Browse Source

Links

master
David Larlet 7 months ago
parent
commit
2e7a3591ea
Signed by: David Larlet <david@larlet.fr> GPG Key ID: 3E2953A359E7E7BD

+ 203
- 0
cache/2024/14da9039de50c54f159f333ea3dc73f1/index.html View File

@@ -0,0 +1,203 @@
<!doctype html><!-- This is a valid HTML5 document. -->
<!-- Screen readers, SEO, extensions and so on. -->
<html lang="en">
<!-- Has to be within the first 1024 bytes, hence before the `title` element
See: https://www.w3.org/TR/2012/CR-html5-20121217/document-metadata.html#charset -->
<meta charset="utf-8">
<!-- Why no `X-UA-Compatible` meta: https://stackoverflow.com/a/6771584 -->
<!-- The viewport meta is quite crowded and we are responsible for that.
See: https://codepen.io/tigt/post/meta-viewport-for-2015 -->
<meta name="viewport" content="width=device-width,initial-scale=1">
<!-- Required to make a valid HTML5 document. -->
<title>Bullying in Open Source Software Is a Massive Security Vulnerability (archive) — David Larlet</title>
<meta name="description" content="Publication mise en cache pour en conserver une trace.">
<!-- That good ol' feed, subscribe :). -->
<link rel="alternate" type="application/atom+xml" title="Feed" href="/david/log/">
<!-- Generated from https://realfavicongenerator.net/ such a mess. -->
<link rel="apple-touch-icon" sizes="180x180" href="/static/david/icons2/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/static/david/icons2/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/static/david/icons2/favicon-16x16.png">
<link rel="manifest" href="/static/david/icons2/site.webmanifest">
<link rel="mask-icon" href="/static/david/icons2/safari-pinned-tab.svg" color="#07486c">
<link rel="shortcut icon" href="/static/david/icons2/favicon.ico">
<meta name="msapplication-TileColor" content="#f7f7f7">
<meta name="msapplication-config" content="/static/david/icons2/browserconfig.xml">
<meta name="theme-color" content="#f7f7f7" media="(prefers-color-scheme: light)">
<meta name="theme-color" content="#272727" media="(prefers-color-scheme: dark)">
<!-- Is that even respected? Retrospectively? What a shAItshow…
https://neil-clarke.com/block-the-bots-that-feed-ai-models-by-scraping-your-website/ -->
<meta name="robots" content="noai, noimageai">
<!-- Documented, feel free to shoot an email. -->
<link rel="stylesheet" href="/static/david/css/style_2021-01-20.css">
<!-- See https://www.zachleat.com/web/comprehensive-webfonts/ for the trade-off. -->
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<script>
function toggleTheme(themeName) {
document.documentElement.classList.toggle(
'forced-dark',
themeName === 'dark'
)
document.documentElement.classList.toggle(
'forced-light',
themeName === 'light'
)
}
const selectedTheme = localStorage.getItem('theme')
if (selectedTheme !== 'undefined') {
toggleTheme(selectedTheme)
}
</script>

<meta name="robots" content="noindex, nofollow">
<meta content="origin-when-cross-origin" name="referrer">
<!-- Canonical URL for SEO purposes -->
<link rel="canonical" href="https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/">

<body class="remarkdown h1-underline h2-underline h3-underline em-underscore hr-center ul-star pre-tick" data-instant-intensity="viewport-all">


<article>
<header>
<h1>Bullying in Open Source Software Is a Massive Security Vulnerability</h1>
</header>
<nav>
<p class="center">
<a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
</svg> Accueil</a> •
<a href="https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/" title="Lien vers le contenu original">Source originale</a>
<br>
Mis en cache le 2024-04-04
</p>
</nav>
<hr>
<p>A previously unknown contributor to the popular open-source Android app store F-Droid repeatedly pressured its developers to push a code update that would have introduced a new vulnerability to the software, in what one of the developers described on Mastodon as a “similar kind of attempt as the Xz backdoor.”&nbsp; </p>
<p>As the fallout of the Xz backdoor continues to rock the open source software community, people woking on open source software are realizing (and reiterating) that a culture in which people often feel entitled to constant updates and additional features from volunteer coders presents a pretty large attack surface.</p>
<p>In the case of the Xz backdoor, a malicious actor was able to pressure the owner of a widely-used Linux compression utility called Xz Utils into making them a trusted maintainer of the project. They did this in part by arguing that the owner was letting the community of users down because they weren’t pushing new features and updates often enough, in the eyes of this malicious coder. You can <a href="https://www.404media.co/the-xz-backdoor-highlights-the-vulnerability-of-open-source-software-and-its-strengths/"><u>read our full rundown here</u></a></p>
<p>Tuesday, Hans-Christoph Steiner, a longtime developer of F-Droid, explained that a very similar situation nearly led F-Droid to push an update that would have introduced a security vulnerability into the product three years ago: “Three years ago, F-Droid had a similar kind of attempt as the Xz backdoor,” he <a href="http://mastodon.social/@eighthave@librem.one/112194828834023399?ref=404media.co"><u>posted on Mastodon</u></a>. “A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on.&nbsp; There was also pressure from other random accounts to merge it. In the end, it became clear that it added a SQL injection vulnerability. In this case, we managed to catch it before it was merged.&nbsp; Since similar tactics were used, I think it’s relevant now.”</p>
<p>Other open source developers and security experts have pointed to the dynamic of bullying and the general reliance on a small number of volunteer developers. They explained that it’s a problem across much of the open source software ecosystem, and is definitely a problem for the large tech companies and infrastructure who rely on these often volunteer-led projects to build their for-profit software on top of.&nbsp;</p>
<div class="kg-card kg-callout-card kg-callout-card-grey"><div class="kg-callout-emoji">💡</div><div class="kg-callout-text"><b><strong style="white-space: pre-wrap;">Do you know anything else about another incident of bullying leading to a vulnerability in the FOSS community? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +1 202 505 1702. Otherwise, send me an email at jason@404media.co.</strong></b></div></div>
<p>Glyph, the founder of the Twisted python networking engine open source project, <a href="http://mastodon.social/@glyph/112180922900094371?ref=404media.co"><u>said the Xz Utils pressure campaign should</u></a> “cause an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html?ref=404media.co"><u>this message</u></a>.”&nbsp;</p>
<p>They then linked to an email in the Xz Utils listserv that shows a likely sockpuppet account arguing “Progress will not happen until there is new maintainer … The current maintainer lost interest or doesn't care to maintain anymore. It is sad to see for a repo like this.”</p>
<!--kg-card-begin: html-->
<div class="outpost-pub-container" data-btn-notsupporter></div>
<!--kg-card-end: html-->
<p>Meredith Whitaker, the president of Signal, <a href="http://mastodon.social/@Mer__edith@mastodon.world/112202731731986740?ref=404media.co"><u>said</u></a> “I keep brooding on the way the xz backdoor was enabled in significant part via weaponizing the FOSS [free and open source software culture of shitty behavior and abuse.”</p>
<p>“What is striking is that the uncool, mean standards of FOSS conduct that many of us have decried for years, and that many defended as authentic, tough, etc., ended up not just being exclusionary loser behavior, but a significant attack surface.”</p>
<p>In the case of F-Droid, Steiner <a href="https://gitlab.com/fdroid/fdroidclient/-/merge_requests/889?ref=404media.co"><u>linked to the GitLab thread where a specific potential update was discussed</u></a>. This thread shows how a pressure campaign can potentially compromise an open source project.&nbsp;</p>
<p>In that thread, the now-banned developer who wanted to push code that would have added a vulnerability repeatedly demanded that their new feature be integrated into the live product immediately. As Steiner said, the new feature would have changed how people searched for apps on F-Droid. The potentially malicious user argued “the search results are pretty unusable currently,” and proposed new code. Over the course of months, that user kept writing things like “do we want to merge now?,” meaning push the code live and “I’d really like for this to get into the next release.”&nbsp;</p>
<p>When other users, including Steiner, pointed out that they still needed to review the code, tweak it, or make adjustments to improve its functionality, the original user became angry, and other users backed the original poster.&nbsp;</p>
<p>One other user, for example, argued “I’d like to get this merged for a release soon … is this perfect? No, but it doesn’t need to be. It just needs to be better than what we have now.”&nbsp;</p>
<p>“The second big reason why I think this should be merged soon, is about encouraging new contributors,” the person arguing for inclusion added. “And not by saying ‘we welcome contributions’ and then never allowing any changes because they are not perfect. If people never get anything merged they'll most likely never spend any more time diving deeper into the codebase and tackling more complex tasks later on.”</p>
<p>The original poster wrote “at risk of sounding rude, I believe that this is a great change as it stands, and we have spent too long debating alternative implementations that I am not going to work on (I have a full-time job, and I will not spend my time on work that I believe to be worse than what I have already made). Please consider leaving new details to a future discussion or change and merging what we have now.”</p>
<p>Steiner argued that the code wasn’t ready to go, and that pushing it could “break things for many 10s of thousands of users.”</p>
<p>“I haven't seen any evidence that there is a sudden crisis caused by bad search. It’s been that way since the beginning. So we have time to get this right,” Steiner wrote.</p>
<p>The original poster continued to pressure Steiner and other maintainers of the code, and eventually wrote “nah man, I’m tired of this … I'm not coming back to this project until I see that contributions made in good faith are welcomed instead of fought every step of the way.”</p>
<p>When Steiner was finally able to audit the code, he found that it would have introduced a vulnerability that would have allowed for SQL injections, which is a very basic type of hack that could have crashed the app and would have also potentially introduced other problems. Steiner wrote at the time that he was unsure whether this was actively malicious or just sloppy, but noted that it was a “security risk” either way.&nbsp;</p>
<p>“I wonder if this was an attempt to insert a SQL injection vuln? Or am I just paranoid?,” he wrote. “Anyone know anything about the original submitter?”</p>
<p>Steiner wrote this week that the original coder deleted their account as soon as F-Droid’s maintainers attempted to review the code, and that he thinks that the user’s behavior, as well as “all the attention from random new accounts” has led him to believe “it could be a deliberate attempt to insert the vuln.”&nbsp;</p>
<p>In this case, the vulnerability ultimately wasn’t pushed to a live product, but it’s a very specific example of the types of pressures and culture that open source projects are constantly dealing with. (An aside: While on the F-Droid forum, I happened to also see <a href="https://forum.f-droid.org/t/scandal-behavior-of-hans-christoph-steiner-again/4723?ref=404media.co"><u>two long threads</u></a> in which a user said Steiner was acting with “<a href="https://forum.f-droid.org/t/skandala-sinteno-de-projekt-estro-hans-christoph-steiner-skandaliczne-zachowanie-administratora-projektu-hans-christoph-steiner-scandal-behave-of-admin-hans-christoph-steiner/3771/2?ref=404media.co"><u>scandal behavior</u></a>” and deep bias because F-Droid had failed to properly implement official support for the constructed artificial language Esperanto into the app; Steiner repeatedly explained that Android itself did not support Esperanto and that was the issue.)</p>
<p>Regardless of intent, Steiner wrote that “clear communication definitely suffers when maintainers are overloaded, stressed out and feel ganged up on. I think that's another key takeaway from this current incident. For a well resourced actor, it is not too hard to social engineer themselves into a trusted position when projects get into that position. That happens all too often, unfortunately.”</p>
</article>


