top | item 39873764

buffet_overflow | 1 year ago

> Facebook engineer and therefore have vetted

Haven't nation-state actors openly infiltrated high-level companies? This would provide a false sense of security, IMO. If anything, we need better testing and behavior heuristics for incoming code.

b112 | 1 year ago

One thing missing here.

I develop cool thing X. Now, 100 minor things depend upon it.

Suddenly, Facebook (or anyone of that size!) starts using it, and decides to vet the maintainer/author.

Who says anyone has to cooperate? It's his software. He wrote it. Don't like it?

Well tough!

Now obviously Facebook could author a replacement. It could fork and maintain.

But the very nerve that Facebook (or anyone!) would insist upon a security audit of the anonymous author would be very, very strange.

Next up, I lend a neighbour my lawn mower, after he comes begging to borrow it. Oh, but wait! My neighbour now wants me to sign a liability form, and also undergo a security check, all so he can borrow my lawn mower!

The hell?!?!

Hoping this illustrates my point. The project author owes nothing to anyone.

And it gets more wacky if there are 100 companies demanding audits. What? Demand?!

This is where distros are the strong point. They aren't perfect, but they catch a lot of stuff on their own. And maintainers of different distros often backchannel, support each other in this.

In terms of some government org "vetting" people? Way to take the last vestiges of free software, and hacking, and turn it into a gatekeeping, bureaucratic nightmare. I guess one will need credentials, government ID, a 10-year security check, to be fingerprinted, and so on? Security clearances work like that, and that's how you vet someone.

darnir | 1 year ago

This exact thing happened to me. I maintain a fairly popular free software project. A few years ago, I received an email from a nasa.gov domain claiming that they want to use the project internally and are auditing all their suppliers. They wanted documentation on me and on how I audit my supply chain for the project. Not cool. I don't have time for these shenanigans in my personal time.

buffet_overflow | 1 year ago

Agreed that the vetting of private people would be invasive and not a good use of resources. It would also not work for recently compromised accounts.

I’m also personally torn on how much we want giant private companies controlling more and more of the core compute infrastructure and software.

In an ideal world, the code and software itself would be automatically analyzed for malicious use cases in release and deployment pipelines, but that's a magic, hand-wavy kind of ask of a huge magnitude and complexity.
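One narrow, mechanical piece of the pipeline-side analysis the comment above wishes for is an added example here, not code from the thread or from any project it mentions: take the release tarball a downstream is about to consume, take a VCS export of the tag it claims to be built from, and diff the two file sets by content hash. Files that exist only in the tarball, or whose content differs from the tagged tree, are the ones a human has to look at. In the xz case the injected build machinery lived in the release tarball rather than in the git tree, which is exactly the category this check surfaces. The package name, paths and file contents below are constructed sample data; `generated_ok` is an assumed allowlist for files that autotools legitimately produces only at release time.

```python
import hashlib
import io
import tarfile
from typing import Dict, Iterable, List


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_tar(files: Dict[str, bytes]) -> bytes:
    """Build an in-memory .tar.gz from {path: content}. Used only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def tar_digests(tar_bytes: bytes, strip_prefix: str = "") -> Dict[str, str]:
    """Map every regular file in an archive to its sha256.

    strip_prefix removes the 'pkg-1.0/' style top-level directory that release
    tarballs carry but VCS exports usually do not, so paths line up.
    """
    digests: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue  # directories, symlinks etc. are not content we hash here
            name = member.name
            if strip_prefix and name.startswith(strip_prefix):
                name = name[len(strip_prefix):]
            fobj = tf.extractfile(member)
            digests[name] = _sha256(fobj.read())
    return digests


def compare_release(vcs: Dict[str, str], tarball: Dict[str, str],
                    generated_ok: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Classify every path by where it exists and whether its content matches.

    generated_ok is an allowlist (assumption) of paths that are expected to be
    present only in the tarball, e.g. a generated 'configure' script.
    """
    allow = set(generated_ok)
    return {
        "only_in_tarball": sorted(p for p in tarball if p not in vcs and p not in allow),
        "only_in_vcs": sorted(p for p in vcs if p not in tarball),
        "modified": sorted(p for p in tarball if p in vcs and vcs[p] != tarball[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Run the comparison on constructed sample data: a tagged tree and a tampered release."""
    vcs_files = {
        "src/main.c": b"int main(void) { return 0; }\n",
        "configure.ac": b"AC_INIT([pkg], [1.0])\n",
        "m4/ax_local.m4": b"dnl local macro\n",
    }
    release_files = {
        "pkg-1.0/src/main.c": vcs_files["src/main.c"],
        "pkg-1.0/configure.ac": vcs_files["configure.ac"],
        # same path as the tagged tree, but content changed after tagging
        "pkg-1.0/m4/ax_local.m4": b"dnl local macro\ndnl extra line added after tagging\n",
        # legitimately generated at release time, covered by the allowlist
        "pkg-1.0/configure": b"#!/bin/sh\n# generated by autoconf\n",
        # hypothetical file that exists only in the tarball and is not allowlisted
        "pkg-1.0/m4/build-helper.m4": b"dnl not in the repository\n",
    }
    vcs = tar_digests(build_tar(vcs_files))
    release = tar_digests(build_tar(release_files), strip_prefix="pkg-1.0/")
    return compare_release(vcs, release, generated_ok=["configure"])


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The weak spot is the allowlist: anything a maintainer can plausibly label "generated" is where a tampered file hides, so a stricter pipeline regenerates the build files itself from the tagged tree (for autotools, an `autoreconf` run in a clean container) and diffs against that instead of trusting a list of names.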

bdd8f1df777b | 1 year ago

And in this case Facebook did author a replacement: zstd. It just didn't get popular enough. And even when it does get popular, it won't replace all usages of xz, only some of them.