Elfififififififi... @elfi@pixie.town

Nasa are currently working to fix a computer error aboard Voyager 1. The probe's computer system runs at around 8000 instructions per second and has about 68kB of memory. Due to the interplanetary distances involved, even at light speed it takes 45 hours to send a signal and get a response. When asked about the unique challenges this poses, an engineer said "that's actually about average for a modern CI system".

@nilaypatel -- editor-in-chief of @theverge -- thinks there aren't girls on the fediverse 😂

boost this if you're a girl on the fediverse to scare him lmao

I think at a baseline, we shouldn't be building critical official packages for distribution from release tarballs. A huge part of this was the tarball didn't match the repo and since we're talking a compression library, compressed archives shipped for "testing" concealed the payload.

Official builds should pull source and build/test scripts generate testing data in an auditable way rather than just trusting a tarball containing blobs.

Anyway the entire ops/dev world just dodged (we think/hope we dodged, anyway but are not 100% sure) the biggest supply chain attack in history that would have screwed absolutely, literally, everyone.

This needs a giant f**king industry-wide post-mortem once we're sure we're not all doomed.

"Isn't that a bit alarmist?" No!

xz is a base-system package in literally every distro I know of. It's everywhere.

Compromised releases have been out for five weeks and we didn't notice. We only noticed because someone caught openssh taking 10x as long to do DH exchanges and auth. If the attacker had been sneakier we wouldn't have noticed at all.

The compromised xz was in Fedora's testing versions and they didn't notice. You had the compromised version in Arch for a month (and arguably still do, but a combination of build method and source acquisition method likely renders it safe).

If some random guy didn't go "Why is openssh so slow?" and dig really deep into that, it would have hit stable/live distros and then what? We don't know.

Red Hat released an urgent security alert for Fedora 41 and Rawhide users:

> PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA 41 OR FEDORA RAWHIDE INSTANCES for work or personal activity.

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

> Although Fedora 40 beta contained the 5.6 version of xz in an update, the build environment prevents the injection from correctly occurring, and has not been shown to be compromised. Fedora 40 has now reverted to the 5.4.x versions of xz.

#RedHat #Fedora #FedoraRawhide #Fedora41

These cool system clocks are now available online at https://rmcretro.store/collections/clocks

the middle schooler: then I installed linux on my [school] chromebook

me: um are you allowed to do that?

middle schooler: I asked our tech teacher and he doesn't know what linux is so I decided yes

It's the Trans Week of Visibility, and today I'm hostin' cozy chat games for a cause!

Come chat, chill, have some fun, and support TransLifeline: stream's up in 1hr!

#charitystream #vtuber

Another #PixelArt daily done! :) Treetop traverse.

You can grab the full-quality versions (for free) here: https://ko-fi.com/i/IG2G1W4Q3T

ENJOY!

you can tell i was a lil too focused on the background haha <3

this icon/headshot commission is for the same commissioner (hazelenglish on discord) as my previous post! not so scary now...

smooches <3

rubberduck debugging :3 piece for @fl4nn