this post was submitted on 29 Mar 2024
671 points (99.0% liked)
Technology
And that's why you cannot trust open source software blindly.
And yet with closed-source software you have no choice but to trust it blindly. At least open source software has people looking at the code.
Bet you anything there were more pairs of eyes on SolarWinds code than this. Sick of this open source bystander effect.
Code scanners check for vulnerabilities, not malicious code. Ain't no one running full coverage dynamic scanners to trigger all branches of code on this thing; otherwise this would've been caught immediately.
Vulnerabilities are caught and fixed faster in open source projects than closed ones.
Intel: 24 years
Your data is about remediation speed not thoroughness of discovery.
FOSS is substantially faster in both.
There is, it's Google Fuzz, which the maintainer of XZ handily disabled the codeshare for.
Interesting! When? Maybe that can be a metric or requirement before companies or seriously popular projects consider importing upstream code.
https://github.com/google/oss-fuzz/pull/10667
https://github.com/google/oss-fuzz/pull/10667#pullrequestreview-1518981986
Looks like it was a cover up attempt to prevent manual attention and would not have been caught by the automation.