That's fascinating! How would you detect whether what you're compiling is TCC - i.e. would it work on all versions of TCC? What if it tried to compile modified TCC source code?

Trusting Trust is why it's important to maintain some boot-strapping capability- and by extension, why it's important to maintain some very primitive compatibility. In the extreme case, paper tape, FORTH (because you _will_ "need" that level of macro capability), and a discretes-based (meaning, you can realistically build it with individual components, including resorting to relays) bit-at-a-time processor that's nonetheless able to interface with "modern" technologies, even if slowly and through intermediaries. At the end of the day, you absolutely want to be able to intelligently reprogram at least EEPROMs, regardless of anything else.

Nano is so much better than vim and emacs. If you’re a masochist, just use edlin.

@@yxtqwf if the specific part of the source code I replaced was detected, it would regenerate my modified source code and replace the original unmodified version in memory before compiling. I had to do it like that because my modification could not contain itself, so I adapted a quine - a program that regenerates then outputs its own source code. As long as the part of the code I modified was unchanged, it would continue working.

@@absalomdraconis but not everyone can do that, and as long as you have at least 2 different independent compilers for a language, you should be able to catch a "trusting trust" style self-perpetuating compiler backdoor using a technique known as "diverse double compiling" presented in computer scientist David A. Wheeler's PhD thesis from 2009. If you know to check and take the time, you can be reasonably sure that a compiler is not compromised.

My brain saw cows and given the context was like "Dirty cow!"

what?

holocaust: hold my soap!

@@joaomaria2398 He's implying that this video, one of many by Brodie, is Brodie milking the topic -- there doesn't seem to be much new in this video. It's probably getting good numbers for his channel, but there's just not a huge amount of analysis here that he hasn't already covered.

@@EvanEdwards Ohhhh, it makes sense now. My English is bad... Thanks, man!!

I woulda spent a week looking at diffs of hexdumps.

What we need is a book on how to build your system from scratch, starting with full wiped-out PC, and I mean FULL. Basically you will need to go and solder some stuff that can run from USB, boot into it, type the code and progressivly grow your own build environment.

​@@rogo7330that's nolonger possble thanks to SecureBoot. You need a Microsoft-signed bootloader.

​@@rogo7330: No, you need to be able to reflash the ROMs first, accessing via USB happens _after_ that. In the most extreme case, you need to build an "intelligent" (general-purpose CPU) flash tool from discrete components (though that _is_ pretty extreme). At the most extreme ends, paper tape is your friend, and FORTH is a matter of madness vs sanity. Once you've got ROMs flashed, then you want to port FORTH to your "real" machine (ideally going as far as to make it part of your firmware for a while), then build up. As for why FORTH, it's basically a command shell crossed with assembly, and individual commands can be written to take over the input stream, so it can be as high-level or as low-level as you want (also, you could have C, LISP, Pascal, and any other language that you can think of, be supported by taking over the text input if you wanted- it's _very_ flexible). Personally, I'm not fond of the syntax, but it's clear that FORTH is the most important software tool for this sort of thing.

@@rogo7330 solder what to what?

What did he use before?

@@xXRealXx brave, the homophobic crypto browser

@@JessicaFEREM What the heck?! This is the first time I heard of this.

​@@cosmicusstardust3300Brave does use their cryptocurrency stuff, it's pretty wellknown

@@JessicaFEREM homophobia is keyed albeit

NO

Yeah, that's probably the easiest way to approach it. It's even what RedHat realistically is doing already.

non-systemd related programs having a dependncy on systemd is also a terrible idea because it leads to a less flexible system and instantly cauaes issues for non linux users. It should just not be a thing

You might want to look at what's actually happening. The systemd patch isn't an sshd dependency, it's a shim that isn't even necessary to run.

​@@noot1337 that's why it was a systemd patch for openssh. It was added afterwards during build time not part of the base openssh. There is nothing wrong with systemd in regard to this exploit. The vulnerability was in the pipeline and the social engineering of the over extended maintainer. There was no bug. The application operated at expected given the compile inputs and options. What we need is provable reproducible builds that way if someone sneaks a patch in during a non build step it will get flagged.

@@ImperiumLibertas "that's why it was a systemd patch for openssh. It was added afterwards during build time not part of the base openssh" - Oh okay, that solves everything then. It wasn't added before, but later. So... why did a dependency of libsystemd make this an openssh vulnerability again? Because it's a dependency, not as in "openssh depends on it to function" but someone linked it in.

​@@orbatos You might want to check what actually happened. Quote: "openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma." Then read what I wrote, and perhaps realize that it doesn't matter who does it, or when. The point is: It shouldn't be done, at least not without review and consideration. The fact that removing this dependency (Again, dependency as in linked code, not "depends on it to function") didn't break anything should really tell you something about how neccessary it was.