<hr>

<footer>
<p>
<a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
</svg> Accueil</a> •
<a href="/david/log/" title="Accès au flux RSS"><svg class="icon icon-rss2">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-rss2"></use>
</svg> Suivre</a> •
<a href="http://larlet.com" title="Go to my English profile" data-instant><svg class="icon icon-user-tie">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-user-tie"></use>
</svg> Pro</a> •
<a href="mailto:david%40larlet.fr" title="Envoyer un courriel"><svg class="icon icon-mail">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-mail"></use>
</svg> Email</a> •
<abbr class="nowrap" title="Hébergeur : Alwaysdata, 62 rue Tiquetonne 75002 Paris, +33184162340"><svg class="icon icon-hammer2">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-hammer2"></use>
</svg> Légal</abbr>
</p>
<template id="theme-selector">
<form>
<fieldset>
<legend><svg class="icon icon-brightness-contrast">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-brightness-contrast"></use>
</svg> Thème</legend>
<label>
<input type="radio" value="auto" name="chosen-color-scheme" checked> Auto
</label>
<label>
<input type="radio" value="dark" name="chosen-color-scheme"> Foncé
</label>
<label>
<input type="radio" value="light" name="chosen-color-scheme"> Clair
</label>
</fieldset>
</form>
</template>
</footer>
<script src="/static/david/js/instantpage-5.1.0.min.js" type="module"></script>
<script>
function loadThemeForm(templateName) {
const themeSelectorTemplate = document.querySelector(templateName)
const form = themeSelectorTemplate.content.firstElementChild
themeSelectorTemplate.replaceWith(form)

form.addEventListener('change', (e) => {
const chosenColorScheme = e.target.value
localStorage.setItem('theme', chosenColorScheme)
toggleTheme(chosenColorScheme)
})

const selectedTheme = localStorage.getItem('theme')
if (selectedTheme && selectedTheme !== 'undefined') {
form.querySelector(`[value="${selectedTheme}"]`).checked = true
}
}

const prefersColorSchemeDark = '(prefers-color-scheme: dark)'
window.addEventListener('load', () => {
let hasDarkRules = false
for (const styleSheet of Array.from(document.styleSheets)) {
let mediaRules = []
for (const cssRule of styleSheet.cssRules) {
if (cssRule.type !== CSSRule.MEDIA_RULE) {
continue
}
// WARNING: Safari does not have/supports `conditionText`.
if (cssRule.conditionText) {
if (cssRule.conditionText !== prefersColorSchemeDark) {
continue
}
} else {
if (cssRule.cssText.startsWith(prefersColorSchemeDark)) {
continue
}
}
mediaRules = mediaRules.concat(Array.from(cssRule.cssRules))
}

// WARNING: do not try to insert a Rule to a styleSheet you are
// currently iterating on, otherwise the browser will be stuck
// in a infinite loop…
for (const mediaRule of mediaRules) {
styleSheet.insertRule(mediaRule.cssText)
hasDarkRules = true
}
}
if (hasDarkRules) {
loadThemeForm('#theme-selector')
}
})
</script>
</body>
</html>

+ 14
- 0
cache/2024/14da9039de50c54f159f333ea3dc73f1/index.md
File diff suppressed because it is too large
View File


+ 367
- 0
cache/2024/8ffe1e30cd3dd6446468bd6d03550457/index.html View File

@@ -0,0 +1,367 @@
<!doctype html><!-- This is a valid HTML5 document. -->
<!-- Screen readers, SEO, extensions and so on. -->
<html lang="en">
<!-- Has to be within the first 1024 bytes, hence before the `title` element
See: https://www.w3.org/TR/2012/CR-html5-20121217/document-metadata.html#charset -->
<meta charset="utf-8">
<!-- Why no `X-UA-Compatible` meta: https://stackoverflow.com/a/6771584 -->
<!-- The viewport meta is quite crowded and we are responsible for that.
See: https://codepen.io/tigt/post/meta-viewport-for-2015 -->
<meta name="viewport" content="width=device-width,initial-scale=1">
<!-- Required to make a valid HTML5 document. -->
<title>ongoing by Tim Bray · OSQI (archive) — David Larlet</title>
<meta name="description" content="Publication mise en cache pour en conserver une trace.">
<!-- That good ol' feed, subscribe :). -->
<link rel="alternate" type="application/atom+xml" title="Feed" href="/david/log/">
<!-- Generated from https://realfavicongenerator.net/ such a mess. -->
<link rel="apple-touch-icon" sizes="180x180" href="/static/david/icons2/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/static/david/icons2/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/static/david/icons2/favicon-16x16.png">
<link rel="manifest" href="/static/david/icons2/site.webmanifest">
<link rel="mask-icon" href="/static/david/icons2/safari-pinned-tab.svg" color="#07486c">
<link rel="shortcut icon" href="/static/david/icons2/favicon.ico">
<meta name="msapplication-TileColor" content="#f7f7f7">
<meta name="msapplication-config" content="/static/david/icons2/browserconfig.xml">
<meta name="theme-color" content="#f7f7f7" media="(prefers-color-scheme: light)">
<meta name="theme-color" content="#272727" media="(prefers-color-scheme: dark)">
<!-- Is that even respected? Retrospectively? What a shAItshow…
https://neil-clarke.com/block-the-bots-that-feed-ai-models-by-scraping-your-website/ -->
<meta name="robots" content="noai, noimageai">
<!-- Documented, feel free to shoot an email. -->
<link rel="stylesheet" href="/static/david/css/style_2021-01-20.css">
<!-- See https://www.zachleat.com/web/comprehensive-webfonts/ for the trade-off. -->
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<script>
function toggleTheme(themeName) {
document.documentElement.classList.toggle(
'forced-dark',
themeName === 'dark'
)
document.documentElement.classList.toggle(
'forced-light',
themeName === 'light'
)
}
const selectedTheme = localStorage.getItem('theme')
if (selectedTheme !== 'undefined') {
toggleTheme(selectedTheme)
}
</script>

