A bit paranoid, but intentionally quote the commit messages, not to confuse future visitors. This is NOT BECAUSE FreeBSD IS AFFECTED.
Note that this MFC target is only for stable branches (stable/14 and stable/13), as xz 5.6.0 is not yet MFS (Merge From Stable)'ed into any releng branches, thus does not affect Releases and Patch Release (for example, something like 14.0-p1).
I wasn't the only one in this thread stating this. Several people (correctly) analyzed it was "luck" (with being a less attractive target than major Linux distros probably playing a role)
Sounds simple, and who will do it? Like in this example, the single exhausted maintainer (and original author)? Just impossible.
Well, consider why some projects are closed source - too many cooks spoil the broth. Sometimes, people want to work in peace, undisturbed. Both 'closed source' and Open Source projects have boundaries that frankly do need to be respected by others if you want to come out with a quality product. Lots of stuff needs to be balanced and fine-tuned. Sometimes, people can't handle that very well, and then the situation blows up in everybody's face.
If customer's expectation of something changes, that can blow up in people's faces if not managed right.
The bulk of closed source software is very boring. It is things like accounting software in banks, huge quantities of business logic and web applications for all sorts of industries, and even more important embedded software. I used to work (about 25 years ago) in a company that made hugely complex and high-tech industrial equipment (semiconductor wafer inspection machines). We had the best optical microscopes in the world, and the fastest image processors that weren't in classified projects; yet over half of our engineers were software engineers. Another example: I think the Boing 767 (released in the late 70s or early 80s) was the first airplane that was not capable of lifting one copy own software documentation when printed on paper. In the late 90s or early 2000s, there was a Stanford study on what the largest software companies in the US were (in terms of how many software engineers they employed): Place 1 was shared by GE and GM, with Boing in place 3. The only "computer" company that made the top 10 was IBM (not because of its systems software, but because of its army of 100s of thousands of programmers working on contract for banks, insurance, and all the rest). In the last 25 years, software has become even more pervasive, and nearly all of it is closed source.
IoT consumer devices are quite common and cheap precisely because people started using Open Source firmware with them... Software has become a bit like an agricultural commodity. High quality stuff is tightly controlled, and is expensive, even for simple stuff. Low quality stuff that is hackable, it's not subject to the same tight controls, but is free. Yeah, you can find something that is actually high quality among the free stuff, but then you discover it takes up a LOT of your own time to process it and make it useful.
Perhaps Blender, PHP, OpenSSL, Apache and Python will "rewrite their software in Rust" and lead the way.
Sounds more like another set of shackles for FOSS or a stick for the big corps to hit small developers with. It's a move towards "uncertified" or software that has not been audited, being stigmatised. We should all know who gains from that by now...Rust, Python, Apache Foundations and Others Announce Big Collaboration on Cybersecurity Process Specifications - Slashdot
The foundations behind Rust, Python, Apache, Eclipse, PHP, OpenSSL, and Blender announced plans to create "common specifications for secure software development," based on "existing open source best practices." From the Eclipse Foundation: This collaborative effort will be hosted at the...developers.slashdot.org
But I doubt this will mean help and resources for open source developers; probably lots of words and policies. But we will see.
I think it also points out a "pain point" of FOSS: the eyes need to look, there needs to be "trust but verify" or harder/stronger vetting of potential commiters.
The quality of the reviewers also matters. ${WORK} I've run into people more concerned with how the code is formatted rather than "does the change do what it is supposed to do". Form over function. Granted, consistency in code is good especially if lots of people are working on it. But if a change doesn't do what it's supposed to do then why bother.
I fully agree, but I think that's the intent in many of plethora of articles on the subject. I would suggest that it's clear to most of us here that this individual or individuals could have just as easily infiltrated a proprietary project and it would have been much harder to find their "payload".
That's why they make emacs init files and "modes". Select all, reformat. Multiple people on a project, everyone use the same configuration. I've had issues trying to get consistent configuration when people are using different editors/IDEs.
Yeah, this is the kind of situation that prompted the FSF to take a rather extremist position of only accepting libre software under its umbrella... there's even a Linux distro out there that was cobbled together using only components that were developed as libre projects, iirc. Searching for that kind of stuff on Google turned up individual projects that have 'libre' as part of the name, but not a decent article explaining what that movement is about.
Thoughts on the infamous Debian Openssl patch?
liblzma: Fix false Valgrind error report with GCC. · tukaani-project/xz@82ecc53
With GCC and a certain combination of flags, Valgrind will falsely trigger an invalid write. This appears to be due to the omission of instructions to properly save, set up, and restore the frame p...github.com
I liked that one - speaking as a Valgrind developer. It's almost always the same thing - blame it on a false positive. Usually it's just bugs and losers that 'know' their code is right. This time it was to hide some skulduggery.
Thankfully I don't use Linux much and still have Fedora 39 - only Rawhide and possibly 40 are affected.
I thought this was a key point:
