this post was submitted on 12 Oct 2023
355 points (97.8% liked)
Linux
48031 readers
1280 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Nobody is even slightly concerned that this made it to release? if they can shove in hate speech without anyone noticing, cant be much harder to slowly introduce a backdoor over several commits.
Minecraft got in trouble when the Afrikaans translation had the n-word (in English) due to a malicious translator. CDPR had an issue with the Ukrainian translation making references to the ongoing war.
This sort of thing happens somewhat frequently. It's the same reason how fake sign language interpreters can hold positions. It's hard to verify the accuracy of a translation in a language you don't speak. They have to trust that the translator did their job right.
Translations are usually just text strings. No reasonable project would allow translators to write code.
I mean honestly though, if there are code reviews, how hard would it be to just make a quick "translation review", putting the stuff through a translator program, and verifying it's not obvious bullshit? Especially for new/unknown contributors. Of course it's additional work, again, but a sanity check should easily be possible.
Quite hard. We had Open Source'ish LLMs for only around six months, if they are even up to the task of verifying a translation is another issue and if they are up to Debian's Open Source guidelines yet another. This is obviously going to be the long term solution, but the tech for that has simply not been around for very long.
And of course once you have translation tools good enough for the task, you might just skip the human translator altogether and just use machine translations.
I more meant that if something contains "fucking kill all ukrainians and trans people", which it sounds like this was something like that, that should be possible to see even with bad translation tools.
I would assume since it was a block of raw text in Ukrainian in a translation file, it would have passed more under the radar than something like a backdoor. I do not know how things are reviewed before being pushed to release though.
Not really, not only because of the language but also because the same scrutiny between code and content wouldn't have to be the same. I also don't expect core aspects of the distribution, e.g kernel, package manager, cryptography libraries, to be verified the same way than a random software, e.g Kdenlive. So... is it bad, absolutely. Does it mean everything should be questioned again? Probably not.
I'm sure more people know C or Python than Ukrainian at Canonical. It looks like this particular change has been authorized by a third-party localization project, though I'm not sure the whole process works.
Translations are not going to be analyzed as thoroughly as code, and this was still found quite quickly. Submitted code is analyzed much more thoroughly, often by multiple members or the project.
It is very concerning, absolutely. With that said, it's entirely possible localization/translation reviews work differently than code reviews.
Well but they DID notice
Most translations are contributed by external users for languages that the project developers don't speak themselves, so they can't always check everything unless there's multiple active translators for one language.
Ukrainian has enough speakers for there to be multiple translators, doesn't it?
Clearly not enough active ones for each and every project out there.
But oPeN sOuRce iS sAfe.
Lol. You have to understand the context here. This is just translations. Actual code has many, many more eyes on it. An entire university was banned from submitting code to Linux, because of two dumbasses. They found and fixed genuine bugs. Built up lots of trust. Then violated that trust with actual use-after-free bugs submitted intentionally.
The submitted "patches" to the development branch was to prove it's easy to get exploits into high profile open source projects. They ultimately proved the contrary. Making their "research" bunk. The code they submitted never made it past the development testing phase.
The context is that code made its way into shipped open source software.
The type doesn't matter. It proves that there can be slip ups.
Move goal posts, though.
Something nobody has ever disputed.