Interesting analysis: the xz attacker might live in Eastern Europe https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and
STUDY: “The findings suggest that E-Bikes not only serve as a crucial alternative to cars but also complement limited transit services.” Via @sciencedirect #EBikes
https://www.sciencedirect.com/science/article/abs/pii/S0966692324000437
Rust 2024 edition is about to drop! Here are some of the new features they’re adding to the standard library:
I accidentally found a security issue while benchmarking postgres changes.
If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.
Whenever you feel like saying "dude", just say "gamer".
"Gamer" is...
1) Gender neutral: Everyone can be a gamer
2) Guaranteed to piss somebody off because not everybody identifies as "gamer", but they can't give you any real flak for it because see point number one.
@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html
I’ve seen numerous people express concern that their xz installation is several versions out of date — because while it may have saved them in this specific case, doesn’t that mean they must not be running updates correctly in general?
No! It’s normal for your personal copy of an open source program to be several versions out of date. When you get an update to a commercial software package, it’s already been through months of internal testing by professionals. In volunteer-based open source, the bulk of this testing is done by simply releasing the update on their site and letting advanced users try it out. At some point, if there are no problems, it will get shuffled forward to stable update channels. Therefore it’s normal for most Linux software to be one to two years out of date compared to the absolute newest version you could possibly get.
The good news is that this backdoor was found before most distros accepted the update as stable, and therefore it was not yet installed on the majority of production servers — it’ll be mainly on testing servers. The bad news is that the malicious actor was clever enough to make sock puppet user accounts to complain about xz crashing and claim that the new update is a critical fix that needs to be rushed out the door as soon as possible. This was a close call; we were very lucky.