Local moth fairy loves lämp, more at 11 
@elfi@pixie.town
- Pronouns
- she/her, fae/faer
- Location
- Canada
I'm Elfi! I'm a fair folk, magical moth, greyace girl, greenhorn gamedev, in my thirties and 
, and ADHD+ASD+EDS. Disclosure: white
💕 Aine @SophicLeech
💕 Agi @AgiDine
💕 Jenny @Esme
💕 Cherry @deejvalen
Icon by @Zwiebelprinz, header from Liar Princess and the Blind Prince by NIS
Joined Feb 2020
@koko I just hope it's not fedora 41
found on a backup of my debian sid install from before I switched to fedora. it's definitely out there
@Jo if rumours of them being a state actor turn out true, being exposed like that might just mean it for them
Nasa are currently working to fix a computer error aboard Voyager 1. The probe's computer system runs at around 8000 instructions per second and has about 68kB of memory. Due to the interplanetary distances involved, even at light speed it takes 45 hours to send a signal and get a response. When asked about the unique challenges this poses, an engineer said "that's actually about average for a modern CI system".
@nilaypatel -- editor-in-chief of @theverge -- thinks there aren't girls on the fediverse 😂
boost this if you're a girl on the fediverse to scare him lmao
open for sex
@deejvalen I'll take it
I think at a baseline, we shouldn't be building critical official packages for distribution from release tarballs. A huge part of this was the tarball didn't match the repo and since we're talking a compression library, compressed archives shipped for "testing" concealed the payload.
Official builds should pull source and build/test scripts generate testing data in an auditable way rather than just trusting a tarball containing blobs.
@trysdyn Not to mention Ubuntu, Mint, et al
@trysdyn Even the fact that arch wasn't targeted doesn't mean shit--this was aimed at distributions targeting servers all the way up to the enterprise level. This would've cracked open the internet with a hammer.
Anyway the entire ops/dev world just dodged (we think/hope we dodged, anyway but are not 100% sure) the biggest supply chain attack in history that would have screwed absolutely, literally, everyone.
This needs a giant f**king industry-wide post-mortem once we're sure we're not all doomed.
"Isn't that a bit alarmist?" No!
xz is a base-system package in literally every distro I know of. It's everywhere.
Compromised releases have been out for five weeks and we didn't notice. We only noticed because someone caught openssh taking 10x as long to do DH exchanges and auth. If the attacker had been sneakier we wouldn't have noticed at all.
The compromised xz was in Fedora's testing versions and they didn't notice. You had the compromised version in Arch for a month (and arguably still do, but a combination of build method and source acquisition method likely renders it safe).
If some random guy didn't go "Why is openssh so slow?" and dig really deep into that, it would have hit stable/live distros and then what? We don't know.
@trysdyn Yeah, someone is almost certainly going to prison over this at the end. liblzma and xz are going to be extensively audited if it turns out the maintainer is responsible, and may never be considered safe considering how sophisticated the obfuscation on the injection sequence is
@yassie_j would be a pity if someone put together WALL is STOP...
Red Hat released an urgent security alert for Fedora 41 and Rawhide users:
> PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA 41 OR FEDORA RAWHIDE INSTANCES for work or personal activity.
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
> Although Fedora 40 beta contained the 5.6 version of xz in an update, the build environment prevents the injection from correctly occurring, and has not been shown to be compromised. Fedora 40 has now reverted to the 5.4.x versions of xz.
@Jo I've always wondered what an FPGA implementation of the Pico-8 would look like when put on an ASIC
These cool system clocks are now available online at https://rmcretro.store/collections/clocks
@Decimal Alright, I'm glad you have that option
@charlene @deejvalen Dwagon! Dwagon! Dwagon!
@Decimal still a damn shame. I hope the S22 still works over wifi at least
- Pronouns
- she/her, fae/faer
- Location
- Canada
I'm Elfi! I'm a fair folk, magical moth, greyace girl, greenhorn gamedev, in my thirties and , and ADHD+ASD+EDS. Disclosure: white
💕 Aine @SophicLeech
💕 Agi @AgiDine
💕 Jenny @Esme
💕 Cherry @deejvalen
Icon by @Zwiebelprinz, header from Liar Princess and the Blind Prince by NIS
Joined Feb 2020
