如果用緊呢個version要downgrade或者upgrade
問題係唔知呢條友/team人2年入面有幾多malicious commit係未發現到
呢單嘢如果唔係MS條友手多去troubleshoot ssh慢咗半秒
可能仲大單過當年heartbleed
知名壓縮軟件xz-utils被發現植入後門 多個Linux發行版中招
天蠍座
70 回覆
53 Like
1 Dislike
暫時發現到5.6.0同5.6.1有backdoor
如果用緊呢個version要downgrade或者upgrade
問題係唔知呢條友/team人2年入面有幾多malicious commit係未發現到
呢單嘢如果唔係MS條友手多去troubleshoot ssh慢咗半秒
可能仲大單過當年heartbleed
如果用緊呢個version要downgrade或者upgrade
問題係唔知呢條友/team人2年入面有幾多malicious commit係未發現到
呢單嘢如果唔係MS條友手多去troubleshoot ssh慢咗半秒
可能仲大單過當年heartbleed
近幾年愈嚟愈多呢啲OSS新聞
xz原來又係得返1個人main,結果俾人有機可乘
xz原來又係得返1個人main,結果俾人有機可乘
有研究話係東歐生活既東歐人,因為佢農曆新年無停到commit ,但聖誕同元旦就有放假
Mr.A點睇?
你講既只係本自係close source, 後來open source出街既scenario
呢個當然係咁,就好似Android咁
好多時公司版同community版係分開repo
但係好多open source project本身就係由志願者用業餘時間去maintain
之所以會參與,就係因為大家都係無利益關係,無人own哂個project
尤其係Linux世界,血液入面就係一班hobbyist
我唔係否認close source有佢好處,我都唔係open source死忠
不過你要了解你講緊乜,你講緊既係假open source / 原則上破壞open source community,因為如果已經有牟利公司own左個repo,其他人係無incentive去改善你啲code。每個project都有一定程度既中央集權,不過真正成功既project都需要民主/decentralized
呢個當然係咁,就好似Android咁
好多時公司版同community版係分開repo
但係好多open source project本身就係由志願者用業餘時間去maintain
之所以會參與,就係因為大家都係無利益關係,無人own哂個project
尤其係Linux世界,血液入面就係一班hobbyist
我唔係否認close source有佢好處,我都唔係open source死忠
不過你要了解你講緊乜,你講緊既係假open source / 原則上破壞open source community,因為如果已經有牟利公司own左個repo,其他人係無incentive去改善你啲code。每個project都有一定程度既中央集權,不過真正成功既project都需要民主/decentralized
我多年前手痕嘅決定令我幾個server 都冇中招
我因為某啲原因deploy 唔到systemd 嘅server ,嬲嬲地全轉用openrc 。屋企本身用Gentoo 亦冇事。
真係十分好彩,不過穩陣起見,都係downgrade 咗落5.4.1
我因為某啲原因deploy 唔到systemd 嘅server ,嬲嬲地全轉用openrc 。屋企本身用Gentoo 亦冇事。
真係十分好彩,不過穩陣起見,都係downgrade 咗落5.4.1
xz 係commit左一堆compiled blob上git, 網上有人直接review啲blob, 發現唔到compiler嘅痕跡, 應該有人直接寫machine code target sshd
根據你咁講,xz就係假open source
根據你咁講,xz就係假open source
咁講有啲錯,發現問題係因為做perf時發現有個program冇symbol , 冇symbol 通常係因為個個program 唔經你部Linux compile 而對方刻意刪走左ref table
咁就代表apt install 時個makefile插左啲唔洗compile 既code係入面
咁就代表apt install 時個makefile插左啲唔洗compile 既code係入面
大佬你估open source project等於wiki咩
你講到任何人想改就改到咁
你講到任何人想改就改到咁
最好嘅做法係學RMS分返開open source同free (as in freedom) software,而唔係咩真假open source,只要佢可以俾你睇到全部嘅code就係literally open source
maintainer係另一個問題,個作者身體唔好甚至死撚咗點算?所有non corporate project點都要有啲external maintainer嘅
maintainer係另一個問題,個作者身體唔好甚至死撚咗點算?所有non corporate project點都要有啲external maintainer嘅
basically
the OG maintainer of liblma, xz-utils etc... started the project as a hobby, a fuck ton of corporations, open source projects, every linux distro used it as a dependency. He was the only maintainer and was under a ton of pressure, he had no help maintaining, no financial help etc and was having mental health issues.
You can read the mailing list, its sad. A person there was brutally rude telling him to give the project up because he wasn't moving fast enough (which is just insanely out of touch and rude) so he passed it off to the only other person who was committing to the project, and that person slowly introduced commits that very intentionally added a backdoor.
https://www.reddit.com/r/linux/s/B9RctOtibh
慘,one man band proj ,各大公司大proj拎左黎用但無sponsor 
遙遙領先
假ac黎
成個ac只係用黎維護呢個project
成個ac只係用黎維護呢個project
disagger
ssh任入,嚴重程度係三戰/核戰level
ssh任入,嚴重程度係三戰/核戰level
好人公司會喺README.md加一句credit講返人名同license type咁多
咪臭係
究竟單一open source事件反映到嘅係更多未知嘅open source問題定係更多closed source問題冇辦法被發現
某程度上係證明咗open source可以有效咁揾出問題(咁隱蔽都俾人揾咗出嚟去唔到stable),但係另一方面就係代表可能有藏得更深嘅未揾到
後者就假定有backdoor,本身就唔洗諗
後者就假定有backdoor,本身就唔洗諗
Closed source 就backdoor 假定,open source 又可能比人潛伏,要等其他高人發現
咁其實個coding 生態只係信仰問題,除非你能力高到可以所有tools自己寫再有能自己hack返自己去揾潛在security issue
喺你未有能力睇得明所有open source project之前,一般人都只係買大細睇邊個多人用仲未有人發現問題就唯有用住先
咁其實個coding 生態只係信仰問題,除非你能力高到可以所有tools自己寫再有能自己hack返自己去揾潛在security issue
喺你未有能力睇得明所有open source project之前,一般人都只係買大細睇邊個多人用仲未有人發現問題就唯有用住先