XZ Utils
-
Not sure whether this is a Leslie, but it looks serious enough: https://www.wired.com/story/xz-backdoor-everything-you-need-to-know/ Yet another case for Closed Source, isn't it?
-
It's an argument against big companies relying on OSS projects without sponsoring them. If there's only one maintainer, who's doing it in their spare time, and lots of angry people demanding "urgrentz!!!1!eleventy!" fixes, then the temptation to let someone else take over is going to be very strong. For example, this support ticket for FFMPEG. Nine days after posting it, some twerp from Microsoft decided to chase it, adding:
Quote:
Hi, This is a high priority ticket and the FFmpeg version is currently used in a highly visible product in Microsoft. We have customers experiencing issues with Caption during Teams Live Event. Please help.
The bug tracker is manned by unpaid volunteers, and Microsoft have refused to sponsor the project or pay for a support contract. :sigh: (I'd have been inclined to suggest they post their question on one of Microsoft's own myriad support/feedback systems, where getting a non-canned response within nine days would be a miracle! Either that, or tell them to try running sfc /scannow, some variant of dism, and if it still didn't work, to format and reinstall their computer and create a new user account. Because that's *always* the solution according to Microsoft!)
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
And it affects/affected only a tiny fraction of the Linux world - only "bleeding edge" releases. If anything, that is an argument for using LTS releases in production.
Software rusts. Simon Stephenson, ca 1994. So does this signature. me, 2012
-
If closed is compromised they have a bunch of reasons to never tell you. It's kind of amazing to me really that they were able to get even this far. They must've had some pretty good misleading commit messages. It's pretty slick... only building it into the release tarballs and not into the actual source. That bit is sexy even if your soul isn't as black as your hat.
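The detail above, that the payload rode in the release tarballs rather than in the repository, is the one thing in this thread a practitioner can actually test for before building. The following is an added example, not code from this thread or from the xz project: it indexes a release tarball and a tagged checkout by content hash and reports everything the tarball adds or changes relative to the tree. Both inputs are constructed in memory, and the allowlist of "expected" autotools outputs is an assumption you would tune per project.

```python
import hashlib
import io
import tarfile
from typing import Dict, List

# Files autotools normally generates at release time: present in a tarball but
# not in git, so "not in the tree" alone is not suspicious for these. This
# allowlist is an assumption for the example; tune it per project.
EXPECTED_GENERATED = frozenset({"configure", "Makefile.in", "aclocal.m4", "config.h.in"})


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def index_tarball(tar_bytes: bytes) -> Dict[str, str]:
    """Map every regular file in the tarball (top-level dir stripped) to its sha256."""
    index: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            # Release tarballs unpack into "<name>-<version>/"; drop that prefix
            # so paths line up with the checkout.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            fobj = tf.extractfile(member)
            if fobj is not None:
                index[rel] = _sha256(fobj.read())
    return index


def index_tree(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path of a source checkout (here held in memory) to its sha256."""
    return {path: _sha256(data) for path, data in files.items()}


def compare(tarball: Dict[str, str], tree: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify tarball contents relative to the tagged tree.

    modified      in both, but the bytes differ
    tarball_only  shipped but absent from the tree and not a known generated file
    generated     shipped but absent from the tree, and an expected autotools output
    missing       in the tree but not shipped at all
    """
    report: Dict[str, List[str]] = {"modified": [], "tarball_only": [], "generated": [], "missing": []}
    for path, digest in sorted(tarball.items()):
        if path in tree:
            if tree[path] != digest:
                report["modified"].append(path)
        elif path in EXPECTED_GENERATED:
            report["generated"].append(path)
        else:
            report["tarball_only"].append(path)
    report["missing"] = sorted(set(tree) - set(tarball))
    return report


def needs_review(report: Dict[str, List[str]]) -> List[str]:
    """Paths a human should read before the tarball is trusted as a build input."""
    return sorted(report["modified"] + report["tarball_only"])


def build_tarball(prefix: str, files: Dict[str, bytes]) -> bytes:
    """Build a gzip tarball in memory; stands in for a downloaded release."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample (not a real project): a tagged checkout, and a release
# tarball that adds a generated configure script (fine) plus a macro file the
# repository never had and a changed Makefile.am that ships it (not fine).
TREE = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "Makefile.am": b"bin_PROGRAMS = demo\n",
    "src/demo.c": b"int main(void) { return 0; }\n",
}
TARBALL_FILES = dict(TREE)
TARBALL_FILES["configure"] = b"#!/bin/sh\n# generated by autoconf\n"
TARBALL_FILES["m4/extra-build.m4"] = b"dnl constructed: exists only in the tarball\n"
TARBALL_FILES["Makefile.am"] = b"bin_PROGRAMS = demo\nEXTRA_DIST = m4/extra-build.m4\n"


def demo_report() -> Dict[str, List[str]]:
    tar_bytes = build_tarball("demo-1.0", TARBALL_FILES)
    return compare(index_tarball(tar_bytes), index_tree(TREE))


if __name__ == "__main__":
    r = demo_report()
    for key, paths in r.items():
        print(f"{key:13s} {paths}")
    print("needs review:", needs_review(r))
```

Against a real release you would feed index_tree the files of a checkout at the signed tag and index_tarball the downloaded archive. The allowlist only suppresses noise from files autotools is expected to emit; a stricter variant regenerates those files from the tree and diffs them too, since a generated file that exists only in the tarball is exactly where a build-stage payload can hide.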
-
Amarnath S wrote:
Yet another case for Closed Source, isn't it?
I would argue the opposite. Closed source backdoors just aren't found. Not like this dude was the first person to ever think of being sneaky. Edit: I should say, not against closed source for business use (if the business can be trusted), but for stuff like an OS or something the entire world uses (like AI) I think it's great.
Jeremy Falcon
-
Peter_in_2780 wrote:
If anything, that is an argument for using LTS releases in production.
Which is why I only use Debian for Linux servers.
Jeremy Falcon
-
Quote:
if the business can be trusted
And what is the measure of whom one can trust? ;) ;P :laugh:
-
Richard Deeming wrote:
For example, this support ticket for FFMPEG[^]. Nine days after posting it, some twerp from Microsoft decided to chase it, adding: Quote: Hi, This is a high priority ticket and the FFmpeg version is currently used in a highly visible product in Microsoft. We have customers experience issues with Caption during Teams Live Event. Please help, The bug tracker is manned by unpaid volunteers, and Microsoft have refused to sponsor the project, or pay for a support contract. :sigh:
That is appalling. I can well understand projects moving to not-entirely-open-source licences when companies can't understand paying for software without a price tag. I like the Clippy artwork that someone added below that: https://i.imgflip.com/8ldz0m.jpg
-
Wait, you're telling me someone who actually knows how to recognize security issues actually checked OS code? That has to be rare.
There are no solutions, only trade-offs. - Thomas Sowell
A day can really slip by when you're deliberately avoiding what you're supposed to do. - Calvin (Bill Watterson, Calvin & Hobbes)
-
Exactly.... I should probably put an asterisk beside that bit... :laugh: * You know what you get when you assume though?
Jeremy Falcon
-
Richard Deeming wrote:
and Microsoft have refused to sponsor the project, or pay for a support contract.
To be fair, Microsoft has 200,000+ employees. So there certainly is no single person keeping track of this nor making the decisions. And then, as far as it goes, who exactly made the request for support from Microsoft, and who refused it? I can see some very low-level manager just not wanting to fill out the paperwork.