undefined | Better HN

0 pointswashingupliquid1mo ago0 comments

It makes it sound even worse, cherry picking language like "not interested" as if the OpenBSD folks should shoulder blame for not being altruistic enough.

It reeks of trashing your benefactor, who gave you well-written free software, which you then made insecure with your own patches.

If you remove the roof of your car with a chainsaw and are inevitably injured later, is it the car manufacturer's fault they didn't offer that model as a convertible from the factory?

The better question is why are people still trying to assign blame all these years later? The IT world dodged a bullet but has moved on (and likely didn't learn from their mistakes as supply chain attacks are steadily increasing).

0 comments

2 comments · 2 top-level

striking1mo ago

Okay. You could see it that way. Or you could read what the author wrote about who is to blame:

> No one person or team really made a mistake here, but with the benefit of hindsight it's clear the attackers perceived that the left hand of Debian/Fedora SSH did not know what the right hand of xz-utils was doing.

with OpenBSD not even being mentioned here

debazel1mo ago

I guess it's up to interpretation, but I read it the complete opposite way, as in Linux distributions should not think so highly of themselves as to expect OpenBSD to conform and adapt to their mess, and OpenBSD rightfully should not be expected to "give a flying Fedora about Linux".

1 more reply

j / k navigate · click thread line to collapse