A backdoor in xz
Posted Apr 2, 2024 16:12 UTC (Tue) by GNUtoo (guest, #61279)
In reply to: A backdoor in xz by rra
Parent article: A backdoor in xz
The issue here is the side effects. For instance, what would prevent companies from writing extremely widely used software with a poor security track record and trying to get money to fix things after the fact, when the design is bad, or when even more fundamental things than the design are bad (use cases that are impossible to secure, etc.)?
And if it somehow works, it could also produce very secure software that conflicts with freedom or other things we care about (like inclusiveness, keeping old hardware working, etc.).
A slightly better approach would be to look at the NLnet approach and somehow adapt it for improving security maintenance.
Micro-grants for short periods of time are probably not ideal for funding long-term maintenance, so that could probably be adapted/changed, along with the metrics used to decide when not to pay (it's probably easier to check whether a specific task is done than to assess the usefulness of maintenance tasks), but the fact that highly competent people decide what to fund and not to fund, and have a strategic vision for FLOSS, is probably something that we need.
This could avoid the most problematic perverse incentives, and the cost here would probably be the subjectivity of the people who decide what to fund or not to fund; having diverse people could help there, but probably won't fix everything.
But at least it would be better than the other models mentioned here before.
Posted Apr 3, 2024 13:17 UTC (Wed) by mathstuf (subscriber, #69389)
First, to me, would be the interesting question of how a "poor security track record" ended up "extremely used" with the regulation threat looming. Besides that… if it is FOSS, who says the company gets the contract? Even if not, there could be some source escrow (something I would love to see for "critical" software). Either way, a bidding process can help with prices. Allow the "core maintainer" entity to usurp the lowest bid with, say, 10% overhead if they want to do it themselves and retain "power", but that can help curb gouging at least. Also allow bids to create a compatible replacement. Not that procurement doesn't have collusion, greased hands, and other situations, but it is at least something familiar.