
Linus Torvalds: Speaks on XZ Hack in Linux and Trust in Open Source Dev

Linus Torvalds speaks on the XZ hack, how it affected Linux, and the trust issues it caused in the open source developer community. How do we handle future security vulnerabilities and hacks? We'll listen to the creator of Linux.

My Linux Cheat Sheet and 25 Page Checklist here:
📚 https://learn.savvynik.com

Share this free tool and support Small YouTubers
https://editbulk.com
(I made this tool to help creators)

Want more info/content?
https://savvynik.com

Useful Links/Commands:
Discord Link – https://discord.gg/zZD5q92
Summit – https://www.youtube.com/watch?v=cPvRIWXNgaM

#opensource #linus #linux


by SavvyNik


24 thoughts on “Linus Torvalds: Speaks on XZ Hack in Linux and Trust in Open Source Dev”

  • Mass updates are good. No one should be able to track them. We need exponential growth of updates, and AI has to add additional updates on top.

  • I wonder if Linus would like to walk away and start a new kernel project. Without identity politics.

  • Well stated. Rules are broken. It is harder to escape the unknown scrutiny of an unknown developer in the wild.

  • We are social animals. And trust is the magic word. As in our physical relationships, so in digital ones. Trust is a human property we cannot avoid in whatever we do. Be it throwing a bone to a wild wolf or being overwhelmed with overwork, no time and sinister "friends". Any human property can be misused. I don't think we can write a magic recipe to avoid that. Trust has given us way more than what we could achieve by being loners.

  • I bet no feminists will be offended by the lack of gender-neutral terms: BAD ACTORS but never bad actresses. They want to fight for the C-suite positions and never the brick laying jobs.

  • Considering the combined market cap of MS/GOOGLE/AMAZON exceeds $7 trillion and they take advantage of Linux, I believe they should provide corporate developers and AI to search Linux code for potential threats. Further, they should provide a "reviewed" repository of Linux code, which should be the source for all distributions. MS does own GitHub, so the repository infrastructure already exists.

  • The high trust culture has vanished, and nobody knows how to replace it. :/

  • It's hard to help with FOSS projects when you cannot code. I would go even further and say when you are just an end user you cannot help the project.
    – If you cannot code, you cannot help add features.
    – If you are just an end user and don't know how to write a helpful bug report, the report will be closed because the developer cannot reproduce it, you are frustrated because you wasted time on the bug report, and everybody who has the same problem is pissed that the program crashes. (The typical end user does not want to study coding just to produce a bug report. They do not want to set up an extra dev environment they can't use for anything else.)
    – If all you can do is test the app and suggest new features, they may never get included because the developer is busy doing something else or sees your request as too niche.
    – If you are a great designer, you could maybe spend some time on improving the UI. You may even draw icons and upload them to the project. But you cannot influence whether your work is included in the project or if it was just a waste of time for you.
    – You may be able to donate money, but if it's a project with a single developer who created the project as a hobby and has a day job as well, they may need your help much more than your money.

    For my part: I would love to help with the Linux kernel development, but I cannot code at such a high level and I do not have access to or the money for new hardware to test the kernel. Let alone that I have never compiled a kernel or done anything on my production system, as I need it to work and I'm scared that I would break the Linux machine I need for my daily business.
    So even though I would love to support the kernel, I'm not sure if I could help with anything else besides donating money.

    TLDR: It's very hard (I would say nearly impossible) to help in FOSS development when you cannot code.

  • Capitalism is based on competition and is the exact opposite of a communal system of trust. People set up elaborate legal contracts because they don't trust each other, and even within these contracts, they try to outsmart one another. As a result, an entire justice and law enforcement system has to keep up with these competing interests. Linux won't change this.

  • Fun fact: I'm exactly 18 years younger than Linus, +- some hours. …That was very much more fun to discover back when I was 18 than writing it in a random comment when I'm 37 and he's 55.

  • Mr Torvalds, another super system I use is Chromebook/ChromeOS BY GOOGLE. All people tell me is it's based on Linux!!! Mr Torvalds, this Google system is so much polished on SPEED and SECURITY. Never seen anything like it in my entire LIFE!!!

  • Mr Torvalds, Linux is the Internet. With Linux I have experienced super SPEED and SECURITY!!! Don't quit, keep the system ALIVE!!!

  • The XZ attack has a similar M.O. to Left illiberal wokes gaining management control of Wikipedia, Twitter, Google, Alphabet, Facebook, Meta, Microsoft, LinkedIn, etc. 😂

  • More trust issues these recent days:

    * GNOME (foundation)
    * CrowdStrike (QA)
    * Intel (13th & 14th gen issues)
    ….

    What else?

  • Honestly, Linus said it best: it doesn't matter if it is open source or proprietary software. It can happen to anything. It comes down to having trust and bad actors taking advantage of said trust. I think there should be a few vetted people to look over code before said code can even be implemented, as well as better background checks of contributors.

  • Microsoft trusted Clownstrike… do I need to say more?

  • This is why we'll need top-level trusted maintainers, and even Linus himself, to really double check everything before sending it all out. IMHO.
