Support us on Patreon
PayPalLatest Comments by pleasereadthemanual
XZ tools and libraries compromised with a critical issue
30 March 2024 at 9:48 am UTC Likes: 2
That's because none of these distributions have fully analyzed the source for xz, and out of concern that there is more malware hiding in the weeds, they've gone further back.
Also, the Arch Linux news post recommended using ldd on the xz executable which was known to be malicious in at least one way. You should never do this. Read the man page for ldd for why:
I don't understand why Arch is choosing to trust that very recent versions of xz are not compromised without much further investigation.
That being said, this should probably be disregarded:
Also worth mentioning that this impacted Homebrew for macOS users.
30 March 2024 at 9:48 am UTC Likes: 2
Quoting: sudoerMy issue is that Arch, unlike openSUSE, Gentoo, Nix, Fedora Rawhide, Fedora 40/41, Kali Linux, and Homebrew, are continuing to use the 5.6.1 release, just pulling directly from Github and not the binary tarballs which were compromised. All of these other distributions have downgraded to 5.4.6. Gentoo has gone so far as to downgrade to 5.4.2, which is the last release signed by the previous maintainer.Quoting: pleasereadthemanualMissed this comment the first time. This does not inspire confidence in me about using Arch in the future.
huh? maybe you missed that "The malicious code path does not exist in the arch version of sshd, as it does not link to liblzma" too. Also, how many "home" users use a ssh server...
That's because none of these distributions have fully analyzed the source for xz, and out of concern that there is more malware hiding in the weeds, they've gone further back.
Also, the Arch Linux news post recommended using ldd on the xz executable which was known to be malicious in at least one way. You should never do this. Read the man page for ldd for why:
QuoteSecurityAnd for the record, I use an SSH server.
Be aware that in some circumstances (e.g., where the program specifies an ELF interpreter other than ld-linux.so), some versions of ldd may attempt to obtain the dependency information by attempting
to directly execute the program, which may lead to the execution of whatever code is defined in the program's ELF interpreter, and perhaps to execution of the program itself. (Before glibc 2.27, the
upstream ldd implementation did this for example, although most distributions provided a modified version that did not.)
Thus, you should never employ ldd on an untrusted executable, since this may result in the execution of arbitrary code. A safer alternative when dealing with untrusted executables is:
$ objdump -p /path/to/program | grep NEEDED
Note, however, that this alternative shows only the direct dependencies of the executable, while ldd shows the entire dependency tree of the executable.
I don't understand why Arch is choosing to trust that very recent versions of xz are not compromised without much further investigation.
That being said, this should probably be disregarded:
Quoting: pleasereadthemanualIt gets a lot worse. This bad actor has made contributions all over core Linux projects like systemd: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5005888#gistcomment-5005888This developer is significantly more trustworthy. So at this stage, it's hopefully only xz that's compromised.
Also worth mentioning that this impacted Homebrew for macOS users.
XZ tools and libraries compromised with a critical issue
30 March 2024 at 5:49 am UTC Likes: 3
30 March 2024 at 5:49 am UTC Likes: 3
Quoting: williamjcmMissed this comment the first time. This does not inspire confidence in me about using Arch in the future.QuoteSo you'll want to ensure any XZ packages are not at version 5.6.0 or 5.6.1, and check the news directly from your chosen distribution for updates on it.
Arch has repackaged 5.6.1, using a repo clone instead of the compromised tarballs: https://security.archlinux.org/ASA-202403-1
https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385757abdc39d3cfea1c3e34ec09f637424ad
XZ tools and libraries compromised with a critical issue
30 March 2024 at 1:27 am UTC Likes: 4
A malicious patch series almost got into the kernel, too.
Github has removed the xz repository entirely.
30 March 2024 at 1:27 am UTC Likes: 4
Quoting: pleasereadthemanualEdit: This comment originally linked to another comment about another related developer. But there's good reason to believe that this supply chain attack is limited to xz for now.Quoting: whizseOh, this might be bad. Seems like an inside job by the new'ish maintainer:So it would seem that this new maintainer has been trying to gain control of XZ since 2021, and has had control of it since 2023. That's quite concerning and surprising. It seems unusual for bad actors to try to gain control of the supply chain long-term. Older XZ releases might have other unreported vulnerabilities even on stable distributions...
