nation state actor maintenance of an open source project may introduce a lot of backdoors, but it also helps a lot of PRs get merged, so, it's impossible to say if it's bad or not.
Watching people much better at this than me RE the xz backdoor and it's very much the reverse engineering scene from Hackers (spoiler it seems to take a signed payload smuggled in the form of the client's SSH pubkey and then pass that to system()) https://youtu.be/bcAACOrgVKE
It's kind of amazing that systemd had already upstream changed the behaviour of libsystemd such that liblzma wouldn't have been loaded, raising the hilarious possible alternative reality where that release got cut earlier and hit distros before the backdoored liblzma did and all of that work would have been for nothing
Being less flippant about this - the xz backdoor relied on a line that was present in the tarball release, but not in the git repo. Do we have any infrastructure for validating this kind of thing? (It's expected that the tarball would contain things that aren't in git - for example, the configure script doesn't exist in git, but is expected to be in the release. The problem is that extra code was injected into the configure script after it was generated)
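One way to mechanise the check the post above asks about, as an added example that is not part of the original thread and not code from the xz project: compare the file list of an extracted release tarball against `git ls-files` at the release tag, and for each file that is legitimately absent from git because autotools generates it, compare the shipped copy against one you regenerated yourself (e.g. with `autoreconf -fi`) from the tagged tree. Everything here is constructed: the file names, the two `configure` bodies, and the `extra-helper.sh` stand-in for an extra file; the helper names are my own.

```python
import difflib

# Constructed sample inputs (not taken from any real release).
# What `git ls-files` would report at the release tag.
GIT_TRACKED = {
    "configure.ac",
    "Makefile.am",
    "m4/ax_pthread.m4",
    "src/liblzma/lzma/lzma_encoder.c",
}
# Files autotools is expected to generate into the tarball even though
# they are never committed.
EXPECTED_GENERATED = {"configure", "Makefile.in", "aclocal.m4", "config.h.in"}

# What the extracted tarball actually contains: one file that is neither
# tracked nor an expected build product.
TARBALL_FILES = GIT_TRACKED | EXPECTED_GENERATED | {"extra-helper.sh"}

# The 'configure' we regenerated ourselves from the tagged git tree ...
REGENERATED_CONFIGURE = "\n".join([
    "#! /bin/sh",
    "# Generated by GNU Autoconf",
    "ac_default_prefix=/usr/local",
    "exit 0",
]) + "\n"

# ... and the one shipped in the tarball, which carries one extra line.
TARBALL_CONFIGURE = "\n".join([
    "#! /bin/sh",
    "# Generated by GNU Autoconf",
    "ac_default_prefix=/usr/local",
    ". ./extra-helper.sh",
    "exit 0",
]) + "\n"


def classify_tarball(tarball, git_tracked, expected_generated):
    """Split the tarball's file list into tracked, expected-generated,
    unexpected (in neither set) and missing (tracked but not shipped)."""
    tarball = set(tarball)
    git_tracked = set(git_tracked)
    expected_generated = set(expected_generated)
    return {
        "tracked": sorted(tarball & git_tracked),
        "generated": sorted(tarball & expected_generated),
        "unexpected": sorted(tarball - git_tracked - expected_generated),
        "missing": sorted(git_tracked - tarball),
    }


def lines_only_in_tarball(tarball_text, regenerated_text):
    """Lines present in the shipped generated file but absent from the copy
    we regenerated ourselves (added lines of a zero-context unified diff)."""
    diff = difflib.unified_diff(
        regenerated_text.splitlines(), tarball_text.splitlines(),
        lineterm="", n=0,
    )
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def verify_release(tarball, git_tracked, expected_generated, generated_contents):
    """Return a list of human-readable findings; empty means nothing to flag.
    generated_contents maps path -> (shipped_text, regenerated_text)."""
    findings = []
    classes = classify_tarball(tarball, git_tracked, expected_generated)
    for path in classes["unexpected"]:
        findings.append(f"unexpected file in tarball: {path}")
    for path in classes["missing"]:
        findings.append(f"git-tracked file missing from tarball: {path}")
    for path, (shipped, regenerated) in sorted(generated_contents.items()):
        for line in lines_only_in_tarball(shipped, regenerated):
            findings.append(f"{path}: line only in shipped copy: {line!r}")
    return findings


if __name__ == "__main__":
    for finding in verify_release(
        TARBALL_FILES, GIT_TRACKED, EXPECTED_GENERATED,
        {"configure": (TARBALL_CONFIGURE, REGENERATED_CONFIGURE)},
    ):
        print(finding)
```

The regeneration step is the part that matters: a diff between tarball and git only tells you that generated files exist, while a diff between the shipped generated file and one you produced from the same tag with the same autotools version tells you whether anything was added after generation. Autotools version drift will produce benign diffs, so in practice the regenerated copy should come from the same toolchain versions the release manager used.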
@trdebunked I think the obvious response there is just how much free software ended up depending on GNU behaviour (be that libc, gcc, or even somewhat more arguably Linux)
@trdebunked I think it's interesting tying this into the "systemd isn't really free software because it's so complicated" kind of argument. Free software is never going to be equivalently free for everyone - people who can code enjoy more freedom than people who can't (unless they have enough money to pay someone to do it). Where do boundaries get drawn?
@trdebunked (I don't think LLM models are inherently non-free - if someone supplied all the tools and the training data someone could rebuild that, the problem is that it would be implausibly expensive for most people to do so, but again that's not something that's been factored into the free software definition)
@trdebunked I completely agree there, you're pushing a free idea into an opaque blob in order to receive free code. But free software as defined in the 80s was fine with opaque compilers, and I don't think anything ever happened to expressly redefine that
@RoganDawes @ryanc There's not really a problem in the banner exchange - the client won't initiate key exchange until it's consumed the banner, so no matter who speaks first it could send a different packet type if the server had sent a signal in the banner
Is there a reason ssh doesn't support including server name in the handshake before key exchange so it can be proxied to the actual host via a single IP? I know you can make this work with proxycommand, it just seems like a weird absence in the protocol
@ryanc Looking at the RFC it sounds like the server is allowed to send additional information in the connection - a client that understood this would presumably be able to alter its behaviour (eg, send a desired hostname, get connected to the appropriate backend, re-start negotiation)?
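The part of the protocol the two posts above are discussing, as an added example that is not from the original thread and not OpenSSH code: RFC 4253 section 4.2 lets the server send arbitrary lines before its `SSH-protoversion-softwareversion` identification string, requires that those lines not begin with `SSH-`, and caps each line at 255 bytes including CR LF. The code builds such a greeting on the server side and parses it on the client side, separating the pre-lines (which a client that understood them could act on) from the version string and from whatever binary packet data follows. The `x-example-proxy` pre-line and the 32-line cap are my own assumptions, not anything the RFC defines.

```python
MAX_LINE_LEN = 255   # RFC 4253 §4.2 limit on an identification line, incl. CR LF
MAX_PRE_LINES = 32   # assumed local sanity cap; the RFC sets no count


def build_server_greeting(protoversion, softwareversion, pre_lines=(), comments=None):
    """Server side: optional extra lines, then the identification string."""
    out = b""
    for line in pre_lines:
        # RFC 4253 §4.2: extra lines MUST NOT begin with "SSH-".
        if line.startswith("SSH-"):
            raise ValueError("pre-identification line must not begin with SSH-")
        encoded = line.encode("utf-8") + b"\r\n"
        if len(encoded) > MAX_LINE_LEN:
            raise ValueError("pre-identification line too long")
        out += encoded
    ident = f"SSH-{protoversion}-{softwareversion}"
    if comments:
        ident += " " + comments
    encoded = ident.encode("utf-8") + b"\r\n"
    if len(encoded) > MAX_LINE_LEN:
        raise ValueError("identification string too long")
    return out + encoded


def parse_server_greeting(data):
    """Client side: consume lines until the SSH- identification string.

    Returns the pre-lines, the parsed version fields and the unconsumed
    bytes (the start of the first binary packet, e.g. KEXINIT).
    """
    pre_lines = []
    rest = data
    while True:
        nl = rest.find(b"\n")
        if nl < 0:
            raise ValueError("incomplete greeting: no line terminator yet")
        line, rest = rest[:nl + 1], rest[nl + 1:]
        if len(line) > MAX_LINE_LEN:
            raise ValueError("greeting line exceeds 255 bytes")
        text = line.rstrip(b"\r\n").decode("utf-8", errors="replace")
        if text.startswith("SSH-"):
            version_part, _, comments = text[4:].partition(" ")
            protoversion, _, softwareversion = version_part.partition("-")
            if not protoversion or not softwareversion:
                raise ValueError("malformed identification string")
            return {
                "pre_lines": pre_lines,
                "protoversion": protoversion,
                "softwareversion": softwareversion,
                "comments": comments,
                "remainder": rest,
            }
        pre_lines.append(text)
        if len(pre_lines) > MAX_PRE_LINES:
            raise ValueError("too many pre-identification lines")


def proxy_wants_hostname(pre_lines):
    """Hypothetical capability check a hostname-aware client might make on
    the pre-lines; the 'x-example-proxy' marker is assumed, not standard."""
    return any(l.strip().lower() == "x-example-proxy: send-hostname" for l in pre_lines)


if __name__ == "__main__":
    # Constructed exchange: server greeting followed by the first bytes of a
    # binary packet, exactly as a client would see them on the socket.
    greeting = build_server_greeting(
        "2.0", "OpenSSH_9.6", pre_lines=["x-example-proxy: send-hostname"]
    )
    parsed = parse_server_greeting(greeting + b"\x00\x00\x01\x02")
    print(parsed)
    print("proxy hint seen:", proxy_wants_hostname(parsed["pre_lines"]))
```

The point of the parse loop is the one the posts make: nothing after the identification string is interpreted until the client has read it, so an existing client simply discards the pre-lines and continues, while a client that recognised a hint there could change what it sends next before key exchange starts.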
If you're standing there facing people and thinking "They're not going to care about what I have to say" remember that a committee of people who know what the audience is interested in has already decided that the audience is interested in what you have to say
The first real conference talk I gave was on a large stage and I was timetabled against the first public presentation of d-bus and it was a community I had no real prior experience with and yeah it was fucking terrifying but I promise it does get easier
Former biologist. Actual PhD in genetics. Security at https://aurora.tech, OS security teaching at https://www.ischool.berkeley.edu. Blog: https://mjg59.dreamwidth.org. He/him.