IRCv3 has extended IRC quite a bit over the past decade, fixing a lot of minor pain points if clients support the fixed versions of the protocol.
i’m lizard 🦎
IRCv3 has extended IRC quite a bit over the past decade, fixing a lot of minor pain points if clients support the fixed versions of the protocol.
Given that the UUID changed, you almost certainly made a new LUKS container, overwriting the old one. That’s bad, because the LUKS header is the only source of the actual encryption key that was used, and making a new one will overwrite both the main header as well as its backup copy immediately. Your password/keyfile/whatever is merely used to decrypt the part of the header that has the actual encryption key, and that’s gone in that case.
Unless you have access to a header backup from before that, there’s a fairly strong chance it’s irrecoverable. I’d suggest going through any archives you might have to see if you have such a backup - most of the instructions on the Gentoo wiki encourage making one, so you might have made one through the power of copying & pasting instructions. Should be a file of around 16MB.
The KeePassXC people are also volunteers and dealing with the fallout of this decision.
Some people are opposed to sudo
being a fairly complex program with an awkward to understand configuration language and a couple of methods that can fetch config from elsewhere. Fixing upstream sudo
can’t happen because those features exist and are presumably used by some subset of people, so straight up removing them is not good, but luckily doas
and sudo-rs
exist as alternatives with a somewhat stripped featureset and less footguns.
Others are opposed to the concept of SUID. Underneath all the SUID stuff lies far more complexity than is obvious at first sight. There’s a pretty decent chunk of code in glibc’s libdl that will treat all kinds of environment variables differently based on whether an executable is SUID, and when that goes wrong, it’s reported as a glibc bug (last year’s glibc CVE-2023-4911 was this). And that gets all the more weird when fancy Linux features like namespaces get involved.
Removing SUID requires an entirely different implementation and the service manager is the logical place for that. That’s not just Lennart’s idea; s6, as minimal and straight to the point as it tends to be, also implements s6-sudo{,d,c}
. It’s a bit more awkward to use but is a perfectly “Unix philosophy” style implementation of this very same idea.
SO already was. Not even harvested as much as handed to them. Periodic data dumps and a general forced commitment to open information were a big part of the reason they won out over other sites that used to compete with them. SO most likely wouldn’t have existed if Experts Exchange didn’t paywall their entire site.
As with everything else, AI companies believe their training data operates under fair use, so they will discard the CC-SA-4.0 license requirements regardless of whether this deal exists. (And if a court ever finds it’s not fair use, they are so many layers of fucked that this situation won’t even register.)
View -> User Interface, change to Tabbed or Tabbed Compact (or Notebookbar in old versions).
This is a fork of the evaluator/language implementation/daemon/builder/whatever you want to call it. The other one (Auxolotl) is a fork of Nixpkgs, the repository of build scripts and all the NixOS misc pieces.
Or put into other terms, this is a fork of APT/RPM as well as their associated builder tools, while Aux is a fork of Debian/Fedora/whatever. The Nix evaluator is a much more complex piece of software than most other package managers so it does benefit from having a dedicated team working on it.
Lemmy (and Kbin for that matter) very much do the same thing for posts. I don’t think they fetch URL previews for links in comments, but that doesn’t matter: posts and comments are both fairly likely to end up spreading to Mastodon/etc anyway, so even comments will trigger this cascade.
Direct example: If you go to mastodon.social, stick @fediverse@lemmy.world
in the search box at the topleft and click for the profile, you can end up browsing a large Mastodon server’s view of this community, and your very link has a preview. (Unfortunately, links to federated communities just result in a redirect, so you have to navigate through Mastodon’s UI.)
Looking at the implementation, it doesn’t really implement sudoers or tools like sudoedit in any way. systemd-run
has already been an existing tool for quite some time and this is really just a different CLI for it. That tool asks systemd to make a temporary new service and immediately run it. That, in turn, requires blanket yes/no approval for org.freedesktop.systemd1.manage-units
via polkit.
So with run0, you can either do everything or you can do nothing. In-betweens are just not a thing at the moment. There’s very little new backend code running as root.
run0 bash
should behave very similar to something like systemd-run --uid=0 --gid=0 --wait --same-dir --send-sighup --pty --pipe --collect bash
and the majority of those options have been available for quite a while.
The point of this is to implement some form of privilege escalation without the SUID mechanism. sudo
, pkexec
and doas
are all SUID.
Note Dark Void Zero never really got rid of their draconian, broken DRM. Still has the same old 2010-era SecuROM with half-functioning servers that may or may not permanently go offline on any random day.
