Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Cloud Open Source

Tech Casualties of Russia's War in Ukraine: Open Source and the Cloud? (github.io) 93

Long-time Slashdot reader theodp writes: In On the Weaponisation of Open Source, software engineering consultant Gerald Benischke examines how the Russian invasion of Ukraine has spilled over into areas of software development, with some unintended consequences. In particular, Benischke looks at the decision by MongoDB to cut off services in Russia, the destructive change in a node library that deleted files on Russian IPs, and even a change in the code/licence in a community terraform module to assert that Putin is a 'dickhead.'

Benischke concludes, "My problem is that this weaponisation is killing off trust. I think the temptation of using open source projects as weapons against Russia should be resisted because it sets a dangerous precedent and may ultimately set back the open source movement and push organisations back into seeking refuge in commercial software with all its opaqueness and obscurity. It's not about sitting on the fence or taking sides in a war. It's about what open source has achieved over the last 30 years and I think that's now at risk of become collateral damage."

Meanwhile, the war is also being fought on the Cloud front, with Microsoft halting all new sales in Russia. In fact, all of the major U.S. cloud providers have stepped back from doing business in Russia. "You basically have Russia becoming a commercial pariah," explained economist Mary Lovely. "Pretty much no company, no multinational, wants to be caught on the wrong side of U.S. and Western sanctions."

This discussion has been archived. No new comments can be posted.

Tech Casualties of Russia's War in Ukraine: Open Source and the Cloud?

Comments Filter:
  • Trust No One (Score:4, Insightful)

    by barlevg ( 2111272 ) on Sunday March 20, 2022 @09:44AM (#62374093)
    Operating on a system of least trust, where, at a minimum, your dependencies are all explicitly pinned, and, more realistically, where any bit of critical kit gets its dependencies from an internally managed mirror--with new versions being screened as they're published--this should be standard operating procedure. And saying this is a flaw in the Open Source ecosystem is FUD--the difference is that when closed source software injects malware into their latest update, you don't find out as quickly (or at all).
    • Operating on a system of least trust, where, at a minimum, your dependencies are all explicitly pinned, and, more realistically, where any bit of critical kit gets its dependencies from an internally managed mirror--with new versions being screened as they're published--this should be standard operating procedure....

      you have just described 80% of closed source work. and i suspect closed source has never been actually as closed as people complain about, more likely the discussion from the beginning is very exclusive.

      • by Z00L00K ( 682162 )

        And I don't really trust closed source. It's quite popular these days to send "usage statistics" to some home server and you can't opt out unless you first run the program and it has shared data with the home server already.

        • So you're saying Satisfactory is sharing "usage data" with Coffestain already which is your implication unless there's some other data that they shouldn't have. Oh like say I'm a customer and bought their product.

        • It's more than that. If you let them, they'll copy all your contacts, and for bonus points use the microphone to listen to your conversation so they can make targeted ads.

          More than once, I've merely *talked* to people about an unusual subject and shortly afterwards I'm getting targeted ads about those subjects.

          Plus they've been caught multiple times using a lot more bandwidth than metric would require (multiple megabytes of data per day).

    • Operating on a system of least trust, where, at a minimum, your dependencies are all explicitly pinned, and, more realistically, where any bit of critical kit gets its dependencies from an internally managed mirror--with new versions being screened as they're published--this should be standard operating procedure

      In many bigger software shops, this is already the norm. They have the extra money and headcount to support complex dependency systems that easily catch justice warrior shenanigans. They'll just skip the broken versions and switch to the eventual replacement once the community selects one.

      This is more of an issue for smaller companies, where headcounts are low, budgets are tight, and deadlines are always looming. Those poor chaps are quite reliant on their dependencies to do no evil, not by choice but by ci

      • This is more of an issue for smaller companies, where headcounts are low, budgets are tight, and deadlines are always looming. Those poor chaps are quite reliant on their dependencies to do no evil, not by choice but by circumstance.

        Not necessarily. Many commercial libraries offer both binary and source+binary licenses. A licensee gets access to the source code in the latter, however they may only distribute binaries to their customers. This allows them to have their own fork and control their destiny. At small companies I have successfully convinced management to buy the more expensive source licenses, and in both cases it saved our asses. If the bug was in a library would could fix and patch and deliver a fix to our customers at the

      • by jabuzz ( 182671 )

        My view is that if you don't have the head count to dedicate someone to supporting the package dependencies then if package is not in the distribution that you are using repo's then you should not be using it.

        That is the value that a LTS distro brings. The problem is what I call the "Java boys" who think they have to be using latest greatest at all times, and rewriting everything in the latest fashionable language (which historically was Java) is the solution to world peace.

