Tweet
Originally posted by theuserbl
View Post
-
My MS Paint statistical regression skills tell me that it will be fully compatible by January 2026 + 2 months for bugs and Christmas +- 1 monthLast edited by aerospace; 28 April 2024, 06:35 AM. -
https://github.com/scullionw/dirstat-rs is also much much faster than dir here.Originally posted by bug77 View Post
Look wise it was not my favorite, but the speed gained me.Last edited by geearf; 28 April 2024, 07:03 AM.Comment
-
I wonder if Apple will choose to update macOS with uutils (as the license of uutils is compatible with macOS).Originally posted by mirmirmir View PostComment
-
Originally posted by ZeroPointEnergy View Post
Holy modularity, Batman! You weren't kidding!
On one hand, having more small modules as opposed to fewer big ones means that any given module is likely more easily auditable, but on the other hand, the sheer number of modules makes the likelihood of an XZ Utils incident too high for my liking. Given how, well, core the coreutils are, if this gets widespread adoption, every module in that list is an XZ begging for a malicious actor to try to take over.Comment
-
Nice graph, although I think there are some typos in your x-axis.Originally posted by theuserbl View Post
My guess is that the lines will become asymptotic near the end.Comment
-
If you're not writing the code, why does it matter? Some day one package will be switched for another package with a symlink and you're probably never notice.Originally posted by wangling View PostComment
-
The likelihood of an XZ-style attack in a Cargo-based project is extremely small. Look at that URL: for every dependency there is a checksum. If you trust the upstream developers of coreutils, then unless you voluntarily do "cargo update", then - hash collisions aside - you can be certain that if you build coreutils, it will use the same exact code in the dependencies as what upstream expects. From this point of view, it's actually far more secure than the C/C++-style dependency management where it simply tells you to download library XYZ (or a distro package) but, in the best of cases, it checks its version number, not its actual contents.Originally posted by QwertyChouskie View Post
Holy modularity, Batman! You weren't kidding!
On one hand, having more small modules as opposed to fewer big ones means that any given module is likely more easily auditable, but on the other hand, the sheer number of modules makes the likelihood of an XZ Utils incident too high for my liking. Given how, well, core the coreutils are, if this gets widespread adoption, every module in that list is an XZ begging for a malicious actor to try to take over.
In fact if systemd was written in Rust and had its dependencies managed by cargo, the XZ attack wouldn't have worked (the XZ crate's checksum wouldn't match).Comment
-
For me, the big win is how much easier it is to build Rust projects across operating systems and CPU architectures.
Having uutils support Windows and available via GitHub (releases or sources) is also really convenient.
I still don't know where the gnu core utils sources are or if the sourceforge binaries for Windows are malware
Comment
-
The whole point with XZ was that "Jia Tan" built trust and got the malicious update shipped in many distros as a normal update. Checksums prevent MitM attacks, they mean nothing if you intentionally update to a new release that later turns out to be malicious. The Cargo ecosystem is absolutely vulnerable to an XZ-style attack, same as any package-based ecosystem where you might have packages maintained by a single person that doesn't get much scrutiny.Originally posted by jacob View PostComment
-
Every project should develop their own libraries for absolute everything. That will improve security for sure. Including the standard library. We can not trust into someone else standard, can we? No, we can't. Neither should we trust the compiler, who knows what that thing generates? Home baked compilers everyone. And why would we trust in the operating system? Did we develop it ourselves? Excepting Linus Torvalds, we didn't! Not Invented Here(c) is the new/old paradigm.Originally posted by QwertyChouskie View Post
Holy modularity, Batman! You weren't kidding!
On one hand, having more small modules as opposed to fewer big ones means that any given module is likely more easily auditable, but on the other hand, the sheer number of modules makes the likelihood of an XZ Utils incident too high for my liking. Given how, well, core the coreutils are, if this gets widespread adoption, every module in that list is an XZ begging for a malicious actor to try to take over.Comment
Comment