[conspire] xz exploit and backdoor
Ivan Sergio Borgonovo
mail at webthatworks.it
Fri Apr 5 02:09:10 PDT 2024
On 4/5/24 6:40 AM, Rick Moen wrote:
> Getting back to distro software choice and packaging: The "every
> possible use-case must be supported out of the box" syndrome is
> dispiritingly ubiquitous. Some stuff is compiled into a daemon binary
> even though almost nobody will use it, just because someone might.
> Why is Apache httpd almost always the default, rather than Lighttpd,
> nginx, sthttpd, or Hiawatha? Because it's big dumb software that does
> everything, that everyone's used to.
>
> $FIRM ran Apache httpd, but many PCIDSS complaints got finessed by
> sending them our conffiles where various buggy features were
> specifically disabled.
Because you don't get rid of complexity, you just move it somewhere else.
When you have to learn how to install, configure and manage N pieces of
software, you won't know them as well as you might know how to configure
one "complicated" piece of software.
If you split N developers and N*M auditors/users across N pieces of software...
Of course it has trade-offs.
Writing good software and using software adhere to very similar principles.
How you account for trade-offs depends on the stakeholders (the company, the
users...). <- the problem is here
But even if you limit yourself to the "technical" aspect of writing and
managing software you may get the point that "simpler" is not "better".
While I'm a big fan of interoperability and standardization, they have some
drawbacks too.
I'd argue that «you're crippling our "innovation"» has been a recurring
mantra of monopolies... etc...
Then you have "de facto standards" pushed by monopolies etc...
I can't help thinking of the refrain of this Italian song:
https://www.youtube.com/watch?v=cu3K1njbYqs
It's a difficult world
And an intense life
Happiness at moments
And an uncertain future
Side note: node.js is the epitome of bad modularization, dependency and
complexity management.
https://www.npmjs.com/package/is-true
--
Ivan Sergio Borgonovo
https://www.webthatworks.it https://www.borgonovo.net