![](/static/66c60d9f/assets/icons/icon-96x96.png)
![](https://lemmy.ml/pictrs/image/q98XK4sKtw.png)
Of course not, but you have to either trust your users to some extent or give them a system that’s locked down to the point of hindering them.
Of course not, but you have to either trust your users to some extent or give them a system that’s locked down to the point of hindering them.
What is ‘unallowed software’? A shell script the user wrote? Something they downloaded and compiled?
Limiting that seems fundamentally at odds with FOSS.
If you stop shipping autotools generated artefacts in your tarballs, things will be a lot simpler.
Weirdly enough the malicious code does look eerily similar to the benign code, because both are unnecessarily obfuscated.
This is not a human written or readable file you’re talking about. It’s a generated script.
As the other user suggested, you probably just need to mount the root subvolume somewhere and run it on that.
Try using btdu
. I’m not sure how it works with compression, but it at least understands snapshots, as long as they are named in a sane way.
Yeah, that’s fair. If you want to test that you can still decompress something compressed with some random old version, you either need to keep the old algorithm around, or the data.
Many of the files have been created by hand with a hex editor, thus there is no better “source code” than the files themselves.
I don’t buy that. There would have been some rationale behind the contents that could be automated, like “compressed file with bytes 3-7 in the header zeroed”.
You also probably don’t need these test files to be available in the environment where the library itself is built. There are various ways you could avoid that.
I do agree about the autotools stuff though.
Minor differences in those files are perfectly normal as the contents of them are copied in from the shared autoconf-archive project, but every distro ships a different version of that, so what any given thing looks like will depend on the maintainer’s computer.
This seems avoidable. We shouldn’t be copying code around like that.
I wonder if anyone is doing large scale searches for source releases that differ in meaningful ways from their corresponding public repos.
It’s probably tough due to autotools and that sort of thing.
All of this would be avoided if Debian downloaded from GitHub’s distributions of the source code, albeit unsigned.
In that case they would have just put it in the repo, and I’m not convinced anyone would have caught it. They may have obfuscated it slightly more.
It’s totally reasonable to trust a tarball signed by the maintainer, but there probably needs to be more scrutiny when a package changes hands like this one did.
it had a way to know it was being emissions tested and so it adapted to that.
Not sure why you got downvoted. This is a good analogy. It does a lot of checks to try to disable itself in testing environments. For example, setting TERM will turn it off.
the wilds of Nova Scotia
Walking across the Windsor Street exchange is wild for sure.
I’d probably:
systemctl suspend
When the screen fails to wake, are you able to get it back by powering it off, or by unplugging it? Is it X or wayland?