this post was submitted on 16 Jan 2026
25 points (87.9% liked)

RedClouds@lemmygrad.ml 5 points 1 week ago

About this issue:

The self-replicating back door is a... real stretch of an argument. This is the kind of thing that governments and billion dollar corporations think about. It's (one of) the reasons Apple has maintained its own programming languages. Big tech agencies often house their own compilers and make their developers use it (even if it's just a copy of the open source ones) to ensure that if a compiler is compromised, they can continue working on it under their own direction. Also, if Germany could get a self-replicating compiler vulnerability in a compiler, it would hit much harder and further to just attack GCC, which is the main compiler for 90% of C code, which is 90% of the infrastructure of software (Yes, many of those language libraries you use, use C underneath, or at least, their compiler is written in C).

Furthermore, this is a problem for any language that only has one compiler, and a second implementation of Rust has been in the works for GCC for a while (gccrs I believe). Also, there's many many places where there's a push to move C code to Rust to increase security, this isn't 'weird'.

There are so many other problems to consider before going down this route. Supply chain attacks, trust verification, code signing, all these come into play way before this. Plus it's not like Germany owns Rust, they can't necessarily inject a compiler issue into Rust the way Lunduke argues.

The real issue is that most security vulnerabilities are caused by things Rust seeks to fix, use-after-free and double-free causing crashes that can be taken advantage of by a clever malware writer. Writing in Rust is (a slow and somewhat painful way of) making software more secure, not less.


About the agency

Additional note, this govt agency (and I'm no fan of Germany's govt necessarily, but just to note) has given millions to many open source projects. Let's Encrypt, PyPI, Yocto, the OpenPrinting stack, ActivityPub (you know, from the fediverse, how this platform runs...). They've also recommended languages other than Rust for projects too.


About Lunduke

He's a racist transphobe MAGA hat wearing techie (keeps the hat hidden, also don't know if he's actually a fan of Trump, but he's an alt-right conspiracy theorist). I'm "passionate" about talking about him because I followed him for a number of years, now kinda regrettably (we all make mistakes, it's best to learn and move on, but still, this one hurt, I was a big fan for a while).

He used to live in Portland, Oregon, and during the pandemic, he moved away because the city had become something that he "didn’t like". That was when the city started to show its real anti-fascist and anti-Trump sentiments. That was also when the whole anti-police movement happened in Portland and Seattle.

I became suspicious of him after that, and then he basically said that he didn’t want to talk in public about the things he actually wanted to talk about, but that you could pay him money to subscribe to his journal and he would actually discuss those topics. He then left YouTube on his other channel and, I think, left the Lunduke Journal channel, but later came back for a video once in a while.

I found some of his writings that were public and non-paid, and he talked about anti-trans topics, gender-neutral bathrooms, and things like that. He has a big enough base that he can pretty much single-handedly create controversy. Although he’s a big Linux fan, he’s a massive critic of all the diversity, equity, and inclusiveness that the field tends to promote.

He really fuels the conspiracy that "the left" is the worst part of technology. He wants to make technology seem like a right-wing thing. He’s been denouncing the fall of Linux for a while now, mostly because he thinks the developers of Linux are too woke.

yogthos@lemmygrad.ml 6 points 1 week ago

> Big tech agencies often house their own compilers and make their developers use it (even if it’s just a copy of the open source ones) to ensure that if a compiler is compromised,

That's precisely what makes Rust appealing here with it being a new language and only having a single compiler implementation.

> Also, there’s many many places where there’s a push to move C code to Rust to increase security, this isn’t ‘weird’.

I actually do find it weird that there's a massive push to rewrite all the stable and battle-tested software that's been known to work fine for decades in a new language that's still evolving.

> There are so many other problems to consider before going down this route. Supply chain attacks, trust verification, code signing, all these come into play way before this.

Why assume that's mutually exclusive? Intelligence agencies would pursue a multi-pronged approach, and if one trick works that's all you need.

> The real issue is that most security vulnerabilities are caused by things Rust seeks to fix, use-after-free and double-free causing crashes that can be taken advantage of by a clever malware writer. Writing in Rust is (a slow and somewhat painful way of) making software more secure, not less.

Sure, the idea of Rust seems generally useful. However, the features Rust provides are entirely tangential to the discussion.

> Additional note, this govt agency (and I’m no fan of Germany’s govt necessarily, but just to note) has given millions to many open source projects. Let’s Encrypt, PyPI, Yocto, the OpenPrinting stack, ActivityPub (you know, from the fediverse, how this platform runs…). They’ve also recommended languages other than Rust for projects too.

That of itself doesn't really let us know anything one way or the other.

Finally, I personally was not familiar with Lunduke, sounds like he's a massive piece of shit. I don't think that has anything to do with the question of whether it is problematic that there's a mass push to rewrite mature software in a new language that only has a single compiler implementation.

RedClouds@lemmygrad.ml 3 points 6 days ago

So for sure, everything you said is correct. One compiler, the push to rewrite software (This one I do 100% agree with, I do write Rust, but for greenfield stuff, it's not really useful to rewrite working, stable, secure software, in Rust). Security work isn't mutually exclusive, and what agencies do elsewhere doesn't represent what it does here.

I guess my best argument here is that I don't think Lunduke cares about what he claims, I think he's a right wing propagandist that looks for any reason, no matter how small, to push controversy and pull people to his blog to make money.

So yeah, you're right, security-wise it's not a nothing burger, and is suspicious. Though I will still say that even though the Rust evangelists have rightfully been told to back off a bit, there's lots of companies that have decided to rewrite a lot in Rust.

yogthos@lemmygrad.ml 2 points 6 days ago* (last edited 6 days ago)

Sure, Lunduke is a terrible person and we obviously shouldn't take anything he says as gospel. But the conversation itself is very much worth having. It's too bad he had to be the guy to bring it up since that immediately taints the whole discussion. I didn't really think to look him up when I saw the video, otherwise I would've just made a post without referencing him.