It's amusing to see the mix of moral panic and hypocrisy in #InfoSec arousing around the #xzbackdoor.
Everybody propose "#xz takeaway", "lesson learned" and so on...
But everybody pretends such kind of carefully crafted attacks to be something new, something clever and unprecedented.
It's not.
For a #backdoor that has been discovered (by a fortunate and unlikely row of coincidences, while analyzing benchmarks of an unrelated software), thousands are still running in production.
Hiding backdoors in modern stack is incredibly easy due to its huge complexity. And this is obviously true for both #opensource and proprietary software.
The only way out is to redesign and rewrite everything from scratch to be human readable.
#Wirth was right.
@Shamar Only problem is rewrites and start from scratches comes with a huge price tag, and no guarantees of ROI. ROI in not in the sense of capital but achievement, like decrease on complexity.
That's naive.
While redesigning and rewriting from scratch you would build on the lessons learned during the last 3 decades at least.
AND you would have manageable complexity as a goal, likely with metrics to measure it.
Compared with the current mainstream mess that lacks any cohesion or design coherence since at least Unix V5, it's impossible to do anything worse, so the improvement would be certain.
@Shamar So we are ignoring the lessons learned from the Plan9. Isn't it effectively what you are suggesting?
Uhm.. I thought it was, and in fact forked #Jehanne to further simplify and make it more powerful: http://jehanne.h--k.it/
But infact I was wrong: Plan9 is still inheritelly elitist. Even its best incarnation, #9front, while a superb enginering achievement, builds on top of a broken history.
People should not need to learn grep, sed or awk to manipulate text files programmatically. Even just their names sounds arcane.
Furthermore the reason why people do not use Plan9 is rooted in the huge military investments that funded (and still funds) the broken alternatives through several companies (microsoft, ibm, sun, google...) and universities that spread the broken tools.
Spreading computing literacy for the masses is never been a goal of such actors.
Today the cultural #hegemony that was built this way, makes it unthinkable to further explore the vast design space that could actually gives us a safer foundation for modern computing.
That is also why "the Plan9 lesson" must ignore the economical and geo-political forces that lead to its (percieved) failure.
And why you didn't mention an European os like #Oberon instead.
@Shamar And you are already pointing out the different forces in effect causing the outcome. There are market forces, military forces and also user habits.
Perhaps I would need to also mention, current "modern" computing stack is complex layers of layers over each other and yes a simpler stack could be beneficial on many fronts.
Still this does not change the fact about investment price tag and ROI concerns.
@Shamar I didn't mention Oberon, because I admit I was not aware of it.
Now back to what I have mentioned, Plan 9 - Huge investment, no ROI. Oberon Huge investment no ROI. Jehanna, some investment?? No ROI.
I reiterate, I am not naive when saying redesigns, rewrites, start from scratches come with a huge price tag and no guarantees on ROI. I am talking about facts.
All of the above mentioned projects show the same outcome.