[Linux-aus] How could we get society to adequately fund free software developers
Aníbal Monsalve Salazar
anibal at debian.org
Sat Mar 30 20:51:52 AEDT 2024
On Sat, 2024-03-30 09:58:22 +0100, Ingo Jürgensmann wrote:
> On 30.03.2024 at 08:56, Lucas Nussbaum <lucas at debian.org> wrote:
>
>> Yes. In that specific case, the original xz maintainer (Lasse Collin)
>> was socially-pressed by a likely fake person (Jigar Kumar) to do the
>> "right thing" and hand over maintenance.
>> https://www.mail-archive.com/xz-devel@tukaani.org/msg00566.html
>
> In his reply to that mail Lasse writes in
> https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html:
>
>> It's also good to keep in mind that this is an unpaid hobby project.
>
> This reminds me of https://xkcd.com/2347/ - and I think that’s getting
> a more common threat vector for FLOSS: pick up some random lib that is
> widely used, insert some malicious code and have fun. Then also
> imagine stuff that automates builds in other ways like docker
> containers, Ruby, Rust, pip that pull stuff from the network and
> install it without further checks.
>
> I hope (and am confident) that Debian as a project will react
> accordingly to prevent this happening again.
>
> But as a society (that is widely using FLOSS) I would also hope that
> our developers will get proper funding instead of requiring them to
> maintain such software in their spare time.
The original thread is at:
https://lists.debian.org/debian-devel/2024/03/msg00340.html
How could we get society to adequately fund free software developers to
avoid this type of security threat?
At this time, the consequences of this injection of malicious code into
xz-utils are not yet known with certainty.
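Ingo's remark about build tooling that pulls dependencies over the network and installs them without further checks is the one point in this thread a defender can act on directly. The Python below is an added example, not part of the original thread and not Debian's or pip's own code: it parses a constructed manifest written in pip's `--hash=sha256:` requirements style and refuses to accept any fetched artifact whose digest does not match the recorded pin, including artifacts that are not listed at all. The package name `examplelib`, the manifest text and the archive bytes are all constructed for this example; the parser is a minimal hypothetical one, not pip's.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class PinnedArtifact:
    name: str
    version: str
    sha256: str  # hex digest recorded when the artifact was reviewed


def parse_manifest(text: str) -> dict:
    """Parse lines of the form 'name==version --hash=sha256:<hex>'.

    The line shape mirrors pip's hash-checking requirements syntax; the parser
    itself is a hypothetical minimal one written for this example.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        spec, _, hash_opt = line.partition(" --hash=")
        if not hash_opt.startswith("sha256:"):
            raise ValueError(f"unpinned or non-sha256 requirement: {raw!r}")
        name, _, version = spec.partition("==")
        if not version:
            raise ValueError(f"requirement must pin an exact version: {raw!r}")
        digest = hash_opt[len("sha256:"):].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed sha256 digest: {raw!r}")
        pins[name] = PinnedArtifact(name, version, digest)
    return pins


def verify_artifact(data: bytes, pin: PinnedArtifact) -> bool:
    """True only if the fetched bytes hash to the pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, pin.sha256)


def install_verified(fetched: dict, pins: dict):
    """Split fetched artifacts into those safe to install and those to reject.

    An artifact with no pin is rejected as well: "not listed" must never be
    read as "trusted".
    """
    accepted, rejected = [], []
    for name, data in fetched.items():
        pin = pins.get(name)
        if pin is not None and verify_artifact(data, pin):
            accepted.append(name)
        else:
            rejected.append(name)
    return sorted(accepted), sorted(rejected)


# Constructed sample data: stand-ins for downloaded archives, not real packages.
GOOD_ARCHIVE = b"PK\x03\x04 constructed archive bytes for examplelib 1.2.0"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"\n# constructed injected payload"

# The pin a maintainer would have recorded after reviewing the genuine archive
# (computed here from the constructed bytes so the example is self-contained).
MANIFEST = (
    "# constructed manifest in pip --hash style\n"
    f"examplelib==1.2.0 --hash=sha256:{hashlib.sha256(GOOD_ARCHIVE).hexdigest()}\n"
)

if __name__ == "__main__":
    pins = parse_manifest(MANIFEST)
    ok, bad = install_verified(
        {"examplelib": TAMPERED_ARCHIVE, "unlistedlib": b"constructed bytes"}, pins
    )
    print("accepted:", ok, "rejected:", bad)
```

The check only detects an artifact that differs from the one that was pinned; a malicious release that was pinned in good faith passes unchanged, which is why pinning complements review of the upstream project rather than replacing it.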