GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE

  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Conversation

Notices

  1. Embed this notice
    niconiconi (niconiconi@mk.absturztau.be)'s status on Saturday, 30-Mar-2024 05:32:07 JST niconiconi niconiconi

    "There are no known reports of those [backdoored xz] versions being incorporated into any production releases for major Linux distributions"It's the one single big difference between npm and traditional distro packages - a bad upstream change doesn't instantaneously propagate to all end users within a picosecond.

    In conversation about 8 months ago from mk.absturztau.be permalink
    • Haelwenn /элвэн/ :triskell: likes this.
    • Embed this notice
      Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Saturday, 30-Mar-2024 06:16:22 JST Haelwenn /элвэн/ :triskell: Haelwenn /элвэн/ :triskell:
      in reply to
      • alina 🌸
      @teidesu @niconiconi provenance statements are cool so you know how the sausage is made but are entirely useless when it's a backdoor injected by the project themselves, as is often the case for npm stuff.
      In conversation about 8 months ago permalink
    • Embed this notice
      alina 🌸 (teidesu@very.stupid.fish)'s status on Saturday, 30-Mar-2024 06:16:23 JST alina 🌸 alina 🌸
      in reply to

      @niconiconi@mk.absturztau.be i highly doubt it would be possible to effectively moderate npm or alike the way its done in linux distros, simply because of its enormous size

      probably the best way to at least try to mitigate this is to have a "quarantine" for a set period of time, but this would likely only work for corporate environments

      npm also has this, idk if theres similar on other langs' registries

      In conversation about 8 months ago permalink
    • Embed this notice
      :umu: :umu: (a1ba@suya.place)'s status on Saturday, 30-Mar-2024 06:17:16 JST :umu: :umu: :umu: :umu:
      in reply to
      • alina 🌸
      @teidesu @niconiconi I think npm and alikes should implode.
      In conversation about 8 months ago permalink
      Haelwenn /элвэн/ :triskell: likes this.
    • Embed this notice
      :umu: :umu: (a1ba@suya.place)'s status on Saturday, 30-Mar-2024 06:18:07 JST :umu: :umu: :umu: :umu:
      in reply to
      • alina 🌸
      @teidesu @niconiconi stuff like this gets compromised every week

      and because dependency trees are giant, there is a chance that infected version of some dependency was included in popular software
      In conversation about 8 months ago permalink
      Haelwenn /элвэн/ :triskell: likes this.
    • Embed this notice
      alina 🌸 (teidesu@very.stupid.fish)'s status on Saturday, 30-Mar-2024 06:18:08 JST alina 🌸 alina 🌸
      in reply to
      • :umu: :umu:

      @a1ba@suya.place @niconiconi@mk.absturztau.be 🤨 why

      In conversation about 8 months ago permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.