Posts: 292 · Comments: 886 · Joined: 3 yr. ago

  • sure. first, configure sudo to be passwordless, or perhaps just to stay unlocked for longer (it's easy to find instructions for how to do that).

    then, put this in your ~/.bashrc:

    alias sudo='echo -n "are you sure? "; for i in $(seq 5); do echo -n "$((6 - $i)) "; sleep 1; done && echo && /usr/bin/sudo '

    Now "sudo" will give you a 5 second countdown (during which you can hit ctrl-c if you change your mind) before running whatever command you ask it to.
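Added example, not the commenter's alias: the same countdown written as a shell function. A function sees the arguments it is wrapping (so it can show you what is about to run), reaches the real binary without re-expanding itself, and handles Ctrl-C explicitly instead of relying on the shell aborting the whole line. `SUDO_DELAY` and `SUDO_BIN` are assumed knobs added only for illustration: `SUDO_DELAY=0` skips the wait, `SUDO_BIN=echo` prints the command instead of running it, which lets the wrapper be exercised without root.

```shell
# Countdown wrapper for sudo as a function (added example, not the thread's code).
# SUDO_DELAY (seconds, default 5) and SUDO_BIN (default /usr/bin/sudo) are
# illustration-only knobs, not real sudo settings.
sudo_countdown() {
    delay="${SUDO_DELAY:-5}"
    aborted=0
    printf 'about to run: sudo %s\nare you sure? ' "$*" >&2
    # Ctrl-C during the countdown interrupts the sleep child; the trap records
    # it so the loop can stop cleanly instead of the shell aborting mid-line.
    trap 'aborted=1' INT
    i="$delay"
    while [ "$i" -gt 0 ] && [ "$aborted" -eq 0 ]; do
        printf '%s ' "$i" >&2
        sleep 1 || true            # sleep exits non-zero when interrupted
        i=$((i - 1))
    done
    trap - INT                      # restore default Ctrl-C behaviour
    printf '\n' >&2
    if [ "$aborted" -ne 0 ]; then
        printf 'aborted, nothing run\n' >&2
        return 130                  # conventional "killed by SIGINT" status
    fi
    # "$@" passes every original argument through intact; the exit status of
    # sudo (and therefore of the wrapped command) becomes ours.
    "${SUDO_BIN:-/usr/bin/sudo}" "$@"
}

# Shadow sudo in interactive shells; `command sudo` still reaches the binary.
sudo() { sudo_countdown "$@"; }
```

Put the two functions in ~/.bashrc in place of the alias; the prompt and countdown go to stderr so that `sudo some-command | other-command` pipelines are not polluted.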

  • to answer this question: if you're on a dpkg-based system, check /var/log/dpkg.log (or /var/log/dpkg.log.2.gz to get logs from January, if your system rotates them once a month).
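Added example, not from the thread: a small helper that pulls the install/upgrade/remove events for one month out of /var/log/dpkg.log and any rotated `.gz` copies, skipping the much more numerous `status` lines. The log format assumed is the one dpkg writes (`DATE TIME action pkg:arch oldver newver`); the sample lines embedded below are constructed for the demo, not real logs.

```shell
# List dpkg package changes for a month across live and rotated logs
# (added example; usage: dpkg_changes YYYY-MM /var/log/dpkg.log /var/log/dpkg.log.*.gz).
dpkg_changes() {
    month="$1"; shift
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc "$f" ;;   # rotated copies are gzip-compressed
            *)    cat "$f" ;;
        esac
    done | awk -v m="$month" '
        # $1 date, $2 time, $3 action, $4 pkg:arch, $5 old version, $6 new version
        substr($1, 1, 7) == m && ($3 == "install" || $3 == "upgrade" || $3 == "remove") {
            printf "%s %s %s %s %s -> %s\n", $1, $2, $3, $4, $5, $6
        }' | sort
}

# Constructed sample in dpkg.log format, used only to demonstrate the filter.
SAMPLE_DPKG_LOG='2024-01-15 10:23:40 startup packages configure
2024-01-15 10:23:41 install curl:amd64 <none> 7.88.1-10+deb12u5
2024-01-15 10:23:41 status half-installed curl:amd64 7.88.1-10+deb12u5
2024-01-15 10:23:42 status installed curl:amd64 7.88.1-10+deb12u5
2024-01-20 08:00:01 upgrade libssl3:amd64 3.0.11-1~deb12u2 3.0.13-1~deb12u1
2024-02-03 12:00:00 remove nano:amd64 7.2-1 <none>'

# Run the sample through the filter for a given month (prints matching lines).
demo_dpkg_changes() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_DPKG_LOG" > "$tmp"
    dpkg_changes "$1" "$tmp"
    rm -f "$tmp"
}
```

Against a real system the `status installed` lines can also be useful (they record when configuration finished), but the three action lines are the ones that answer "what changed and from which version".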

  • Nice post, but your title is misleading: the blog post is actually titled "Supply Chain Attacks on Linux distributions - Overview" - the word "attacks" as used here is a synonym for "vulnerabilities". It is not completely clear from their title if this is going to be a post about vulnerabilities being discovered, or about them actually being exploited maliciously, but the latter is at least not strongly implied.

    This Lemmy post however is titled (currently, hopefully OP will retitle it after this comment) "Supply Chain Attack found in Fedora's Pagure and openSUSE's Open Build Service". edit: @OP thanks for changing the title!

    Adding the word "found" (and making "Attack" singular) changes the meaning: this title strongly implies that a malicious party has actually been detected performing a supply chain attack for real - which is not what this post is saying at all. (It does actually discuss some previous real-world attacks first, but it is not about finding those; the new findings in this post are vulnerabilities which were never attacked for real.)

    I recommend using the original post title (minus its "Overview" suffix) or keeping your more verbose title but changing the word "Attack" to "Vulnerabilities" to make it clearer.

    TLDR: These security researchers went looking for supply chain vulnerabilities, and found several bugs in two different systems. After responsibly disclosing them, they did these (very nice and accessible, btw - i recommend reading them) writeups about two of the bugs. The two they wrote up are similar in that they both involve going from being able to inject command line arguments, to being able to write to a file, to being able to execute arbitrary code (in a context which would allow attackers to perform supply chain attacks on any software distributed via the targeted infrastructure).
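Added illustration of the bug class the comment describes (argument injection that becomes a file write), constructed for this page; it is not the Pagure or Open Build Service code the researchers found, and the helper, file names and scenario are invented. The pattern is generic: a service passes a user-chosen name to a command-line tool as a bare argument, so a name beginning with `-` is parsed as an option. Here `sort -o` turns that into a write of attacker-influenced content to an attacker-chosen path, which is the step that becomes code execution when the path is, say, a git hook or the build account's shell rc file.

```shell
# Vulnerable: a (hypothetical) build helper sorts a user-supplied list file.
# $1 is the user-controlled file name, $2 a trusted input file.
# A name such as "-o/home/builder/.bashrc" is parsed by sort as its -o option,
# so the sorted contents of $2 are written to that path.
vulnerable_sort_list() {
    sort "$1" "$2"
}

# Hardened: reject option-like names outright, and end option parsing with --
# so that whatever gets through can only be a file name. Either measure alone
# closes this particular hole; the explicit check also covers tools that do
# not honour --.
safe_sort_list() {
    case "$1" in
        -*) printf 'refusing option-like file name: %s\n' "$1" >&2; return 1 ;;
    esac
    sort -- "$1" "$2"
}

# Reproduce the write with the vulnerable helper in a scratch directory.
# Prints the path that was created; the caller can inspect its contents.
demo_argument_injection() {
    work=$(mktemp -d)
    printf 'b\na\n' > "$work/input"           # constructed "trusted" input
    vulnerable_sort_list "-o$work/pwned" "$work/input"
    printf '%s\n' "$work/pwned"
}
```

The same shape (user string reaching `git`, `curl`, `rsync`, `tar` or any getopt-style tool as a leading argument) is what to look for when reviewing build and packaging services; the fix is always to separate options from data, not to blacklist individual option names.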

  • Fuck this project, but... their source code can be free and open source even if they distribute binaries which aren't. (Which they can do if they own the copyright, and/or if it is under a permissive non-copyleft FOSS license.)

    And if the source code is actually FOSS, and many people actually want to use it, someone else will distribute FOSS binaries without this stupid EULA. So, this BS is still much better than a non-FOSS license like FUTO's.

  • I immediately knew this was going to be from Microsoft users, and yeah... of course, it is.

    Binaries distributed under this EULA do not meet the free software definition or open source definition.

    However, unlike most attempts to dilute the concept of open source, since the EULA is explicitly scoped to binaries and says it is meant to be applied to projects with source code that is released under an OSI-approved license, I think the source code of projects using this do still meet the open source definition (as long as the code is actually under such a license). Anyone/everyone should still be free to fork any project using this, and to distribute free binaries which are not under this EULA.

    This EULA obviously cannot be applied to projects using a copyleft license, unless all contributors to it have dual-licensed their contributions to allow (at least) the entity that is distributing non-free binaries under this EULA to do so.

    I think it is extremely short-sighted to tell non-paying "consumers" of an open source project that their bug reports are not welcome. People who pay for support obviously get to heavily influence which bugs get priority, but to tell non-paying users that they shouldn't even report bugs is implicitly communicating that 2nd and 3rd party collaboration on fixing bugs is not expected or desired.

    A lot of Microsoft-oriented developers still don't understand the free software movement, and have been trying to twist it into something they can comprehend since it started four decades ago. This is the latest iteration of that; at least this time they aren't suggesting that people license their source code under non-free licenses.

  • what makes someone think it's a good idea to post a jpeg with a mixture of barely-readable and almost-readable text, here, in this community of all places, with no link to the full res version and no information about the source?

    smh my head

  • I didn’t know red hat was working for the US government. Can you tell me in what way?

    tldr: https://www.redhat.com/en/solutions/public-sector/dod

    see also: https://web.archive.org/web/20240530005438/https://www.redhat.com/en/resources/israeli-defense-forces-case-study

    Various documents in (what wikipedia now calls) the "2010s global surveillance disclosures" showed that many components of NSA (and other Five Eyes partners) infrastructure are run on RedHat Enterprise Linux.

    According to a 2008 study by the Office of the Director of National Intelligence, private contractors make up 29% of the workforce in the United States Intelligence Community and cost the equivalent of 49% of their personnel budgets. RedHat is part of that industry.

    It's often illuminating to search a company's job listings for words like "clearance". There are currently only eight listings for that query at RedHat but sometimes they have many more. Here (archive) is a current one. Here is another one archived last year.

  • I wonder how much work is entailed in transforming Fedora in to a distro that meets some definition of the word "Sovereign" 🤔

    Personally I wouldn't want to make a project like this be dependent on the whims of a US defense contractor like RedHat/IBM, especially after what happened with CentOS.

  • Because Netanyahu doesn’t want to testify at his corruption trial

    Yes, that was one reason...

    and because the United States has not stopped giving them weapons to carry out this war, regardless of what they did and/or who the US president was

    and that is another.

    But, this article buries the lede about what was probably the most compelling reason for Benjamin Netanyahu in making his decision to murder hundreds of people yesterday and today:

    Netanyahu has a deadline: his government must pass a national budget in two weeks, or face the prospect of his government collapsing, triggering new elections.

    Returning to war paved the way for Netanyahu to bring his far-right ally Itamar Ben Gvir back inside the coalition and beef up his governing majority. Ben Gvir had quit because of the January ceasefire with Hamas, and returned Tuesday with the resumption of the war.

    [...]

    The strikes could last at least another two weeks until Israel passes its national budget, giving Netanyahu a stronger position in power and more flexibility to resume a ceasefire, analysts say.

  • if you've never used ed(1) technically it's illegal for you to say "it's a UNIX system, i know this"

  • They had a Republican governor from 2003 to 2011.

    Clinton got 46.4% there in 2016, only a 1.5% lead over Trump.

    Their House of Representatives is currently split 50/50 (with Republican leadership due to this), and the DFL has a one-seat majority in the Senate.

    I wouldn't call it "incredibly blue", and certainly not "one of the bluest".

  • StartPage/StartMail is owned by an adtech company whose website boasts that they "develop & grow our suite of privacy-focused products, and deliver high-intent customers to our advertising partners" 🤔

    They have a whitepaper which actually does a good job explaining how end-to-end encryption in a web browser (as Tuta, Protonmail, and others do) can be circumvented by a malicious server:

    The malleability of the JavaScript runtime environment means that auditing the future security of a piece of JavaScript code is impossible: The server providing the JavaScript could easily place a backdoor in the code, or the code could be modified at runtime through another script. This requires users to place the same measure of trust in the server providing the JavaScript as they would need to do with server-side handling of cryptography.

    However (i am not making this up!) they hilariously use this analysis to justify having implemented server-side OpenPGP instead 🤡

  • Could anybody in short explain, what I have to understand from “it’s tagged”?

    Git is the most popular version control system, which lets developers track changes to software source code. A "tag" applies a name (or version number) to a specific point in the history.

    The commit shows that there was a longer with 3.0.0 tag before and now it's just 3.0.0

    The link goes to a commit which is tagged GIMP_3_0_0, and shows the change made in this commit. This commit happens to change the version line in a file called meson.build - this file configures Meson, which is used to build GIMP. The version is being changed from 3.0.0-RC3+git to 3.0.0. The string "RC3" in the previous version number is short for "release candidate 3", and "git" here means that there were additional changes since "release candidate 3" was released.

    What does that tell us? :D

    So far the news and downloads pages still haven't been updated, but the version being changed to 3.0.0 and this commit being tagged tells us that GIMP 3.0.0 is about to be released: official binaries and an announcement about it can be expected to appear very soon.

    The tag means no more changes will be included in 3.0.0; if some show-stopping bug were discovered now, the version number would be incremented to 3.0.1 rather than to include a fix in 3.0.0. (Technically, a tag can be updated/replaced, but by convention it is not.)
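Added example, not code from GIMP or from the thread: what "it's tagged" looks like in a throwaway repository, and the check a consumer can run on the caveat in the last paragraph (a tag can be force-moved, but a clone that already has the tag will refuse to silently follow the move). It assumes git(1) and a temporary directory; the tag name and commit messages mirror the comment and are otherwise made up.

```shell
# Tag a "release" commit, clone it, then move the tag upstream and show that
# the clone keeps the commit it originally fetched (added example).
tag_demo() {
    work=$(mktemp -d)
    up="$work/upstream"; down="$work/consumer"
    git init -q "$up"
    git -C "$up" config user.name demo
    git -C "$up" config user.email demo@example.invalid
    git -C "$up" commit -q --allow-empty -m "Release GIMP 3.0.0"
    # An annotated tag is an object of its own that names exactly one commit.
    git -C "$up" tag -a -m "GIMP 3.0.0" GIMP_3_0_0
    tagged=$(git -C "$up" rev-parse "GIMP_3_0_0^{commit}")

    # A consumer clones and receives the tag with the release commit.
    git clone -q "$up" "$down"

    # Upstream breaks convention: a fix is slipped in and the tag force-moved.
    git -C "$up" commit -q --allow-empty -m "Oops, slipped a fix into 3.0.0"
    git -C "$up" tag -f -a -m "GIMP 3.0.0 (moved)" GIMP_3_0_0 >/dev/null

    # git fetch refuses to clobber an existing tag (since git 2.20), so the
    # consumer's GIMP_3_0_0 still resolves to the commit it first fetched.
    git -C "$down" fetch -q origin 2>/dev/null || true
    local_tag=$(git -C "$down" rev-parse "GIMP_3_0_0^{commit}")
    if [ "$local_tag" = "$tagged" ]; then
        printf 'local tag unchanged: %s\n' "$tagged"
    else
        printf 'local tag CLOBBERED: %s -> %s\n' "$tagged" "$local_tag"
        return 1
    fi
}
```

For a real release the extra step is `git verify-tag GIMP_3_0_0`, which checks the maintainer's signature on the annotated tag object; the refusal to clobber only tells you the tag moved, not which of the two commits is the genuine release.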

  • The fact remains this article is titled in a very clickbaity way

    The link is to a youtube video, not an article, so apparently you resisted taking the bait... but aren't letting your lack of a click prevent you from commenting :)

  • Like one of the bluest.

    However with the Democratic–Farmer–Labor Party having a majority (by a single seat) in the Senate, this bill will obviously not pass, and if it did, obviously the governor (Tim Walz) would not sign it.

    This is just trolling by some deeply unserious politicians.

  • Programmer Humor @lemmy.ml

    Every OS Sucks - a song from circa 2001 by Three Dead Trolls in a Baggie

    World News @lemmy.ml

    Israeli air raid on Gaza City school-turned-shelter kills 10 people

    World News @lemmy.ml

    Fear grips migrant families on both sides of the California-Mexico border over Trump deportations

    World News @lemmy.ml

    Amsterdam police arrest over 100 pro-Palestine demonstrators for defying protest ban

    World News @lemmy.ml

    Germany's Scholz ready to hold confidence vote this year

    World News @lemmy.ml

    Magnitude 6.0 Earthquake Strikes Southern Cuba

    World News @lemmy.ml

    Cuba thanks international solidarity for recovery after Hurricane Rafael

    World News @lemmy.ml

    In a first, US independent turnout tops Democrats, ties Republicans, Edison Research says

    World News @lemmy.ml

    At least 46 Palestinians were killed by Israeli military strikes across the Gaza Strip on Thursday, mostly in the north where one attack hit a hospital

    World News @lemmy.ml

    Botswana president concedes election defeat, BDP loses power after 58 years

    Privacy @lemmy.ml

    "The sins of the 90s": Questioning a puzzling claim by Meredith Whittaker about mass surveillance

    Linux @lemmy.ml

    tension on kernel mailing lists continues to grow as a Linux Foundation board member finally replies with a "summary of the legal advice the kernel is operating under" re: enforcing US sanctions

    Technology @lemmy.world

    China’s infosec leads accuse Intel of NSA backdoor, cite chip security flaws

    World News @lemmy.ml

    China’s infosec leads accuse Intel of NSA backdoor, cite chip security flaws

    Technology @lemmy.ml

    China’s infosec leads accuse Intel of NSA backdoor, cite chip security flaws

    World News @lemmy.ml

    Google backed Israel’s military. Now its workers are in revolt

    Technology @lemmy.ml

    The Disappearance of an Internet Domain (about .io, and about the history of .su and .yu)

    News @lemmy.world

    Parliamentary Assembly of the Council of Europe recognises Julian Assange as a ‘political prisoner’ and warns against the chilling effect of his harsh treatment

    World News @lemmy.ml

    Parliamentary Assembly of the Council of Europe recognises Julian Assange as a ‘political prisoner’ and warns against the chilling effect of his harsh treatment

    World News @lemmy.ml

    Hundreds of parliamentarians from 73 countries say "take Cuba off the list"