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
If so, someone needs to go through xz-utils with a fine toothed comb.
This maintainer has at least 750 commits to his name: https://hachyderm.io/@joeyh/112180715824680521
But to quote Glyph:
QuoteI really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/[email protected]/msg00567.html
A malicious patch series almost got into the kernel, too.
Github has removed the xz repository entirely.
XZ tools and libraries compromised with a critical issue
30 March 2024 at 12:39 am UTC Likes: 9
This maintainer has at least 750 commits to his name: https://hachyderm.io/@joeyh/112180715824680521
But to quote Glyph:
30 March 2024 at 12:39 am UTC Likes: 9
Quoting: whizseOh, this might be bad. Seems like an inside job by the new'ish maintainer:So it would seem that this new maintainer has been trying to gain control of XZ since 2021, and has had control of it since 2023. That's quite concerning and surprising. It seems unusual for bad actors to try to gain control of the supply chain long-term. Older XZ releases might have other unreported vulnerabilities even on stable distributions...
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
If so, someone needs to go through xz-utils with a fine toothed comb.
This maintainer has at least 750 commits to his name: https://hachyderm.io/@joeyh/112180715824680521
But to quote Glyph:
QuoteI really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/[email protected]/msg00567.html
Oh Snap! Canonical now doing manual reviews for new packages due to scam apps
29 March 2024 at 4:52 am UTC Likes: 6
29 March 2024 at 4:52 am UTC Likes: 6
Quoting: pilkI'm glad they're finally doing this, but this should've been implemented, at the very least, after the first time this happened.In 2018?
SDL 3 will prefer Wayland Over X11, if certain protocols are available
28 March 2024 at 1:07 pm UTC Likes: 5
28 March 2024 at 1:07 pm UTC Likes: 5
Sounds reasonable. Hope the protocol extensions get implemented sometime soon.
Just out of curiosity, I was counting the merge requests for protocol extensions in wayland-protocols today...
There are currently 86 open merge requests (MRs) in wayland-protocols. 4 protocol extensions were merged in the past 7 days, including the long-time linux-drm-syncobj-v1 protocol for explicit sync. 155 MRs have been merged in total (not all are protocols, but most are), and 51 have been closed (either in favor of new protocols or rejected outright).
Of the 86 open MRs, 43 of them were created in the past year. The remaining 43 are more than 1 year old. 14 MRs are between 1-2 years old. 9 MRs are between 2-3 years old. 12 MRs are between 3-4 years old. 8 MRs are between 4-5 years old, including the enormous Color Management protocol (#14), which is actually even older than that because this one predates the gitlab instance.
Did someone mention portals? Certainly not me.
FWIW, Explicit Sync and Color Management are the ones I really care about, and Explicit Sync is finally merged.
Just out of curiosity, I was counting the merge requests for protocol extensions in wayland-protocols today...
There are currently 86 open merge requests (MRs) in wayland-protocols. 4 protocol extensions were merged in the past 7 days, including the long-time linux-drm-syncobj-v1 protocol for explicit sync. 155 MRs have been merged in total (not all are protocols, but most are), and 51 have been closed (either in favor of new protocols or rejected outright).
Of the 86 open MRs, 43 of them were created in the past year. The remaining 43 are more than 1 year old. 14 MRs are between 1-2 years old. 9 MRs are between 2-3 years old. 12 MRs are between 3-4 years old. 8 MRs are between 4-5 years old, including the enormous Color Management protocol (#14), which is actually even older than that because this one predates the gitlab instance.
Did someone mention portals? Certainly not me.
FWIW, Explicit Sync and Color Management are the ones I really care about, and Explicit Sync is finally merged.
Nova, a Rust-based Linux driver for NVIDIA GPUs announced
27 March 2024 at 10:46 pm UTC Likes: 1
27 March 2024 at 10:46 pm UTC Likes: 1
Quoting: EikeQuoting: pleasereadthemanualYou see, it's actually really simple.
(...writes a manual...)
Quoting: EikeProbably!Quoting: pleasereadthemanualI get the distinct feeling I'm missing something...
(Serious) question: Mesa?
