should be read more systematically. My idea is that an expert asks laymen to work on a file. The layman could tell the expert that something is wrong with the code, for example that a comment is badly written or a test is missing.
Make it easier for people to work on open source projects.

Hofer

Good suggestions.
How do you know if you have the bad version of xz?

cbbcbb

The real question is, was it the first time?

CaribouDataScience

There are pros and cons. One reason is that people live in different areas of the world, which is not easy to standardize. Plus there are people working part time or as a hobby. As well, there are people working in big tech and in low tech. Exposing their ID could lead to attacks by bad apples. Plus, with the history system, making sure the git access is secure is not an easy task, plus there are 10000 users committing, which is not an easy job for one or many people. Lastly there are many libs which have a lot of core or sub devs.

darknetworld