oce 🐆

I try to contribute to things getting better, sometimes through polite rational skepticism.
Disagreeing with your comment ≠ supporting the opposite side, I support rationality.
Let’s discuss to refine the arguments that make things better sustainably.
Always happy to question our beliefs.

  • 0 Posts
  • 45 Comments
Joined 1 year ago
Cake day: July 7th, 2023


  • oce 🐆@jlai.lu to linuxmemes@lemmy.world · Backdoors · 1 upvote, 1 downvote · 3 months ago

    You have provided no valuable argument except “believe my experience”, so I am answering with an equally weak one. Provide me some good quality study and I will be happy to change my mind. I recognize this lack of enlightening information is pretty aligned with closed source philosophy.





  • oce 🐆@jlai.lu to linuxmemes@lemmy.world · Backdoors · 4 upvotes · 3 months ago (edited)

    In this case, downgrading to the not affected version. If there’s no possible downgrade, stopping the compromised system until it is fixed.
    Keeping the vulnerable system up because you think nobody else should know is a bet; I don’t think it’s sound. State actors are investing a lot to find and exploit those vulnerabilities, in this case probably even funded the implementation of the vulnerability, so I think you should assume that any vulnerability you discover is already used.


  • oce 🐆@jlai.lu to linuxmemes@lemmy.world · Backdoors · 1 upvote, 1 downvote · 3 months ago (edited)

    No I don’t think you said I was entirely wrong, that part was clear enough.

    My issue is more with your argument from authority and personal experience. It is very easy to be biased by personal experience, especially when it brings good money.

    access controls and supply chain management and traditional security mechanisms.

    So I’ll put my personal experience too (which is also a low value argument). From the outside it may seem this is well done in big companies. But the reality is that this is often a big mess and security often depends on some guy, if any, actually having some standards and enforcing them, until they leave because the company doesn’t value those tasks. But since it’s closed source, nobody knows about it. With open source, there’s more chance more people will look at this system and find issues.
    I don’t doubt some ultra sensitive systems like nuclear weapons have a functional closed source security process because the government understands the risk well enough. But I think there are way more closed source systems, at a lower danger level but which still impact people’s security, that are managed with a much lower standard than if they were open-sourced.



  • oce 🐆@jlai.lu to linuxmemes@lemmy.world · Backdoors · 30 upvotes, 3 downvotes · 3 months ago

    Crowd sourcing vulnerability analysis and detection doesn’t make open source software inherently more secure.

    It does, because many more eyes can find issues, as illustrated by this story.

    Closed source isn’t inherently bad, but it’s worse than open source in many cases including security.

    I think you’re the only one here thinking publishing PoC is bad.


  • oce 🐆@jlai.lu to linuxmemes@lemmy.world · Backdoors · 83 upvotes, 3 downvotes · 3 months ago (edited)

    If your security relies on hidden information then it’s at risk of being broken at any time by someone who will find the information in some way. Open source security is so much stronger because it works independently of system knowledge. See all the open source cryptography that secures the web for example.
    An open source PoC and fix increase awareness of issues and help everyone to make progress. You will also get many more eyes to verify your analysis and fix, as well as people checking if there could be other consequences in other systems. Some security specialists are probably going to create techniques to detect this kind of sophisticated attack in the future.
    This doesn’t happen with closed source.
    If some system company/administrator is too lazy to update, the fault is on them, not on the person who made all the information available for you to understand and fix the issue.




  • oce 🐆@jlai.lu to linuxmemes@lemmy.world · Debian security amirite? · 51 upvotes, 1 downvote · 3 months ago (edited)

    The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.

    “Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund wrote. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’” provided in recent updates. Those updates and fixes can be found here, here, here, and here. https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/

    That really sucks. This kind of thing can make people and companies lose trust in open source. I wonder if we will learn the reason behind that. I would guess the developer was paid a lot of money by some organization to risk ruining his reputation like that.