You keep using that term “mental gymnastics”. I’m not sure it means what you think it does.
this post was submitted on 03 Jun 2025
1434 points (99.3% liked)
linuxmemes
25504 readers
1379 users here now
Hint: :q!
Sister communities:
Community rules (click to expand)
1. Follow the site-wide rules
- Instance-wide TOS: https://legal.lemmy.world/tos/
- Lemmy code of conduct: https://join-lemmy.org/docs/code_of_conduct.html
2. Be civil
- Understand the difference between a joke and an insult.
- Do not harrass or attack users for any reason. This includes using blanket terms, like "every user of thing".
- Don't get baited into back-and-forth insults. We are not animals.
- Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
- Bigotry will not be tolerated.
3. Post Linux-related content
- Including Unix and BSD.
- Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of
sudoin Windows. - No porn, no politics, no trolling or ragebaiting.
4. No recent reposts
- Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.
5. 🇬🇧 Language/язык/Sprache
- This is primarily an English-speaking community. 🇬🇧🇦🇺🇺🇸
- Comments written in other languages are allowed.
- The substance of a post should be comprehensible for people who only speak English.
- Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.
6. (NEW!) Regarding public figures
We all have our opinions, and certain public figures can be divisive. Keep in mind that this is a community for memes and light-hearted fun, not for airing grievances or leveling accusations. - Keep discussions polite and free of disparagement.
- We are never in possession of all of the facts. Defamatory comments will not be tolerated.
- Discussions that get too heated will be locked and offending comments removed.
Please report posts and comments that break these rules!
Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.
founded 2 years ago
MODERATORS
still funny
Is this about XZ?
Meanwhile my NixOS install had a failure to mount an encrypted swap at boot costing me 1 and a half minutes of downtime on every boot that only took 30 seconds to fix but 6 months to get around to.
Immediately get noticed
Realistically, though, we are only aware of that one because it was noticed in that unlikely scenario and then widely reported. For all we know, most open source backdoors are alive and well in our computers, having gone unnoticed for years.
Evidence suggests this isn't the case.
We know of so many more closed source backdoors despite them being harder to notice in practice. Either before they became a problem or after they have been used in an attack. So we know backdoors can get noticed even without access to source code.
Meanwhile we have comparatively fewer backdoor type findings in major open source software, despite and thanks to increased scrutiny. So many people want to pad their resume with "findings" and go hit up open source software relentlessly. This can be obnoxious because many of the findings are flat out incorrect or have no actual security implications, but among the noise is a relatively higher likelihood that real issues get noticed.
The nature of the xz attack shows the increased complexity associated with attempting to back door open source. Sneaking a malicious binary patch into test data, because the source code would be too obvious, and having to hide asking the patch in an obfuscated way in build scripts that would only apply in theory under specific circumstances. Meanwhile the closed source backdoors have frequently been pretty straightforward but still managed to ship and not be detected.
Even if we failed to detect unused backdoors, at some point someone would actually want to use their backdoor, so they should be found at some point.
I'm not sure how you can provide evidence that one thing has fewer unknown unknowns than another thing.
By relative volume of the known things. It's not a guarantee, but it's highly suggestive that the more observable instances of something, the more not yet observed instances of the same thing are out there.
There are factors that can knock that out of balance, like not having access to source code making things harder to find, but those confounding factors would hide more on the closed source side than the open source side.
Yup.
But in open source it CAN be noticed, by anyone determined enough to dig into its side effects.
Proprietary software? You file a regression bug that startup takes 500ms longer, and it might get looked at.
Also, backdoors that are discovered in open source software improve automated software auditing.
Yeah, you open a bug like that in proprietary software and it will immediately get rationalized away as having no business case to address, likely with a person with zero direct development responsibility writing a bs explanation like the small impact was due to a number of architectural changes.
Speaking as someone with years of exposure to business managed issue handling.
500ms longer, and it might get looked at.
Why would you even lie to the poor fellow like that? 🤣 lol
load more comments
(2 replies)
Wait, that references something that actually happened?
edit This?
Yes, this particular incident.
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
In February 2024, a malicious backdoor was introduced to the Linux build of the xz utility within the liblzma library in versions 5.6.0 and 5.6.1 by an account using the name "Jia Tan".[b][4] The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution through OpenSSH on the affected Linux system. The issue has been given the Common Vulnerabilities and Exposures number CVE-2024-3094 and has been assigned a CVSS score of 10.0, the highest possible score.[5]
Microsoft employee and PostgreSQL developer Andres Freund reported the backdoor after investigating a performance regression in Debian Sid.[8] Freund noticed that SSH connections were generating an unexpectedly high amount of CPU usage as well as causing errors in Valgrind,[9] a memory debugging tool.[10]
Thats not really how open source works. If you use an open source tool like say, nano. It has been looked at and improved for many years by many people who have worked up an understanding of the code.
I realize that this can only be natively understood by a programmer.
What we (I) do when we work at open source projects is reading through the code for so long until we "get it". It means we start to understand what does what. If you want so change something, you must locate it, finding out what it is not. The chance that someone stumbles across something that then sparks a full blown investigation isnt that low. Of course you can hide something in extremely long and boring code but its alas automatically tested by most software shops.
In short: we dont do this since yesterday and opeb source is so many universes better than closed source is a truth that only a fool would disregard.
Are you sure?
All I'm saying is leftPad, if you still remember.
As a programmer I do not believe you when you claim that you read through all the code of all the libraries you include.
Especially with more hardcore dependencies (like OpenSSL), hardly anyone reads through that.
load more comments
(14 replies)
load more comments
(6 replies)
load more comments
(10 replies)
Also, many proprietary softwares rely on open source libraries. So unless they catch, patch, and do not contribute those fixes, proprietary will be at least as vulnerable as the oss they depend on.
load more comments
(2 replies)
Open source and proprietary software development have very different goals. Open source is generally about making software that's useful. Proprietary software's goal is to make money by any means necessary. Viewing it from that angle, open source devs and the community are more motivated to keep an eye out for backdoors. While proprietary software, they won't give a fuck until something affects their bottom line. Just because of that, I feel safer using open source software in general.
The sad part is is that you're right.
And the reason that it's sad is that most of the individual veneers on proprietary projects deeply about a project itself and have the same goals as they do with open source software, which is just to make something that's useful and do cool shit.
Yep, the business itself can force them not take care of problems or force them to go in directions that are counter to their core motivations.
load more comments
(1 replies)
This is why open source, total transparency, radical free speech and democracy is the one and only way. Because if there's even one little shadow there will be a scorpion hiding in it.
radical free speech
If that includes calling company money "free speech" (which the US does) I don't agree. I'm also not ok with holocaust denial and Naziism.
Second to last thing is punishable by fine in most of Europe, last one is… on the rise…
Company free speech is allowed, but there’s laws to keep them from being total asshats
Company free speech is allowed, but there’s laws to keep them from being total asshats
"Things" shouldn't have free speech - only people. It's just such a corrupt, dumb thing.
As a non-native English speaker, I’ve assumed it meant that companies can put anything they want in their contracts
No it's basically that companies can put money into politics.
There was a court case called the 'Citizens United v FEC' that ended up ruling in favor of corporations; It said corporations and organizations and unions can 'donate' as much money as they want to political candidates i.e. legalized bribery.
load more comments
(10 replies)
load more comments
(6 replies)
view more: next ›