but also what the xz debacle shows: open source software is really hard to secretly backdoorbecause some rando will be like “huh, this command is taking 0.5 seconds longer than it used to, let me check what’s going on here”like can you believe that tha...

skye@toot.cat

people actually do that. if the code is available, they are going to look at it for any number of unpredictable reasons.

skye@toot.cat

@quasar how so?

quasar@social.translunar.academy

@skye like, most engineers that arent red hat, microsoft whatever would see a 100x increase in latency and think "whatever, not my problem, im not paid enough for that"

irenes@mastodon.social

@quasar @skye it was one of the core postgres people, so probably also just an unusually diligent person on all fronts

quasar@social.translunar.academy

@irenes @skye huh, i thought it was some red hat person

irenes@mastodon.social

@quasar @skye that was the first public announcement of it, early this morning, but the discoverer tooted about it shortly after

irenes@mastodon.social

@quasar @skye behind the scenes the postgres person realized this was an inside attack of some sort and ignored the usual practice of reporting the bug to the xz project, instead reporting it to security people at distros (presumably mostly redhat), so that disclosure could be handled in a coordinated way. that was a particularly sharp move.

irenes@mastodon.social

@quasar @skye we're tired though, please don't take our word on details of this nature right now. we were very careful about fact check on our remarks earlier today but it's been a long day and we can't keep that up forever...

skye@toot.cat

@irenes @quasar oh what’s their @?

irenes@mastodon.social

@skye @quasar https://mastodon.social/@AndresFreundTec/112180083704606941

skye@toot.cat

oh god my point is not “open source always secure” it’s “open source much harder to secretly backdoor than closed source”