GitHub Disables The XZ Repository Following Today's Malicious Disclosure

#41
Originally posted by avis:
    Not a regular user, Andres Freund, a well-known Microsoft developer of all people, which shows how people here who continue to blame MS for having/pushing/distributing back doors in their products are far removed from reality.
    https://lwn.net/ml/oss-security/2024...3.anarazel.de/

He found it by simply using it as a user though (indirectly even); my point was that it is already out there in the wild.


#42
Originally posted by hf_139:
    xz is a good format and i am not going to move away from it just because the NSA asset RedHat tells me to. The company that runs XKeyscore and PRISM isn't the most trustworthy.

Are you denying that there is a backdoor, or what the hell is going on? It's not just Red Hat telling you not to use it, it's everyone with at least two brain cells too.


#43
Originally posted by byteabit:
    This has nothing to do with what Microsoft does on closed source Windows. And it does not matter at all for this topic.

Read the comment just below yours and tell me more about that. Phoronix forums and r/Linux are so full of crazy shit and conspiracies it's just painful to read. What's worse, these people genuinely believe large corporations are in bed with bad actors and/or agencies, and we're all fucked, and there's no security, only malware. Only Linux is "secure", of course. The Internet chock-full of compromised IoT devices and servers running Linux of course doesn't count. And this whole vulnerability is nothing to talk about. Not even the fact that the person who added this code has been a project maintainer for over two years, which sounds like damning evidence of the gaping insecurity of Open Source/the bazaar model in general.
  • Anyone can contribute, that's great! (except when it's bad actors)
  • Many eyes are scanning the code! (except when absolutely no one does)
  • Since it's open it's less likely to be buggy/insecure! (except it's not been proven)
Again, if you want to dig deep into the conversation without rabid Open Source fanaticism, you're welcome to Hacker News. There's a lot of interesting investigative work posted over there.


#44
Originally posted by avis:
    What's worse these people genuinely believe large corporations are in bed with bad actors or/and agencies and we're all fucked, and there's no security, only malware.

They absolutely are, this one is only bad because China did it.


#45
Originally posted by mSparks:
    You're going to have to explain that more, because right now you sound like a malware author complaining that GitHub deleted their shit.

Exactly the opposite. GitHub reacts as if it were the author of this malware.


#46
Originally posted by Volta:
    Exactly opposite. GitHub reacts as if it was the author of this malware.

It locked malware authors out of their account and stopped distributing malware.

It is going to need more explaining why they should do anything else, let alone why NOT distributing malware makes them untrustworthy.


#47
Originally posted by avis:
    which shows how people here who continue to blame MS for having/pushing/distributing back doors in their products are far removed from reality.

It's a fact Windows is infected by spyware. Keep trying. He was able to discover this because it slowed his benchmark. Imagine trying the same on Windows, where built-in spyware slows the OS down and you can't verify the source of packages. Proprietary should be forbidden, because it's unsafe by definition. There's no way for users to check it for backdoors, and M$ and Apple are as trustworthy as your computer knowledge.
Last edited by Volta; 30 March 2024, 06:20 AM.


#48
Originally posted by mSparks:
    it locked malware authors out of their account and stopped distributing malware.

    It is going to need more explaining why they should do anything else, let alone why NOT distributing malware makes them untrustworthy.

Good excuses. By the way, they hid everything from the public. To disable malware authors' accounts, GitHub has to disable the entire repository?


#49
Originally posted by ⲣⲂaggins:
    Disabling the repository was dumb as f*ck. The Arch PKGBUILD, for example, points to it as its upstream. So now if Arch wants to build a good package from an old commit, they can't, because upstream has disappeared.

    It's also now needlessly hard for people to analyse the paper trail of commits and discussions, since one has to find a fork or a mirror. And since such forks and mirrors inevitably exist, they're not really blocking access to anything.

    GitHub should have marked the repo read-only, and maybe reset master branch to some older commit to prevent unsuspecting people from building the pwned version, but not disabled the repository entirely. This makes me think the staff have no idea what they're doing.

Wasn't GitHub taken over by people who had no idea what they were doing a few years ago?


#50
Originally posted by mSparks:
    They absolutely are, this one is only bad because China did it.

Outstanding claims require outstanding evidence. I'm not talking about China; I'm talking, again, about Apple/Google/MS.

China is a whole different issue, because the party and businesses are intricately intertwined in the country. It's much less so in the US and other purported democracies. China almost doesn't sell software outside. On the other hand, these three companies serve the entire world and have a lot at stake.