<meta name="robots" content="noindex, nofollow">
<meta content="origin-when-cross-origin" name="referrer">
<!-- Canonical URL for SEO purposes -->
<link rel="canonical" href="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI">

<body class="remarkdown h1-underline h2-underline h3-underline em-underscore hr-center ul-star pre-tick" data-instant-intensity="viewport-all">


<article>
<header>
<h1>ongoing by Tim Bray · OSQI</h1>
</header>
<nav>
<p class="center">
<a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
</svg> Accueil</a> •
<a href="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI" title="Lien vers le contenu original">Source originale</a>
<br>
Mis en cache le 2024-04-04
</p>
</nav>
<hr>
<p itemprop="description">I propose the formation of one or more “Open Source Quality Institutes”. An OSQI is a public-sector organization that
employs software engineers. Its mission would be to improve the quality, and especially safety, of popular
Open-Source software.</p>

<p id="p-5" class="p1"><span class="h2">Why?</span> ·
The
<a href="https://en.wikipedia.org/wiki/XZ_utils_backdoor">XZ-Utils backdoor</a> (let’s just say <b>#XZ</b>) launched the train
of thought that led me
to this idea. If you read the story, it becomes obvious that the key vulnerability wasn’t technical, it was the fact that a
whole lot of Open-Source software is on the undermaintained-to-neglected axis, because there’s no business case for paying people
to take care of it. Which is a problem, because there is a <em>strong</em> business case for paying people to attack it.</p>

<p>There are other essential human activities that lack a business case, for example tertiary education,
potable water quality, and financial regulation. For these, we create non-capitalist constructs such as Universities and
Institutes and Agencies, because society needs these things done even if nobody can make money doing them.</p>

<p>I think we need to be paying more attention to the quality generally, and safety especially, of the Open-Source software
that has become the underlying platform for, more or less, our civilization. Thus OSQI.</p>

<p id="p-6" class="p1"><span class="h2">They’re out to get us</span> ·
For me, the two big lessons from <b>#XZ</b> were first, the lack of resources supporting crucial Open-Source infrastructure,
but then and especially, the
demonstration that the attackers are numerous, skilled <em>and patient</em>. We already knew about numerous and skilled but this
episode, where
the attacker was already well-embedded in the project
<a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00562.html">by May 2022</a>, opened a few eyes, including
mine.</p>

<p>The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is
incalculable. <b>#XZ</b> was the one we caught; how many have we missed?</p>

<p id="p-7" class="p1"><span class="h2">What’s OSQI?</span> ·
It’s an organization created by a national government. Obviously, more nations than one could have an OSQI.</p>

<p>The vast majority of the staff would be relatively-senior
software
engineers, with a small percentage of paranoid nontechnical security people
(see
<a href="OSQI#p-21">below</a>). You could do a lot with as few as 250 people, and
the burdened cost would be trivial for a substantial government.</p>

<p>Since it is a matter of obvious fact that every company in the
world with revenue of a billion or more is existentially dependent on Open Source, it would be reasonable to impose a levy of,
say, 0.1% of revenue on all such companies, to help support this work. The money needn’t be a problem.</p>

<p id="p-8" class="p1"><span class="h2">Structure</span> ·
The selection of software packages that would get OSQI attention would be left to the organization, although there would be
avenues for anyone to request coverage. The engineering organization could be relatively flat, most people giving individual
attention to individual projects, then also ad-hoc teams forming for tool-building or crisis-handling when something like
<b>#XZ</b> blows up.</p>

<p id="p-10" class="p1"><span class="h2">Why would anyone work there?</span> ·
The pay would be OK; less than you’d make at Google or Facebook, but a decent civil-service salary. There would be no
suspicion that your employer is trying to enshittify anything; in fact, you’d start work in the morning confident that you’re
trying to improve the world. The default work mode would be remote, so you could live somewhere a not-quite-Google salary would
support a very comfortable way of life. There would be decent vacations and benefits and
(<em>*gasp*</em>) a pension.</p>

<p>And there is a certain class of person who would find everyday joy in peeking and poking and polishing
Open-Source packages that are depended on by millions of programmers and (indirectly) billions of humans. A couple of decades
ago I would have been one.</p>

<p>I don’t think recruiting would be a problem.</p>

<p>So, what are OSQI’s goals and non-goals?</p>

<p id="p-11" class="p1"><span class="h2">Goal: Safety</span> ·
This has to come first. If all OSQI accomplishes is the foiling of a few <b>#XZ</b>-flavor attacks, and life becoming harder
for people making them, that’s just fine.</p>

<p id="p-12" class="p1"><span class="h2">Goal: Tool-building</span> ·
I think it’s now conventional wisdom that Open Source’s biggest attack surfaces are dependency networks and build
tools. These are big and complex problems, but let’s be bold and set a high bar:</p>

<blockquote><p>Open-Source software should be built deterministically, verifiably, and reproducibly, from signed source-code
snapshots. These snapshots should be free of generated artifacts; every item in
the snapshot should be human-written and human-readable.</p>
</blockquote>
<p>For example: As
<a href="https://mastodon.social/@kornel">Kornel</a> said,
<a href="https://mastodon.social/@kornel/112187783363254917">Seriously, in retrospect, #autotools itself is a massive
supply-chain security risk.</a> No kidding! But then everyone says “What are you gonna do, it’s wired into everything.”</p>

<p>There are alternatives; I know of
<a href="https://cmake.org">CMake</a> and
<a href="https://mesonbuild.com">Meson</a>. Are they good enough? I don’t know. Obviously, GNU AutoHell can’t be swept out of
all of the fœtid crannies where it lurks and festers, but every project from which it is scrubbed will present less
danger to the world.
I believe OSQI would have the scope to make real progress on this front.</p>

<p id="p-13" class="p1"><span class="h2">Non-goal: Features</span> ·
OSQI should never invest engineering resources in adding cool features to Open-Source packages (with the possible exception
of build-and-test tools). The Open-Source community is bursting with new-features energy, most coming from people who either
want to scratch their own itch or are facing a real blockage at work. They are way better positioned to make those improvements
than anyone at OSQI.</p>

<p id="p-23" class="p1"><span class="h2">Goal: Maintenance</span> ·
Way too many deep-infra packages grow increasingly unmaintained as people age and become busy and tired and sick and dead. As I
was writing this, a
<a href="https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes">plea for help</a> came across my radar from Sebastian
Pipping, the excellent but unsupported and unfunded maintainer of
<a href="https://github.com/libexpat/libexpat/tree/R_2_6_2">Expat</a>, the world’s most popular XML parser.</p>

<p>And yeah, he’s part of a trend, one that notably included the now-infamous
<a href="https://en.wikipedia.org/wiki/XZ_Utils">XZ-Utils</a> package.</p>

<p>And so I think one useful task for OSQI would be taking over (ideally partial) maintenance duties for a lot of Open-Source projects
that have a high ratio of adoption to support. In some cases it would have to take a lower-intensity form, let’s call it “life
support”, where OSQI deals with vulnerability reports but flatly refuses to address any requests for features no matter how
trivial, and rejects all PRs unless they come from someone who’s willing to take on part of the maintenance load.</p>

<p>One benefit of having paid professionals doing this is that they will blow off the kind of social-engineering harassment that
the <b>#XZ</b> attacker inflicted on the XZ-Utils maintainer (see
<a href="https://research.swtch.com/xz-timeline">Russ Cox’s excellent timeline</a>) and which is unfortunately too common in the
Open-Source world generally.</p>

<p id="p-14" class="p1"><span class="h2">Goal: Benchmarking</span> ·
Efficiency is an aspect of quality, and I think it would be perfectly reasonable for OSQI to engage in
benchmarking and optimization. There’s a non-obvious reason for this: <b>#XZ</b> was unmasked when a Postgres specialist noticed
performance problems.</p>

<p>I think that in general, if you’re a bad person trying to backdoor an Open-Source package, it’s going to
be hard to do without introducing performance glitches. I’ve
<a href="/ongoing/When/202x/2021/05/15/Testing-in-2021#p-13">long advocated</a> that unit and/or integration tests should
include a benchmark or two, just to avert well-intentioned performance regressions; if they handicap bad guys too, that’s a
bonus.</p>

