Proxygen | xz |
---|---|
7 | 24 |
8,025 | 160 |
0.2% | - |
9.2 | 9.7 |
6 days ago | about 1 month ago |
C++ | C |
GNU General Public License v3.0 or later | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Proxygen
- Backdoor in upstream xz/liblzma leading to SSH server compromise
Looking forward to the time when Meta will make https://github.com/facebookincubator/zstrong.git public
found it mentioned in https://github.com/facebook/proxygen/blob/main/build/fbcode_..., looks like it's going to be a cousin of zstd, but maybe for the stronger compression use cases
- Nghttp3 1.0.0 – HTTP/3 library written in C
- Zap – fast back ends in Zig
- C++ (or C, I guess) application server that's QUIC/HTTP3 ready?
- kleinsHTTP: A stupid stupidly simple HTTP Server
proxygen claims to support all 3, although I'm still not sure if it's an actual library or just an interface.
- cpprestsdk in maintenance mode
If you need an embedded C++ HTTP server then there are plenty of libraries/frameworks (in random order): Crow, RESTinio, Boost.Beast, cpp-httplib, http_backend, Pistache, RestBed, served, proxygen, Simple-Web-Server, drogon, oat++.
- Experiments with h3 clients + Envoy
proxygen/hq
xz
- XZ backdoor story – Initial analysis
Very funny. This one:
https://github.com/tukaani-project/xz/commits?author=thesame...
- Xz: Update maintainer and author info. The other maintainer suddenly disappeared
- Thanks Andres Freud
- The xz-utils backdoor has been removed
- The xz sshd backdoor rabbithole goes quite a bit deeper
> The payload of the 'hack' contains fairly easy ways for the xz hackers to update the payload. They actually used it to remove a real issue where their hackery causes issues with valgrind that might lead to discovering it, and they also used it to release 5.6.1 which rewrites significant chunks;
The valgrind fix in 5.6.1 overwrites the same test files used in 5.6.0 instead of using the injection code's extension hooks. This is done with what should have been a highly suspicious commit: https://github.com/tukaani-project/xz/commit/6e636819e8f0703... - this replaces "random" test files with other "random" test files. The stated reason is questionable to begin with, but not including the seed used when the purported reason was to be able to re-create the files in the future is highly suspicious. This should have raised red flags but no one was watching. I'd say this is another part of the operation that was much more sloppy than it needed to be.
- Timeline of the xz open source attack
In https://archive.softwareheritage.org/browse/revision/e446ab7...
- GitHub Disabled the Xz Repo
You're right, but maybe because there's nothing to see: https://github.com/tukaani-project/xz
- Xz Repository Censored by GitHub
- Backdoor in upstream xz/liblzma leading to SSH server compromise
- The Return of the Frame Pointers
What are some alternatives?
C++ REST SDK - The C++ REST SDK is a Microsoft project for cloud-based client-server communication in native code using a modern asynchronous C++ API design. This project aims to help C++ developers connect to and interact with services.
wasmtime - A fast and secure runtime for WebAssembly
Boost.Beast - HTTP and WebSocket built on Boost.Asio in C++11
stencil-golang - Template repository for Golang applications
POCO - The POCO C++ Libraries are powerful cross-platform C++ libraries for building network- and internet-based applications that run on desktop, server, mobile, IoT, and embedded systems.
tukaani-project
Simple-WebSocket-Server
libarchive - Multi-format archive and compression library
nghttp2 - nghttp2 - HTTP/2 C Library and tools
Folly - An open-source C++ library developed and used at Facebook.
Mongoose - Embedded Web Server
JDK - JDK main-line development https://openjdk.org/projects/jdk