Email or username:

Password:

Forgot your password?
All posts Evan's posts Post Back to profile
Top-level
Evan Boehs

boehs.org/node/everything-i-kn

I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.

#security #xz #linux

29 March at 19:06 | Open on social.coop
13 comments
Evan Boehs
Glyph

@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message mail-archive.com/xz-devel@tuka

29 March at 20:43 | Open on mastodon.social
Geoffrey Thomas

@glyph @eb I'm frustrated that big tech's efforts to increase core library security are "your project is too popular, you must use 2FA" and "the best reverse engineers in the world will find your bugs and put you on a 90 day disclosure deadline" and not "here is $100K/year and benefits to keep doing what you're doing at your own pace."

29 March at 20:48 | Open on mastodon.social
David Zaslavsky

@geofft @glyph @eb I'm certainly not disputing that it's a real problem that that doesn't happen more often, but isn't there some precedent for big tech companies hiring people to work on specific open source projects? So it's not totally unheard of

29 March at 20:57 | Open on techhub.social
Luis Villa

@diazona @geofft @glyph @eb there’s a lot of precedent for hiring maintainers of top-level programs whose brand (for lack of a better term) has reached the level of awareness of a C-level with a hiring budget. Collectively pooling money to help the projects C-levels have never heard of… has a much weaker track record. We’ve been trying to tackle it at Tidelift for a while and suffice to say I’ve definitely had a lot of “but it can’t happen to me” conversations.

29 March at 21:01 | Open on social.coop
Geoffrey Thomas

@luis_in_brief @diazona @glyph @eb Yeah that resonates with my experience. People like GvR get hired (which is great!) but there's a whole dependency stack underneath. Their maintainers often have a strong résumé to get hired for a normal big tech job at a company that uses the language/ecosystem/etc. but not necessarily for maintaining the project as their job. Sometimes the job is even "build something similar for an internal non-OSS ecosystem."

29 March at 21:15 | Open on mastodon.social
Glyph

@geofft @luis_in_brief @diazona @eb there are layers and layers to this. Famous maintainers get hired more than critical maintainers. And maintenance is important but how do you pay for the commons of *new* projects? The tidelift model gets us part of the way there, because these costs need to be aggregated and there needs to be some kind of oversight, but even if they were universally adopted (and that is far from true) there are so many missing pieces

29 March at 21:22 | Open on mastodon.social
Luis Villa

@glyph @geofft @diazona @eb “Famous maintainers get hired more than critical maintainers.” Owwwwwwww.

29 March at 21:34 | Open on social.coop
rugk

@eb not mentioned, is, AFAIK the story that xz has been proposed for the Linux kernel: hachyderm.io/@effigies@mas.to/

30 March at 0:34 | Open on chaos.social
rugk
Evan Boehs

@rugk that’s already noted, thanks for letting me know though :)

31 March at 0:50 | Open on social.coop
rugk
Evan Boehs

@rugk yeah I’ve seen that floating around for a while and I just haven’t had an opportunity to fully understand the implications of it

31 March at 0:55 | Open on social.coop
Go Up