federico3

joined 4 years ago
[–] federico3@lemmy.ml 1 points 5 months ago (1 children)

You can use firejail or other sandoxes with any application packaged in any distribution.

[–] federico3@lemmy.ml 2 points 5 months ago

I am well aware of it. It is an example of the traditional distribution workflow preventing a backdoor from landing into Debian Stable and other security-focused distributions. Of course the backdoor could have been spotted sooner, but also much later, given its sophistication.

In the specific case of xz, "Jia Tan" had to spend years of efforts in gaining trust and then to very carefully conceal the backdoor (and still failed to reach Debian Stable and other distributions). Why so much effort? Because many simpler backdoors or vulnerabilities have been spotted sooner. Also many less popular FOSS projects from unknown or untrusted upstream authors are simply not packaged.

Contrast that with distributing large "blobs", be it containers from docker hub or flatpak, snap etc, or statically linked binaries or pulling dependencies straight from upstream repositories (e.g. npm install): any vulnerability or backdoor can reach end users quickly and potentially stay unnoticed for years, as it happened many times.

There has been various various reports and papers published around the topic, for example https://www.securityweek.com/analysis-4-million-docker-images-shows-half-have-critical-vulnerabilities/

They have to watch hundreds to thousands of packages so having them do security checks for each package is simply not feasible.

That is what we do and yes, it takes effort, but it is still working better than the alternatives. Making attacks difficult and time consuming is good security.

If there is anything to learn from the xz attack is that both package maintainers and end users should be less lenient in accepting blobs of any kind.

[–] federico3@lemmy.ml 5 points 5 months ago* (last edited 5 months ago) (2 children)

They do now have a verified tick in Flathub to show if a Flatpak is official

Jia Tan liked your comment

Without the traditional distribution workflow what prevents flatpaks to be full of security issues? Unfortunately sandboxing cannot protect the data you put in the application.

[–] federico3@lemmy.ml 2 points 5 months ago (2 children)

How does it compare with Paperwork? https://www.openpaper.work/en/

[–] federico3@lemmy.ml 6 points 8 months ago (2 children)

Radicle has plenty of red flags, see https://lemmy.ml/comment/8982169

[–] federico3@lemmy.ml 4 points 9 months ago* (last edited 9 months ago) (2 children)

Github is designed to centralize git (as the word "hub" suggests). You can still migrate away code, issues and wikis, but contributors, followers, wiki editors, issue subscribers, visibility in general and github stars are locked in. Discoverability matters to projects trying to attract contributors.

[–] federico3@lemmy.ml 2 points 10 months ago

Count me in! (Or shall I say: you have my sword?)

[–] federico3@lemmy.ml 7 points 1 year ago (1 children)

I did the survey but please would you mind identifying yourself and linking to the research paper when it's ready?

[–] federico3@lemmy.ml 4 points 1 year ago

free people from proprietary gardens, yet FOSS has actually been one of the biggest creators of such gardens

Forgive the nitpick, but FOSS is not creating walled gardens, companies are. (After all, software has no willpower... yet)

[–] federico3@lemmy.ml 1 points 1 year ago

Indeed. If a big instance like lemmy.ml was to be shut down all the communities would be lost. This is simply not sustainable. Why would users put effort building a community if it could be gone at any time?

view more: next ›