this post was submitted on 13 May 2024
115 points (93.9% liked)

Linux

48376 readers
1622 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] stuckgum@lemmy.ml 142 points 6 months ago (1 children)
[–] WhatAmLemmy@lemmy.world 100 points 6 months ago* (last edited 6 months ago) (2 children)

Should ... Should we tell OP that nobody understands all of any moderately large codebase, especially the sub-dependencies ... or that even the thousands of developers who wrote most of that code don't understand how their own code works anymore?

I could read the same book every year and I still won't remember most of the minor events on my deathbed. Doesn't mean I won't remember the key components that make up the story — coding is like that, except the minor events and key components can be rewritten or removed by someone else whenever you go to read them next.

[–] taladar@sh.itjust.works 35 points 6 months ago (2 children)

that even the thousands of developers who wrote most of that code don’t understand how their own code works anymore?

The bugs I have fixed that were written by that idiot "me from a few weeks/months/years ago"...

[–] refalo@programming.dev 20 points 6 months ago (1 children)

several times I have searched for a problem and found my own stackoverflow question with no replies.

[–] taladar@sh.itjust.works 10 points 6 months ago

The worst thing is when it happens in this way and you can't remember even though it was your own question https://xkcd.com/979/

[–] glouriousgouda@lemmy.myserv.one 11 points 6 months ago

That guy sounds like the dude that "works" at my house too.

[–] stsquad@lemmy.ml 6 points 6 months ago

It's a web of trust. If the package maintainer is doing due diligence they should at least be aware how the upstream community runs. If it's a one person passion project then it's probably possible to give the changelog and diffstata once over because things don't change that fast. Otherwise they are relying on the upstream not shipping broken stuff.

[–] KISSmyOSFeddit@lemmy.world 70 points 6 months ago (1 children)

No, distros instead use a web of trust in the maintainers. New maintainers are vetted and established ones are assumed to not suddenly turn into malicious actors.
There's an ongoing project that tries to bootstrap a Debian system from a seed that's small enough to be read, but it's more of a proof of concept at this stage, and even this project requires trust into a few parts up front (like xz of all things).

[–] biribiri11@lemmy.ml 28 points 6 months ago (1 children)

I wouldn’t place too much faith in the vetting process. As of right now, there are 2,034 members of the packager group of Fedora. None of them are required to have 2FA (or any real account security past a password), and the minimum requirements to join the group aren’t very high (contribute a package, pick up an unmaintained one, etc). Any of those 2,034 people can push malware to Fedora, and within a week, it’d be in stable repos.

Most of these distros are volunteer efforts. They don’t have the manpower to ensure the software supply chain remains secure.

[–] taladar@sh.itjust.works 24 points 6 months ago

Any of those 2,034 people can push malware to Fedora

Maybe, but that is still a significantly higher bar than allowing everyone to publish a package the way most language specific package repositories work (or just use any random github repo even like some others).

[–] we_avoid_temptation@lemmy.zip 39 points 6 months ago* (last edited 6 months ago) (1 children)

Why would they do this?

Also, if you wanted to do this yourself, it is technically possible. Go build LFS and read every single LOC.

[–] Successful_Try543@feddit.de 55 points 6 months ago* (last edited 6 months ago) (1 children)

The kernel alone has more than 30,000,000 LOC. Alone reading would take forever and a day for a single person, let alone understand it.

[–] biribiri11@lemmy.ml 47 points 6 months ago* (last edited 6 months ago) (2 children)

That’s barely the tip of the iceberg, too. Currently, popular projects sit at:

31M for KDE

25M for GNOME

41M for Chromium

42M for Mozilla Firefox

17M for LLVM

15M for GCC

(Note that this metric includes comments and blank lines, to which Linux would count at 46M lines. Counts with blank lines and comments removed are also in those links)

Even if a package was completely vetted, line-by-line, before it made it into a repo, would the maintainer need to get every update, too? Every PR? Imagine the maintenance burden. This code QA and maintainer burden discussion was the crux of one of the most popular discussions on the Fedora devel list.

