We don't need more Wayland Compositors
  • I have been really happy with sway. It does all that I want it to do.

  • Analyst firm raises alarm about EUV chipmaking tools — each consumes as much power as a small city, fabs to consume 54,000 Gigawatts by 2030
  • Is it a requirement for journalists now to not understand how the unit Watts works in relation to time?

  • luv me iron bru, 'ate black puddin, simple as
  • While I can agree with most of this map, you have absolutely no right to include South Tyrolia in this; they value their food a lot and don't lag behind the rest of Italy at all.

  • Cognitive Biases
  • What bias is it if the only entry I've read in this table is the one for confirmation bias?

  • Google Pixel battery charge limit was never coming in the first Android 15 update
  • I can already do that on LineageOS 21 (Android 14), no rooting required.

  • I started the day so optimistic
  • Debugging CI pipelines is so annoying, why is there no better way than committing a bunch of dumb changes until it works?

  • Ventoy Update
  • Honestly, I'm starting to feel uneasy about the machines that I have booted Ventoy on.

  • Traffic rule
  • This, but unironically.

  • PS/2 things
  • Does USB not use interrupts?

  • I have the weirdest aesthetic preferences
  • It's not just ugly, it's against the spec. The quiet zone is meant to be 4 "dots" wide on all sides for the code to be optimally readable.

  • Oxygen
  • Like rocket engines in space, the sun has its own oxidizer tank. Let's hope it won't run out anytime soon.

  • Release 0.13.0 · iced-rs/iced · GitHub
  • The documentation has improved a lot recently. Especially the pocket guide is a great addition.

  • The EU wants to cut funding for Free Software. Tell them why they should reconsider.
  • As far as I understand it the funds were previously part of the so-called Digital Europe programme which includes funding for a wide range of sectors in the tech industry. The €27 million for free software projects are not included in the latest proposal for renewal. I don't know why that decision was made. If the money was diverted, then probably towards investments into semiconductor fabs or some AI stuff.

  • The Map of the Berlin Tram Lines clearly shows the separation of the East and West from years gone by
  • That might have been the case at some point, but I have definitely been on a double-decker bus that's crossing tram lines in east Berlin.

  • The EU wants to cut funding for Free Software. Tell them why they should reconsider.
    fsfe.org Bring Back Free Software Funding: Give Your Feedback to the European Commission - FSFE

    The European Commission has cut important funds for Free Software. The non-transparent decision shows the need for sustainable long-term funding to allow t...

    Bring Back Free Software Funding: Give Your Feedback to the European Commission - FSFE

    linked from: https://programming.dev/post/19267200

    > In its current plan, the EU commission intends to cut €27 million in funding for Free Software. The article has a link to a questionnaire that you can fill out and express your opinion about the plan. I believe non-EU citizens can participate as well.

    0

    3
    Based on a true story
  • No, you absolutely don't need to care at all about the memory management when using Linux. This rabbit hole is really only relevant when you want to work on the Linux kernel or do some really low-level programming.

    I would say the most obscure thing that is useful to know for running Linux is drive partitioning, but modern installers give you a lot of handrails in this process.

  • Who Stops a "Bad Guy With a Gun"?
  • The really crazy thing about the graph is that there are 433 fucking datapoints!

  • Trams on da Street!
  • Why are there so many EU flags in Bosnia?

  • Some thoughts on the xz backdoor

    While the exact details of this vulnerability are still being investigated (see here if you want to catch up on the topic), I wanted to share some of the thoughts I had regarding what this incident means for the wider open source ecosystem.

    TL;DR: To summarize, these are the main points I found remarkable in this entire development:

    • A backdoor was snuck relatively openly into an open source project
    • It was done by a somewhat trusted maintainer
    • The target was not even xz itself, but rather sshd through an obscure chain of dependencies
    • Luckily, it was discovered within a few weeks before the backdoored version was widely adopted

    Obviously, there are many examples of security vulnerabilities occurring in open source software. But these are usually due to oversights or mistakes of most likely well-meaning developers that end up enabling the possibility for critical exploits. In the case of the xz backdoor however, it was obviously constructed with malicious intent and high effort towards a precise target. Does anybody know of another vulnerability ending up in a high-profile open source project that is similar in that sense?

    This was only possible because the malicious actor under the pseudonym Jia Tan had direct write access to the xz repository as a maintainer. I don't think it is too unreasonable that with enough time and effort, anyone can get maintenance access to openly developed projects like xz. That is part of the beauty of the democratic process in open source. But what this incident shows is that for projects that are as widely used as xz, even changes coming from seemingly trusted maintainers should be properly reviewed. I don't mean to say that the original maintainer Lasse Collin has any fault in this matter, or that he should have prevented it; this is too much of a burden to expect from a single person. Instead I think the large tech corporations should put more resources into vetting these kinds of open source projects that much of their infrastructure so heavily relies on (in fact, this backdoor seems to mainly target servers).

    Even just looking at the source code, the backdoor was very cleverly hidden in testing binaries for the compression algorithm. These things are always easy to say in hindsight, but I do believe that a closer review of the build system shenanigans used to install the backdoor would have at least raised some questions. There was just too much luck involved in the discovery of the backdoor with someone noticing ssh access taking 0.5 seconds longer than usual.

    This isn't really news, but this incident again shows that just like a chain is only as strong as its weakest link, a program is only as strong as its weakest dependency. The fact that the backdoor just hooks into the dynamic library loading process and completely hijacks authorization functions of ssh from inside xz is pretty scary. Maybe this will encourage developers to be more careful and sparing with adding dependencies. However, to be honest, up until recently I would have pretty blindly trusted xz to be a very safe dependency due to its popularity and relatively simple use case.

    By opening a backdoor into ssh servers, this is a very critical issue, and there was clearly a lot of time and effort put into making it seem innocuous and hard to detect. I'm very glad that it got found and patched by the time it did, but it does leave me wondering what else is out there. It would be illusory to think that such attack vectors always get found out eventually.

    11
    Gobbel2000 Gobbel2000 @programming.dev

    Same person as @Gobbel2000@feddit.de, different instance.

    Posts 3
    Comments 58