I think they’ll give it a genuine shot. These stalking services pop up like weeds and every time it gets some media attention they end up with significant problems not much later. dis.cool
was the last well-known entry but there’s been more.
Test files often represent states that can’t be represented in the library proper. Things like “a tree where node A is a child of B and node B is a child of A”, “the previous instruction repeated x times” where x was never set or there was no previous instruction, or weird combinations of mutually exclusive effects. More often than not, you can’t really generate those using the library itself, as libraries tend to be written to reject those kinds of invalid states (there’s only so much you can do in C but in functional programming land, “make invalid states unrepresentable” is a straight up mantra).
Even if you did manage to do that, using the system under test to generate test data for the system under test is generally not very useful by itself; you’d need some kind of extra protections on top to make sure the actual test files continue to be identical between revisions (like hashing them). Otherwise, a major incompatibility could be easily overlooked. But that also makes it hard to make any kind of valid changes to the library at all. Worse yet, some libraries don’t implement everything needed to generate the test files: even xz is missing pieces, for example there’s an lzip decompressor but not a compressor.
There’s some arguments to be made for separating the test system from the main distribution, but the end result will likely be that nobody runs the testsuite at all. It’s difficult enough to get distros to do it in the first place.
These things are always easy to say in hindsight, but I do believe that a closer review of the build system shenanigans used to install the backdoor would have at least raised some questions.
Nobody noticed it because nobody is reviewing autotools spaghetti and especially not autotools spaghetti that only exists as shipped in a tarball. Minor differences in those files are perfectly normal as the contents of them are copied in from the shared autoconf-archive project, but every distro ships a different version of that, so what any given thing looks like will depend on the maintainer’s computer. And nearly nobody has a good understanding of what any given line in a .m4 file is going to ultimately lead to the execution of regardless, so why bother investigating any differences? The maintainer of Meson has a good take on this.
Shipping tarballs without any form of generated files and having a process to validate release tarballs against the repo would be a good step, but is much easier said than done for a variety of reasons. Same thing can be said for shipping without any form of binary files in the repo, there’s quite high value in integration tests and xz’s README for the test blobs has correctly included this paragraph for 16 years:
Many of the files have been created by hand with a hex editor, thus there is no better “source code” than the files themselves.
For any given tag, GitHub will always have an autogenerated “archive/” link, but the “release/” link is a set of maintainer-uploaded blobs. In this situation, those are the compromised ones. Any distro pulling from an “archive/” link would be unaffected, but I don’t know of any doing that.
The problem with the “archive/” links is that GitHub reserves the right to change them. They’re promising to give notice, but it’s just not a good situation. The “release/” links are only going to change if the maintainer tries something funny, so the distro’s usual mechanisms to check the hashes normally suffice.
NixOS 23.11 is indeed not affected.
They already did before this. MS-hosted Office 365 is running the vast majority of worldwide corporate email and hosts a significant amount of corporate files on business OneDrive/SharePoint. I’ll never understand why companies bought into ‘the cloud’ so easily.
You’re looking at the wrong line. NixOS pulled the compromised source tarball just like nearly every other distro, and the build ends up running the backdoor injection script.
It’s just that much like Arch, Gentoo and a lot of other distros, it doesn’t meet the gigantic list of preconditions for it to inject the sshd compromising backdoor. But if it went undetected for longer, it would have met the conditions for the “stage3”/“extension mechanism”.
Sam Jones’s FAQ is by far the best single source, links to other solid sources for more in-depth technical details and also lightly debunks a few things.
The main thing sources online disagree on are which distros are affected. That’s because it’s not a simple yes/no and some distros are taking a nuanced approach in their public communication, while others have chosen the sledgehammer in an attempt to get people to upgrade their systems but keep/kept the nuance in the back room where the audience understood not everything was known yet. Some distros are underselling how vulnerable they were, others are overselling it.
Realistically, I think vendors will be trying to push their crap using this attack as leverage. They did it with Heartbleed, Shellshock and the Log4j issue. Their software won’t/wouldn’t accomplish anything, just like it didn’t with those issues, but they’re sure as hell gonna try to make it seem like it does.
This list genuinely looks like some of the marketing they had around Win7 times. No joke.
Snap? Yep, advertised feature. Touchscreen stuff? Absolutely! Better search? Yeah, advertised (and it was true in Windows 7!). New app to make movies? They got it. I guess the Win 7 page was missing Widgets. That was a Vista feature instead…