This, each company needs to take some amount of responsibility for the stack that they use. A company that I worked for, sponsored upstream maintainers, sometimes for implementing specific functionality, sometimes without any specific goal. If more companies did this for their open source stacks, open source development would be much better funded.

Of course, it will always be hard to detect very sophisticated attacks from actors that can play the long game. But if maintenance is not just a hobby, PRs can receive more attention, and if it's not an added workload besides a day job, there is less churn/burn-out which can be used for malicious actors to take over a project.

Agreed, 100%. And yet: In a comment on Slashdot one guy said that his company had "thousands" of machines running Linux, and he was "proud" to have never paid a penny for it. I called him a parasite: open-source brings an immense value to his company, and he should support it.

My comment got a lot of hate, which I just don't understand. Sure, OSS licenses say you can do whatever you want. However, there is surely some ethical obligation to support something that your entire business depends on?

I don't agree with “usually” there, I think it is an exception rather than the rule.

Where it happens, it tends to be higher profile, top-level, visible, projects that get this treatment from the commercial bodies that rely on them. The smaller projects that they might depend upon are likely to stay less visible, less thanked, and unsupported by those using them (directly or indirectly). What has happened with xzutils is a very good example of this and the potential dangers the situation poses.

I don't know how we should address this. It certainly isn't the responsibility of people like Collin to address, unless of course they want to take on that responsibility.

> if there isn't enough demand or support they simply stop working on it and that's it

Sometimes even if there is enough demand they stop, as is their right, when other priorities come up in their life (or they simply lose interest). A “community” using their stuff does not, and should not, automatically make them beholden to that community.

Honestly the problem feels Like it is capitalism itself … which is weird.

Thus if the license says ‘you don’t have to pay money to use this, nor do you have to do anything at all’ it’s no wonder it gets used for nothing in return. Stallman was obviously right with the GPL keeping the source free instead of end users.

Of course HN is not the place to discuss politics so in some way it is probably for the best that these questions remain unanswered. It would be better still for those muhhh capitalism - and for that matter muhhh whatever-ism - remarks to remain unwritten since they are not supposed to be discussed here anyway.

[1] e.g. https://news.ycombinator.com/item?id=39866101

This is the purpose of licensing and you're describing a failure in the popular licenses that were popularized by the FSF and similar groups.

We have been indoctrinated. It is not always appropriate to give away your source code for free to everyone, and corporations without the moral qualms that individual developers have are happy to take advantage of their naive licensing.

We, as developers, need licenses that are less liberal, such that when corporations use our code, we are properly compensated for the value we have provided to them.

I think this means a deep rethinking of how we license software, and reopening ourselves to the possibility that proprietary licensing is not always bad.

I wrote a little article about that: https://littlegreenviper.com/miscellany/problems-and-solutio...

This is good but I don’t think it’s enough to cover stuff like this which is deep in the stack and probably doesn’t have enough demand to warrant the trouble of direct funding (thinking of how many organizations make it easier to buy a $50k support contract than a $50 open source donation). I’ve been wondering if you could get companies to pay to something like the Linux Foundation, Apache, etc. for a general maintainer group tasked with basically taking something like Debian’s popcon and going down the list of things which aren’t well-established projects to pick up maintenance work.

There could be a lot of variables to the rating, like the size of the team, the language, the testing methodology, etc.

The board would need to be supported by end-users, and big steps would need to be taken to ensure true independence.

It would have to be carefully done, though, and likely immensely unpopular with the HN crowd.

> Size of team

3, with no outside contributions accepted into the core.

> The language

C

Those two, presumably, would end up being heavily weighted towards having a low score.

> Testing methodology

Here they’d probably get some points back based on their ~10:1 test lines vs code ratio.

Just because the kidz doan' like it, does not mean it's bad.

1 is the loneliest number (have to be an old fart to get that), but big teams can be a problem (Camel is a horse designed by committee). I'd say the experience and track record of the principals are a big factor (see "Linux" and "Git").

3 people are easy to evaluate, have been on the project forever, and presumably know what they`re doing.

