Thoughts on Open Source Takeovers

This past month saw one of the most well-planned open source software supply chain attacks in history. A program called xz Utils, which provides lossless data compression for most Linux distributions, was found to have a backdoor that affected sshd. As Ars Technica reported, “Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device.” There are no reports of the backdoor being used, but the story behind how the backdoor landed is something straight out of a spy novel.

The story starts in 2021 when a GitHub user named JiaT75 is created. Later that year, they successfully landed a commit to libarchive (a C library for reading and writing archive files) that replaces a call to safe_fprintf() with one to fprintf(). Even though this was a bit suspicious, it was merged without comment. Later comments seem to agree that the change is benign, but also pointless. This appears to be a trial run to see how difficult it would be to land code in a widely-used project.

JiaT75’s first contribution to xz Utils comes in February 2022, when they submit a patch to the mailing list. Someone named Jigar Kumar then joins the mailing list and accuses Lasse Collin, the xz Utils maintainer, of not properly maintaining the project. He urges Collin to merge the patch quickly. Several others also join the mailing list around the same time to agree with Jigar. All of this was intended to pressure Collin into having someone help maintain xz Utils.

In January of 2023, JiaT75 landed their first pull request without outside review, indicating that they had gained Collin's trust and now had commit access. From that point on, JiaT75 makes a series of contributions to further cement control of the project.
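As an aside on the libarchive trial-run commit mentioned above, here is an added example (constructed for this newsletter issue, not libarchive's code) of what a safe_fprintf()-style helper does that a bare fprintf() does not: it escapes bytes outside printable ASCII before an archive entry name reaches the terminal. The escaping scheme (\xNN and a doubled backslash) is a simplification assumed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the escaping safe_fprintf() does in bsdtar (not
 * libarchive's code): bytes outside printable ASCII become \xNN and a literal
 * backslash is doubled, so a crafted entry name cannot push raw control
 * sequences to the terminal. Returns bytes written, excluding the NUL. */
size_t escape_for_terminal(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        char piece[5];
        size_t len;
        if (*p == '\\') {
            memcpy(piece, "\\\\", 2);
            len = 2;
        } else if (*p >= 0x20 && *p < 0x7f) {
            piece[0] = (char)*p;
            len = 1;
        } else {
            len = (size_t)snprintf(piece, sizeof piece, "\\x%02x", *p);
        }
        if (n + len >= outlen) /* truncate rather than overrun out[] */
            break;
        memcpy(out + n, piece, len);
        n += len;
    }
    out[n] = '\0';
    return n;
}

/* Raw fprintf() form: every byte of the name reaches the terminal unchanged. */
void print_name_raw(FILE *fp, const char *name) { fprintf(fp, "%s\n", name); }

/* Safe form: escape first, then print. */
void print_name_safe(FILE *fp, const char *name)
{
    char buf[256];
    escape_for_terminal(name, buf, sizeof buf);
    fprintf(fp, "%s\n", buf);
}

int main(void)
{
    const char *name = "notes\x1b[31m.txt"; /* constructed name with an ESC byte */
    print_name_raw(stdout, name);  /* terminal interprets the ESC sequence */
    print_name_safe(stdout, name); /* prints: notes\x1b[31m.txt */
    return 0;
}
```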
The first of those contributions is a pull request to oss-fuzz changing the contact email address from Collin's to JiaT75's, followed by other changes to oss-fuzz designed specifically to avoid detecting the backdoor code when it is introduced. Once the backdoor landed and the new releases were published, JiaT75 went about pressuring Linux distros to upgrade to the malicious versions of xz Utils. Many did. It was only by accident that the backdoor was discovered before it could be exploited.

Right now, I don’t have an answer for what needs to change. I just know that something does.

Key Takeaways
More on Open Source Takeovers

📝 Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects by Robin Ginn and Omkhar Arasaratnam
📝 Everything I know about the XZ backdoor by Evan Boehs
🎬 Linux got wrecked by backdoor attack by Fireship

Stuff I've Enjoyed this Month

📚 Coaching for Performance by Sir John Whitmore
📚 How to Grow Your Small Business by Donald Miller
🎬 Bun 1.1: Bundows is here by Bun
📝 Paying Maintainers: The How-To by Luis Villa
📝 How We Built JSR by Luca Casonato

What I'm Working On

🏠 Real Estate: There was a lot of rain around my properties, and so the basement of one house flooded. This was surprising because I do have a sump pump in the basement, but it was attached to a GFCI outlet that tripped and the pump never went on. A bit of a mess, but thankfully there was no significant damage. We replaced the outlet and pumped the water out of the basement. Just another fun landlord story! Follow my Instagram for real estate photos.
📝 Writing: I wrote a blog post explaining how I use a Synology NAS to back up my whole life. If you use a public cloud as your only source of data (i.e., Google Drive), you'll want to read this.
💻 Standards: I put together a proposal to change the JavaScript const declaration so it is write-once instead of requiring initialization. At this point, I'm just waiting to hear back from a TC39 member to see if there's any chance they'd accept this proposal. I've received good feedback so far, so I'm hopeful.
💻 Open Source: I submitted my first pull request to Undici, which is the package that powers the Node.js native fetch() function. I had spent an hour trying to track down an obscure error and decided to submit a pull request to make the error message more easily understandable.
💻 ESLint: After a lot of work by a lot of people, ESLint v9.0.0 has been officially released! This is very exciting because it lays the groundwork for a lot of future plans.
A once-per-month newsletter discussing topics important to senior-level software engineers, with a particular focus on frontend technology and leadership.