Michał Górny

I suppose everyone and their grandmother is now using the xz/sshd exploit to further their own agenda, so I am going to take this opportunity to further mine as well.

1. #Autotools are a bad build system. If configure scripts are completely unreadable, there should be no surprise that people won't notice obfuscated malicious code in there, provided that everything else is obfuscated by design.

2. Static linking and vendoring are bad. Do you know why the prompt #security response was possible? Because we just had to revert to an older liblzma. We didn't have to check, patch and re-release hundreds of projects. It wouldn't be this easy with #RustLang and cargo.

3. You can blame #OpenSource for being underfunded and open to abuse in core system packages. However, no IT project can be resilient to a sufficiently powerful bad actor, and that it happened to xz is just an incident. Corporate projects aren't resilient to it, neither is proprietary, closed-source software.

So, embrace #Meson, embrace dynamic linking, embrace distribution packaging and donate to open source developers.

#Gentoo

4 comments
Haelwenn /элвэн/ :triskell:
@mgorny In fact I'm glad it was a fairly recent xz release, because otherwise we'd have to patch a ton of things, because de-vendoring is hard (e.g. the kernel isn't de-vendored, so some people checked its copy of xz).
Sebastian Meisel

@mgorny About the Open Source part: I cannot see how the attack would have been found had it been closed source. It's clearly showing that Open Source is working.

Benjamin Kwiecień 🇵🇸

@mgorny I built a project using meson once and it was pretty cool

Diego Elio Pettenò

@mgorny I'm the Autotools Mythbuster author and I endorse this message!

(Obfuscated malware in configure scripts has been a scare story of mine for a while, so funny seeing it happen in reality.)
