Analysis Summary
Worth Noting (positive elements)
- Provides unedited clip of Linus Torvalds' direct insights on the XZ backdoor's implications for open source trust models and community defenses.
Be Aware (cautionary elements)
- Appeal to Linus Torvalds' authority as Linux creator to endorse the channel's open source advocacy.
Transcript
Let's get Linus Torvalds' thoughts on trust in the open source community, especially in the light of the significant security breach and hack that was known as the XZ utilities backdoor vulnerability. Linus talks about this and more, including the importance of a robust trust model with a strong, interconnected open-source community to defend against threats like this. There's definitely a unique and complex level of concern in the Linux open source project. Here's a recent conversation that Linus had with Dirk, who is the head of the open source program office at Verizon. Let's get into what Linus thinks about this now.

It certainly is today. Yeah, but let's switch gears a little bit. We talked about security, we talked about the challenges that come from the hardware up towards us. Let's go the other way, let's look at user space. And of course the last few weeks a lot of people who care about security have learned a lot about XZ and about the pretty amazing, and amazing in a bad way, very long planned and well executed attack on the ecosystem. And I'm curious what your thoughts are about this.

Well, so I'm hoping people know the background, I'm not going to go very much into that, where open source in many ways relies on a certain amount of trust, where you trust the developers, you trust your co-maintainer, you trust the people around you to do the right thing. And honestly it's not true just in open source, I mean it's true even in proprietary source: you depend on the trust in the company, but also within the company you depend on trusting your employees, and that trust can be violated. And how to figure out when it's being violated is an open problem, and we've seen this before. In the kernel space we actually saw a university a few, several years ago that tried to do a study on how easy it is to upstream bad kernel patches, and that's actually an interesting study, they just didn't do it very well, and they didn't tell a third party about this, and they just sent us bad patches. And understandably maintainers (a) caught the bad patches and (b) were really upset about this and were going, hey, you're a university group and we were kind of trusting you and you broke that trust. And that really ends up being a very personal matter. We had maintainers who were very pissed off.

Well, you were being experimented on, you were the objects of an experiment, and that is in violation of a ton of ethics rules.

Yes, you can't do that. Yes, but I mean, so we've both seen that kind of experiments, and now, not in the kernel space but in another open source project, we've seen an actual malicious attack, and nobody really had any explicit gates in place to try to catch this. But what I actually see as a huge positive is that despite there not being any explicit rules in place, let's try to catch malicious activity, in both cases they were actually really caught fairly quickly. So the XZ attack had a history going back several years, but when the actual bad actor took advantage of becoming a maintainer, it was found within weeks. It was pretty quickly.

But it was found randomly.

It was found randomly, but my point is random ends up being good. I mean you can't always have specific rules in place, because it's kind of, when you have rules in place, the bad actors, they don't follow the rules, so they can try to work around whatever technical rules you have in place. And the fact that open source projects have found these kinds of attacks does seem to imply a fairly strong amount of stability, and that these things do get caught. So clearly it's a wakeup call, there's no question about that. And there are a lot of people who are looking into various measures of trust. In the kernel, I mean we had, there are existing projects, PGP being one of the really classic ones, which has this notion of a network of trust, and in the kernel we actually use that amongst maintainers. But I think we're going to see a lot of work being put into some kind of trust model where people see, oh, this is a new person, or this is a person that is acting differently from before.

Yeah. For no particular reason I want to point out the engineer who found this was a German engineer, but it's just random. Thank you, there's another German in the audience. But I think what's so interesting about this whole notion of trust is, in the after-the-fact analysis of these personas that were the bad actors, of course they had none of the typical footprint that a real person would have. So Brian Krebs had this interesting piece where he said the email address used for these attacks never showed up in any of the data breaches, any of the many: Equifax, United Health, you know, name any company, T-Mobile, anybody who has their data stolen, and all these email addresses are online, you can find them in databases, and the emails of these bad actors weren't in that data, which is an interesting way to define whether you're a real person or not.

Right, but so the Linux network of trust, one of the requirements for the signature is that you meet the person face to face and you are supposed to look at their government ID. Of course a nation state aggressor can create a false government ID, but still there is an additional level of difficulty. But to me I think the biggest defense against all that is a healthy community.

Yes, and the Linux kernel has this incredibly big but also incredibly deeply intertwined and connected community, where there are multi-year, multi-decade relationships at the core of all.

Well, it is, that is true. At the same time it is worth really pointing out how unusual the kernel is as an open source project. A lot of open-source projects, even very central ones, are basically run by one or two or three people, and they may have many more people who occasionally contribute, but most open-source projects are really fairly small. And the kernel having, like, just the number of maintainers, depending on how you count, is between 50 and maybe 150, but we have a thousand people that basically participate in every single release every couple of months. What we do is not necessarily something that can translate to 99% of all the open-source projects.

But one of the things I believe we, and this is the larger we, all of us here in the room, the industry, should be doing is we should be looking at the projects that are under-utilized, that are not under-utilized, that are under-supported by their own community and by all of us who are using this software. I think there is this discrepancy of being a user of open source and depending on it deeply, and a certain responsibility to then help solve the problems and supporting a lot of these smaller projects, not with money, money is really hard in this case, what people are looking for is help. So engaging, you know, each of you works for a company, have your company adopt a couple of such projects and just participate, read the code, be part of the reviews of the patches, provide just moral support to the maintainers, it's as simple as that. So I think there's a lot more that we can do. Not everything can be Linux, that would be hard.

No, I mean, I think this has been a wakeup call. I mean people have been talking about the infrastructure security for the last several years because of not necessarily bad actors but just bad bugs. And I think that will actually continue to be the main problem. The bad actors may be interesting, but they are at the same time not going to be the common case. We are very good at creating code, but part of that is also we're very good at then sometimes getting it wrong, and so it happens even in the kernel community when we try to be very careful because of the area we're working in.

Yeah, and no one is perfect.

Thanks to the Linux Foundation for hosting this event and conversation. If you want more of this video or you found this conversation between Linus and Dirk interesting, check out the link in the description below. Let me know what you think about the recent vulnerabilities in Linux which subject the entire open source community to more scrutiny, and I'd also love to hear what you think about Linus' thoughts from this conversation. Catch me in a great community on Discord and I'll catch you in another video. Thanks for watching.
Video description
Linus Torvalds speaks on the XZ hack and how it affected Linux, causing trust issues in the open source dev community and Linux. How do we handle future security vulnerabilities and hacks? We'll listen to the creator of Linux.
My Linux Bundle is here: 📚 https://savvynik.com
Share this free tool and support small YouTubers: https://editbulk.com (I made this tool to help creators)
Useful Links/Commands:
- Discord Link - https://discord.gg/zZD5q92
- Summit - https://www.youtube.com/watch?v=cPvRIWXNgaM
#opensource #linus #linux