Paul

@solarkraft
462 Followers
1.1K Following
5.8K Posts

Fun facts, random musings and shitposts, usually related to technology.

Microsoft Least Valuable Professional.

I care/know a bit about
- Sustainability (there's a fusion reactor in the sky!)
- Free Software (by far the most sustainable type of software)
- Ecosystem strategy/marketing ("how do we get people to use this?")
- UX (developers are users!)
- Web Development (the least bad application platform, probably)
- Photography (lately mostly slow-motion videos)
- Memery (RIP, Cheems)

@mosseri hi from the internet! how's EU support coming along? I still can’t reach most of the people I want to reach.
@altstore My first mission is actually to install the #Pebble app because my Pebble has been drifting out of sync for months.
@altstore is installed! Beautiful! Thanks for all the work, AltStore team and EU!
Now to install my own app I still need "notarization" (Apple still having a hand in distribution, which I wish was illegal).
Is that possible without paying the 100€/year that App Store distribution would require? If so, I might actually become interested in iOS development.

Europe’s coolest alternative app marketplace is HERE!

Introducing AltStore PAL — an Apple-approved version of AltStore exclusive to the EU

Download now from our website for just €1.50/year (+ VAT) 🇪🇺 https://altstore.io

AltStore

Some aspects of this #xz / #liblzma #sshd #backdoor remind me of Ken Thompson's 1984 lecture "Reflections on trusting trust". This is a practical implementation of a similar attack for a modern world. https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf #infosec #cybersecurity

I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of CPU time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.

Really required a lot of coincidences.

I accidentally found a security issue while benchmarking postgres changes.

If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.

https://www.openwall.com/lists/oss-security/2024/03/29/4

oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

After seeing how the XZ maintainer's burnout and mental health decline was exploited to the potential detriment of the whole world, we're totally going to be supporting our developers more, right guys? We're totally going to fund critical OSS and pay maintainers enough to hire on other maintainers to take the burden off of them and reduce burnout, right? Right?
@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html
Re: [xz-devel] XZ for Java