![](https://lemmy.ml/pictrs/image/a146cb96-f93f-4dc6-a584-5b37adb9d7f8.png)
![](https://lemmy.world/pictrs/image/4271bdc6-5114-4749-a5a9-afbc82a99c78.png)
(probably the most downvoted post i’ve made yet on lemmy 😂)
cultural reviewer and dabbler in stylistic premonitions
(probably the most downvoted post i’ve made yet on lemmy 😂)
E: old thinkpad gang input: take the time to reapply thermal grease to the cpu at some point. It makes a huge difference.
What’s a “gang input”?
😂 it’s an input to this discussion from a member of the group of people (“gang”) who have experience with old thinkpads. and yes, if your old thinkpad (or other laptop) is overheating and crashing, reapplying the thermal paste is a good next step after cleaning the fans.
xzbot from Anthony Weems enables to patch the corrupted liblzma to change the private key used to compare it to the signed ssh certificate, so adding this to your instructions might enable me to demonstrate sshing into the VM :)
Fun :)
Btw, instead of installing individual vulnerable debs as those kali instructions I linked to earlier suggest, you could also point debootstrap at the snapshot service so that you get a complete system with everything as it would’ve been in late March and then run that in a VM… or in a container. You can find various instructions for creating containers and VMs using debootstrap (eg, this one which tells you how to run a container with systemd-nspawn
; but you could also do it with podman or docker or lxc). When the instructions tell you to run debootstrap
, you just want to specify a snapshot URL like https://snapshot.debian.org/archive/debian/20240325T212344Z/
in place of the usual Debian repository url (typically https://deb.debian.org/debian/
).
A daily ISO of Debian testing
or Ubuntu 24.04 (noble
) beta from prior to the first week of April would be easiest, but those aren’t archived anywhere that I know of. It didn’t make it in to any stable releases of any Debian-based distros.
But even when you have a vulnerable system running sshd in a vulnerable configuration, you can’t fully demo the backdoor because it requires the attacker to authenticate with their private key (which has not been revealed).
But, if you just want to run it and observe the sshd slowness that caused the backdoor to be discovered, here are instructions for installing the vulnerable liblzma deb from snapshot.debian.org.
because i thought the situation described by the post was tragicomic (as was somewhat expressed by the line from it quoted in the post title)
Mattermost isn’t e2ee, but if the server is run by someone competent and they’re allowed to see everything anyway (eg it’s all group chat, and they’re in all the groups) then e2ee isn’t as important as it would be otherwise as it is only protecting against the server being compromised (a scenario which, if you’re using web-based solutions which do have e2ee, also leads to circumvention of it).
If you’re OK with not having e2ee, I would recommend Zulip over Mattermost. Mattermost is nice too though.
edit: oops, i see you also want DMs… Mattermost and Zulip both have them, but without e2ee. 😢
I could write a book about problems with Matrix, but if you want something relatively easy and full featured with (optional, and non-forward-secret) e2ee then it is probably your best bet today.
As the image transcript in the post body explains, the image at the bottom is a scene from a well-known 1998 film (which, according to Wikipedia, was in 2014 selected for preservation in the United States National Film Registry by the Library of Congress as being “culturally, historically, or aesthetically significant”).
This meme will not make as much sense to people who have not seen the film. You can watch the referenced scene here. The context is that the main character, The Dude (played by Jeff Bridges) has recently had his private residence invaded by a group of nihilists with a pet marmot (actually portrayed by a ferret) and they have threatened to “cut off his Johnson”. In an attempt to express sympathy, The Dude’s friend Walter (played by John Goodman) points out that, in addition to the home invasion and threats, the nihilists’ exotic pet is also illegal. The Dude’s retort “what, are you a fucking park ranger now” is expressing irritation with that observation, because it is insignificant compared with the threat of the removal of his penis.
This meme attempts to draw a parallel between this humorous scene and XZ developer Lasse Collin’s observation that the XZ backdoor was also a violation of Debian’s software licensing policies.
Thank you for reading my artist’s statement.
Ok, you and @d3Xt3r@lemmy.nz are both mods of /c/linux@lemmy.ml now. Thanks!
Ok, I just stickied this post here, but I am not going to manage making a new one each week :)
I am an admin at lemmy.ml and was actually only added as a mod to this community so that my deletions would federate (because there was a bug where non-mod admin deletions weren’t federating a while ago). The other mods here are mostly inactive and most of the mod activity is by me and other admins.
Skimming your history here, you seem alright; would you like to be a mod of /c/linux@lemmy.ml ?
As of today, NixOS (like most distros) has reverted to a version slightly prior to the release with the Debian-or-Redhat-specific sshd backdoor which was inserted into xz just two months ago. However, the saboteur had hundreds of commits prior to the insertion of that backdoor, and it is very likely that some of those contain subtle intentional vulnerabilities (aka “bugdoors”) which have not yet been discovered.
As (retired) Debian developer Joey Hess explains here, the safest course is probably to switch to something based on the last version (5.3.1) released prior to Jia Tan getting push access.
Unfortunately, as explained in this debian issue, that is not entirely trivial because dependents of many recent pre-backdoor potentially-sabotaged versions require symbol(s) which are not present in older versions and also because those older versions contain at least two known vulnerabilities which were fixed during the multi-year period where the saboteur was contributing.
After reading Xz format inadequate for long-term archiving (first published eight years ago…) I’m convinced that migrating the many projects which use XZ today (including DPKG, RPM, and Linux itself) to an entirely different compression format is probably the best long-term plan. (Though we’ll always still need tools to read XZ archives for historical purposes…)
for those unfamiliar: Reflections on trusting trust by Ken Thompson
two weeks later: GitLab confirms it’s removed Suyu, a fork of Nintendo Switch emulator Yuzu
sad to see their new git hosting is behind cloudflare 😢
that was predictable
It’s a mild pain and definitely not what we were promised
I think this is precisely what the ActivityPub model of federation promised, actually 😅
+1 to ctrl-alt-fsomething (start at f1 and go up to move through the different virtual terminals). once in a while there are graphics problems which this will fix.
If you’re using GNOME Shell on X you can reload the shell (and all of its extensions) with alt-f2 and then in the “Run a command” dialog that appears type r
and hit enter. Unfortunately this doesn’t work in GNOME on Wayland.
That installs and or updates roots flatpaks
Which is what flatpak will always do unless provided with the
--user
flag.
By default it operates in system-wide mode, which is different from “root’s”.
flatpak list
and sudo flatpak list
will both show you what is installed system wide, and flatpak list --user
will show you your user’s, and sudo flatpak list --user
will show you the root user’s flatpaks installed in per-user mode (of which there are typically none).
💯 points for the name.
They should make it use the sosumi sound for something so that maybe they can get sued by Apple Inc too 😂
Poor choice of git hosts though; won’t gitlab.com
take down anything that a big company asks them to?
I somehow first read “Redhat” as “Reddit” in this sentence, and so was briefly thinking that perhaps this bad idea originated there 😂