Thank you for helping me realize and share the importance of the open source maintainer experience. Incredibly thankful for your post. Hopeful that my frustrations are at least a bit cathartic 😅 My heart goes out to Lasse. I hope this is the start of some real change.

@@t3dotgg If the low level dudes need so much time to dissect this then this has been quite expensive to make so someone paid good money for this exploit. Like that hacker tv series lol.

More of the companies that build (collectively) trillions in value off of those OSS repos need to fork up and pay maintainers

I think "Get forked!" should become the standard response to any individual being rude and aggressive toward an OSS maintainer...

@@ChuckNorris-lf6vo "so someone paid good money for this exploit"... Yeah, maybe. "Whether it be the intrusion of hackers, a major explosion at the World Trade Center, or a bombing attack by Bin Laden, all of these greatly exceed the frequency of bandwidth understood by the American military. The American military is naturally inadequately prepared to deal with this type of enemy psychologically, in terms or measure, and especially as regard military thinking and the methods of operation derived from this." - Qiao Liang, Unrestricted Warfare p.344 - 45 | Published in 1999

i honestly feel like its such a disservice to him, having Microsoft's name called out everytime anyone speaks of him. I really don't feel his discovery had anything to do with the work he does for MS, but simply because he got curious about the high CPU usage. MS should get absolutely no credit for this. Just credit for banning 1 repo and 2 github accounts, one of which is being heavily debated by the community.

@@ark_knight Wait, why not? If they are paying his bills by the end of the day then they are actually doing good to the FOSS world. Just imagine that guy to have a less well paid job, so he would have to do more jobs and not have enough time to investigate on such issues.

@@DuRoehre90210 That's your head canon. Any other company would be paying this man if not MS. He clearly knows his stuff and what he is doing. There is absolutely no reason MS gets credit here. Perhaps you like letting faceless corpos take credit for your work.

​@@ark_knightbecause "the competition accidentally fixed it" gets clicks

@@jceggbert5 tbf, only a very few are using that as clickbait and are genuinely referring to the sage who discovered this as guy from MS. I understand nobody (or most) actually mean nothing by it, but MS is getting credit either ways as more people say it. Edit - it sounds like I am more opposed to this because its MS, perhaps that is my bias. But our "Friend" (haha, get it?) should get more credit.

this attack is absolutely insane (it's these btw)

@@bible1944 difficult to say, since it could be sockpuppets, but it seems too sophisticated to just be the work of a single person

To think that this is the only package the threat actors had infiltrated is...naive

@@raul0ca with a certain level of paranoia, you can't run anything but silicon your company made inside your own factories in your own country

@@blarghblargh Only with people you have known since birth

Very fair point, my mistake on that. I planned on going more into him when I recorded the intro and then got distracted by the social engineering stuff 🙃

@@t3dotgg the insights into the social engineering stuff is really valuable, and it definitely makes me think more about my online interactions.

that was nsa/M$ job

I have a feeling Andres Freund will get the credit he deserves in the long term, a la Marcus Hutchins. However, I agree he's been a footnote in most coverage and there's been no shortage of people poking fun, calling him a nerd, etc. on social media.

@@pdoherty926 Andres surname is very fitting for this attack, but it might be unfair to name it after him... Jia Tan was pretending to be a "Fruend" to the project

I fear this already happened. Someone _needs_ to investigate the core open source projects everyone depends upon

Even from Jia alone. They have been a maintainer for 2 years, what if this is not their first exploit.. I use they because Jia could be a team of bad actors behind the acc

In the end, the git history is clear. The only way this happened this time is because the maintainer snuck it into the build system and no one caught it, but before had hidden this data into test files. It is not impossible for those test files to have been decompressed and caught. Which makes OSS a good thing for this. When was the last time you decompressed your coworker's binary test files to check for backdoors? People are much more paranoid in open source, and that's why this was eventually found.

@@mstech-gamingandmore1827 why trust that someone

Lol, this isn't even close to the biggest know... biggest this month maybe

My assumption upon learning how carefully the attack was carried out and how long the person maintained focus on it, was that it was the work of a nation state. So, I would be surprised if it wasn't.

@@Omnifarious0 depends how much time the bad actor spent.. many maintainers work full-time as well, so it could be someone just looking for stuff to sell on the dark web or something.

