gentoo
xz
gentoo | xz | |
---|---|---|
51 | 24 | |
1,992 | 160 | |
0.8% | - | |
10.0 | 9.7 | |
5 days ago | about 1 month ago | |
Shell | C | |
- | GNU General Public License v3.0 or later | |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
gentoo
- Backdoor in upstream xz/liblzma leading to SSH server compromise
-
Vulkan Video Extensions for Accelerated H.264 and H.265 Encode
Whilst Firefox may support hardware video decoding, Mesa since March 2022 disables patent encumbered codecs by default[1], and distributions such as Fedora and openSUSE do not explicitly enable these patent encumbered codecs to avoid possible legal problems. Even Gentoo (built from source code by the user) requires the user to explicitly enable a USE flag (proprietary-codecs) to use patent encumbered codecs.[2]
The thought process is that AMD, NVIDIA, Intel and the likes are not providing a patent license with their hardware.[3] They are instead just supplying part of an overall system that together with operating system kernel, display manager software, video player software, etc allows the decoding and encoding of patent encumbered video files. Open source software projects and distributions are concerned they'd be found to be infringing patents by enabling a complete solution out-of-the-box. Hence they put some hurdles in place so that a user has to go out of their way to separately piece together the various parts to form a complete system capable of encoding and decoding patent encumbered codecs.
[1] https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/15...
[2] https://github.com/gentoo/gentoo/commit/1265a159743d7f07185a...
[3] https://lists.fedoraproject.org/archives/list/[email protected]...
-
I like gentoo's package deprecation process
Thank you! I don't live in git and this helps! Normally under gentoo I shouldn't have to. This actual git https://github.com/gentoo/gentoo (as opposed to the gentoo browser view) plus this "checkout the commit" should get me much further. ... And probably deserves some space in the gentoo docs.
- Great news java people: Gradle eclass is in the works!
- LLVM stages
-
Is gentoo difficult to maintain as a daily driver?
You choose - here's a list
- Error 2124 when trying to interact with super-block (show-super, set-option)
- HTTP-Tiny: verify_SSL (Draft PR)
-
My CNCF LFX Mentorship Spring 2023 Project at Kubescape
(pending) gentoo/gentoo #30595 sys-cluster/kubescape: new package, add 2.2.6
-
Why do the desktop profiles add so many USE flags?
profiles/targets/desktop/make.defaults:
xz
-
XZ backdoor story – Initial analysis
Very funny. This one:
https://github.com/tukaani-project/xz/commits?author=thesame...
- Xz: Update maintainer and author info. The other maintainer suddenly disappeared
- Thanks Andres Freud
- The xz-utils backdoor has been removed
-
The xz sshd backdoor rabbithole goes quite a bit deeper
> The payload of the 'hack' contains fairly easy ways for the xz hackers to update the payload. They actually used it to remove a real issue where their hackery causes issues with valgrind that might lead to discovering it, and they also used it to release 5.6.1 which rewrites significant chunks;
The valgrind fix in 5.6.1 overwrites the same test files used in 5.6.0 instead of using the injection code's extension hooks. This is done with what should have been a highly suspicious commit: https://github.com/tukaani-project/xz/commit/6e636819e8f0703... - this replaces "random" test files with other "random" test files. The stated reason is questionable to begin with, but not including the seed used when the purported reason was to be able to re-create the files in the future is highly suspicious. This should have raised red flags but no one was watching. I'd say this is another part of the operation that was much more sloppy than it needed to be.
-
Timeline of the xz open source attack
In https://archive.softwareheritage.org/browse/revision/e446ab7...
-
GitHub Disabled the Xz Repo
You're right, but maybe because there's nothing to see: https://github.com/tukaani-project/xz
- Xz Repository Censored by GitHub
- Backdoor in upstream xz/liblzma leading to SSH server compromise
- The Return of the Frame Pointers
What are some alternatives?
gentooLTO - A Gentoo Portage configuration for building with -O3, Graphite, and LTO optimizations
wasmtime - A fast and secure runtime for WebAssembly
torbrowser-overlay - Gentoo overlay for Tor Browser related ebuilds
stencil-golang - Template repository for Golang applications
cmake-init-conan-example - cmake-init generated executable project with Conan integration
tukaani-project
cmake-init-vcpkg-example - cmake-init generated executable project with vcpkg integration
libarchive - Multi-format archive and compression library
llvm-overlay - Unofficial experimental gentoo overlay for compiling llvm with additional components
Folly - An open-source C++ library developed and used at Facebook.
cmake-init - The missing CMake project initializer
JDK - JDK main-line development https://openjdk.org/projects/jdk