tukaani-project
homebrew-core
tukaani-project | homebrew-core | |
---|---|---|
5 | 133 | |
- | 13,271 | |
- | 0.9% | |
- | 10.0 | |
- | 3 days ago | |
Ruby | ||
- | BSD 2-clause "Simplified" License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
tukaani-project
-
Backdoor in upstream xz/liblzma leading to SSH server compromise
Thank you. If you wouldn't have explained the background, I totally would've thought that this is just an innocent typo.
(I still think it's like... 60% a typo? don't know)
Anyhow, other people called the CCing of JiaT75 by Lasse suspicious:
https://news.ycombinator.com/item?id=39867593
https://lore.kernel.org/lkml/20240320183846.19475-2-lasse.co...
Someone pointed out the "mental health issues" and "some other things"
https://news.ycombinator.com/item?id=39868881
https://www.mail-archive.com/[email protected]/msg00567.h...
Lasse is of course a Nordic name, and the whole project has a finnish name and hosting
https://news.ycombinator.com/item?id=39866902
If I wanted to go rogue and insert a backdoor in a project of mine, I'd probably create a new sockpuppet account and hand over management of the project to them. The above is worringly compatible with this hypothesis.
OTOH, JiaT75 did not reuse the existing hosting provider, but rather switched the site to github.io and uploaded there old tarballs:
https://github.com/tukaani-project/tukaani-project.github.io...
If JiaT75 is an old-timer in the project, wouldn't they have kept using the same hosting infra?
There are also some other grim possibilities: someone forced Lasse to hand over the project (violence or blackmailing? as farfetched as that sounds)... or maybe stole Lasse devices (and identity?) and now Lasse is incapacitated?
Or maybe it's just some other fellow scandinavian who pretends to be chinese and got Lasse's trust.
Is the same person sockpuppeting Hans Jansen? It's amusing (but unsurprising) that they are using both german-sounding and chinese-sounding identities.
That said, I don't think it's unreasonable to think that Lasse genuinely trusted JiaT75, genuinely believed that the ifunc stuff was reasonable (it probably isn't: https://news.ycombinator.com/item?id=39869538 ) and handed over the project to them.
And at the end of the day, the only thing linking JiaT75 is a swedish/finnish racist joke which could well be a typo. People already checked the timezone of the commits, but I wonder if anyone has already checked the time-of-day of those commits... does it actually match the working hours that a person genuinely living (and sleeping) in China would follow?
homebrew-core
-
Is Go Used in Production more than Rust ?
$ brew info eza ==> eza: stable 0.18.13 (bottled) Modern, maintained replacement for ls https://github.com/eza-community/eza Not installed From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/e/eza.rb License: MIT ==> Dependencies Build: pandoc ✘, pkg-config ✔, rust ✘ Required: libgit2 ✘ ==> Analytics install: 12,792 (30 days), 38,295 (90 days), 68,375 (365 days) install-on-request: 12,790 (30 days), 38,293 (90 days), 68,375 (365 days) build-error: 0 (30 days)
-
GitHub Disabled the Xz Repo
Is disabling the compromised repo the typical GitHub policy? My concern is there are monorepos used by package managers, like brew, that are a collection of thousands of projects [1]. These monorepos seem like a prime target for attack and if GitHub disables one because a malicious commit was merged then you've taken down an entire ecosystem.
[1] https://github.com/Homebrew/homebrew-core
-
Backdoor in upstream xz/liblzma leading to SSH server compromise
> Correct. Though we do not appear to be affected, this revert was done out of an abundance of caution.
[1] https://github.com/Homebrew/homebrew-core/pull/167512
-
Pyenv – lets you easily switch between multiple versions of Python
> right, but now you know even less about your setup when you some roadblock
This is the same with a binary though. And with homebrew, you can't follow patches or flags used or if they change.
- https://github.com/Homebrew/homebrew-core/blob/c964ad7fa53ad...
- Apple curl security incident 12604
-
Cowsay
definitely be careful about using fortune in a corporate environment or public space if you don't know what dat files you are using or you might just get an extremely unwelcome surprise.
I was practicing a presentation and used to use "fortune" all the time. I forget exactly what it output but I remember being absolutely mortified about what could have happened if that had popped up during an internal company tech talk.
Kudos to brew for keeping unsuspecting people safe
https://github.com/Homebrew/homebrew-core/commit/3fb3c4c3e55...
-
Ask HN: Trouble with a Stargate
I'm sorry to be asking this as I find it a bit silly, but it's blocking my PR [3], so could a few of you star the project on Github [1] to get my PR to run?
[1] https://github.com/laktak/chkbit-py
[2] https://brew.sh
[3] https://github.com/Homebrew/homebrew-core/pull/160018
- Simulate an Ubuntu-like VM inside macOS
- When open source platforms are worse than closed source
- Homebrew Rejects the Idea for Post-Install Notes
What are some alternatives?
systemd - The systemd System and Service Manager
yt-dlp - A feature-rich command-line audio/video downloader
xz - XZ Utils [GET https://api.github.com/repos/tukaani-project/xz: 403 - Repository access blocked]
asdf-python - Python plugin for the asdf version manager
wasmtime - A fast and secure runtime for WebAssembly
HomeBrew - 🍺 The missing package manager for macOS (or Linux)
rust1 - rust1
homebrew-php - :beer: Homebrew tap for PHP 5.6 to 8.4. PHP 8.4 is built nightly.
openconnect
osxfuse - FUSE extends macOS by adding support for user space file systems
xz - xz compression in Go
homebrew-cask-versions - 💀 Alternate versions of Casks (deprecated)