Comment by shoddydoordesk

1 day ago

You are dismissing the seriousness of this. Their package manager is widely used. One would only need to compromise their build servers to wreak havoc.

Didn't they have a vulnerability in their firmware download tool like a minute ago?

The difference between OpenWRT and Linux distros is the amount of testing and visibility. OpenWRT is loaded onto residential devices and forgotten about; it doesn't have professional sysadmins babysitting it 24/7.

Remember the xz backdoor was only discovered because some autist at Microsoft noticed a microsecond difference in performance testing.

I'm confused why you're so honed in on OpenWRT as a third-party open-source project here when the vulnerability you quoted (TotoLink) was the official firmware update server of a brand of devices.

Is it "scary" to think about OpenWRT potentially getting hacked? If you get scared by theoretical possibilities in software, sure. Is it relevant? Not exactly. Are companies' official servers more secure than an open-source project's servers? In this case, apparently not.

  • What's scary is that OpenWRT is a project created by people who wanted a better solution than what was out there, and are therefore largely driven by a desire to create a good product.

    Meanwhile, corporations are driven entirely by profit motive, so as long as it's more expensive to be vigilant about security than it is to be lax about it they will never improve.

    Until companies which produce (and do not update) vulnerable equipment are penalized (e.g. charged with criminal negligence) for DDoS attacks using their hardware, the open-source projects are going to continue to be far more trustworthy and less vulnerable than corporations which mass-produce the cheapest hardware they can and then designate it as obsolete and unsupported as fast as possible to force more updates.

    • The disappointing thing is that the companies don't just ship the open source firmware on their devices from the factory. They rarely if ever have any marketable features the open source firmware doesn't -- it's more often the other way around -- and then you don't have a zillion unpatched devices when they decide to stop caring because the community continues to maintain the code.