C shouldn`t be a problem per se -- again, it`s been around a lot, and while it makes it easy to bork pointers, it`s not a meme language that we don`t know much about

This would probably ruffle too many feathers from the GNU old-timers, but I really dont see any other option. We are way past the tinkering-in-the-basement days of Linux/BSD hackers when most of us just wanted a cheap Unix box to play around with or to avoid Windows. A massive percentage of the civilian (and other) infrastructure is built on the shoulders of unpaid hobbyists. There is already massive liability at the social and corporate level. Time to deal with it.

EDIT: Ok, sounds like I have to describe this better: 1) you (governments) force commercial providers to assume liability for security issues and exploits and force disclosure, etc, 2) their insurance premiums go up, 3) to reduce premiums they only use checked/secured software, 4) that means maintainers of at least the critical pieces of software get paid via the (new) channel of risk reduction. Doesnt apply to all OSS, doesnt even apply to all distros. But it creates an audit trail and potentially actual compensation for maintainers.

As for throwing money at the maintainers, honestly, it’s complicated. A lot of people aren’t doing open source work for the money. Money too often comes with strings, requirements to prioritize what the funder wants to prioritize, pressure to perform consistently, it becomes an actual job.

Not only does this turn off a lot of the types of folks who make the best contributions to these projects, but it bends the priorities toward what would make the most money for the funder. And as this article points out, real security investments often fall by the wayside when profit is involved.

So yes, companies should encourage their workers to contribute to these projects, donate money to the foundations that fund them, hire important maintainers and give them carte blanche to work on open source. But we have to be careful. Making it all completely transactional is directly contradictory to what drives a lot of the contributions.

Yes, the devil is in the details, but I think the basic concept is worth exploring

In that particular project, we're all just Paying It Back (not forward), but other projects could likely benefit from the participation of Grumpy Old Farts.

And obviously a non-insured piece of code that assumes no liability whatsoever can still be free and maintained via IRC, same as it ever was. I dont see how this "kills all open source".

This is an attempt to shift costs onto open source developers. Which, aside from being totally unjust, won't work. There's a legal expression "you can't squeeze blood out of a stone". Shifting costs onto people that can't carry those costs doesn't work for the same reason supporting a skyscraper with a toothpick doesn't work. The toothpick breaks, and when the skyscraper lies collapsed on the floor, nobody blames the toothpick. Hell, they might say the toothpick was heroic: trying to save the situation, sacrificing itself, screaming, and when nobody helped, not the government, not the owners, not ... the building collapsed and all the damage was done.

But it's even more stupid than just that. As soon as this gets introduced, and some company makes a security fix. They of course, for GPL or AGPL software, have to release their fixes. This will then make them liable for any other security problems in that same software. After all, they'll be the last ones releasing that software after the government implemented this law.

So how will you even do this, without making software fixes effectively illegal? Achieving the exact opposite of what such a law tries to achieve ... But of course, you can't have this discussion with people just looking to keep "their" free stuff but trying to shift the rest of the costs.

Second HN story from the link above, Dec 2023, https://news.ycombinator.com/item?id=38787005

  The Debian project has completed a general-resolution vote, adopting a statement expressing concern about the Cyber Resilience Act (CRA) pending in the European Union.

  Even if only "commercial activities" are in the scope of CRA, the Free Software community - and as a consequence, everybody - will lose a lot of small projects. CRA will force many small enterprises and most probably all self employed developers out of business because they simply cannot fulfill the requirements imposed by CRA. Debian and other Linux distributions depend on their work. If accepted as it is, CRA will undermine not only an established community but also a thriving market. CRA needs an exemption for small businesses and, at the very least, solo-entrepreneur.

But we (mostly) don't even pay open source developers to write the code ... who is offering to pay them for this insurance?

Besides, this was a highly sophisticated actor. Someone willing to create several layers of loaders and invest long amounts of time into getting xz excluded from certain checks. Anyone with such sophisticated spy craft could have fooled the insurance companies also.

On the other hand, you can already buy software, where the vendor takes some kind of liability: just buy Windows, AIX, or one of the commercial Linux offerings. Same for software libraries: there are commercial offerings that come with (limited) liability from the vendor. It’s even possible to create software to stronger standards. But outside of some very specific industries (aerospace, automotive, nuclear, defense, …) there doesn’t seem to be a market for that.

