Microsoft-Activation-Scripts VS libarchive

I'd love to know how many people are verifying checksums, and sourcing the checksums themselves from reputable sources. An event like this seems like a prime opportunity for someone to insert something extra into one of the components needed and a proportion of users will pick it up, whether the security cure is worse than the disease of an unsupported OS.

Just as an example of this everyone points out Massgrave for activation on a version of windows I doubt many are properly licensed for, and one of the methods used relies on periodically talking to KMS servers they provide including some on a Chinese TLD [0]. Personally I'd be charitable and say it's probably well intentioned using the cheap resources they can get (there's no mention of donations on the site), but I wonder how many are aware of what is involved and this is just something they rush through to get rid of the big scary warning that windows puts up and tech news hysteria.

[0] https://github.com/massgravel/Microsoft-Activation-Scripts/b...

Check properly next time, their 200 lines PowerShell script is downloading some 20k line cmd monstrosity https://github.com/massgravel/Microsoft-Activation-Scripts/b...

But this level of scrutiny is precisely why such DIY security claims ring hollow.

You don't have to buy grey market keys, use the public ones installed through mass gravel. Open source, hosted on Microsoft's own GitHub - it's practically an endorsement!

> https://github.com/massgravel/Microsoft-Activation-Scripts

The last I looked into this these were the conclusions I found depending on individual situation:

- If you're looking to do this 100% to the letter then you'll need to enter some form of VL agreement with an authorized reseller. This will come with a minimum purchase of 5 licenses.

- If you're looking to do this with a "real" key but not by the book then one of the gray market sites.

- If you're looking to do this morally by paying Microsoft but don't care if the actual activation is completed with the license you purchase then the Windows 11 Pro license and use https://github.com/massgravel/Microsoft-Activation-Scripts/ to activate your Windows 11 LTSC

- If you don't care about any of this then https://github.com/massgravel/Microsoft-Activation-Scripts/ still works

- If you absolutely want to do it by the book but don't want to purchase 5 licenses there is no official offering available.

LTSC eliminates so many antifeatures present in 11 and 10 Home, and also solves the problem of the EOL for 10 next year - Win10 IoT Enterprise LTSC is good through 2031.

Grab the "en-us_windows_10_iot_enterprise_ltsc_2021_x64_dvd_257ad90f" ISO, sha1 begins 76c3c10e, from Microsoft:

https://www.microsoft.com/en-us/software-download/windows10

(Note that you have to set your user agent to something other than Windows.)

Run the activation script from Github:

https://github.com/massgravel/Microsoft-Activation-Scripts

And enjoy a Windows that feels like your own PC again, not Microsoft's.

I have to run a number of CAD programs and proprietary IDEs in a Win10 VM, this is the only way it's usable for me.

I upgraded my Windows 7 to 10 (due to Chrome-based browsers weren't being updated anymore for Windows 7, and there was the WebP exploit) using DISM, and I learn that you can also upgrade Windows 10 to Enterprise, which is a little less car-salesman-ly than Pro (no web stuff on the Start Menu/search for example):

https://woshub.com/upgrade-windows-10-edition-without-reinst...

On this Windows edition I haven't seen any nudges to upgrade to 11.

There's even a "curl $URL | sh"-esque command to get Windows activated, hosted on Microsoft's own Github: https://github.com/massgravel/Microsoft-Activation-Scripts

Or MAS[0]

[0] https://github.com/massgravel/Microsoft-Activation-Scripts

Per this 2018 page, GNU tar seems to work with SCHILY.* encoded xattrs, but not LIBARCHIVE.* ones:

* https://mgorny.pl/articles/portability-of-tar-features.html#...

* Via: https://github.com/mxmlnkn/ratarmount/issues/145

bsdtar ≥3.7.2 apparently adds both types to its files for maximum portability:

* https://github.com/libarchive/libarchive/pull/691/files#diff...

AFAICT, bsdtar will default to "ustar" format, but will auto-switch to "pax" if needed.

Wild. All of these carefully inserted “seemingly innocuous” changes in the ecosystem to end up contributing to a wider exploit.

This comment sums it up nicely with a gif: https://github.com/libarchive/libarchive/pull/1609#issuecomm...

29. October 2021 At this point Jia Tan pops up, and the first thing we see from him is an innocuous patch to the xz repository, and while a lot of people believe he started out trying his luck with another library also known as libarchive, this is not the case, I would bet it’s more of a backup looking at the dates, being that there are a few days in between as shown in this commit.

Potentially malicious commit by same author on libarchive: https://github.com/libarchive/libarchive/pull/1609

Full agreement, and with the addition of xpk¹/xfd² as natural extensions to that extensibility too. I see things like xfd supporting xz¹, and I'm simultaneously amazed that it exists and happy that I don't need to do xz {,de}compression on 68k ;)

I guess we have something similar-ish with libarchive⁴, but nobody(including me) has pushed the extra mile to get file dialogs to support random compression and decompression formats.

Beyond OT: I didn't realise how much stuff was still going on at aminet, but I love love LOVE that people are still dropping new car sets for Geoff Crammond's F1GP.

¹ http://aminet.net/package/util/pack/xpk_User

² http://aminet.net/package/util/pack/xfdmaster

³ http://aminet.net/package/util/pack/xfd_lzma.lha

⁴ https://www.libarchive.org/

I don't have a preview channel install handy to check, but apparently they're using libarchive so here's the full list assuming they expose everything it supports:

https://github.com/libarchive/libarchive/wiki/LibarchiveForm...

As announced at the Build conference back in May, this build adds native support for reading additional archive file formats using the libarchive open-source project such as