    • It's not even about malice or activism. Pinning is the only sensible thing to do: otherwise you will get random breakage. You might for example unwittingly be depending on behavior that is a bug and gets fixed in a minor point release (every observable behavior is a feature).

    • There are three options not two.
      (1) FOSS license
      (2) Commercial Source license
      (3) Commercial Binary license

      FOSS and Commercial Source licensing are nearly identical for direct licensees. A licensee has the source code to the application or library, they may make changes or additions, they may freely distribute binaries with their changes. The difference is largely that source code only goes one generation, to the direct licensee and not to their customers too.

      So as a developer you have two options w
    • by Pieroxy ( 222434 )

      Sure, you can (and should) pin your dependencies versions. But when the time comes to upgrade them, how do you do it? Upgrade them on your dev machine and test? Bam, random files were deleted on your dev machine.

      This is not a random bug, it's a targeted attack against devs machines.

      Unless you dev in a VM or a container (which has its own problems) you're going to get hit.

      • Bam. Random files deleted from your appropriately sandboxed and isolated test machine... after the dependency has been scanned for obviously malicious or known nefarious code. Is this going to catch the truly novel and creative hacks? No. But most of these upstream dependency attacks (that we hear about at least) are stupidly obvious and even brazen about what they're doing.
        • by Pieroxy ( 222434 )

          Usually you test first on a sandboxed test machine *before* testing on your dev machine? That's odd.
          Or do you use a VM as a test machine ?

  • by awwshit ( 6214476 ) on Sunday March 20, 2022 @09:45AM (#62374095)

    Modern practices of continuous integration and deployment are the real issue here. If you are using your own copy of the source and pay attention then this is a non-issue. If you just pull the latest from a public repo and start using it then you are asking for trouble. It should be obvious in 2022 that software security is not a matter of the type of license.

    • by larwe ( 858929 )

      If you just pull the latest from a public repo and start using it then you are asking for trouble.

      This. So much this. As a certified Old Guy who comes from an embedded world where step 1 of validating a build environment is "from scratch, create the build environment. Pull in the source from the most recent known good version. Verify that the binaries CRC-check with the binary that was qualified" - the number of commercial products (not at my employers, but just in talking to people) that pull random latest components down directly from the Internet is chilling. It would be like Ford saying "We make our

      • That's certainly how the US Navy does it.

        https://www.defensenews.com/na... [defensenews.com]

        • by larwe ( 858929 )
          Yeah I read that story a while back, but at least (?) this was mere "I can't be bothered doing all that paperwork that is my actual paid job" vs "I want to poison the supply chain so that pressure hulls implode".
      • Actually, I've had two gcc's with the same version number and options give different results, and not just because of the difference in build date. And not even with the MPC stuff, it was a simple operation that was 2 instructions versus on, as if the optimization was ever so slightly better in one. A head scratcher.

        • by larwe ( 858929 )
          Oh, me too - and not even just because of glibc changes. My old life required matching basically every byte of the compiler and standard libraries, and optimization options, and .... as the known starting point - else trigger heartwrenchingly long tool requalifications :)
      • by Pieroxy ( 222434 )

        If you just pull the latest from a public repo and start using it then you are asking for trouble.

        This. So much this.

        So how do you do it when you want to upgrade? Do you read changelogs and diff of all libs you upgrade? Remember that this thing also target dev machines.

        • by larwe ( 858929 )

          So how do you do it when you want to upgrade? Do you read changelogs and diff of all libs you upgrade?

          As part of updating the SBOM - the short answer is "yes, and if there are changes, they will trigger a security assessment and other qualification steps which is why I try to be very conscious of WHEN to consume library upgrades".

    • But the issue is while you are validating the software, your competitors are already selling product.

      Once a decade, your due diligence saves your ass.

      But after three years, your company went bankrupt.

      Validating software costs money and time. When the software is literally reliable for *years*, that cost of time and money becomes a competitive disadvantage.

      And in cases like log4j, it doesn't even buy you anything compared to your competitors.

      I certainly understand the U.S. navy and even a fortune 500 compa

    • This is the anti-Facebook method. Move slow and be sure not to break anything.
      • Wear clothes and practice self-defense to avoid getting raped.

        Break things, and fix them, before you get to production.

        Who was Facebook ever in a race with and did they win by moving fast and breaking things? Did they ever treat security concerns in a 'move fast and break things' manner?

