Readit News
trulyrandom commented on Docker limits unauthenticated pulls to 10/HR/IP from Docker Hub, from March 1   docs.docker.com/docker-hu... · Posted by u/todsacerdoti
rcarmo · 10 months ago
Most of the OSS projects I use seem to either have moved to the GitHub container registry or some other (smaller) equivalent. Some have even set up their own registries behind Cloudflare.
trulyrandom · 10 months ago
Does GitHub's container registry still require authentication for pulls?
trulyrandom commented on Linux 6.11 Released   lwn.net/Articles/990307/... · Posted by u/jrepinc
homebrewer · a year ago
6.10 (TEN, the previous one) has been a very problematic release for me, with one desktop running into four major bugs in total: three separate amdgpu bugs resulting in video corruption, hangs and crashes, and now that I'm on 6.10.10 and those seem to be fixed, the system intermittently refuses to come up from sleep mode.

Anyone else having similar experience? This is the first time something like that happened in a decade of using the latest stable kernel release (in my experience, it's actually been stable for all that time except for 6.10).

trulyrandom · a year ago
Just to add a non-problematic experience report to the mix: I've been using 6.10 for months on two AMD machines with different hardware (one with a 7840U and one with a 5700XT) without any issues whatsoever.
trulyrandom commented on Tinystatus: A tiny status page generated by a Python script   github.com/harsxv/tinysta... · Posted by u/harsxv
runjake · a year ago
It doesn't need to be fixed. There isn't an issue here.

Depending on the OS, ping is either set setuid[1] as root, or more commonly these days, ping is granted a "capability"[2], such as CAP_NET_RAW on Linux. macOS does things a little differently[3].

This allows non-root users to run stuff like ping without granting them full root access. You do not need to, nor should you, run the script as root.

    % ls -l /usr/bin/ping
    -rwxr-xr-x 1 root root 89768 Apr  8 09:00 /usr/bin/ping
    
    % getcap /usr/bin/ping
    /usr/bin/ping cap_net_raw=ep

    ~
    % whoami
    jake
    
    ~
    % id
    uid=1000(jake) gid=1000(jake) groups=1000(jake),4(adm),24(cdrom)
    
    % ping -c 3 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=117 time=9.195 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=8.837 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=10.998 ms
    
    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 8.837/9.677/10.998/0.946 ms

Hope that helps. Happy to elaborate on any unclear points.

1. https://unix.stackexchange.com/questions/382771/why-does-pin...

2. https://unix.stackexchange.com/questions/592911/how-does-pin...

3. https://apple.stackexchange.com/questions/312857/how-does-ma...

Edit: updated explanation a bit.

trulyrandom · a year ago
On Linux, "net.ipv4.ping_group_range" is typically used to allow unprivileged users to do ICMP echo requests. Setting the setuid bit or granting a capability are both very old ways of doing this.
trulyrandom commented on Raivo OTP just deleted all tokens after update and is now asking for money   github.com/raivo-otp/ios-... · Posted by u/parody577
trulyrandom · 2 years ago
Repeat after me: I will never, ever, use proprietary software for important data again.
trulyrandom commented on Backdoor in upstream xz/liblzma leading to SSH server compromise   openwall.com/lists/oss-se... · Posted by u/rkta
londons_explore · 2 years ago
Note that the malicious binary is fairly long and complex.

This attack can be stopped by disallowing any binary testdata or other non-source code to be on the build machines during a build.

You could imagine a simple process which checks out the code, then runs some kind of entropy checker over the code to check it is all unminified and uncompressed source code, before finally kicking off the build process.

Autogenerated files would also not be allowed to be in the source repo - they're too long and could easily hide bad stuff. Instead the build process should generate the file during the build.

trulyrandom · 2 years ago
This requires a more comprehensive redesign of the build process. Most Linux distributions also run the tests of the project they're building as part of the build process.
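
Added example, not written by either commenter above: a sketch of the pre-build "entropy checker" gate londons_explore describes, flagging files in a checkout that do not look like plain source. The thresholds `ENTROPY_LIMIT` and `MAX_LINE_LEN`, the function names and the sample tree are assumptions made for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_LIMIT = 6.0  # bits/byte; assumed threshold, tune per repository
MAX_LINE_LEN = 1000  # assumed limit; minified or generated files exceed it

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for source text, near 8 for compressed data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify(data: bytes) -> list:
    """Reasons a file does not look like plain source; empty list means it passes."""
    reasons = []
    if b"\x00" in data:
        reasons.append("contains NUL bytes")
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        reasons.append("not valid UTF-8")
    if shannon_entropy(data) > ENTROPY_LIMIT:
        reasons.append("high entropy")
    if any(len(line) > MAX_LINE_LEN for line in data.splitlines()):
        reasons.append("very long line")
    return reasons

def scan_tree(root: str) -> dict:
    """Map relative path -> reasons for every file that fails classify()."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                reasons = classify(fh.read())
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

if __name__ == "__main__":  # constructed sample tree: one source file, one binary fixture
    with tempfile.TemporaryDirectory() as tree:
        Path(tree, "main.c").write_bytes(b"int main(void) { return 0; }\n")
        Path(tree, "fixture.bin").write_bytes(bytes(range(256)) * 16)
        print(scan_tree(tree))  # a CI job would fail the build if this is non-empty
```

A gate like this rejects compressed or binary test fixtures outright, which is why the reply above points out that builds which also run the project's tests would need to fetch or generate that data some other way.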

u/trulyrandom

Karma: 3106 · Cake day: June 14, 2018