<p id="p-15" class="p1"><span class="h2">Goal: Education and evangelism</span> ·
OSQI staff will develop a deep shared pool of expertise in making Open-Source software safer and better, and
specifically in detecting and repelling multiple attack flavors. They should share it! Blogs, conferences, whatever. It even
occurred to me that it might make sense to structure OSQI as an educational institution; standalone or as a grad college of
something existing.</p>

<p>But what I’m talking about isn’t refereed JACM papers, but what my Dad, a Professor of Agriculture, called “Extension”:
Bringing the results of research directly to practitioners.</p>

<p id="p-16" class="p1"><span class="h2">Non-goal: Making standards</span> ·
The world has enough standards organizations. I could see individual OSQI employees pitching in, though, at the IETF or IEEE
or W3C or wherever, with work on Infosec standards.</p>

<p>Which brings me to…</p>

<p id="p-17" class="p1"><span class="h2">Non-goal: Litigation</span> ·
Or really any other enforcement-related activity. OSQI exists to fix problems, build tools, and share lessons. This is going
to be easier if nobody (except attackers) sees them as a threat, and if staff don’t have to think about how their work and
findings will play out in court.</p>

<p>And a related non-goal…</p>

<p id="p-18" class="p1"><span class="h2">Non-goal: Licensing</span> ·
The intersection between the class of people who’d make good OSQI engineers and those who care about Open-Source
licenses is, thankfully, very small. I think OSQI should accept the license landscape that exists and work hard to avoid
thinking about its theology.</p>

<p id="p-19" class="p1"><span class="h2">Non-goal: Certification</span> ·
Once OSQI exists, the notion of “OSQI-approved” might arise. But it’d be a mistake;
OSQI should be an <em>engineering</em> organization; the cost (measured by required bureaucracy) to perform certification would
be brutal.</p>

<p id="p-20" class="p1"><span class="h2">Goal: Transparency</span> ·
OSQI can’t afford to have any secrets, with the sole exception of freshly-discovered but still-undisclosed
vulnerabilities. And when those vulnerabilities are disclosed, the story of their discovery and characterization needs to be
shared entirely and completely. This feels like a bare-minimum basis for building the level of trust that will be
required.</p>

<p id="p-21" class="p1"><span class="h2">Necessary paranoia</span> ·
I discussed above why OSQI might be a nice place to work. There will be a downside, though; you’ll lose a certain amount of
privacy. Because if OSQI succeeds, it will become a super-high-value target for our adversaries. In the natural course of
affairs, many employees would become committers on popular packages, increasing their attractiveness as targets for bribes or
blackmail.</p>

<p>I recall once, a very senior security leader at an Internet giant saying to me “We have thousands of engineers, and my job
requires me to believe that at least one of them also has another employer.”</p>

<p>So I think OSQI needs to employ a small number of paranoid traditional-security (not Infosec) experts to keep an eye on their
colleagues, audit their finances, and just be generally suspicious. These people would also
worry about OSQI’s physical and network security. Because attackers gonna attack.</p>

<p id="p-22" class="p1"><span class="h2">Pronunciation</span> ·
Rhymes with “bosky”, of course. Also, people who work there are OSQIans. I’ve grabbed “osqi.org” and will cheerfully donate it
in the long-shot case that this idea gets traction.</p>

<p id="p-24" class="p1"><span class="h2">Are you serious?</span> ·
Yeah. Except for, I no longer speak with the voice of a powerful employer.</p>

<p>Look: For
better or for worse, Open Source won. <i>[Narrator: Obviously, for better.]</i> That means it has become crucial civilizational
infrastucture, which governments should actively support and maintain, just like roads and dams and power grids.</p>

<p>It’s not so much that OSQI, or something
like it, is a good idea; it’s that <em>not</em> trying to achieve these goals, in 2024, is dangerous and insane.</p>
</article>


<hr>

<footer>
<p>
<a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
</svg> Accueil</a> •
<a href="/david/log/" title="Accès au flux RSS"><svg class="icon icon-rss2">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-rss2"></use>
</svg> Suivre</a> •
<a href="http://larlet.com" title="Go to my English profile" data-instant><svg class="icon icon-user-tie">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-user-tie"></use>
</svg> Pro</a> •
<a href="mailto:david%40larlet.fr" title="Envoyer un courriel"><svg class="icon icon-mail">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-mail"></use>
</svg> Email</a> •
<abbr class="nowrap" title="Hébergeur : Alwaysdata, 62 rue Tiquetonne 75002 Paris, +33184162340"><svg class="icon icon-hammer2">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-hammer2"></use>
</svg> Légal</abbr>
</p>
<template id="theme-selector">
<form>
<fieldset>
<legend><svg class="icon icon-brightness-contrast">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-brightness-contrast"></use>
</svg> Thème</legend>
<label>
<input type="radio" value="auto" name="chosen-color-scheme" checked> Auto
</label>
<label>
<input type="radio" value="dark" name="chosen-color-scheme"> Foncé
</label>
<label>
<input type="radio" value="light" name="chosen-color-scheme"> Clair
</label>
</fieldset>
</form>
</template>
</footer>
<script src="/static/david/js/instantpage-5.1.0.min.js" type="module"></script>
<script>
function loadThemeForm(templateName) {
const themeSelectorTemplate = document.querySelector(templateName)
const form = themeSelectorTemplate.content.firstElementChild
themeSelectorTemplate.replaceWith(form)

form.addEventListener('change', (e) => {
const chosenColorScheme = e.target.value
localStorage.setItem('theme', chosenColorScheme)
toggleTheme(chosenColorScheme)
})

const selectedTheme = localStorage.getItem('theme')
if (selectedTheme && selectedTheme !== 'undefined') {
form.querySelector(`[value="${selectedTheme}"]`).checked = true
}
}

const prefersColorSchemeDark = '(prefers-color-scheme: dark)'
window.addEventListener('load', () => {
let hasDarkRules = false
for (const styleSheet of Array.from(document.styleSheets)) {
let mediaRules = []
for (const cssRule of styleSheet.cssRules) {
if (cssRule.type !== CSSRule.MEDIA_RULE) {
continue
}
// WARNING: Safari does not have/supports `conditionText`.
if (cssRule.conditionText) {
if (cssRule.conditionText !== prefersColorSchemeDark) {
continue
}
} else {
if (cssRule.cssText.startsWith(prefersColorSchemeDark)) {
continue
}
}
mediaRules = mediaRules.concat(Array.from(cssRule.cssRules))
}

// WARNING: do not try to insert a Rule to a styleSheet you are
// currently iterating on, otherwise the browser will be stuck
// in a infinite loop…
for (const mediaRule of mediaRules) {
styleSheet.insertRule(mediaRule.cssText)
hasDarkRules = true
}
}
if (hasDarkRules) {
loadThemeForm('#theme-selector')
}
})
</script>
</body>
</html>

+ 200
- 0
cache/2024/8ffe1e30cd3dd6446468bd6d03550457/index.md View File

@@ -0,0 +1,200 @@
title: ongoing by Tim Bray · OSQI
url: https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI
hash_url: 8ffe1e30cd3dd6446468bd6d03550457
archive_date: 2024-04-04
og_image: https://www.tbray.org/ongoing/misc/podcast-default.jpg
description:
favicon: https://www.tbray.org/favicon.ico
language: en_US

<p itemprop="description">I propose the formation of one or more “Open Source Quality Institutes”. An OSQI is a public-sector organization that
employs software engineers. Its mission would be to improve the quality, and especially safety, of popular
Open-Source software.</p>

<p id="p-5" class="p1"><span class="h2">Why?</span> ·
The
<a href="https://en.wikipedia.org/wiki/XZ_utils_backdoor">XZ-Utils backdoor</a> (let’s just say <b>#XZ</b>) launched the train
of thought that led me
to this idea. If you read the story, it becomes obvious that the key vulnerability wasn’t technical, it was the fact that a
whole lot of Open-Source software is on the undermaintained-to-neglected axis, because there’s no business case for paying people
to take care of it. Which is a problem, because there is a <em>strong</em> business case for paying people to attack it.</p>

<p>There are other essential human activities that lack a business case, for example tertiary education,
potable water quality, and financial regulation. For these, we create non-capitalist constructs such as Universities and
Institutes and Agencies, because society needs these things done even if nobody can make money doing them.</p>

