Don’t forget that he made xz for free, as a hobby project, and likely got duped by “Jia Tan” same as everybody else did. He’s not obligated to solve this on any particular timeline.
Xz is not a business, so if your business got in trouble because a single solo hobby dev was a bit too trustful, it’s your job, and not his, to mitigate the problem.
Software may have backdoors; I'm not convinced this couldn't have happened if a large company was managing the product. AFAICT, open source software has a better security track record, in general.
IMHO, if it is anyone's job to look for and prevent these kinds of backdoors, it's probably companies like RedHat and Canonical. They bundle the tools with their products and they charge money for support.
> Most businesses use Linux for their servers, mainly Ubuntu/Debian

Businesses should factor in the risks, and also use Long Term Support versions of software, not unstable, bleeding-edge, fresh-from-the-oven ones. Which they do. And so they were not vulnerable at all.
Google does that with Project Zero, but few companies are wealthy enough to afford that. The way out is economic, not technical: insurance, and mutualizing the cost of security audits. I wrote up my ideas on the subject here:
This is supposed to be what services such as Tidelift provide - companies pay them, and OSS maintainers sign up with them for funding (and other support? unsure). But it's tough to apply this through the whole OSS ecosystem. To me, this is what Canonical's support contracts should be for. They're perfectly positioned to help mediate these types of issues.
Also, I'm on the same page with you. Block the malicious actor, continue sipping your coffee.
Think about it this way. Say you are volunteering for a non-profit. You obviously don't have to do it and could just chill at home instead. But once you have agreed to, say, take a volunteer shift on Saturday, you are obligated to show up. Obviously no one can really stop you from skipping, but it would look bad on you and may get you banned from the non-profit. Along the same token, you obviously shouldn't steal from the non-profit, or, say, randomly beat up the customers/clients. If you accidentally set the building on fire, which ends up killing 5 people, I would also assume you would help in some fashion to clean up.
Just because you are doing things for free does not mean you don't have social responsibility for your actions. You don't have to work, but just saying "oh my software ends up compromising everyone's computer? sorry not my problem" is seriously misunderstanding your role (I'm not saying that Collin is doing that). Similarly, if I just randomly slapped you in the face, I might have done it for free, but you would also probably be pretty pissed at me and expect an apology.
Just want to point out that this isn't a typical "demand underpaid open source developers to work 24/7" issue here. This is a unique circumstance where his action has directly resulted in this happening. I feel bad for him being guilt-tripped into adding a maintainer after reading through the old threads from two years ago, and, as I said, I don't want to burn him at the stake; I'm just saying that claiming he has no responsibility to help at all is really a bad take.
He has no responsibility to help at all.
All of the work done is that of a donation. Everyone who used xz did so for their benefit. Collin may feel a personal duty to work in the interests of the users of xz, but that's their exclusive choice. Any claim otherwise is on par with saying required-donation.
> "oh my software ends up compromising everyone's computer? sorry not my problem" is seriously misunderstanding your role (I'm not saying that Collin is doing that).
Then why mention it at all? But even if you did want to say that, that's true! You don't blame the victim of some abuse. Everyone, you included (assuming you use xz in any way), was lied to. Just because Collin was lied to first, and most, doesn't change the fact that the person who did all of the important work was also lied to and betrayed.
> Similarly, if I just randomly slapped you in the face, I might have done it for free, but you would also probably be pretty pissed at me and expect an apology.
Personally I'd be neither pissed, nor would I expect an apology. Shitty people are gonna be shit. But your mistake is blaming Collin for 'introducing' you to the person that slapped you in the face. But you're arguing as if Collin should have known this guy was a shitbag, and should hold the icepack while you berate them for making the mistake of trying to help other people... wtf?!
This us vs ourselves toxicity needs to stop. It's not us vs us. It's not even us vs the them. It's us vs the problem, us vs the malicious. The person writing the code is the good guy here.
No, it won't. Unless you have obligations.
> Along the same token, you obviously shouldn't steal from the non-profit, or say randomly beat up the customers/clients.
That's unrelated, to say the least. You obviously shouldn't steal from anyone nor beat up anyone, that's not related to this specific case at all.
> Just because you are doing things for free does not mean you don't have social responsibility for your actions.
No. No one forced the society to use the work that somebody was doing for free. And if society decided that it's fine to use it, it's on the society to take the associated risks. Everything else is a good will of the maintainer.
I would say it's definitely the most interesting one we know about so far :)
Dissect "worst backdoor EVAR". Why is it bad?
Is it because thousands of companies and millions of users depend on it?
On one guy on holiday working for free!
When we are essentially in two cold wars currently with ICBM nuclear powers?
Linux is the battleground of cyber warfare, which is being funded by nations, probably in the hundreds of billions of dollars. A trillion dollars or more of economic activity runs on it.
Windows? Come on, even buggier and less secure, and far less transparent.
Monetary support of Linux maintainers is now a national security concern. You can't have hundreds of billions for attack and zero dollars for defense; that is a stupid strategy.
The poor guy will go through even more stress now than what the attacker created and imposed on him over 2 years.
If anything, we should encourage him to look back at his mental health as not being his fault, and recognize that we need to protect ourselves.
For what?
He's doing fine, by the way, and mentions that the messages of support are appreciated but not necessary.
He's more focused now on figuring out what happened, how he missed it, and deciding a plan of action for cleaning things up.
(paraphrasing from conversations in the public channels)