• CameronDev@programming.dev
    link
    fedilink
    arrow-up
    3
    ·
    7 months ago

    To be fair, we only know of this one. There may well be other open source backdoors floating around with no detection. Was heartbleed really an accident?

    • lemmyreader@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      True. And the “given enough eyeballs, all bugs are shallow” is a neat sounding thing from the past when the amount of code lines was not as much as now. Sometimes it is scary to see how long a vulnerability in the Linux kernel had been there for years, “waiting” to be exploited.

      • RecluseRamble@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        Still far better than a proprietary kernel made by a tech corp, carried hardly changed from release to release, even fewer people maintain, and if they do they might well be adding a backdoor themselves for their government agency friends.

    • xenoclast@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      7 months ago

      Yeah he didn’t find the right unmaintained project. There are many many many cs undergrads starting projects that will become unmaintained pretty soon.

  • Codex@lemmy.world
    link
    fedilink
    arrow-up
    2
    ·
    7 months ago

    I’ve gotten back into tinkering on a little Rust game project, it has about a dozen dependencies on various math and gamedev libraries. When I go to build (just like with npm in my JavaScript projects) cargo needs to download and build just over 200 projects. 3 of them build and run “install scripts” which are just also rust programs. I know this because my anti-virus flagged each of them and I had to allow them through so my little roguelike would build.

    Like, what are we even suppose to tell “normal people” about security? “Yeah, don’t download files from people you don’t trust and never run executables from the web. How do I install this programming utility? Blindly run code from over 300 people and hope none of them wanted to sneak something malicious in there.”

    I don’t want to go back to the days of hand chisling every routine into bare silicon by hand, but i feel l like there must be a better system we just haven’t devised yet.

    • wolf@lemmy.zip
      link
      fedilink
      English
      arrow-up
      2
      ·
      7 months ago

      THIS.

      I do not get why people don’t learn from Node/NPM: If your language has no exhaustive standard library the community ends up reinventing the wheel and each real world program has hundreds of dependencies (or thousands).

      Instead of throwing new features at Rust the maintainers should focus on growing a trusted standard library and improve tooling, but that is less fun I assume.

        • wolf@lemmy.zip
          link
          fedilink
          English
          arrow-up
          2
          ·
          7 months ago

          Easily, just look at the standard libraries of Java/Python and Golang! :-P

          To get one thing out of the way: Each standard library has dark corners with bad APIs and outdated modules. IMHO it is a tradeoff, and from my experience even a bad standard library works better than everyone reinvents their small module. If you want to compare it to human languages: Having no standard library is like agreeing on the English grammar, but everyone mostly makes up their own words, which makes communication challenging.

          My examples of missing items from the Rust standard library (correct me, if I am wrong, not a Rust user for many reasons):

          • Cross platform GUI library (see SWING/Tk)
          • Enough bits to create a server
          • Full set of data structures and algorithms
          • Full set of serialization format processing XML/JSON/YAML/CVS/INI files
          • HTTP(S) server for production with support for letsencrypt etc.

          Things I don’t know about if they are provided by a Rust standard library:

          • Go like communication channels
          • High level parallelism constructs (like Tokyo etc.)

          My point is, to provide good enough defaults in a standard library which everybody knows/are well documented and taught. If someone has special needs, they always can come up with a library. Further, if something in the standard library gets obsolete, it can easily be deprecated.

          • areyouevenreal@lemm.ee
            link
            fedilink
            arrow-up
            1
            ·
            7 months ago

            Python doesn’t have a production web server in its standard library. Neither does Java. Those are external programs or libraries. C# is the only language I know that comes with an official production grade server, and that’s still a separate package (IIS).

            Rust has a set of recommended data structures in their standard libraries too: https://doc.rust-lang.org/std/collections/index.html

            I don’t know what algorithms you are looking for so can’t answer here.

            The rest I don’t think are included in Rust. Then again they aren’t included in most languages standard libraries.

            • wolf@lemmy.zip
              link
              fedilink
              English
              arrow-up
              1
              ·
              7 months ago

              Golangs web server is production grade and used in production. (Of course everyone uses some high performance proxy like NGINX for serving static pages, that’s another story.)

              Technically you are right that java has no production web server, which I don’t like, OTOH Java has standard APIs WebServers and Spring is the defacto standard for web applications. (I totally would not mind to move Spring into the OpenJDK.)

              My point is simple: Instead of having Rust edtion 2020, 2021 etc. and tweaking the syntax ad infinitum, I’d rather have a community which invests in a good/broad standard library and good tooling.

              The only platform widely used in production w/o a big standard library is Node.js/JavaScript, mostly for historical reasons and look at the problems that Node.js has for a decade now because of the missing standard library.

        • Miaou@jlai.lu
          link
          fedilink
          arrow-up
          1
          ·
          7 months ago

          It does, but the person you reply to apparently expects a standard library to contain an ECS and a rendering engine.

    • RegalPotoo@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      7 months ago

      It’s a really wicked problem to be sure. There is work underway in a bunch of places around different approaches to this; take a look at SBoM (software bill-of-materials) and reproducible builds. Doesn’t totally address the trust issue (the malicious xz releases had good gpg signatures from a trusted contributor), but makes it easier to spot binary tampering.

      • wizzim@infosec.pub
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        7 months ago

        +1

        Shameless plug to the OSS Review Toolkit project (https://oss-review-toolkit.org/ort/) which analyze your package manager, build a dependency tree and generates a SBOM for you. It can also check for vulnerabilitiea with the help of VulnerableCode.

