1200
submitted 7 months ago by possiblylinux127@lemmy.zip to c/linux@lemmy.ml
you are viewing a single comment's thread
view the rest of the comments
[-] refreeze@lemmy.world 79 points 7 months ago

I have been reading about this since the news broke and still can't fully wrap my head around how it works. What an impressive level of sophistication.

[-] rockSlayer@lemmy.world 83 points 7 months ago* (last edited 7 months ago)

And due to open source, it was still caught within a month. Nothing could ever convince me more than that how secure FOSS can be.

[-] lung@lemmy.world 94 points 7 months ago

Idk if that's the right takeaway, more like 'oh shit there's probably many of these long con contributors out there, and we just happened to catch this one because it was a little sloppy due to the 0.5s thing'

This shit got merged. Binary blobs and hex digit replacements. Into low level code that many things use. Just imagine how often there's no oversight at all

[-] rockSlayer@lemmy.world 49 points 7 months ago

Yes, and the moment this broke other project maintainers are working on finding exploits now. They read the same news we do and have those same concerns.

[-] lung@lemmy.world 21 points 7 months ago

Very generous to imagine that maintainers have so much time on their hands

[-] rockSlayer@lemmy.world 11 points 7 months ago* (last edited 7 months ago)

Bug fixes can be delayed for a security sweep. One of the quicker ways that come to mind is checking the hash between built from source and the tarball

[-] lung@lemmy.world 14 points 7 months ago

The whole point here is that the build process was infiltrated - so you'd have to remake the build system yourself to compare, and that's not a task that can be automated

[-] Corngood@lemmy.ml 18 points 7 months ago

I wonder if anyone is doing large scale searches for source releases that differ in meaningful ways from their corresponding public repos.

It's probably tough due to autotools and that sort of thing.

[-] Quill7513@slrpnk.net 28 points 7 months ago

I was literally compiling this library a few nights ago and didn't catch shit. We caught this one but I'm sure there's a bunch of "bugs" we've squashes over the years long after they were introduced that were working just as intended like this one.

The real scary thing to me is the notion this was state sponsored and how many things like this might be hanging out in proprietary software for years on end.

[-] smeenz@lemmy.nz 10 points 7 months ago

Can be, but isn't necessarily.

[-] slazer2au@lemmy.world 8 points 7 months ago

Yea, but then heartbleed was a thing for how long that no-one noticed?

The value of foss is so many people with a wide skill set can look at the same problematic code and dissect it.

this post was submitted on 01 Apr 2024
1200 points (100.0% liked)

Linux

48313 readers
674 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS