Popular Go Library fsnotify Raises Supply Chain Alarms After Maintainer Access Changes
Posted by CircumspectCapybara@reddit | programming | 18 comments
TrickyAnteater9270@reddit
This is why maintainer access changes should be treated like production incidents. Popular small libraries carry massive hidden risk
Professional-Disk-93@reddit
Maybe they should have bought a commercial library with a support contract.
MooseBoys@reddit
... for a filesystem notification go wrapper???
Nooby1990@reddit
It does not matter what it is. As soon as someone starts making DEMANDS (especially if those demands come from a commercial entity), they should get a reminder that there is no support contract and they are not actually entitled to anything.
If they want to make demands like that, they should pay for the privilege to demand them.
MooseBoys@reddit
Who's making "demands"? If you are talking about people wanting explanations for suspicious contributor changes, that's hardly a demand. An explanation is warranted regardless of whether the dependee is a corporate user or another FOSS project.
Nooby1990@reddit
So you admit that it is a demand. Hardly one, but it is.
Why? Why is it "warranted"? It would be nice, but they don't owe anyone anything.
So what? It was used by enough people that it makes news now. Maybe it would be better if the people who demand explanations would donate to the maintainer.
It is apparently important enough that "downstream users need clear answers", but not enough for those users to donate to the project?
MooseBoys@reddit
Nobody "owes" anyone anything, and it's more of a statement than a request. The implied statement is "It seems like your lib is undergoing a possible supply-chain attack à la CVE-2024-3094. Absent an explanation for the recent changes, I'm going to stop using your lib and encourage the community to do the same."
Nooby1990@reddit
If they did this in a case like this, they would just damage their own reputation. The explanation for what happened is out there, if you want to look.
It does not even matter to my argument. People heavily rely on Open Source libraries, don't support them AT ALL, and then start making demands on the maintainers as soon as things don't go smoothly. Now go and do this work for me for free.
THAT just isn't right.
pjmlp@reddit
Yes, people used to sell libraries.
Jaded-Asparagus-2260@reddit
The whole post sounds like Yasuhiro Matsumoto is the victim here and that his removal might be the sign of an attack. But he pushed directly to the main branch without prior discussion, claimed that his and the original developer's committer rights had been revoked, created a fork with a very official sounding name, and later backtracked on his statement about the original author being removed as well.
Sounds to me like very good reasons to have him removed, and that "maintainer Martin Tournoij" reacted exactly right. Why is he made out to be the perpetrator? Can somebody shed light on this?
lizardhistorian@reddit
Why would this matter at all?
What level of asshole pulls from main and releases it in their code?
tsimionescu@reddit
The main change that triggered this, per the article and the explanations from Martin Tournoij, the project owner, is a change that Yasuhiro Matsumoto, a minor contributor, pushed to the project's sponsorship doc, appointing himself (a person who had contributed 5 commits at that time in the whole history of the project) as the second person who should receive funding from people who want to sponsor the project. This is an obvious abuse of commit privileges, and it is more than enough to revoke anyone's rights to commit to a project.
Also, it is in no way common for an open source project to have random people commit directly to main without any review from the project maintainers.
Big_Combination9890@reddit
Sounds like people got spooked by a developer dispute.
Supply chain attacks do not come to light by massively visible public dispute in repos or orgs. The xz attack was famously discovered by a random guy noticing lags during performance testing, not because people yelled at each other in github issues.
ChampionshipFar7571@reddit
Good read.
programming-ModTeam@reddit
This content is low quality, stolen, blogspam, or clearly AI generated.
sylvester_0@reddit
This seems like a nothing burger. Convo from yesterday: https://www.reddit.com/r/golang/comments/1tag73i/popular_go_library_fsnotify_raises_supply_chain/
mjec@reddit
Here's the explanation from the issue five days ago: https://github.com/fsnotify/fsnotify/issues/757#issuecomment-4399405186
frakkintoaster@reddit
So uhh, is there a conclusion to this?