• A1kmm@lemmy.amxl.com
    link
    fedilink
    English
    arrow-up
    66
    arrow-down
    18
    ·
    7 months ago

    I wonder if this is social engineering along the same vein as the xz takeover? I see a few structural similarities:

    • A lot of pressure being put on a maintainer for reasons that are not particularly obvious what they are all about to an external observer.
    • Anonymous source other than calling themselves KA - so that it can’t be linked to them as a past contributor / it is not possible to find people who actually know the instigator. In the xz case, a whole lot of anonymous personas showed up to put the maintainer under pressure.
    • A major plank of this seems to be attacking a maintainer for “Avoiding giving away authority”. In the xz attack, the attacker sought to get more access and created astroturfed pressure to achieve that ends.
    • It is on a specially allocated domain with full WHOIS privacy, hosted on GitHub on an org with hidden project owners.

    My advice to those attacked here is to keep up the good work on Nix and NixOS, and don’t give in to what could be social engineering trying to manipulate you into acting against the community’s interests.

    • wewbull@feddit.uk
      link
      fedilink
      English
      arrow-up
      24
      arrow-down
      6
      ·
      7 months ago

      I think you’re right to be suspicious. The XZ attack has showed that there are people and organisations out there that would love to get hold of a piece of trusted critical infrastructure like Nix. They’ll go the long lengths to do it, manipulate people, and exploit the maintainer’s desire to do the right thing.

      And if the person can’t stand by their critism and can only give wooly examples, then best to ignore it.

    • FractalsInfinite@sh.itjust.works
      link
      fedilink
      arrow-up
      21
      arrow-down
      3
      ·
      7 months ago

      Too many people involved I think, someone will have to check this but all those members with names attached look like real developers who were significantly contributing to the project. It is perfectly possible for a dictator for life to have festered a toxic culture that got worse over time, and has happened multiple times before.

      • acockworkorange@mander.xyz
        link
        fedilink
        arrow-up
        12
        arrow-down
        5
        ·
        7 months ago

        How much of those are actual people? I count half a dozen git links in the signatures. Those could belong to a single attacker. Everyone else either has an email or an unlinked handle. Who knows if they are Nix devs?

    • ikidd@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      arrow-down
      8
      ·
      7 months ago

      I agree. This immediately jumped out to me as a social engineering attack when they started spouting off about “more people with commit access” and otherwise being anonymous and most of the signatories not on the contributor list, especially at the start.

    • corbin@awful.systems
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      2
      ·
      7 months ago

      The original signers include members of the infrastructure and moderation teams. You can find about half of them on Mastodon. They’re all well-established community members who hold real responsibility and roles within the NixOS Foundation ecosystem.

      Also note that Eelco isn’t “a maintainer” but the original author and designer, as well as a de facto founder of Determinate Systems. He’s a BDFL. Look at this like the other dethronings of former BDFLs in the D, Python, Perl, Rails, or Scala communities; there’s going to be lots of drama and possibly a fork.

  • eveninghere@beehaw.org
    link
    fedilink
    arrow-up
    22
    arrow-down
    5
    ·
    edit-2
    7 months ago

    So… why don’t they just write that people (or they) want a more progressive NixOS management?

    Would be more to the point.

    Edit: if you doubt, just check all the examples in the letter.

    • wewbull@feddit.uk
      link
      fedilink
      English
      arrow-up
      19
      arrow-down
      4
      ·
      7 months ago

      Honestly, without concrete examples of why this is a problem, I just wish people wouldn’t do this. Open source projects aren’t democracies. They are do-ocracies. People get “positions” by getting off their arse and contributing. Nix OS surviving doesn’t depend on how many users it has. It depends on how many developers it has.

      If critisism is coming from the developer base, fair enough. If it’s coming from the user base then all they are going to do is stop the developers wanting to do what they do, and then the project is dead.

      I know there was the poor choice of sponsor for one of the live events recently, but I suspect this has opened the flood gates for people to pointlessly criticise from any direction.

      • toastal@lemmy.ml
        link
        fedilink
        arrow-up
        4
        arrow-down
        3
        ·
        7 months ago

        People get “positions” by getting off their arse and contributing.

        I have a lot of issues with the letter, but it’s hard to deny that certain demographics get better opportunities to have the free time & will to contribute. Does that mean you force other demographics in or not? I’m still on the fence as it the upsides have some drawbacks, but discussions should be had–especially by those other demographics & folks better educated on the topic than myself.

        I know there was the poor choice of sponsor

        It was a defense contractor I believe. I’m not pro-autonomous drones or anything, but it seems odd to hone in on a single sector. Defense makes obvious tools for killing in the form of weapons, but we wouldn’t have GPS or the internet, etc. without research from the sector either (also see dual-use technology). It’s easy to criticize the military industrial complex, but we have just as many non-military corporations & industries absolutely putting their profits above folks & the environment which is just as destructive–just not as immediate/obvious. If you start kicking out all unethical sponsors, you’re gonna end up with no sponsors under our current capitalist system that doesn’t put any value into or reward being ‘ethical’ or even giving the correct value for labor.

