125
submitted 7 months ago by lemmyreader@lemmy.ml to c/linux@lemmy.ml
you are viewing a single comment's thread
view the rest of the comments
[-] A1kmm@lemmy.amxl.com 49 points 7 months ago

I wonder if this is social engineering along the same vein as the xz takeover? I see a few structural similarities:

  • A lot of pressure being put on a maintainer for reasons that are not particularly obvious what they are all about to an external observer.
  • Anonymous source other than calling themselves KA - so that it can't be linked to them as a past contributor / it is not possible to find people who actually know the instigator. In the xz case, a whole lot of anonymous personas showed up to put the maintainer under pressure.
  • A major plank of this seems to be attacking a maintainer for "Avoiding giving away authority". In the xz attack, the attacker sought to get more access and created astroturfed pressure to achieve that ends.
  • It is on a specially allocated domain with full WHOIS privacy, hosted on GitHub on an org with hidden project owners.

My advice to those attacked here is to keep up the good work on Nix and NixOS, and don't give in to what could be social engineering trying to manipulate you into acting against the community's interests.

[-] zygo_histo_morpheus@programming.dev 25 points 7 months ago

Don't know anything about this particular case so while "social engineering to create a backdoor" is certainly a possibility, so is the more straightforward explanation that it is drama about real or perceived problems in the nix community. I think that it's dangerous to dismiss this altogether because of the recent xz debacle.

[-] FractalsInfinite@sh.itjust.works 21 points 7 months ago

Too many people involved I think, someone will have to check this but all those members with names attached look like real developers who were significantly contributing to the project. It is perfectly possible for a dictator for life to have festered a toxic culture that got worse over time, and has happened multiple times before.

[-] acockworkorange@mander.xyz 8 points 7 months ago

How much of those are actual people? I count half a dozen git links in the signatures. Those could belong to a single attacker. Everyone else either has an email or an unlinked handle. Who knows if they are Nix devs?

[-] wewbull@feddit.uk 19 points 7 months ago

I think you're right to be suspicious. The XZ attack has showed that there are people and organisations out there that would love to get hold of a piece of trusted critical infrastructure like Nix. They'll go the long lengths to do it, manipulate people, and exploit the maintainer's desire to do the right thing.

And if the person can't stand by their critism and can only give wooly examples, then best to ignore it.

[-] ikidd@lemmy.world 10 points 7 months ago

I agree. This immediately jumped out to me as a social engineering attack when they started spouting off about "more people with commit access" and otherwise being anonymous and most of the signatories not on the contributor list, especially at the start.

[-] corbin@awful.systems 3 points 7 months ago

The original signers include members of the infrastructure and moderation teams. You can find about half of them on Mastodon. They're all well-established community members who hold real responsibility and roles within the NixOS Foundation ecosystem.

Also note that Eelco isn't "a maintainer" but the original author and designer, as well as a de facto founder of Determinate Systems. He's a BDFL. Look at this like the other dethronings of former BDFLs in the D, Python, Perl, Rails, or Scala communities; there's going to be lots of drama and possibly a fork.

this post was submitted on 21 Apr 2024
125 points (87.4% liked)

Linux

48247 readers
447 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS