Jonathan Corbet

Edited 5 months ago
Quote of the day (from the Fedora devel list):
We have no mechanism to flag when J. Random Packager adds "Supplements: glibc" to their random leaf node package. As a reminder, *we are a project that allows 1,601 minimally-vetted people to deliver arbitrary code executed as root on hundreds of thousands of systems*, and this mechanism allows any one of those people to cause the package they have complete control over to be automatically pulled in as a dependency on virtually every single one of those systems.
— Adam Williamson

Jonathan Corbet

Edited 5 months ago
I'm on a holiday and only happened to look at my emails and it seems to be a major mess.
— Lasse Collin

@zeruch Well, I don't know any more than anybody else (and less than many) so I'm not sure why you're asking me. It's all speculation at this point, but it would not surprise me to learn that there is indeed some agency behind this.

Jonathan Corbet

Edited 5 months ago
Also if you're on F41 and/or think you might have installed the vulnerable xz anywhere, note that the exploit has not been fully analyzed and no one really knows what it could do. I'm currently reinstalling a couple of machines from scratch and have regenerated my SSH keys.

— Richard W.M. Jones

@brauner Yup, I've been doing some digging. That patch (and the series containing it) is in linux-next now, but hasn't made it to mainline.

The last patch from Lasse Collin in mainline is from October 2021. There are reasons for people to go quiet, but one does wonder about why they returned just now.

Jonathan Corbet

Random, unordered, probably useless thoughts on today's apocalypxze...

Part of the success in getting this into Debian may be the result of there being no xz maintainer there. It is "maintained" by people whose attention is normally elsewhere doing occasional non-maintainer updates.

This code will have been running on the machines of a lot of distribution maintainers. If it has already been exploited, it could be that its real purpose has already been achieved and the real problem is now elsewhere. I sure hope somebody can figure out a way to determine if this backdoor has been used.

The multi-front nature of the attack, including multiple efforts to get the malicious code installed more widely more quickly, suggests we're not just dealing with a lone sociopath. I fear we'll never know who was really behind this, but I would sure like to.

There is surely more where this came from.

Jonathan Corbet

One of the things I have been doing to improve my language skills is reading science fiction in Italian. It's surprisingly hard to find books by Italian SF authors (even though there are many of them) rather than yet another Tolkien translation; this is especially true in Italian bookstores, sadly. Ebooks fill in nicely, though, once you discover who you're looking for.

I recently read WOHPE by Salvatore Sanfilippo. The story, which deals with fears of the AI apocalypse, was a fun read, and it was clear that the author actually had a clue about how systems like language models actually work. I definitely enjoyed it.

Meanwhile, I'm a kernel person, relatively ignorant of areas like databases. So as I was reviewing an upcoming article by another LWN author about the Redis mess, I learned a lot. One thing I picked up was that one of the creators of Redis was ... a certain Salvatore Sanfilippo (aka @antirez). Some searching establishes that it's indeed the same person; no wonder the book was as clueful as it was.

Small world...and people say hackers can't write :)

@jvoisin So I went to look at your article to see if I missed anything in my LWN piece about this work ... but the low-contrast fonts used there are such that I literally cannot read the text. I honestly don't understand why people do that.

🪦 Vernor Vinge, author of many influential hard science fiction works, died March 20 at the age of 79.

https://file770.com/vernor-vinge-1944-2024/

@kernellogger Sorry I had to work through a few other docs patches first, or I would have gotten it in sooner...

Jonathan Corbet

Once upon a time, if I enabled tethering on an Android phone, it would take the phone off the local WiFi network and route traffic over the cellular link.

Now, if the phone is on a WiFi network, tethering will route packets from the tethered device over that WiFi network.

I'm guessing that improvements in WiFi interfaces and drivers have enabled this change. But it misses an important point: if I'm tethering a device in an environment where a WiFi network exists, it is almost certainly because said WiFi network sucks and I want to circumvent it. Having the phone continue to use it silently thwarts that purpose.

It's easy enough to work around — just turn off WiFi on the phone — but for slow folks like me that only happens after wondering for a while why the performance is still bad. Does anybody know of a way to disable this behavior permanently?

@gnomon Interesting, I was not aware of that tool...

Anyway, full-text RSS has been on the list for a while; I just have to figure out how to make the authentication work. I'll try to actually get around to that...meanwhile, though, unfortunately, I don't have anything to offer you.

@robpike Along with the ability to support electrification, as others have mentioned, heat pumps can reach 3-500% efficiency — better than fossil fuels and vastly better than electric resistance heating.

@drewdevault You're talking about the practice whereby every instance immediately fetches the page when somebody posts a URL? I've wondered about the thinking behind that for a while...

@monsieuricon @vbabka Sigh, I guess nobody will need @LWN anymore...

@lcamtuf I have to say that Tom Christiansen's advice on operator precedence still is the best... https://lwn.net/Articles/382023/

@torvalds It sounds like a mechanism designed by the same people who ensured that the "I want a battery" scream happens at 3:00AM...

@coldclimate So I just tried this on my Pixel 7...it stayed cold and quiet. It seems that not all Android phones do that.

@luis_in_brief When I really want comfort food I go back to the Lensman series by EE Doc Smith...takes me right back to my childhood (where it had already been around for a while - I'm not *that* old!)

What I like to recommend to people is the Terra Ignota series by @adapalmer - a great and (mostly) hopeful look forward by somebody who is clearly far smarter than I am...one of the few things I've reread in recent years.