From a recent Wired article:
The developer of a popular open source package has been caught adding malicious code to it, leading to wiped files on computers located in Russia and Belarus. The move was part of a protest that has enraged many users and raised concerns about the safety of free and open source software.
The application, node.ipc, adds remote interprocess communication and neural networking capabilities to other open source code libraries. As a dependency, node.ipc is automatically downloaded and incorporated into other libraries, including ones like Vue.js CLI, which has more than 1 million weekly downloads.
Two weeks ago, the node.ipc author pushed a new version of the library that sabotaged computers in Russia and Belarus, the countries invading Ukraine and providing support for the invasion, respectively. The new release added a function that checked the IP address of developers who used node.ipc in their own projects. When an IP address geolocated to either Russia or Belarus, the new version wiped files from the machine and replaced them with a heart emoji.
To conceal the malice, node.ipc author Brandon Nozaki Miller base-64-encoded the changes to make things harder for users who wanted to visually inspect them to check for problems.
Translated into plain language: the open source community is motivated by ideology, not money. Since they are motivated by ideology, they constantly need to find "noble causes" and "change the world". In this case, one such "noble individual" decided that the "noble cause" is to support Ukraine in its valiant struggle for fascism, theft, corruption and enrichment of criminals, and against Russia, and modified a popular open source project by adding malware that damages user data if the machine's IP address geolocates to the antifascist countries. Note where the malware ran: not on some end user's machine, but on the machines of the developers who pulled the library in as a dependency, which is exactly what makes a transitive dependency such an effective delivery vehicle. The malicious code was base-64 encoded so that it would not be spotted by anyone visually inspecting the change.
Now, keep in mind that the supposedly "open source" projects are hardly ever peer-reviewed even in normal times. There are too many projects, and nobody really wants to bother, because it is assumed that, since the code is open to inspection, it actually is constantly inspected and reviewed. The fact remains that hundreds or thousands of pieces of malware, carefully encoded to hide their real purpose, could be scattered across all sorts of open source projects. Such projects are typically maintained by one or two actual developers who do all the work, while the "reviewers" seldom give the source code even a passing glance. Those maintainers are starved for money and therefore an easy target for bribery by governments or corporations; they are also possibly sensitive to other forms of pressure or blackmail; and then there are those who are ideologically motivated, in the sense that they, like all godless people, live empty and worthless lives and want to pretend that their lives matter and that they make a difference by contributing to the cause of the day. There is absolutely no reason why I would assume that open source projects are trustworthy, which means I would have to either personally go through them, for which I lack both time and motivation, or trust someone who will provide oversight, in which case quis custodiet ipsos custodes?
I told the package manager in the Linux distro I use to list all the installed packages; there were 2147 of them, and I have inspected the source code of exactly 0 of those. If n% of all contributors were sensitive to ideological virtue-signalling, o% were sensitive to money and p% were sensitive to blackmail (with n, o and p all greater than zero), how many hidden pieces of malware could they have planted in there, carefully masked by obfuscation, by functionality deliberately left out (a check that is "forgotten"), or by functionality that only emerges when several innocuous-looking pieces interact, all of which is very hard to detect?
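As an added example (my own code, not code from this post, from node.ipc, or from any real package or tool), here is a small scanner for the concealment technique the Wired quote describes and that the obfuscation point above refers to: it finds long base64 runs in JavaScript source, decodes them, and flags the ones that decode to readable code calling file-system, process-spawning or eval-style APIs. The "library" it scans is constructed inline, its hidden payload is invented (a stand-in for the shape of the incident, never executed), and the list of suspicious API names is my own heuristic.

```python
import base64
import binascii
import re

# Runs of base64 alphabet at least 40 characters long. Shorter runs are
# mostly hashes, ids and ordinary identifiers and produce too much noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Heuristic (my choice, not taken from any tool): API names a decoded blob
# has no business containing unless it hides executable logic.
SUSPICIOUS_APIS = (
    "writeFileSync", "writeFile(", "unlinkSync", "rmSync", "readdirSync",
    "child_process", "exec(", "spawn(", "eval(", "new Function(",
    "http.get(", "https.get(", "fetch(", "process.env",
)


def decode_if_text(blob):
    """Decode one base64 run; return the text only if the run is well-formed
    base64 that decodes to (almost entirely) printable UTF-8, i.e. looks like
    source or config rather than an image, a compressed blob or raw hash bytes."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None  # not base64 at all, or wrong length/padding
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None  # binary data
    if not text:
        return None
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\n\r\t")
    return text if printable >= 0.95 * len(text) else None


def scan_js_source(src):
    """Return [(line_no, apis_found, preview)] for every base64 run in src
    that decodes to text mentioning one of SUSPICIOUS_APIS."""
    findings = []
    for line_no, line in enumerate(src.splitlines(), start=1):
        for match in B64_RUN.finditer(line):
            text = decode_if_text(match.group(0))
            if text is None:
                continue
            apis = [api for api in SUSPICIOUS_APIS if api in text]
            if apis:
                findings.append((line_no, apis, text[:60]))
    return findings


# --- constructed sample: a harmless-looking module with a hidden payload ---
# The payload only mimics the shape of the incident (a file overwrite gated on
# geolocation); it is invented here, is NOT node-ipc's code, and never runs.
HIDDEN_PAYLOAD = (
    'const fs=require("fs");'
    'if(geo(ip())==="RU"){fs.writeFileSync("./README.md","❤");}'
)
HIDDEN_B64 = base64.b64encode(HIDDEN_PAYLOAD.encode()).decode()

# Two decoys that a naive "any long base64 string is bad" rule would flag:
BENIGN_B64 = base64.b64encode(b"MIT License - Copyright (c) 2021 Example Author").decode()
INTEGRITY_HEX = "a1b2c3d4" * 8  # 64 hex chars: valid base64 alphabet, decodes to binary junk

SAMPLE_SOURCE = f"""\
// innocent-looking module; the hidden blob sits on line 4
const LICENSE = "{BENIGN_B64}";
const INTEGRITY = "{INTEGRITY_HEX}";
const p = Buffer.from("{HIDDEN_B64}", "base64").toString();
eval(p);
"""

if __name__ == "__main__":
    for line_no, apis, preview in scan_js_source(SAMPLE_SOURCE):
        print(f"line {line_no}: blob decodes to code using {apis}: {preview!r}")
```

Pointed at a real tree, `scan_js_source` would be called on each `.js` file under `node_modules`, and the same idea applies to a distro's source packages. Treat it as a tripwire, not a proof: the decoys show why decoding and looking at the result matters (a license string and a hex digest decode but are not flagged), and an author who knows the check exists can split the string, use hex escapes or fetch the payload at runtime, so zero findings proves nothing.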
Basically, if I want something that will work reliably in all kinds of scenarios, Linux and other open source solutions are arguably no better than the proprietary ones; they just have different sets of issues. That is why I try to average out the risk by using all the available platforms and maintaining sufficient proficiency in each of them to be able to platform-hop instantly if one of them is disabled.
I always had a strange aversion to open source projects because there was always some kind of ideology and virtue signalling attached, which was most apparent in the Linux wars, which looked exactly like religious wars in an atheist flavour.
It was also apparent when contacting developers and seeing their responses, and in the speed with which the IT community embraced woke bullshit.
Not that commercial products are all that different, but at least you can get away from most of this bullshit by paying for the damn thing, since commercial projects value money more than ideology (in most cases at least), while open source sees money and wealth as something demonic and then forces itself to ask for donations when it realizes it actually needs the fucking money for the most basic survival in the civilized world.
From a security point of view, I had an epiphany regarding open source when you were discussing cryptography and how it is irrelevant whether a project is open source or not, because there are only a handful of people who can write and peer-review this code, and they can easily be controlled.
In fact, open source just creates a layer of false security, in the sense of "well, people checked that code, it must be safe", while in fact those few people who can actually check it are probably working for the CIA in the first place.
So yeah, the same bullshit everywhere, the same false religions and ideologies wherever you turn your head; there is nowhere to go any more.
In fact, there never was; it's just that the realization is sinking in now.
I mean, it's not like I can get away from exposure to GNU/Linux; I use it on all my servers and on all my workstations/laptops, WSL on the Windows machines and MacPorts/Homebrew on the MacBooks, so yeah, if there's something malware-like in Linux I'm fucked. This is more of a warning to others not to underestimate the problem, because I'm kinda tired of "just switch to Linux, it's free and open source". Yeah, it is, and that's just another bag of fleas.