Items tagged with: xz
A Microcosm of the interactions in Open Source projects
Originally a thread on Twitter about the xz/liblzma vulnerability; when I finished typing it, I realized I had a real-world slice of Open Source interaction that deserved more attention. (robmensching.com)
Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it's relevant now.
https://gitlab.com/fdroid/fdroidclient/-/merge_requests/889
Search improvements: Sort based on keyword matching and removed alphabetic sort (!889) · Merge requests · F-Droid / Client · GitLab
The search results are pretty unusable currently. So I've changed it to show apps in this order: App name matches keyword, summary matches keyword, description matches keyword. Also, ... (GitLab)
sudo apt purge xz-utils
[sudo] password di paolo:
Lettura elenco dei pacchetti... Fatto
Generazione albero delle dipendenze... Fatto
Lettura informazioni sullo stato... Fatto
I seguenti pacchetti sono stati installati automaticamente e non sono più richiesti:
libsensors-config libsensors5
Usare "sudo apt autoremove" per rimuoverli.
I seguenti pacchetti saranno RIMOSSI:
sysstat*
https://monodes.com/predaelli/2024/03/31/pare-mi-sia-andata-bene/
#Debian #xz
Pare mi sia andata bene (Looks like I got lucky), by Paolo Redaelli
So, Philipp Kern dropped by asking if we could do some #ReproducibleBuilds verifications of recent Debian Security updates, given, well, the whole #xz mess... and that our build infrastructure may have run compromised code at some point...
So I did a quick pass at a handful of updates and everything verified ok so far, though I skipped some of the probably more juicy targets such as chromium and firefox:
https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003321.html
Debian is reproducible enough to at least try this sort of thing!