@VeroniqueB99 I had this crazy thought when I was high earlier this week that they're building bunkers in preparation for "cleansing the world of the poors" via blanket nuclear/chemical/whatever weapon use. Kind of reminds me of the story of Noah's ark in The Bible. 🤪
Jan Heine, head of R&D at Rene Herse Cycles, explained: “One-by drivetrains have simplified bicycle gearing, but it’s time to go a step further. Most cyclists need only three gears: one for uphills, one for flat roads, and one for downhills. The steps between these gears tend to be relatively large. Large steps between three gears are easiest to accommodate on the front, with a triple crank. So we’ve effectively turned the one-by around and put all the gears on the front.”
The Floating Chain system uses a triple crank and just a single-speed freewheel on the rear. As an added benefit, front derailleurs are lighter, more reliable, and less prone to damage when the bike falls over.
In the interest of keeping the system simple and to reduce mechanical resistance to a minimum, there is no chain tensioner. The chain length is selected for the big chainring, and it’s allowed to float freely when it runs on one of the smaller chainrings. There is no need to keep the lower chain run tensioned, as long as you don’t backpedal for more than half a revolution of the cranks.
@Moon@mikoto@sun Just realized that the NVMe option is available for new volumes, so I'm copying attachments and database files to a new volume right now. Over 200 GB so it'll take a while. :P
Looks like we have a new #xz vulnerability (backdoor):
XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access

Red Hat today issued an "urgent security alert" for Fedora 41 and Fedora Rawhide users over XZ. Yes, the XZ tools and libraries for this compression format. Some malicious code was added to XZ 5.6.0/5.6.1 that could allow unauthorized remote system access.
Red Hat cites CVE-2024-3094 for this XZ security vulnerability due to malicious code making it into the codebase. I haven't seen CVE-2024-3094 made public yet but the Red Hat security alert sums it up as…
[quote]One portion of the backdoor is solely in the distributed tarballs. For easier reference, here's a link to debian's import of the tarball, but it is also present in the tarballs for 5.6.0 and 5.6.1:
That line is *not* in the upstream source of build-to-host, nor is build-to-host used by xz in git. However, it is present in the tarballs released upstream, except for the "source code" links, which I think github generates directly from the repository contents:
This injects an obfuscated script to be executed at the end of configure. This script is fairly obfuscated and uses data from "test" .xz files in the repository.
This script is executed and, if some preconditions match, modifies $builddir/src/liblzma/Makefile to contain
Note that the files were not even used for any "tests" in 5.6.0.
Subsequently the injected code (more about that below) caused valgrind errors and crashes in some configurations, due to the stack layout differing from what the backdoor was expecting. These issues were attempted to be worked around in 5.6.1:
Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system. Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the "fixes" mentioned above.
Florian Weimer first extracted the injected code in isolation, also attached, liblzma_la-crc64-fast.o, I had only looked at the whole binary. Thanks!
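Two quick defender-side checks that follow from the quoted analysis, written as an added example (not part of the alert or the quoted mail): whether an xz version is one of the two releases named above, and whether a release tarball ships a build-to-host.m4 at all, since the mail states build-to-host is not used by xz in git. The m4 file path (m4/build-to-host.m4) and the sample tar listing are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example for CVE-2024-3094 triage; not code from the quoted mail.

# Return 0 (true) when the version string is 5.6.0 or 5.6.1, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version`
# output, which looks like "xz (XZ Utils) 5.6.1".
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9.]*\).*$/\1/p'
}

# Read a tar listing on stdin; print every build-to-host.m4 entry and
# return 0 if at least one was found, 1 otherwise. Per the quoted mail,
# xz in git does not use build-to-host, so a tarball carrying it is
# worth diffing against the repository before building.
listing_has_build_to_host() {
    found=1
    while IFS= read -r entry; do
        case "$entry" in
            */build-to-host.m4|build-to-host.m4) printf '%s\n' "$entry"; found=0 ;;
        esac
    done
    return $found
}

# Convenience wrapper for a real release tarball on disk.
tarball_has_build_to_host() {
    tar tf "$1" | listing_has_build_to_host
}

# Report on the locally installed xz, if any (always returns 0; the
# predicate above is what scripts should branch on).
check_installed_xz() {
    v=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
    [ -n "$v" ] || { echo "xz not found in PATH"; return 0; }
    if xz_version_affected "$v"; then echo "xz $v: affected release (CVE-2024-3094)"
    else echo "xz $v: not one of the affected releases"; fi
}

# Constructed sample listing (assumed layout; not a real tarball).
SAMPLE_LISTING='xz-5.6.1/configure
xz-5.6.1/m4/build-to-host.m4
xz-5.6.1/src/liblzma/Makefile.in'

check_installed_xz
printf '%s\n' "$SAMPLE_LISTING" | listing_has_build_to_host
```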