Luke Kenneth Casson Leighton
lkcl at lkcl.net
Tue Jun 16 14:13:43 BST 2020
On Tue, Jun 16, 2020 at 1:33 PM Staf Verhaegen <staf at fibraservi.eu> wrote:
> What security implication are you considering for a fully open source project ?
one of NLNet's grant recipients was hacked via their (unfunded)
infrastructure being used to develop the (funded) code.
the hackers gained control of the git repositories and inserted
malicious code directly into the git repositories, as code commits,
pretending to be from one of the developers.
this was then downloaded by thousands of unsuspecting users interested
in privacy-respecting applications and trusting that the project -
funded by NLNet - would provide it.
NLNet-funded projects, by nature of them being directed towards
privacy, are *automatic* high-value hacking targets.
> You could not use the release feature of gitlab for example.
who is going to stop working on everything that they are doing and
focus solely and exclusively on the evaluation for fitness of purpose,
and perform the full security audit of the (massive) github codebase,
and work out its required configuration?
this has been discussed many times. every time everyone says "why
don't you just use gitlab, it's so simple and has everything you
need", unfortunately not being aware of the time and resource
implications both from the initial install, migration, training,
resource utilisation and maintenance. we simply do not have time or
resources to cover all of that.
the unix philosophy serves us extremely well: each tool shall do one
thing and do it well.
gitlab fundamentally violates that.
this is a perspective that can only really be fully appreciated when
you have tried to do simple web development tasks that pull in 250
megabytes of dependencies.
> > > It seems you guys are trying to reinvent the wheel. gitlab for examplehas issue boards, supports check lists in issues etc.
> > yes it does. the hassle associated with it unfortunately has alreadyeliminated it from consideration.
> Isn't it time to reevaluate if people are planning to implement kanban boards and other things on top of the bugzilla REST API?
there is existing kanban board code. we do not have to write one at all
however Cole feels inclined to write something and i am not going to
say "no you can't do that".
> Developing, maintaining, auditing that code will also have cost implications.
my brother dan has a business need which happens to match precisely
with what we also need.
therefore we are not paying for it.
in addition it is a *focussed* and incremental enhancement, where we
get the opportunity to input and decide what *we* want.
not what gitlab says we need.
More information about the libre-riscv-dev