Rolling release is dead.
Never use Rolling release distros, use Fixed release distros with Flatpak to get updated apps.
No one has the capacity of checking the code in the rolling release model for potential backdoors.
Nobody has the capability to check the code in frozen-release distros either. Famously, over 95% of bugs in Debian aren't caught until they hit stable.
Maybe true but keep it to yourself or we'll no longer have beta testers and we'll find the backdoors in fixed release
Reminder not a single rolling-release distro was susceptible to this attack, it only activated for .deb packages.
Really? So it only worked on Debian sid?
Only distros which patched sshd were vuln. Debian and Fedora. Maybe Ubuntu.
Fedora wasn't affected despite being patched and using rpms.
The following distributions shipped the confirmed-backdoored (>= 5.6.0) version of the package:
Debian Sid/Unstable
Fedora Rawhide
OpenSUSE Tumbleweed, MicroOS and derivatives
Arch Linux and derivatives
The following distributions shipped the confirmed-backdoored (>= 5.6.0) version of the package _and_ have been confirmed to be vulnerable to the RCE it implements:
Debian Sid/Unstable
Fedora Rawhide
OpenSUSE Tumbleweed (the biggest losers)
The following distributions shipped versions of the package released after the sneaky chinaman started contributing to the project (>~ 5.2.5), but not versions with confirmed vulnerabilities (except for those listed above).
Ubuntu > 22.04
Debian > Bookworm
Fedora > 37
Mageia > 8
OpenSUSE Leap > 15.5
RHEL 9 and CentOS Stream 9
All rolling-release distributions
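A small defender-side check written for this thread (not from any of the posts or from the distros' own tooling) that classifies an xz/liblzma version string against the two thresholds quoted above: >= 5.6.0 confirmed backdoored, anything after 5.2.5 worth auditing. It assumes `xz --version` prints a line of the form `liblzma 5.6.1`; the version comparison is done in awk so it does not depend on `sort -V`.

```shell
#!/bin/sh
# Constructed example: classify an xz/liblzma version against the thresholds
# quoted in the thread. Distro suffixes such as "5.6.1-1" are stripped first.

# ver_ge A B -> exit status 0 when dotted version A >= B (component-wise)
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0   # equal
    }'
}

# classify_xz VERSION -> prints: backdoored | audit | ok
classify_xz() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-1", "+dfsg" etc.
    if ver_ge "$v" "5.6.0"; then
        echo backdoored                # confirmed-backdoored range from the thread
    elif ver_ge "$v" "5.2.5" && [ "$v" != "5.2.5" ]; then
        echo audit                     # released after the malicious maintainer joined
    else
        echo ok
    fi
}

# Report on the liblzma actually installed on this host (assumed output format
# of `xz --version`: a line "liblzma X.Y.Z").
installed_xz_status() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 0; }
    ver=$(xz --version 2>/dev/null | awk '/^liblzma/ {print $2; exit}')
    printf 'liblzma %s -> %s\n' "$ver" "$(classify_xz "$ver")"
}
```

Run `installed_xz_status` on a host to see which bucket its liblzma falls into; a "backdoored" result on a machine with sshd reachable from outside is the case the openSUSE advisory quoted later in the thread tells users to reinstall for.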
deb and rpm I believe
rolling release isn't dead, "bleeding edge" is dead
t. Gentoo stable
Yep, both. So Debian sid (not sure about testing) and Fedora 40 beta and 41 (rawhide). Also OpenSUSE tumbleweed I think, since they're an RPM distro too
And if all had gone according to plan, eventually Debian stable, Ubuntu, RHEL... that's like 95% of servers.
They probably had some targets in mind knowing they run these. It was a long con.
>And if all had gone according to plan
And it very much didn't, did it? There's a reason for that saying "plans do not survive first contact with the enemy".
you get a (You) for being a Yuruposter
>Gentoo stable
I think everyone seems to think rolling release means it'll be like arch where they push stuff to 'stable' almost instantly, it was like 6 days for plasma. I've never had issues with gentoo, it's great. And it's easy to unmask a more recent version of a package that you specifically care about.
how old do packages on gentoo stable get before they're updated?
Debian Unstable and Fedora Rawhide are technically "rolling" and were targeted.
All distros, including stable ones, are at risk because versions after 5.2.5 might have malicious code that needs to be audited.
Well rolling release is always going to be the beta testers for stablechads, but if this exploit weren't discovered by chance it likely would have gone undetected for a while, and got into stable releases.
We should be thanking the gods for Microsoft. If it wasn't for them everyone would have gotten completely owned.
my rolling release wasn't affected by liblzmaballs
how about slowroll? anyone using it?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
Skill issue
susey qts are safe
openSUS is a Red Hat derived distro
[citation needed]
It uses RPM, that's probably what's being checked
I know (I use it) but I wasn't correcting him based on his intent. I was correcting him based on what he said.
shut the frick up, you have no clue what you're talking about. all you idiot unemployed undergrads are so fricking stupid. shut the FRICK UP you fricking homosexual
The fact that Debian stable branch and other fixed release distros are unaffected by the xz fiasco is lucky timing.
I was running Arch for gaming until the news broke out but now I've switched back to Windows 11, bought a Home license and everything. If this was backdoored for this long, imagine what other packages are compromised and nobody even knows it. If anyone can contribute code, anyone can make that code as vulnerable as possible so they can steal important data from users.
Why would you have an open port facing the internet on your rolling release?
You do realize that you would not only need to open your port but also connect your machine to a router with a static IP address, yes?
Why would you take all of those steps on a gaming PC?
Why are you replying to a troll that doesn't even know how a computer works on a computer board?
I honestly believe we have people this stupid on IQfy and there's a lot of mid level people who might not fully understand the issue.
I'm just upset by this behavior from some anons.
You're forgetting that within a rolling distro you can choose your own update schedule. If you updated from openSUSE snapshot 20240321 to 20240328 you wouldn't have a single day with this backdoor.
And even if you update to every single snapshot, you'd have at most one day with this backdoor, which speaks volumes about how quickly and professionally the openSUSE community works.
>use heckelin flatpak
no thanks, i’m sticking with .debs ‘n shit
averi is a pure maiden and thus has no children, fug u
Yeah, as an Archgay, between the recent Plasma 6 debacle and now this, I'm strongly reconsidering using a rolling release distro. Arch avoided this particular exploit, but only by the skin of its teeth. If I could get Debian stable with a fairly recent mesa/kernel release, I think I'd be happy forever.
I'm never using flatpak or docker for anything no matter how much you shill it
>Our rolling release distribution openSUSE Tumbleweed and openSUSE MicroOS included this version between March 7th and March 28th.
Feels bad, so sad.
> For our openSUSE Tumbleweed users where SSH is exposed to the internet we recommend installing fresh, as it’s unknown if the backdoor has been exploited.
Luckily the computer isn't directly exposed to the internet but I probably still should install a fresh copy.
This is the death of openSUSE then, it was already niche but now it's pretty much defeated by being the only loser distro.
I told you guys the whole Lincucks update process was extremely insecure.
>Rolling release is dead.
No, it's not; my artix box was unaffected.