
Free software's not-so-eXZellent adventure

Free software's not-so-eXZellent adventure

Posted Apr 2, 2024 17:35 UTC (Tue) by willy (subscriber, #9762)
Parent article: Free software's not-so-eXZellent adventure

I don't think it's just a matter of guarding against Evil Comaintainers. There's a big assumption in our processes that the Founder of a project is trustworthy. It's worked fairly well so far because, well, most people are fundamentally good. But good people can be turned (gambling debts, moral hazards, appeals to patriotism).

Agreed that Free Software is in no worse a situation than Binary Software, so there's no reason to grumble about the development model. Arguably it's the responsibility of the distributions to get changes coming from upstream, but realistically there isn't the developer time to do that (can you imagine trying to verify all the changes between gcc-11 and gcc-12?)

I don't have a solution here. Just agreeing that there are a lot of attack vectors.



Free software's not-so-eXZellent adventure

Posted Apr 4, 2024 5:56 UTC (Thu) by rgmerk (guest, #167921)

> There's a big assumption in our processes that the Founder of a project is trustworthy. It's worked fairly well so far because, well, most people are fundamentally good. But good people can be turned (gambling debts, moral hazards, appeals to patriotism).

Indeed, founders are people subject to the full range of human frailties. To take an extreme but pertinent example, Hans Reiser's crime may not directly relate to his software contributions, but it was heinous.

I don't have a solution either, other than the general observation that single points of failure are bad and to be avoided if at all possible.

