Bullying in Open Source Software Is a Massive Security Vulnerability - eviltoast
  • mlg@lemmy.world
    link
    fedilink
    English
    arrow-up
    46
    arrow-down
    1
    ·
    7 months ago

    meanwhile Linus hounding down the google devs for making stupid pull requests

      • TheGrandNagus@lemmy.world
        link
        fedilink
        English
        arrow-up
        22
        ·
        edit-2
        7 months ago

        Years ago, Linus Torvalds, creator of Linux, was notoriously mean to people who submitted bad code.

        Like he would straight up call it absolute dogshit and say they should feel ashamed, he’d call them fucking morons, on one occasion I believe he even told someone to kill themselves.

        In the years since, though, he’s said that he’s found the abrasive authority figure schtick doesn’t really work and has the unfortunate side effect of making others involved adversarial too, or will hasten the notorious FOSS developer burnout, and he has changed to a much warmer and friendlier way of working, and been quite apologetic about his past attitude.

        • barsoap@lemm.ee
          link
          fedilink
          English
          arrow-up
          12
          ·
          edit-2
          7 months ago

          Oh he’s still perfectly blunt about code, and even about people if need be but he makes sure he has a good night’s worth of sleep before he does that to not do it in anger. Which means dress-downs are now of the “I’m not angry, I’m disappointed” type. I’m not aware of him ever telling people to kill themselves, just erm “wondering”:

          Of course, I’d also suggest that whoever was the genius who thought it was a good idea to read things ONE F*CKING BYTE AT A TIME with system calls for each byte should be retroactively aborted. Who the f*ck does idiotic things like that? How did they noty die as babies, considering that they were likely too stupid to find a tit to suck on?

          (And to be fair, yes, reading things one byte at a time is fucking stupid. Not something you’d ever expect in a kernel)

          • TheGrandNagus@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            ·
            edit-2
            7 months ago

            I’m not referring to that incident, I’m referring to his criticisms when he was using OpenSUSE and became frustrated at having to use the root password to do basically anything:

            “If you have anything to do with security in a distro, and think that [users] need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place.”

            And just as with you said above, yes, he is right, but it was completely uncalled for and unprofessional to go about the criticism in such a way.

            I do find his quips funny, and in some workplaces it’d just be behind-closed-doors banter, but it’s right that he doesn’t go on mean rants anymore. Publicly humiliating devs and wiping your hands clean of the situation while your fans continue to harass them is not optimal.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          4
          ·
          7 months ago

          To be fair, he has to deal with a lot of nonsense in his job. A lot of companies try to push utter crap through, and if his subsystem maintainers miss something, it makes his life much more difficult. He’s merging tons of changes every day and doesn’t have the time to review everything.

          So I think some righteous anger is justified here. His subsystem maintainers should know better, and his anger was usually directed at them, not some random new contributor.

          • TheGrandNagus@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            7 months ago

            Absolutely. His workload was insane and unending, and if crap code made its way through, he’d get a portion of the blame. It’s very human to lash out in the way he did, particularly when he frequently saw the same mistakes over and over again.

            But it’s right that he made steps to not act in that way anymore. Linux developer burnout is bad enough even without Linus and others publicly calling you a shithead or telling you to kill yourself when you fuck up.

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              7 months ago

              Yup. My point was that it’s not necessarily autism or bullying that brought us here, but years of dealing with people who should know better. I’m glad he’s toned it down though, but I did secretly enjoy reading his creative insults (and wouldn’t want to be on the receiving end).

  • Buddahriffic@lemmy.world
    link
    fedilink
    English
    arrow-up
    32
    ·
    7 months ago

    The trick is to stop giving af about demands from random assholes. Using software doesn’t entitle anyone to updates. Part of the point of open source is if you want it to be different, the source code is available for you to do that.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      7
      ·
      7 months ago

      Yup. I’ve contributed to a number of FOSS projects (including lemmy) and try to always observe the proper etiquette. That means (IMO):

      • read through the contribution guidelines and follow them to a T
      • check for feedback at least once/day
      • allow at least two days for initial feedback, and gradually back off (so bump after 2 days, bump again after another 3-4 days)
      • if there’s no feedback after a week, bring it up on another channel (IRC, Matrix, email, etc)
      • never demand anything, always ask how to help

      None of that is written down anywhere, but to me it’s common sense. If you don’t want to do that, fork the project and maintain it yourself. Maybe they’ll pull your changes in if they’re good.

