Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
some_furry 4 days ago

Shoring up the security of FOSS is not "killing FOSS slowly".

Closed source software doesn't get to benefit from the goodwill of the open source software community, which includes independent security researchers as well as orgs like P0.

I guess our disagreement can be distilled down to one question:

Why would an emphasis on closed source products help FOSS, and why would an emphasis on FOSS help closed source?

Because this seems backwards to me. Maybe it makes sense in public relations where vibes are more important than substance and nobody thinks for more than 100 milliseconds?

mananaysiempre 4 days ago | parent [-]

It depends on the maintainer, some of them have indeed found themselves unwilling to continue their work in part because of Project Zero.

> I just stepped down as libxslt maintainer and it's unlikely that this project will ever be maintained again. It's even more unlikely with Google Project Zero, the best white-hat security researchers money can buy, breathing down the necks of volunteers.

https://gitlab.gnome.org/GNOME/libxml2/-/issues/913

tptacek 4 days ago | parent [-]

I know it's hard to believe this given the circumstances --- that maintainer has a very good reason for stepping back, absolutely no shade to give there --- but GPZ is doing a service for these projects. The vulnerabilities they find are there whether or not Google or anybody else steps up on the implementation side. They are simple facts of the software, and it's difficult, expensive, and important to uncover those facts.

mananaysiempre 4 days ago | parent [-]

Both can be true at the same time, I think. It’s true that the vulnerabilities exist regardless of whether anyone’s reporting them, and that it’s better to know about them than not. It’s also true that almost any course of action that makes a project effectively stop existing does it a disservice, and that includes vulnerability reporting.

I’ve not really made up my mind about what happened with libxml2, to be clear. Perhaps in this world some projects really are vulnerable enough that they deserve to die. But as we see, this can entail essentially punishing people who decide to take up e.g. parsers as a hobby. And not doing that is something I feel I value higher than even security of the software ecosystem as a whole.

some_furry 3 days ago | parent [-]

There seems to be a missing component:

Some open source software becomes critical infrastructure for a large part of the Internet, and that comes with a lot of responsibility that the maintainer didn't necessarily want to sign up for. Especially when it's unpaid labor with the demands of a large tech company hammering down on them.

How can we better support the people that run these projects? How can we take pressure off of them if they don't want it?

There isn't a one-size-fits-all solution here, I don't think. But I'm sure some combination of fund open source development and fork load-bearing projects that do not wish to be encumbered is going to be necessary for a lot of the community.