if you're looking at the lzma thing and trying to figure out if you should be concerned, and if you can do anything about it:

the answers are definitely yes, and probably not much, respectively

this is one of those 'off the charts' sorts of scenarios, because the impact isn't just the vulnerability itself (a remote ssh backdoor on some systems), it's that it was seemingly inserted intentionally into this library which exists on every linux distro by one of the maintainers of the library, in signed commits, with very thorough attempts to obfuscate it, and with what appears to be active efforts to mask side effects when they were noticed.

so even if your system did not fit the criteria that we believe are necessary to trigger that backdoor and/or you have reverted to an older version that didn't have the final piece, you are still running code written by the person who intentionally added that backdoor.

i received a DM earlier. i am not going to call out the person who DM'd me, but i am going to publicly share my response, because it is important. the context is @drewdevault@fosstodon.org's blog post earlier today about RMS. the person DMing me suggests for the "proper" place for this discussion was in the FSF channels and with RMS himself.

my response is this, verbatim:


"no. if we cannot discuss issues like this in places not directly controlled by the people at the root of the issue - e.g. in this instance, RMS and people sympathetic to him - then the reality is that we cannot discuss them at all.

we cannot restrict the discussion of difficult topics to forums controlled by people who might rather not have those topics talked about. there is a power imbalance, whether or not that power is used.

is free speech still free speech if, whether by rule or by cultural norm, you are only to criticize a king from within his castle, surrounded by his guards, with only the audience of himself and those who have chosen to be in that environment? even if the guards take no action against you, and allow you to freely speak your mind, there is no question in that situation that you do not hold the power, and you are at the mercy of those who do.

and, ever so frequently, they do exercise the power to silence or eject you, and if we do as you suggest, you are left with no acceptable avenue in which to exercise your right to speak.

you must be able to criticize the king in your home, or in the tavern, or on the streets, or wherever you choose, in places where his guards have no power. you must be able to do this with other people who would not have chosen to subject themselves to the king's court. you must be able to loudly proclaim his faults, so that those who would never have had reason to find themselves in his castle may hear, and understand.

the king will not dethrone himself because someone entered his court and made a good point. he will dethrone himself because crowds of people outside his court are making their opinions known, and he knows that if he does not, the castle he worked so hard to build will fall with him inside."

open source software projects and standards organizations need more people willing to say "no. fuck you" to corporate entities, sponsors, and other bad actors putting on a polite face.

i think the reason linux works so well is precisely because the maintainers will happily tell a corporation off and reject huge amounts of work out of hand, if they aren't actually making things better. much as they may try, you cannot buy your way into making linux do something for you. you can buy insurance that it will continue to exist, and you can buy labor to submit improvements that benefit you, but your money will not afford you any lenience, and it will not direct attention to your own goals

i wish i could see more of the same elsewhere

remember folks: tech is politics. you cannot keep one out of the other. they are inseparable.

the technical problems you choose to solve, and the way you choose to solve them, are an expression of politics.

building open source software indicates that you think information should be free, which is a political stance. building closed source software indicates that you think information should be controlled, which is a political stance.

building software that discriminates against people of color is a racist action and reflects upon you as such, regardless of your intent in building that software (hint: that's how racism works everywhere else, too)

building software which can be used to remove control from the masses and give it to corporations and rich people, indicates that you think that corporations and rich people should amass power, and regular folks should not have freedom.

it does not matter if a company for whom you work paid you to do that thing, or if your intentions were good, or if you were only trying to see if a particular technical challenge could be solved. technical problems are political problems. business needs and decisions are political ones.

if there is a mismatch between the politics you express via your actions, and those you express via your words, the actions are the ones people will care about, not the words. you cannot fix bad actions by saying good words.

do good actions.