@@sub-harmonik u can make waaay more money and waaay faster than build a biinary backdoor in commits for months and become a maintaner after 2+ years he could have done literely anything and he will make waaaay more money this is not financially motivated no way

read a blog yesterday about this, they broke down the name dude used and according to the person breaking the name down its a fake name to appear as a Chinese person (something about the first/last isn't a name you would see due to some Cantonese vs mandarin naming. If that is the case my bet is the state actor being NSA/CIA maybe MI5 or Mossad.

@@GreatTaiwan if you have a backdoor to every linux box running ssh? idk about that one

He said he didn't notice it because the 500ms, he noticed it because of high CPU usage

Consider that it was noticed as soon as it was published and (responsible) server admins never ran this version.

wow is postgres owned by microsoft too?

Sounds like you missed the point

@@sub-harmonik no, but it is used by a lot of major companies

It is also a possibility that the maintainer created a fictional attacker so that if the exploit should ever get discovered....

@@aperson4051 in theory, it could be possible, but due to human nature it is _extremely_ unlikely. people don’t suddenly flip from being generous kind people into manipulative psychopaths like that, so they would’ve had to have built the project from the beginning for that purpose in that case. it’s way easier and cheaper to exploit an existing project with a maintainer that’s already tired than building something from the ground up just to tear it all down i guess a possibility would be that they were approached by someone and offered money for doing this, but even then it would probably be easier for the malicious actor to do the pretending themselves instead of relying on the acting skills of a random developer

@@asdfghyter Plus, theres plenty incentive to NOT do so. Why would someone like this willingly torch their own reputation and future employability to have some sort of state-sponsored attack after spending years (more than a decade?) contributing to open source, AND THEN go around and do as much as they can to undo this attack after discovery? Sure, its POSSIBLE, but highly unlikely compared to the higher likelihood of some poor dude getting socially exploited.

​@@DeadLikeYouWe don't know much though so all scenarios are plausible. Either way, any reasonable person would avoid working with that guy in the future wether he did it on purpose or not.

that maintainer needs a big check, he needs financial support. Stop being so cheap and actually help the guy, he doesn't need your "hug".

I wouldn't stress about it too much. Security experts expect open source software to be riddled with security holes. That's why there are firewalls, intrusion detection systems and other such things.

If Lasse is innocent, and I think he really is, his account will be reinstated. This is just standard procedures as investigation is done. But at the end of the investigation, I expect big companies to assign reliable maintainers to these core packages asap. And while at it, fund those projects. Because if bug bounty is a thing, then maintainers should be rewarded when niche packages are used.

@@ark_knight Will it? You work at Github in their security division? You have some insight we don't have? You must have more, please share your wisdom. If he's innocent, Lasse's account SHOULD be reinstated. You have no fucking idea if his account will or won't be reinstated. That's up to Github.

@@jeffwells641 Yea, if Github (and MS) wants PR nightmare, sure. Unfortunately, they are not in vacuum themselves.

Linux and Mac users sweating.

I took the comment to just mean it was found by some guy not even doing work directly related to xz or sshd. He just randomly stumbled upon this from some other thing he was working on.

Stop clutching your pearls. It's Microsoft.

"derogatory" lmao

Many also call it a Linux backdoor even though it's in xz. Poor Linux getting a bad name for something he didn't do.

@@satunnainenkatselija4478 I think that's because it was targeting Linux, there were conditions to only work there (I think)

I agree. Though there are shitty forkers out there too. libav and enough influence at debian to supplant ffmpeg, even though it was only a literal copy at that point.

The "good devs" know this, undoubtedly the attacker too - this wasn't a good guy though. The attacker didn't want to fork it, they wanted to control the original as it was a trusted fundamental pillar to SSH and if it was compromised would lead to [consequences]. If they forked it they would have to make it better and trusted, waiting years for community support and integration where they would have to keep the fork better than the original. The original already was all of those things and compromising the original was therefore significantly the quickest and easiest way to achieve this.

As someone who would probably feel the same way if someone commented that on my project, that was barely rude at worst. The way we should see that type of message is not "Why aren't you keeping up with comments? Do you care that people are trying to use this?" it's "Yo, what's this? Looks useful. I need to know X though." (a week passes) "Hmm, nobody responded yet. Maybe it's dead?" (moves on with his day) In this case the attacker may have been intentionally been trying to make the author feel guilty. The later comments were clearly rude, and we should try to avoid accidentally hurting people's feelings when we can remember, but most of the time when people say something like this they're just wondering what's going on and they ask. It's not passive aggressive. There's no greater meaning behind it at all. Using this to justify bans is overkill by a lot.

yeah. they attack all the men that built America

It's honestly infrastructure, like roads and bridges. Not even that, a lot of open source software is the underpinnings and girders of structures we all use every day. We don't get roads and bridges for free, we pay for those with taxes. The government should be paying software engineers to audit, maintain and write commodity open source software. There's a reason one of the major Linux conferences is called "Linux Plumbers" - it deals with all the "plumbing" that exists beneath the porcelain.

