That's it, bros. I was using Debian sid for a long time but it's time to switch to Arch. Debian is insecure. It went to shit since the diversity team came in.
https://www.debian.org/intro/diversity
ok moron
>KDE on Debian
An epitome of doing it wrong. Rest in piss, homosexual. You won't be missed.
>An epitome of doing it wrong. Rest in piss, homosexual. You won't be missed.
bump
>Debian is insecure.
Less so than Arch.
>named after evil kid that breaks shit
that's just asking for something bad to happen
>Arch
Arch is still on xz 5.6.1 even though more suspicious commits have been identified. Their security team is moronic for not going to 5.4 because they think they know better, when no one knows the extent yet.
>Arch is still on xz 5.6.1
Black person are you stupid or something? 5.6.1 is the latest release, how could they possibly be ahead of it?
Other distros have downgraded the package.
>Their security team is moronic for not going to 5.4
Can you not read or is it that you can't count? 4 < 6.
Every distro has gone to some 5.4.x release because 5.6.1 contains the malware and about 700 commits by Jia Tan. More commits continue to be found that introduce exploits like the cmake landlock bypass.
guy also introduced a bunch of potential weaknesses to libarchive that they're having to deal with, and has a pr merged to oss-fuzz that hides his exploit. he/they had two years and hundreds of commits to do whatever they wanted.
Pronouns she/her, please
singular/plural, not your mentally ill gender shit
5.4.x could still be dangerous, and still include Jia Tan commits.
5.2.5 is before any Jia Tan commits and is what you *should* roll back to.
But it breaks ABI so most distros are too pussy to do it (even though breaking ABI is a security feature not a bug, you also break the ABI of any malware lmao)
5.4 releases should be much easier to audit due to fewer commits and less access at the time. I think I also saw at least one distro or project use the last 5.4 release signed by the original maintainer.
The thing is that even Jia Tan's first commit is suspicious.
I'm an Archgay, but Debian stable is would arguably have been a better system to be on for this kind of attack. It's just luck that Arch happened to not patch the openssh in such a way that this exploit was viable. Don't forget Archgays have been suffering from the recent dogshit Plasma 6 release (and Debian users are still riding comfy on 5.27), and the AUR (arguably the biggest selling point of Arch) is getting more and more compromised by the day.
>Arch is still on xz 5.6.1
xz 5.6.1-2*
> but Debian stable is would arguably have been
>would arguably have been*
God dammit, been drinking too much tonight.
>AUR
that's literally where this type of malware would FLOURISH
Sid is still on 5.27?
Maybe they did the same as opensus. Same version, but reverted patches to avoid package management conflicts.
>same as opensus
iirc, OpenSUSE reverted to a 5.4 point release but named it something like 5.6.1-2revert-to-5.4 or something.
https://build.opensuse.org/projects/openSUSE:Factory:Update/packages/xz/files/xz.spec
https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/blob/main/PKGBUILD
I checked again. OpenSUSE has reverted to xz 5.4.6 while Arch is still using 5.6.1.
What Arch did was grab the git tag and run automake instead of using the tarball with the modified .m4 that executes the exploit. Rather dumb.
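The tarball-versus-git point above, as an added example that is not code from this thread or from the xz project: a script that lists what a release tarball ships beyond the files tracked at the git tag it claims to be built from, and then scans a tarball-only m4 file for the shell constructs quoted in the public disclosure of the 5.6.0/5.6.1 build-to-host.m4 payload stage. The tarball, the m4 file and the tracked-file list are constructed fixtures built inside the script so it runs offline; they are not real xz releases, and the function names are mine. In practice the tracked list comes from `git ls-tree -r --name-only <tag>` in the upstream repository.

```shell
#!/bin/sh
# Added example (not from this thread or the xz project). Compares a release
# tarball with the files tracked at the corresponding git tag, then scans a
# tarball-only m4 file for the constructs the 5.6.x build-to-host.m4 used
# (indicator strings as quoted in the public disclosure; assumption, see lead-in).
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# --- constructed fixtures (NOT real xz files) -------------------------------
mkdir -p "$work/src/m4" "$work/src/tests/files"
printf 'int main(void){return 0;}\n' > "$work/src/xz.c"
printf 'AC_INIT([xz],[5.6.1])\n'    > "$work/src/configure.ac"
printf 'harmless test fixture\n'      > "$work/src/tests/files/good-1.xz"
# An m4 file that exists only in the tarball and carries the quoted constructs.
cat > "$work/src/m4/build-to-host.m4" <<'EOF'
AC_DEFUN([gl_BUILD_TO_HOST],
[
  gl_am_configmake=`grep -aErls "^####[[:alnum:]]{5}$" $srcdir/ 2>/dev/null`
  gl_path_map='tr "\t \-_" " \t_\-"'
  gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'
])
EOF
tar -C "$work" -czf "$work/xz-5.6.1.tar.gz" src
# What `git ls-tree -r --name-only v5.6.1` would print for this fixture tree.
printf '%s\n' xz.c configure.ac tests/files/good-1.xz > "$work/tracked.txt"

# tarball_only TARBALL TRACKED_LIST
# Prints paths (top-level directory stripped, directory entries dropped) that
# the tarball ships but git does not track: generated files, or anything
# slipped in at release time.
tarball_only() {
    tar tzf "$1" | sed -e 's|^[^/]*/||' -e '/\/$/d' -e '/^$/d' | sort -u > "$work/in_tar.txt"
    sort -u "$2" > "$work/in_git.txt"
    comm -23 "$work/in_tar.txt" "$work/in_git.txt"
}

# scan_m4 TARBALL PATH
# Reads one member straight out of the tarball and prints how many lines match
# the indicator constructs: the grep for "####"-framed markers in the source
# tree, the tr-based path map, and the eval of that map during extraction.
scan_m4() {
    top=$(tar tzf "$1" | head -n 1 | cut -d/ -f1)
    tar xzOf "$1" "$top/$2" \
        | grep -cE 'grep -aErls "\^####|tr "\\t \\-_"|eval \$gl_path_map' || true
}

echo "files in tarball but not in git:"
tarball_only "$work/xz-5.6.1.tar.gz" "$work/tracked.txt"
echo "indicator hits in m4/build-to-host.m4: $(scan_m4 "$work/xz-5.6.1.tar.gz" m4/build-to-host.m4)"
```

On a real autotools release the tarball-only list is long (configure, Makefile.in, aclocal.m4, every m4/*.m4 pulled from gnulib), so the list alone proves nothing; the useful step is to diff each of those files against the version the tooling would regenerate, which is effectively what building from the tag with autoreconf does. Note also that the compressed payload in the real case lived in test files that were tracked in git, so the tarball comparison only catches the extraction stage, not the payload itself.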
>https://www.debian.org/intro/diversity
Is this why their website sucks so much ass? Seriously, worst distro website I've ever seen and it's not even close.
>It went to shit since the diversity team came in.
>systemd
>wayland
just come out of closet and use MacOS, gay
funny i've been using le meme distro for 10 years now and as i grow older and become lazier i can't even be arsed to syu hence why my xz is .4.6 lel if i wasn't so lazy i would maybe try to switch to ubanto lts (cos non lts is a shitshow btw) maybe if i get another pc
if you don't have an nvidia gpu you could try fedora
Agree with the other guy. Fedora is unironically the best stable distro for non-power users. Even the CCP realise it, that's why they want in.
>non-power users
You mean all Linux users?
Power user is a Windows terminology.
fun fact if the postgres autist waited a few more months this WOULD have made it into ubuntu 24 lts lol
A lot of Linux systems had some Chinese hacker install backdoors on them, none of them that were open source were unaffected: https://therecord.media/malicious-backdoor-code-linux-red-hat-cisa
You should worry if there's a Chinese working on the team because it could mean your computer is compromised.