  • The active choice to commit of crimes against humanity [un.org] by Russian soldiers under approval of its leadership necessarily dictates that the state be punished. It is a fact that actions against the state must also apply to the individuals the state represents. They are the ones who can change what the state does as their representative. Any EU/US/AUS programmer supporting Russia is violating sanctions, and claiming that contributing to a project not exclusively designed for Russia does not absolve that respons
    • Source code is not software, it is speech. The author of PGP proved that when prosecutors backed off after MIT Press published his source code worldwide, and DJB successfully won court cases based on a similar motif. You cannot have a country where the government allows free speech and then have the government enforce unnecessary restrictions on it at the same time.

      Interestingly enough, this same defence can be used to justify the malicious changes to peacenotwar as much as it can be used to defend peopl
      • Source code is not software, it is speech.

        Why can't it be both?

        I mean, we can also say the same thing about binary programs, if we encode them in ASCII and then scan or recite (for those masochistic enough) letter-by-letter the resultant "text".

      • Yes, and even speech can be made illegal in wartime. Even morally incorrect, such as speech that helps the enemy ("here's where our troops will be located tomorrow at 3am").

        When war is involved, it stops being mere politics because lives are being lost. Granted, politicians always get involved, as is their way. Saying one doesn't want to get involved in politics here is like using politics to say why you don't want to be serve on a jury trial for a murderer because you don't want to get involved in polit

    • The active choice to commit of crimes against humanity [un.org] by Russian soldiers under approval of its leadership necessarily dictates that the state be punished. It is a fact that actions against the state must also apply to the individuals the state represents.

      I think you have it backwards. Most of the actions done by a soldier, when done individually and in isolation, can't be considered crimes against humanity. It's when these actions are done systematically by a group that they become crimes against humanity. Far from merely approving the actions of their subordinates, the leaders in the chain of command are the masterminds. Without Putin ordering the invasion of Ukraine, none of these Russian soldiers can commit any of these heinous crimes.

    • by DarkOx ( 621550 )

      Any EU/US/AUS programmer supporting Russia is violating sanctions, and claiming that contributing to a project not exclusively designed for Russia does not absolve that responsibility.

      Stop making stuff up. By and large its not true at all. OSS is mostly legally considered to be 'speech' and not illegal to publish. Its also mostly not illegal to sell software to Russians OR even directly to Putin's government. A lot of big names are opting to do that including Microsoft but they are not legally obligated to do so.

      So now that were past the strait up bullshit here some other realities. Russia is not technically speaking the 'they enemy' we are not at war with Russia. Ours and other governme

      • by Jzanu ( 668651 )
        You deny the major element that is not in dispute. Your cowardice and attempt at hand-waving away your obligations is sickening. Your views are the product of cowardice and are antithetical to my own. Soviets invaded East Germany, and held it for decades. We are not going to lie down again. We will fight and kill the Russian invaders who come to replace the old systems. We will fight and kill them when the invade the EU. And we will fight and kill them in Ukraine once it joins. There is nothing more to say
  • by account_deleted ( 4530225 ) on Sunday March 20, 2022 @10:01AM (#62374137)
    Comment removed based on user account deletion
    • by Z00L00K ( 682162 )

      When I see PIP I'm thinking of that old CP/M command.

      • Indeed... although CP/M (Digital Research, Inc; 1974) more-or-less copied the PIP command from RSX-11 (Digital Equipment Corp.; 1972) which was a port of DEC's RSX-15 (1971). The whole CP/M command line environment was almost a look-alike for RSX... Ah, the days of well-oiled Teletypes and zippy DECwriters! VDTs (video display terminals like the VT-52 and the later VT-100) were a luxury, and we lived at 300 baud.
        • by Z00L00K ( 682162 )

          With the ASR33 it was 110bps and with null feeds at the carriage return to ensure that it didn't lose characters.

      • by Rufty ( 37223 )

        Thankyou! I'm not the only one!

  • by Rosco P. Coltrane ( 209368 ) on Sunday March 20, 2022 @10:15AM (#62374179)

    1/ Killing off the cloud: not a minute too soon! Russia's action forced a practical demonstration of what everybody with 2 working brain cells has known for years: when a cloud operated by someone other than you goes down for any reason, you're fucked.

    2/ Killing the trust in open-source: yeah, that's sad. But you know what? The whole premise of open-source is that you didn't have to trust anyone, and you could assess what the code does for yourself. You know, if enough eyeballs... This "killing of trust" only underlines something else everybody has known for years also: there are no eyeballs reviewing open-source code. If there were, revenge code would never get deployed in the first place.

    In short, open-source is mostly composed of nice guys, and lazy companies rely on that to cut corners. When some of the nice guys stop being nice, bad things happen to said lazy companies.

    • 2/ Killing the trust in open-source: yeah, that's sad. But you know what? The whole premise of open-source is that you didn't have to trust anyone, and you could assess what the code does for yourself.

