I imagine if this attacker wasn’t in a rush to get the backdoor into the upcoming Debian and Fedora stable releases he would have been able to notice and correct the increased CPU usage tell and remain undetected.

I think ideas about prevention should be more concerned with the social engineering aspect of this attack. The code itself is certainly cleverly hidden, but any bad actor who gains the kind of access as Jia did could likely pull off something similar without duplicating their specific method or technique.

as long as you’re up to date on everything here: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

the only additional thing i’ve seen noted is a possibilty that they were using Arch based on investigation of the tarball that they provided to distro maintainers

if you feel comfortable mucking about in your BIOS, disabling TPM will pretty much guarantee they don’t spring 11 on you. they are really dead set on that requirement for some reason.

i also remember having the cube around the same time in OSX somehow but I forget the method

deleted by creator

Edge, unlike Internet Explorer, is not a system level dependency. There is a separately installed web view that handles that now, likely due to EU consumer protections.

Look into your shell’s tab completion abilities, the find command, and fzf. There’s also stuff like midnight commander but I find that to be a little overkill for my tastes.

So thoroughly CEO-brained he’s sabotaging his own business. He’d rather have his serfs in spitting distance than a future for his company. Truly incredible.

Once again, their adherence to the letter of the GPL is certainly up for debate, I said as much at the start.

Their violation of its intent, however, is not. They are putting up roadblocks, however trivial or insignificant you seem to believe they are, to limit your freedom in redistributing they code they are providing. Period. This controversy would not exist if they weren’t.

Those snapshots are not CentOS Stream. You are not running CentOS Stream, in the state in which it is provided, when you run a RHEL release. They arent entirely separate, but that’s exaggerating the claim and not what I’m arguing. The people who are using RHEL as provided are not able to redistribute the thing which they are using.

The people using RHEL aren’t using CentOS Stream, and they aren’t able to redistribute the actual software they are actively using. I don’t know how to state this any clearer.

… the freedom to study, change, and redistribute the software you use.

• Richard M. Stallman

They are specifically and explicitly trying to limit your freedom with regards to redistribution by making it a violation of their EULA to do so.

Whether or not they’re violating the letter of the GPL is entirely separate from whether they’re violating its intent. The former is debatable but the latter is absolutely happening here.

This argument that open source somehow needs to exploit users and blatantly skirt the intent of the GPL because profit must be taken from it is absurd.

Why is it assumed that they weren’t perfectly sustainable before and why is it the end users responsibility to bear the burden of making their business model viable if they weren’t? Being unprofitable doesn’t excuse you from following the terms of your software license.

This is tricky because I’m pretty sure lemmy is using history.pushState to change the URL and not actually navigating there in the traditional manner so you can’t really expect the script to run unless you refresh the page or paste the URL in directly.

From my experience there’s no simple way to do it. It’s something you’ll have to handle on a per-app basis as there’s no standard that is followed universally. Here’s a website with links to resources on various methods people use.

Aren’t there poison pill clauses in a lot of OSS licenses that prevent moves like this? Could they face legal repercussions?

Because it’s all about numbers and they don’t care how they get them.

Yeah reddit is full of “small” communities that are actually like thousands or tens of thousands of people. Those will be the ones most impacted by this.