IBM did this at one time and I think Microsoft has started to do it?? Google also did this at one time but no longer AFAIK.

Hopefully you are right - and this is a temporary condiition.

I would imagine it's because they suspended the xz repo and it's standard practice to suspend maintainers of such projects

What if Lasse has two personalities. He himself doing all of this? Unlikely.

@@carnivorebear6582 Yeah, probably just a knee-jerk reaction. If GitHub (MS) had actual people looking into this they could backtrack Lasse's access and check for anything suspicious. But, it's all bots now, and the pod bay doors won't open.

Linux and Mac users sweating.

Yes and no. In a very small company, sure. For the same reason. For any large enough organization, it's very hard, unless there's a whole team of attackers inside, which is always possible but just a bit less likely.

@@joseoncrack No, I worked for a European government and your could literally go to a parking garage without cameras and use the exposed wires to pug into the unencrypted government network and read all the stuff. The government knew this and mandated full encryption but they were unable to get the project started for years. Also we had news that big corporations didn't fix several security bugs they had several times.

@@joseoncrack I suspect you could play the same tricks in a large company - the only difference would be the background checks for hiring may act as a bar, but with contractors and outsourcing this may be bypassed for anthing that is not high security.

@@joseoncrack It doesn't matter how hard a company vets new hires, as long as they're a malicious state sponsored actor, then they will introduce it and no large company is going to code review well enough to find everything.

@@joseoncrack I worked for a multinational engineering company where it would have been possible, in the not too distant past, to inject malicious firmware into all their products simply by having access to their factory because all of the machines on the factory floor had full admin access. They also had no source control and all the production code was on those machines. You would only need to be hired as a temp with no qualifications to f-up a very large part of their global business. Lots of large organisations have horrifically lax security policies, you have no idea what horror stories lurk out there.

No one is saying that these projects should be proprietary and closed-source, but people _are_ saying that the OSS community sucks and needs to get better, and that is a completely valid criticism of the OSS community. OSS is good, and it has its strengths, but that also doesn't mean it's completely impenetrable and doesn't have its flaws, and having people say that we shouldn't criticize OSS when things like this happen because "OSS makes software better" is just plain wrong, and removes the ability for anyone to improve the situation or the community. I do agree that sometimes the criticisms can get stupid, but this is completely valid.

@ShibDivingSuit High entropy, obviously. Thermodynamics 201. People want drama and chaos.

@@timecubed this is absurd. They are making the dance for Microsoft that is trying to apply EEE. The same history. We, the people on this from the start, saw this kind of game over and over.

Yeah, came here to say this. I keep hearing that "this attack exploited an inherent weakness of Open Source Software" - what weakness is that? I'm sorry, I'm not a software engineer myself, but what is this weakness? In my mind there is nothing that would have made this type of attack impossible with closed source, maybe it would have been a bit more difficult to pull off, but it would also be dramatically more difficult to detect and remediate. I do not accept explanations that "it was the community that failed" - this type of software development should be governed by processes, so clearly there is either a gap in a process or human error was made. You can't point a root cause to collective responsibility. The whole narration around this feels like a weird psy op. I'm waiting for Apple to bring this up as the reason why people shouldn't be allowed to replace their batteries.

@@yurithebrave Random unidentified people get in positions to commit code to important software. But but that could happen in proprietary case.. They would be formally identified and would be arrested. This isn't some conspiracy against open source, perhaps you're a bit too emotionally involved with the concept open source..

I didn’t even know he passed 😢

TIL Kevin Mitnick's dead. Pancreatic cancer, leaving a pregnant widow. Mitnick is not my favorite person, but that is sad.

now he is free. RIP

and ?

And to be clear those rude comments would have been an insta-ban on a project that I was managing. I don't have time for a-holes.

​@@noobertime Absolutely agree. If you can't make criticism constructively, then you're not making criticism at all.

​@@noobertime I think that could prove to be difficult since rudeness can be subjective to culture and fluency of a language. With OSS often crossing international lines all the time, it could be easy to misinterpret something as rudeness where none was intended. I still think we should make an effort in this area, but it may prove to be difficult to enforce and end up shutting out legitimately useful and productive contributors because they didn't understand the nuance of what they were communicating.

