Dave Anderson

How to tell your OSS is ridiculously popular: people aren't 100% sure they _didn't_ embed it, and tack on the software equivalent of "packaged in a facility where peanuts were also present" to the license list.

This watch contains software, so statistically probably contains at least traces of curl.

stevenray

@danderson @mralex hilarious. I’ll have to see if my Garmin has the same thing.

Elric

@danderson (to the tune of Sex Bomb) SBOM, SBOM, where's that SBOM ... You can give it to me so I know what's going on.

Dave Anderson

Yesterday I ended up taking a random walk through "the Rust memory model is more what you'd call 'guidelines' than actual rules".

Today I took a wrong turn and ended up on the LKML, where I learned that the kernel has its own unique memory model, but also now contains Rust code which follows the Rust memory model (whatever that turns out to be), and also it's necessary to be able to exchange data back and forth between memory models.

Some days, I'm just amazed that computers sometimes work.

Dave Anderson

No diss on anyone involved, to be clear. The kernel has reasons for its own memory model, Rust obviously has _some_ memory model even with edge cases (and in some places delegates to C++20, which I'm assuming is partly a consequence of going through LLVM and inheriting a lot of stuff from C++). People are doing hard and productive work to get all these things nailed down and be confident in how computers work.

It's just... could computers work by themselves every now and then please

Dave Anderson

As the xz thinkpieces start showing up about What Should Be Done, a couple of questions I'd encourage you to keep in mind while reading them:
- Is this advocating security nihilism and giving up because stopping 100% of badness is impossible?
- Is this pushing a random hobby horse like "sign your commits" that wouldn't have helped this incident in any way?
- Is this equating employment/nationality/notoriety with trustworthiness?
- Is this pushing a technical solution to a social problem?

Dave Anderson

I suppose this post also counts as a thinkpiece about the incident, arguably. Feel free to derive your own critical thinking rule of thumb from it, I guess :)

Brendan Molloy :ferris:

@danderson arguably the badness was stopped because professionals noticed something fishy and found the root cause. If anything, to my mind, the system (if it can be called one) is actually working quite well given the fallibility of humans and the systems we create.

Matt Campbell

@danderson It seems to me that dismissing all technical solutions because the problem is social is itself a form of giving up because stopping 100% of badness is impossible. If the option of hijacking crypto code in the sshd process through an obscure dynamic linking feature and an underfunded library hadn't been an option, for example, would the attacker have gotten nearly as far as they did?

Dave Anderson

The poor original maintainer of xz is on it now, and has already found another "fun" thing: git.tukaani.org/?p=xz.git;a=co . The configure check for enabling the Landlock sandboxing facility was subtly broken, so that Landlock support would never get enabled. The original malicious commit landed around the same timeframe as the main backdoor, also at an abnormal time of day compared to the new maintainer's historical activity pattern.
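
The failure mode above is a feature probe that can never succeed, so the build quietly ships without the hardening it was configured to use. The script below is an added illustration for this thread, not code from xz or from anyone posting here: it reads a simplified, constructed config.log-style transcript (the line layout and the feature names are assumptions, not the real xz log) and separates probes that failed because the feature is genuinely absent from probes whose test program itself fails to compile, which is the case a reviewer should look at twice.

```python
"""Audit autoconf-style feature probes whose silent failure disables a hardening feature.

Added example; the log format below is a simplified, constructed imitation of
config.log and the feature names are illustrative assumptions.
"""
import re
from typing import Dict, List

CHECK_RE = re.compile(r"^configure:\d+: checking for (?P<feature>\S+)")
RESULT_RE = re.compile(r"^configure:\d+: result: (?P<result>yes|no)")
ERROR_RE = re.compile(r"error: (?P<msg>.*)$")

# Compiler diagnostics that mean "this system really lacks the feature".
EXPECTED_ABSENCE = (
    "No such file or directory",
    "undefined reference",
    "implicit declaration",
    "undeclared",
)

ENABLED = "enabled"
ABSENT = "disabled: feature absent on this system"
SUSPICIOUS = "suspicious: probe program itself fails to compile"
UNKNOWN = "disabled: no diagnostic recorded"

# Constructed sample log: three probes, one of which can never pass because
# the test program has a syntax error rather than a missing header.
SAMPLE_CONFIG_LOG = """\
configure:5120: checking for linux/landlock.h
configure:5120: cc -c conftest.c
conftest.c:31:9: error: expected ';' before 'return'
configure:5120: $? = 1
configure:5120: result: no
configure:5210: checking for sys/capsicum.h
configure:5210: cc -c conftest.c
conftest.c:30:10: fatal error: sys/capsicum.h: No such file or directory
configure:5210: $? = 1
configure:5210: result: no
configure:5300: checking for linux/seccomp.h
configure:5300: cc -c conftest.c
configure:5300: $? = 0
configure:5300: result: yes
"""


def classify_probe(result: str, errors: List[str]) -> str:
    """Decide why a probe ended the way it did from its compiler diagnostics."""
    if result == "yes":
        return ENABLED
    if not errors:
        return UNKNOWN
    # Every diagnostic points at a missing header/symbol: the feature is absent.
    if all(any(marker in err for marker in EXPECTED_ABSENCE) for err in errors):
        return ABSENT
    # Anything else (syntax errors, type errors) means the probe is broken,
    # and would fail on every system regardless of what it is checking for.
    return SUSPICIOUS


def audit_config_log(log_text: str) -> Dict[str, str]:
    """Map each probed feature to a verdict, walking the log as a small state machine."""
    verdicts: Dict[str, str] = {}
    feature = None
    errors: List[str] = []
    for line in log_text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            feature, errors = m.group("feature"), []
            continue
        if feature is None:
            continue
        m = ERROR_RE.search(line)
        if m:
            errors.append(m.group("msg"))
            continue
        m = RESULT_RE.match(line)
        if m:
            verdicts[feature] = classify_probe(m.group("result"), errors)
            feature, errors = None, []
    return verdicts


def failed_hardening(verdicts: Dict[str, str], required: List[str]) -> Dict[str, str]:
    """Return the required hardening features that did not end up enabled, with the reason."""
    return {
        feat: verdicts.get(feat, "not probed at all")
        for feat in required
        if verdicts.get(feat) != ENABLED
    }


if __name__ == "__main__":
    report = audit_config_log(SAMPLE_CONFIG_LOG)
    for feat, verdict in report.items():
        print(f"{feat}: {verdict}")
    print(failed_hardening(report, ["linux/landlock.h", "linux/seccomp.h"]))
```

The useful habit this encodes is to treat "result: no" for a sandboxing feature as something to explain, not something to accept: a missing header on the build host is a normal reason, a probe that fails with a syntax error is not, and a CI job can fail the build on the second kind.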

David Andersen

@danderson that one is deliciously clever. I didn't see it when I looked at the diff despite having been primed to look for something evil.

Samantaz Fox

@danderson That one is tricky!

I'm so sorry for Lasse, who now has double the amount of work, to review again every line of code added by the malicious actor.

Matt Campbell

@danderson I want to support the original maintainer or show my appreciation if I can. But I feel like sending an email just to say thanks or ask how to help would just add to the stress; there must be a ton of emails coming in already.
