this post was submitted on 30 Mar 2024
1583 points (97.7% liked)

linuxmemes

21225 readers
42 users here now

Hint: :q!


Sister communities:


Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
  • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
  • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.

  • Please report posts and comments that break these rules!

    founded 1 year ago
    MODERATORS
    top 50 comments
    sorted by: hot top controversial new old
    [–] CameronDev@programming.dev 197 points 7 months ago (2 children)

    To be fair, we only know of this one. There may well be other open source backdoors floating around with no detection. Was heartbleed really an accident?

    [–] lemmyreader@lemmy.ml 100 points 7 months ago (1 children)

    True. And the "given enough eyeballs, all bugs are shallow" is a neat sounding thing from the past when the amount of code lines was not as much as now. Sometimes it is scary to see how long a vulnerability in the Linux kernel had been there for years, "waiting" to be exploited.

    [–] RecluseRamble@lemmy.dbzer0.com 73 points 7 months ago (2 children)

    Still far better than a proprietary kernel made by a tech corp, carried hardly changed from release to release, even fewer people maintain, and if they do they might well be adding a backdoor themselves for their government agency friends.

    [–] Vilian@lemmy.ca 19 points 7 months ago

    true, opensource can be flawed, but it's certain less flawed than a closed source alternatives

    load more comments (1 replies)
    [–] xenoclast@lemmy.world 35 points 7 months ago

    Yeah he didn't find the right unmaintained project. There are many many many cs undergrads starting projects that will become unmaintained pretty soon.

    [–] CodexArcanum@lemmy.world 171 points 7 months ago (7 children)

    I've gotten back into tinkering on a little Rust game project, it has about a dozen dependencies on various math and gamedev libraries. When I go to build (just like with npm in my JavaScript projects) cargo needs to download and build just over 200 projects. 3 of them build and run "install scripts" which are just also rust programs. I know this because my anti-virus flagged each of them and I had to allow them through so my little roguelike would build.

    Like, what are we even suppose to tell "normal people" about security? "Yeah, don't download files from people you don't trust and never run executables from the web. How do I install this programming utility? Blindly run code from over 300 people and hope none of them wanted to sneak something malicious in there."

    I don't want to go back to the days of hand chisling every routine into bare silicon by hand, but i feel l like there must be a better system we just haven't devised yet.

    [–] Killing_Spark@feddit.de 31 points 7 months ago (4 children)

    Debian actually started to collect and maintain packages of the most important rust crates. You can use that as a source for cargo

    load more comments (4 replies)
    [–] MeanEYE@lemmy.world 28 points 7 months ago

    Which is why you shouldn't do that. Dependency nightmare is a real problem many developers face. More to the point they impose it on you as well if you are by any reason forced to use their software. Well established libraries are gateway to this. People are getting out of their way to complicate lives to themselves and massive amount of others just so they could avoid writing a function or two. Biggest absurdity I like to point out to people is the existence of is-number NPM package, which does that. It has 2300 dependent projects on it!!! Manifest file for said package is bigger than the source. And the author had the hubris to "release it under MIT". How can you claim copyright on num - num === 0?

    On all the projects I manage I don't allow new dependencies unless they are absolutely needed and can't be easily re-implemented. And even then they'd have to be already in the Debian respository since it's a good and easy way to ensure quick fixes and patching should it be needed. Sometimes alternative to what we wanted to use already is in repo, then we implement using different approach. We only have few Python modules that are not available in repo.

    Managing project complexity is a hard thing and dependencies especially have a nasty habit of creeping up. I might be too rigid or old-school or whatever you want to call it, but hey at least we didn't get our SSH keys stolen by NPM package.

    [–] wolf@lemmy.zip 26 points 7 months ago (6 children)

    THIS.

    I do not get why people don't learn from Node/NPM: If your language has no exhaustive standard library the community ends up reinventing the wheel and each real world program has hundreds of dependencies (or thousands).

    Instead of throwing new features at Rust the maintainers should focus on growing a trusted standard library and improve tooling, but that is less fun I assume.

    load more comments (6 replies)
    [–] RegalPotoo@lemmy.world 19 points 7 months ago* (last edited 7 months ago) (1 children)

    It's a really wicked problem to be sure. There is work underway in a bunch of places around different approaches to this; take a look at SBoM (software bill-of-materials) and reproducible builds. Doesn't totally address the trust issue (the malicious xz releases had good gpg signatures from a trusted contributor), but makes it easier to spot binary tampering.

    [–] wizzim@infosec.pub 12 points 7 months ago* (last edited 7 months ago)

    +1

    Shameless plug to the OSS Review Toolkit project (https://oss-review-toolkit.org/ort/) which analyze your package manager, build a dependency tree and generates a SBOM for you. It can also check for vulnerabilitiea with the help of VulnerableCode.

    It is mainly aimed at OSS Compliance though.

    (I am a contributor)

    [–] acockworkorange@mander.xyz 14 points 7 months ago (2 children)

    Do you really need to download new versions at every build? I thought it was common practice to use the oldest safe version of a dependency that offers the functionality you want. That way your project can run on less up to date systems.

    [–] baseless_discourse@mander.xyz 39 points 7 months ago* (last edited 7 months ago) (2 children)

    Most softwares do not include detailed security fixes in the change log for people to check; and many of these security fixes are in dependencies, so it is unlikely to be documented by the software available to the end user.

