Debian unstable/sid (the rolling branch) was affected. Debian is not special.

Debian stable, Red Hat, and Ubuntu LTS were not affected. They also happen to be popular on servers, because of things like this.

This specific attack was discovered early,

Debian only updates packages on a new distro release, every 4 years. Red Hat does so every 13 years. There is a huge difference between a 6+ year window to detect packages, and a less than a week’s notice because you are keeping up with the latest from upstream.

The stable distro model is broken.

I will address this one at the end, since it’s a longer point.

Distro developers are not better than upstreams at judging upstream code. Many non-security tagged bugs can become security ones.

Okay. And? We are talking about supply chain security here.

There is a huge difference between vetting packages once every 6 years, and the continuous, ongoing, toilsome process that you are made to in order to maintain systems like cargo’s build system.

despite actually shipping the compromised xz version? It’s Arch. Why? Because they didn’t patch systemd with xz support thinking they can outsmart an upstream.

The XZ utils backdoor could have easily effected any distro that uses xz for any form of root/system level service. The backdoor makers decision to not do this doesn’t actually make Arch or other distros that did this more secure. Debian stable did not receive vulnerable code in the first place. Big difference.

Distros pull from upstreams anyway (code has to exist somewhere), crates.io included.

This is because rust and crates makes it impossible to do any form of dynamic linking. Which is why some people have gripes with rust and avoid it.

But for C, Java, and other languages, it is possible for distros to ship and manage libraries, which has the benefit that the various libraries can have their security issues fixed automatically.

What makes you think JAVA or its ecosystem(s)

The Java ecosystem, and it’s various language specific package managers have lots of problems. But I am specifically talking about the Java ecosystem available from stable Linux distros, like Red Hat or Debian.

So. Why would I want a stable distro? Why would I want “old” packages? The reason is very simple: The absolute guarantee of compatibility between the security updates, of the programs themselves, and dynamically linked libraries.

If I make, say, a Java program, and tie it to Java packages available from the stable distro, when programs in that

The model of vendoring dependencies, breaks this. With Cargo (or uv or etc), the programs move very fast, and updates break things. In order to prevent their program from breaking, developers pin packages. And then, they don’t update them. This results in them shipping code with CVE’s to their users, even though the CVE has already been fixed in an upstream version.

I like to run cargo-audit, or the go equivalents on the open source projects I look at, and I almost always find vulnerabilities of varying degrees of criticallity. Here is cargo-audit ran against radicle-tui: https://gist.github.com/moonpiedumplings/7e71121b76c58ecaba4176be9bb827c4

With a mere 5 months of not being touched, there are now present CVE’s that are critical on the scoring system (radicles top repo had none yippee! and their second to top repo had a few mediums). It irritates me to see them in software that interacts with networked systems.

I only very rarely find programs that are empty of CVE’s. Usually only the most well resourced, active projects are able to keep their audit clean. It’s a lot of work —

Work that a stable distro automates. With a stable Linux distribution like Debian, I can be confident that if I make a program tied to libraries or programs that the distro provides, this stuff will automatically be patched and handled for me.

Look, you don’t have to use a stable distro on your own personal Linux desktop. I use Arch on my laptop. But for servers, not using pinned dependencies, and instead linking against libraries provided by distros means saving thousands of hours of toil doing basic cleanup of updating libraries and figuring out what the newer version of libraries broke. With a stable distro, you just do that once every six years.

One downside is that the cached file is not independently archived so it could be tampered with. Thanks for the idea.

You could have multiple researchers archive it and store copies independently. Then tampering would show up accross copies.

Unfortunately, central hosting doesn’t guarantee that it is tamper free. The host could be hacked, or could be malicious. Archive.is was caught tampering with their archived pages:

https://en.wikipedia.org/wiki/Wikipedia:Archive.today_guidance

Check out Zotero: https://www.zotero.org/

Zotero is an open source bibliography manager. It’s my main go to tool for generating works cited pages, like during essays.

But, it also has a browser extension, which can download, and archive sites or academic articles you are adding to the sources. I would then use the fulltext search that zotero provides for easy searching of sources.

Unfortunately, it’s not hosted, which would make it difficult to share.

EDIT: It does look like the server component is open source, AGPLv3: https://github.com/zotero/dataserver/

But, I cannot find any deployment instructions. But, it looks like their hosted version lets users create groups of shared items, including sharing archived snapshots of the various items.

One issue I have with rust is that it adds another layer of trusting the compiler isn’t backdoored. All UNIX/Linux systems use the gcc toolchain

They are probably also referring to this: https://kerkour.com/rust-supply-chain-nightmare

In a recent analysis, Adam Harvey found that among the 999 most popular crates on crates.io, around 17% contained code that do not match their code repository.

Cargo and crates are basically just as bad as npm, just less popular, which is why they haven’t been hit yet… And it’s currently very difficult to build rust programs without cargo.