[–] lily33@lemm.ee 25 points 6 months ago (2 children)

Finally, presumably if anyone added some malicious code in a their program, it would be sneaky and not obvious from quickly reading the code.

[–] Norgur@kbin.social 37 points 6 months ago (2 children)

I'd expect them to properly comment it with "#-------Begin malicious shit--------".
COMMENT YOUR CODE, PEOPLE!

[–] atzanteol@sh.itjust.works 20 points 6 months ago

The exploit should be written in a way that it is obvious and doesn't need commenting!

[–] lily33@lemm.ee 14 points 6 months ago* (last edited 6 months ago) (1 children)

Oh, in that case we don't need to read either - just run a simple grep!

[–] Norgur@kbin.social 10 points 6 months ago (1 children)

Those malicious coders are too sly for that. Some write "Sh1t" to throw grep off, others even do a "B3g1n"... They are always one step ahead!

[–] lily33@lemm.ee 4 points 6 months ago

Good point. I'd try to grep for something like [Bb3][Ee3]g[Ii1][nη]\w+<and so on> but I just know I'll miss something

[–] banazir@lemmy.ml 12 points 6 months ago (1 children)

Well yeah, the recent xz vulnerability was not present in the source code at all. Any amount of code reading would not have caught that one.

[–] Successful_Try543@feddit.de 3 points 6 months ago* (last edited 6 months ago) (1 children)

Wasn't the problem that ~~it~~ the backdoor was not present in the source code on GitHub, but was in the source tarball? So as long as one reads the code that one actually builds from should be fine.

[–] SuperIce@lemmy.world 6 points 6 months ago (1 children)

A line of code that enables the backdoor was out present in the tarball. The actual code was obfuscated within an archive used for the unit testing.

[–] Successful_Try543@feddit.de 4 points 6 months ago

OK. So simply reading what was readable wouldn't have helped. Thanks.

[–] bitfucker@programming.dev 9 points 6 months ago (2 children)

It is bonkers that a fucking Web Browser has more LOC than a Desktop Environment

[–] leopold@lemmy.kde.social 12 points 6 months ago* (last edited 6 months ago)

It's even more bonkers than it sounds. If you look at the code locations for that KDE count, you'll see it also includes just about every KDE project. That's not just Plasma, that's hundreds of projects, including some really big ones like Krita, Kdenlive, Calligra, LabPlot, Kontact, Digikam and Plasma Mobile. Hell, it even includes KHTML/KJS, KDE's defunct web engine as well as the ancestor of WebKit and Blink. It even includes AngelFish and Falkon, KDE's current web browser frontends.

Same deal with GNOME. It includes just about everything on GNOME's GitLab, even things that are merely hosted there without strictly being GNOME projects, like GIMP and GTK.

And yet still they are both that far behind Chromium and Firefox. Modern web browsers are ludicrous.

load more comments (1 replies)
[–] solrize@lemmy.world 25 points 6 months ago (1 children)

OpenBSD probably comes closest.

[–] refalo@programming.dev 2 points 6 months ago* (last edited 6 months ago)

I would argue NetBSD or plan9 is much smaller and easier to read, but of course this comes with potentially decreased usability.

[–] nyan@sh.itjust.works 23 points 6 months ago (2 children)

Dude. I actually have sources for most of my installed packages lying around, because Gentoo. Do you know how much space that source code takes up?

Just under 70GB. And pretty much everything but maybe the 10GB of direct git pulls is compressed, one way or another.

That means that even if your distro is big and has 100 people on development, they would each have to read 1GB or more of decompressed source just to cover the subset of packages installed on my system.

How fast do you read?

[–] brunofin@lemm.ee 8 points 6 months ago (1 children)

Lol read and understand it.

load more comments (1 replies)
[–] Kangie@lemmy.srcfiles.zip 2 points 6 months ago

I'm looking at bringing Dillo back into Gentoo atm. I had to read 15k lines of code, and that's just what's different since the last release....

