
Open Source is one person

(opensourcesecurity.io)
433 points LawnGnome | 1 comments
poulpy123 No.45050692
The title of The Register article is completely disgusting

> Putin on the code: DoD reportedly relies on utility written by Russian dev

then in the article:

> Hunted Labs told us that it didn't speak to Malinochkin prior to publication of its report today, and that it found no ties between him and any threat actor.

1. weirdpickles No.45051850
Yeah, it is pretty amazing but not surprising. The Register has taken to a certain kind of sensationalism as of late.

I found this interesting:

> "Every piece of code written by Russians isn't automatically suspect, but popular packages with no external oversight are ripe for the taking by state or state-backed actors looking to further their aims," Smith told us in an email. "As a whole, the open source community should be paying more attention to this risk and mitigating it."

Uh, I guess? The nature of open source is supposed to be that the dev provides the effort and the code, and that's where the guarantee stops. It is up to the people who use it to implement and ensure security. People treat OSS like it is a business product that must have a drop-in replacement ready at all times.

The modern nature of development is perhaps my biggest gripe as a professional. There is little care given. Projects begin with importing dozens of other packages and libraries that we never look at, let alone fully understand. And it is normalized.