this post was submitted on 13 Jun 2024
739 points (97.9% liked)
Technology
59446 readers
3622 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
It highlighted some pretty glaring weaknesses in OSS as well. Over worked maintainers, unvetted contributers, etc etc.
The XZ thing seems like we got "lucky" more than anything. But that type of attack may have been successful already or in progress elsewhere. It's not like people are auditing every line of every open source tool/library. It takes really talented devs and researchers to truly audit code.
I mean, I certainly couldn't do it for anything semi advanced, super clever, or obfuscated the way the XZ thing was.
But I agree, that the fact we could audit it at all is a plus. The flip side is: an unvetted bad actor was able to publish these changes because of the nature of open source. I'm not saying bad actors can't weasel their way into Microsoft, but that's a much higher bar in terms of vetting.