Stable linux distributions have extremely strong supply chain security in comparison to language specific package managers. Debian, for example, was not affected by the xz utils backdoor, due to it’s policy of only doing cherry picked security patches, and ignoring feature or bugfixes for the most part. Given the:

installation instructions for Debian-based distros: here

That’s probably what the author was going for. Unfortunately I am too lazy to load up tor browser right now, to check the Debian installation instructions. I suspect they have their own repo with signed keys, just like Radicle does.

Of course, C is still questionable. I would prefer Java if you cared strongly about supply chain security, since its a memory safe language with a mature ecosystem, and many packages available from Debian’s repositories. But, it would be slower than C.

Calling an enterprise-grade platform

Except you use JWT’s for auth, which is idiotic and a security nightmare. No enterprise that cares about security would ever accept this.

More info: https://gist.github.com/samsch/0d1f3d3b4745d778f78b230cf6061452

There are other problems, some of which I can see… and some of which I can’t. The problem is that I am not a comprehensive expert, I can only spot a few things here and there. Even if I was an expert, why would I audit your software for free lmao? Pay me for that shit.

What I do know, is that vibecoded apps are bad at security. Many, many vibecoded apps have been hit by horrific security bugs like remote code execution, xss, or authentication bypasses. That shit is simply unacceptable and should be extremely rare in modern apps. The fact that I’m not skilled enough to find them reliably makes me even more cautious and concerned around apps like yours.

It’s not just about the app architecture, but also about you. When a known community figure creates an app, I have confidence that they will have a good security posture and architecture. With vibecoding… not so much.

If you have an actual architectural critique

Nice bait, but the problem is this: Just because you get people to audit “critique” your software, doesn’t fix the root cause of those problems — you. Just because you manage to re-vibecode the app to not use JWT’s or to fix any other number of issues someone would point out, doesn’t actually mean more issues exist that that person missed. Like if someone specialized in python, then they might miss database issues, and so on. The second problem is that inevitably, you will expand this software, adding more features… and vulnerabilities. That is to say, even if you manage to fix the architecture and security now, you have not demonstrated the requisite skill needed in order to keep it fixed.

More new comments (see rest of my comments in this thread).

Privacy.com finally verified me. So I guess I’m gonna use that. I don’t think it’s very good at being private, but I want virtual cards as more of an anti scam thing.

Okay I know people sort by new comments, so I’m just going to keep creating more comments here.

I paused halocard for now, since it does look like it’s paid. That makes me hesitate, but also gives me confidence (that its business model isn’t glorping up all my data).

I tried wise.com, which looks free, but it also asked for my SSN… which it then said it couldn’t verify?

What if the new account user, who is working on a product that integrates with what the vast majority of selfhosters run, just found Lemmy?

This happens on Reddit, and basically my problem is that these users often don’t have enough experience to be able to actually give solutions. Reddit is full of people who think they have a good solution, dealing with comments of people explaining that what they are struggling with is actually a solved problem (or a skill issue). No one cares about your vibecoded slop that implements 1% of the features of an existing open source solution (they used to not be vibecoded but we still didn’t care). It being paid and proprietary is just even more annoying.

My idea of requirement to engage with the community is also about being able to ensure that the users are technically competent. If they are experienced, it will show up in the discussions we can see and review. For their benefit, if they lurk, then they can take a look at what is being used, and what problems actually exist, instead of making assumptions.

If they really believe their product is so good, they can spend a few weeks helping people with Linux questions and sharing their (non product related) insightful thoughts on Lemmy so I don’t dismiss them instantly when they finally advertise it.

Second comment in the thread, since I decided to go hunting for alternatives: https://discuss.privacyguides.net/t/alternatives-to-privacy-com-which-dont-require-a-u-s-phone-number/30692

edit 1: Okay I am trying out Halocard right now. What the actual fuck, it sends the verification code via Whatsapp to the phone number I provide.

edit 2: no wait I received it as a text. It looks like whatsapp has a service to send text to people.

It is possible to detect and moderate them, as long as your mods haven’t been disappeared and replaced by people who’s job is to accept bribes. And also when we can actually see people’s history, since reddit now has an option to hide your history from others because of course.

My usual method is to focus on content, rather than writing style. The AI bots can write a lot, or be brief, or whatever, but they don’t actually contribute to the discussion. They just kinda paraphrase and restate what has been said, or when trying to sell a product they disagree and go “Are you sure this isn’t an problem?” to everybody in the thread telling them that it’s actually a skill issue.

Sometimes they’ll be a little better, but it’s often surface level stuff that can be found at the top of a google search of keywords.

This also makes it possible to tell the difference between ESL speakers who are using AI to clean up their writing style, and true bots. Since the ESL speakers will actually have something to say, but bots won’t.

And then: https://xkcd.com/810/

Unraid is an example, that I consider fairly reasonable. Sure, it is a subscription.

But all of the services are docker containers. What unraid brings to the table is a nice management UI, and the ability to mix and match drive of different sizes in a single raid pool. It makes having a fairly resilient self hosting setup easier than trying to do all of this stuff from scratch.

