Friend who is not a software person sent me this tweet, which amused me as it did them. They asked if “runk” was real, which I assume not.
But what are some good examples of real ones like this? xz became famous for the hack of course, so I then read a bit about how important this compression algorithm is/was.
Based on my cheatsheet, GNU Coreutils, sed, awk, ImageMagick, exiftool, jdupes, rsync, jq, par2, parallel, tar and xz utils are examples of commands that I frequently use but whose developers I don’t believe receive any significant cashflow despite the huge benefit they provide to software developers. The last one was basically taken over by a nation-state hacking team until the subtle backdoor for OpenSSH was found in 2024-03 by some Microsoft guy not doing his assigned job.
I heard about that last one on a podcast and it was the first thing I thought of when I saw this post. Genuinely interesting story (if you’re into that sort of thing). The pod was saying how it’s both a flaw of open source that it could happen that way and an advantage because it was discoverable due to the fact that the code is open source.
Do you have a link to the podcast?
Sounds like the open source security podcast. Specifically this episode: https://opensourcesecurity.io/2024/04/01/xz-bonus-spectacular-episode/
Kurt and Josh are great, one of my favourites.
https://shows.acast.com/the-404-media-podcast
Episode 32
Which podcast? Sounds like something I’d be interested in listening to
Also replied to another comment, sounds like this one here: https://opensourcesecurity.io/2024/04/01/xz-bonus-spectacular-episode/
404 Media
https://shows.acast.com/the-404-media-podcast
Episode 32
And those are only fully packaged user-facing software.
I’d guess almost all of the Rust code for low level hardware access is maintained by a single person. Most of them once joined forces and created a standard; it had 4 developers last time I checked. The only usable cryptography library for C# has a single developer, and while on crypto, that meme got widespread because of OpenSSL, which had a single developer who spent most of his time on OpenSSH and other BSD user-facing software.
Also, while we are on crypto, the modern algorithms were all created by a single researcher, who got famous for a work on how to decide if you can trust a crypto algorithm. Almost everybody uses his code.
Anyway, that meme first appeared because of JavaScript, when a developer removed his library (with ~10 lines of code) from the language’s repository and almost all JavaScript software broke.