      What? Nope.

      The premise of Open Source code is that the Source is Open so anyone can look at it. That's it, full stop, END OF LINE. This has both positive and negative repercussions when it comes to security.

      You know, if enough eyeballs...

      Right. IF, ENOUGH. Some projects receive that level of scrutiny, and some don't. In fact, most don't. However... well, let me circle back.

      This "killing of trust" only underlines something else everybody has known for years also: there are no eyeballs reviewing open-source code. If there were, revenge code would never get deployed in the first place.

      There are eyeballs reviewing open source code. There are not competent eyeballs surveying all code, and there are not enough eyeballs to catch every problem. But when

      • The idea that proprietary software is higher quality than open source is wholly unsubstantiated.

        Maybe, but there's one thing proprietary has that open-source never will. Legal liability. That's a force unto itself in enforcing standards including quality.

        • That's entirely theoretical. If it was a thing, a lot of Microsoft employees would have been thrown into the slammer over the decades.

        • Maybe, but there's one thing proprietary has that open-source never will. Legal liability.

          What? Absolutely not. Licenses always absolve the publisher (etc.) from any liability. If they had liability then there would be [almost] no software.

      • Of course it is done better at commercial outfits, after all they have Corporate Mission Statements and Slogans, even posters on the wall, all proclaiming that quality is their chief goal! The idea that someone might create bad code and or review it too quickly because of looming deadlines is absurd! :-) (this is a joke of course)

    • plenty of Russian major social media and other sites still up, because they use cloud from nations not marching to USA tune. Expect more Russian business and military alliances with China, India, Iran, certain South America and East Asian countries because of this. yay?

    • There are many eyes looking at open source- but they are often focused on active areas of the code and don't review apparently stable areas of the code.

      • Bullshit.

        When some dude slips "if IP in Russia then delete files" in the code and commits it, that's actively changed code, not stable stuff that's been there unchanged forever.

        People happily pull the stuff and use it, and then go all surprised because the code does something nasty. The truth is, nobody looks at the diffs, amd that's how open-source can come with malware despite the code being readable. And even if they looked at the changes before rolling out a new version, all it takes is a little obfusca

        • We work with open source and we have about 20 open source projects. And we actually do use winmergeu, look at the change logs, and so on to look at the diffs. Maybe other areas of opensource aren't as careful.

          • (but we don't spend days doing it. It's hard enough to keep everything updated as it is. So we focus on the hotspots. And test before promoting to production.

        • Back when I had a simpler system I used to look at the diffs for a lot of things just updating my system. But now I have a massive raft of stuff since my system does so much more, and that's simply not practical. I just have to hope that someone is looking at code. But then, that's how commercial software is, too. I have to hope that no rogue employee or infiltrator of their network (possibly even an automated one) has inserted something malicious into their code.

    • Closed source is similar, not enough eyeballs reviewing code.

      I am utterly embarrassed at times when we find a terrible bug, bad enough that the CEO of the customer company calls up our CEO to complain about it and there's an all-hands-on-deck to fix things, then I find the obvious bug and proclaim "what idiot failed to review this code properly!" and it turns out to be me...

  • This is great news. Perhaps now people learn not to include 3rd party repos in their projects, or if they must, first clone said repos to their own git servers, thus never be suprised by upstream doing stupid things.
    Most important law, your app must be able to be compiled on a build server that doesn't have connection to the internet and said app much be able to launch without network connectivity.

  • The west is essentially accusing Russia of committing the ultimate crime, a war of aggression. You know, what we tried the Nazis for at Nuremberg. I'm waiting for the experts on this subject, George W. Bush & Tony Blair, to weigh in with their judgments in this case before taking sides.
  • As a former open source contributor and long-time open source advocate, I am not fully comfortable with the dominance of open source. Nearly every organization scrambled in the last 10 years to rewrite it's front-end with handouts from advertising companies, like Facebook and Google, which I have never really found THAT impressive. Also, remember how badly Angular screwed over anyone who invested in them by breaking backwards compatibility in their early versions. I've personally been screwed heavily whe
  • Should Ukrainians update open source software that the Russian military is using?
    The answer is: OF COURSE NOT.

    If you have any other answer than that, you are mental.

    Should Ukrainians update open source software that Russian business is using?
    The answer again is: OF COURSE NOT.

    ---

    Russia is currently an enemy to the world. I think that makes it a valid exception to normal open source philosophy.
    People who are killing pregnant women, children, toddlers, and babies can't expect updates to their open source so

  • the koch Industries are not shutting operations in russia and that is telling. Full on traitors to the US.

The goal of Computer Science is to build something that will last at least until we've finished building it.

Working...