
Tech Casualties of Russia's War in Ukraine: Open Source and the Cloud?

source link: https://news.slashdot.org/story/22/03/19/1919214/tech-casualties-of-russias-war-in-ukraine-open-source-and-the-cloud


Tech Casualties of Russia's War in Ukraine: Open Source and the Cloud? (github.io) 31

Posted by EditorDavid

on Sunday March 20, 2022 @10:34AM from the unintended-consequences dept.

Long-time Slashdot reader theodp writes: In On the Weaponisation of Open Source, software engineering consultant Gerald Benischke examines how the Russian invasion of Ukraine has spilled over into areas of software development, with some unintended consequences. In particular, Benischke looks at the decision by MongoDB to cut off services in Russia, the destructive change in a node library that deleted files on Russian IPs, and even a change in the code/licence in a community terraform module to assert that Putin is a 'dickhead.'

Benischke concludes, "My problem is that this weaponisation is killing off trust. I think the temptation of using open source projects as weapons against Russia should be resisted because it sets a dangerous precedent and may ultimately set back the open source movement and push organisations back into seeking refuge in commercial software with all its opaqueness and obscurity. It's not about sitting on the fence or taking sides in a war. It's about what open source has achieved over the last 30 years and I think that's now at risk of becoming collateral damage."

Meanwhile, the war is also being fought on the Cloud front, with Microsoft halting all new sales in Russia. In fact, all of the major U.S. cloud providers have stepped back from doing business in Russia. "You basically have Russia becoming a commercial pariah," explained economist Mary Lovely. "Pretty much no company, no multinational, wants to be caught on the wrong side of U.S. and Western sanctions."
    • Re:

      What has not happened in the open, as it is now, is the question of developers not wanting their efforts to go to this upstream or that based on bias. The question is easily answered either way by forks. And open source developers hijack projects all the time "for the greater good", no doubt.

    • Re:

      It has already damaged trust.

      The reputation of Open Source is built on the reputation of the benevolent dictatorship of maintainers. When maintainers start putting backdoors (it does not f*cking matter in the name of what), the reputation is out the window.

      There will be no easy way of fixing it, either. It will be rubbed in the open source community's nose for years to come.

      Ditto for the cloud - cloud reputation is built on its neutrality. The only company/organization which remained truly neutral in this i

  • by barlevg ( 2111272 ) on Sunday March 20, 2022 @10:44AM (#62374093)

    Operating on a system of least trust, where, at a minimum, your dependencies are all explicitly pinned, and, more realistically, where any bit of critical kit gets its dependencies from an internally managed mirror--with new versions being screened as they're published--this should be standard operating procedure.

    And saying this is a flaw in the Open Source ecosystem is FUD--the difference is that when closed source software injects malware into their latest update, you don't find out as quickly (or at all).
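The pinned-dependency and screened-internal-mirror practice described in the comment above (and the "verify the build matches the qualified one" check raised further down the thread) as an added example, not code from the original post: a lockfile records one qualified version and its SHA-256 per package, and the check flags artifacts the mirror serves that were never pinned, were re-published under the same version with different bytes, or are absent. Package names and contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    status: str  # "ok", "hash-mismatch", "not-pinned" or "missing"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_mirror(lockfile: dict, mirror: dict) -> list:
    """Compare what the internal mirror serves against the pinned lockfile.
    lockfile: {name: (version, sha256)}  the one qualified release per package
    mirror:   {name: {version: bytes}}   every artifact the mirror currently holds
    """
    findings = []
    for name, (pinned_version, pinned_hash) in lockfile.items():
        served = mirror.get(name, {})
        if pinned_version not in served:
            findings.append(Finding(name, pinned_version, "missing"))
        elif sha256_hex(served[pinned_version]) != pinned_hash:
            # Same version string, different bytes: the artifact was re-published
            findings.append(Finding(name, pinned_version, "hash-mismatch"))
        else:
            findings.append(Finding(name, pinned_version, "ok"))
        # Newer uploads stay on the mirror but are flagged until someone screens them
        for version in sorted(served):
            if version != pinned_version:
                findings.append(Finding(name, version, "not-pinned"))
    return findings

def approved_artifacts(lockfile: dict, mirror: dict) -> dict:
    # Only these may reach the build: pinned version present and hash matching
    return {f.package: mirror[f.package][f.version]
            for f in check_mirror(lockfile, mirror) if f.status == "ok"}

# Constructed sample artifacts and pins; package names and contents are hypothetical.
LIB_A_123 = b"module.exports = () => 'hello';\n"
LIB_A_130 = b"module.exports = () => 'hello, with new behaviour';\n"
LIB_B_200 = b"module.exports = () => 42;\n"
LIB_B_200_REPUBLISHED = b"module.exports = () => 42; // silently changed\n"
LOCKFILE = {
    "lib-a": ("1.2.3", sha256_hex(LIB_A_123)),
    "lib-b": ("2.0.0", sha256_hex(LIB_B_200)),
    "lib-c": ("0.1.0", "0" * 64),  # pinned, but the mirror never fetched it
}
MIRROR = {
    "lib-a": {"1.2.3": LIB_A_123, "1.3.0": LIB_A_130},
    "lib-b": {"2.0.0": LIB_B_200_REPUBLISHED},
}
```

A build that consumes only `approved_artifacts()` never picks up a newly published release, or a quietly replaced one, until someone updates the pin after screening it.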

    • Re:

      You have just described 80% of closed source work. And I suspect closed source has never actually been as closed as people complain about; more likely the discussion from the beginning is very exclusive.

      • Re:

        And I don't really trust closed source. It's quite popular these days to send "usage statistics" to some home server and you can't opt out unless you first run the program and it has shared data with the home server already.

    • In many bigger software shops, this is already the norm. They have the extra money and headcount to support complex dependency systems that easily catch justice warrior shenanigans. They'll just skip the broken versions and switch to the eventual replacement once the community selects one.

      This is more of an issue for smaller companies, where headcounts are low, budgets are tight, and deadlines are always looming. Those poor chaps are quite reliant on their dependencies to do no evil, not by choice but by ci

    • Re:

      It's not even about malice or activism. Pinning is the only sensible thing to do: otherwise you will get random breakage. You might for example unwittingly be depending on behavior that is a bug and gets fixed in a minor point release (every observable behavior is a feature).

  • Modern practices of continuous integration and deployment are the real issue here. If you are using your own copy of the source and pay attention then this is a non-issue. If you just pull the latest from a public repo and start using it then you are asking for trouble. It should be obvious in 2022 that software security is not a matter of the type of license.

    • Re:

      This. So much this. As a certified Old Guy who comes from an embedded world where step 1 of validating a build environment is "from scratch, create the build environment. Pull in the source from the most recent known good version. Verify that the binaries CRC-check with the binary that was qualified" - the number of commercial products (not at my employers, but just in talking to people) that pull random latest components down directly from the Internet is chilling. It would be like Ford saying "We make our

      • Re:

        That's certainly how the US Navy does it.

        https://www.defensenews.com/na... [defensenews.com]

        • Re:

          Yeah I read that story a while back, but at least (?) this was mere "I can't be bothered doing all that paperwork that is my actual paid job" vs "I want to poison the supply chain so that pressure hulls implode".
  • The active choice to commit of crimes against humanity [un.org] by Russian soldiers under approval of its leadership necessarily dictates that the state be punished. It is a fact that actions against the state must also apply to the individuals the state represents. They are the ones who can change what the state does as their representative. Any EU/US/AUS programmer supporting Russia is violating sanctions, and claiming that contributing to a project not exclusively designed for Russia does not absolve that respons
    • Source code is not software, it is speech. The author of PGP proved that when prosecutors backed off after MIT Press published his source code worldwide, and DJB successfully won court cases based on a similar motif. You cannot have a country where the government allows free speech and then have the government enforce unnecessary restrictions on it at the same time.

      Interestingly enough, this same defence can be used to justify the malicious changes to peacenotwar as much as it can be used to defend peopl
  • How about we switch back to actually managed repositories again? Most of the time, software you wanted to install you went to your Linux distro and installed it there. Now there is too much to get from there, so we go to the various language repositories. Some are managed well, some are not managed at all like NPM.

    Take CRAN for R as an example. If I manage a package in CRAN, can I remove a previous version or remove the software altogether? Nope. Impossible. It's all permanently archived with gatekeepers for submitting new versions to ensure that the package still works.

    Python? I'm guessing since I've worked with PIP only a bit, but kinda? They can easily clamp down on that, though. The archives I think you can remove/edit which they can just stop allowing.

    NPM is just a wild west of do whatever you please. Ever noticed how all of these problems have been happening almost exclusively on NPM?

    Any software distributed exclusively on Git repos should be considered experimental anyway.

    Most software dependencies that matter (C++ Boost, MariaDB, Java, etc.) aren't going anywhere. Stop equating such a horrible package management system with the whole open source environment. Also, try to stick to the packages available in your OS and you'll probably never have any issues.

    The problem here is that corporate software development environments haven't learned how to use Linux correctly. The underlying systems haven't changed and the risks and mitigations haven't changed in 20-30 years. You should be doing these things anyway for security concerns.
    • Re:

      When I see PIP I'm thinking of that old CP/M command.

      • Indeed... although CP/M (Digital Research, Inc; 1974) more-or-less copied the PIP command from RSX-11 (Digital Equipment Corp.; 1972) which was a port of DEC's RSX-15 (1971). The whole CP/M command line environment was almost a look-alike for RSX... Ah, the days of well-oiled Teletypes and zippy DECwriters! VDTs (video display terminals like the VT-52 and the later VT-100) were a luxury, and we lived at 300 baud.
  • 1/ Killing off the cloud: not a minute too soon! Russia's action forced a practical demonstration of what everybody with 2 working brain cells has known for years: when a cloud operated by someone other than you goes down for any reason, you're fucked.

    2/ Killing the trust in open-source: yeah, that's sad. But you know what? The whole premise of open-source is that you didn't have to trust anyone, and you could assess what the code does for yourself. You know, if enough eyeballs... This "killing of trust" only underlines something else everybody has known for years also: there are no eyeballs reviewing open-source code. If there were, revenge code would never get deployed in the first place.

    In short, open-source is mostly composed of nice guys, and lazy companies rely on that to cut corners. When some of the nice guys stop being nice, bad things happen to said lazy companies.

    • Re:

      What? Nope.

      The premise of Open Source code is that the Source is Open so anyone can look at it. That's it, full stop, END OF LINE. This has both positive and negative repercussions when it comes to security.

      Right. IF, ENOUGH. Some projects receive that level of scrutiny, and some don't. In fact, most don't. However... well, let me circle back.

      There are eyeballs reviewing open source code. There are not competent eyeballs surveying all code, and there are not enough eyeballs to catch every problem. But when

    • Re:

      Plenty of Russian major social media and other sites are still up, because they use cloud from nations not marching to the USA's tune. Expect more Russian business and military alliances with China, India, Iran, and certain South American and East Asian countries because of this. Yay?

    • by quantaman ( 517394 ) on Sunday March 20, 2022 @11:44AM (#62374247)

      I suppose NATO has never sinned. I suppose there are absolutely zero Not-sees in Ukraine. Up until the recent invasion no Russian blood has been spilled. No US Democrats have had ANY involvement in Voldemort's goon squads. It's a fine thing it's such a black and white issue with a clear moral line on which side to stand. The "whole" world coming together to punish Russia is EXACTLY what would happen if, say, China or Israel committed some hypothetical atrocity, because, of course, you all always follow the same unwavering standards of morality.

      1) There's a small handful of far right groups in Ukraine, they have zero influence. There's way more far right groups in Russia, and they're arguably in power. You should look at what Putin has been doing in Ukrainian territories he already controls [aljazeera.com]. You wanna tell me that doesn't remind you of Nazis? Him controlling the rest of Ukraine is an unacceptable outcome.

      2) The US has done nasty stuff, not nearly this nasty. False equivalencies do not a compelling argument make.

      3) Ukrainians are certainly benefiting from being white European victims when it comes to international support. But still, what Putin is doing is pretty much unprecedented since WWII.

      • Re:

        " far right" yea right! far lefties like you are part of the problem not the solution.
  • This is great news. Perhaps now people will learn not to include 3rd party repos in their projects, or if they must, to first clone said repos to their own git servers, and thus never be surprised by upstream doing stupid things.
    Most important law: your app must be able to be compiled on a build server that doesn't have a connection to the internet, and said app must be able to launch without network connectivity.

  • The west is essentially accusing Russia of committing the ultimate crime, a war of aggression. You know, what we tried the Nazis for at Nuremberg. I'm waiting for the experts on this subject, George W. Bush & Tony Blair, to weigh in with their judgments in this case before taking sides.