Nova, a Rust-based Linux driver for NVIDIA GPUs announced
27 March 2024 at 12:28 am UTC Likes: 9
27 March 2024 at 12:28 am UTC Likes: 9
I see there is some confusion about the Nova/Nouveau + NVK + Zink/Nouveau NVIDIA driver situation.
You see, it's actually really simple.
Graphics drivers always come in pairs, you see: there's a kernel driver, and then there's a userspace driver that sits on top of the kernel driver. First, we had the Nouveau kernel driver, which was a reverse-engineered open source driver alternative to the proprietary NVIDIA driver (it does not have a name). The proprietary NVIDIA driver, to keep things simple, is both the kernel and userspace driver in one. So, by itself, the Nouveau kernel driver is not useful, which is why it needs a userspace driver. To keep things simple, it was also called "Nouveau". It handled OpenGL calls.
Many years later, NVIDIA open sourced the kernel driver of their proprietary stack, often referred to as "open kernel modules". So now they have two drivers too!
Now we have NVK, which is a userspace driver just for Vulkan. Then Zink was written (which afaik was also being used for AMD) for the OpenGL calls, but what it really does is convert the OpenGL calls to Vulkan calls, which ends up being both faster than writing a new OpenGL driver and actually faster in performance because Vulkan is apparently the panacea to almost every problem on Linux.
So you can have a few stacks:
Nouveau (kernel) + Nouveau (userspace)
Nouveau (kernel) + NVK + Zink
Nova + NVK + Zink
NVIDIA (proprietary kernel) + NVIDIA (proprietary userspace)
NVIDIA (open modules) + NVIDIA (proprietary userspace)
The open modules are also "out of tree", which means they will never be mainlined like Nouveau, so they are no easier to install than the proprietary modules, and offer the same performance.
However, be careful! You can't combine the open modules from NVIDIA with Nouveau userspace or NVK + Zink. The open kernel modules only work with the proprietary driver.
I wonder if you could combine Nouveau (kernel) with NVK and Nouveau (userspace). Food for thought!
Then there's the GSP firmware for the GPUs. This is what will allow NVK to support HDMI 2.1+, because that code is inside the firmware. I think. I don't know anymore.
I get the distinct feeling I'm missing something...
Oh, and I almost certainly got the stuff about Zink wrong. I think that had something to do with converting the OpenGL code on the Nouveau userspace driver to Vulkan or something..?
You see, it's actually really simple.
Graphics drivers always come in pairs, you see: there's a kernel driver, and then there's a userspace driver that sits on top of the kernel driver. First, we had the Nouveau kernel driver, which was a reverse-engineered open source driver alternative to the proprietary NVIDIA driver (it does not have a name). The proprietary NVIDIA driver, to keep things simple, is both the kernel and userspace driver in one. So, by itself, the Nouveau kernel driver is not useful, which is why it needs a userspace driver. To keep things simple, it was also called "Nouveau". It handled OpenGL calls.
Many years later, NVIDIA open sourced the kernel driver of their proprietary stack, often referred to as "open kernel modules". So now they have two drivers too!
Now we have NVK, which is a userspace driver just for Vulkan. Then Zink was written (which afaik was also being used for AMD) for the OpenGL calls, but what it really does is convert the OpenGL calls to Vulkan calls, which ends up being both faster than writing a new OpenGL driver and actually faster in performance because Vulkan is apparently the panacea to almost every problem on Linux.
So you can have a few stacks:
Nouveau (kernel) + Nouveau (userspace)
Nouveau (kernel) + NVK + Zink
Nova + NVK + Zink
NVIDIA (proprietary kernel) + NVIDIA (proprietary userspace)
NVIDIA (open modules) + NVIDIA (proprietary userspace)
The open modules are also "out of tree", which means they will never be mainlined like Nouveau, so they are no easier to install than the proprietary modules, and offer the same performance.
However, be careful! You can't combine the open modules from NVIDIA with Nouveau userspace or NVK + Zink. The open kernel modules only work with the proprietary driver.
I wonder if you could combine Nouveau (kernel) with NVK and Nouveau (userspace). Food for thought!
Then there's the GSP firmware for the GPUs. This is what will allow NVK to support HDMI 2.1+, because that code is inside the firmware. I think. I don't know anymore.
I get the distinct feeling I'm missing something...
