Debian 10 buster has moved to archive.debian.org freeing up space on our mirror network holding presently at 5,746GB across several architectures. More information on this move and other details: lists.debian.org/debian-devel-… #debian
Debian 10 buster has moved to archive.debian.org freeing up space on our mirror network holding presently at 5,746GB across several architectures. More information on this move and other details: https://lists.debian.
I have been trying to tell CTOs for years that the time to give money to the projects in the middle of their stack that they’ve never heard of is *before* a crisis happens. But human nature being what it is, that’s a very hard sell. mastodon.social/@glyph/1121809…
I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message mail-archive.com/xz-devel@tuka…
An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:
Updates the vendored version of xz to be 5.6.1. Also updates the
vendor script to support the addition of SPDX-License-Identifier
headers into some files.
I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message mail-archive.com/xz-devel@tuka…
"I never thought a sophisticated APT would backdoor *my* volunteer-maintained infrastructure that I got for free" sobs entire industry who voted for the "volunteer-maintained infrastructure that I get for free with no defense against sophisticated APTs" party
🚨 ⚠️ Emergency PSA: A critical security exploit was discovered in the xz package recently, used for compression and decompression on nearly all Linux distributions.
Rawhide users ARE impacted and should immediately STOP using Rawhide until the package update is fully rolled back. (1/3)
Red Hat Information Risk and Security and Red Hat Product Security learned that the latest versions of the “xz” tools and libraries contain malicious code that appears to be intended to allow unauthorized access.
Three more org members in the Foundation, a new beta for Fractal, and matrix-docker-ansible-deploy moving away from Redis. That, and much more happened This Week in Matrix
Provided to YouTube by OpusMám ťa rád · Karol Duchoň20 naj, Vol. 2℗ 2016 OPUS a.s.Composer: Benjamin David FindonComposer: Leslie Sebestian CharlesLyricist: ...
I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of cpu time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.
So when is native Exchange Support coming to Thunderbird - and what role does Rust play? Get the answer in this clip from our most recent office hours! 📼 🦀
Also, this video and ALL our videos going forward will have German subtitles. Ausgezeichnet! 🇩🇪
Is support for Microsoft's Exchange protocol coming to the desktop version of Thunderbird? What about K-9 Mail and Thunderbird for Android? What's the timeline? Here's your answer in a short video clip from our recent Community Office Hours session.
Is native support for Microsoft's Exchange protocol coming to the desktop version of Thunderbird? What about K-9 Mail and Thunderbird for Android? What's the...
@gumnaam Hey there! Everything is fine! Last year the financial report came out in the beginning of May, so the 2023 report should be out around the same time. Hope this helps calm any worries!
This is big: one of the xz-utils / liblzma *upstream maintainers* added malicious code to the last couple of releases. This is the person who actually publishes and signs the tarballs. If you are using liblzma 5.6.0 or 5.6.1 make sure to update your packages asap and consider reinstalling the OS or recreating the container.
I'm sure there are several lessons to learn from this, but here's the one that jumps out at me:
> openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
This tells me that insisting on minimalism at every layer isn't premature optimization, and people who do so aren't wasting their time.
Sure, business-minded folks would rather we just keep cranking out more crap on top of our already over-complicated software stacks. But perhaps simplicity is our best defense against these exploits.
“simplicity” is a real load-bearing word there though . The simplicity we need to push for is in the social trust graph, the superficial simplicity of less code doesn’t really help with this problem unless the “less code” is maintained by fewer people we have to trust.
But requiring that there be fewer people per LOC in the loop creates other problems of sustainability and brittleness
@glyph When the topic of sustainability in open source comes up, I sometimes wonder if we'd be better off if open source had just never happened, if nobody put out anything for free and we had to pay for everything. Software would develop more slowly, but maybe the smaller amount of software we had would be better maintained.
@glyph uh... you've used proprietary software, right? as bad as the problems with open source software are, I've found proprietary software to be even worse, on average
@unlambda @glyph Sure, I use both open-source and proprietary software every day. Practically, I can't say one is clearly better than the other. But one of the obvious answers to all the concerns about open-source sustainability is that we should pay more for our software, to make sure the maintainers are fairly compensated. But the availability of so much stuff free of charge sets up a strong incentive to take without paying. If nobody put out anything for free, that problem wouldn't exist.
Another one that jumps out at me is: "monocultures are bad". This affects a very large subset of Linux users: those with glibc, on x86_64, and who are running from a Debian or RPM package. So maybe it is good to have a wide diversity of operating systems and architectures. Let a million flowers bloom!
So what direct actions can we individual developers, sysadmins, and business owners (I'm co-owner of a tiny SaaS company) take, while the xz/liblzma exploit is fresh on our minds, to prevent something like this from happening again? I really want to know if there's something I should do today. If not, who *can* do something about it? I don't feel comfortable dismissing this as the sole province of those with a lot more money; that seems like too easy a way to avoid doing anything.
I think it is not entirely bad news - it was caught after all, and earlier than it could have been. I'm almost glad it happened - as with many things, it must happen first until we start doing anything, but after today this will not be as easy to repeat - everyone will be paranoid now🙂
It’s finally happening — sideloading is coming to the EU!
We’ve started the process of becoming a legitimate “app marketplace”, allowing our European friends to download @delta and other AltStore apps officially for the first time ever!
Provided to YouTube by OpusNechtiac · Pavol Hammel · Marián VargaZelená pošta℗ 1972 OPUS a.s.Lyricist: Boris FilanComposer: Marian VargaAuto-generated by You...
Venku je příjemně fajn, mít tak ten domeček na kolečkách, odjela bych pryč z města, na kraj lesa, kde je výhled do krajiny, poslouchala zpěv ptáků, bzučení včel a kochala se... 🥲 Místo toho koukám v paneláku do zdi, nad hlavou mi dupou a hádají se sousedi, otrávená realitou, svázaná systémem, nic mě nebaví a sen o svobodě se čím dál víc vzdaluje...
