• 0 Posts
  • 64 Comments
Joined 1 year ago
cake
Cake day: June 6th, 2023

help-circle


  • deadcade@lemmy.deadca.detoLinux@lemmy.mlThe CUPS Vulnerability
    link
    fedilink
    arrow-up
    9
    arrow-down
    2
    ·
    11 days ago

    As far as I’m aware, the exploit requires someone to try printing using a malicious networked printer. It is a vulnerability, yes, but it affects essentially nobody. Who tries manually printing something on a server exposed to the internet?

    Although for local network access, like in a corporation using Linux on desktops, the vulnerability is an actual risk.




  • According to Jim Starkey, the person who coined the term, “Blob don’t stand for nothin’.” However, it is often referred to as a “Binary Large OBject”, meaning a large file with content not easily readable by people.

    With an open source project, you have source code which is turned into executables/“blobs” by the compiler. As long as you trust the compiler, you can (functionally) know the content of the blobs by looking at the source code they were made from.

    In the case of Ventoy, several “blobs” are included from an unknown or vague origin. This is a great way to bundle malware, as seen with the XZ backdoor from earlier this year. As such, the original creator of the linked issue is requesting they are built/obtained at compile time, so either the content or origin of these files can easily be found.






  • Element is able to use features called “Integration Manager” and “Identity Server”. When using an Identity Server, you can choose to link name, email, and phone number to your Matrix account. When using an Integration Manager, there’s a feature to share your location with others in chat.

    As such, Vector discloses that they “collect this information”, although (except some diagnostics), this is completely optional.

    (I am not associated with Vector, just interested in Matrix)




  • Lets go through the summary and see if anything is wrong or misleading:

    Linutil is a distro-agnostic toolbox designed to simplify everyday Linux tasks. It helps you set up applications and optimize your system for specific use cases. The utility is actively developed in Rust 🦀, providing performance and reliability.

    • It is not distro agnostic. There is Arch and Fedora specific code, which are not separated into modules, but part of other scripts. Outside of the package manager, it also relies heavily on systemd.
    • Installing “Diablo II Resurrected loot filters” is not an “everyday task”. A lot of other scripts are similar, very specific, “one time use” things, not “everyday tasks”.
    • helps you set up applications, maybe, but only if you count running sudo pacman -S networkmanager as “helping”, even when it ignores existing network configuration.
    • “optimize your system for specific use cases”, it does nothing of the sort. There’s no kernel parameter tweaking, no other cpu scheduler, no IO options being changed, or anything remotely similar.
    • “The utility is actively developed in Rust” except for the ~70% that is shell scripts. (according to GitHub)
    • “Providing performance and reliability”, which is not something that’s determined by the programming language.

    So lets revise the short description, to exclude any incorrect/misleading statements:

    Linutil is a toolbox. The utility is actively developed.

    Alongside all that, the “installation instructions” include the biggest sin of all:

    curl -fsSL https://christitus.com/linux | sh

    TL;DR Never trust Chris Titus, or any “Linux YouTuber”, with your Linux machine. They do not know what the hell they’re doing.




  • Despite the downsides of F-Droid, there’s one thing they provide that other stores like Accrescent simply can’t. F-Droid provides APK builds with the exact source used for the build available. There’s a lot of trust involved, but this trust is in a single entity, rather than random developers. F-Droid has existed for a long time without adding malicious code to builds, so when they say “this source code produces this APK”, they have years of history doing exactly that to back their claim.

    A random app developer has no such trust built up. Stores like Accrescent, even if you download only FOSS apps, trust the app developer with building apps. It’s less prone to one massive takeover, but APKs built by random devs are much harder to verify and check for malicious code than the source code. If F-Droid is taken over, it should be noticed relatively quickly, but affects everyone using F-Droid. If an app on Accrescent bundles malware, only users of that app are affected, but it may go unnoticed for a much longer time.