<p>I think we need to be paying more attention to the quality generally, and safety especially, of the Open-Source software
that has become the underlying platform for, more or less, our civilization. Thus OSQI.</p>

<p id="p-6" class="p1"><span class="h2">They’re out to get us</span> ·
For me, the two big lessons from <b>#XZ</b> were first, the lack of resources supporting crucial Open-Source infrastructure,
but then and especially, the
demonstration that the attackers are numerous, skilled <em>and patient</em>. We already knew about numerous and skilled but this
episode, where
the attacker was already well-embedded in the project
<a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00562.html">by May 2022</a>, opened a few eyes, including
mine.</p>

<p>The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is
incalculable. <b>#XZ</b> was the one we caught; how many have we missed?</p>

<p id="p-7" class="p1"><span class="h2">What’s OSQI?</span> ·
It’s an organization created by a national government. Obviously, more nations than one could have an OSQI.</p>

<p>The vast majority of the staff would be relatively-senior
software
engineers, with a small percentage of paranoid nontechnical security people
(see
<a href="OSQI#p-21">below</a>). You could do a lot with as few as 250 people, and
the burdened cost would be trivial for a substantial government.</p>

<p>Since it is a matter of obvious fact that every company in the
world with revenue of a billion or more is existentially dependent on Open Source, it would be reasonable to impose a levy of,
say, 0.1% of revenue on all such companies, to help support this work. The money needn’t be a problem.</p>

<p id="p-8" class="p1"><span class="h2">Structure</span> ·
The selection of software packages that would get OSQI attention would be left to the organization, although there would be
avenues for anyone to request coverage. The engineering organization could be relatively flat, most people giving individual
attention to individual projects, then also ad-hoc teams forming for tool-building or crisis-handling when something like
<b>#XZ</b> blows up.</p>

<p id="p-10" class="p1"><span class="h2">Why would anyone work there?</span> ·
The pay would be OK; less than you’d make at Google or Facebook, but a decent civil-service salary. There would be no
suspicion that your employer is trying to enshittify anything; in fact, you’d start work in the morning confident that you’re
trying to improve the world. The default work mode would be remote, so you could live somewhere a not-quite-Google salary would
support a very comfortable way of life. There would be decent vacations and benefits and
(<em>*gasp*</em>) a pension.</p>

<p>And there is a certain class of person who would find everyday joy in peeking and poking and polishing
Open-Source packages that are depended on by millions of programmers and (indirectly) billions of humans. A couple of decades
ago I would have been one.</p>

<p>I don’t think recruiting would be a problem.</p>

<p>So, what are OSQI’s goals and non-goals?</p>

<p id="p-11" class="p1"><span class="h2">Goal: Safety</span> ·
This has to come first. If all OSQI accomplishes is the foiling of a few <b>#XZ</b>-flavor attacks, and life becoming harder
for people making them, that’s just fine.</p>

<p id="p-12" class="p1"><span class="h2">Goal: Tool-building</span> ·
I think it’s now conventional wisdom that Open Source’s biggest attack surfaces are dependency networks and build
tools. These are big and complex problems, but let’s be bold and set a high bar:</p>

<blockquote><p>Open-Source software should be built deterministically, verifiably, and reproducibly, from signed source-code
snapshots. These snapshots should be free of generated artifacts; every item in
the snapshot should be human-written and human-readable.</p>
</blockquote>
<p>For example: As
<a href="https://mastodon.social/@kornel">Kornel</a> said,
<a href="https://mastodon.social/@kornel/112187783363254917">Seriously, in retrospect, #autotools itself is a massive
supply-chain security risk.</a> No kidding! But then everyone says “What are you gonna do, it’s wired into everything.”</p>

<p>There are alternatives; I know of
<a href="https://cmake.org">CMake</a> and
<a href="https://mesonbuild.com">Meson</a>. Are they good enough? I don’t know. Obviously, GNU AutoHell can’t be swept out of
all of the fœtid crannies where it lurks and festers, but every project from which it is scrubbed will present less
danger to the world.
I believe OSQI would have the scope to make real progress on this front.</p>

<p id="p-13" class="p1"><span class="h2">Non-goal: Features</span> ·
OSQI should never invest engineering resources in adding cool features to Open-Source packages (with the possible exception
of build-and-test tools). The Open-Source community is bursting with new-features energy, most coming from people who either
want to scratch their own itch or are facing a real blockage at work. They are way better positioned to make those improvements
than anyone at OSQI.</p>

<p id="p-23" class="p1"><span class="h2">Goal: Maintenance</span> ·
Way too many deep-infra packages grow increasingly unmaintained as people age and become busy and tired and sick and dead. As I
was writing this, a
<a href="https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes">plea for help</a> came across my radar from Sebastian
Pipping, the excellent but unsupported and unfunded maintainer of
<a href="https://github.com/libexpat/libexpat/tree/R_2_6_2">Expat</a>, the world’s most popular XML parser.</p>

<p>And yeah, he’s part of a trend, one that notably included the now-infamous
<a href="https://en.wikipedia.org/wiki/XZ_Utils">XZ-Utils</a> package.</p>

<p>And so I think one useful task for OSQI would be taking over (ideally partial) maintenance duties for a lot of Open-Source projects
that have a high ratio of adoption to support. In some cases it would have to take a lower-intensity form, let’s call it “life
support”, where OSQI deals with vulnerability reports but flatly refuses to address any requests for features no matter how
trivial, and rejects all PRs unless they come from someone who’s willing to take on part of the maintenance load.</p>

<p>One benefit of having paid professionals doing this is that they will blow off the kind of social-engineering harassment that
the <b>#XZ</b> attacker inflicted on the XZ-Utils maintainer (see
<a href="https://research.swtch.com/xz-timeline">Russ Cox’s excellent timeline</a>) and which is unfortunately too common in the
Open-Source world generally.</p>

<p id="p-14" class="p1"><span class="h2">Goal: Benchmarking</span> ·
Efficiency is an aspect of quality, and I think it would be perfectly reasonable for OSQI to engage in
benchmarking and optimization. There’s a non-obvious reason for this: <b>#XZ</b> was unmasked when a Postgres specialist noticed
performance problems.</p>

<p>I think that in general, if you’re a bad person trying to backdoor an Open-Source package, it’s going to
be hard to do without introducing performance glitches. I’ve
<a href="/ongoing/When/202x/2021/05/15/Testing-in-2021#p-13">long advocated</a> that unit and/or integration tests should
include a benchmark or two, just to avert well-intentioned performance regressions; if they handicap bad guys too, that’s a
bonus.</p>

<p id="p-15" class="p1"><span class="h2">Goal: Education and evangelism</span> ·
OSQI staff will develop a deep shared pool of expertise in making Open-Source software safer and better, and
specifically in detecting and repelling multiple attack flavors. They should share it! Blogs, conferences, whatever. It even
occurred to me that it might make sense to structure OSQI as an educational institution; standalone or as a grad college of
something existing.</p>

<p>But what I’m talking about isn’t refereed JACM papers, but what my Dad, a Professor of Agriculture, called “Extension”:
Bringing the results of research directly to practitioners.</p>

<p id="p-16" class="p1"><span class="h2">Non-goal: Making standards</span> ·
The world has enough standards organizations. I could see individual OSQI employees pitching in, though, at the IETF or IEEE
or W3C or wherever, with work on Infosec standards.</p>

<p>Which brings me to…</p>

<p id="p-17" class="p1"><span class="h2">Non-goal: Litigation</span> ·
Or really any other enforcement-related activity. OSQI exists to fix problems, build tools, and share lessons. This is going
to be easier if nobody (except attackers) sees them as a threat, and if staff don’t have to think about how their work and
findings will play out in court.</p>

<p>And a related non-goal…</p>

<p id="p-18" class="p1"><span class="h2">Non-goal: Licensing</span> ·
The intersection between the class of people who’d make good OSQI engineers and those who care about Open-Source
licenses is, thankfully, very small. I think OSQI should accept the license landscape that exists and work hard to avoid
thinking about its theology.</p>

<p id="p-19" class="p1"><span class="h2">Non-goal: Certification</span> ·
Once OSQI exists, the notion of “OSQI-approved” might arise. But it’d be a mistake;
OSQI should be an <em>engineering</em> organization; the cost (measured by required bureaucracy) to perform certification would
be brutal.</p>