My jsme jezdili na vandry. Autobusem do Tatrovic, je tam krásný srub, jezero a kolem skály. Nikdo tam nechodí a krásný klid v lese. Od vás to není daleko. Teda už je to let co jsem tam byl, ale bylo tam fakt super.
Provided to YouTube by OpusSlnecnice · Pavol Hammel · Marián VargaZelená pošta℗ 1972 OPUS a.s.Lyricist: Kamil PeterajComposer: Marian VargaAuto-generated by ...
Now that we have fully offline ISOs #bluefin can ship with @thunderbird right on the dock, as intended. Looks great, and I love the ptyxis icon so much lol.
Hey ya’ll, thanks to @dogphilosopher 's heroic last minute efforts fighting with R2 we’ve got new Bluefin ISOs up! We now ship the Flatpaks on the ISO itself, allowing for a full offline installation.
One thing AltStore does that should really get you thinking about alternative payment systems that Apple never would have considered: it has Patreon integration, and can tie access to apps to your Patreon pledge — which gives you an entirely different, personal relationship with your users, and lets you use the same reward system you use for videos, blog posts, merch etc. Alternative app stores don’t just have to recreate Apple’s model. And this provides a CTF-friendly avenue (and 1M user cap)
V rámci boje o duševní zdraví jsem se rozhodl se hýbat. Dneska jsem vyměnil pláště za bezdušáky na koloběžce, sešteloval brzdy, dotáhl niple a zítra má být hezky a jdu na to. Tuhle mrchu musím porazit...
@archos musím, musím s tím něco dělat. Mám teď takové dávky prášků, že se cítím vyždímanej jak ručník. Musím unavit i tělo, ať to mozku začne dávat smysl
@archos Nejen to — uvádí se, že se přio sportu uvolňují tzv. hormony štěstí a navozují pocit pohody až euforie. Potvrzuji, jsem zničenej, ale vysmátej.
Ja jezdim obden na rotopedu snad uz pres rok, a stale to nemohu zvysit. Ale zas je fakt, ze jedu v kuse a intenzivne. Cca 12-3 km A kondice se mi uz nezvysuje. Vic to sice dam ale jsem pak uplne k.o.
Já jsem to minulý rok docela flákal, tak snad to letos bude lepší a v létě vyrazím na Klínovec. Na tradiční 100 km. Ono tělo si zvykne na vše a pak kondice neroste. Na kondici je nejlepší pomalu a delší dobu, aby člověk nebyl kaput. Třeba tepovku kolem 125. Snažit se i kadenci držet kolem 80-90. Dobré je to střídat. Intezivní a kondiční trénink 👍
Ja se snazim na tom rotopedu stridat jizdu od pomalejsi po rychlejsi a to v podstate na nizsi stupen. Je to samozrejme mnohem lepsi nez kdyz jsem zacinala, ale proste me to stve, ze se to nelepsi ten vykon. Vetsinou odchazim na nohy, byt se predem protahnu a procvicim. Nejak tak po domacku..Tepovku mam tak od 90 do 120.
@Milu Tak to jsem špatně pochopil, tepovka je takhle super. Já jsem na rotopedu doma nikdy nejel, mám teda trenažer, ale jdu na něj minimálně. Jen zima a když je vyloženě špatné počasí.
Found a whole new level of security incompetence.
Went to type in my 2FA code, but nothing appeared on screen.
They hadn't disabled pasting. Instead, they used JavaScript to ensure that only numbers could be typed in.
@jawnsy we never tried to nail that down. It is probably also hard to make the distinction many times. And perhaps eventually not a constructive exercise: we need features.
Yeah, I think you're right - how we choose to categorize issues can result in different conclusions, and it's not all that useful anyways.
We need both features and bug fixes, and any change can introduce security issues, even if they look innocuous and even if they're fixing another security issue.
I realise that it's an opinion piece and not everything is to be taken literally, but the comment on the time when phones were "plastic toys" makes me want to do a comparative destructive test of some old-style Nokia kit and whoever's newest.
Tuta Mail is the secure email service, built in Germany. Use encrypted emails on all devices with our open source email client, mobile apps & desktop clients.
If you could provide calendar widgets similar to Fossify Calendar, then there would be no need for a separated app. Also please allow synchronization with Nextcloud+Davx5.
At least on Android, I know it’s possible to have one application have multiple entries in the App Launcher, and go to a specific part of the application depending on which one is used to access the application. So with that, you can have "multiple" applications while still having just one application. Could even be made as an option.
No need an additional app for calendar. I like one app with everything inside. However it’ll be nice to open the calendar’s tab from a calendar’s notification.
Dazu bin ich zwei gespalten. Irgendwie eine gute Idee. Andererseits nutze ich schon freie Kalender genauso wie unfreie online Kalender. Ich müßte also viel Überzeugung leisten bei anderen die Tuta noch gar nicht nutzen. 🤔 Wie gesagt. Zwiegespalten.
Krčma na konci dediny, ľahko dohľadatelná, predstavujem si ako od miestnych štamgastov získavam informácie o naschvál prekopanom na čierno vykopanom odpadovom kanály z drezu od Mariky, ale, keďže všetci v okolí sú rodina a "nemajú" dôvod lebo trpia všetci, je záhada.
. The simplicity we need to push for is in the social trust graph, the superficial simplicity of less code doesn’t really help with this problem unless the “less code” is maintained by fewer people we have to trust.
This is my first time ever in a stadium. It’s where my mother in law is married today
Zem 🇪🇹 🇪🇺
in reply to Debian • • •