I used to be an absolute jerk and I still contributed some valuable code to the projects I volunteered for. Open source was one of the few ways for me to be part of something and find community, and I'm glad that wasn't taken away from me due to my mental health issues and my occasional bad behavior. Just throwing that out there.

@@seeibe Was there something that made you realize you needed to improve? I'm asking because that might be helpful in the future.

This need more upvotes if correct.

@@Fractal227 You can see they even made a lot of commits to XZ and obviously removed Jia Tan from wherever it was possible

Or you're being duped by him?

That can't really be done, sorry. This is a human problem and the attack was (likely state sponsored) espionage.

We can't even get folks to not click risky links in spam. The industry is adversarial by nature ie as counter measures for attacks are deployed new attacks are developed. Consider how this social attack took place, there was some public discourse, however much of the trust building probably occurred through private channels. For any security measure that would mean having to monitor those private conversations. I have some thoughts on addressing at risk dependencies in the supply chain... However I suspect much would be manual review

@@goraxe01 exactly, and this is something that open source makes possible, though still by no means easy. Just like the xkcd we have corporations worth billions running on technology they often make zero effort to help maintain. Some pressure in the name of security is appropriate. If this was an internal product we'd be hearing of what losses were incurred, not how it was found and prevented from causing issues.

To some extent, the actual blame here is the distribution maintainers that aren't verifying the developer, and doing the reviews that you would do for a new maintainer on seeing a hand-off.

@@SimonBuchanNz No, not really. This was espionage by a contributor who was under cover for two years. There's no way for package maintainers to verify in cases like this. What would have helped? The dev getting support from downstream projects rather than being forced to run it by himself.

Clean build rooms are going out of fashion. If you want some nightmare fuel look up Ken Thompson compiler hack

could u explain more

@@GreatTaiwan basically we had pure java/kotlin stack, and mostly used open source projects, he was CI/CD nerd, he built a system that literally checks out the projects of jars we depended on, builds them from source, stores the artifacts in our repo and compares checksums with maven repos... only then our services can use that to build themselves... and any time his build process would break he would carefully observe wtf changed that suddenly it does not work. It had 0 impact on actuall speed of our builds cos once he built those jars those are cached in repo... but we knew we built them so no man in the middle swapping arts would do anything to us. XZ was exactly that... hacker does not show obvious signes of the hack in the code but outside (in build process).

​@@GreatTaiwanI guess he means compile, checksum, and fuzz test everything yourself. Compile all ports for yourself and virus scan the compilations. I spent sunday and monday checking compilations. I have about 9 computers and 2 of them were dedicated to kali. I just finished testing [ haveged ]. I don't trust anything right now. I'm one of the few that has 1 epyc-64 256GB-RAM and 1 epyc 1TiB-RAM. I'm trying to reduce the kernel footprint. I'm shifting stuff to freebsd for a while. I'm scraping my mailing list. This event is going to have me backtracking for about a month, just setting up compilation tools and chains to check for this new move. But its a great find for the community. But now the new black hatters and script kiddies are going to try this "long game" now. In my effort to fight this cve, I was surprised to find other areas and affected projects. Give the maintainer of xz a prayer. He might be getting blasted with messages from all types of security companies. This plus the rumors in the security community about russia causing concerns in the tech world, its all looks like a huge coerced play from a certain war. I guess ww3 begins in the tech. Ha...I'm laughing but I'm kind of serious.

It would probably not help here since you would probably use the same compromised xz build files/system in your CI/CD

People do all sorts of stuff just for giggles. Take Linus Torvalds. He had no reason to think that anyone else would be interested in a kernel, yet he spent his spare time in university to write Linux. I'm pretty sure he never expected it to be of any use to anyone.

@@passantNL True, but this is a very specific attack vector, and seems like it would have cost a lot in terms of time and money to actually get to this point.

Well, a backdoor like that is incredibly valuable, the money you can make off it alone seems enough of a good reason to justify the effort.

@@v0ldy54 follow the money, as they say

If it's barely a skeleton and unfinished put a note about it in the readme so people stop pestering you imo. The way I solved this was to setup a proper CI-pipeline with Github Actions, so it's easy for others to write PRs with tests. If someone asks for a feature or fix, I'll tell them to provide a PR and I'll merge+release it. So far people haven't provided anything because it wasn't important enough for them after all. If it's not important for them, it definitely isn't important enough for me.