  • Rikudou_Sage@lemmings.world
    link
    fedilink
    English
    arrow-up
    31
    arrow-down
    6
    ·
    7 months ago

    Well, it’s fun that they mention F-Droid, because the maintainers are bullies who bully their contributors and generally act very unpleasant. They like to make new rules on the spot.

    I abandoned using the project altogether, not someone I want to support.

        • Buddahriffic@lemmy.world
          link
          fedilink
          English
          arrow-up
          15
          arrow-down
          2
          ·
          7 months ago

          Good rule, those should be web addresses, not apps. Or even better, native applications rather than web apps, but it does depend on the context.

          • Rikudou_Sage@lemmings.world
            link
            fedilink
            English
            arrow-up
            7
            arrow-down
            4
            ·
            edit-2
            7 months ago

            Eh… why? More to the point, it’s not mentioned anywhere in their guidelines, it was made up on the spot by the fella doing the code review.

            • Buddahriffic@lemmy.world
              link
              fedilink
              English
              arrow-up
              11
              ·
              7 months ago

              They are inefficient and bloated.

              And personally, I prefer good reasoning over good rules. If something comes up that is a bad idea but there’s no existing rule against it, the rules should be changed to address it. As long as the reasoning is sound, I think it’s a good thing, especially when we’re talking about something like a software distribution platform as opposed to say laws that determine freedom or imprisonment.

              • RvTV95XBeo@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                10
                ·
                7 months ago

                Also if you’ve made a web app, let it be installed as a web app. Both FF and Chrome let you install web apps in one click.

              • Rikudou_Sage@lemmings.world
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                5
                ·
                7 months ago

                Inefficient and bloated describes 90% of all apps I’ve ever seen, regardless of technology used, so I fail to see your point.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          3
          ·
          7 months ago

          If you really want to have it available on F-Droid, you can always put it in a separate repository. So I can see it being annoying that they reject it from their repo, but there’s still a reasonable path forward.

          • Rikudou_Sage@lemmings.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            7 months ago

            Well, I have the app on Google Play store, which was originally meant to be the alternative, now it’s the main store.

          • Rikudou_Sage@lemmings.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            7 months ago

            Not WebView, but a so-called TWA, aka Trusted Web Activity, a features specifically designed to wrap PWAs and give them full-blown app capabilities.

            • hedgehog@ttrpg.network
              link
              fedilink
              English
              arrow-up
              2
              ·
              7 months ago

              What additional capabilities does that give the app beyond using Firefox or Chrome to install it as a PWA?

    • ikidd@lemmy.world
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      1
      ·
      7 months ago

      Seems to me like they’ve done a pretty good job keeping their store free of malicious apps, I’ve never heard of any breaches like I have of every other store including Snap and Flatpak.

      Maybe they’re pissing some people off in the process, but maybe it’s the right people to piss off. They’ve been able to hold it together in the FOSS app space better than most.

  • 🇰 🌀 🇱 🇦 🇳 🇦 🇰 ℹ️@yiffit.net
    link
    fedilink
    English
    arrow-up
    13
    ·
    edit-2
    7 months ago

    I would simply deal with these bullies by telling them to fuck off and fork their own thing instead of bugging me to push an update on the main. This feels nore like it should be happening to closed source things where the only way to get a thing in it is to beg the dev.

    • AdmiralShat@programming.dev
      link
      fedilink
      English
      arrow-up
      24
      arrow-down
      2
      ·
      7 months ago

      This comment said:

      Naturally closed source for profit software is so much better and would never contain anything malicious.

      We know this for certain because the PR department affirmed us that there is nothing malicious or illegal within their code. There internal investigations found no proof of hacking from external sources, All code changes where done with the full legal permission of our Ceo and Overlord Marz Kucherberg ™

      • webghost0101@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        17
        ·
        7 months ago

        I mistook the post and didn’t know it was about bullying specifically so my comment was unwarranted

        There have been other posts of late where my sentiment is more ontopic but here it only muddies the actual discussion.

    • AtmaJnana@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      2
      ·
      7 months ago

      No need to be so defensive… unless you you the F-Droid team they are writing about. Are you?

      Either way it is just whataboutism aimed at a strawman. No one is saying proprietary software is better.

