XZ story REVISED: Should we apologize or demand an apology – This crisis is placing all of us under the test CVE-2024-3094

Systems running without systemd are apparently safe

What crisis?  CVE-2024-3094
A compromised lzma library, triggered through an openssh hook to systemd notify (sd_notify), pulls in code hidden in liblzma to create a backdoor into any debian/fedora/ubuntu ssh server.  Apparently not even openssh-selinux is safe under those conditions (glibc, x86-64, preconfigured tarball source from github 5.6.0 and 5.6.1, systemd, openssh, rpm or deb packaging, with calls to systemd enabled through the openssh.service).  If the source was built from git with a clean native autoconf/make, the suspect code is not included.  Musl systems have nothing to worry about, probably because they can’t compile sd_notify to trigger this whole thing.

Psychopath, paranoid, not knowing shit about software

When we criticized zstd and advocated for that long-term friend xz, suspecting zstd of being a trojan horse for security and encryption, those were some of the names I/we were called by the fan club of the facebook-hired ex-military author of zstd.  Mind you, zstd is commonly built with the lzma library enabled!

“IMPOSSIBLE, it is just a compression algorithm, it can’t be used to exploit the security of a system,” they said.

Sorry, I may have had no clue how, but IT IS now POSSIBLE!!!

Good news:  As far as experts in debian, fedora, arch and ubuntu can TELL, it takes systemd to energize the backdoor, specifically a hook used by debian to build openssh in a certain way, so that systemd/dbus/sd-bus/sd-notify run rogue code that obtains material from a blob (check/test result) in lzma and modifies running binaries to open the backdoor.

syslog-ng: how long have logs been accessible by your sys-admin?

Interesting discussion taking place in a r/joborun thread about building syslog-ng without systemd and telemetry!

What is interesting is that the author of syslog-ng took notice of the article and responded himself defending his choice.

This may continue so visit the link directly but here are the first two responses to the article:

https://www.reddit.com/r/joborun/comments/16x7u8o/users_of_syslogng_beware_telemetry_is_coming_not/
users of syslog-ng beware …. telemetry is coming! Not from skarnet

Do you need pkexec and polkit on a WM? NO! CVE-2021-4034

Thanks to Somewhat Reticent for being always on alert and contributing:

Do you need pkexec and polkit on a WM? NO! CVE-2021-4034

Not unless you want some automated menu and icons to click on and use various user/root rights to execute a gui!  Otherwise you are “safe”.

Don’t think that because RH is reporting this the only affected parties are RHEL users; anyone who uses their systemd, elogind and polkit derivatives is equally affected.

But gksu/gksudo was insecure and had to be erased from nearly every distro that is an IBM “client”.

More and more complexity is expected to avoid this.  Sudo gparted from a terminal would have been fine, but if you want to click on a gparted icon in a menu or filemanager as a user and have it execute as root, this is how much complication is added.  A logind daemon negotiates with polkit, through one of the layers of dbus, whether to allow you to execute something or not.  Mind sizzling ……    enterprise security in your “DESKTOP”.

CVE-2021-4034

Public on January 25, 2022

Important Impact

Rating of severity:   7.8/10

Top 10 best Desktop Environments for 2022 Linux and against Linux

First we should explain the reason for the title, then we should explain why this has become a trendy, catchy way of titling in pseudo-media, what pseudo-media is, who it serves, and how there can be real linux development without this consuming black hole.

How were desktop environments conceived and developed, and why were they developed?  Many technical reasons:

1   As hardware quickly became able to display more complex graphics than the old text terminals, it became possible to display graphical images that weren’t drawn by grouping alphanumeric symbols together in lines, then digital drawings (CAD), then low-resolution photographs that kept climbing to higher and higher levels, then video and high-fidelity audio.

Spyware: KDE Plasma, like Gnome, the anti-FOSS eye-candy blackmail

Non-Linux OS with extensive telemetry:
MS Windows
Apple macOS – based on Unix
Apple iOS & derivatives – based on Unix
Google Chromebook ChromeOS – based on Linux
Google Android – based on Linux

Linux OS with extensive telemetry:

Pretty much any Linux with KDE-plasma or Gnome, and there are some like ElementaryOS, EndeavourOS, Fedora that may use telemetry even with LXDE or i3wm.


FSF Richard M. Stallman and the gangsters of the globe

There is much talk these days about RMS, the founder of FSF, returning to the board of FSF, and IBM refusing to have him, popular demand, vote, or otherwise.

I could list countless articles here as a detailed research on the matter, but the plethora of them TOTALLY MISS THE ISSUE.

Who decides and how is a decision made?  Is it influenced by rational arguments or is it a choke-hold maneuver that even his (RMS’s) dearest of friends can’t escape?

The rational argument by IBM, and their fellow mutually interested global giant corporations, is “YOU DO AS WE SAY, OR NO MONEY COMING TO YOU”.

Popular mythology spread by IBM parrots elogind vs consolekit2 1.2.2

Thanks to the great work by Eric Koegel and Antoine Jacoutot we were not wrong again!

