Show more

This just triggered a thought: the fact that a well resourced actor spent all this time on the focused on distros because they were not able to reliably hack into GNU/Linux in general, so they had to resort to this quite expensive campaign to get access again. Yes, this is speculation and yes I'm a fanboy. But there is a lot of good evidence that the free software distro model is quite good for providing secure setups. So take this news as good news 😄

Show thread

Some thoughts about attribution in the XZ backdoor, having just wasted so many hours digging into the details.

The email addresses used for a couple of years at least by the parties involved have absolutely *zero* trace in any kind data breach or database beyond Github/Gitlab, and maybe Tukaani and Debian and a few mailing lists.

Normally when I see this, the assumption is that we're dealing with a single-use or single-purpose email address that was created either for fraud or b/c someone is super paranoid about privacy.

The people in the latter camp who do this tend to have other tells that give them away, or at least *some* trace or home base in the online world. Especially if we're talking on the order of years using that address.

Either way, very few people do opsec well, and for every year you're operating under the same name, nick, number, email, etc you dramatically increase the risk of screwing up that opsec. And almost everyone does, eventually.

To see this complete lack of presence in breached databases once or twice in the course of an investigation is rare, but to find it multiple times suggests we're dealing with an operation that was set up carefully from the beginning. And that almost certainly means a group project (state-sponsored).

A popular dev culture these days is bult on always pulling in the latest library whenever possible. There can be good reasons to do that but new library code must still be reviewed. Or at least, confirm that the maintainers have been doing that, and still are. If you've even been through a code audit, it becomes crystal clear that dependencies are part of the profile. provides another layer of review. I use deps from Debian and review when updating packages, to share.

First more detailed analysis of the backdoor AFAIK, in this Bluesky thread: bsky.app/profile/did:plc:x2nsu

So the backdoor’s intention isn’t compromising SSH sessions but rather executing arbitrary code on vulnerable Linux servers. The payload is hidden within the RSA key sent to the SSH server during authentication. This payload has to be signed with some unknown Ed448 key which only the attackers possess. If the signature is deemed correct, the payload is passed to system() (executes it as a shell command). Otherwise the code falls back to the default SSH behavior.

Had this backdoor been discovered a few months later, we would now have a lot of vulnerable servers all over the world. And only the attackers would be able to detect from outside which ones are vulnerable, because only they can send a correctly signed payload that would trigger command execution.

Planting a command execution backdoor into most Linux servers out there sounds too ambitious for someone driven by monetary interests, there are simpler ways to build a botnet. The level of sophistication and long-term planning indicates a state-level actor. Unfortunately, there isn’t a shortage of candidates. With quite a few Western governments pushing for lawful interception lately, I wouldn’t rule out any country at this point.

Show thread

It is now possible to re-order the position of repositories in the list. The repo at the top has the highest priority while the repo at the bottom has the lowest priority. Only if an app is available from more than one repo, the priority matters.

For example, if NewPipe's repo was added and the user always wants to prefer apps from that repo, they can move it to the top. In older versions of F-Droid, newly added repos were implicitly granted higher priority than repos added before.

Show thread

If the app is available from more than one repository, the box in the app details screen becomes a drop-down where the user can see all repos and choose which one should be used for installation, updates and app information.

Show thread

When tapping an app, the user sees the app details screen as usual. There, a new box at the top shows the repository the app comes from.

All information on that page including the versions provided for installation are provided by that repo.

Show thread

Version 1.20 of @fdroidorg brings some pretty big changes of how repositories are handled:

• official repo is always preferred
• the repo an app comes from is prominently shown
• if an app is available from more than one repo, they can choose where to get it from
• power users can change global repo priorities

If you did not yet opt-in to beta versions of F-Droid, please manually install 1.20 and help testing before we make it available for everyone.

Show thread

Are you experienced with GTK and Rust ? :gnome: ❤️ :rust:

We are looking to contract someone to work on the new GNOME Password Manager 🔑

We want it to become a core/default app and help secure millions of users.

You'll be working with the GNOME Foundation, a non-profit dedicated to building emancipatory technologies for everyone.

Please send resume / portfolio to stf@gnome.org

Boosts welcome :boost_love:

#GTK #Rust #rustlang #GNOME #Linux #Ubuntu #Linux #Fedora #OpenSUSE #Debian

Its also kinda enlightening on how distros react to the #xz backdoor:
* #arch "lets rerelease the version from the untrusted party, we run autogen.sh ourselves now"
* #debian "lets roll back to the last version not having any changes by the untrusted party and rebuild our infra from scratch"

I know which of these I trust more as an upstream ...

@selectallfromdual Latest F-Droid Client 1.20 alpha (expand Versions to install) redesigned the repo section. Feedback is welcome.

I accidentally found a security issue while benchmarking postgres changes.

If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.

openwall.com/lists/oss-securit

Three years ago, had a similar kind of attempt as the . A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a . In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now

gitlab.com/fdroid/fdroidclient

For anybody cynically going "haha, 'given enough eyeballs, all bugs are shallow" my ass", I'm willing to argue that the reverse engineering of the #xz #backdoor actually validates this claim.

We just didn't have enough eyeballs on this particular dependency, nor is it possible to have every commit in your dependency graph investigated. But once the issue was found, the community's focus moved like the 👁️ of Sauron; few teams could have done that work (as quickly, thoroughly, or at all).

@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message mail-archive.com/xz-devel@tuka

Today, we've opened five non-compliance investigations under the Digital Markets Act.

It concerns:
🔹Alphabet’s rules on steering in Google Play
🔹Alphabet’s self-preferencing in Google Search
🔹Apple’s rules on steering in the App Store
🔹Apple's choice screen for Safari
🔹Meta’s ‘pay or consent model’

More info europa.eu/!4NF6bV

Feels a little funny to be sympathic to 's point of view in the compliance workshop when some of the advertising industry lobbyists ask questions. From what I've seen, Google is less crappy than the average ad tech company when it comes to privacy, so I really hope the DMA does not open us up to more crappy ad tech companies.

In collaboration with @fdroidorg, the @fsfe prepared a study for the Japanese Competition Authority HDMC on how Apple's plans to comply with the #DMA represent a risk for #FreeSoftware and #DeviceNeutrality.

Key recommendations: 👇
- Full and unfettered side-loading
- No distribution via DRM encryption
- No residency or credit requirements for
3rd party app stores
- No interoperability request forms
- More competition on trustworthiness

download.fsfe.org/device-neutr

#Sideloading apps and using alt stores like #Flathub is a major feature of elementary OS and a competitive edge over closed platforms that only let you install apps from a locked down store. In this release we’ve made several improvements to smooth out the experience of using alt stores based on your feedback and the latest #CrossPlatform standards.

Show thread
Show more
image/svg+xml Librem Chat image/svg+xml