At least being open source you can look at the code and find a solution.
With Closed Code, you are at the mercy of whatever company makes the code.
A series of "trivial-to-exploit" vulnerabilities in Fluent Bit, an open source log collection tool that runs in every major cloud and AI lab, was left open for years, giving attackers an exploit chain to completely disrupt cloud services and alter data. The Oligo Security research team found the five vulnerabilities and - in …
Well, according to apt-cache it is not part of Debian. I can't speak for other distros.
I don't go downloading "open source" from random companies without some sort of due diligence.
Had Chronosphere done anything to earn trust? Because getting your "open source" into a curated collection is a pretty good way to do it.
Amen. I have referred to similar sentiments in several posts, and I think some people just don't get it.
A lot of people seem to make the argument that open source software can be audited by anyone, and from that they draw the conclusion that somebody does indeed audit it. It is usually expressed as 'the community checks it'.
Firstly, you need somebody competent (maybe more competent than the original author) to do the checking. That auditor != anyone. The idea that the community checks stuff is a non-sequitur. Somebody has to decide to do it, or perhaps gets paid to do it. Do people really think that devs are sitting around begging to audit code and look for bugs? In some limited cases, maybe. In some narrow areas that they are interested in, maybe. But every piece of open source software? No chance whatsoever.
We have seen reports here on The Reg recently where compromised packages have been downloaded thousands of times. I'm willing to bet a tidy sum that many of those devs did not audit the code. They just blindly accepted it.
You refer to your own due diligence. Excellent. You have also taken my argument to the next logical stage. What has Chronosphere done to earn trust? I have nothing against that company, I don't know them. But why should I trust them? Because they have a web site?
Other people's code = other people's code.
Well, I'm sure all the big tech companies who use the software on their clouds would have employed devs who could have inspected the source code for any bugs that could leave a backdoor, but of course the tech companies want to use the software for free and let others do the bug fixes for them, rather than actually giving something back to the projects they use by paying their developers to submit patches.
@Blackjack
Yeah you are right. Thing is, how long did it take before someone looked and found these bugs?
In principle, "many eyes" is a very good thing.
But in practice it seems to actually be that "many eyes" means as long as those eyes belong to someone else. (Damn, I can already feel the knives being stuck into my heart!!!)
But seriously, I totally agree with your second sentence.
and save much money by not writing it internally or buying proprietary licenses were to contribute a small fraction to open source maintainers then these things would be even better.
But all of these corporations have many Mr Bean Counters who just see the price of everything and fail to understand the value of anything.
Donations of total amounts that would not affect the share price or dividends given.
“The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory”
Oct 2000: ‘The attack, also known as the "dot-dot" or "path traversal" attack, leveraged a flaw in how the IIS server handled Unicode-encoded characters in URLs.’
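As an added illustration of the CWE entry quoted above (my own example, not code from the article, the CWE text, or any commenter): the weakness arises when a filter removes `../` in a single pass, because `.../...//` loses two `../` fragments and collapses into a plain `../`. The safer pattern is to stop filtering strings and instead canonicalise the joined path and check it is still under the base directory, after any percent-decoding (the IIS case quoted above involved encoded characters). The base directory `/srv/app/uploads` and the function names are constructed for the example.

```python
import os
from urllib.parse import unquote


def naive_sanitize(user_path: str) -> str:
    """The flawed filter CWE-35 describes: strip '../' in one pass.

    Because removal is not repeated, '.../...//' turns into '../'.
    """
    return user_path.replace("../", "")


def naive_join(base_dir: str, user_path: str) -> str:
    """Join after naive filtering, as a vulnerable app would do.

    Kept only to show where the filtered path actually ends up.
    """
    return os.path.normpath(os.path.join(base_dir, naive_sanitize(user_path)))


def safe_join(base_dir: str, user_path: str):
    """Resolve user_path under base_dir; return the canonical path or None.

    No pattern filtering is attempted. The input is percent-decoded first,
    the joined path is resolved (normalising '..', '//' and symlinks), and
    the result is accepted only if it is still inside the base directory.
    An absolute user_path makes os.path.join discard base_dir, but the
    containment check rejects that case as well.
    """
    decoded = unquote(user_path)  # decode before checking, never after
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    base = "/srv/app/uploads"  # constructed base directory for the demo
    # Naive filter: '.../...//' collapses into '../' and escapes the base dir.
    print(naive_sanitize(".../...//etc/passwd"))  # ../etc/passwd
    print(naive_join(base, ".../...//etc/passwd"))  # /srv/app/etc/passwd
    # Canonicalisation-based check: traversal is rejected, a literal directory
    # named '...' is harmless, and a normal relative path is accepted.
    print(safe_join(base, "../etc/passwd"))  # None
    print(safe_join(base, "%2e%2e/etc/passwd"))  # None
    print(safe_join(base, "/etc/passwd"))  # None
    print(safe_join(base, ".../...//etc/passwd"))  # .../.../etc/passwd under base
    print(safe_join(base, "reports/q1.txt"))  # reports/q1.txt under base
```

The point of `safe_join` is that the decision is made on the resolved path, so it does not matter which dot-and-slash spelling the input used; the `naive_*` functions exist only to show the gap the CWE text describes.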