Oh, and I almost certainly got the stuff about Zink wrong. I think that had something to do with converting the OpenGL code on the Nouveau userspace driver to Vulkan or something..?
SDL 3 has a first preview release out with HDR and Vulkan for the 2D rendering API
26 March 2024 at 8:45 am UTC
There are definitely Valve employees like Joshua Ashton who engage in Wayland Protocol discussion. Joshua Ashton has also done a few implementations for Wayland protocols such as in Mesa. I'm sure there's more I don't know about. For this particular protocol, at least Xaver Hugl (KDE), Joshua Ashton (Valve), Simon Ser (wlroots, gamescope) and Derek Foreman (Collabora) have been working on it. No idea how close it is to completion, and it seems to depend on another protocol that isn't finished.
Oh, and even flibitijibibo is commenting on the SDL pull request.
26 March 2024 at 8:45 am UTC
Quoting: Marlockthey could delay SDL3... but that only helps if Wayland devs clearly signal they'll solve their end of the issue soon with high priority... which seems a bit unlikely, though Valve does have plenty of people working for them on both things, iircThis was brought up in the pull request, but it doesn't seem like something SDL is interested in doing. Either because they just don't believe they can get this protocol and implementations sorted out in time for the next release (ideally, that might take 6 months?), or because they don't want to delay it at all. That might change as SDL3 gets closer to release.
There are definitely Valve employees like Joshua Ashton who engage in Wayland Protocol discussion. Joshua Ashton has also done a few implementations for Wayland protocols such as in Mesa. I'm sure there's more I don't know about. For this particular protocol, at least Xaver Hugl (KDE), Joshua Ashton (Valve), Simon Ser (wlroots, gamescope) and Derek Foreman (Collabora) have been working on it. No idea how close it is to completion, and it seems to depend on another protocol that isn't finished.
Oh, and even flibitijibibo is commenting on the SDL pull request.
SDL 3 has a first preview release out with HDR and Vulkan for the 2D rendering API
25 March 2024 at 11:04 pm UTC
I can only assume it's based on the time between SDL1 and SDL2, and now SDL2 and SDL3.
25 March 2024 at 11:04 pm UTC
Quoting: hell0There is no evidence supporting this one way or the other that I can find, aside from Conan-Kudo's argument. He is the only one that mentioned it, and no one else responded about it. I couldn't find any information about how long SDL versions are supported for.Quoting: pleasereadthemanualQuoteIf we do this, we are basically accepting these issues are unfixable for the next ten years (SDL4).
[...]
Shipping a broken default is the wrong thing to do. Unfortunately, that protocol is unlikely to be finished before SDL3's release (3+ months away).
Two bad options. There's suggestions of flipping the default later on in the lifecycle of SDL3 once this protocol is implemented, and that seems like what's going to happen. I'm not sure what the downsides of this are.
I'm not interested enough to go and read the whole debate. But is there really a 10 year life cycle for SDL? Or something preventing them from releasing SLD4 a year from now?
I can only assume it's based on the time between SDL1 and SDL2, and now SDL2 and SDL3.
- GOG launch their Preservation Program to make games live forever with a hundred classics being 're-released'
- Sony say their PSN account requirement on PC is so you can enjoy their games 'safely'
- Valve dev details more on the work behind making Steam for Linux more stable
- NVIDIA detail upcoming Linux driver features for Wayland and explain current support
- Steam Beta gets fixes for WiFi on Steam Deck, plus AMD GPU startup crash on Desktop
- > See more over 30 days here
-
Temtem: Swarm is a survivor-like bullet heaven with cut…
- teablossom -
Get a fresh look at Half-Life 2 RTX in a new video plus…
- Phlebiac -
Half-Life 2 free to keep until November 18th, Episodes …
- ElectricPrism -
Old Skies from Wadjet Eye Games looks like one to remem…
- emphy -
Half-Life 2 free to keep until November 18th, Episodes …
- StalePopcorn - > See more comments
- Weekend Players' Club 11/15/2024
- Pengling - Our own anti-cheat list
- Liam Dawe - What do you want to see on GamingOnLinux?
- Linux_Rocks - Does Sinden Lightgun work?
- Linas - Steam and offline gaming
- missingno - See more posts