@@EsperSpirit it already has one, put there 8 months ago

@@Imperial_Squid yup, most people don't even bother to read the README before they come whinging...

I'm not sure you are correct. I'm a huge fan of open source, but here the social exploit depended on open access to just one maintainer. How can you justify the claim that other development environments have a smaller number? In a closed source environment the number of people with this kind of access is smaller than in FOSS. That brings huge benefits, but we must wise up to the fact that it brings along with it the increased risk as well So the attack surface for social engineering is larger for an open source community than for a corporate environment with corporate safeguards. However: the other side of the coin is the RMS thing about not having blobs in the code. That is an essential safeguard for open source that somewhat mitigates the fact that the doors are wider open for attack. All the more important to resist closes blobs where we do not have source access. And that is the strength of a fully FOSS system. So both attack and counter attack seem to have larger scope in open source: and this exploit demonstrates both. In my analysis it is a judgment call as to which dominates: the security benefits of more eyes looming as against the disadvantage of debts being more accessible and less supported than they would be in a closed corporate environment. Don't let the meme about "open is good because it's easier to spot attacks" blind you to the things we need to learn about the corresponding increased vulnerability to social engineering. And that's why this particular aspect of this CVE is being focused on in this video: and kudos for this channel creator for pointing this out.

@@trueriver1950 not sure if I buy that OS automatically is more vulnerable to SE the US gov can march into any of the US-based tech companies, say "put this code into yours", and "if you talk about this, there will be severe legal consequences". that's not even SE, that's just leverage. as for other govs, how many employees with family in india or china do you think works at any of those companies? probably not few, right?

​@@trueriver1950 We will never know whether I am right or wrong about closed-source, because it is, um, closed. ;) Also, I am not saying closed-source has fewer maintainers; I'm saying that closed-source has fewer people who can see the code.

@@dotanuki3371 You bring up and even stronger point than the one I made: closed-source is defenseless against government manipulation. If government tried the same thing with closed source (and, btw, this is likely what happened in this case), someone in a different country can see the exploit and remove it (also, btw, probably what happened in this case). No doubt EVERY major closed-source implementation has government-manipulated code.

@@freeideas Closed source may have fewer people who _can_ see the code, but, in general, they have more people actively looking because that's what they're paid to do.

people like you who treat open source and closed source like a crusade are so embarrassing. You dont care about security you care about your "team". If you're gonna be like this at least do it for something trivial, instead acting like a bot posting essentially the same comment multiple times

I'm sure you are right.

@@Vin50000there's a lot of places where this whole XZ thing is portraited as a "problem with open source", so the distinction between "teams" is very tangible in the whole conversation. To a big extent it is, because "hobby and unpaid" ne "work and paid". It's worth remembering that this can happen in the closed source world too, where finding out the reasons why there are delays and weird CPU usage is practically impossible.

@@polettix but it IS a problem with open source. Bringing up closed source is just whataboutism, it's just a distraction from the actual issue. Nobody worth paying attention to is suggesting "this wouldn't have happened with closed source", they're just saying that the issues brought to light by this hack need to be addressed.

​​​​​@@caerphotoas OP said, I am pretty sure there are even bigger exploits in closed course software. Do you think that some hacker couldnt get hired into some company and do the same stuff? I think it is even much easier to do, some companies completely trust to their employees and try to release features as soon as possible without thorough testing. closed source does not have so many eyes, sometimes it needs only for 1 guy (team lead or whoever checks the code) to miss something during the code review

As I understand it, it's even more sneaky than that: the code which runs during the build process and injects the backdoor into the compiled binary isn't even in the Git repo. The code uses GNU Autoconf and GNU Automate to build, but - and this is pretty common for projects that use the Autotools - the repo does not contain the ./configure script. The repo only contains the configure.in sources, and the ./configure script is auto-generated with Autoconf when the release tarball is built. Except in this case, the ./configure script in the release tarball contains a little bit extra code. This is a fairly typical setup. You don't want to have generated files in the repo, so you keep ./configure out of it. But, Autotools can be finicky to set up and have a lot of dependencies, so you don't want to impose this on your users either. So, you build ./configure using Autotools and include it in the release tarball. Many projects do this. Now, how often do you check that the ./configure script in the release tarball is byte-identical to what you would get if you ran Autotools on the source code in the repository? I'll put my hand up and say that I have *never* done that.

@@JorgWMittag Oh yikes. Maybe we should swap to something that we ARE comfortable with 'imposing on our users'... Seems like a serious failure of the tools and programming language if no one actually wants to read or build it. (I say we as if I have any stake in the matter; I already fled as far away from C/C++ as possible!)

shocked!