No known victims. So I would assume there isn’t any.

Unless somebody was running Tumbleweed or a development release of a few other distros in production it's very unlikely. Even then it wasn't made public until patches were already shipping

@@BrodieRobertson That was my understanding as well. Thank you sir.

I had the malicious XZ package on my Arch system. Thankfully, arch doesn't patch openssh with systemd, so i wasn't "vulnerable" But still...

well it would be trivial for this to be done with Microsoft Windows - and has been! (read about PRISM)

​@@yxtqwf: No, _REALLY,_ what about Windows? This is a video about Linux distros, and those are fundamentally and massively different from Windows, this _is not_ the right place to be talking about Windows. For the purposes of this video, Microsoft Windows might as well have never had a version 3, much less all of the other stuff that came after. Windows doesn't matter.

In a nutshell: Some state actor, we don't know who, orchestrated a long term social engineering attack on a lone developer, took over the project legitimately using a sock puppet account, then deployed a targeted attack Trojan against sshd through the xz tooling.

Yeah, what is this xyz thing anyways?

@@noderunner_ what is linux Edit: GNU slash linux

​@@YaySyuNo it's just "linux", not gnu+linux or whatever lgbtqabcdefg+ acronym you wanna give it

@@vendetta.02 What kind of mental gymnastics does it take to turn one of the most common linux memes into "I don't like queer people" lmao log off bro

To be fair, a big part of the XZ issue is social engineering and anyone can be a target of that. Not saying you're wrong, I agree, just wanted to add the disclaimer that even when there are multiple maintainers, it's good to be vigilant.

Thanks to all the eyes on open source software, this was caught before it actually shipped as stable. The only people affected were using unstable / testing repos and likely didn't have an exposed SSH port. I'd say the impact of this entire incident was next to zero. Windows fanboys should do more research :)

Maybe they need to be reminded of the Solar Winds hack a few years back.

windows has spyware and malware in it that isnt viewable because microsoft was forced by governments to put it in there, and it will probably remain there far after win 10+win 11 death until it inevitably gets a source code leak and we are able to see the backdoor Windows is less secure cus u have to trust microsoft to not adhere to what governments force them to do to their software, i guarantee that the FBI or CIA or some other three letter agency told microsoft to put a backdoor in windows thats unviewable.

​@@capn Honestly, this seems more like Linux got lucky and dodged a bullet at the last second, than "the system is working as intended" (aka, "everything is fine, nothing to look at here" /leslienielsen). Fanboying can go both ways, and doesn't help solve problems.

@@CosmicCleric "last second"? I think you should brush up on the timeline at play: The backdoor was discovered almost immediately and wasn't shipped in any stable distros. Compare that to the vulnerability that Microsoft left unpatched for months at the NSA's request (presumably as a backdoor), resulting in WannaCry getting spread across critical infrastructure and wreaking havoc. I think the Linux backdoor incident was much more favorable. Obscurity doesn't work.

It would be enough at least participate in wiki and forums of the projects literally on any topic that you think you can provide alternative to what already written. For example, I fully ditched NetworkManager from my laptop and replaced it with wpa_supplicant + dhcpcd + iw and some homegrown scripts to create network device for AP on my wifi card, and now its even more flexible than doing everything through NM on one single network device that created by default for single wifi-card because I can broadcast AP and be connected to another AP as a station at the same time.

have you ever played a unity game

​@@bigpod​imagine being over the age of 16 and still be playing games. manchild behaviour

@@bigpod in a privilege restricted container, yes. I have a systemd container for steam games. It has UID mapping and no access to any of my files. Also has its own X server...mainly because I don't have XWayland normally so that container provides XWayland and gamescope for steam games. It does have direct access to my systems compositor in order to run gamescope n such but that's just something I have to accept. Fully aware unity is mono, I hate it...was so mad when godot went that direction too. EDIT: 🤔 I just realized I could probably use the cage compositor on my host and pass that into the container. Might give that a try actually, that will prevent the container from being able to directly access the host compositor. As long as cage can correctly lock the mouse, that's why I don't nest sway for that.

​@@Scoopta: If you ever decide your current setup isn't enough, then try to find a way to initialize a drive inside computer A from computer B while A is turned off, that way you can have virtually complete sandboxing (maybe even force the network connections through a VPN so the Steam box can't even see your network). I can't think of how to do the drive gimmickry, but even an "escape the sandbox" attack could be rendered mostly (RIP Steam account?) irrelevant through that route.

