| Rich Freeman via plug on 3 Apr 2024 02:08:41 -0700 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
| Re: [PLUG] XZ scanner |
On Tue, Apr 2, 2024 at 10:24 PM Steve Litt via plug <plug@lists.phillylinux.org> wrote: > > Rich Freeman via plug said on Tue, 2 Apr 2024 18:43:44 -0400 > > >On Tue, Apr 2, 2024 at 4:47 PM Steve Litt via plug > ><plug@lists.phillylinux.org> wrote: > > 2) Nobody I knew wrote bubble sorts for production code. I certainly know people who have done so. There are a LOT of developers out there, and half of them are below average. Just imagine how much code is going into projects right now straight from ChatGPT without any editing... > >> >Even on something like the kernel or > >> >a browser I bet you could slowly work your contributors in such that > >> >they become the majority of eyeballs in a single subsystem and > >> >become trusted to get code far enough along the QA process that it > >> >doesn't get as much close attention. > >> > >> Yes. This is what happens when software gets big, ugly, entangled, > >> and poorly designed. > > > >Uh, how would you fix Linux or any of the modern browsers so that they > >aren't "poorly designed?" > > How would your $1M/year gang of professionals fix these things? The > Linux kernel is what it is: We just need to trust the crew for that, I think you misunderstood my post. The $1M/yr gang of professions is there to make Linux LESS secure, by sneaking lots of pseudonyms into the project by doing helpful things at first, and then once enough are trusted you can start having them sneak in exploits. I see 94 subsystems in the Linux docs whose maintainer status is "odd fix" - ie they don't have time for anything serious but they can look at the occasional patch. Any/many of those could be replaced by a nefarious actor most likely if they started doing serious work. You could probably work your way into bigger subsystems with a bit more effort. That might not even be needed if you can just get a foothold in enough minor ones. This would all be under the radar. You wouldn't have 10 people suddenly show up being super helpful and committed despite a lack of a known corporate affiliation. Instead you'd have 1000 people slowly roll in who are in reality 10 human beings with 100 sock puppet accounts each. They would all be overworked volunteers who can just do little things here and there, but they'd all be helpful and would get in. They wouldn't appear to have anything to do with each other, but they could take over entire mailing list threads and review each other's work and so on. I'm just pointing out that when projects are dominated by pseudonymous volunteers it isn't necessarily that hard for somebody to sneak in a conspiracy. Look at the first season of Survior - when an alliance of three players basically decided who was voted off for the entire season. Everybody was just playing "the way they were supposed to" and not colluding, so a very small group voting as a block could swing the entire thing. Of course that only worked for the first season since after that everybody and their uncle was backstabbing each other in the way the show became famous for... -- Rich ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug