💚 Stay strong xz maintainer(s). We're with you.💚

in reply to daniel:// stenberg://

There are so many projects which are considered as “they must be there” and underfunded or not funded at all. I believe companies using packages should sponsor them.
in reply to Sardo

@sardo Unfortunately, as @lcamtuf points out, money is not enough:

* "it’s hard to build a sustainable community around watching paint dry"
* "It’s hard to build a rewarding career on being very familiar with some boring, old dependency that’s just taken for granted by everyone else."

I don't know what the solution will be, but it will have to (not only) consist of money. Any good ideas?
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor

in reply to Marcel Waldvogel

money has to be involved of course, but I agree that it is not easy to figure out exactly how the system should ideally work.
in reply to daniel:// stenberg://

Thank you! I can't imagine how bad this must feel for Lasse Collin, especially after reading [1].
We're with him and all honest XZ contributors, and they're not to blame 🙂

[1]: https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/

in reply to daniel:// stenberg://

are we really? Yeah, we feel sorry for them, but not with them. It's still largely an unpaid one-man band taking care of a crucial bit that keeps multi-billion companies running.
in reply to Joris Meys

@JorisMeys yes of course we are with them/him. We know what it means. We are/have been/will be there ourselves. We recognize that it's not his fault.
in reply to daniel:// stenberg://

sorry, forgot to check the bio before reacting. Yes, you can genuinely make that claim. Apologies.
in reply to daniel:// stenberg://

Time for companies to step up and fund the projects they rely on. Solidarity with the hardworking maintainers out there.
in reply to daniel:// stenberg://

Wasn't there, ages ago, a claim by a developer that she had placed malicious code in the kernel piece by piece?
It was a fake, but it did end up making the oversight more alert.
ssh or ssl had a similar problem some time ago, and GPG was also shaky at one point.
in reply to daniel:// stenberg://

(total agreement).

Does the green heart have a special meaning? The internet Pythias are only drowning me with AI generated voidness