Free software's not-so-eXZellent adventure
Posted Apr 2, 2024 20:50 UTC (Tue) by pebolle (guest, #35204)
In reply to: Free software's not-so-eXZellent adventure by cen
Parent article: Free software's not-so-eXZellent adventure
Perhaps that will happen.
The scenario that I'd prefer is for the XZ software to be dropped everywhere. Its cost/benefit ratio is by now dismal. And also for its original maintainer to be told to switch to activities not involving software. Because his name will be tainted in that field forever.
Posted Apr 2, 2024 21:04 UTC (Tue) by corbet (editor, #1)
OTOH I would surely understand if he concluded that he wanted to switch to goat farming or something equally far removed after having had this experience.
Posted Apr 2, 2024 21:22 UTC (Tue) by pebolle (guest, #35204)
Being not particularly sharp I could certainly fall prey to such a campaign.
The point is that Lasse Collin was a maintainer of a project that was subjected to an exceptionally serious exploit. Isn't that enough to tell him to shift his spare time activities?
Posted Apr 2, 2024 21:33 UTC (Tue) by Wol (subscriber, #4433)
In that case, shouldn't we ALL drop working on Linux and move to other activities - ESPECIALLY YOU, seeing as you admit you would easily fall prey to a similar attack?
Have you heard the saying "once bitten, twice shy"? I'd actually think Lasse SHOULD work on more similar projects, if he wants to - he's unlikely to get caught the same way twice. Although if he did want to give up, I wouldn't be surprised.
At the end of the day, punishing people for making mistakes is extremely counter-productive. Let's not go there ...
Cheers,
Posted Apr 2, 2024 21:33 UTC (Tue) by Sesse (subscriber, #53779)
Why? “I don't want unlucky maintainers”? Or would you tell basically everyone in the FOSS world who would plausibly have fallen for the same ruse to do the same? (There wouldn't be a lot of maintainers around then.)
Posted Apr 2, 2024 21:53 UTC (Tue) by pebolle (guest, #35204)
I don't want maintainers publicly declaring their incapability to maintain their project (because of "mental health issues").
> Or would you tell basically everyone in the FOSS world who would plausibly have fallen for the same ruse to do the same? (There wouldn't be a lot of maintainers around then.)
If they had fallen for the same ruse the honourable thing would be to say: "I messed up big time. I'm sorry. I won't be doing FOSS any more."
Posted Apr 2, 2024 21:57 UTC (Tue) by mb (subscriber, #50428)
This is really uncalled for.
Posted Apr 2, 2024 22:00 UTC (Tue) by Sesse (subscriber, #53779)
Why?
> If they had fallen for the same ruse the honourable thing would be to say: "I messed up big time. I'm sorry. I won't be doing FOSS any more."
So will the world be better off for that? Do you think the average security of FOSS packages will increase if the xz maintainer goes away? Who should maintain the package in their stead? And how do these standards differ from e.g. zlib's situation? (zlib was recently de facto supplanted by zlib-ng, led by a virtually unknown maintainer. I happen to know them and know that they are trustworthy, but how would you distinguish them from Jia Tan without that knowledge?)
Posted Apr 2, 2024 22:04 UTC (Tue) by corbet (editor, #1)
How about we stop here; you've said your piece, and it is quite clear that others disagree with you. I suspect that discussing this idea further will not bring much joy to anybody.
Posted Apr 2, 2024 23:22 UTC (Tue) by viro (subscriber, #7872)
Note: I've no idea what condition Lasse had, but your claim is generic enough to have the above fit it. And when read that way, you do come across as a really vile piece of work. Self-righteous references to honourable behaviour and lovely uses of passive voice ("be told ...") only strengthen that impression.
Posted Apr 3, 2024 10:40 UTC (Wed) by farnz (subscriber, #17727)
Would you prefer that the maintainer hid their issues, and was blackmailed by a malicious entity into putting their code in place for them, hiding the very existence of Jia Tan?
