
@qbi
> Open source is a supply chain risk

So, fails to properly secure , but it's FLOSS that gets the blame?

🤦‍♀️


@rysiek @qbi Indeed. The article is good (and the work they've done is impressive) but the section "Takeaways" is incredibly stupid.

@bortzmeyer @rysiek @qbi
This article is better: wiz.io/blog/omigod-critical-vu
And the "Key Takeaways – Microsoft’s Patch Process in The OMI Repository – Irresponsible Disclosure?" is spot on.

@rysiek @qbi
«What is OMI?

Open Management Infrastructure (OMI) is an open source project sponsored by Microsoft in collaboration with The Open Group. Essentially, it’s Windows Management Infrastructure (WMI) for UNIX/Linux systems.»

Not only is it Microsoft failing to secure Azure, the open source project to blame is also a Microsoft project!

@rysiek @qbi @emacsomancer want to see who wrote and maintains OMI?

# Clone the repo, then count commits per author e-mail domain (fewest first)
tmpdir=$(mktemp -d)
git clone https://github.com/microsoft/omi.git "$tmpdir" &&
git -C "$tmpdir" shortlog -sne --all |
awk '{
  domain = $NF                  # last field of a shortlog line is "<user@domain>"
  sub(/>$/, "", domain)         # drop the closing ">"
  sub(/^[^@]*@/, "", domain)    # drop "<user@", leaving only the domain
  count[domain] += $1           # $1 is that author'\''s commit count
}
END { for (domain in count) printf("%d\t%s\n", count[domain], domain) }' |
sort -nk 1

"FLOSS in the supply chain is a risk" is corrosively disingenuous.

@gnomon I'll bite, what the actual h-e-double-hockey-sticks is that supposed to do?

@skquinn oh sorry

It uses "git shortlog" to generate a list of every commit author in the repo and the number of commits they wrote, then further collates by the domain of each email address.

Long story short like 98% of the commits come from @microsoft.com addresses and the other ones are trivial.

The OMI codebase may be "OSS" according to its license but it has no OSS development process or community, so the license is as meaningless as the scapegoating.
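As an added illustration (not code from anyone in the thread), the same collation in a shell script that also reports each domain's share of commits, run over a constructed sample of `git shortlog -sne --all` output rather than the real OMI history:

```sh
#!/bin/sh
# Constructed sample of `git shortlog -sne --all` output (not real OMI data).
SAMPLE_SHORTLOG='   120	Alice Example <alice@microsoft.com>
    75	Bob Example <bob@MICROSOFT.com>
     3	Carol Example <carol@example.org>
     2	Dan Example <dan@users.noreply.github.com>'

# domain_share: read shortlog lines on stdin and print "count<TAB>percent<TAB>domain"
# per e-mail domain, largest first. Domains are lower-cased so case variants merge.
domain_share() {
  awk '
    {
      email = $NF                                  # last field is "<user@domain>"
      sub(/^</, "", email); sub(/>$/, "", email)   # strip the angle brackets
      domain = tolower(substr(email, index(email, "@") + 1))
      count[domain] += $1                          # $1 is the commit count
      total += $1
    }
    END {
      for (d in count)
        printf "%d\t%.1f%%\t%s\n", count[d], 100 * count[d] / total, d
    }' | sort -rn -k1,1
}

# top_domain_percent: share held by the single largest domain, rounded to an
# integer percent. A figure near 100 means one organisation owns the code base,
# whatever the licence says about "community".
top_domain_percent() {
  domain_share | head -n 1 |
    awk -F'\t' '{ sub(/%/, "", $2); printf "%d\n", $2 + 0.5 }'
}

printf '%s\n' "$SAMPLE_SHORTLOG" | domain_share
```

Pipe real `git shortlog -sne --all` output into `domain_share` to get the per-domain table for any repository.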

@gnomon "Open source" is pretty meaningless anyway. This is why I refer to "free software" when applicable, as it's the freedoms that matter. It is very Microsoft-like to co-opt the "open source" label with things that do not qualify as free software especially when 98% of the code comes from them.

Mastodon for Tech Folks