Thought this was a good read exploring some how the “how and why” including several apparent sock puppet accounts that convinced the original dev (Lasse Collin) to hand over the baton.

  • umbrella@lemmy.ml
    link
    fedilink
    arrow-up
    45
    arrow-down
    3
    ·
    edit-2
    9 months ago

    honestly these people should be getting paid if a corporation wants to use a small one-man foss project for their own multibillion software. the lawyer types in foss could put that in GPLv5 or something whenever we feel like doing it.

    also hire more devs to help out!

    • taladar@sh.itjust.works
      link
      fedilink
      arrow-up
      24
      arrow-down
      3
      ·
      9 months ago

      If you think people are going to be trustworthy just because they are getting paid you are naive.

      • umbrella@lemmy.ml
        link
        fedilink
        arrow-up
        13
        arrow-down
        2
        ·
        edit-2
        9 months ago

        not trustworthy per se but maybe less overworked and inclined to review code more hastily, or less tired and inclined to have the worse judgement that makes such a project more vulnerable to stuff like this.

        these people maintain the basis of our entire software infrastructure thanklessly for us in between the full time jobs they need to survive, this has to change.

        as for trust in foss projects, the community will often notice bad faith code just like they just did (and very quickly this time, i might add!)

        • taladar@sh.itjust.works
          link
          fedilink
          arrow-up
          3
          ·
          9 months ago

          I guess you are using trust in a different way here. Trust in competency can vary with both volunteer and paid workers, everyone makes mistakes though. Trust that someone doesn’t do something deliberately malicious is a different matter though.

    • Dunstabzugshaubitze@feddit.de
      link
      fedilink
      arrow-up
      6
      arrow-down
      3
      ·
      9 months ago

      i can’t see how paying someone would have changed anything in this scenario.

      this seems to be a long running campaign to get someone into a position where they could introduce malicious code. the only thing different would have been that the bad actor would have been paid by someone.

      this is not to say, that people working on foss should not be paid. if anything we need more people actively reviewing code and release artifacts even if they are not a contributor or maintainer of a piece of software.

      • xionzui@sh.itjust.works
        link
        fedilink
        arrow-up
        6
        ·
        9 months ago

        i can’t see how paying someone would have changed anything in this scenario.

        we need more people actively reviewing code and release artifacts

        I think you’ve answered your own question there

        • Dunstabzugshaubitze@feddit.de
          link
          fedilink
          arrow-up
          2
          arrow-down
          3
          ·
          9 months ago

          no, the solution is not to pay someone to have someone to blame if shit happens.

          there are a bus load of people involved on the way from a git repo to actuall stuff running on a machine and everyone in that chain is responsible to have an eye on what stuff they are building/packaging/installing/running and if something seems off, it’s their responsibility to investigate and communicate with each other.

          attacks like this will not be solved by paying someone to read source code, because the code in the repo might not be what is going to run on a machine or might look absolutely fine in a vacuum or will be altered by some other part in the chain. and even if you have dedicated code readers, you cant be sure that they are not compromised or that their findings will reach the people running/packaging/depending on the software.

          • xionzui@sh.itjust.works
            link
            fedilink
            arrow-up
            3
            ·
            9 months ago

            Of course you can’t be sure anyone involved, paid or not, isn’t compromised. But if you want more human effort put into a project, people need a reason to do so. Complaining that volunteer contributors don’t spend enough of their time and effort with no compensation isn’t going to solve anything. Maybe AI tools will make that work more available in the near future.

      • Serinus@lemmy.world
        link
        fedilink
        arrow-up
        5
        ·
        9 months ago

        If my job didn’t pay me, I would have certainly burned out years ago. For one, I’d need another job.