All things Linux

Noodles

The sequel will probably be better.
Joined
Sep 20, 2018
Messages
6,069
Location
Illinois
SL Rez
2006
Joined SLU
04-28-2010
SLU Posts
6947
I was using Claude to go through some things I can do to optimize the webserver I have from Digital Ocean and one thing was to reboot it because it had an uptime of like 220 days.
 
Joined
Sep 19, 2018
Messages
6,769
Location
NJ suburb of Philadelphia
SL Rez
2003
SLU Posts
4494
Noodles said:
I was using Claude to go through some things I can do to optimize the webserver I have from Digital Ocean and one thing was to reboot it because it had an uptime of like 220 days.

Then there was Windows 95, which had some 32-bit counter in a device driver causing it to crash in 49.7 days. Not many people were affected since generally Windows 95 crashed before then anyway.
 

Argent Stonecutter

Emergency Mustelid Hologram
Joined
Sep 20, 2018
Messages
7,507
Location
Coonspiracy Central, Noonkkot
SL Rez
2005
Joined SLU
Sep 2009
SLU Posts
20780
Microsoft keeps making that mistake:

Wikipedia said:
Microsoft

In Microsoft Windows 7, Windows Server 2003, Windows Server 2008, and Windows Vista, TCP connection start information was stored in hundredths of a second, using a 32-bit unsigned integer, which caused TCP connections to fail after 497 days.
Windows 95 and Windows 98 had a problem with rollovers in a virtual device driver, VTDAPI.VXD, which used unsigned 32-bit integers to measure system runtime in milliseconds; this value would overflow after 49.7 days, causing systems to freeze.
Until version 6.0, Microsoft's .NET platform had a bug that caused threadpool hill-climbing to fail periodically after 49.7 days due to an overflow while handling milliseconds since startup.

-- https://en.wikipedia.org/wiki/Time_formatting_and_storage_bugs
 
  • 1Thanks
Reactions: Essence Lumin
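The rollovers in the quoted list all come from a 32-bit unsigned tick counter, and code that compares absolute tick values breaks when it wraps. This is an added example, not code from the thread, from Wikipedia or from Microsoft: it models such a counter and contrasts a naive deadline check with the general wrap-safe form (unsigned subtraction of start from now); the function names are made up for the illustration.

```javascript
// Constructed model of a 32-bit unsigned tick counter (for example,
// milliseconds since boot). All names here are illustrative.
const WRAP = 2 ** 32;

// Days of uptime before the counter rolls over at a given tick rate.
function daysUntilWrap(ticksPerSecond) {
  return WRAP / ticksPerSecond / 86400;
}

// What a 32-bit register holds for a given true tick count.
function tick32(trueTicks) {
  return trueTicks % WRAP;
}

// Naive check: compute an absolute deadline and compare against "now".
// If start + timeout wraps, the deadline becomes a small number and the
// timer looks expired immediately.
function expiredNaive(now, start, timeout) {
  return now >= tick32(start + timeout);
}

// Wrap-safe check: unsigned 32-bit subtraction yields the elapsed ticks
// even when "now" has rolled over past zero and "start" has not.
function expiredSafe(now, start, timeout) {
  return ((now - start) >>> 0) >= timeout;
}

// Constructed scenario: a 5000 ms timer armed 1000 ms before rollover.
const ARMED_AT = tick32(WRAP - 1000);
const AFTER_100_MS = tick32(WRAP - 1000 + 100);
const AFTER_6000_MS = tick32(WRAP - 1000 + 6000);
```
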

Free

*censored*
VVO Supporter 🍦🎈👾❤
Joined
Sep 22, 2018
Messages
42,499
Location
Moonbase Caligula
SL Rez
2008
Joined SLU
2009
SLU Posts
55565
Servers operated by Ubuntu and its parent company Canonical were knocked offline on Thursday morning and have remained down ever since, a situation that’s preventing the OS provider from communicating normally following the botched disclosure of a major vulnerability.

Attempts to connect to most Ubuntu and Canonical webpages and download OS updates from Ubuntu servers have consistently failed over the past 24 hours. Updates from mirror sites, however, have continued to work normally. A Canonical status page said: “Canonical’s web infrastructure is under a sustained, cross-border attack and we are working to address it.” Other than that, Ubuntu and Canonical officials have maintained radio silence since the outage began.
A group sympathetic to the Iranian government has taken credit for the outage. According to posts on Telegram and other social media, the group is responsible for a DDoS attack using Beam, an operation that claims to test the ability of servers to operate under heavy loads but, like other “stressors,” are, in fact, fronts for services miscreants pay for to take down third-party sites. In recent days, the same pro-Iran group has taken credit for DDoSes on eBay.
 

Noodles

Microsoft probably getting nervous about everyone dumping Windows 11.
 

Govi

Crazy woman yells at clouds
VVO Supporter 🍦🎈👾❤
Joined
Sep 20, 2018
Messages
1,577
Location
North of Surf City
SL Rez
2004
Joined SLU
27.05.2009
SLU Posts
5294
Don Tzu: "People in grass houses should be careful about flaming rocks."
 

Free

I keep trying to swipe left on man pages, but then I remember grindr doesn't have that feature.
 

Free

Official Red Hat NPM accounts have been compromised and used to push a malicious worm that spreads from machine to machine, where it pilfers sensitive credentials in hopes of stealing yet more confidential data, researchers said.

The supply-chain attack began Monday and remained active at the time this post went live, according to researchers at security firm Aikido. It’s the result of the threat actor responsible for the hack taking control of @redhat-cloud-services, a legitimate channel in the npm repository that’s reserved for official Red Hat packages. As such, the channel is widely trusted by developers who rely on Red Hat cloud services.
It’s unclear precisely how the threat actor took control of the namespace, but it almost certainly involved the compromise of credentials required to access it, possibly through a previous supply-chain attack. More than 30 packages seem to be affected.

The packages execute an obfuscated payload that can run during the npm install process, which occurs before a developer imports or actually uses the package in a production environment. Security firm Socket said an analysis of the malware revealed that it’s designed to collect sensitive credentials, including GitHub action secrets, npm tokens, Kubernetes and Vault material, and credentials for other cloud services. The worm then spreads by republishing backdoored packages to third-party accounts the infected device has access to. Most, but not all, of the packages had been taken down in the hours following the incident.
 
  • 1Interesting
  • 1Wow!
Reactions: Dakota Tebaldi and Govi
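Code that runs during `npm install`, as the article describes, leaves a trace in a project's lockfile: npm lockfile versions 2 and 3 set `hasInstallScript` on any package with a preinstall, install or postinstall script. This is an added example, not code from the article, Aikido, Socket or Red Hat; it lists those packages plus anything under the `@redhat-cloud-services` scope for review, and the lockfile contents and package names in it are constructed.

```javascript
// Only the scope name comes from the article; a match means "review this",
// not "this version is known to be malicious".
const WATCHED_SCOPES = ['@redhat-cloud-services'];

// Lockfile keys look like "node_modules/a/node_modules/@scope/name".
function packageNameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// List locked packages that run scripts at install time or sit in a
// watched scope; packages matching both criteria sort first.
function auditLockfile(lock, watchedScopes = WATCHED_SCOPES) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project entry
    const name = packageNameFromLockPath(lockPath);
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    const watchedScope = scope !== null && watchedScopes.includes(scope);
    const runsOnInstall = Boolean(meta.hasInstallScript);
    if (runsOnInstall || watchedScope) {
      findings.push({ name, version: meta.version, runsOnInstall, watchedScope });
    }
  }
  const score = (f) => Number(f.watchedScope) + Number(f.runsOnInstall);
  return findings.sort((a, b) => score(b) - score(a));
}

// Constructed lockfile: every package name and version is hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@redhat-cloud-services/example-client': { version: '0.0.0', hasInstallScript: true },
    'node_modules/@redhat-cloud-services/example-types': { version: '0.0.0' },
    'node_modules/plain-lib-example': { version: '0.0.0' },
    'node_modules/native-addon-example': { version: '0.0.0', hasInstallScript: true },
    'node_modules/a/node_modules/@redhat-cloud-services/example-client': { version: '0.0.1' },
  },
};
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `auditLockfile`. Installing with `npm ci --ignore-scripts` keeps lifecycle scripts from running while the findings are reviewed.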

Noodles

This is so good and super accurate.

 
  • 1Like
Reactions: Erich Templar

Dakota Tebaldi

Well-known member
VVO Supporter 🍦🎈👾❤
Joined
Sep 19, 2018
Messages
9,844
Location
Ohio
Joined SLU
02-22-2008
SLU Posts
16791

Spirits Rising

Quite Blunt
Joined
Sep 21, 2018
Messages
653
Location
Clinton, OH
SL Rez
2006
Joined SLU
08/24/2014
SLU Posts
1476
... Considering the horror show Snap packages are described to be by users, I am incredibly glad I no longer use Xubuntu.
 
  • 1Like
Reactions: Dakota Tebaldi

Noodles

I forget if I dislike Snaps or Flatpaks or both. I just want to apt-get y'all.
 

Argent Stonecutter

I'm still pissed nobody but Apple did anything with the NextStep package model, which gives you all the packaging advantages of snaps and flatpak and the like without the security theater that makes them suck so badly.
 

Noodles

What I don't get is, doesn't Linux have all the security theater built in, with SUDO and groups and crazy permissions?
 

Dakota Tebaldi

If flatpak permissions are being annoying, I strongly recommend Flatseal, which lets you manage them per-package in as much detail as you want. Like, flatpaks don't normally see the /mnt directory where I have some storage drives mounted, so if I want a particular flatpak program to be able to read or write in that drive I can use Flatseal to give it access to /mnt, or just that particular drive, or even just a specific folder inside that specific drive, and from now on when I run the program and open the file save window that location will magically be there.

I'm starting to learn how to build programs from source finally, so once I get the hang of that, I suspect I'm going to start preferring it and only use Flatpaks if the source code looks like it's going to be Dependency Hell. So it'll be like, APT always first, and if it's not on APT or the Debian package is too old, then

.deb if available
Source code
Flatpak
AppImage
Snap way down here, last resort, maybe not at all
 
  • 1Agree
Reactions: Spirits Rising

Argent Stonecutter

Noodles said:
What I don't get is, doesn't Linux have all the security theater built in, with SUDO and groups and crazy permissions?

The UNIX group model if properly used (like it hasn't really been since they started adding crap like SELinux and other glued-on security models and people quit designing applications around only exposing rights through the set-group mechanism) is actually quite effective. The "turnin" program at college survived years of undergraduate CS majors trying to cheat it. I wouldn't call it "security theater".
 

Argent Stonecutter

The NSA has a requirement for mandatory access control (Orange Book) for classified information which nobody outside the federal Government cares about, but SELinux doesn't even do that right. It's ass all the way down.