          • toastal@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            7 months ago

            I think it is a bit of column A & a bit of column B in the case of defense as we’ve seen other cases of sections of the Nix community vehemently protest certain folks by employer for some political reason or other. But I was more riffing off the parent comment + developer communites in general than the letter specifically as well see this sort of callouts. For instance adjacently, at first blush I could get down with Hippocratic License but you can see how some of these things a really too muddy to be able to exclude entire industries over. It’s tough to handle the introduction of politics into a community, yet often you almost have to at a certain community scale.

    • x3i@kbin.social
      link
      fedilink
      arrow-up
      8
      arrow-down
      2
      ·
      7 months ago

      My thoughts exactly. Also, these are a lot of words for very little content, feels like an attempt to obscure the actual intention.

  • Sips'@slrpnk.net
    link
    fedilink
    arrow-up
    17
    arrow-down
    4
    ·
    7 months ago

    Could someone share the contents of it? Have newly registered domains blocked by default.

    • eveninghere@beehaw.org
      link
      fedilink
      arrow-up
      33
      arrow-down
      7
      ·
      edit-2
      7 months ago

      Someone has to rewrite this…

      You have to read thousands of words past Executive Summary to see what’s going on, which eventually turns out to be the usual left-right culture war (aargh…) The worst is that this actual theme is hidden in the links and is never directly mentioned in the letter.

      The letter also stops short of taking side between left and right although the links clarify it’s obviously the former.

      It instead accuses the NixOS platform of having “systemic” problems in “leadership,” “structure,” etc. etc. I was like, “just say it, you simply believe in a more progressive NixOS team.”

      They only say “bad behaviors,” then define bad behaviors with abstract terms using one paragraph. That’s shortly after the text uses the metaphor of “missing stairs in a staircase”, without explaining what these missing stairs are about.

      So abstract, without examples for all this depth of abstraction.

      They go on with their “bad behavior”, bad behavior, bad behavior, and finally there are links. If you click on the first (?) of these links, you finally see that this one example was about minority representation in NixOS development. In the rest, you see examples of the usual conservative vs. progressive culture war.

      There are proper ways to do this.

  • meteokr@community.adiquaints.moe
    link
    fedilink
    arrow-up
    14
    arrow-down
    1
    ·
    7 months ago

    Fork it, maintain it, and move on. RHEL was forked into Alma/Rocky when the original provider’s goals, and their community’s goals were not in alignment. So far, the forks have improved the ecosystem over all. Fork Nix/NixOS and build the community. Its no different than the Debian derivatives like Mint or Ubuntu.

  • xinayder@infosec.pub
    link
    fedilink
    arrow-up
    8
    arrow-down
    2
    ·
    7 months ago

    Can someone ELI5 what’s going on? Seems like they are still fighting about Nix allowing a defense company to sponsor their conferences, and trying to ad hominem the project leaders.

  • kingthrillgore@lemmy.ml
    link
    fedilink
    arrow-up
    2
    arrow-down
    2
    ·
    7 months ago

    I have never used Nix and I don’t see its immediate applications for what I do but seeing this has me concerned about adopting it.

  • casual_turtle_stew_enjoyer@sh.itjust.works
    link
    fedilink
    arrow-up
    6
    arrow-down
    6
    ·
    7 months ago

    Nix is already beyond fucked because they actively dismiss the need for appropriate security measures to prevent supply chain attacks. There were multiple discussions about this over the years that appear to have succumbed to neglect.

    I wouldn’t trust nix, just like I don’t trust pip, brew, or a whole plethora of other package managers and repositories. They are just too neglectful

      • casual_turtle_stew_enjoyer@sh.itjust.works
        link
        fedilink
        arrow-up
        2
        arrow-down
        2
        ·
        7 months ago

        If I were to fully elaborate, I’d be typing for hours, so I’ll sum up:

        • pip - default behavior is to install to system-wide site packages. In a venv, it will try to upgrade/uninstall system packages without notice/consent unless you specify --require-virtualenv. Multiple things can fuck up your ENV to make the python binaries point to system-wide, while your terminal will still show you as in a venv. Also why TF would package metadata files need to be executable? Bad practice, -1/10
        • nix - they acknowledged years ago that they should probably have some kind of package signing and perhaps an SBOM or similar mechanism, but then did nothing to implement it and just said “oh well, guess we’re vulnerable to supply chain attacks, best not to think about it”
        • brew - installing packages parallel to your system packages manager, without containers. My chief complaint here is that brew is a secondary package manager that people might treat as a “set and forget” for some packages, rarely updating them. So what happens when a standard library used by a brew package is vuln? A naive Linux user might update their system packages but totally forget to update brew. And when updating brew, you can easily hit max_open_file_descriptors because kitchen sink

        From there, it’s all extremely nit-picky and paranoid-fueled-- basically, none of the package managers I mentioned are conducive, in my eyes at least, to a secure and intuitive compute environment.

        Unfortunately, there’s not much I can do about it except bang pots and pans and throw maintainers under buses when the issue that has been present for years rears it’s ugly head. Because they are the only ones who can change this, and pressure is the only thing that might motivate them to.