Foxboron

mjg59, 11 days ago to random

Just got handed yhis

mort, 17 days ago to linux

The #CVE count of the #Linux #kernel is not looking good these days compared to any other #OS is it. Maybe time to switch to #FreeBSD or some other system which doesn't claim to find hundreds of significant vulnerabilities every day

Foxboron, 21 days ago to Bash

How do you parse json in bash?

Asking for a friend.

(No, jq is not a solution here)

#json #bash

Foxboron, 21 days ago to random

I was complaining about hotel prices in Vienna for Plumbers and stuff.

However #AllSystemsGo is the same week as Berlin Marathon and holy fuck those prices are insane.

Foxboron, 1 month ago to linux

Current mood.

#Linux #FOSS

Foxboron, 1 month ago to archlinux

Someone pointed out that rpm strips packages faster than pacman so a little bit of xargs hacking later and I've shaved off 1.5/2 seconds of the pacman package building.

https://gitlab.archlinux.org/pacman/pacman/-/merge_requests/175

#rpm #pacman #ArchLinux

Foxboron, 2 months ago to archlinux

The wheels on the rebuild goes build build build. Build Build Build. BUILD BUILD BUILD.

The wheels on the rebuild goes BUILD BUILD BUILD.

All through Python3.12.

#ArchLinux #PackagerLife

Foxboron, 2 months ago to random

NixOS linking to reproducible builds in their wiki 🤌

I should post the spicy post.

Foxboron, 2 months ago to random

It's weird going from the weekend discourse of xz backdoors to work and dependabot MRs.

Idk, yolo/which-files-changed-watch update 43 to 44 with an autogenerated conventional commits changelog, are you backdoored or are you fine?

Hits approve

Foxboron, 2 months ago to security

If people think the actor behind Jia an/or the #xzbackdoor needs to be sued you need to deeply consider the implications it will have for the FOSS community.

#Security #FOSS #linux #xz

mattdm, 2 months ago to random

This is a great article from @Di4na https://www.softwaremaxims.com/blog/not-a-supplier, and I strongly agree with his point: open source / free software project developers, contributors, and maintainers are not "suppliers".

The "software supply chain" metaphor puts demands in the wrong place, and responsibility in the wrong direction.

Yet, it's a very powerful way to help companies understand their reliance on the labor of others.

What different metaphor or picture would be as strong, but with reverse polarity?

vathpela, 2 months ago to random

The OpenSSF post that's going around flat out fails to understand what's going on, and their suggestion can only hurt; it can't possibly help.

whack, 2 months ago to random

Don’t worry, industry is on top of this. Instead of funding critical software as a risk mitigation, your projects will get a bad score and some finger-wagging from OpenSSF. Mischief managed! 😍

Viss, 2 months ago to random

the only input i have on the #xz #backdoor discussion is that folks who had turned on auto updates were way more likely to have had the backdoor installed without them knowing about it, versus folks that manually do their upgrading.

not that those folks would have known either, but im estimating that the cadence of auto updates is more often than when folks do it by hand, and the attackers were relying on that to be the case so they could slip in on the shady shady.

mjg59, 2 months ago to random

Being less flippant about this - the xz backdoor relied on a line that was present in the tarball release, but not in the git repo. Do we have any infrastructure for validating this kind of thing? (It's expected that the tarball would contain things that aren't in git - for example, the configure script doesn't exist in git, but is expected to be in the release. The problem is that extra code was injected into the configure script after it was generated)

Foxboron, 2 months ago to security

Distributed tarballs of xz has been backdoored.

https://www.openwall.com/lists/oss-security/2024/03/29/4

#xz #security #linux