Ancestors

Toot

Written by Russ Cox on 2024-12-03 at 15:05

Well, it's been 2/3 of a year since the xz attack.

Is software safer now?

Serious question.

What improvements have we made?

=> More information about this toot | More toots from rsc@hachyderm.io

Descendants

Written by Haelwenn /элвэн/ :triskell: on 2024-12-03 at 15:22

@rsc I know it triggered some projects to move away from autotools (typically meson instead) but that's all I've seen really change.

Like I'm not seeing many more people/projects than before care about subjects like reproducibility of artifacts, source auditing, or bootstrapping.

=> More information about this toot | More toots from lanodan@queer.hacktivis.me

Written by Leon P Smith on 2024-12-03 at 15:26

@rsc personally I really like this take:

"In any other course of life, this is not normal behavior and it would not be tolerated. Open source has gotten to the point that normal behavior is so toxic that literal state actors posing as toxic people on mailing lists went undetected and could have brought upon an international security incident upon us."

https://www.youtube.com/watch?v=bf_6EVTlZOY

=> More information about this toot | More toots from leon_p_smith@ioc.exchange

Written by Russ Cox on 2024-12-03 at 19:58

@leon_p_smith This was a great talk. Thanks.

=> More information about this toot | More toots from rsc@hachyderm.io

Written by AndresFreundTec on 2024-12-03 at 15:44

@rsc I've not seen a whole lot of progress. A few focused improvements in systemd's dependencies and openssh merged a few improvements. While good, they aren't really anything systemic.

But perhaps I'm just a pessimistic^Wrealistic grump and not seeing the full picture.

=> More information about this toot | More toots from AndresFreundTec@mastodon.social

Written by AndresFreundTec on 2024-12-03 at 18:59

@rsc I guess it did help to push postgres to finally have release tarballs that do not contain generated files that aren't in the repository (we historically included e.g. bison output in release tarballs).

=> More information about this toot | More toots from AndresFreundTec@mastodon.social
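The tarball-contents point above lends itself to a mechanical check. The following is an added example (not PostgreSQL's tooling nor the poster's code): it lists every regular file a release tarball ships and reports those absent from the repository's tracked-file list, so that generated output or anything added at packaging time has to be accounted for by a reviewer. The tarball and the `git ls-files` manifest are constructed samples.

```python
import io
import tarfile
from typing import Iterable, List, Set


def build_sample_tarball() -> bytes:
    """Constructed in-memory release tarball (not a real release).

    It mirrors the pattern discussed above: generated bison output
    (src/gram.c) shipped next to the grammar it was produced from.
    """
    files = {
        "pkg-1.0/README": b"sample project\n",
        "pkg-1.0/Makefile": b"all: src/gram.c\n",
        "pkg-1.0/src/gram.y": b"%% grammar\n",
        "pkg-1.0/src/gram.c": b"/* generated by bison */\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tarball_members(tar_bytes: bytes) -> Set[str]:
    """Regular-file paths in the tarball, top-level directory stripped."""
    members = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            # Release tarballs conventionally prefix "pkg-1.0/"; drop it.
            parts = m.name.split("/", 1)
            members.add(parts[1] if len(parts) == 2 else parts[0])
    return members


def files_not_in_repo(tar_bytes: bytes, tracked: Iterable[str]) -> List[str]:
    """Tarball files missing from `tracked` (the `git ls-files` output at the tag)."""
    return sorted(tarball_members(tar_bytes) - set(tracked))


# Constructed stand-in for `git ls-files` at the release tag.
TRACKED_FILES = ["README", "Makefile", "src/gram.y"]

if __name__ == "__main__":
    for path in files_not_in_repo(build_sample_tarball(), TRACKED_FILES):
        print(f"not in repository: {path}")
```

An empty result is what a release whose tarball is built purely from tracked sources (or from `git archive`) should produce.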

Written by daniel:// stenberg:// on 2024-12-03 at 15:47

@rsc I doubt few have the overview to speak up for what we as a community have done (or not). I know I have tightened processes and worked on reproducibility and verifying releases in my little project. I don't think I'm alone.

=> More information about this toot | More toots from bagder@mastodon.social

Written by Joe Cooper 💾 on 2024-12-03 at 16:16

@rsc I got a lot more aggressive about moderation. Mean people get gone faster from the forums and issue trackers I manage. But, the systemic changes need resources and I haven't seen any evidence that corporations that profit from open source have done anything to help. At least not in the form that actually helps (money directly to project maintainers and developer time spent specifically on improving the ecosystem rather than on specific features the corporation needs).

=> More information about this toot | More toots from swelljoe@mas.to

Written by Joe Cooper 💾 on 2024-12-03 at 16:21

@rsc if OSS were a "supply chain", then there would be money and/or reciprocal effort flowing in the direction of the suppliers. There isn't, by and large, so I don't think maintainers are obligated to take on the task of securing the supply chain beyond whatever suits their own purposes. It's up to the people who profit from it to step up and do their part.

=> More information about this toot | More toots from swelljoe@mas.to

Written by Özgür Kesim on 2024-12-03 at 17:39

@rsc With respect to supply chain attacks, and especially the social attack surface, I don't think so. Other metrics might give different results, as the recent paper from the Android team hints at (higher than expected drop of memory corruption bugs since the introduction of memory safe languages). But just looking at the number, severity and root causes of some of the issues recently reported by software security vendors alone suggests: no, software is not safer.

=> More information about this toot | More toots from oec@mathstodon.xyz

Written by Fazal Majid on 2024-12-03 at 21:03

@rsc I think the drafting of the EU’s Cyber Resilience Act (CRA) predates xz, but it puts the liability squarely on the person who imports an open-source project into a commercial offering. This is what provides an economic incentive to fund the expensive vetting required to secure software. We can’t all be freeloading on charitable efforts like Google Project Zero forever.

https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-for-open-source/

=> More information about this toot | More toots from fazalmajid@vivaldi.net

Written by Vegard Nossum on 2024-12-04 at 08:09

@rsc No. But the incident has raised awareness, if not for everybody at least for some people. It's going to take a while still, but there's more momentum behind efforts like reproducible builds and bootstrapping. This is still unmerged, but the PoC works: https://lore.kernel.org/all/20240819160309.2218114-1-vegard.nossum@oracle.com/

I'd like to think we're getting there, if slowly.

=> More information about this toot | More toots from vegard@mastodon.social

Proxy Information
Original URL
gemini://mastogem.picasoft.net/thread/113589506549700795