Nice features sure, that many people find worth paying for, even if I don’t. But they are just nice to haves. If the company ever dies, it’s absolutely possible to export the data and move to say, portainer, or docker via the cli, or podman, or anything that can run containers.

On reddit, there is a community called r/progressionfantasy, which is about a specific type of fantasy fiction. They have a rule that self promotional posts (for paid books) must be preceeded by 10 comments, and actual engagement with the community.

This is a reasonable compromise, in my opinion. Known community member who has been answering questions and contributiting to discussions?

I would be okay if they dropped a paid product of good quality and with a reasonable business model (please no vibecoded slop).

But drive by ProductNameAccount users who have never posted on lemmy before a bunch of self promotional posts? Yeah ban that shit.

Privacy.com is, legally, a bank. Banks have always had aggressive KYC requirements, but it’s only gotten worse in recent years.

I went through the sign up and they made me take pictures of my face with Persona.

Once I did that, I then declined to use this other platform, Plaid for storing my card. Instead I submitted my debit card information directly.

The logged in page said that my account was pending, and would be verified in a 1-2 business days. It’s been like 5 days now.

I dug around on reddit, and found someone with a similar experience. They theorized that delayed, or even indefinite account “verification” is a way of soft punishing people who don’t submit to every single privacy invasive thing.

I really only wanted protection from fraud, overcharching, and bad merchants, so I wish this was a feature my bank would provide.

EDIT: see other comment, Privacy.comm verified me.

I use Vanilla music. It was the only music player I found that would keep my place in my long running playlist that I have on shuffle all the time. It gets through all the songs, shuffles, and then queues through all the songs again, reshuffled. Other players I tested would forget the place, or that music was playing in the first place, and that was frustrating.

I stream it to my computer by connecting my phone to my computer via Bluetooth. I think it’s was a new KDE feature, but now my Linux laptop will pretend to be a headset/speakers, and the Android phone will just play to it. It’s so amazing. Because then I can listen to audio from both my phone and my computer at once pretty easily, and keep my spot in that one playlist I keep running. Unfortunately, it has an annoying issue where it drops out (but doesn’t pause the audio) when the CPU is used too much. Lemmy post: https://programming.dev/post/45725312

When I want a more reliable setup, like when I am compiling things, I usually plug my phone into my computer and use srcpy. This can stream the android screen to the computer over ADB, but I just stream the audio, since that’s all I care about.

Programs/orgs like Conda are like the #1 reason projects like Guix exist.

Conda’s default repos are only technically free for personal use, and you have to pay an exorbitant amount if you want to use them in a company. But what happens is devs install Conda anyways, not realizing this, the software phones home, and all of a sudden you have a bunch of lawyers on your case, demanding 10 gorbillion dollars.

And because programs like Conda, or Oracle Java, or so on are technically not malware (even though they literally act like ransomware in some ways), they aren’t, and will not ever be caught by antivirus software.

So the solution people come up to not have to deal with those, with, is to restrict all installation of software entirely, via things like AppLocker on Windows. This makes it so that only approved software can be installed. Software can be manually vetted, confirmed to actually be free for the business, or paid for, before being explicitly allowed.

But the problem with this, is that users like being able to autonomously install the tools they need in order to solve problems. So now they just get frustrated that they can’t do that at all.

Guix, and other projects which only ship open source software, present a middle ground. They distribute a large repo of software, that is essentially confirmed safe for a business to use, and for their users to install autonomously. If I gave someone Guix, I could feel confident that they could install various tools they needed without risking totally-not-ransomware from getting onto the systems.

Anyway. There is nonguix and other additional guix package channels if you want, say CUDA so it’s an option. I’m just trying to explain why some people insists on this model, and why someone would see that as a benefit.

Unfortunately, the browser extension is proprietary. They used to have an open source one but they stopped maintaining it.

Proprietary was a dealbreaker for me. There is no way to verify that it isn’t selling everything I type even if I do have it configured to point at a local server.

I’m also concerned that the extension may eventually no longer work against local servers as well.

https://github.com/languagetool-org/languagetool-browser-addon/issues/247

As an alternative, there is harper by wordpress: https://github.com/Automattic/harper

It is webassembly and runs entirely in your browser.

EDIT:

I will add that the rest of the languagetool ecosystem continues to work fine. Libreoffice now has a built in client, which you can point at your own hosted server. VSCode [1] also has their own languagetool extension. I use those and those work great. But in the browser I use harper nothing. I should probably install harper.

[1] Well, technically I use [code-oss]https://wiki.archlinux.org/title/Visual_Studio_Code), which gets the extension from https://open-vsx.org/

Proxmox is also making their own: https://www.proxmox.com/en/products/proxmox-datacenter-manager/overview

source code: https://github.com/proxmox/proxmox-datacenter-manager

Two more that I have found:

https://docs.pegaprox.com/

And: https://github.com/xdkaine/uma-proxmox-wrapper-public

https://wiki.archlinux.org/title/Arch_is_the_best