Backdoors

To be fair, we only know of this one. There may well be other open source backdoors floating around with no detection. Was heartbleed really an accident?

I've gotten back into tinkering on a little Rust game project, it has about a dozen dependencies on various math and gamedev libraries. When I go to build (just like with npm in my JavaScript projects) cargo needs to download and build just over 200 projects. 3 of them build and run "install scripts" which are just also rust programs. I know this because my anti-virus flagged each of them and I had to allow them through so my little roguelike would build.

Like, what are we even suppose to tell "normal people" about security? "Yeah, don't download files from people you don't trust and never run executables from the web. How do I install this programming utility? Blindly run code from over 300 people and hope none of them wanted to sneak something malicious in there."

I don't want to go back to the days of hand chisling every routine into bare silicon by hand, but i feel l like there must be a better system we just haven't devised yet.

Weaponized Autism. Less than a second in lag. I love our community.

everytime this happens i become unexplainably happy.

There's just something about a community doing it's fucking job that gets me so normal feeling.

Getting noticed because of a 300ms delay at startup by a person that is not a security researcher or even a programmer after doing all that would be depressing honestly.

I love free software community. This is one of the things free software was created. The community defends its users.

opensourceautists win!

The problem I have with this meme post is that it gives a false sense of security, when it should not.

Open or closed source, human beings have to be very diligent and truly spend the time reviewing others code, even when their project leads are pressuring them to work faster and cut corners.

This situation was a textbook example of this does not always happen. Granted, duplicity was involved, but still.

i feel like the mental gymnastics should end with a rake step

Immediately noticed even though the packages have been out for over a month?

Easily could have stolen a ton of information in that month.

It is pretty funny, I bet he's kicking himself right now for it.

I just updated xz in my system. Thanks Lemmy!

What did i miss?

Ever wondered why ${insert_proprietary_software_here} takes so long to boot?

related blog - https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/

@lemmyreader

Eh, autism jokes are not funny. Ableism isn't funny.

The only real downside on the open source side is that the fix is also public, and thus the recipe how to exploit the backdoor.

If there's a massive CVE on a closed source system, you get a super high-level description of the issue and that's it.

If there's one on an open source system, you get ready-made "proof of concepts" on github that any script kiddy can exploit.

And since not every software can be updated instantly, you are left with millions of vulnerable servers/PCs and a lot of happy script kiddies.

See, for example, Log4Shell.