Bullying in Open Source Software Is a Massive Security Vulnerability
Bullying in Open Source Software Is a Massive Security Vulnerability
The Xz backdoor and a near miss on the F-Droid app store show how the entitled attitude of some people in the open source community can be used to push malicious or insecure code.
meanwhile Linus hounding down the google devs for making stupid pull requests
Do you have some context for this? I'm out of the loop.
Years ago, Linus Torvalds, creator of Linux, was notoriously mean to people who submitted bad code.
Like he would straight up call it absolute dogshit and say they should feel ashamed, he'd call them fucking morons, on one occasion I believe he even told someone to kill themselves.
In the years since, though, he's said that he's found the abrasive authority figure schtick doesn't really work and has the unfortunate side effect of making others involved adversarial too, or will hasten the notorious FOSS developer burnout, and he has changed to a much warmer and friendlier way of working, and been quite apologetic about his past attitude.
I'll allow it.
The trick is to stop giving af about demands from random assholes. Using software doesn't entitle anyone to updates. Part of the point of open source is if you want it to be different, the source code is available for you to do that.
Yup. I've contributed to a number of FOSS projects (including lemmy) and try to always observe the proper etiquette. That means (IMO):
- read through the contribution guidelines and follow them to a T
- check for feedback at least once/day
- allow at least two days for initial feedback, and gradually back off (so bump after 2 days, bump again after another 3-4 days)
- if there's no feedback after a week, bring it up on another channel (IRC, Matrix, email, etc)
- never demand anything, always ask how to help
None of that is written down anywhere, but to me it's common sense. If you don't want to do that, fork the project and maintain it yourself. Maybe they'll pull your changes in if they're good.
Well, it's fun that they mention F-Droid, because the maintainers are bullies who bully their contributors and generally act very unpleasant. They like to make new rules on the spot.
I abandoned using the project altogether, not someone I want to support.
Seems to me like they've done a pretty good job keeping their store free of malicious apps, I've never heard of any breaches like I have of every other store including Snap and Flatpak.
Maybe they're pissing some people off in the process, but maybe it's the right people to piss off. They've been able to hold it together in the FOSS app space better than most.
I would simply deal with these bullies by telling them to fuck off and fork their own thing instead of bugging me to push an update on the main. This feels nore like it should be happening to closed source things where the only way to get a thing in it is to beg the dev.
Naturally closed source for profit software is so much better and would never contain anything malicious.
We know this for certain because the PR department affirmed us that there is nothing malicious or illegal within their code. There internal investigations found no proof of hacking from external sources, All code changes where done with the full legal permission of our Ceo and Overlord Marz Kucherberg (tm)
This comment said:
Naturally closed source for profit software is so much better and would never contain anything malicious.
We know this for certain because the PR department affirmed us that there is nothing malicious or illegal within their code. There internal investigations found no proof of hacking from external sources, All code changes where done with the full legal permission of our Ceo and Overlord Marz Kucherberg (tm)
No need to be so defensive... unless you you the F-Droid team they are writing about. Are you?
Either way it is just whataboutism aimed at a strawman. No one is saying proprietary software is better.
Not sure why its still showing for you but i removed my comment seconds after posting as i misread and didnt know this was about bulling. I firmly stand against bullies of any kind.
Ever since the xz thing i have noticed a general increase in articles and clickbait titles spreading fear about open source software in general, its started to feel like intentional propaganda, for this post it was unwarranted.
Ps: please do confirm if my comments is removed by now on your end, i suspect comments may not always continue to sync between lemmy servers after the first initial postings.
It's probably far more common than most people realize. Open source software doesn't automatically make it secure, and in many cases can be less secure than closed source as it's just one or two people doing it for free.
Much easier to be tempted to do something wrong or to get others to help in and take the weight off.
in many cases can be less secure than closed source as it's just one or two people doing it for free.
Absurd take. How could having the source closed possibly enhance the security?
Closed source software has the exact same bullying issue, the difference is instead of the bullies being random people on the internet, they are managers with power over you. They are at least as likely to make you do something dangerous as the randoms, but they don't have to try as hard to hide it.
It's not the same, but it can be.
Bullying in closed source software is a company culture issue. Bullying in open source software can come from anywhere, and a good CoC won't necessarily fix it because outside community members can just bully from different accounts. But that also means bad company culture can't be fixed as easily as playing whack-a-mole in a FOSS project.
I mean you can see the source code. You'll know if anyone does something weird if you have two braincells.Edit: Clown here move along.
How do you qualify the security of a closed source code when you can't verify it?
I'd bet on for-profit motive over passion-project when it comes to being tempted to do something wrong.