Open Source has some big questions ahead
There’s no doubt that open source software makes up the majority of the world’s internet services. However, some recent (and not so recent) problems are starting to shine a light on the challenges facing open source communities.
- Malicious maintainers and contributors – the xz compression backdoor went an amazingly long time before it was detected. The backdoor was added by a contributor, Jia Tan, who had been making contributions for two years. The level of obfuscation and sophistication was unprecedented, and it was only discovered by a very astute senior Microsoft engineer.
- Hacking of open source maintainers/distro servers – the Kernel.org compromise came to light in 2011, when kernel maintainers revealed that 448 accounts had been compromised after attackers gained root access to servers connected to the domain. There’s no evidence the source was changed, but it just as easily could have been.
- Open source burnout – the burnout levels among Rust developers spawned an interesting article (and another) that really speaks to general burnout problems. Honestly, this is just one more example of why ‘passion’ jobs are bad for you, and why what you really want is a job you work 8-5 and then unplug from completely.
That’s by no means the entire list. Open source is now the backbone of our modern computer infrastructure – and it is under attack from more threats than it has ever faced: ransomware hacker groups, for-profit botnets, all the way to the increasing occurrences of state-sponsored hackers and infiltrators. These attacks and manipulations can now be combined with AI actors and AI-generated code to create nearly limitless attack vectors and attackers.
Combine this with unpaid contributors who have to police themselves, and the result is a set of serious threats.
The New Stack has a great article describing the new challenges facing open source development.