That's the alternative direction that you're opening up if maintainers can't talk about their problems without being forced to stand down - and I contend that it's worse to have a maintainer open to blackmail (so we cannot, after the fact, determine how far back we need to go in the commit history to predate the malicious comaintainer) than to have a malicious actor obtain comaintainership under their own identity (where we can at least assume that while Jia Tan's changes must be treated as probably malicious, the previous maintainer's commits can be treated as well-intended).
Posted Apr 2, 2024 21:39 UTC (Tue) by mb (subscriber, #50428)
No? What is wrong with you? Seriously?
Posted Apr 2, 2024 21:49 UTC (Tue) by chris_se (subscriber, #99706)
So anybody who ever trusted the wrong person should be seen as a pariah? And in your eyes that should last forever? I'm just speechless at this horrible view of the world you are espousing here.
Posted Apr 2, 2024 22:06 UTC (Tue) by pebolle (guest, #35204)
My horrible view of the world is that if you screw up big time, and yes, this is screwing up big time, you take responsibility. In this case by retracting from this field.
Posted Apr 3, 2024 0:10 UTC (Wed) by JoeBuck (subscriber, #2330)
That's a foolish way to manage people. Someone who's been burned by such a sophisticated operation is more likely to be cautious in the future than some arrogant person who is convinced that he cannot be conned, and the project needs a capable, experienced maintainer.
But ideally he'd get help from someone who is paid by a company that depends on this library. Probably 20% time would suffice to take the load off, and the employer can vouch for the person.
Posted Apr 3, 2024 5:57 UTC (Wed) by ebee_matteo (subscriber, #165284)
Fun fact! 80% of businesses fail within 20 years.
https://clarifycapital.com/blog/what-percentage-of-busine...
If 80% of business owners who have "screwed up" to the point of closing down then also "retracted from the field", I don't think humanity would get much done.
My point goes with the old adage: errare humanum est. Learning from one's mistakes is what matters.
As a FOSS contributor and maintainer with a treatable mental illness, and having known a great many people in the same situation over the years, I take deep exception to your stance.
Maybe showing empathy and understanding that it is hard for one person to contrast state-sponsored attempts spanning years (look at SolarWinds too, Cisco WebEx, Zoom...) would mean less time spent on forums, and more time doing code reviews.
The real problem is that everybody uses FOSS software even for commercial products, but very few companies invest time to contribute back, especially when it comes to security reviews.
Therefore, I would like to applaud Collin for his courage to state his condition publicly and being so transparent about it.
If you are reading this, a big hug goes out to you! You are not alone!
Posted Apr 4, 2024 2:40 UTC (Thu) by draco (subscriber, #1792)
Posted Apr 5, 2024 7:57 UTC (Fri) by LtWorf (subscriber, #124958)
Posted Apr 4, 2024 16:54 UTC (Thu) by jschrod (subscriber, #1646)
You should "shift your spare time activities" to something else.
Posted Apr 2, 2024 22:15 UTC (Tue) by cesarb (subscriber, #6266)
> Perhaps that will happen.
It's already happening, and it's been happening for a while, independent of the present events.
The reason is the existence of ZSTD, which at its higher settings has nearly the same compression ratio as XZ, but with much better decompression speed. Many uses of LZMA/XZ have been gradually migrating to ZSTD; newer uses will probably skip GZIP and LZMA and go straight to ZSTD.
Of course, compatibility means that an LZMA/XZ decoder will still be necessary for a long time, for things which had used an LZMA/XZ encoder in the past (and this includes systemd, for its journal format, since users might still want to read log files which were encoded using LZMA, even when newer logs are being written using ZSTD).
Posted Apr 2, 2024 23:44 UTC (Tue) by cozzyd (guest, #110972)
I think that is somewhat harsh with regard to Lasse Collin. Perhaps you are sharp enough that you would never fall prey to a focused social-engineering campaign like that; I'm not at all sure that I am.