    So most of the time, the safest "oldest safe" version is just the latest version.

    load more comments (2 replies)
    [–] treadful@lemmy.zip 24 points 7 months ago (3 children)

    Okay, but are you still going to audit 200 individual dependencies even once?

    load more comments (3 replies)
    load more comments (2 replies)
    [–] KillingTimeItself@lemmy.dbzer0.com 111 points 7 months ago

    everytime this happens i become unexplainably happy.

    There's just something about a community doing it's fucking job that gets me so normal feeling.

    [–] hash0772@sh.itjust.works 99 points 7 months ago

    Getting noticed because of a 300ms delay at startup by a person that is not a security researcher or even a programmer after doing all that would be depressing honestly.

    [–] mariusafa@lemmy.sdf.org 91 points 7 months ago (1 children)

    I love free software community. This is one of the things free software was created. The community defends its users.

    load more comments (1 replies)
    [–] unreachable@lemmy.world 69 points 7 months ago (1 children)

    ~~opensource~~autists win!

    [–] SinkingLotus@lemmy.world 39 points 7 months ago

    Opensautists

    [–] CosmicCleric@lemmy.world 60 points 7 months ago* (last edited 7 months ago) (1 children)

    The problem I have with this meme post is that it gives a false sense of security, when it should not.

    Open or closed source, human beings have to be very diligent and truly spend the time reviewing others code, even when their project leads are pressuring them to work faster and cut corners.

    This situation was a textbook example of this does not always happen. Granted, duplicity was involved, but still.

    [–] GamingChairModel@lemmy.world 12 points 7 months ago* (last edited 7 months ago) (5 children)

    100%.

    In many ways, distributed open source software gives more social attack surfaces, because the system itself is designed to be distributed where a lot of people each handle a different responsibility. Almost every open source license includes an explicit disclaimer of a warranty, with some language that says something like this:

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

    Well, bring together enough dependencies, and you'll see that certain widely distributed software packages depend on the trust of dozens, if not hundreds, of independent maintainers.

    This particular xz vulnerability seems to have affected systemd and sshd, using what was a socially engineered attack on a weak point in the entire dependency chain. And this particular type of social engineering (maintainer burnout, looking for a volunteer to take over) seems to fit more directly into open source culture than closed source/corporate development culture.

    In the closed source world, there might be fewer places to probe for a weak link (socially or technically), which makes certain types of attacks more difficult. In other words, it might truly be the case that closed source software is less vulnerable to certain types of attacks, even if detection/audit/mitigation of those types of attacks is harder for closed source.

    It's a tradeoff, not a free lunch. I still generally trust open source stuff more, but let's not pretend it's literally better in every way.

    load more comments (5 replies)
    [–] Draegur@lemm.ee 42 points 7 months ago (3 children)

    i feel like the mental gymnastics should end with a rake step

    [–] veganpizza69@lemmy.world 42 points 7 months ago (4 children)

    It's about the complex rationalizations used to create excuses (pretexts).

    The original is this:

    [–] johannesvanderwhales@lemmy.world 10 points 7 months ago

    Alright I won't argue about that specific version's point, but this is basically a template for constructing a strawman argument.

    load more comments (3 replies)
    load more comments (2 replies)
    [–] DingoBilly@lemmy.world 39 points 7 months ago (4 children)

    Immediately noticed even though the packages have been out for over a month?

    Easily could have stolen a ton of information in that month.

    [–] mlg@lemmy.world 43 points 7 months ago (2 children)

    Yeah but tbf it was deployed on mostly rolling release and beta releases.

    No enterprise on prod is worried because they're still on RHEL 6 /s

    [–] kopasz7@lemmy.world 18 points 7 months ago (3 children)

    Why the /s? We are migrating our host to RHEL7 since months.

    load more comments (3 replies)
    [–] DingoBilly@lemmy.world 12 points 7 months ago

    Yeah they got lucky. But shows how susceptible systems are. Really makes you wonder how many systems are infected with similar - this wouldn't be the first back door that's live in Linux systems.

    load more comments (3 replies)
    [–] pete_the_cat@lemmy.world 32 points 7 months ago

    It is pretty funny, I bet he's kicking himself right now for it.

    [–] yum@lemmy.eco.br 30 points 7 months ago (3 children)

    I just updated xz in my system. Thanks Lemmy!

    load more comments (3 replies)
    [–] JCreazy@midwest.social 22 points 7 months ago (2 children)
    [–] luves2spooge@lemmy.world 47 points 7 months ago (1 children)
    [–] seaQueue@lemmy.world 31 points 7 months ago

    Openssh backdoor via a trojan'ed release of liblzma

    [–] the_seven_sins@feddit.de 20 points 7 months ago (1 children)

    Ever wondered why ${insert_proprietary_software_here} takes so long to boot?

    [–] sus@programming.dev 19 points 7 months ago

    because AbstractTransactionAwarePersistenceManagerFactoryProxyBean needs to spin up 32 electron instances (one for each thread) to ensure scalability and robustness and then WelcomeSolutionStrategyExecutor needs to parse 300 megabytes of javascript to facilitate rendering the "welcome" screen

    [–] heyfrancis@mastodon.social 14 points 7 months ago (1 children)
    load more comments (1 replies)
    load more comments
    view more: next ›