      • webghost0101@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        10
        ·
        7 months ago

        Not sure why its still showing for you but i removed my comment seconds after posting as i misread and didnt know this was about bulling. I firmly stand against bullies of any kind.

        Ever since the xz thing i have noticed a general increase in articles and clickbait titles spreading fear about open source software in general, its started to feel like intentional propaganda, for this post it was unwarranted.

        Ps: please do confirm if my comments is removed by now on your end, i suspect comments may not always continue to sync between lemmy servers after the first initial postings.

        • AtmaJnana@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          7 months ago

          No, I still see it. Not sure why, maybe because I commented on it.

          I’ve had several comments behave the same way, unable to actually delete them, even after waiting a while for the delete to propagate.

          • AdmiralShat@programming.dev
            link
            fedilink
            English
            arrow-up
            4
            ·
            7 months ago

            The best thing to do is edit it to be just a period then delete. I can still sew deleted comments by hitting copy text

  • BargsimBoyz@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    arrow-down
    24
    ·
    edit-2
    7 months ago

    It’s probably far more common than most people realize. Open source software doesn’t automatically make it secure, and in many cases can be less secure than closed source as it’s just one or two people doing it for free.

    Much easier to be tempted to do something wrong or to get others to help in and take the weight off.

    • null@slrpnk.net
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      2
      ·
      7 months ago

      in many cases can be less secure than closed source as it’s just one or two people doing it for free.

      Absurd take. How could having the source closed possibly enhance the security?

        • null@slrpnk.net
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          4
          ·
          7 months ago

          Weird that they would say something totally different from what they mean…

          • SqueakyBeaver@lemmy.blahaj.zone
            link
            fedilink
            English
            arrow-up
            5
            ·
            7 months ago

            I mean, they didn’t though Theoretically, well-funded teams would be able to create more secure software and fix vulnerabilities faster than some random guy who works a full-time job and codes in his free time

            • null@slrpnk.net
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              7 months ago

              You say they didn’t, and then go on to make a point they didn’t make…

              They didn’t comment on funding whatsoever. Plenty of open-source software gets funding, and not all closed source software gets funding.

              The issue is with bullying and burnout. Nothing to do with being closed or open source.

              • SqueakyBeaver@lemmy.blahaj.zone
                link
                fedilink
                English
                arrow-up
                3
                ·
                7 months ago

                I’m sorry that I’m apparently not getting my point across to you

                Proprietary software is often made by a corporation, who pays full-time developers. Those full-time developers are given a salary to work on that software. That salary is normally more than what open-source devs make off their software. The team who is paid to work full-time on the software will patch issues faster (theoretically)

                I bet you’ll find something wrong with this, but I don’t care

                • null@slrpnk.net
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  arrow-down
                  1
                  ·
                  7 months ago

                  There’s nothing wrong with what you’re saying, I’m not challenging the point you’re making here.

                  I’m challenging your ability to mind-read and ascribe that point to a different commenter.

    • HuntressHimbo@lemm.ee
      link
      fedilink
      English
      arrow-up
      14
      ·
      7 months ago

      Closed source software has the exact same bullying issue, the difference is instead of the bullies being random people on the internet, they are managers with power over you. They are at least as likely to make you do something dangerous as the randoms, but they don’t have to try as hard to hide it.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        It’s not the same, but it can be.

        Bullying in closed source software is a company culture issue. Bullying in open source software can come from anywhere, and a good CoC won’t necessarily fix it because outside community members can just bully from different accounts. But that also means bad company culture can’t be fixed as easily as playing whack-a-mole in a FOSS project.

    • NoneOfUrBusiness@kbin.social
      link
      fedilink
      arrow-up
      10
      arrow-down
      2
      ·
      edit-2
      7 months ago

      I mean you can see the source code. You’ll know if anyone does something weird if you have two braincells.

      Edit: Clown here move along.

      • lewdian69@lemmy.world
        link
        fedilink
        English
        arrow-up
        11
        arrow-down
        1
        ·
        7 months ago

        You’re manually reviewing the entire code of every open source product you use? Manually reviewing the code at every commit of every open source software you use?

          • null@slrpnk.net
            link
            fedilink
            English
            arrow-up
            2
            ·
            7 months ago

            It’s not a dumb point so much as just naive – and its the lesson we learned from the xz backdoor.

            Sure the source code is out there for anyone to see, but are the right people actually looking?

    • tabular@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      7 months ago

      How do you qualify the security of a closed source code when you can’t verify it?