this post was submitted on 09 Apr 2024
28 points (96.7% liked)
Rust
5979 readers
109 users here now
Welcome to the Rust community! This is a place to discuss about the Rust programming language.
Wormhole
Credits
- The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I'm going to be honest, I'm getting a little tired of hearing everyone's thoughts on the xz backdoor. It's discouraging and sucks when every detail of the project which, keep in mind, was maintained by one person who fell victim to a social engineering attack, is scrutinized. It makes me concerned about anyone depending on any of my projects.
Especially the comments on things such as the build scripts, which this kind of article seems to gravitate towards. If the build scripts were tiny and checked then the attack vector would have just been different, I'm not even too sure the language mattered. The attack was social engineering, after that it was pretty much project agnostic. xz was targeted cause the maintainer was done working on it and it was heavily depended on.
I think this article has a more thoughtful take than most I have read on the subject. In particular, I agree that we need to move away from the bazaar model and back towards the cathedral model, at least for critical software (he suggests smaller projects being adopted into larger, better funded and maintained consolidations). Another key observation is that a lack of activity does not mean a project is abandoned - it may just be feature complete. The flip side of that is, I think, that it is okay for projects to say "this is done" and resist the urge to expand into new areas and add endless complexity and dubious features.