XZ

Ahh, it's that beautiful spontaneous time of year. A major public security incident has occurred in opensource. All of the epidemiologists of 2020 suddenly emerge from their chrysalis once more as a beautiful incarnation of a security expert. The hot takes flow more freely than cocaine at a Liberal party event. My share portfolio doubled in value due to taking a long position on popcorn futures.

It's now been nearly 2 weeks since this glorious event, and the hot takes have started to settle.

Some of these include, but are not limited to:

  • The original maintainer burnt out, so we should pay maintainers through some kind of sovereign fund (but don't say tax, that's a bad word).
  • Automake should be shot into the sun because it's so easy to hide backdoors in it.
  • There need to be more code reviewers in opensource, that would have caught it.
  • We have normalised abuse in opensource, so no alarms were raised when sock puppet accounts abused people.
  • C is bad, so we should all use Rust, even though I'm pretty sure we could just stuff unlabeled binaries into Rust just as easily.
  • That we need more regulation of opensource projects.
  • Systemd was the cause of the issue since it was linked for sd-notify (and the documentation of how to do this with a unix socket is a one line footnote which no one can find, forcing developers to link to libsystemd in the first place), meaning we should renew calls that systemd is bad.

The clownshoes award certainly goes to this take though

  • Somehow the redis license change caused this and was a warning ahead of the XZ incident?

Or my favourite, absolutely nuclear take:

  • GPG would have prevented this by having the new maintainers ID verified by keysigning parties.

But I realised I have my own blog. So it's time for me to post my hot take.

🔥

Our industry is so immature, that people think there is one magic root cause that can be fixed, rather than admit there are multiple contributing factors.

Incidents like XZ don't happen due to a single cause. They are a series of failures that range from social to technical, and this combination of factors led to the events that transpired.

And yet, we reward people who stand up and yell their single hot take, as though if this one person's emotional outburst was accepted universally we would resolve all problems and our world would leap ahead in time by decades.

We reward this thinking because it's easy. It's a clear, simple and emotional message that cuts through. (I'm sure it does good things for the author's ego as well when clicks flow).

But our world isn't simple. There isn't one magic cure.

As an industry we need to stop looking for root causes.

We need to look at all the contributing social and technical factors, and address them all even if they are just incremental steps. Because as we improve each of these small parts, the whole of opensource improves.

Except GPG. That key signing party goop is just copium, and wouldn't solve anything.