The upstream xz repository and the xz tarballs have been backdoored

What kind of question is that? Of course Rust isn’t necessary. What do you even mean by “necessary”? Computers aren’t necessary, in a certain sense.

A better, more meaningful, question is: does Rust deliver what it promises? Of course it doesn’t, it’s all just feel-good nonsense. Memory unsafety is only a serious issue when it affects the security of software. Yet software written in Rust has plenty of security issues unrelated to memory safety, mostly due to dependency bloat and cargo, which is an inherently unsafe, insecure system.

Is this problem resolved? I haven’t been paying attention to the details. Are our systems fine now?

It was never a problem on Arch or Arch-based distros:

Arch does not directly link openssh to liblzma, and thus this attack vector is not possible.

https://archlinux.org/news/the-xz-package-has-been-backdoored/
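The Arch note above turns on one fact: whether the sshd binary pulls in liblzma at all. The script below is an added example, not part of this thread or of Arch's announcement; it reports whether a binary's dynamic dependencies include liblzma or libsystemd (the library through which distributions that patch openssh for systemd notification ended up loading liblzma). The parsing is separated from the live `ldd` call so it can be checked against constructed sample output; the sample `ldd` lines and the default path `/usr/sbin/sshd` are assumptions.

```shell
#!/bin/sh
# Added example: check whether a binary's dynamic dependencies include
# liblzma (directly) or libsystemd (which on some distributions pulls in
# liblzma). ldd output is passed in as text so the logic can run offline.

# Prints matching dependency lines and returns 1 if liblzma or libsystemd
# appear in the given ldd output; prints nothing and returns 0 otherwise.
risky_libs_in_ldd_output() {
    matches=$(printf '%s\n' "$1" | grep -E 'lib(lzma|systemd)\.so' || true)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# Live wrapper: run ldd on a binary (default assumed path: /usr/sbin/sshd).
# Returns 2 if the binary is missing, otherwise the result of the check.
check_binary() {
    bin=${1:-/usr/sbin/sshd}
    if [ ! -x "$bin" ]; then
        echo "not found: $bin" >&2
        return 2
    fi
    risky_libs_in_ldd_output "$(ldd "$bin" 2>/dev/null)"
}

# Constructed sample ldd output (not captured from a real system):
# a distro-patched sshd that links libsystemd, which drags in liblzma.
SAMPLE_PATCHED_SSHD='linux-vdso.so.1 (0x00007ffd)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f)'

# Constructed sample for an unpatched sshd with neither library.
SAMPLE_PLAIN_SSHD='linux-vdso.so.1 (0x00007ffd)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f)'
```

Usage on a live system: source the file and run `check_binary /usr/sbin/sshd`; an exit status of 0 means neither library is linked. A clean result only says the direct vector the Arch note describes is absent, not that the installed liblzma itself is a trusted build.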

Another project almost got jiatanned again!


Social engineering takeovers of open source projects.

Very scary … Will get hard to get people in on development.

The real question is how to build the needed trust in open source development?
Everyone wants privacy, and everyone has respect for that, but trust and privacy can get unsafe.

You really can’t get around it, it’s the good old:

  1. Accept anyone based on merits of contributions / code quality.
  2. Let the code speak about person, anything shady, not clear or unnecessary - should not be tolerated.
  3. ALWAYS trust but check, never relax… don’t trust even yourself when checking the code.

It really doesn’t matter how private or public a person is during development; it can be a very public person who, after 20 years, turns out to be a federal agent and will never receive any repercussions except getting excluded from the project / FOSS community.

So a complete anon (verified by GPG, of course) is no less trustworthy than a public figure; only the code can tell.

It reminds me of the saying “In God we trust. All others pay cash”

This also reminds me why it’s so important to have assets that aren’t just crypto and a “bank account.”

Gold, silver, platinum, and lots and lots of lead to protect it all. Tangible wealth, since I can’t possibly trust the thousands or millions of people who create computers. Even in Linux. I just assume computers will be compromised at some point. A great defense is to not have anything worth taking on them.

@keybreak Paranoia can stress you to death too.

Nah, I’m gonna stress it back with loud HONK noises :rofl:


This one is the easy part.

Here’s another great way to write the most secure and private software that is technically uncompromisable…you can’t social engineer that!

I’m very good at developing such software.

the perfect code

sooo… any new backdoor found so far?

I’m still using the front door.

see last ^ two sentences?

this will always be known herewith as “they tried to pull the old Jia Tan.”

Good old jiatanning out there!


I got jiatanned today… :clown_face:

Checking my old code it sometimes feels that someone hacked it and implemented multiple vulnerabilities. :sweat_smile:

and it goes a little something like this:

DEar FoundaTIon,
Allow me introduce. Name is Sparty Mannix, I write Big Codes. I write Hello World in PythonRustC+ so know all the big ones, like Crome and Dr. Pepper. Please give me your project.
Thank you, Sparty

DEar FoundnaTion.
this is Stella Artois. I write huge programs very well-able. Been coding for a long time. You may have heard of Plazmas? I write that. Please give all your source code to Sparty. Sparty is so smart.
thanks, Jia, I mean Stella

DEar FounSaTion:
my name is Keven Spacey. I am coder a long time ago. Long time friend of Jia, I mean Sparty Mannix. Sparty and I go back to when he wrote my motion picure Gigli with Afflecks and Sparty coded all the specicial effects like the JLo Simulator. GIve Sparty your Project Now. I mean it.
yours, Kevin

That one is clearly jia tan…

Correct code should be:

Hello clown world!

In hindsight I wish I’d used safe-search when I googled backdoored
:open_mouth: :joy: