Spyke
Eric_the_Cerise
fedia.io

Werner Koch, the guy who created, and who has maintained for 25 years now, pretty much all by himself, GnuPG, the modern email encryption replacement for PGP.

Just the other day, I realized I actually live just a few kms away from the guy, here in Germany ... very tempted to reach out to him someday and actually buy him an actual coffee.

87
spartanatreyureply
programming.dev

That was the one I couldn't remember, I got GPG and PGP confused but I remember it involved email encryption.

This guy was the reason that every security dev had those personal public keys clearly posted next to their email address on every announcement and blog post they ever released.

3
BeePlusPlus
beehaw.org

Log4j was a fun one to watch unfold everywhere when things went haywire

85
axtualdavereply
lemmy.world

The neat thing about the log4j thing was even a cursory explanation of the vulnerability made anyone with a passing familiarity with security say, "Why the fuck would that even be a feature?!"

37
JackbyDevreply
programming.dev

Basically it involved parsing JNDI stuff which involved grabbing remote code (but that was a niche feature of JNDI in the Dev's defense). Basically, you may think it is just something like variable substitution but can involve much crazier stuff.

Edit: and for more context, JNDI is typically a thing for getting a database connection stored on the application server. The idea being you just ask for "customer database" and don't have to define the connection in the code. The server has it defined elsewhere. So in each environment it works the same. Basically glorified and standardized config file type of thing.

8
ColonelPanicreply
lemmy.ml

Wait until you learn that PDFs support embedded Javascript.

13
fuboreply
lemmy.world

At this point, it wouldn't surprise me to hear that PDFs support embedded ELF executables.

(I'm pretty sure they don't, but ... seriously, it's PDF.)

3
kaffienereply
lemmy.world

Yeah. It was frustrating cos it was reported as a Java flaw whereas is was really just a wtf were you thinking??? issue

1
boonhetreply
lemm.ee

As a non-java company developer at the time, I think our biggest challenge was explaining to everyone that Log4j didn't affect us. It took a non-zero amount of effort because a lot of customers panicked. To be fair, it was also an industry where confidentiality is important.

22
argv_minus_onereply
beehaw.org

It was if none of your code used log4j. I remember being very grateful that I had chosen java.util.logging and Logback for my Java logging needs.

6
OneDimensionPrinterreply
lemm.ee

Lol, yeah for us we didn't own any of the code that used it but depended on server software made internally that did. At the time we managed our own hosts, so it was a long week of deployments.

3
BinaryEnthusiastreply
beehaw.org

Oh man. I missed it by like a month. I graduated with my bachelors in December, and started in January. I was hearing horror stories from my new coworkers about how people had to cancel vacations to get stuff patched asap

5
elracreply
kbin.social

That one was so annoying because you had to be using the log server to have any issues. If your network was locked down, the log server was disabled, or if you happened to be using a version that was from before the log server was added, then there were no issues. But clients just heard "log4j" and thought it was unsafe.

8
Hausreply
kbin.social

Couldn't remember which logging library it was, thanks for mentioning it, it would have low-key bugged me all day.

3
Wolfwood1reply
lemmy.world

Came here looking exactly for this answer. What a week that was... And the next ones too

1
fubo
lemmy.world

Public NTP time servers have occasionally been that piece of infrastructure.

NTP is used for synchronizing computer clocks, ultimately using highly-accurate time sources such as atomic clocks. The most authoritative public time servers tend to be run by research universities, national labs, and so on.

Multiple home router vendors have sold devices configured to poll university NTP servers vastly excessively; effectively running a denial-of-service attack against public infrastructure. In a few cases, public time servers have closed down because of abuse by misconfigured consumer devices.

https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse

81
Black616Angel
feddit.de

Sci-Hub anyone?

Alexandra Elbakyan manages this truly awesome source of scientific papers completely on her own. She got sued twice and lost, had to change the URL multiple times due to takedowns and only gets along by donations.

81
SkyeStarfallreply
lemmy.blahaj.zone

It is a crime to humanity to lock knowledge behind a huge paywall. She does God's work.

And it's not like the actual scientists/academics support knowledge being locked away either, or profit from it.

21
Gorkreply
lemmy.ml

She's the best thing that's happened to the s scientific publishing field. I'm no longer a student but I still enjoy reading scientific papers and I'll be damned if I have to pay $20 per article (which doesn't go to the authors) since I no longer have access to a library that maintains relationships with these big publishers.

11
OneDimensionPrinter
lemm.ee

Left pad https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/

Had GPT summarize what happened.

The "left pad" incident refers to a controversy that arose in 2016 when a developer named Azer Koçulu removed his JavaScript package called "left-pad" from the NPM (Node Package Manager) registry. This caused a ripple effect, breaking numerous projects that relied on this package and highlighting the potential risks of relying on external dependencies. The incident sparked a debate about the stability and trustworthiness of the open-source ecosystem and led to discussions about best practices for managing dependencies in software development.

63
Tortyreply
beehaw.org

This is the one I came to post about. The fact there's a library for this is so stupid to me.

I feel like it demonstrates how npm and modules have probably to some degree gotten out of hand.

21
fuboreply
lemmy.world

"It broke the build at Big Tech Company" is mostly a testimony that Big Tech Company was deeply dependent on someone's work and they weren't paying for it.

1
AnonymousLlamareply
kbin.social

From memory the NPM blokes had to have a think about how they handle important packages because of that. Didn't they revert the changes to left pad to ensure everything else didn't break?

Fascinating to see the house of cards some of these solutions / libraries are built off

7
JackbyDevreply
programming.dev

Yes. They added it back. The policy now is that you can't remove packages that are depended on (or something to that extent, I don't know the specifics).

8
Spiritreaderreply
kbin.social

That's always the one I'm thinking of when anyone mentions the xkcd.

npm is one crazy infrastructure.

6
spartanatreyu
programming.dev

cURL was one of these for a while (according to my limited understanding)

It was made in the 90s and it didn't get commercial support until a few years ago.

52
jonne
infosec.pub

TzData is basically maintained by 2 guys. Pretty much every computer, phone and language relies on this database for timezone information.

49
muttley
kbin.social

The core-js library is used by 1000s of top websites and is maintained by one guy
https://github.com/zloirock/core-js

42
Highsightreply
kbin.social

It's honestly a fascinating read. We count so much on these kinds of people to keep our way of life intact, but when they ask for a little help in their own life, they get spat on.

19
gk99reply
kbin.social

It's really, really sad that this sort of stuff doesn't get picked up and funded for the greater good. Stuff like the NLnet Foundation exists, which has helped fund some pretty major projects (including the development of Lemmy), but something this critical I feel should be consistently funded by even larger entities in order to keep things working right.

10
Baldrreply
programming.dev

This story got me sad. But also, the guy should know better as not to dedicate all of his time on that. This article talk a bit about this issue.

5
lightsecondreply
lemmy.world

Thanks for sharing that article. Most open-source projects start not with a plan to monetise but because an engineer wanted to solve a problem by themselves.

Also, when i read zloirock’s post about what it takes to maintain ‘core-js’, i couldn’t understand why he would not just walk away or at least take on a lesser role. It isn’t good for any project if it depends on one person. Especially for something that is such a core part of the js ecosystem (pun intended). I’m sure he’d get lots of volunteers if not the money directly.

1
fuboreply
lemmy.world

OpenSSL was (and is) an actively maintained project; although some infrastructure users prefer Google's stripped-down fork, BoringSSL.

1
sasquash471
feddit.de

Not a package but FileZilla is developed by Tim Kosse for over 20 years. I know that there are a lot of other FTP-Clients but FileZilla is my favorite. Easy to use and very very stable. There is a pro version sure, but most of the time the regular one does the job. My company throws thousands of dollars a month at Adobe, Microsoft and others. But they would never even think about giving anything to Tim Kosse and others, even though I've probably saved days of work with tools like this.

36
ilovededyoupiggyreply
sh.itjust.works

My company's anti-malware started triggering on filezilla's installer a few years ago because they started packaging apparently sketchy ads in it. Dunno if that's still the case or not. I ended up switching to WinSCP instead. (Which I believe is actually another example of just one or two guys running that show too.)

11
pwshguy (mdowst)
programming.dev

Basically every Windows sysadmin is indebted to Mark Russinovich and SysInternals. Fortunetly, PowerToys has come a long way because I'm pretty sure sysinternals haven't been updated since Windows XP.

30
GrishAixreply
feddit.de

Mark Russinovich now works for Microsoft and they own Sysinternals. Also the tools get updated quite regularly.

19
RustySharpreply
programming.dev

"Mark works for MS" is a massive understatement. He's CTO of Azure now.

And speaking of Sysinternals, arguably the most exciting update was when ProcessExplorer got a dark mode late last year :)

19
Baldr
programming.dev

Node frameworks are famous for this purely because of a lack of standard library. I feel like most languages have a standard library that balance being generic but still providing utilities of common used stuff. So a company that doesn’t want to rely on a random guy’s library can build their own with only the features they want. But with Node, any complicated feature is using a tree of hundreds of random packages that you have no idea who created them.

