Stefan Sperling

695 Followers
718 Following
168 Posts

Posting mostly about tech stuff I'm working on but happy to read and chat about non-tech stuff too. I'm grateful to be learning so much about the world from all of you.

Tech stuff I'm working on currently includes OpenBSD, Apache Subversion, Software Heritage, Game of Trees, @gothub, and Dulwich.

Toots get auto-deleted after one month.

www: https://stsp.name
languages: de/en, a little fr
cities: Berlin / Brussels
pronouns: he/him/his

None of us alive will experience climate better than what we have now. How much worse it gets is up to us.

https://eos.org/research-and-developments/2026-has-already-broken-climate-records-el-nino-could-break-more

2026 Has Already Broken Climate Records. El Niño Could Break More.

As the midpoint of the year approaches, several climate records have already been broken. Arctic winter sea ice extent reached a record low. Several countries saw record-breaking winter heat waves. And more than 150 million acres have already burned globally in wildfires.

Eos

I published a patch today which adds support for Intel E610 #Ethernet devices to the #OpenBSD ix driver:

https://marc.info/?l=openbsd-tech&m=177850774103141&w=2

Tests would be very welcome on any ix(4) device.

'ix(4): add support for intel E610 Ethernet' - MARC

Unrelated to us, chrismoos has just released what looks like a rather comprehensive implementation of the CDMA2000 1x cellular system as open source. From an SDR PHY through RAN to CN. It includes the signaling plane, circuit switched calls, messaging (SMSC) and packet (IP) data.
See https://1xbts.org/ and https://github.com/chrismoos/1xbts for more information. #cdma2000 #retronetworking #cellular #sdr
1xBTS — Open Source CDMA2000 1x Cellular Network

An open-source CDMA2000 1x cellular network — BTS, BSC, MSC, packet core, voice, SMS, and a full management plane in Rust.

1xBTS

We have awarded our first free VM to Runxi Yu, in return for security issues they found in #GameOfTrees and reported to the project. Thanks!

We recommend updating your got clients to version 0.125 as soon as feasible to prevent potential man-in-the-middle scenarios against your gothub.org server and other Git servers you might be using.

Details here: https://bsd.network/@stsp/116546813289077690


#gameoftrees #got #vcs

As per @stsp's announcement:

https://bsd.network/@stsp/116550507403402183

I've also released got's -portable version 0.125

Same features as this version of got; no -portable specific changes in this release.

See: https://gameoftrees.org/portable.html

Usual mirror updated as well.

Any questions about this release, let me know.


The #Git compatible version control system #GameOfTrees has a new release numbered 0.125.

This release ships important fixes for two client-side security issues reported by Runxi Yu:

Arbitrary file overwrite with user permissions via crafted tree object entry names. Anywhere on the filesystem with got-portable, only in /tmp on #OpenBSD.

Creation of .got/got.conf as a versioned file was possible. This could be abused to add malicious remote server entries to the run-time configuration used during fetch and send operations, potentially resulting in falsified Git history being downloaded. Double-checking unknown SSH host key fingerprints is recommended as a mitigation. Never blindly accept SSH host keys. And avoid cloning and fetching over HTTPS if possible.

Thanks to Runxi Yu for spotting and reporting these issues

(EDIT: Fixes for the issue described below, and for a second issue which is more severe, have now been shipped in got and got -portable 0.125)

If you are using #gameoftrees (on #OpenBSD or anywhere else) please always be diligent about checking SSH host key fingerprints.

Versioned files inside the work tree's meta-data .got directory can be created during 'got checkout' or changed during 'got update'. Files in the meta-data directory should never be under version control, yet the current implementation unfortunately allows this.

Which provides a way for malicious repositories to configure remote servers stored in .got/got.conf which would then be used by the fetch and send commands. Unless you already have the bad host key stored, SSH will ask for verification of the bad server's host key fingerprint as the last line of defense against a man-in-the-middle.

The problem was reported to me by Runxi Yu about 2 hours ago. A fix for this issue is being worked on: https://marc.gameoftrees.org/mail/1778362202.49408_0.html

do not allow versioned files in meta-data directories
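The 0.125 release note and the original report above describe the same root cause: entry names taken from a tree object are written to disk during 'got checkout' and 'got update' without being rejected when they point into the work tree's .got meta-data directory or, via '..' or an absolute path, outside the work tree altogether. The following C program is an added example written for this page; it is not Game of Trees' code and not the project's actual fix. It shows the kind of entry-name filter the patch subject ('do not allow versioned files in meta-data directories') calls for. The meta-data directory name .got and the file got.conf come from the posts; the function names, the verdict enum, the constructed sample entries and the case-insensitive comparison are my own assumptions.

```c
/*
 * Added example, not Game of Trees code: a checkout-time filter for tree
 * entry names. Every path in a tree object is attacker-controlled, since
 * whoever can push to a repository you fetch from chooses them. A name is
 * rejected when it would land in the meta-data directory (assumed to be
 * ".got", as on the page), escape the work tree through "/" or "..", or
 * carry an embedded NUL that would truncate it at the filesystem layer.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define META_DIR ".got"   /* work tree meta-data directory (name from the page) */

enum entry_verdict {
    ENTRY_OK = 0,
    ENTRY_EMPTY,             /* zero-length name */
    ENTRY_ABSOLUTE,          /* leading "/" */
    ENTRY_EMBEDDED_NUL,      /* NUL byte inside the stored name */
    ENTRY_DOT_COMPONENT,     /* "." or ".." component */
    ENTRY_META_COMPONENT,    /* component named like the meta-data dir */
    ENTRY_EMPTY_COMPONENT    /* "a//b" or a trailing "/" */
};

/* Classify one '/'-separated component of n bytes (not NUL-terminated). */
static enum entry_verdict
check_component(const char *p, size_t n)
{
    if (n == 0)
        return ENTRY_EMPTY_COMPONENT;
    if (n == 1 && p[0] == '.')
        return ENTRY_DOT_COMPONENT;
    if (n == 2 && p[0] == '.' && p[1] == '.')
        return ENTRY_DOT_COMPONENT;
    /*
     * Case-insensitive on purpose (my assumption, not got's rule): on a
     * case-insensitive filesystem ".GOT/got.conf" is ".got/got.conf".
     */
    if (n == strlen(META_DIR) && strncasecmp(p, META_DIR, n) == 0)
        return ENTRY_META_COMPONENT;
    return ENTRY_OK;
}

/*
 * Validate a tree entry name as stored in the object: len bytes that may
 * legitimately lack a terminator and may illegitimately contain NUL.
 * Returns ENTRY_OK only if the name is safe to create below the work tree.
 */
enum entry_verdict
check_tree_entry_name(const char *name, size_t len)
{
    size_t i, start;
    enum entry_verdict v;

    if (len == 0)
        return ENTRY_EMPTY;
    if (memchr(name, '\0', len) != NULL)
        return ENTRY_EMBEDDED_NUL;
    if (name[0] == '/')
        return ENTRY_ABSOLUTE;

    /* Walk every component, including the last one (i == len). */
    for (start = 0, i = 0; i <= len; i++) {
        if (i == len || name[i] == '/') {
            v = check_component(name + start, i - start);
            if (v != ENTRY_OK)
                return v;
            start = i + 1;
        }
    }
    return ENTRY_OK;
}

/* Convenience wrapper for NUL-terminated names. */
enum entry_verdict
check_tree_entry_str(const char *name)
{
    return check_tree_entry_name(name, strlen(name));
}

int
main(void)
{
    /* Constructed sample entries of the kind a malicious tree could carry. */
    const char *samples[] = {
        "README", "lib/got/path.c", ".gotignore",
        ".got/got.conf", "src/.GOT/got.conf", "../../.ssh/authorized_keys",
        "/etc/passwd", "a//b", "dir/", "x/./y"
    };
    size_t n;

    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++)
        printf("%-30s -> %s\n", samples[n],
            check_tree_entry_str(samples[n]) == ENTRY_OK ? "ok" : "REJECT");
    return 0;
}
```

Build with cc and run; each rejected sample prints REJECT. Note that .gotignore passes while .got does not: only a whole component equal to the meta-data directory name is refused. This filter decides purely from the entry name; restricting where the client is allowed to write at all (the /tmp-only behaviour the release note mentions on OpenBSD) is a separate second layer, and the posts' advice to verify unknown SSH host key fingerprints remains the last line of defence once a malicious got.conf has already been written.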

The Mismeasure of Open Source

The streetlight effect in project-health scoring

Andrew Nesbitt
FastCGI: 30 Years Old and Still the Better Protocol for Reverse Proxies

https://www.agwa.name/blog/post/fastcgi_is_the_better_protocol_for_reverse_proxies

I won an astronomy communication and public education award from the Canadian Astronomical Society, for yelling about satellite pollution! I'm quite honoured, and now obligated to continue yelling.

Which I was going to do anyway, but it's extremely nice to know that my university (who gave me a public education award last year) and my professional society both think I am good at yelling about this and should keep doing it.