XZ story REVISED: Should we apologize or demand an apology – This crisis is placing all of us under the test CVE-2024-3094

Systems running without systemd are apparently safe

What crisis?  CVE-2024-3094
A compromised lzma library is triggered by an openssh hook to systemd notify (sd_notify) to obtain code hidden in liblzma and create a backdoor to any Debian/Fedora/Ubuntu ssh server.  Apparently not even openssh-selinux is safe under those conditions (glibc, x86-64, preconfigured tarball source from github 5.6.0 and 5.6.1, systemd, openssh, rpm or deb packaging, with enabled calls to systemd through the openssh.service).  If the source was built from git with a native clean autoconf/make, the suspect code is not included.  Musl systems have nothing to worry about, probably because they can’t compile sd_notify to trigger this whole thing.

Psychopath, paranoid, not knowing shit about software

When we criticized zstd and advocated for that long-term friend xz, suspecting zstd of being a trojan horse for security and encryption, those were some of the names I/we were called by the fan-club of the facebook-hired ex-military author of zstd.  Mind you, zstd is commonly built with the lzma library enabled!

“IMPOSSIBLE, it is just a compression algorithm, it can’t be used to exploit the security of a system,” they said.

Sorry, I may have had no clue how, but IT IS now POSSIBLE!!!

Good news:  As far as experts in Debian, Fedora, Arch and Ubuntu can TELL, it takes systemd to energize the backdoor, specifically a hook used by Debian to build openssh a certain way, so that systemd/dbus/sd-bus/sd-notify run rogue code to obtain material from a blob (check/test result) from lzma to modify running binaries to open the backdoor.


What does it take to form a large effective team of developers and have a professional product?

Money?  What else?  Fame, glory, power?

What motivates people to join a team to produce and construct something?

What specifically do people with a given skill see in contributing to benefit others indiscriminately?

FOSS may be the single largest field where people as individuals or small teams contribute many many hours of their “free” time, for the benefit of anyone who wants to “consume” the product of their labor.  Sure, there may be some philanthropic activities, community gardens, bicycle co-ops and pizza co-ops, sports, theater, … but these are minor compared to this endless contribution of open and free code consumed by millions around the earth.

Why?


On the discussion about elogind and dbus “hate”, is there reason?

A vivid discussion has broken out between members of the community, whether q66 considers her/himself one or not is not our prerogative to define, or exclude anyone, about the hardcore stance against FOSS pests such as systemd, elogind, dbus, udev, etc.  So since the topic of discussion is very specific it would have been best if a topic addressed the specific issue, which is irrelevant to whether Chimera Linux belongs on a strict list of distributions without systemd or not.  The criteria about that list are very clear.  The criteria for the “gray” list are not very clear, but nobody really cares about this sloppy list of gray categorized distros, such as void, artix, and devuan.

How safe are you and how much do you trust your distro?

Except for a few distros that assist their users to build everything they install from source (kiss and forks, LFS and forks, gentoo and forks, crux, exherbo, T2-sde, etc), most linux distributions offer binaries to be installed, usually backed up by the source code (script) building the package from either their own source code, or what we call upstream (other FOSS sources).  How do you know, though, that what the source repository shows and what the binary package contains are the same?  One way is to build it with the same recipe (packaging source script) and compare the sums.  Very few people do this, and only in very rare and controlled environments is the product the same, meaning checksums are identical (Arch is reporting 15-20% failure to reproduce their own packages).  So what most distros do is sign their packages, and by having their public signature key, you know what they built is what you got.  But are you sure they built it right, or did they take adequate measures to make sure what they pulled from upstream to build the package is what the author really published?  How can you check?


Arch No-Systemd … yes but how? Is systemd so different than ALL the other inits?

Hypothetically speaking, let us take Arch, and rebuild nearly all of it, without systemd.  What does this mean?

On any particular core, extra, community package, the minimal environment needed to build a package, incorporates systemd and its libs.  It is part of Arch base.  So systemd is present even when it is not required.  Some packages from source incorporate utilities based on systemd/libs and will utilize those in their package when present.  Sometimes it is evident, sometimes not so obvious.  So the hypothetical task is to build everything (except systemd and parts themselves) in a systemd-free environment.  See when errors arise due to the lack of it, disable systemd/logind utilities where we can, and see what arch would be like without systemd.


Spyware: KDE Plasma, like Gnome, the anti-FOSS eye-candy blackmail

Non-Linux OS with extensive telemetry:
MS Windows
Apple macOS – based on Unix
Apple iOS & derivatives – based on Unix
Google Chromebook ChromeOS – based on Linux
Google Android – based on Linux

Linux OS with extensive telemetry:

Pretty much any Linux with KDE-plasma or Gnome, and there are some like ElementaryOS, EndeavourOS, Fedora that may use telemetry even with LXDE or i3wm.


linux removes obarun presentation

r/linux removes Obarun announcement

https://www.reddit.com/r/linux/…./modular_boot_process_a_new_door_to_the_future
In case the above link magically vanishes from reddit, here is a screenshot of what it looked like (a couple more comments may have been added) and below see the text and imagine the reasons this announcement was removed by the moderators of r/linux.  Imagine also what the “image” of linux is perpetrated to be.  I say they are going for one linux, IBM’s linux, systemd linux, with various flavors of desktop crap just like themes of MS-windows or Apple’s and Google’s squishy flaky bubble hovering CRAP!