@@absalomdraconis I just need to use WoL to power on the machine when I need it and then stream the games over my lan, honestly definitely could work, seems expensive though. I'm sure this was meant to be sarcastic but I can't help but appreciate it since my current setup is ridiculous and I am fully aware of that. Should I also mention the fact that said container runs a CLAT for 464XLAT because my network is pure IPv6 and steam hates that...am I a walking tech meme? Maybe...not quite sure tbh but I love my ridiculous setups.

Wait what

Huh. It's possible that github locked him out and re-enabled the account so that people could research his previous contributions. But this is 100% speculation on my part.

@@ruroruro not sure but i notice weeks ago and been questioning it for weeks now and wondering why nobody is talking about about this... it makes me wonder man.

Maybe they want to see if he logs in and leaves more digital footprints? A successful de-anonymization would be pretty nice in this case.

You're the first to mention it so it may be an issue on your end

@@BrodieRobertson ty, will investigate

a week of computation time? wild

First of all, the initial estimate of "a week" was conservative. It "only" took three days to complete. Second, it doesn't "take a minimum of a week for the CI to complete", replacing the normal package doesn't take any longer to complete than on any other distro (actually, it can probably be even faster than even other rolling distros, because they don't really have "releases" so to speak, they continuosly build on every commit and every commit pushed to nixos-unstable has already passed CI). The only reason why this particular rebuild took such a long time is that XZ is included in the stdenv alongside bash, gcc, make, etc. Basically, stuff you need to build other stuff. So when you change any package in the stdenv, you need to "rebuild the world" and that (understandably) takes a long time. You'll notice that this is basically exactly what OpenSUSE did when they noticed that their GCC was potentially compromised. Except unlike OpenSUSE, NixOs didn't have the benefit of a pre-public-disclosure warning. Additionally, the community quite quickly identified that NixOs was not actually affected by this exploit, because nixpkgs doesn't include the sshd patch that links it to systemd. And even if it did, NixOs still wouldn't be vulnerable, because the build logic in xz actually checks a bunch of environment variables to identify if it's being built as an RPM. Since the environment variables aren't present in the nix sandbox, the resulting xz/liblzma binaries don't actually contain the malicious payload. And even if all that wasn't true and the xz/liblzma actually was vulnerable, there are a bunch of ways to mitigate this problem without actually doing the "rebuild the world thing", for example you could use the `system.replaceRuntimeDependencies` NixOs option. Also, if NixOS was actually identified as vulnerable, I suspect that instead of just replacing the stdenv.xz with the earlier version, the security team would either "surgically" replace xz in important/affected packages first (such as sshd) to get those updated quickly and only then replace it in stdenv (potentially leading to the long rebuild). Since no package was actually vulnerable, there was no real incentive to spend time patching individual packages for faster rebuild. And if all else fails, you could just roll back your installation to an earlier generation, which didn't have the new xz version. You know, atomic generation switching, you might have heard of it, it's only like one of the DEFINING FEATURES OF THE DISTRIBUTION.

WTF week for a CI pipeline what the hell are they doing

​@@bigpodrebuilding ALL the packages, because xz is included in the standard build environment (see my earlier comment in this thread for the reasoning). Also, keep in mind that nixpkgs (arguably) has more packages than even the AUR. If anything, the "world rebuild" was surprisingly quick.

Because they are most likely not a single person, but a team, possibly state sponsored.

​@@ruroruroYeah. Good luck trying to extradite a Russian or North Korean hacker _sponsored by their governments._

did you just assume cops already know where Jia tan lives and could've just arrested them

17 views in 2 minutes. And 2 of those view are here rn

You have to watch the video for more than 28 seconds before it gets counted as a view.

25 likes in 1 hour 💀 bro fell off

Our little comedian

3100 in 3 hours, bro's getting up there

Because F having convenient package management, right? We GOTTA copy proprietary oldware!

Windows does have a store, but it sucks so nobody uses it. Most Linux distros have a good enough store, so people use it. I think most people would use the Microsoft Store if it was good. People do not want to download everything from the the internet from random sources, they just are forced to because Microsoft Store is not good.

that's kinda what the "atomic" desktops build towards

@@supercellex4D No, we gotta have a stable platform that doesn't change much, from kernel space to userspace, so software developers, even opensource devs, can have time to build software on it. That's how Windows did, hell, even Android, a fucking OS that uses linux as a kernel, did, why linux desktop has to be different? Are you fucking retarded? And i've said: there's the deb sources that you can add to keep updating with the rest of the system.

@@rockpods4498 None of the app stores are good, or they are already filled with viruses (which people learn how to avoid it), play store is in this category, or they simply don't have updated programs, and stable distros fall on the second category. For me, those things should work like emacs: emacs offer a package manager, and then you put whatever source you want to get packages from (MELPA, for example). The "official" package source should only contain the stable operating system, so the other sources can base their dependencies on that.