GitHub Disables The XZ Repository Following Today's Malicious Disclosure

  • #91
    Originally posted by BesiegedAce View Post

    ...because it pulled in libarchive (known FOSS project)? Not defending windows here but if anything does this not weaken the whole "FOSS has thousands of eyes on it" further?
    "FOSS has thousands of eyes on it" is incorrect, as anyone sensible knows. There are 'individual maintainers in the wilds of Nebraska' responsible for critical infrastructure, and yes, that is crazy.

    But the closed source, proprietary, licensed other choice is even crazier.

    The point about FLOSS is that the source is verifiable and auditable, you can verify a build, you can make and distribute changes without legal repercussions. It boils down to who bothers to audit the source. That is not the writer's problem: it is the problem for the person or organisation choosing to use it. Some prefer to pay money to commercial offerings to 'make the problems go away'. The major problem is that they don't. You might not be allowed to view the source, or if you are, you can't distribute changes, or accept changes from anyone other than the copyright holder - who might charge for them, or not even make them available. You can't verify that the binary you are running can be built from the source you might be permitted to see.
    Open source/FLOSS does not magically resolve all bugs. That is a fairy tale. But anyone can review the code. Anyone can verify the build. You can take responsibility for the code you run. If you don't want to do that, pay someone else to do the audit and other heavy lifting. But don't pretend commercial software is any better.

    FLOSS is not perfect. But it gives you the freedom to check and remedy things far, far in advance of non-free software. The fact that people might not do it enough is a people problem, not a FLOSS problem. You have been given the keys to the kingdom: it is up to you to use them.

    • #92
      His changes aren't a backdoor (at least in libarchive).

      The scary part of libarchive is it depends on xz-utils as well.



      And my fellow security colleagues from Dragon Sector did analyze it and found out that there is already an extension system in that exploit to keep loading new payloads (possibly not affecting SSH but something else).

      • #93
        Originally posted by AmericanLocomotive View Post
        This is why I think Linux packaging is a failure right now. The constant "Just fork it!" nature of Linux is spreading resources too thin. Too many different package managers. Too many different software repositories with overworked packagers trying to keep up with the thousands of applications a distro might have. Too many different distributions that are all largely the same except for some very superficial differences.

        So as a result, no one is actually taking the time to double check and review things. XZ is a critical core component of many distributions and software packages. If a critical component, and an otherwise stable feature-complete application gets an update, it should be scrutinized to the fullest extent.

        Instead we have spread-thin package maintainers that just vacuum it up without a second thought.

        I get that it's difficult to understand what someone else's code is doing, but that's why the KML requires certain standards and comments that clearly explain what the code is trying to do.

        For critical components like XZ, maintainers should just flat out reject updates without clear comments that carefully explain what each new addition is doing.
        It is not "too many different package managers" causing the failure. It is the software build process itself not being deterministic and reproducible for most projects/languages/compilers/platforms etc. that makes auditing hard. Take this latest xz repo exploit as an example. The "source" tarball published for download is not reproducible from the git. The hidden malware is put in out-of-band. This kind of trick *shouldn't* be able to happen in the first place.

        • #94
          Originally posted by reavertm View Post
          Where, to Chinese "CIA" equivalent agency, Russian (contributions of "Jia Tan" started incidentally the same month Russia invaded Ukraine..) or where?
          Jia Tan is just an avatar with some email.
          You don't know what it is, where and how many people are involved.
          Why are you asking me? It's not my job. That's literally the job of intelligence agencies.

          I don't even understand why he still has his account up.

          • #95
            Originally posted by billyswong View Post
            It is not "too many different package managers" causing the failure. It is the software build process itself not being deterministic and reproducible for most projects/languages/compilers/platforms etc. that makes auditing hard. Take this latest xz repo exploit as an example. The "source" tarball published for download is not reproducible from the git. The hidden malware is put in out-of-band. This kind of trick *shouldn't* be able to happen in the first place.
            Originally posted by Old Grouch View Post
            "FOSS has thousands of eyes on it" is incorrect, as anyone sensible knows. There are 'individual maintainers in the wilds of Nebraska' responsible for critical infrastructure, and yes, that is crazy.

            The point about FLOSS is that the source is verifiable and auditable, you can verify a build, you can make and distribute changes without legal repercussions. It boils down to who bothers to audit the source.
            This is what I'm getting at. Instead of making a copy of the source, you have people just grabbing the tarball because it's faster and easier without verifying it actually matched the git source. No one vetted it. No one checked anything.

            I once again, think this comes down to the workload present day packagers are under. Too many software packages, too many competing repositories and types of package systems, everyone spread out thin.
            Originally posted by Volta View Post
            Yeah, random windows freeware or shareware from all over the net is better.
            You know that's not what I said, or implied. This isn't someone installing a random piece of software on their computer. It's a critical component of the operating system being compromised. Since apparently most of the distribution packagers were just grabbing the pre-made tarballs without checking anything, it's really not any different than "random windows shareware", is it?

            • #96
              Originally posted by mSparks View Post
              This is significantly more complex than that.
              Last I saw it's a well hidden RCE that can only be exploited by the authors (the hook into RSA_Decrypt is to decrypt the payload using a fixed public key, so only the attacker could encrypt the payload).
              I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission. The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system(). It's RCE, not auth bypass, and gated/unreplayable.

              That's a long way from script kiddying a day-1 exploit
              Well yes, it's more complex than Day-1 CVEs in browsers and glibc.

              It's a fact the open source community is under attack; also all phoronix.com forum members are under attack...

              I have been saying this for many months now... there are still naive fools who claim that we are not under attack and everything is fine.
              Phantom circuit Sequence Reducer Dyslexia

              • #97
                Originally posted by Volta View Post
                Your trolling gets boring, but ok. These three companies are known for abusing users privacy. Their products are spyware by definition. The world would be much better without them. Repeating same shit over, because troll is a troll:
                Plus: WikiLeaks’ website is falling apart, tax websites are sending your data to Facebook, and cops take down a big phone-number-spoofing operation.


                The class-action lawsuit said Google misled users into believing that it wouldn't track their internet activities while using 'incognito mode.' Terms of the settlement weren't disclosed.

                All of the three spyware companies you're trying to defend. Avis - a corporate product.
                People only see the truth about Windows 11 if they install W10Privacy and read what they can turn off or on in the options.

                LOL, people like Avis are truly naive fools.
                Phantom circuit Sequence Reducer Dyslexia

                • #98
                  Originally posted by AmericanLocomotive View Post

                  This is what I'm getting at. Instead of making a copy of the source, you have people just grabbing the tarball because it's faster and easier without verifying it actually matched the git source. No one vetted it. No one checked anything.

                  I once again, think this comes down to the workload present day packagers are under. Too many software packages, too many competing repositories and types of package systems, everyone spread out thin.
                  I still disagree on the helpfulness of reducing packaging formats for this matter. Compiling / building mountains of software libraries / projects is tedious. The only way to manage such back-end work without dying from fatigue is to automate it as much as possible. Even if we ban innovation in software packaging and force everyone to choose between Debian vs. Red Hat, this attack can still happen and will still happen.

                  We weren't aware the tarball can mismatch the git source maliciously. Now we are. So the next step is to make sure this can't happen by making such source tarballs be created programmatically and deterministically from the git source. Remove such out-of-band attacks. This is the proper solution for Git front-end platforms such as Github and Gitlab.

                  • #99
                    Originally posted by billyswong View Post

                    I still disagree on the helpfulness of reducing packaging formats for this matter. Compiling / building mountains of software libraries / projects is tedious. The only way to manage such back-end work without dying from fatigue is to automate it as much as possible. Even if we ban innovation in software packaging and force everyone to choose between Debian vs. Red Hat, this attack can still happen and will still happen.

                    We weren't aware the tarball can mismatch the git source maliciously. Now we are. So the next step is to make sure this can't happen by making such source tarballs be created programmatically and deterministically from the git source. Remove such out-of-band attacks. This is the proper solution for Git front-end platforms such as Github and Gitlab.
                    Oh come on, we definitely knew that some random archive uploaded to Git could definitely be completely different than the posted source. Just no one cared enough to check. I do agree that any downloadable source archive should be created directly from the source on Git and some kind of checksum system implemented.

                    However if no one vets the source on Git, it doesn't really matter.

                    We need less duplication of effort and more inspection and vetting. Every little thing on the KML is vetted and inspected by multiple people before being accepted. I'm not saying we need that level of thoroughness for every application, but "core" libraries to an OS that are allowed to "touch" anything involving authentication, encryption, log-in, etc... should be fully vetted.
                    Last edited by AmericanLocomotive; 31 March 2024, 12:31 PM.
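The check that #98 and #99 argue for, as an added example that is not code from the thread or from any poster: a POSIX shell function that extracts a release tarball next to `git archive` of the matching tag and reports every file the tarball carries that git does not, every committed file the tarball lacks, and every file whose bytes differ. The repository path, tag name and tarball layout (a single top-level directory) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: check a release tarball against the
# tagged git tree. Files that exist only in the tarball are the out-of-band
# content the discussion is about (generated build scripts and the like).
# Usage: verify_tarball <git-repo-dir> <tag> <release.tar.gz>
# Exit status 0 if the tarball matches the tag exactly, 1 otherwise.
set -u

verify_tarball() {
    repo=$1; tag=$2; tarball=$3
    work=$(mktemp -d) || return 2
    mkdir "$work/git" "$work/tar"
    # Reference tree: exactly the committed content at the tag, nothing else.
    git -C "$repo" archive --format=tar "$tag" | tar -xf - -C "$work/git"
    # Release tree: drop the single top-level directory a release tarball has
    # (assumed layout; --strip-components is GNU/busybox tar).
    tar -xzf "$tarball" --strip-components=1 -C "$work/tar"
    ( cd "$work/git" && find . -type f | sort ) > "$work/git.list"
    ( cd "$work/tar" && find . -type f | sort ) > "$work/tar.list"
    status=0
    # Paths present only in the tarball (comm -23: lines unique to file 1).
    comm -23 "$work/tar.list" "$work/git.list" > "$work/only_tar.list"
    while IFS= read -r f; do
        echo "ONLY-IN-TARBALL $f"; status=1
    done < "$work/only_tar.list"
    # Paths committed in git but absent from the tarball.
    comm -13 "$work/tar.list" "$work/git.list" > "$work/only_git.list"
    while IFS= read -r f; do
        echo "ONLY-IN-GIT $f"; status=1
    done < "$work/only_git.list"
    # Paths in both trees whose bytes differ.
    comm -12 "$work/tar.list" "$work/git.list" > "$work/common.list"
    while IFS= read -r f; do
        if ! cmp -s "$work/git/$f" "$work/tar/$f"; then
            echo "MODIFIED $f"; status=1
        fi
    done < "$work/common.list"
    rm -rf "$work"
    return $status
}
```

Anything reported as ONLY-IN-TARBALL or MODIFIED is content a packager is about to build that nobody reviewed in git, so the list is the input to a review, not a verdict.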

                    • Originally posted by qarium View Post
                      there are still naive fools who claim that we are not unter attack and everything is fine.
                      Yeah, but they give us high comedy like
                      Current and former customers of the US telecoms firm are impacted by the breach, the company says.


                      I still remember the height of the "nothing to hide nothing to fear" days, TBH, nothing actually changed there, they are just quieter than they used to be.
                      Originally posted by qarium View Post
                      its a fact the opensource community is unter attack also all phoronix.com forum members are under attack...
                      I don't think OSS is special tbh, it's just like those countries that actually put their corrupt politicians in jail - they aren't more corrupt, it's just more visible.

                      Raspberry Pis used to have default Pi/Pi user/pass logins, now every ssh server that goes online will log a thousand plus failed Pi logins a day.