[–] Deckweiss@lemmy.world 18 points 6 months ago* (last edited 6 months ago) (2 children)

Man, I forgot what it was called, but once I was on the website of some batshit paranoid linux / bsd distro, which had a list of argument for why they removed certain packages.

It definitely seemed like the maintainers were reading the source, but some of the arguments were also really out there.

Hope somebody can remind me of what it was called.


Edit:

found it

https://wiki.hyperbola.info/doku.php?id=en:philosophy:incompatible_packages

[–] limelight79@lemm.ee 7 points 6 months ago (1 children)

That is, ummm, interesting. Can their installed system do anything, though? There are so many restrictions, it seems like it would be a difficult installation to daily drive.

And some of the justifications are really confusing. I realize some are probably typographical errors, but I can't figure out what a few of them are saying at all. It reminds me of the people that invent their own lexicon and just expect everyone to understand what they are saying.

[–] Deckweiss@lemmy.world 6 points 6 months ago (1 children)

Package has different security-issues and is not oriented on the way of technical emancipation as Hyperbola is trying to adapt lightweight implementations.

It sounds like something chatGPT would hallucinate.

[–] natsume_shokogami@lemmy.world 2 points 6 months ago

I think even ChatGPT would eb called non-free for them though

[–] refalo@programming.dev 5 points 6 months ago (1 children)

if you think that's insane, you should see LibreJS.

[–] leopold@lemmy.kde.social 4 points 6 months ago* (last edited 6 months ago)

Well, it is basically LibreJS logic applied to an entire distro, like your typical FSF-approved distro. It's a distro by free software extremists for free software extremists and no one else. It's is completely impractical for actual use. But really it's worse than the average FSF-approved distro. It takes things several steps further by removing many things that are 100% free software, but just subjectively disliked by the maintainers, including even the Linux-libre kernel, as the project is in the process of moving to an OpenBSD base. The OpenBSD people naturally want nothing to do with them, so I'm looking forward to seeing that play out.

[–] Drito@sh.itjust.works 17 points 6 months ago

This is unrealistic. Read everything represents too much work.

[–] markstos@lemmy.world 14 points 6 months ago

These days you are likely running some code nobody read closely.

The author trusted AI and didn’t fully understand it.

The maintainer trusted the author and merged because the change sounded good and the tests passed and they are grateful anyone contributed at all.

The packager trusted the maintainer. The security team trusted the packager. The user trusted the distro.

[–] GolfNovemberUniform@lemmy.ml 13 points 6 months ago* (last edited 6 months ago) (1 children)

TempleOS doesn't have a repo I think so its dev writes and reads 100% of the code. I also heard of a tty-only Linux distro project that didn't have a repo but I'm not sure

[–] tkk13909@sopuli.xyz 7 points 6 months ago

Boy do I have news for you...

[–] rotopenguin@infosec.pub 13 points 6 months ago (1 children)

Tim Cook reads every single LOC submitted to his OS.

load more comments (1 replies)
[–] kixik@lemmy.ml 12 points 6 months ago (2 children)

Probably Guix, and GNU endorsed distributions. Binary blobs are not allowed on free/libre distributions, or not on their official repos. That said, most gnu + linux distributions don't care about those. Most will take care, if they get to realize it, about distribution licenses, so if something has some sort of legal issue to be distributed, that will get purged from its repos most probably...

[–] Shareni@programming.dev 3 points 6 months ago

Aaah, so that's why it takes them so long to update packages.

I'll bet you anything they're not reading the code for every random package and dependency. But yeah, with free distros it's at least possible to read everything that's on your machine.

[–] Auli@lemmy.ca 1 points 6 months ago (1 children)

I’d bet you they don’t. It would be an impossible task to expect people to do.

load more comments (1 replies)
[–] PseudoSpock@lemmy.dbzer0.com 8 points 6 months ago (4 children)

Explain your username, please. I have a hard time with someone using that handle making posts in here.

load more comments (4 replies)
[–] bloodfart@lemmy.ml 5 points 6 months ago
[–] possiblylinux127@lemmy.zip 1 points 6 months ago

I wonder if you could use AI for this

load more comments
view more: next ›