XZ story REVISED: Should we apologize or demand an apology – This crisis is placing all of us under the test CVE-2024-3094

Systems running without systemd are apparently safe

What crisis?  CVE-2024-3094
A compromised lzma library, triggered by an openssh hook into systemd notify (sd_notify), uses code hidden in liblzma to create a backdoor in any Debian/Fedora/Ubuntu ssh server.  Apparently not even openssh-selinux is safe under those conditions (glibc, x86-64, preconfigured tarball source from github 5.6.0 and 5.6.1, systemd, openssh, rpm or deb packaging, with enabled calls to systemd through the openssh.service).  If the source was built from git with native clean autoconf/make, the suspect code is not included.  Musl systems have nothing to worry about, probably because they can’t compile sd_notify to trigger this whole thing.
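As an added defender’s check (not part of the original post), here is a small POSIX shell script that tests the two preconditions the paragraph names: an xz/liblzma release of 5.6.0 or 5.6.1, and an sshd binary that loads liblzma (directly or through libsystemd). The parsing functions work on captured text so they can be exercised on constructed `xz --version` and `ldd` output; the live check against the running host is gated behind the XZ_CHECK_LIVE environment variable, which is an assumption of this example, not anything the post or the xz project defines.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks the two conditions
# the post describes for CVE-2024-3094: an affected xz release and an sshd
# that pulls in liblzma. Pure functions on text, plus an optional live run.

# Return 0 if the version string is one of the two releases named in the
# post (5.6.0, 5.6.1), 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version out of the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if no version found.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if an `ldd sshd` listing shows liblzma being loaded at all
# (directly or via libsystemd), which is the precondition the post describes.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both checks on captured output. Prints a verdict and returns
# 0 when the vulnerable combination is present, 1 otherwise.
assess() {
    ver=$(xz_version_from_output "$1")
    if xz_version_affected "$ver" && sshd_links_liblzma "$2"; then
        echo "liblzma $ver is an affected release and sshd loads liblzma: update xz-utils and restart sshd"
        return 0
    fi
    lz=no
    if sshd_links_liblzma "$2"; then lz=yes; fi
    echo "no match (liblzma version: '${ver:-unknown}', sshd loads liblzma: $lz)"
    return 1
}

# Live check against this host, only when explicitly requested
# (XZ_CHECK_LIVE is an assumed name for this example):
#   XZ_CHECK_LIVE=1 sh xz_check.sh
if [ "${XZ_CHECK_LIVE:-0}" = "1" ]; then
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    assess "$(xz --version 2>/dev/null)" "$(ldd "$sshd_bin" 2>/dev/null)"
fi
```

The verdict is deliberately conservative: a matching version alone, or liblzma in sshd’s link map alone, is reported as “no match”, because the post’s own description makes the backdoor depend on both being true at once. A positive result is a reason to update and restart sshd, not proof of compromise.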

Psychopath, paranoid, not knowing shit about software

When we criticized zstd and advocated for that long-term friend xz, suspecting zstd of being a trojan horse for security and encryption, those were some of the names I/we were called by the fan club of the facebook-hired ex-military author of zstd.  Mind you, zstd is commonly built with the lzma library enabled!

“IMPOSSIBLE, it is just a compression algorithm, it can’t be used to exploit the security of a system,” they said.

Sorry, I may have had no clue how, but IT IS now POSSIBLE!!!

Good news:  As far as experts in Debian, Fedora, Arch and Ubuntu can TELL, it takes systemd to energize the backdoor, specifically a hook used by Debian to build openssh in a certain way, so that systemd/dbus/sd-bus/sd-notify run rogue code that obtains material from a blob (check/test result) in lzma to modify running binaries and open the backdoor.

Continue reading

Can systemd do ANYTHING other systems cannot do? Can you transition to Wayland?

NO!

NO, what? To which question, both?

Then what is the problem with systemd or replacing it with another system?

The quick answer is NO, but in reality one must be able to match the resources of IBM/x-RH to chase behind this dog when this dog does its best to shake all tailgaters off.  “It” wants to run throughout the system, from bios/efi/boot-loading to every click you make on the desktop with your mouse or every finger touch on the touch-screen.  PRECISELY what google has done on android, in which we have no say; it is a private, non-open, non-free system.  Monkey see, monkey do, monkey governments enforce its use, monkeys conform.  Fuck you google and fuck the state that mandates its use (I wonder if North Korean sites have google apis in them, RT do!).

HOW does this work? Continue reading

2023: Linux rusting away into non-FOSS territory – Build rnote and you will see

Linux 6.2-rc2 kernel is out as the last commit in kernel.org at the start of 2023.  RUST is here, the initial code-base is included in the kernel.  At least Arch seems to be disabling it for now, at the beta level at least; we shall see.

Rust is not just a language, as people commonly think, it is much more.  It is a building environment, a system, and a change in the philosophy of building packages from source.   Rust incorporates its own git system for pulling code in from 2nd and 3rd parties.  So if you have never gotten into the real FOSS practice of auditing code before you build, try and audit this stuff.  If you thought building in C was a practice similar to building sand castles, by comparison this is like building sand castles with quicksand ON QUICKSAND.

Continue reading

Joborun vs Obarun linux

The surface:

obarun stands for OpenboxRunit … but has been the home for an Arch-based s6 implementation with tools (currently 66) to make s6 less hostile to MOST users of linux.  Runit only lasted a few weeks before s6 was implemented and runit was dumped.  Currently featuring a graphic installer of base, openbox, jwm, xfce4, and plasma desktops and a setup of s6/66 to get you going.

joborun stands for JwmOpenBoxObarunRunit, so it is everything Obarun can be, plus runit that can coexist with and alternatively boot instead of s6/66, but it also replaces most core Arch pkgs with ones built in a vacuum of systemd/logind/udevd.   Currently not including an installer or an iso image, but an old-fashioned tarball of the base and instructions on how to make it a bootable system within minutes.  Joborun is basically a source-based distro, although it provides 2 tarballs, base system and builder system, and binary repositories of all packages it provides source for.  You always need a binary system to build your binaries; joborun just makes the process easier and quicker, without frustrating fails. Continue reading

Can you build ARCH from source? Let’s see!

Apart from the objective of building an Arch minimal base without systemd and its libraries, the idea or question that came to mind was whether you can build all your packages from the Arch recipes. Since Artix is now autonomous and relies on its own software base, not Arch, the same question applies, and I suppose the same applies to Manjaro. Most of the core pkgbuilds in Artix are just copies of Arch. Systemd may not be there but many of its libraries or pieces are still there. But let’s say you just want to build Arch, authentic and 100% true Arch.

The short answer is NO!
The long answer is explained here:
Continue reading

mr Edward Snowden, facebook and open/free code directed to linux users

This is going to be short, it is me not providing information but asking for it from the community.

Snowden has come out and spoken loudly on facebook, google, and other social media, of being up to no good against people using their free services.  I can’t find any reference on how exactly those mega corporations deal and cooperate with state agencies, or even whether state agencies relate to the foundation of such corporations.  If, and whether, some were founded specifically for the purpose of what they are accused of doing, by Snowden and many others who are less well known. Continue reading

Update your 66? no, you 66-update your 66

Coming up, any day now, is your new 66 package.

obcore-testing/66 0.2.4.0-5 (base s6-suite)
    small tools built around s6 and s6-rc programs
obcore/66 0.2.3.2-1 (base s6-suite)
    small tools built around s6 and s6-rc programs

No .zstd packaging here, just good old xz, despite the 0.0094-second decompression advantage. 🙂

Ok, 0.2.4 over 0.2.3… brings yet one more tool to you. Still, the package (66) is only a fraction of systemd, but it has more “features”. That database of trees and services you have created does not have to be destroyed and recreated after a major reorganization of 66 and its service file definitions and syntax, not for root and not for the user. Simply run 66-update as root and as user after each upgrade to ensure a perfect transition to the upgraded software. 66-update -v4 for maximum verbosity.

The next step in development will be a more automated backup and restore of your trees and services structure.

In the past 9 months 66 evolved quite a bit, and after each major evolutionary step the safest way to upgrade was to destroy the old trees (delete them), recreate them and populate them with services. Not any more. But that is not all. 66-update is not a one-way procedure. Say you found out something is wrong, you located the bug of the century, something wrong with 66, and you want to downgrade back to the previous edition of 66. You downgrade the package and run 66-update again.


PS  Now, if someone who is not banned from r/linux or r/archlinux could try and crosspost this important announcement there, to see if you can do this for a banned user like me, it would be nice to know, that I can still piss them off with my existence.

Continue reading

zstd compression algorithm and the dethroned old king xz

Here are the comparative numbers reported by Arch devs on which they based their decision to use this fast but resource-hungry compression tool.  XZ still wins in size and loses on time, while ZSTD is a huge loser in memory use while compressing; decompression is comparable and equally fast.  Zstd (gang) software also relies heavily on very current, powerful server-grade machines to provide the benefit of speed, to make up for what it lacks in quality.   Compression software should primarily be judged on its ability to compress, and zstd fails miserably against this 45-year-old trusty switchblade called xz.  So we can conclude that Arch has an abundance of computing/building/packaging apparatus, with truckloads of spare RAM to process many packages in parallel.

Arch comparison test ZSTD vs XZ

My article (a link to it) was removed from r/linux yesterday for no good reason, 100% linux-related material, and as I complained I was permanently banned from posting there.

https://www.reddit.com/r/linux/comments/ejn5c5/arch_2020_welcomes_its_little_brothers_and/

In case you are wondering I was reporting that arch nearly silently started using this facebook compression algorithm on packaging and here is their own test data to support this decision: Continue reading

Arch Linux 2020 – what’s there to be happy about?

Happy new year facebook fans and Arch friends (friends of who? we don’t know, not us, not on facebook, not in the past and not in the future, but you must have friends amongst yourselves).

Some of you may have taken the previous post about abandoning Arch as a joke, since most of what we do recently is promote Obarun, an Arch-based distribution with s6 and 66 init and service management.   When we published that article we knew nothing of what Hyperbola was planning to do (we assume it was discussed within the community) or whether they were going to give in to the pressure and incorporate Arch’s pacman and packaging methodology change into their distribution.  (Note: Hyperbola may be based on Arch but has its own separate repositories and rebuilds everything on their own to ensure everything is Free).  All of their free packages, as far as we can tell, are still compressed with xz.  The bomb was set and it will go off soon (in open/free software tradition of timing, kind of soon).  Hyperbola is not just leaving Arch, it is leaving linux, for OpenBSD.  But this is not about Hyperbola, it is about Arch….     or skip to here if you are in a rush! Continue reading