Hacker News new | ask | show | jobs
by lucianbr 195 days ago
How does anyone "control" an OSS project in the sense that you are talking about, so the ability to insert backdoors or activate kill-switches? Maybe Linus controls Linux, but can he "flick a switch and kill" any running kernels? He might be able to insert backdoors, but will they go unnoticed? Would anyone be forced to install them? Just patch the code to remove the backdoor.

I feel that you wrote some words that only seem to make sense if we don't think about them too much.
3 comments
LexiMax 195 days ago
> How does anyone "control" an OSS project in the sense that you are talking about, so the ability to insert backdoors or activate kill-switches?

A government can control a piece of open source software the same way a big tech company does - with economies of scale. In other words, by throwing more money, resources, and warm bodies at their open source projects than anybody else.

The code itself might be under an open license, but project governance is free to remain self-interested and ignorant of the needs of the "community."

Any pull request accepted from outside isn't a mutual exchange of developer labor for the benefit of all, but the company successfully tricking an outside developer into doing free work for them.

Any pull request that runs counter to the interests of the company can and will be ignored or rejected, no matter how much effort was put into it or how much it would benefit other users.

Any hostile forks are going to be playing a catch-up game, as community efforts cannot outpace the resources of most large companies.

link
notpushkin 195 days ago
As long as upstream is open source, forks can just keep syncing. At some point, the upstream will then usually switch to open core, or some sort of delayed open source, but often that leads to people leaving for the open forks, hopefully donating to them, too.

(Gentle reminder to subscribe to donate to a FOSS project or two that you use.)

link
LexiMax 194 days ago
Which projects are you referring to here?

Because in my experience, the projects that I can think of that switch to open core are those that are started by smaller businesses when a large multinational tech company starts to mess with their revenue streams.

In that case, I don't fault them in the slightest. As a matter of fact, I think these days it's now a sucker's bet to build a company around an open source product. Free software? Maybe. Source available or open core from the start? Possibly. A fully permissive license that in the outside chance my product is successful, suddenly puts me in competition with Amazon and Microsoft, so they can kill my business with my own software? Forget about it.

link
notpushkin 194 days ago
Yeah, I don’t fault them either. It’s a shitty situation to find yourself in. That said... they went with a permissive license, so they knew what they’re getting into.

I think the main reason they do that is because AGPL is a turnoff for a noticeable chunk of corporate users, and you do want those users. Dual licensing should work here in theory, and does work in practice for some – no idea why we don’t see it more often. (I have a project-not-quite-startup-anymore [1] under AGPL, but I do keep around a CLA for outside contributors just in case.)

[1]: https://lunni.dev/

link
rocqua 195 days ago
Linux is not a smart target. But OpenOffice, nextcloud, postfix, those are much easier targets for developer coercion to compromise widely installed software that is important for "linux on the desktop". Ah and ofcourse also the desktop environments, and perhaps systemD are all in a privileged position with much less eyes on.
link
al_borland 195 days ago
The thought was that the government would effectively become the largest employer of OSS developers who would then be compelled to follow directions or be out of a job. Would there be enough independent developers to review millions of lines of code, patch out any back doors, or fork and maintain an entirely separate projects, since none of the government protects can be trusted?

Could the government also dictate the operating system and software people use to make sure it is the state sponsored one? If I’m not mistaken some similar actions have happened in N Korea and China.

I’m not saying this is an inevitable outcome, but just trying to think of worst case scenarios. A lot of terrible things have started with good intentions.

link
p2detar 195 days ago
> Would there be enough independent developers to review millions of lines of code, patch out any back doors, or fork and maintain an entirely separate projects, since none of the government protects can be trusted

That’s not far from how it is right now in OSS, even without governments in the chain. For example: how the xz back door was found: https://en.wikipedia.org/wiki/XZ_Utils_backdoor

link
lolc 195 days ago
You're saying that a state can upstream patches with planted backdoors. Thruth is, this is possible in all software. It's not specific to state-sponsored open source software. So your scenario is a reality whether you want it or not. And open source is not particularily vulnerable either. People forget this.

Now a lot of people would be angry if my state decided to spend money on security flaws. I imagine an elected representative try to explain how they wanted to misspend funds allocated to improve software and plant flaws instead. That would not go down well here or in Germany. Try to hire people for this in Germany and see how long you last till your little op is public.

link