The XZ Utils backdoor, discovered last week, and the Heartbleed security vulnerability ten years ago, share the same ultimate root cause. Both of them, and in fact all critical infrastructure open source projects, should be fixed with the same solution: ensure baseline funding for proper open source maintenance.\n
  • DetectiveSanity@lemmy.world
    25·
    3 months ago

    Imagine if the governments were to fund open source projects when they need and as such the benefit is available to everyone if they have no money.

    In such scenario all governments/citizens would have access to software that is good.

    • registeredusername@lemmy.worldEnglish
      161·
      3 months ago

      But but think about those poor (for profit) corporations. How can they ever afford to pay upper management million dolla paychecks without milking us dry :)

      And think about the children

      /s

    • wiki_me@lemmy.mlEnglish
      2·
      3 months ago

      My country has non profits that lobby for citizens , I wonder if there is enough motivation in the community to set something like that for FOSS, I don’t think existing non profits (FSF, OSI) will want to deal with that kind of stuff .

  • bigkahuna1986@lemmy.ml
    10·
    3 months ago

    It’s always impressive to me that instead of sending billions of dollars to Microsoft, the US government could have had an entire operating system that caters exactly to them. They could have then given back in the form of commits improving the software for the rest of us too.

  • floofloof@lemmy.caEnglish
    101·
    3 months ago

    It was a huge fluke of luck that the XZ backdoor didn’t go in any actual Linux distribution releases.

    It did get into a few, just not the ones corporations are likely to be using.

      • bort
        15·
        3 months ago

        it’s safe to assume there are similar issues in closed source. A big part of the snowden leaks was about how NSA could access lots of data at will. It wouldn’t surprise me if they also could execute code.

        Also there is stuxnet. But I am not sure, if there were intentional backdoors, or only some “natural occuring” RCE.

        • Kelly@lemmy.worldEnglish
          7·
          3 months ago

          It wouldn’t surprise me if they also could execute code.

          They sat on external blue for 5 year before it was stolen and they disclosed the vulnerability to Microsoft.

          https://en.wikipedia.org/wiki/EternalBlue

          I don’t see why we wouldn’t assume there is always something similar in their armoury.