

Not really, not on its own. It can GET demanding depending on how big you go with building stuff.
True, but if it’s good for users, it should be the rule for ALL apps
Easy: no one. It’s not about who asked, it’s about who paid.
How do you go about doing otherwise?
A little off-topic: anyone else read this as “BCA Chefs”, initially?
So, you’re a tech nerd who wants an addictive game?
Factorio.
Also Satisfactory, but I’m not sure how well it runs on Linux. Fairly sure Factorio will run on just about anything.
Windows 11 has ads NOW, in the enterprise install I’m provided at work.
Not one single mention in the article of what an “RCS message” is.
Boy do I hate articles that just assume you know all the context you need.
Every few years, the landscape of good file explorers on Play Store shuffles up. Currently, CX seems to be the way to go.
Did anyone really think that making UEFI systems the equivalent of a mini OS was a good idea? Or having them be accessible to the proper OS? Was there really no pushback, when UEFI was being standardized, to say “images that an OS can write to are not critical to initializing hardware functionality, don’t include that”? Was that question not asked for every single piece of functionality in the standard?
As someone with 0 investment in this whole ecosystem, I saw and perused this article like a week ago, and my immediate impression was “Why is this guy constantly saying ‘Wayland breaks XXXXX’? Wayland isn’t breaking anything, it’s new tech. Wayland has certain features, or it doesn’t or doesn’t yet. The only folks breaking anything are those swapping use of X with Wayland, within various apps or tech stacks, potentially prematurely, where Wayland doesn’t yet have the full set of features needed.”
Whoever this is seems to have a really poor understanding of long-term software development, despite being way more invested in it than I am.
Fun read.
So, is the implication here that ONLY Microsoft keys can be in the db, and thus they’re the ultimate authority on who gets signed? Does Microsoft somehow own the UEFI standard?
Relatedly, can anyone elaborate on their reason for refusing to sign GRUB? I’m not following just from that short quote.
FromSoft made DAVE THE DIVER? :P
What the hell is an immutable OS?
So, wait, they’re seriously going to make this function MORE annoying than it already is?!
You’re right to think that “since it’s open source, people can see what it’s doing and would right away notice something malicious” is bullshit, cause it pretty much is. I sure as hell don’t spend weeks analyzing the source code of every third party open source package or program that I use. But just like with closed-source software, there’s a much bigger story of trust and infrastructure in play.
For one, while the average Joe Code isn’t analyzing the source of every new project that pops up, there are people whose job is literally that. Think academic institutions, and security companies like Kaspersky. You can probably argue that stuff like that is underfunded, but it definitely exists. And new projects that gain enough popularity to matter, and don’t come from existing trusted developers are gonna be subject to extra scrutiny.
For two, in order for a malicious (new) project to be a real problem, it has to gain enough popularity to reach its targets, and the open source ecosystem is pretty freakin’ huge. There’s two main ways that happens: A) it was developed, at least partially, by an established, trusted entity in the ecosystem, and B) it has to catch the eye of enough trusted or influential entities to gain momentum. On point B, in my experience, the kind of person who takes chances on small, unknown, no-name projects is just naturally the “exceptionally curious” type. “Hmm, I need to do X, I wonder what’s out there already that could do it. Hey, here’s something. Is it worth using? I wonder how they solved X. Lemme take a look…”
For three, the open source ecosystem relies heavily on distribution systems, stuff like GitHub, NuGet, NPM, Docker, and they take on a big chunk of responsibility for the security and trustability of the stuff they distribute. They do things like code scanning, binary validation, identity verification, and of course punitive measures taken against identified bad actors (i.e. banning).
All that being said, none of the above is perfect, and malicious actors absolutely do still manage to implant malware in open source software that we all rely on. The hope is that with all of the above points, as well as all the ones I’ve missed, that the odds of it happening are rare, and that when it DOES happen, it’s way easier to identify and correct the problems than when we have to trust a private party to do it behind closed doors.
Great recent example, from last year: https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know
Me, I see this story as rather uplifting. I think it shows that the ecosystem we have in place does a pretty good job of controlling even the worst malicious actors, cause this story involves just about the worst kind of malicious actor you could imagine. They spent a full 2 years doing REAL open source work to develop that community trust I talked about, as well as maintaining a small army of fake accounts submitting support requests, to put pressure on the project to add more maintainers, resulting in a VERY sophisticated, VERY severe backdoor being added. And they still got found out relatively quickly.