        It is mainly aimed at OSS Compliance though.

        (I am a contributor)

    • Killing_Spark@feddit.de
      link
      fedilink
      arrow-up
      1
      ·
      7 months ago

      Debian actually started to collect and maintain packages of the most important rust crates. You can use that as a source for cargo

    • acockworkorange@mander.xyz
      link
      fedilink
      arrow-up
      1
      ·
      7 months ago

      Do you really need to download new versions at every build? I thought it was common practice to use the oldest safe version of a dependency that offers the functionality you want. That way your project can run on less up to date systems.

      • treadful@lemmy.zip
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        Okay, but are you still going to audit 200 individual dependencies even once?

      • baseless_discourse@mander.xyz
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        7 months ago

        Most softwares do not include detailed security fixes in the change log for people to check; and many of these security fixes are in dependencies, so it is unlikely to be documented by the software available to the end user.

        So most of the time, the safest “oldest safe” version is just the latest version.

        • acockworkorange@mander.xyz
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          7 months ago

          So only protects like Debian do security backports?

          Edit: why the downvote? Is this not something upstream developers do? Security fixes on older releases?

          • Kelly@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            7 months ago

            Backports for supported versions sure,.

            That’s why there is an incentive to limit support to latest and maybe one previous release, it saves on the backporting burden.

    • trolololol@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      7 months ago

      I’m not familiar with rust but at least for java there’s a owasp plugin that tells you if you’re using an unsafe library.

    • corsicanguppy@lemmy.ca
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      6 months ago

      Like, what are we even suppose

      supposed

      to tell “normal people” about security? “Yeah, don’t download files from people you don’t trust and never run executables from the web. How do I install this programming utility? Blindly run code from over 300 people and hope none of them wanted to sneak something malicious in there.”

      You’re starting to come to an interesting realization about the state of ‘modern’ programming and the risks we saw coming 20 years ago.

      I don’t want to go back to the days […]

      You don’t need to trade convenience for safety, but having worked in OS Security I would recommend it.

      Pulling in random stuff you haven’t validated should feel really uncomfortable as a professional.

    • sus@programming.dev
      link
      fedilink
      arrow-up
      1
      ·
      7 months ago

      because AbstractTransactionAwarePersistenceManagerFactoryProxyBean needs to spin up 32 electron instances (one for each thread) to ensure scalability and robustness and then WelcomeSolutionStrategyExecutor needs to parse 300 megabytes of javascript to facilitate rendering the “welcome” screen

  • Cosmic Cleric@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    7 months ago

    The problem I have with this meme post is that it gives a false sense of security, when it should not.

    Open or closed source, human beings have to be very diligent and truly spend the time reviewing others code, even when their project leads are pressuring them to work faster and cut corners.

    This situation was a textbook example of this does not always happen. Granted, duplicity was involved, but still.

    • GamingChairModel@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      7 months ago

      100%.

      In many ways, distributed open source software gives more social attack surfaces, because the system itself is designed to be distributed where a lot of people each handle a different responsibility. Almost every open source license includes an explicit disclaimer of a warranty, with some language that says something like this:

      THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

      Well, bring together enough dependencies, and you’ll see that certain widely distributed software packages depend on the trust of dozens, if not hundreds, of independent maintainers.

      This particular xz vulnerability seems to have affected systemd and sshd, using what was a socially engineered attack on a weak point in the entire dependency chain. And this particular type of social engineering (maintainer burnout, looking for a volunteer to take over) seems to fit more directly into open source culture than closed source/corporate development culture.

      In the closed source world, there might be fewer places to probe for a weak link (socially or technically), which makes certain types of attacks more difficult. In other words, it might truly be the case that closed source software is less vulnerable to certain types of attacks, even if detection/audit/mitigation of those types of attacks is harder for closed source.

      It’s a tradeoff, not a free lunch. I still generally trust open source stuff more, but let’s not pretend it’s literally better in every way.

      • 5C5C5C@programming.dev
        link
        fedilink
        arrow-up
        0
        arrow-down
        1
        ·
        edit-2
        7 months ago

        There are two big problems with the point that you’re trying to make:

        1. There are many open source projects being run by organizations with as much (often stronger) governance over commit access as a private corporation would have over its closed source code base. The most widely used projects tend to fall under this category, like Linux, React, Angular, Go, JavaScript, and innumerable others. Governance models for a project are a very reasonable thing to consider when deciding whether to use a dependency for your application or library. There’s a fair argument to be made that the governance model of this xz project should have been flagged sooner, and hopefully this incident will help stir broader awareness for that. But unlike a closed source code base, you can actually know the governance model and commit access model of open source software. When it comes to closed source software you don’t know anything about the company’s hiring practices, background checks, what access they might provide to outsourced agents from other countries who may be compromised, etc.

        2. You’re assuming that 100% of the source code used in a closed source project was developed by that company and according to the company’s governance model, which you assume is a good one. In reality BSD/MIT licensed (and illegally GPL licensed) open source software is being shoved into closed source code bases all the time. The difference with closed source software is that you have no way of knowing that this is the case. For all you know some intern already shoved a compromised xz into some closed source software that you’re using, and since that intern is gone now it will be years before anyone in the company notices that their software has a well known backdoor sitting in it.