this post was submitted on 10 May 2024
152 points (92.2% liked)

Technology

59534 readers
3183 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
all 18 comments
sorted by: hot top controversial new old
[–] Zo0@feddit.de 52 points 6 months ago (1 children)

I recently found out one my favourite FOSS projects was abandoned due to bullying. It was a small project and very fresh so it obviously came with some bugs and issues which is a given. The maintainer gave up only few months after because of all the negativity.

[–] tabular@lemmy.world 13 points 6 months ago (1 children)
[–] Zo0@feddit.de 32 points 6 months ago (1 children)

The latest one was LSPatch. Did so much for me. Last message from the maintainer was something along the lines of 'Seems like people are not happy with the project so I'm dropping it'.

[–] piracysails@lemm.ee 20 points 6 months ago

I don't even know what that is and I want to thank them for the project...

[–] tal@lemmy.today 47 points 6 months ago* (last edited 6 months ago) (2 children)

I'd actually broaden the concern. Like, having sockpuppet accounts bullying a maintainer is one form of attack, but more-broadly, social engineering is, I think, a real concern.

My understanding is that it's considered likely that there was a national intelligence agency behind the xz attack. Point is, if they did it once, it's probably in the toolkit, and will come up again. Not just from them, but from other organizations who will study attacks and see what works.

The problem with being an open-source developer is that you don't spend your days trying to figure out counters to social engineering attempts. On the other side, you've got people who may well be spending a lot of time, reading papers, throwing around theories on just how to best pull this sort of thing off. The result is that one side is a novice, and the other has a lot of expertise and time to create a plan.

And the problem isn't just how to counter social engineering attempts, but how to do so without being too corrosive to the open-source development community. Like, right now there's a certain level of reliance on trust. If there isn't any trust, it's gonna be harder to do open-source development.

In both the potential F-Droid attack mentioned and at least some of the people with the Jia Tan/xz attack, some sockpuppets were used that had little history. It might increase the cost of an attack to take into account someone's history. But...then, the Jia Tan attack also had a very considerable amount of effort put into creating a false persona, the one that actually did the commits.

[–] WamGams@lemmy.ca 9 points 6 months ago

I love Lemmy, but the harassment and sock puppet accounts is a huge fucking issue. It seems like some of the main instances are just tankies who won't allow anybody else to have an enjoyable time

[–] magic_lobster_party@kbin.run 6 points 6 months ago

Social engineering is one of the most underestimated attack vectors. It doesn’t matter how cryptographically secure your system is if you can just ask for access.

[–] gregorum@lemm.ee 18 points 6 months ago* (last edited 6 months ago) (1 children)

Perhaps this speaks to a larger issue— how much bullying exists in the FOSS community, and what can the community - at large - do to address it, or even begin to bring awareness to it?

This argument that it’s a security vulnerability isn’t a terrible one (it’s certainly very logical and quite irrefutable), but I think there are others to be made for addressing this issue.

[–] jimmy90@lemmy.world 2 points 6 months ago

yeah, i think any project needs effective leadership. without it disagreements can fester into conflict and bullying becomes a bad way of resolving or beating those you are in conflict with

[–] lurch@sh.itjust.works 10 points 6 months ago

at the moment we have to accept we can't please everyone. if people bully maintainers, they can gtfo and fork. same if you get bullied by maintainers, just fork and forget. maybe join with likeminded people if it's too much work.

[–] fruitycoder@sh.itjust.works 2 points 6 months ago

Are there any moderation tools or groups offering moderation support for projects?