<p id="p-20" class="p1"><span class="h2">Goal: Transparency</span> ·
OSQI can’t afford to have any secrets, with the sole exception of freshly-discovered but still-undisclosed
vulnerabilities. And when those vulnerabilities are disclosed, the story of their discovery and characterization needs to be
shared entirely and completely. This feels like a bare-minimum basis for building the level of trust that will be
required.</p>

<p id="p-21" class="p1"><span class="h2">Necessary paranoia</span> ·
I discussed above why OSQI might be a nice place to work. There will be a downside, though; you’ll lose a certain amount of
privacy. Because if OSQI succeeds, it will become a super-high-value target for our adversaries. In the natural course of
affairs, many employees would become committers on popular packages, increasing their attractiveness as targets for bribes or
blackmail.</p>

<p>I recall once, a very senior security leader at an Internet giant saying to me “We have thousands of engineers, and my job
requires me to believe that at least one of them also has another employer.”</p>

<p>So I think OSQI needs to employ a small number of paranoid traditional-security (not Infosec) experts to keep an eye on their
colleagues, audit their finances, and just be generally suspicious. These people would also
worry about OSQI’s physical and network security. Because attackers gonna attack.</p>

<p id="p-22" class="p1"><span class="h2">Pronunciation</span> ·
Rhymes with “bosky”, of course. Also, people who work there are OSQIans. I’ve grabbed “osqi.org” and will cheerfully donate it
in the long-shot case that this idea gets traction.</p>

<p id="p-24" class="p1"><span class="h2">Are you serious?</span> ·
Yeah. Except for, I no longer speak with the voice of a powerful employer.</p>

<p>Look: For
better or for worse, Open Source won. <i>[Narrator: Obviously, for better.]</i> That means it has become crucial civilizational
infrastucture, which governments should actively support and maintain, just like roads and dams and power grids.</p>

<p>It’s not so much that OSQI, or something
like it, is a good idea; it’s that <em>not</em> trying to achieve these goals, in 2024, is dangerous and insane.</p>

+ 238
- 0
cache/2024/b4d0d377662e30cef4e944448d41338c/index.html View File

@@ -0,0 +1,238 @@
<!doctype html><!-- This is a valid HTML5 document. -->
<!-- Screen readers, SEO, extensions and so on. -->
<html lang="en">
<!-- Has to be within the first 1024 bytes, hence before the `title` element
See: https://www.w3.org/TR/2012/CR-html5-20121217/document-metadata.html#charset -->
<meta charset="utf-8">
<!-- Why no `X-UA-Compatible` meta: https://stackoverflow.com/a/6771584 -->
<!-- The viewport meta is quite crowded and we are responsible for that.
See: https://codepen.io/tigt/post/meta-viewport-for-2015 -->
<meta name="viewport" content="width=device-width,initial-scale=1">
<!-- Required to make a valid HTML5 document. -->
<title>Everything I know about the XZ backdoor (archive) — David Larlet</title>
<meta name="description" content="Publication mise en cache pour en conserver une trace.">
<!-- That good ol' feed, subscribe :). -->
<link rel="alternate" type="application/atom+xml" title="Feed" href="/david/log/">
<!-- Generated from https://realfavicongenerator.net/ such a mess. -->
<link rel="apple-touch-icon" sizes="180x180" href="/static/david/icons2/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/static/david/icons2/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/static/david/icons2/favicon-16x16.png">
<link rel="manifest" href="/static/david/icons2/site.webmanifest">
<link rel="mask-icon" href="/static/david/icons2/safari-pinned-tab.svg" color="#07486c">
<link rel="shortcut icon" href="/static/david/icons2/favicon.ico">
<meta name="msapplication-TileColor" content="#f7f7f7">
<meta name="msapplication-config" content="/static/david/icons2/browserconfig.xml">
<meta name="theme-color" content="#f7f7f7" media="(prefers-color-scheme: light)">
<meta name="theme-color" content="#272727" media="(prefers-color-scheme: dark)">
<!-- Is that even respected? Retrospectively? What a shAItshow…
https://neil-clarke.com/block-the-bots-that-feed-ai-models-by-scraping-your-website/ -->
<meta name="robots" content="noai, noimageai">
<!-- Documented, feel free to shoot an email. -->
<link rel="stylesheet" href="/static/david/css/style_2021-01-20.css">
<!-- See https://www.zachleat.com/web/comprehensive-webfonts/ for the trade-off. -->
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<script>
function toggleTheme(themeName) {
document.documentElement.classList.toggle(
'forced-dark',
themeName === 'dark'
)
document.documentElement.classList.toggle(
'forced-light',
themeName === 'light'
)
}
const selectedTheme = localStorage.getItem('theme')
if (selectedTheme !== 'undefined') {
toggleTheme(selectedTheme)
}
</script>

<meta name="robots" content="noindex, nofollow">
<meta content="origin-when-cross-origin" name="referrer">
<!-- Canonical URL for SEO purposes -->
<link rel="canonical" href="https://boehs.org/node/everything-i-know-about-the-xz-backdoor">

<body class="remarkdown h1-underline h2-underline h3-underline em-underscore hr-center ul-star pre-tick" data-instant-intensity="viewport-all">


