34
Sorry for no transcript :(
No, this is kinda right. Memory leaks =/= memory safety. Memory leaks are just when you keep allocating more and more memory, and can be done in any language. If I make accidentally make a list that infinitely grows in python, that's a memory leak.
There are techniques to write code that is mostly free of leaks, which is what he is referring to.
Memory safety, on the other hand, doesn't seem to be mentioned on that page...
Debian Linux, and many other Linux distros, have extensive measures to protect their supply chain. Packages are signed and verified, by multiple developers, before being built reproducibly (I can build and verify and identical binary/package). The build system has layers, such that if only a single layer is compromised, nothing happens and nobody flinches.
Programming langauge specific package repos, have no such protections. A single developer has their key/token/account, and then they can push packages, which are often built on their own devices. There are no reproducible build to ensure the binaries are from the same source code, and no multi-party signing to ensure that multiple devs would need to be compromised in order to compromise the package.
So what happened, probably, is some developer got phished or hacked, and gave up their API key. And the package they made was popular, and frequently ran unsandboxed on devs personal devices, so when other developers downloaded the latest version of that package, they got hacked too. The attackers then used their devices to push more malicious packages to the repo, and the cycle repeats.
And that's why supply chain attacks are now a daily occurrence.
They do it though. People all of a sudden are motivated and able to enable bitlocker and secure boot and update their bios when they need it to play le funni video game.
This includes sideloaded apps.
This exactly. I have a FOSS app called VirtualXPosed installed (although I never use it anymore), which creates a "virtual android" in which apps can be installed and be manipulated in ways that would normally require root, despite me not having it on my phone.
Despite having "play protect" disabled, google still constantly sends me notifications about it being harmful.
There are exactly 3 types of phoronix commenters:
- Trolls
- People falling for the trolling
- Professionals working at intel, red hat, etc who use that site as some kind of communications board for some strange, unknown reason
https://help.kagi.com/orion/faq/faq.html#oss
We're working on it! We've started with some of our components and intend to open more in the future.
The idea that "open-source = trustworthy" only goes so far. For example, the same tech company that offers a popular open-source browser also has the largest ad/tracking network in history, with that browser playing a significant role in it. Another company with a closed-source browser (using WebKit like Orion) is on the forefront of privacy awareness and technologies in its products.
So, does anyone here remember when all chromium browsers had a secret api that sent extra data to google? Brave, Opera, and Edge got hit by this one, but I think Vivaldi dodged it. They all removed this after they found out, but still...
When it comes to things like browsers, due to the sheer complexity and difficulty to truly audit chromium, I don't really consider chromium to be "open source" in the same sense as many other apps. Legally, you can see and edit the code. But in practice, it's impossible to audit all of it, and the development is controlled by a single corporation who puts secrets in it, or removes features that harm their interests (manifest v3). Personally, I consider Minecraft Java to be closer to open source than chromium is.
To say that:
The idea that "open-source = trustworthy" only goes so far
is really just a cop-out and excuse for not being transparent with their code and what they are doing.
Stallman doesn't seem to get that pedophilia is wrong because of the hierarchy of power, and the power imbalances between older/younger people, not because of some inherent wrongness about being attracted to a prepubescent person. This is shown by how he condemns some pedophilia, but is accepting of 12+/past puberty. (I despise this logic, because it would also make gay sex and sodomy wrong, as well).
I find this deeply ironic, because his primary issue with proprietary software is the way that it gives developers levels of power over users. From his article Why Open Source Misses the Point
But software can be said to serve its users only if it respects their freedom. What if the software is designed to put chains on its users? Then powerfulness means the chains are more constricting, and reliability that they are harder to remove.
You would expect someone who is so in tune with the hierarchies that appear with software developers, publishers, and users, to also see those same hierarchies echoed in relationships between people of vastly different ages, but instead, we get this. I'm extremely disappointed.
These failures to understand hierarchy and power, are exactly why Stallman shouldn't be in a position of power. Leaders should continually prove that they understand hierarchy and the effects of their actions on those below them. Someone who doesn't understand how their power could affect another, shouldn't be a leader.
https://forgejo.org/compare-to-gitea/
I dunno, some of these are a pretty big deal, in particular:
Gitea repeatedly makes choices that leave Gitea admins exposed to known vulnerabilities during extended periods of time. For instance Gitea spent resources to undergo a SOC2 security audit for its SaaS offering while critical vulnerabilities demanded a new release. Advance notice of security releases is for customers only.
Gitea is developed on github, whereas forgejo is developed on and by codeberg, who use it as their main forge (also mentioned on that page). Someone dogfooding gives me more confidence in the software.
moonpiedumplings
joined 2 years ago
The reality is that security is not just technical implementation, but also actually getting people to use the solutions. "Stop disabling SELinux" is not a real answer to when people disable it, like we have one person in this thread.
Another problem with complex security solutions is they are hard to get right. Even if you enable them and configure them, without being an expert, it's possible you left a gap here or there, and holes and gaps in these solutions.*
There is a good, but bit dated writeup here about the problems with Linux security, from an architecturual perspective: https://madaidans-insecurities.github.io/linux.html . But, the short version is that the Linux kernel is large and complex, and has a lot of attack surface. And it's a frequent source of vulnerabilities because attackers can hit it as long as they access to the kernel, even if they are in a container/sandbox. Like, copyfail and dirtyfrag would punch through containers, but also punch through SELinux.
For example, just earlier on lemmy someone dropped a zero day that punches through SELinux: https://programming.dev/post/51103657
Now, SELinux can be used to restrict what a root shell could do after escalating... but that's further complexity you have to learn to configure, and configure it correctly as well.
Ultimately, none of the Linux security solutions come anywhere near the isolation of simply running something in a virtual machine. Which, also happens to be a lot simpler and actually possible to get people to use.
*(putting this at the bottom because it veers off topic) I have a greater argument and problem with mentalities like this. I have noticed a pattern, where many of the more effortfull and toil intensive security solutions are recommended by people who have the time, energy, and skills to execute them. They have a bias/blindspot to the realities, which is that not everyone is in the same situation as them.
For example, updating/patching software. Linux distros like RHEL or Debian, have a policy where they only do security updates, and don't do feature updates or bugfixes. This enables them to ship automatic updates, so that security issues are automatically handled.
On the other hand software like Windows, likes to bundle in breaking changes along with security updates. So automatic updates get disabled because "They might break something". And then, people don't update them, and environments get horrifically out of date, because not enough money/time/people is put into regular IT people who are in charge of maintaining them.
But some environments, have heroes, people who go around patching everything and keeping everything up to date and secure. And when they see these environments that don't have everything patched, they usually give the advice of "You should patch everything" (while simultaneously advising against auto updates), not understanding that these environments are lacking a key ingredient: Themselves.
Sure, I could be a hero. I could "patch" everything manually. I could deploy SELinux. But that would only last until I get burnt out, or leave. Once I'm gone, SELinux, the patches, any similar security solutions are gone. I've met so many people, even in cybersecurity, that are apathetic about security, even though they might have cared once upon a time.