mastodon.zunda.ninja is one of the many independent Mastodon servers you can use to participate in the fediverse.
Zundon is a single user instance as home of @zundan as well as a test bed for changes of the code.

#xz

stdevel<p>April was dominated above all by the <a href="https://chaos.social/tags/XZ" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>XZ</span></a> vulnerability, which we discuss alongside your feedback. There was also good news: a new Forgejo pre-release, new <a href="https://chaos.social/tags/RHEL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RHEL</span></a> and <a href="https://chaos.social/tags/AlmaLinux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AlmaLinux</span></a> betas, as well as the first developments of the <a href="https://chaos.social/tags/Redis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Redis</span></a> forks. Incus 6.0 LTS has been released, Xen costs appear to be rising, and Canonical now offers up to 12 years of support for LTS releases, starting from Ubuntu 14.04.</p><p>🎧 <a href="https://focusonlinux.podigee.io/103-newsupdate-0424-xz-und-kernel-cve-forgejo-700-rc-12-jahre-ubuntu-lts-support-incus-60-und-rhel-betas" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">focusonlinux.podigee.io/103-ne</span><span class="invisible">wsupdate-0424-xz-und-kernel-cve-forgejo-700-rc-12-jahre-ubuntu-lts-support-incus-60-und-rhel-betas</span></a></p><p><a href="https://chaos.social/tags/XZorcist" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>XZorcist</span></a> <a href="https://chaos.social/tags/FocusOnLinux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FocusOnLinux</span></a> <a href="https://chaos.social/tags/Podcast" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Podcast</span></a></p>
Dr. Todd A. Jacobs<p>I was recently asked about whether signed commits would have prevented the <a href="https://infosec.exchange/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> attack. The tl;dr is "no."</p><p>It's very important that the non <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> community understands what a <a href="https://infosec.exchange/tags/digitalsignature" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>digitalsignature</span></a> does and doesn't do. The notion that there's a <a href="https://infosec.exchange/tags/silverbullet" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>silverbullet</span></a> for every technical, social, or trust problem is part of what makes <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> so hard to implement well.</p><p><a href="https://infosec.exchange/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> signatures rely on the system clock for setting the timestamp of a signature when signing the metadata and content of a commit. The author and committer dates can both legitimately differ from the timestamp of the signature for a number of reasons, or be made exactly the same rather trivially. </p><p><a href="https://infosec.exchange/tags/Git" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Git</span></a> history is a directed acyclic graph, not a cryptographic <a href="https://infosec.exchange/tags/blockchain" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>blockchain</span></a>, so a commit is just the delta between objects in the current treeish and the parent treeish in the graph. The signed metadata includes the current parent's SHA hash, but there's nothing stopping you from moving commits around and re-signing the new commits. If you couldn't do this, then you couldn't rebase, squash, do non-fast-forward merges, or cherry-pick.</p><p>This doesn't mean you can forge someone else's signature without access to their key material, but the attack wasn't the result of forged metadata or account impersonation. Signing wouldn't prevent commits by someone with commit access to the repository; it would just show that commits associated with Jia Tan were also signed by Jia Tan's private key. That provides no useful security control here. This was <em>not</em> a Git problem.</p>
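The post above says the signed metadata includes the parent SHA and that moving a commit means re-signing it. The following added example (not code from the post or from git itself) makes that concrete: it splits a constructed commit object into the bytes a git signature covers and the signature itself, shows the parent id sits inside the signed payload, and shows that reattaching the commit under another parent changes both the payload and the object id, so the old signature cannot carry over. The commit content and the `gpgsig` value are constructed placeholders, not a real signature.

```python
"""Added example: which bytes of a git commit an OpenPGP signature covers.

Constructed sample; the gpgsig value is a placeholder string, not a real
signature, and no key material is involved."""
import hashlib
import re

# Constructed commit object. A multi-line header value continues on lines
# that begin with a single space, which is how git stores the armored block.
SAMPLE_COMMIT = "\n".join([
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    "parent " + "0" * 40,
    "author Example Dev <dev@example.invalid> 1711900000 +0000",
    "committer Example Dev <dev@example.invalid> 1711900300 +0000",
    "gpgsig -----BEGIN PGP SIGNATURE-----",
    " ",
    " PLACEHOLDERSIGNATUREDATA",
    " -----END PGP SIGNATURE-----",
    "",
    "Tweak build script",
    "",
])


def split_signed_commit(raw: str):
    """Return (payload, signature).

    The payload is the commit object with the gpgsig header and its
    continuation lines removed; that is the byte string git hands to the
    signature verifier, so tree, parent, author, committer and message are
    all covered by the signature."""
    headers, _, message = raw.partition("\n\n")
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split("\n"):
        if line.startswith("gpgsig "):
            in_sig = True
            sig_lines.append(line[len("gpgsig "):])
        elif in_sig and line.startswith(" "):
            sig_lines.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    return "\n".join(kept) + "\n\n" + message, "\n".join(sig_lines)


def header_value(payload: str, name: str):
    """Value of a single-line header (tree, parent, ...) in a payload."""
    for line in payload.split("\n\n", 1)[0].split("\n"):
        if line.startswith(name + " "):
            return line[len(name) + 1:]
    return None


def commit_id(raw: str) -> str:
    """Object id the way git computes it: SHA-1 over 'commit <len>\\0' + bytes."""
    data = raw.encode()
    return hashlib.sha1(b"commit %d\x00" % len(data) + data).hexdigest()


def reparent(raw: str, new_parent: str) -> str:
    """Reattach the commit under a different parent, as rebase or cherry-pick
    does. The result is a new object; the old signature no longer matches."""
    return re.sub(r"^parent [0-9a-f]{40}$", "parent " + new_parent,
                  raw, count=1, flags=re.M)


def old_signature_still_covers(original: str, moved: str) -> bool:
    """True only if the signed payload bytes are unchanged."""
    return split_signed_commit(original)[0] == split_signed_commit(moved)[0]
```

On a real repository the raw object comes from `git cat-file commit <id>`, and `git verify-commit` performs the same split before handing the payload to gpg. The point the example makes is the one in the post: a valid signature proves the key holder produced those exact bytes under that parent, nothing about whether the change was reviewed or benign.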
SorairoLake<p><span>I built a pure Go package that can read and write lzip, which uses the same LZMA as xz<br></span><a href="https://misskey.io/tags/lzip" rel="nofollow noopener" target="_blank">#lzip</a> <a href="https://misskey.io/tags/lzma" rel="nofollow noopener" target="_blank">#lzma</a> <a href="https://misskey.io/tags/xz" rel="nofollow noopener" target="_blank">#xz</a> <a href="https://misskey.io/tags/xzutils" rel="nofollow noopener" target="_blank">#xzutils</a> <a href="https://misskey.io/tags/go" rel="nofollow noopener" target="_blank">#go</a> <a href="https://misskey.io/tags/golang" rel="nofollow noopener" target="_blank">#golang</a><span><br></span><a href="https://github.com/sorairolake/lzip-go" rel="nofollow noopener" target="_blank">https://github.com/sorairolake/lzip-go</a></p>
John Goerzen<p>I am getting tired of reading about the <a href="https://floss.social/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://floss.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> issue as if it is all about issues within <a href="https://floss.social/tags/opensource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>opensource</span></a>. It is much bigger than that, and those takes conflate the problem with the solution.</p><p>So I wrote "The xz issue isn't about Open Source" here: <a href="https://changelog.complete.org/archives/10642-the-xz-issue-isnt-about-open-source" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">changelog.complete.org/archive</span><span class="invisible">s/10642-the-xz-issue-isnt-about-open-source</span></a></p>
Michael Downey 🧢<p>"You have to understand, we’re responsible for taxpayer money here. We can’t just make a donation to your open source project."</p><p>— a national government who relies on <a href="https://floss.social/tags/Matrix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Matrix</span></a> when being asked to support it financially</p><p>Read more about the problem and some initiatives that are responding to it:</p><p><a href="https://matrix.org/blog/2024/04/open-source-publicly-funded-service/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">matrix.org/blog/2024/04/open-s</span><span class="invisible">ource-publicly-funded-service/</span></a></p><p><a href="https://floss.social/tags/FreeSoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FreeSoftware</span></a> <a href="https://floss.social/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a> <a href="https://floss.social/tags/FOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FOSS</span></a> <a href="https://floss.social/tags/FLOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FLOSS</span></a> <a href="https://floss.social/tags/funding" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>funding</span></a> <a href="https://floss.social/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://floss.social/tags/sustainability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sustainability</span></a></p>
The Matrix.org Foundation<p>Open source infrastructure *must* be a publicly funded service, and funders need to support maintenance – not just new feature development 📣</p><p>This is on our minds this week in the wake of the <a href="https://mastodon.matrix.org/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> news, and as we continue to seek funding to support <a href="https://mastodon.matrix.org/tags/Matrix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Matrix</span></a>.</p><p>Read the latest from project lead, <span class="h-card" translate="no"><a href="https://mastodon.matrix.org/@matthew" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>matthew</span></a></span>: <a href="https://matrix.org/blog/2024/04/open-source-publicly-funded-service/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">matrix.org/blog/2024/04/open-s</span><span class="invisible">ource-publicly-funded-service/</span></a></p><p><a href="https://mastodon.matrix.org/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a> <a href="https://mastodon.matrix.org/tags/FOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FOSS</span></a> <a href="https://mastodon.matrix.org/tags/OpenStandards" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenStandards</span></a></p>
Marcel Waldvogel<p>«The holidays. All the IT departments are celebrating with their families… All the IT departments? No! One mailing list populated by indomitable open-source enthusiasts still holds out against the invaders.»</p><p>How the open-source community, over Easter and at the last minute, defused a huge, long-prepared security hole (<a href="https://waldvogel.family/tags/Backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backdoor</span></a>).</p><p><a href="https://waldvogel.family/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://waldvogel.family/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a> <a href="https://waldvogel.family/tags/OSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OSS</span></a> <a href="https://waldvogel.family/tags/FOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FOSS</span></a> <a href="https://waldvogel.family/tags/FLOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FLOSS</span></a> <br>📰 <a href="https://dnip.ch/2024/04/02/xz-open-source-ostern-welt-retten/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dnip.ch/2024/04/02/xz-open-sou</span><span class="invisible">rce-ostern-welt-retten/</span></a><br>🧵 <a href="https://waldvogel.family/@marcel/112199949979360732" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">waldvogel.family/@marcel/11219</span><span class="invisible">9949979360732</span></a></p>
Gabriele Svelto<p>In the light of the <a href="https://fosstodon.org/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> backdoor, if you're a <a href="https://fosstodon.org/tags/RustLang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RustLang</span></a> developer, I recommend you familiarize yourself with cargo vet:</p><p><a href="https://mozilla.github.io/cargo-vet/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">mozilla.github.io/cargo-vet/</span><span class="invisible"></span></a></p><p>Auditing your dependencies, or relying on external audits, adds an important layer of protection.</p><p>It's not a silver bullet against bad dependencies, as there's no such thing. However, adding more layers of protection makes attackers' lives harder, and this is one of them.</p>
Marcel Waldvogel<p>Based on their analysis of working hours, timestamps, and holidays, it seems likely "Jia Tan" worked out of Eastern Europe or Russia while doing the <a href="https://waldvogel.family/tags/xzBackdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xzBackdoor</span></a> ⬆️.</p><p>Clever analysis by Rhea Karty and Simon Henniger.<br><a href="https://waldvogel.family/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <br><a href="https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">rheaeve.substack.com/p/xz-back</span><span class="invisible">door-times-damned-times-and</span></a></p>
Jens Bannmann<p>Any experienced C developers among my followers? <a href="https://nerdculture.de/tags/BoostsWelcome" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BoostsWelcome</span></a>.</p><p>Expat, arguably the world's most popular <a href="https://nerdculture.de/tags/XML" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>XML</span></a> parser, is understaffed and without funding. As <a href="https://nerdculture.de/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> has shown, situations like this are dangerous.</p><p>Last month, maintainer Sebastian Pipping put up a plea for help at <a href="https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/libexpat/libexpat/b</span><span class="invisible">lob/R_2_6_2/expat/Changes</span></a></p><p>(I would help myself, but my C skills barely surpass "Hello, World".)</p><p>Found via <span class="h-card" translate="no"><a href="https://cosocial.ca/@timbray" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>timbray</span></a></span> - <a href="https://cosocial.ca/@timbray/112203547801373427" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">cosocial.ca/@timbray/112203547</span><span class="invisible">801373427</span></a></p><p><a href="https://nerdculture.de/tags/libexpat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>libexpat</span></a><br><a href="https://nerdculture.de/tags/SoftwareSupplyChainSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SoftwareSupplyChainSecurity</span></a> <a href="https://nerdculture.de/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a> <a href="https://nerdculture.de/tags/OpenSourceMaintainer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSourceMaintainer</span></a> <br><a href="https://nerdculture.de/tags/C" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>C</span></a></p>
Tim Bray<p>I think the <a href="https://cosocial.ca/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> incident is teaching us that our infrastructure is dangerously fragile in the face of well-organized/funded attackers. The response isn’t “try harder” or “donate to your OSS project”, it needs to be institutional, professional, and at scale. </p><p>So, here’s my proposal, called “OSQI”, aimed at starting a how-to discussion: <a href="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">tbray.org/ongoing/When/202x/20</span><span class="invisible">24/04/01/OSQI</span></a></p>
Marcel Waldvogel<p>Oh, btw: I was just made aware of a 4½ minute video that summarizes most of the events and has (what I greatly appreciate) some great real-world analogy for how the backdoor was installed and then detected. Enjoy!</p><p><a href="https://waldvogel.family/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://waldvogel.family/tags/xzBackdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xzBackdoor</span></a><br><a href="https://www.youtube.com/watch?v=bS9em7Bg0iU" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">youtube.com/watch?v=bS9em7Bg0i</span><span class="invisible">U</span></a></p>
Marcel Waldvogel<p>There is now demo code with which any application can send `systemd` notifications without all the <a href="https://waldvogel.family/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> dependencies. Thanks, <span class="h-card" translate="no"><a href="https://mastodon.social/@pid_eins" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>pid_eins</span></a></span>!<br><a href="https://mastodon.social/@pid_eins/112202687764571433" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.social/@pid_eins/1122</span><span class="invisible">02687764571433</span></a></p>
Victor Julien<p>If the <a href="https://mastodon.social/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> backdoor was a nation state attack, is it then generally the job of other nation state intel services to detect it? Track bad actors like this? If they could/did, how would they act? Couldn't imagine an agency then allowing it to enter RHEL and letting their own govt use it, or am I being naive now?</p>
federico :debian:<p><span class="h-card" translate="no"><a href="https://mastodon.social/@bagder" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bagder</span></a></span> It is difficult but the xz incident is also a success story: the backdoor was spotted before landing in stable Linux distributions.<br><a href="https://oldbytes.space/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> was probably chosen due to the presence of a corrupted xz file as part of the tests making it an ideal candidate for hiding data. In cryptography there are <a href="https://en.wikipedia.org/wiki/Nothing-up-my-sleeve_number" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">en.wikipedia.org/wiki/Nothing-</span><span class="invisible">up-my-sleeve_number</span></a> - the same principle could be used to reject mysterious blobs from codebases. Yet many "bugdoors" can be introduced by creating subtle vulnerabilities and that's difficult to spot.</p>
equi<p><a href="https://github.com/FRRouting/frr/pull/8508" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/FRRouting/frr/pull/</span><span class="invisible">8508</span></a> <a href="https://chaos.social/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a></p><p>(note how this is almost exactly 3 years old.)</p><p>I'm just gonna pin this to my profile for a bit. Not because I was somehow clever or prescient for doing it. I wasn't.</p><p>I'm pinning it because I got 👏fucking👏paid👏for👏it👏 as part of my day job, because people understood you need to put 👏money👏into👏actual👏maintenance👏.</p>
FobUpset<p><span class="h-card" translate="no"><a href="https://mastodon.social/@bagder" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bagder</span></a></span> a key thing people are missing here is that the backdoor was inserted into the <a href="https://infosec.exchange/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> tarballs and not in the public git repo.</p>
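The post above makes the point that the backdoor lived in the release tarballs rather than in the public git repository. A check that follows from that observation, written here as an added example (not code from the post or from any project): hash every regular file in a release tarball and in a checkout of the matching tag, then report files that exist only in the tarball, files whose content differs from the repository, and files the release process is documented to generate. The checkout, the tarball and the file names are all constructed in a temporary directory; in real use `repo_root` would be the tagged tree (for example from `git archive`) and `expected_generated` would come from the project's release documentation.

```python
"""Added example: compare a release tarball with the tagged source tree.

Everything is constructed in a temporary directory; in practice repo_root
would be a checkout of the release tag (e.g. from `git archive`)."""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digests(root: str) -> dict:
    """{relative path: sha256} for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                out[rel] = sha256_bytes(fh.read())
    return out


def tarball_digests(path: str, strip_components: int = 1) -> dict:
    """{relative path: sha256} for regular members, dropping the leading
    'name-version/' directory that release tarballs usually carry."""
    out = {}
    with tarfile.open(path, "r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/")[strip_components:]
            if parts:
                out["/".join(parts)] = sha256_bytes(tar.extractfile(member).read())
    return out


def compare_release(tarball: str, repo_root: str, expected_generated=()) -> dict:
    """Classify tarball contents against the checked-out tag.

    expected_generated lists paths the release process legitimately adds
    (a generated configure script, for instance); they are reported
    separately so a reviewer inspects them rather than ignoring them."""
    tar = tarball_digests(tarball)
    repo = tree_digests(repo_root)
    return {
        "only_in_tarball": sorted(p for p in tar
                                  if p not in repo and p not in expected_generated),
        "expected_generated": sorted(p for p in tar if p in expected_generated),
        "modified": sorted(p for p in tar if p in repo and tar[p] != repo[p]),
        "missing_from_tarball": sorted(p for p in repo if p not in tar),
    }


def build_sample(tmp: str):
    """Constructed fixture: a fake checkout plus a tarball that adds one
    documented generated file, one undocumented extra file, and silently
    changes one file that is in the repository."""
    repo = os.path.join(tmp, "repo")
    os.makedirs(os.path.join(repo, "src"))
    repo_files = {
        "src/main.c": b"int main(void) { return 0; }\n",
        "Makefile.am": b"bin_PROGRAMS = demo\n",
    }
    for rel, data in repo_files.items():
        with open(os.path.join(repo, rel), "wb") as fh:
            fh.write(data)
    tb = os.path.join(tmp, "demo-1.0.tar.gz")
    with tarfile.open(tb, "w:gz") as tar:
        def add(name, data):
            info = tarfile.TarInfo("demo-1.0/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add("src/main.c", repo_files["src/main.c"])
        add("Makefile.am", b"bin_PROGRAMS = demo\nEXTRA_DIST = local.m4\n")
        add("configure", b"#!/bin/sh\necho configured\n")   # documented generated file
        add("m4/local.m4", b"dnl not in the repository\n")  # undocumented extra
    return tb, repo


def run_sample() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        tb, repo = build_sample(tmp)
        return compare_release(tb, repo, expected_generated=("configure",))


if __name__ == "__main__":
    for kind, paths in run_sample().items():
        print(f"{kind}: {paths}")
```

The `only_in_tarball` and `modified` lists are where review effort goes; a clean comparison says only that the tarball matches the tree, not that the tree is trustworthy, so the check complements rather than replaces code review.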
daniel:// stenberg://<p>There simply is no established or easy way to detect backdoors done the <a href="https://mastodon.social/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> way. We give powers and trust to maintainers because that is the development model.</p><p>Anyone suggesting there is an easy fix has not understood the issues at hand.</p><p>But we are Open Source which allows everyone to dig, check, read code and investigate.</p>
Marcel Waldvogel<p>«The holidays. All the IT departments are celebrating with their families… All the IT departments? No! One mailing list populated by indomitable open-source enthusiasts still holds out against the invaders.»</p><p><a href="https://waldvogel.family/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://waldvogel.family/tags/xzbackdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xzbackdoor</span></a> <a href="https://waldvogel.family/tags/lzma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lzma</span></a> <a href="https://waldvogel.family/tags/ssh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ssh</span></a><br><a href="https://dnip.ch/2024/04/02/xz-open-source-ostern-welt-retten/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dnip.ch/2024/04/02/xz-open-sou</span><span class="invisible">rce-ostern-welt-retten/</span></a></p>
Marcel Waldvogel<p>Using good-cop/bad-cop tactics, software developers were pressured into building in subtly hidden security vulnerabilities. How can we avoid this in the future?<br>1️⃣ Simplify and reduce programs and dependencies<br>2️⃣ More appreciation and support for open-source developers<br>3️⃣ Better oversight, but without burdening the developers<br>4️⃣ More applied training</p><p>What are your ideas on this? Looking forward to your feedback!</p><p><a href="https://waldvogel.family/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://waldvogel.family/tags/lzma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lzma</span></a> <a href="https://waldvogel.family/tags/ssh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ssh</span></a> <a href="https://waldvogel.family/tags/FOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FOSS</span></a> <a href="https://waldvogel.family/tags/FLOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FLOSS</span></a> <a href="https://waldvogel.family/tags/OSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OSS</span></a><br><a href="https://marcel-waldvogel.ch/2024/04/02/wie-die-open-source-community-an-ostern-die-it-welt-rettete/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">marcel-waldvogel.ch/2024/04/02</span><span class="invisible">/wie-die-open-source-community-an-ostern-die-it-welt-rettete/</span></a></p>