Latest Comments by Nic264
XZ tools and libraries compromised with a critical issue
30 Mar 2024 at 4:00 pm UTC Likes: 7
Quoting: ElectricPrism
> Having read and reflected more, I feel like there are at least 2 points to drive home.
> 1. Why in the hell is anyone still using Github for FOSS? Projects should go independent or literally anywhere else.
> 2. This really drives home the point that __BINARY CANNOT BE TRUSTED__ -- we really should hammer this idea in HARD.
> If you can't see the source, how are you going to verify (I) A Signature, and (II) What the software does and does not do.
> I could see it being Legally Mandated that ALL SOFTWARE is required to publish their source code to ensure that malicious foreign actors haven't hidden things in the software.
> __BINARY CANNOT BE TRUSTED__ -- of course most of you already know this -- Easy-Anti-Cheat? What does it really do? Denuvo? What does it really do? How do we know that it's safe? How can we verify that software is safe?

While there is some truth to what you're saying, this is mostly unrelated to the issue at hand:

Binary Cannot Be Trusted. Fuck GitHub.
1. This would have happened whether the project source code was hosted on GitHub or not. The malicious archives were also available from xz.tukaani.org and the project also has its own git hosting at git.tukaani.org. How does that help mitigate the issue in any way?
2. The affected tarballs were source archives, not binaries. They do happen to contain binary test data because xz is a tool that reads/writes binary data. This test data is not supposed to be used at build time, only during tests by developers or on a CI setup, and it's not supposed to be executable. Now the malicious maintainer introduced some compressed scripts and executable code masquerading as test data in there some time ago, and in the last 2 releases they added a build step that reads and executes that at build time. That extra build step that only exists in the source archives is human-readable code and not binary. No one trusted the binary that gets loaded in the end because no one knew it even existed.
Source Archives Cannot Be Trusted. Fuck Tar.
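As an added example (not code from this comment thread or from the xz project), a small POSIX shell check for the distinction the reply draws between the git tree and the release tarball: it lists files that are present in a tarball but absent from the matching tag's git archive, which is exactly where a build step that "only exists in the source archives" would show up. The archive layout, the package name `pkg-1.0` and the file `m4/extra-step.m4` are constructed for the demo.

```shell
#!/bin/sh
# Added example: report paths that exist in a release tarball but not in the
# git archive of the same tag. Both archives are listed with tar, the top-level
# "name-version/" directory is stripped, and the two sorted lists are compared.
set -eu

# strip_top: drop directory entries and the leading "name-version/" component,
# so both archives compare on relative file paths.
strip_top() {
  grep -v '/$' | sed 's#^[^/]*/##' | sort -u
}

# tarball_only_files RELEASE.tar GIT.tar -> prints paths present only in RELEASE.tar
tarball_only_files() {
  rel_list=$(mktemp) git_list=$(mktemp)
  tar -tf "$1" | strip_top > "$rel_list"
  tar -tf "$2" | strip_top > "$git_list"
  comm -23 "$rel_list" "$git_list"   # lines unique to the release tarball
  rm -f "$rel_list" "$git_list"
}

# make_demo_archives DIR: build a constructed "git archive" (git.tar) and a
# constructed "release tarball" (release.tar) that carries one extra build
# file. All names are hypothetical and exist only for this demo.
make_demo_archives() {
  mkdir -p "$1/src/pkg-1.0/m4" "$1/src/pkg-1.0/tests/files"
  : > "$1/src/pkg-1.0/configure.ac"
  : > "$1/src/pkg-1.0/tests/files/sample.lzma"   # legitimate binary test data
  tar -C "$1/src" -cf "$1/git.tar" pkg-1.0
  : > "$1/src/pkg-1.0/m4/extra-step.m4"          # present only in the tarball
  tar -C "$1/src" -cf "$1/release.tar" pkg-1.0
}

# demo: run the comparison on the constructed archives and print the result
demo() {
  d=$(mktemp -d)
  make_demo_archives "$d"
  tarball_only_files "$d/release.tar" "$d/git.tar"
  rm -rf "$d"
}

demo
```

On a real release, replace `git.tar` with the output of `git archive <tag>` and expect generated files such as `configure` to appear; what matters is reviewing each tarball-only path rather than assuming all of them are harmless autotools output.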
Steam Deck, Steam Big Picture and SteamVR get lots of visual tweaks in new Beta
10 Nov 2023 at 12:11 pm UTC Likes: 1
Quoting: Liam Dawe
> the buttons are way too big

Maybe this has to do with translations: in the current version, when the interface is in French, the labels are larger and the cover feels misaligned as a result (e.g. “View Store Page” vs “Consulter la page du magasin”).
So maybe (hopefully?) they set the width of the buttons to max(translations) to spot that kind of issue during the beta and will revert to buttons that adapt to the actual text length on release?
Valve locking down publishing Steam builds with SMS codes due to Malware
12 Oct 2023 at 7:59 pm UTC Likes: 3
Quoting: denyasis
> No, it can't infect "the system", but since we're executing programs out of /home, isn't that good enough? The malware is still running under the users permissions, it can still execute in /home, read data, access the network, etc.

Relevant xkcd: https://xkcd.com/1200/

Quoting: BlackBloodRum
> It is possible the malware has been trained to handle Linux, in which case it will try to get access to your home directory. Worst case here is your home directory gets hosed, and data which your user has permission to modify is altered, which is fairly minor.

Worst case is rather that it uploads your ~/.ssh, ~/.mozilla and ~/.thunderbird to some remote server.
I would not call that “fairly minor” either way: what is more valuable on your computer than your data?
For Honor from Ubisoft gets an anti-cheat update - now Playable on Steam Deck
28 Jul 2023 at 6:47 pm UTC Likes: 6
Quoting: ElectricPrism
> Isn't Ubisoft the one where if you don't login for a few months they delete your purchases?

No and no:
* After 4 years of inactivity they send a notice to give you 30 days to cancel the deletion.
* If and only if you've got no game to lose in the process.
Learn to make no-code games with GDevelop and Fanatical
26 Jul 2023 at 6:42 pm UTC Likes: 2
Quoting: hardpenguin
> This is a legitimate business tactic that does not violate open source principles at all.

I completely agree. This also seems to be quite common for creative software; two other (great) examples off the top of my head where the official no-cost binary is only for demo purposes:
- Aseprite, a pixel art editor/animator: “WARNING: You CANNOT SAVE files with the trial version”
- Ardour, a DAW: gives the choice between binary and source upfront, the demo binary “periodically goes silent after 10 minutes”.
EDIT: it seems Aseprite isn't open source anymore (since 2016), but still source-available :sad:
AMD reveals initial open source openSIL code to replace AGESA Firmware
15 Jun 2023 at 8:00 pm UTC Likes: 5
Quoting: Geamandura
> The processor doesn't need to be able to access your RAM to be a security risk. If its crypto engines or RNG engine is analyzed and a flaw in the algorithm is detected, it can be exploited to weaken anything that has been encrypted with this processor.

This can be said about basically any piece of security hardware or software. “it could be broken someday” ≠ “it's a backdoor”
Steam now allows transferring games between PCs and Steam Deck too
20 Feb 2023 at 9:44 am UTC Likes: 2
Quoting: Linas
> This is great news. Does anyone know if it is possible to run Steam headless on a home server just for the purpose of caching game files?

I have no idea about running Steam headless, but you might want to take a look at lancache instead; it has been supported by Steam since 2020 already:
https://lancache.net/news/2020/01/14/steam-client-now-supports-lancache/
No more Steam Deck reservation queue — buy it now, plus Docking Station available
6 Oct 2022 at 8:57 pm UTC Likes: 2
My main takeaway from this video:
`flatpak install flathub net.sourceforge.ExtremeTuxRacer`
That must indeed be a great game to use the gyro!
Transferring files from PC to Steam Deck with FileZilla FTP
29 Sep 2022 at 9:55 pm UTC Likes: 1
Dolphin is also a very good sftp client.
In short from a terminal, krunner or whatever: `dolphin sftp://deck@<deck ip>/home/deck`.
Or some clickety way through the GUI.
Also protip, you can replace `systemctl enable sshd && systemctl start sshd` with `systemctl enable --now sshd` 😉
dbrand reveal the full details of Project Killswitch for Steam Deck
3 Sep 2022 at 10:40 am UTC Likes: 2
Quoting: randyl
> Getting screwed over by businesses not fulfilling their promises, while having little to no recourse, is maddening.

But that's not the case here (no pun intended). We're talking about a $3 refundable reservation for a collection of objects whose prices were unspecified from the beginning.
So the “recourse” for people who think the final price is too expensive is really simple: don't buy the product & ask for the refund…
I'm actually surprised those queue systems with a small refundable fee work so well to get people emotionally invested (for better or for worse).