
I think at a baseline, we shouldn't be building critical official packages for distribution from release tarballs. A huge part of this was the tarball didn't match the repo and since we're talking a compression library, compressed archives shipped for "testing" concealed the payload.

Official builds should pull source and build/test scripts generate testing data in an auditable way rather than just trusting a tarball containing blobs.

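Added example, not code from the post above: a small check in the spirit of that first point. It compares a release tarball against a source checkout (for instance a `git archive` of the tagged commit) and reports what the tarball adds or changes; the file names and contents are constructed for the demo.

```python
# Added example, not code from the original post: compare a release tarball against
# a source checkout (e.g. `git archive` of the tagged commit). Paths/data are constructed.
import hashlib, io, os, tarfile, tempfile
from typing import Dict, Set, Tuple

def hash_tree(root: str) -> Dict[str, str]:
    # Relative path -> sha256 for every regular file under the checkout.
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root).replace(os.sep, "/")] = hashlib.sha256(fh.read()).hexdigest()
    return out

def hash_tarball(path: str) -> Dict[str, str]:
    # Same map for tarball members; the leading "name-version/" directory is dropped.
    out = {}
    with tarfile.open(path, "r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name.split("/", 1)[-1]] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out

def compare(tarball: str, checkout: str) -> Tuple[Set[str], Set[str], Set[str]]:
    # (only in tarball, only in checkout, in both but with different contents)
    t, c = hash_tarball(tarball), hash_tree(checkout)
    return set(t) - set(c), set(c) - set(t), {p for p in t.keys() & c.keys() if t[p] != c[p]}

def make_demo(work: str) -> Tuple[str, str]:
    # Constructed data: a checkout, plus a tarball that alters one tracked file and adds one uncommitted file.
    checkout = os.path.join(work, "checkout")
    os.makedirs(checkout)
    for name, data in (("lzma.c", b"int decode(void) { return 0; }\n"),
                       ("configure.ac", b"AC_INIT([demo], [1.0])\n")):
        with open(os.path.join(checkout, name), "wb") as fh:
            fh.write(data)
    tarball = os.path.join(work, "demo-1.0.tar.gz")
    with tarfile.open(tarball, "w:gz") as tar:
        tar.add(os.path.join(checkout, "lzma.c"), arcname="demo-1.0/lzma.c")  # identical copy
        for name, data in (("configure.ac", b"AC_INIT([demo], [1.0])\nm4_include([extra.m4])\n"),
                           ("extra.m4", b"dnl present only in the tarball\n")):
            info = tarfile.TarInfo("demo-1.0/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return tarball, checkout

def run_demo() -> Tuple[Set[str], Set[str], Set[str]]:
    # Returns ({'extra.m4'}, set(), {'configure.ac'}) for the constructed data.
    with tempfile.TemporaryDirectory() as work:
        return compare(*make_demo(work))
```

Anything in the first or third set is material a tarball-only build would compile without anyone having reviewed it in the repository.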

@trysdyn Even the fact that arch wasn't targeted doesn't mean shit--this was aimed at distributions targeting servers all the way up to the enterprise level. This would've cracked open the internet with a hammer.

Anyway, the entire ops/dev world just dodged (we think/hope we dodged, anyway, but are not 100% sure) the biggest supply chain attack in history that would have screwed absolutely, literally, everyone.

This needs a giant f**king industry-wide post-mortem once we're sure we're not all doomed.

"Isn't that a bit alarmist?" No!

xz is a base-system package in literally every distro I know of. It's everywhere.

Compromised releases have been out for five weeks and we didn't notice. We only noticed because someone caught openssh taking 10x as long to do DH exchanges and auth. If the attacker had been sneakier we wouldn't have noticed at all.

The compromised xz was in Fedora's testing versions and they didn't notice. You had the compromised version in Arch for a month (and arguably still do, but a combination of build method and source acquisition method likely renders it safe).

If some random guy didn't go "Why is openssh so slow?" and dig really deep into that, it would have hit stable/live distros and then what? We don't know.


@trysdyn Yeah, someone is almost certainly going to prison over this at the end. liblzma and xz are going to be extensively audited if it turns out the maintainer is responsible, and may never be considered safe considering how sophisticated the obfuscation on the injection sequence is.

@Jo I've always wondered what an FPGA implementation of the Pico-8 would look like when put on an ASIC

@Decimal still a damn shame. I hope the S22 still works over wifi at least

you can fascinate a robot girl by showing her the room in your home with the checkered floor where you keep your reflective spheres

@lyncia I didn't realize they all had those names and that makes them even cuter dhglsdhgd

@Nifflas@mastodon.gamedev.place my philosophy is E=mc², let's have some fun

God I need a cute girl to sit on my lap and let me shove my tongue down her throat