Parrots never think of what it is they say, they hear things (generally things are heard through highly paid and supported media that serve corporate and state interests) and reproduce the sound of them.  Not that they are dumb, but they can’t process rational language based communication. 

QUESTION: Why are you dumping consolekit2 and using elogind, which you know is just a significant piece of systemd, which further makes upstream reliance on systemd more acceptable and widespread?

EXCUSE:  Consolekit is deprecated, it is unmaintained, it will never work with Wayland, and we must support wayland because that is the future.

QUESTION: Could consolekit2 work with wayland?

EXCUSE: No, it never will!

QUESTION: Elogind, being a piece of the most convoluted piece of opensource software ever encountered, is very big.  Shouldn’t this be a performance concern?

EXCUSE: No, because consolekit was also huge!


ANSWER:  Consolekit2 1.2.2 was released Dec. 20, 2020 and among its changes are a memory leak fix, NetBSD/OpenBSD fixes/compliance and more.  If you look at the list of issues and discussion, there has been a workaround to get ck2 to work with wayland in Gentoo since 2018.

Consolekit2 is between 1/5 and 1/6 of the size of elogind!

mr Edward Snowden, facebook and open/free code directed to linux users

This is going to be short, it is me not providing information but asking for it from the community.

Snowden has come out and spoken loudly on facebook, google, and other social media, of being up to no good against people using their free services.  I can’t find any reference on how exactly those mega corporations deal and cooperate with state agencies, or even whether state agencies relate to the foundation of such corporations.  If, and whether, some were founded specifically for the purpose of what they are accused of doing, by Snowden and many others who are less well known.

Sabotage Linux on the “progress” of Linux

Since we agree with every word and punctuation in this article, we proudly republish it from the Sabotage Linux website:

When “progress” is backwards

Lately I see many developments in the linux FOSS world that sell themselves as progress, but are actually hugely annoying and counter-productive.

Counter-productive to a point where they actually cause major regressions, costs, and as in the case of GTK+3 ruin user experience and the possibility that we’ll ever enjoy “The year of the Linux desktop”.


Ataraxia and the need for a stricter list of distros

A while ago someone I didn’t know contacted me on reddit about the list of distributions without systemd, suggesting I should add ataraxia linux.  Ataraxia Linux was very similar to kiss-linux, source based, musl, but featuring an array of init and service supervision systems available to choose from.  A few weeks ago, someone (turns out to be the same person) added a comment on this blog to this more precise list of “linux distributions without systemd” and suggested I should add Ataraxia to the list, and I did.

Then a comment came in from someone who is really going through the list of distributions and also has been reviewing the narrow list of distributions, or systems, built on musl instead of glibc.  He alerted me to the fact that Ataraxia is now using systemd as its default init system.  It didn’t strike me as odd in the beginning, even though I had recently given it a try.  I was under the impression, never tried, that systemd couldn’t be built on musl as it wasn’t even written in C.  So I asked that same guy, who turns out to be the distro owner of ataraxia, how he had achieved this, and I got a single word response:  “patching”.

firefox-esr and Arch-Linux, masters of disasters – Mozilla Inc.

_package() {
pkgdesc="$2 language pack for Firefox ESR"
depends=("firefox-esr>=$pkgver")
install -Dm644 firefox-esr-i18n-$pkgver-$1.xpi \
"$pkgdir/usr/lib/firefox/browser/extensions/[email protected]

The above is a piece from a late language pack PKGBUILD for Firefox-ESR.

For whatever reasons Arch dropped official support for firefox-esr (mozilla’s development seems to have a growing crowd rejecting its trending prostitution to corporate preferences, more people tend to go back to -esr versions, and Arch caters to all BIG CORPORATE preferences and tastes), but it is not our business what they do with their repositories.

Automatically, it seems, “someone” (DCT MEI and Manuel Kauschinger) adopted those packages in AUR, and as you may know each firefox product comes with a zillion language packs.  Only the binary package in AUR is called firefox-esr-bin, while the dependency of each language pack is on firefox-esr, which doesn’t exist in community or AUR.  You can force install it (-dd), or you can edit the PKGBUILD, change the line above to depends=("firefox-esr-bin>=$pkgver"), and then build it.

How does systemd prevail if it is so crappy?

Is reddit’s r/linux just a front of IBM’s marketing agents?  Under what remote logic would an announcement for a 5 year old distribution be removed and how could it possibly violate r/linux strict code of ethics?

Obarun: New for December …. upgraded yes, new not at all.
Sorry, this post has been removed by the moderators of r/linux.
Moderators remove posts from feeds for a variety of reasons, including keeping communities safe, civil, and true to their purpose

Those are the same tactics utilized across news sites that appear to be “objectively” promoting linux in general, forums of systemd-only distributions, social media rooms and pages. The idea is to portray linux to new users inquiring about linux while on MS Windows, macOS, Android etc. as a systemd-related operating system ONLY.