“I allowed FireDragon to use the code for free.”
but … closed source
That's an odd shift to say the least. Closed source Firefox browsers seem a bit silly to me, and there really haven't been many in the past from what I have seen (Maybe like one or two that I can faintly remember? One being a multi-core browser that was only for Windows).
That really puts things in a weird spot now. A lot of the wording on that announcement makes it sound like they aren't too sure how they want things to be. Floorp might be up for a lot of “flip-flopping” whenever it suits them.
Either way how it turns out, it leaves a bad taste in my mouth and makes it hard to care whatever the “new features” they are talking about in the new version if they are closed source.
(Looking forward to Waterfox's new features that are currently in beta at least)
The plot thickens, it seems:
Although the blog post announcing the code would be closed off was released only earlier today, it appears the “private” repo linked in the post is now a public repository.
Now the code is licensed as CC BY-NC-SA (see: CC BY-NC-SA 4.0 Deed | Attribution-NonCommercial-ShareAlike 4.0 International | Creative Commons), which means people can use the code as they wish as long as they give credit to the author and don't use it for commercial purposes. So, people can't fork the browser and sell their fork (which I think may have been happening with the original license).
I think this seems like a reasonable choice. Probably they could have shifted to this license in a less disruptive way to avoid the backlash from the community, but c'est la vie.
Meanwhile, it looks like the maintainer of the NixOS package is dropping it since it was announced that there will be proprietary bits:
I wonder if they will reconsider this move now that the author appears to be quickly backpedaling back to an open source model.
So…this is good!
…I think?
I think it's a crazy world we live in - always was - it's just that sometimes smth. like this brings it to our attention. I also think that if we here lived only in the Windows World, we would never even notice news like this.
Does this mean we're the “sensitive” type?
“This campaign is a prime example of the sophisticated tactics employed by malicious actors to distribute malware through trusted platforms like PyPI and GitHub,” the researcher concluded.
“This incident highlights the importance of vigilance when installing packages and repositories even from trusted sources. It is crucial to thoroughly vet dependencies, monitor for suspicious network activity, and maintain robust security practices to mitigate the risk of falling victim to such attacks.”
Some interesting gaming related news…
All of Floorp's source code is now publicly available once again!
To defend against these botnets, use strong admin passwords and upgrade your device's firmware to the latest version that addresses known flaws. If the device has reached EoL, replace it with an actively supported model.
Common signs of malware infection on routers and IoTs include connectivity problems, overheating, and suspicious setting changes.
Meanwhile TikTok is the one getting banned.
I was reading through Fedora 40 changes and came across these security enhancements.
I wonder if we could add some of these features in Garuda?
The NetworkManager gets a new ability to address conflicts of duplicate IPv6 addresses in the same physical network.
While this is something enabled by default under-the-hood, it should reduce unnecessary connectivity issues.
In terms of security, Fedora 40 decides to enable high level systemd security hardening settings. It aims to isolate and sandbox system services for enhanced protection.
And, not to forget, Fedora 40 randomizes the MAC addresses for each Wi-Fi connection with a stable/individual address to reduce passive surveillance by Internet Service Providers. So, giving you better network privacy.
Malicious backdoor found in ssh libraries
https://openwall.com/lists/oss-security/2024/03/29/4
I never leave ssh or any type of remote access enabled. Most people would call that paranoid, but just because you're paranoid doesn't mean they aren't out to get you. Usually my paranoia is justified, as backdoors have been found more than once in remote access software.
Also no wifi or bluetooth access on my computer or phone for me. Bluetooth is riddled with security holes, and wifi can be compromised especially if you use public connections.
I like to use Bluetooth headsets while travelling, but I've recently switched to a dedicated mp3 player for that purpose. Otherwise, my Bluetooth is always off, partially because of the reasons you mentioned. Additional reason to keep BT off at all times while using an iPhone: after each and every OS update Apple has suddenly turned BT back on.
The situation only looks more bleak over time with how the upstream project was compromised while now the latest twist is GitHub disabling the XZ repository in its entirety.
The central repository tukaani-project/xz on GitHub has now been disabled by GitHub with the message:
“Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service. If you are the owner of the repository, you may reach out to GitHub Support for more information.”
Arch Linux
The following release artifacts contain the compromised xz:
installation medium 2024.03.01
virtual machine images 20240301.218094 and 20240315.221711
container images created between and including 2024-02-24 and 2024-03-28
The affected release artifacts have been removed from our mirrors. We strongly advise against using affected release artifacts and instead downloading what is currently available as latest version! It is strongly advised to do a full system upgrade right away if your system currently has xz version 5.6.0-1 or 5.6.1-1 installed.
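A way to check a system or image against the advisory quoted above, as an added example that is not part of the original post or of Arch's announcement. The function names are hypothetical; the version strings and date window are taken from the advisory text, and the image creation date is assumed to be supplied by you.

```shell
#!/bin/sh
# Added example: classify an xz package version or a container image
# creation date against the values named in the advisory.

AFFECTED_XZ="5.6.0-1 5.6.1-1"   # package versions named as compromised
WINDOW_START=20240224            # container image window, inclusive
WINDOW_END=20240328

# xz_status "xz 5.6.1-1"  (a `pacman -Q xz` line, or a bare version)
# prints "affected" or "ok".
xz_status() {
    ver=${1##* }                 # keep the last space-separated field
    for bad in $AFFECTED_XZ; do
        if [ "$ver" = "$bad" ]; then echo affected; return 0; fi
    done
    echo ok
}

# image_status YYYY-MM-DD  prints "affected", "ok" or "invalid".
image_status() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    y=${1%%-*}; rest=${1#*-}; m=${rest%-*}; d=${rest#*-}
    day=$y$m$d                   # 2024-03-01 -> 20240301 for integer compare
    if [ "$day" -ge "$WINDOW_START" ] && [ "$day" -le "$WINDOW_END" ]; then
        echo affected
    else
        echo ok
    fi
}

# On an Arch-based host, report on the installed package.
if command -v pacman >/dev/null 2>&1; then
    installed=$(pacman -Q xz 2>/dev/null) || installed=""
    if [ -n "$installed" ]; then
        echo "installed: $installed -> $(xz_status "$installed")"
    fi
fi
```
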
Following that were more clean-ups and fixes to the SRSO mitigation code. It's been a quiet few months since while merged on Friday was fixing some of the mitigation code due to being ineffective.
Thanks in part to that opt-in automatic crash reporting, details were gathered for fixing at least three important crashes within Plasma 6 this week.
No words
I ****ing fell for it