I'd prefer a world where we don't need to struggle for survival and actually have the time and energy to do this sort of thing as a hobby. But I'd settle for the non-profit in the meantime.

OpenSSL is maintained by OpenBSD

The German govt does that recently for a few projects

Funny: this is how most EU countries deal with social security. Tax paid by citizens is applied to funding healthcare or other initiatives which serve the public interest. In the ultra liberal US however, this sort of thing is considered ‘evil’ or ‘communist’. The results are plain: social inequality, physical and mental health issues and indeed situations like this one…

The Linux Foundation already does this, BUT they hadn't noticed how important this project had become.

Then spends 20 mins talking about being respectful

Actually, watching the rest of the video hours later, I see that you are right! I didn't know about that chaos until now.

lol

is that what you do when someone collapses your society?

I think what this video is about is more on the human side of the execution, not just "it had social engineering involved", but about the harass and toxic relations.

@@pedro4205 Yes! I am not invalidating this video, I actually quite liked it. Just was answering the "I don't see enough attention" which I just came out to say another creator that did address (to a lesser extent) the topic of this video.

And crazier? Just because some ssh logins took a bit longer and were more CPU bound… pure coincidence and luck that this was found. Also: that the engineer who found this directly went to the OSS community and shared his concerns instead of keeping it to himself or even just ignoring it…

There was a bug filed against systemd recently which raised concerns about the large number of dependencies it links against. Developers are actively working on fixing that. This would make the exploit useless. It is thought that this work accelerated the attacker's timeline, prompting them to make mistakes. Remember, there is a pretty brittle chain of dependencies this attack relies on. The exploit code is in liblzma. systemd links against liblzma. OpenSSH upstream actually does *not* link against systemd, precisely because the developers want to keep the dependencies small(ish). The patch which links systemd to OpenSSH was developed by Linux distributors because of some bug reports that were filed with OpenSSH sometimes failing to be properly restarted by SystemD. For OpenSSH to send status messages to systemd, the easiest way is to link against systemd and use their helper functions. If any of these domino bricks gets removed, the exploit doesn't work. If OpenSSH does no longer link against systemd because the helper functions get broken out into a separate library, the chain is broken. If systemd no longer links against liblzma because that part gets broken out, the chain is broken. If the OpenSSH patch is removed because either upstream OpenSSH or SystemD gets more clever about service management, the chain is broken. Essentially, if they didn't get the exploit code into this LTS release of Ubuntu, they wouldn't get another chance.

I've been using Linux (and BSDs) exclusively for almost a decade and a half, have spent about as long in communities focused around FOSS, and have contributed a bit to some projects. The claim (which I would personally make) that open source is the best is usually that it's the best model (at least for the end user), not that the software itself is necessarily the best option in terms of functionality. Claims of superior security usually just revolve around the fact that code is open to audit, this incentivizes sound design in the first place since security through obscurity (i.e. making a poor design and hoping nobody ever actually figures out how it works) is even less viable in FOSS. I know this still requires people to actually perform the audits, and FOSS is still just as susceptible to security issues introduced through programmer error. Personally, I'd focus more on the privacy aspect of security, which is a pretty clear win for FOSS, given how it's much more difficult to implement forced telemetry in a FOSS project. Agree that there are entitled users who don't contribute back. I think some of it is an empathy issue, kinda like how working at a retail job, some of the worst customers to deal with are those who have clearly never worked retail.

MacOS: Less exploits than Windows and Linux combined, fully closed source. Linux only has less than Windows because no one wants to waste time hacking

@@BlueEyedVibeChecker I hear this "nobody would waste time" argument all the time, and its bunk. You have way more linux devices in your home than anything else. That smart fridge thats a vector into your home network? What about your router? And then servers too - which, you know, actually hold data worth hacking. I mean its not even close - for every piece of critical infrastructure running Windows there 10 running a linux operating system.

It's actually Israel but close enough

Making attempts at this are certainly cheap, you can offer to help with a lot of projects given a few disposable identities, if you get taken up on too many "burning out" or unexpected family/ work commitments are easy outs. But actually doing this is fairly expensive ( you can't have that many people spending 2 or 3 years building trust doing maintenance drudgery especially with the limitations on needed skill sets ).

Ehh, it was just a slightly more educated version of good cop bad cop

@@FadkinsDiet From a certain point of view yea, but definitely smells like some sort of psycho manipulation