<article>
<header>
<h1>Everything I know about the XZ backdoor</h1>
</header>
<nav>
<p class="center">
<a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
</svg> Accueil</a> •
<a href="https://boehs.org/node/everything-i-know-about-the-xz-backdoor" title="Lien vers le contenu original">Source originale</a>
<br>
Mis en cache le 2024-04-04
</p>
</nav>
<hr>
<p><em>Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries regarding this backdoor. last updated: 5:30 EST, on April 2nd</em></p>
<p><em>Update: The GitHub page for xz has been suspended.</em></p>
<h3 id="2021" tabindex="-1">2021</h3>
<p>JiaT75 (Jia Tan) creates their GitHub account.</p>
<p>The first commits they make are not to xz, but they are deeply suspicious. Specifically, they open a PR in libarchive: <a href="https://github.com/libarchive/libarchive/pull/1609">Added error text to warning when untaring with bsdtar</a>. This commit does a little more than it says. It replaces <code>safe_fprint</code> with an unsafe variant, potentially introducing another vulnerability. The code was merged without any discussion, and <s><a href="https://github.com/libarchive/libarchive/blob/master/tar/read.c#L374-L375">lives on to this day</a></s> (<a href="https://github.com/libarchive/libarchive/pull/2101">patched</a>). libarchive should also be considered compromised until proven otherwise.</p>
<h3 id="2022" tabindex="-1">2022</h3>
<p>In April 2022, Jia Tan submitted a patch via a mailing list. The contents of the patch are not relevant, but the events that follow are. A new persona — <em>Jigar Kumar</em> — enters, and begins <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00565.html">pressuring</a> for this patch to be merged.</p>
<p>Soon after, <em>Jigar Kumar</em> <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00566.html">begins</a> pressuring <em>Lasse Collin</em> to add another maintainer to XZ. In the fallout, there is much to learn about mental health in open source.</p>
<p>Three days after the emails pressuring <em>Lasse Collin</em> to add another maintainer, JiaT75 makes their first commit to xz: <a href="https://git.tukaani.org/?p=xz.git;a=commitdiff;h=aa75c5563a760aea3aa23d997d519e702e82726b">Tests: Created tests for hardware functions.</a>. Since this commit, they become a regular contributor to xz (they are currently the second most active). It’s unclear exactly when they became trusted in this repository.</p>
<p><em>Jigar Kumar</em> is <a href="https://www.mail-archive.com/search?l=xz-devel@tukaani.org&amp;q=Kumar&amp;x=0&amp;y=0">never seen again</a>. Another account — <a href="https://www.mail-archive.com/search?l=xz-devel@tukaani.org&amp;q=from:%22Dennis+Ens%22">Dennis Ens</a> also participates in pressure, with a similar name+number formatted email. This account is also never seen outside of xz discussion, and neither have any associated accounts that have been discovered.</p>
<article class="mastodon-embed"><div><img src="https://files.mastodon.social/accounts/avatars/000/023/457/original/ad501ceca43dd473.png"><div><strong><a href="https://mastodon.social/@glyph/112180922900094371">Glyph</a></strong> <sup>@glyph@mastodon.social</sup></div></div><p></p><p><span class="h-card" translate="no"><a href="https://social.coop/@eb" class="u-url mention">@<span>eb</span></a></span> I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html" target="_blank" rel="nofollow noopener noreferrer" translate="no"><span class="invisible">https://www.</span><span class="ellipsis">mail-archive.com/xz-devel@tuka</span><span class="invisible">ani.org/msg00567.html</span></a></p><p></p><p><sup>Mar 29, 2024, 20:43</sup> <sup>624 retoots</sup></p></article>
<h3 id="2023" tabindex="-1">2023</h3>
<p>JiaT75 merges their first commit <a href="https://github.com/tukaani-project/xz/pull/7">on Jan 7, 2023</a>, which gives us a good indication of when they fully gain trust.</p>
<p>In March, the primary contact email in Google’s oss-fuzz is <a href="https://github.com/JiaT75/oss-fuzz/commit/6403e93344476972e908ce17e8244f5c2b957dfd">updated</a> to be Jia’s, instead of <em>Lasse Collin</em>.</p>
<p>Testing infrastructure that will be used in this exploit is committed. Despite <em>Lasse Collin</em> being attributed as the author for this, <em>Jia Tan</em> committed it, and it was originally written by <em>Hans Jansen</em> in June:</p>
<p><em>Hans Jansen</em>’s account was seemingly made specifically to create this pull request. There is very little activity before and after. They will later push for the compromised version of XZ to be included in Debian.</p>
<p>In July, <a href="https://github.com/google/oss-fuzz/pull/10667">a PR</a> was opened in oss-fuzz to disable ifunc for fuzzing builds, due to issues introduced by the changes above. This appears to be deliberate to mask the malicious changes that will be introduced soon. Also, JiaT75 opened an <a href="https://github.com/llvm/llvm-project/issues/63957">issue</a> about a warning in clang that, while indeed incorrect, drew attention to ifuncs.</p>
<h3 id="2024" tabindex="-1">2024</h3>
<p>A pull request for Google’s <a href="https://github.com/google/oss-fuzz/pull/11587">oss-fuzz is opened</a> that changes the URL for the project from <a href="http://tukaani.org/xz/">tukaani.org/xz/</a> to <a href="http://xz.tukaani.org/xz-utils/">xz.tukaani.org/xz-utils/</a>. <a href="http://tukaani.org">tukaani.org</a> is hosted at <code>5.44.245.25</code> in Finland, at <a href="https://www.zoner.fi/">this</a> hosting company. The <code>xz</code> subdomain, meanwhile, points to GitHub pages. This furthers the amount of control Jia has over the project.</p>
<p>A commit containing the final steps required to execute this backdoor is added to the repository:</p>
<h4 id="the-discovery" tabindex="-1">The discovery</h4>
<p>An email is sent to the oss-security mailing list: <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">backdoor in upstream xz/liblzma leading to ssh server compromise</a>, announcing this discovery, and doing it’s best to explain the exploit chain.</p>
<article class="mastodon-embed"><p></p><p>I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of cpu time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.</p><p>Really required a lot of coincidences.</p><p></p><p><sup>Mar 29, 2024, 18:32</sup> <sup>858 retoots</sup></p></article>
<p>A <a href="https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27">gist</a> has been published with a great high-level technical overview and a “what you need to know”</p>
<p>In addition to the gist and the email above, several analysis attempts have begun emerging:</p>
<h4 id="a-sudden-push-for-inclusion" tabindex="-1">A sudden push for inclusion</h4>
<p>A request for the vulnerable version to be included in Debian is opened by Hans:</p>
<p>This request was opened the <a href="https://salsa.debian.org/hjansen">same week</a> Hans’ Debian GitLab account was created. The account created a few similar “update” requests in various low-traffic repositories to build credibility, after asking for this one.</p>
<p>Several other, suspicious, anonymous name+number accounts with little former activity also push for its inclusion, including <em>misoeater91</em> and <em>krygorin4545</em>. <em>krygorin4545</em>’s PGP key was made 2 days before joining the discussion.</p>
<blockquote><p>Also seeing this bug. Extra valgrind output causes some failed tests for me. Looks like the new version will resolve it. Would like this new version so I can continue work.</p></blockquote>
<blockquote><p>I noticed this last week and almost made a Valgrind bug. Glad to see it being fixed.<br>Thanks Hans!</p></blockquote>
<p>The Valgrind bugs mentioned were <em>introduced</em> by this malicious injection, as noted in the email to OSS-Security:</p>
<blockquote><p>Subsequently the injected code (more about that below) caused valgrind errors and crashes in some configurations, due to the stack layout differing from what the backdoor was expecting. These issues were attempted to be worked around in 5.6.1:</p></blockquote>
<p>A <a href="https://github.com/jamespfennell/xz/pull/2">pull request</a> to a go library by a 1Password employee is opened asking to upgrade the library to the vulnerable version, however, it was all unfortunate timing. 1Password reached out by email referring me to this <a href="https://github.com/jamespfennell/xz/pull/2#issuecomment-2027836356">comment</a>, and everything seems to check out.</p>
<p>A Fedora contributor <a href="https://news.ycombinator.com/item?id=39866275">states</a> that <em>Jia</em> was pushing for its inclusion in Fedora as it contains “great new features”</p>
<p><em>Jia Tan</em> also <a href="https://bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/2059417">attempted</a> to get it into Ubuntu days before the beta freeze.</p>
<p>A few hours after all this came out, GitHub suspended JiaT75’s account. Thanks? They also banned the repository, meaning people can no longer audit the changes made to it without resorting to mirrors. Immensely helpful, GitHub. They also <a href="https://github.com/JiaT75?tab=following">suspended</a> <em>Lasse Collin</em>’s account, which is completely disgraceful.</p>
<p>Lasse has begun reverting changes introduced by Jia, <a href="https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd14dedfe63833f8ccbe41b55823b00">including</a> one that <a href="https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2bbb81307644efdb58db2c422d9ba7">added</a> a sneaky period to disable the sandbox. They also have published a FAQ that begins to explain the situation: <a href="https://tukaani.org/xz-backdoor/">XZ Utils backdoor</a></p>
<h3 id="osint" tabindex="-1">OSINT</h3>
<p>Various people have reached out to me regarding discoveries about the identity of Jia. Some of this has been incorporated in the timeline, but other stuff is “timeless” so I’m putting it here:</p>
<h4 id="irc" tabindex="-1">IRC</h4>
<p>I received an email that clarified a few points and provided new insight into the situation.</p>
<p>“Jia Tan” was present on the #tukaani IRC channel on Libera.Chat. A /whois revealed their connecting IP and activity on March 29th.</p>
<pre><code>[libera] -!- jiatan [~jiatan@185.128.24.163]
[libera] -!- was : Jia Tan
[libera] -!- hostname : 185.128.24.163
[libera] -!- account : jiatan
[libera] -!- server : tungsten.libera.chat [Fri Mar 29 14:47:40 2024]
[libera] -!- End of WHOWAS
</code></pre>
<p>Running a Nmap on the IP shows a lot of open ports, which probably indicates a proxy, hosting provider, or something of the sort. The IP is from Singapore.</p>
<p>Further research shows that this IP belongs to Witopia VPN, so it’s not entirely indicative of a region. Given the timezone, however, I feel like proximity becomes plausible.</p>
<h4 id="important-notes-on-linkedin" tabindex="-1">Important notes on LinkedIn</h4>
<p>I have received a few emails alerting me to a LinkedIn of somebody named <em>Jia Tan</em>. Their bio boasts of <em>large-scale vulnerability management</em>. They claim to live in California. Is this our man? The commits on JiaT75’s GitHub are set to +0800, which would not indicate presence in California. UTC-0800 would be California. Most of the commits <a href="https://play.clickhouse.com/play?user=play#U0VMRUNUIHRvSG91cihjcmVhdGVkX2F0KSBBUyBob3VyLCBjb3VudCgqKSBGUk9NIGdpdGh1Yl9ldmVudHMgV0hFUkUgYWN0b3JfbG9naW49J0ppYVQ3NScgR1JPVVAgQlkgaG91ciBPUkRFUiBCWSBob3Vy">were made</a> between UTC 12-17, which is awfully early for California. In my opinion, there is no sufficient evidence that the LinkedIn being discussed is our man. I think identity theft is more likely, but I am of course open to more evidence.</p>
<h4 id="discoveries-in-the-git-logs" tabindex="-1">Discoveries in the Git logs</h4>
<p>I received an email from <a href="https://github.com/minhuw">Minhu Wang</a> who investigated the Git log, and found one instance where Jia’s username was different:</p>
<pre class="language-bash"><code class="language-bash">$ <span class="token function">git</span> shortlog <span class="token parameter variable">--summary</span> <span class="token parameter variable">--numbered</span> <span class="token parameter variable">--email</span> <span class="token operator">|</span> <span class="token function">grep</span> jiat0218@gmail.com
<span class="token number">273</span> Jia Tan <span class="token operator">&lt;</span>jiat0218@gmail.com<span class="token operator">&gt;</span>
<span class="token number">2</span> jiat75 <span class="token operator">&lt;</span>jiat0218@gmail.com<span class="token operator">&gt;</span>
<span class="token number">1</span> Jia Cheong Tan <span class="token operator">&lt;</span>jiat0218@gmail.com<span class="token operator">&gt;</span></code></pre>
<p>They found this particularly interesting as <code>Cheong</code> is new information. I’ve now learned from another source that <em>Cheong</em> isn’t Mandarin, it’s Cantonese. This source theorizes that Cheong is a variant of the 張 surname, as “eong” matches Jyutping (a Cantonese romanisation standard), and “Cheung” is pretty common in Hong Kong as an official surname romanisation. A third source has alerted me that “Jia” is Mandarin (as Cantonese rarely uses <code>J</code> and especially not <code>Ji</code>). The <code>Tan</code> last name is <em>possible</em> in Mandarin but is most common for the Hokkien Chinese dialect pronunciation of the character 陳 (Cantonese: Chan, Mandarin: Chen). It’s most likely our actor just mashed plausible-sounding Chinese names together.</p>
<p>Furthermore, an <a href="https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and">independent analysis</a> of commit timings concludes that the perpetrator worked “Office Hours” in a UTC+02/03 timezone. It’s particularly notable that they worked through the Lunar New Year, and did not work on some notable Eastern European holidays, including Christmas and New Year. I have, however, been presented with a differing view, which you can read <a href="https://lunduke.locals.com/post/5467061/xz-backdoor-i-did-a-more-thorough-analysis-and-i-changed-my-mind-again-specifically-i-compar">here</a>.</p>
</article>