28
Fylkirreply
lemmy.sdf.org

Someone ought to write a Node.js fork that includes native implementations of popular modules that are unlikely to need maintenance like isodd. Then come with a custom version of NPM that refuse to install the packages.

6
spartanatreyureply
programming.dev

Deno basically did this by including a standard library that removes the need for the most popular modules. It's the best js/ts experience I've ever had.

10
Baldrreply
programming.dev

I just checked it and seems nice! Also seems to have been well received by the community.

2
fing3r
feddit.de

Look up a machine called Therac-25. great example of this. Terrifying.

25
Felemusoreply
feddit.de

Tl;dr:

The Therac-25, a radiation therapy machine produced by Atomic Energy of Canada Limited (AECL), was implicated in six accidents between 1985 and 1987 where patients received massive radiation overdoses due to software errors.

11
PAPPP
lemmy.sdf.org

In the same kind of vein as imagemagick, Dave Coffin's dcraw tool at least partly underlies almost every non-proprietary RAW image decoder, and some of the commercial ones (if they don't use code, they use constant matrices and such).

He's not a sole maintainer to any of his major projects anymore, but honorable mention to Fabrice Bellard who initiated both ffmpeg and qemu among other notable activities.

IIRC the Expat XML parser that's embedded everywhere was basically on spare-time maintenance by Clark Cooper and Fred Drake for a couple decades, but I think they have a little more resources now.

SQLite is a BDFL situation more than single-maintainer, but D. Richard Hipp still has his hands on everything, and there are only a relatively small number of folks with commit access.

25
JackbyDev
programming.dev

Standard JS. It's a library maintained by one guy in Russia who went to jail for some car accident (I don't have the full context). He needed money and had trouble getting it. Then the Ukraine invasion happened and that only made it more difficult for him to get money. Also he was harassed by less technical people seeing his code on websites thinking it was malicious.

It's really a sad story to me.

22
Bourffreply
lemmy.world

You mean coreJS, not standard JS, right? But yes, it's a sad story.

13
l4sgcreply
programming.dev

Wow I saw that my angular projects used core-js, but it seemed so massive and fundamental that I assumed it had the backing of a large company like angular itself. It's staggering to see that it was largely being held up by a single person and I hope their situation has improved since writing that blogpost. I can't even begin to imagine donating so much time and energy to a project even in spite of getting so much hate in return.

3
nasal_demonreply
lemmy.fmhy.ml

I don't get it. What's funny about "A complete film set up for the day less than a week and a half hours or so to get a new Hampshire the same thing we have to do yay for it to be done with the repellant the same thing we have to do you have to be a car or a goat does it make you feel better than I expected it to my mother-in-law and I will be there in a few minutes to be there for you to get back to me is getting a little bit of a man on the way to work through the ditches the other day and I will be there in the morning and I will be there in the morning...

3
mchermreply
lemmy.world

That's an example of a bug, not an example of a key library that is maintained by some little-known, unsupported individual.

2
fuboreply
lemmy.world

OpenSSL was actively worked-on by a large group of people before, during, and after that incident.

If it hadn't been, the incident would have been vastly worse.

2
wewbull
feddit.uk

The Network Time Protocol was certainly one of these for a long time, although I think it gets reasonable support now.

Having the clock read the same on all the computers in the world makes so many thing possible.

14
Gorkreply
lemmy.ml

A bit older, but how did time even get standardized between time zones so we're all synchronized to the same minute / second, only being different by the hour?

0
graphicsguy
programming.dev

RenderDoc is made by one person. It's used by every graphics programmer. It's free, open source, faster + better than anything else. I love it.

11
bitcrafterreply
lemmy.sdf.org

Huh, is glibc really only maintained by a small number of people? I would not have expected that.

4
bitcrafterreply
lemmy.sdf.org

Interesting, but are those commits to the glibc library itself or commits to the Debian package of it? The link makes it look like the latter, but I could be wrong.

2
0xpr03reply
feddit.de

ah yeah the original is actually here https://sourceware.org/git/glibc.git

running git shortlog -s -n -e glibc-2.35.. (03.02.2022 to now) gives

  270  Adhemerval Zanella 
   179  Noah Goldstein
   166  Florian Weimer
   158  Sunil K Pandey
   105  Sergey Bugaev
    84  Samuel Thibault
 [...]
´´´
1