We’d still be using MS-DOS.

Yes I know the stories of “insurance made steam boilers safer”. And it’s true. But it also stopped innovation in the space before Charles Parsons came along and ignored the whole thing (military industrial aristocracy)

I think the answer sits somewhere in “have less stuff”.

We have millions of lines of code in all walks of life and Inswear we are orders of magnitude over engineered in almost all cases.

If you work for a large company try counting how many different ETL solutions exist, CSV uploaders, data lakes, warehouses and so on

Then imagine having one library to do it.

Somehow we need to get there for … everything

The closest metaphor is cars I think. And yes you can argue that innovation in cars has slowed down but also a 'minimum floor' of safety and efficiency forced by governments and insurers has made new entrants more likely. I.e. you shouldn't need to only trust Oracle, SAP with your business because then, erm, you'd have exactly the current situation in enterprise software...

Ok, I can blow your mind.

You can start your own software projects and offer them with warranty. And people can join you, if they want.

Certainly not for a few € of donations.

Isn't that pretty much the way the world works now? What needs to be fixed?

For the past 10-15 years there has been a strong culture of never writing code when a library on GitHub or NPM already exists, which has, in large part, contributed to this. In many cases using existing battle tested code is the right thing, but it was taken to an extreme where the avoidance of pulling down a bunch of random open source packages with questionable stability and longevity was often maligned as not invented here syndrome.

Now many of those packages are unmaintained, the job hopping SWEs who added them to the codebase are long gone, and the chickens are coming home to roost. The pendulum will probably swing too far in the other direction, but thoughtful companies will find the right balance.

“…comes as-is, without warranties and without any commitment for future work. Complaints will get your feature request deprioritised, may get you banned, and will look silly to any potential employer googling your name”.

Also, let’s make it a meme to call out unreasonable behaviour: stop Jigar-Kumaring!

This wouldn't be entirely without downside though, as there could be a risk that the project ends up getting steered by whoever has the most money, which may be at odds with what the broader community gets from the project. That's difficult to avoid whenever Open Source developers get paid, unfortunately. If it were limited to bug-fixes I think the risk would be slim. I'm not sure if any projects have tried this.

Being pseudo-anonymous filters out alot of credible threats though.

Also, this backdoor was discovered by sheer chance. How many of those backdoors are still to be discovered? We should be checking all source code present in a standard Linux server right now, but all I can see is complacency because this single attempt was caught.

From the article:

  ..the fix for this was already in train before the XZ issue was highlighted, and long before the Github issue. The fix stopped the XZ backdoor into SSH, but hadn’t yet rolled out into a release of systemd.

  I believe there’s a good chance the threat actor realised this, and began rapidly accelerated development and deployment, hence publicly filing bug reports to try to get Ubuntu and such to upgrade XZ, as it was about to spoil several years of work. It also appears this is when they started making mistakes.

Since keeping such backdoor hidden in plain sight is extremely hard and required tons of preparation and social engineering spanning multiple projects, the answer is probably a function of number of those already discovered. As we don't discover years-old similar backdoors every now and then and had discovered this one pretty quickly, this might very well be the very first one that came this far.

Also, what's "sheer chance" for an individual is "enough eyeballs" for a collectivity.

I don't think Andres is in serious danger, unless he is a persistent threat to the bad actors. It's true that we owe him big time for discovering the backdoor. But it could have been someone else before him. And it may be someone else the next time. Too much depends on chance for anyone to justify targeting him. They risk blowing their cover by doing that just to satisfy their ego.

Devin AI working Upwork jobs blew minds, but it succeeded for a reason. Upwork and similar sites are plagued by low quality contractors who do little more than glue together code written by better engineers. It was never a hard formula to copy.

Outsourcing programming work to the lowest cost and quality to third-party libraries is leading to inevitable results.

Obviously, the next leap will be sophisticated supply chain attacks based upon poisoning AI.

e.g. The difficulty curve for writing apps went down a bit when iOS became popular, but nowadays iOS 17 is probably more complex than Snow leopard was in 2009 so there aren’t any low hanging fruit left for the median SWE.