<hr>

<footer>
<p>
<a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
</svg> Accueil</a> •
<a href="/david/log/" title="Accès au flux RSS"><svg class="icon icon-rss2">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-rss2"></use>
</svg> Suivre</a> •
<a href="http://larlet.com" title="Go to my English profile" data-instant><svg class="icon icon-user-tie">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-user-tie"></use>
</svg> Pro</a> •
<a href="mailto:david%40larlet.fr" title="Envoyer un courriel"><svg class="icon icon-mail">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-mail"></use>
</svg> Email</a> •
<abbr class="nowrap" title="Hébergeur : Alwaysdata, 62 rue Tiquetonne 75002 Paris, +33184162340"><svg class="icon icon-hammer2">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-hammer2"></use>
</svg> Légal</abbr>
</p>
<template id="theme-selector">
<form>
<fieldset>
<legend><svg class="icon icon-brightness-contrast">
<use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-brightness-contrast"></use>
</svg> Thème</legend>
<label>
<input type="radio" value="auto" name="chosen-color-scheme" checked> Auto
</label>
<label>
<input type="radio" value="dark" name="chosen-color-scheme"> Foncé
</label>
<label>
<input type="radio" value="light" name="chosen-color-scheme"> Clair
</label>
</fieldset>
</form>
</template>
</footer>
<script src="/static/david/js/instantpage-5.1.0.min.js" type="module"></script>
<script>
function loadThemeForm(templateName) {
const themeSelectorTemplate = document.querySelector(templateName)
const form = themeSelectorTemplate.content.firstElementChild
themeSelectorTemplate.replaceWith(form)

form.addEventListener('change', (e) => {
const chosenColorScheme = e.target.value
localStorage.setItem('theme', chosenColorScheme)
toggleTheme(chosenColorScheme)
})

const selectedTheme = localStorage.getItem('theme')
if (selectedTheme && selectedTheme !== 'undefined') {
form.querySelector(`[value="${selectedTheme}"]`).checked = true
}
}

const prefersColorSchemeDark = '(prefers-color-scheme: dark)'
window.addEventListener('load', () => {
let hasDarkRules = false
for (const styleSheet of Array.from(document.styleSheets)) {
let mediaRules = []
for (const cssRule of styleSheet.cssRules) {
if (cssRule.type !== CSSRule.MEDIA_RULE) {
continue
}
// WARNING: Safari does not have/supports `conditionText`.
if (cssRule.conditionText) {
if (cssRule.conditionText !== prefersColorSchemeDark) {
continue
}
} else {
if (cssRule.cssText.startsWith(prefersColorSchemeDark)) {
continue
}
}
mediaRules = mediaRules.concat(Array.from(cssRule.cssRules))
}

// WARNING: do not try to insert a Rule to a styleSheet you are
// currently iterating on, otherwise the browser will be stuck
// in a infinite loop…
for (const mediaRule of mediaRules) {
styleSheet.insertRule(mediaRule.cssText)
hasDarkRules = true
}
}
if (hasDarkRules) {
loadThemeForm('#theme-selector')
}
})
</script>
</body>
</html>

+ 19
- 0
cache/2024/b4d0d377662e30cef4e944448d41338c/index.md
File diff suppressed because it is too large
View File


+ 6
- 0
cache/2024/index.html View File

@@ -308,12 +308,18 @@
<li><a href="/david/cache/2024/c2a852eced710f481135a1f61cb67a26/" title="Accès à l’article dans le cache local : Why should a company? · Applied Cartography">Why should a company? · Applied Cartography</a> (<a href="https://jmduke.com/posts/microblog/why-should-a-company/" title="Accès à l’article original distant : Why should a company? · Applied Cartography">original</a>)</li>
<li><a href="/david/cache/2024/b4d0d377662e30cef4e944448d41338c/" title="Accès à l’article dans le cache local : Everything I know about the XZ backdoor">Everything I know about the XZ backdoor</a> (<a href="https://boehs.org/node/everything-i-know-about-the-xz-backdoor" title="Accès à l’article original distant : Everything I know about the XZ backdoor">original</a>)</li>
<li><a href="/david/cache/2024/2cbc47f0ebded9d54fe6163fa4ea0667/" title="Accès à l’article dans le cache local : Where I’m at on the whole CSS-Tricks thing">Where I’m at on the whole CSS-Tricks thing</a> (<a href="https://chriscoyier.net/2024/02/28/where-im-at-on-the-whole-css-tricks-thing/" title="Accès à l’article original distant : Where I’m at on the whole CSS-Tricks thing">original</a>)</li>
<li><a href="/david/cache/2024/8ffe1e30cd3dd6446468bd6d03550457/" title="Accès à l’article dans le cache local : ongoing by Tim Bray · OSQI">ongoing by Tim Bray · OSQI</a> (<a href="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI" title="Accès à l’article original distant : ongoing by Tim Bray · OSQI">original</a>)</li>
<li><a href="/david/cache/2024/e8748af541273328d9aa9f1aeb1087b2/" title="Accès à l’article dans le cache local : Redeployment Part Three">Redeployment Part Three</a> (<a href="https://brr.fyi/posts/redeployment-part-three" title="Accès à l’article original distant : Redeployment Part Three">original</a>)</li>
<li><a href="/david/cache/2024/55477786fc56b6fc37bb97231b634d90/" title="Accès à l’article dans le cache local : Fabrique : concept">Fabrique : concept</a> (<a href="https://www.quaternum.net/2023/06/02/fabrique-concept/" title="Accès à l’article original distant : Fabrique : concept">original</a>)</li>
<li><a href="/david/cache/2024/14da9039de50c54f159f333ea3dc73f1/" title="Accès à l’article dans le cache local : Bullying in Open Source Software Is a Massive Security Vulnerability">Bullying in Open Source Software Is a Massive Security Vulnerability</a> (<a href="https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/" title="Accès à l’article original distant : Bullying in Open Source Software Is a Massive Security Vulnerability">original</a>)</li>
<li><a href="/david/cache/2024/d9c30865dde8c88394ba054836a18ae3/" title="Accès à l’article dans le cache local : Designing a JavaScript Plugin System">Designing a JavaScript Plugin System</a> (<a href="https://css-tricks.com/designing-a-javascript-plugin-system/" title="Accès à l’article original distant : Designing a JavaScript Plugin System">original</a>)</li>
<li><a href="/david/cache/2024/6b26bff7f4772cf8fb78878ff4f9594f/" title="Accès à l’article dans le cache local : command center: Simplicity">command center: Simplicity</a> (<a href="https://commandcenter.blogspot.com/2023/12/simplicity.html" title="Accès à l’article original distant : command center: Simplicity">original</a>)</li>

Loading…
Cancel
Save