I am going to try to explain the XZ vulnerability recently discovered in many systems and its connection to caring for your grandparents.
Imagine you have a hobby
Let’s say you learned to play the guitar. You even joined a band in high school! You recorded your songs and released 1 CD, of which you sold 100 copies, which was great fun.
Then, life intervened: people moved, others got married, you had a baby, and the band was no more. You decide to release your CD as free music for everybody to enjoy.
The Rolling Stones use a piece of your song in theirs. It’s very flattering at first, and what great fun! But there is a catch: every time the Rolling Stones play, an army of lawyers descends on you to square the rights to this song. It quickly becomes a major source of stress.
Invisible labor of modern technology
I know this was a crude analogy, but it kind of explains the situation of Open Source maintainers:
- They produce some piece of code for fun
- It becomes extremely popular in a very obscure way: as a crucial support of somebody else’s product
- They are now expected to maintain that piece of technology, forever, for free, with no upside and very niche recognition.

Fast forward to today: XZ
Recently, a massive vulnerability has been discovered that could affect countless servers, services and critical points all around the Internet. Here is my crude summary:
- A guy in the Netherlands creates the XZ package: a compression algorithm that is useful for specific use cases
- That package made its way into some Linux distributions, where it helps compress data for a core process; because that process runs with elevated privileges, so does any code linked in through the package
- That guy in the Netherlands has been maintaining the project for years without any compensation, rewards, or recognition.
- Suddenly, he is flooded with requests to do more work on the software. He tries to keep up, but the demands become overwhelming
- A contributor steps in and helps out with these requests. The original author slowly decides to hand off the project to “New Management”
- “New Management” slowly introduces a specific and very obscure backdoor. It only works because of a quirk of how Linux packages are put together
- New versions of a few Linux distributions are released with a backdoor that allows the “New Management guy” to take control over any computer running this software. It’s estimated that this would affect around 1% of the world’s servers.
- Another guy, at Microsoft, notices that on some servers, logging in takes half a second longer. He starts digging and uncovers the whole plot.
There are a few points worth underscoring:
- There was really a lot at stake. 1% of servers may not sound like a lot, but once you have some foothold, it’s much easier to extend your influence in other ways
- There are plenty of frustrated, unrecognized, and burned-out Open Source maintainers. Their code and labor are treated like commodities, and entitled people expect them to maintain it forever. At the same time, it’s critical to almost the entire economy
- I cannot explain how sloppy programmers are with pulling dependencies. Most of the time, they will install random packages found on a website somewhere, and I am surprised (or maybe oblivious) that we don’t hear more about dependency attacks.
- That being said, this attack was extremely elaborate, which probably points to a state-sponsored actor.
Invisible labor is all around us
It is hard for my mom to spend time with her granddaughter because helping her own parents takes most of what she has to spare. I – on the other hand – have to help my other grandfather, and I won’t even mention the challenges of fatherhood.
There are countless untold stories of people caring for the young, the old, the sick, and the disabled. We like to romanticize this as beautiful, inspiring, and “proper”, but dealing with neurodegenerative diseases of the elderly is thankless, depressing, and exhausting.
I can’t even imagine what single mothers, parents of very sick children, or families of alcoholics have to go through daily just to keep going. And there are A LOT of people in these situations. We just don’t like to think about them because it’s depressing.
All there is to win is more work
Did you notice how all stories end with “happily ever after”, some resolution, some kind of end?
It’s rarely like this in real life. The “happy ever after” of a love story is the actual labor, after which comes the labor of parenting. It’s rewarding on its own terms, but it also requires more work than getting the girl – the story being told.
Most things in life are like this: The reward for winning is more work, more invisible labor, more responsibilities.
We need to celebrate and reward that invisible labor
People all around you (or maybe yourself) are making sacrifices quietly because the situations are not glamorous or heroic. Remember that, and remember to thank them.
For the love of God, Big Tech companies need to support Open-Source projects they are benefiting from. In WordPress, we have Five For The Future, and we need more similar initiatives.
The post The World runs on invisible labor appeared first on Artur Piszek.