by jdsalaro 804 days ago
> Just because you don't get paid for it doesn't mean it's not an incredibly valuable part of your contribution to the good of your neighbors. Keep up the excellent work, everyone.

Precisely, I truly do not understand how these people witness a potentially catastrophic event of such proportions and instead of asking "dear God, I wonder how many backdoors there are in the Windows operating system that we don't know and will never find out about!?! Thankfully Linux and its ecosystem can be somewhat audited!". Instead they go full blown "please make it go away, if it's visible by us it means it's terrible and dangerous! FOSS is insecure!"

I've said it once[1] and I'll say it again: FOSS delivered both on its pitfalls and its strengths.

Moreover, and I'll never get tired of repeating this:

Although this might indeed be a FOSS-exclusive or FOSS-adjacent kind of risk that ultimately materialized, as some would like to call it, it’s nevertheless also an issue where checks and balances that are only intrinsically possible in FOSS worked as expected and needed. Yes, there was an element of luck in the discovery of CVE-2024-3094, but it is undeniable that source code availability and other FOSS customs tipped the scale in the community’s favor.

[1] https://jdsalaro.com/note/xz-liblzma-linux-backdoor-foss-pit...

2 comments

> Instead they go full blown "please make it go away, if it's visible by us it means it's terrible and dangerous! FOSS is insecure!"

The cynic in me fears this is how a large part of politics operates:

A lingering problem that is highly visible is bad: Then the public is expecting you to find a solution, and if you don't, it will reflect negatively on your public image, chances of reelection, etc.

In contrast, a massive crisis or catastrophe that occurs (seemingly) out of nowhere is actually good (as long as you aren't affected yourself), because it allows you to appear as the hero, rally people behind a common cause, access a massive amount of additional resources and funding, push through bills for completely unrelated political goals as long as you can somehow relate them to the catastrophe, etc.

This means there is a massive political incentive to push problems under the rug: As long as no one knows the problem is there, all is fine - and if the problem should unexpectedly blow up, that's fine too, because then there will be a "crisis" that you can politically benefit from.

And then some enterprising <insert enemy here> compromises all your infrastructure with a bug they found and nobody else spotted.

The visible bugs get fixed. Invisible ones get used and exploited.

But open sourceness in no way contributed to this being found, it was not in the source code.

If something like this happened in Windows, it could be found in the same way, and the culprit could be identified and charged with crimes.

Just take the L for FOSS instead of trying a UNO reverse card

> But open sourceness in no way contributed to this being found, it was not in the source code.

Where was it? The explanation I saw included obfuscated code?

Disregard the comment you're replying to, they're either misinformed or deliberately inaccurate in their assessment.

The backdoor consisted of a combination of publicly visible code and binary blob test files available in the project's repository, as well as obfuscated build scripts which were contained only in the released tarballs, tucked away, but which were nevertheless also publicly accessible, decompressible and auditable[1].

[1] https://gynvael.coldwind.pl/?lang=en&id=782
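The two components named in the comment above, opaque fixtures that live in the repository and build scripts that exist only in the shipped tarball, are exactly what a reviewer who reads the git tree alone never sees. The following is an added example, not code from the thread or from the xz project: it compares a release tarball's file list with the matching git tag's file list and separates routine generated autotools output from build-time scripts that have no counterpart in the repository. The file names, the pattern lists and the sample trees are all constructed for this example.

```python
"""Compare a release tarball's file list against the tagged source tree.

Added example (not from the thread or the xz project). All file names,
pattern lists and sample trees below are constructed for illustration.
"""
import fnmatch
import posixpath

# Heuristic patterns for files that execute at build time (an assumption of
# this example, not a standard list).
BUILD_SCRIPT_PATTERNS = ("configure", "*.m4", "*.ac", "*.am", "*.in", "*.sh", "Makefile*")

# Autotools outputs normally generated at release time, so expected to be
# tarball-only; a thorough review still regenerates them and diffs the result.
EXPECTED_GENERATED_PATTERNS = ("configure", "*.in", "aclocal.m4", "config.guess",
                               "config.sub", "install-sh")

# Binary fixtures that a human cannot review by eye.
OPAQUE_FIXTURE_PATTERNS = ("tests/files/*", "*.bin", "*.xz", "*.gz", "*.lzma")


def _matches(path, patterns):
    """Match either the full relative path or its basename against patterns."""
    base = posixpath.basename(path)
    return any(fnmatch.fnmatch(path, p) or fnmatch.fnmatch(base, p) for p in patterns)


def strip_top_dir(entry):
    """Tarballs nest everything under 'name-version/'; drop that prefix."""
    parts = entry.split("/", 1)
    return parts[1] if len(parts) == 2 else entry


def classify(path):
    """Label a path by how much scrutiny it deserves in a release review."""
    if _matches(path, EXPECTED_GENERATED_PATTERNS):
        return "expected-generated"
    if _matches(path, BUILD_SCRIPT_PATTERNS):
        return "build-script"
    if _matches(path, OPAQUE_FIXTURE_PATTERNS):
        return "opaque-fixture"
    return "other"


def compare_release(tarball_entries, repo_paths):
    """Return tarball-only paths (classified), repo-only paths, and every
    opaque fixture present in either tree."""
    tarball = {strip_top_dir(e) for e in tarball_entries}
    repo = set(repo_paths)
    return {
        "tarball_only": {p: classify(p) for p in sorted(tarball - repo)},
        "repo_only": sorted(repo - tarball),
        # Fixtures present anywhere: bytes nobody reads during code review.
        "opaque_fixtures": sorted(p for p in tarball | repo
                                  if classify(p) == "opaque-fixture"),
    }


def review_findings(report):
    """Tarball-only paths that run at build time and are not routine
    generated output: the first things a reviewer should open."""
    return [p for p, kind in report["tarball_only"].items() if kind == "build-script"]


# Constructed sample data: the file list of a git tag and of its tarball.
REPO_TREE = {
    "src/main.c", "src/util.c", "configure.ac", "Makefile.am",
    "m4/ax_pthread.m4", "tests/test_main.c",
    "tests/files/good-1.bin", "tests/files/bad-corrupt.bin",
}
TARBALL_ENTRIES = {
    "proj-1.0/src/main.c", "proj-1.0/src/util.c", "proj-1.0/configure.ac",
    "proj-1.0/Makefile.am", "proj-1.0/m4/ax_pthread.m4",
    "proj-1.0/m4/build-helper.m4",   # constructed: present only in the tarball
    "proj-1.0/configure", "proj-1.0/Makefile.in",  # routine generated output
    "proj-1.0/tests/test_main.c",
    "proj-1.0/tests/files/good-1.bin", "proj-1.0/tests/files/bad-corrupt.bin",
}

if __name__ == "__main__":
    report = compare_release(TARBALL_ENTRIES, REPO_TREE)
    for path, kind in report["tarball_only"].items():
        print(f"tarball-only  {kind:18} {path}")
    for path in report["opaque_fixtures"]:
        print(f"opaque        {'fixture':18} {path}")
    print("review first:", review_findings(report))
```

On a real release the two inputs come from `tar -tzf` on the tarball and `git ls-tree -r --name-only <tag>` on the repository; the expected-generated bucket is where regenerating `configure` from the tag and diffing it against the shipped copy belongs, since a list comparison alone cannot tell a legitimate generated file from a modified one.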

It was hidden in tests, so it didn't appear if you pressed the "download source" button and built it yourself / started crawling through each line of code, iirc.

In some sense, the exact specifics of the attack were discovered because the norm of open source is even more open than the GPL and co. require.

So discovering the exploit absolutely depended on FOSS. If the vulnerability was in an Oracle product, nobody outside Oracle would have access to their tests (and publishing the bug would be a legal issue).