2 How to remove systemd from Debian Buster

As mentioned in the proposed topics of July 2nd, 2020, this is article 2 from that list.

This came from a community member as a proposed topic.

How to remove systemd from Debian Buster

older-pig:  A guide for removing systemd from Debian Buster and fixes for some issues which may occur because of that
https://gitlab.com/older-pig/buster-nosystemd

Coming up next the new sysdfree resurrection

Just when “some” were happy this was done and over with, POP goes the sysdfree community project again.  From now on, we will have a summary article of what is coming up next, and a series of articles discussing in detail the most worthy or note-worthy topics of interest.  Since YOU haven’t been contributing much to the community, it will be OUR topics of interest.

Why did we vanish for a little while?  After all this closure and prohibition to end the covid diaspora we have been burning some skinny road bike tires enjoying the end of spring and the start of a very HOT summer.  So now that it is getting hot, we will stay indoors again enough to write something up.  Yeeahhheee!!!! Or is it Yaaayyyy….!!!

1  Devuan:  Boring new stable release a year later  (you wanted an article .. go find one elsewhere).

2  Debian:  Script that runs and removes systemd and installs sysvinit and reboots to a systemd init free system.

3  Adelie (and Alpine) free and non-free independent repository

4  Black Artix, as if Artix wasn’t shady enough

5  Adequacy of traditional scripts (sysV or BSD inits), necessity of supervision suites (s6, 66, synit, minit, perp) or other alternatives such as OpenRC.

6  Split Linux, based on Void, security, anonymity, real firewalling, and more ….

7  Enough with supervising dry-cut monolithic services, the future is in modules (modular services and bundles of services).  If systemd was already buried and done with, this builds a pyramid on top, just so nobody will ever dare to open the mummy’s coffin.

8  Live streaming with Terry Barentsen on 2 wheels, no gas or dirty coal electric motors!

9  Kiss gets a new package manager

10  The shit (green energy environmental disaster) has to stop.  A documentary about the end of the planet’s ecosystem and who are the deceiving actors causing it.  It may be the most revealing 100′ of your life, or at least your recent world perception.

11  A song for our own resurrection:


Trident + void + zfs one step closer to 1.0

Trident project released a beta image following their alpha releases in the past two months.

For those who missed this developing transition, of Trident leaving its TrueOS/FreeBSD base and moving to linux using Void as its base, here is a summary of what you are missing.  It has been a common story for a distribution being fed-up with linux development, developers being consumed to modify their software around systemd-functionality, and have moved to some form of a BSD-unix base.  As far as we know there hasn’t been an effort to leave BSD to come to linux.  So Trident is drawing its own path making it now a 2 way street.  Here are a couple of juicy quotes of their late announcements:

2020 OS Migration

2019-10-14

…Currently, Project Trident is based on FreeBSD and uses the TrueOS build framework. Over the years, we have accumulated multiple long-standing issues with the underlying FreeBSD OS. Issues with hardware compatibility, communications standards, or package availability continue to limit Project Trident users…..


How does systemd prevail if it is so crappy?

Is reddit’s r/linux just a front of IBM’s marketing agents?  Under what remote logic would an announcement for a 5 year old distribution be removed and how could it possibly violate r/linux strict code of ethics?

Obarun: New for December …. upgraded yes, new not at all.
Sorry, this post has been removed by the moderators of r/linux.
Moderators remove posts from feeds for a variety of reasons, including keeping communities safe, civil, and true to their purpose

Those are the same tactics utilized across news-sites that appear to be “objectively” promoting linux in general, forums of systemd-only distributions, social media rooms and pages. The idea is to portray linux to new users inquiring about linux while on MS Windows, macOS, Android etc. as a systemd related operating system ONLY.

antiX – runit – brief stop and onto s6 and 66 : How to

1st some history/background:
Back some time ago an alternative to sysvinit was developed called daemontools (look at sources below) and people liked it.   From “it” runit was cloned, very similar but started from scratch, to be as small, as light, as simple, and as responsive as hw itself.  Runit set some goals for its development, kept being refined and eliminating any bugs, it worked on as many architectures as people could get their hands on, and the chief runit man decided to put it to bed.  Runit has been frozen in time by its developer.  Don’t expect it to catch up with other system development unless Void decides to clone it and develop it on their own, which in some ways they already do, but it is more polishing up the existing runit.
