smpl
I know they did in December 2021.
https://web.archive.org/web/20211210133430/https://mastodon.social/@protonmail/107421854866115843
I've now finished reading and it wasn't about the xz code as I thought. The article was about the F-Droid developer Hans-Christoph Steiner telling a story about someone attempting to put pressure on F-Droid to merge code that was vulnerable in response to what happened with the xz project. So F-Droid never had the vulnerable code in it.
Tuesday, Hans-Christoph Steiner, a longtime developer of F-Droid, explained that a very similar situation nearly led F-Droid to push an update that would have introduced a security vulnerability into the product three years ago: “Three years ago, F-Droid had a similar kind of attempt as the Xz backdoor,” he posted on Mastodon. “A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a SQL injection vulnerability. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it’s relevant now.”
My intention was not to influence your writing. I'm just curious as to why apps from F-Droid would be more likely to be malicious. I was surprised because my intuition tells me that apps from F-Droid are inherently safer than apps from Play, because the apps are carefully reviewed. If it's just the XZ incident, which was a fascinating case of a supply chain attack, I'm not convinced since I'd assume apps in other app stores using liblzma would be equally affected.
Thanks for sharing your experiences!
Could you please provide sources for this claim?
F-Droid is an alternative store that can be used in place of Google Play. It has mainly FOSS applications, but occasionally it can contain malicious software. You must be aware of this and know what you are looking for.
Your fellow competitors did not necessarily perform the search when they were at the pub. It could be at the john when they got home. Your data profile is still tied to them right now.
Have you looked at the OpenSearch Description file for your instance? It might be generated with an IP address because SearXNG doesn't know the hostname. The URL is probably https://search.home/opensearch.xml
.
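As an added check for the comment above (example code, not from the commenter or from SearXNG): fetch the instance's OpenSearch description and verify that every search template actually advertises the expected hostname rather than an IP literal. The sample XML below is constructed to look like a misconfigured instance; the host `search.home` and the address `192.0.2.10` are assumptions.

```python
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

OPENSEARCH_NS = "http://a9.com/-/spec/opensearch/1.1/"

# Constructed sample: what a SearXNG instance that only knows its IP might
# serve at /opensearch.xml. The templates point at 192.0.2.10, not search.home.
SAMPLE_OPENSEARCH_XML = """<?xml version="1.0" encoding="utf-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>searxng</ShortName>
  <Description>SearXNG metasearch</Description>
  <Url type="text/html" method="get" template="http://192.0.2.10/search?q={searchTerms}"/>
  <Url type="application/x-suggestions+json" template="http://192.0.2.10/autocompleter?q={searchTerms}"/>
</OpenSearchDescription>
"""

# Constructed sample of the file as it should look for the host search.home.
GOOD_OPENSEARCH_XML = SAMPLE_OPENSEARCH_XML.replace("http://192.0.2.10", "https://search.home")


def template_hosts(xml_text):
    """Return the host part of every <Url template="..."> in the description."""
    root = ET.fromstring(xml_text)
    hosts = []
    for url in root.iter(f"{{{OPENSEARCH_NS}}}Url"):
        template = url.get("template")
        if template:
            hosts.append(urlsplit(template).hostname)
    return hosts


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_opensearch(xml_text, expected_host):
    """Return a list of problems; an empty list means every template uses expected_host."""
    problems = []
    hosts = template_hosts(xml_text)
    if not hosts:
        problems.append("no <Url template=...> elements found")
    for host in hosts:
        if host is None:
            problems.append("template has no host component")
        elif is_ip_literal(host):
            problems.append(f"template uses IP literal {host} instead of {expected_host}")
        elif host.lower() != expected_host.lower():
            problems.append(f"template host {host} does not match {expected_host}")
    return problems


def check_live_instance(base_url, expected_host, timeout=5):
    """Fetch <base_url>/opensearch.xml and run the same check against it (needs network)."""
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/opensearch.xml", timeout=timeout) as resp:
        return check_opensearch(resp.read(), expected_host)
```

Run `check_live_instance("https://search.home", "search.home")`; anything other than an empty list means the browser will learn the wrong address when it registers the engine, so fix the instance's externally visible URL (in SearXNG that is the `base_url` setting under `server:` in settings.yml, stated here as an assumption about its configuration) and re-add the engine.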
If you want to examine the search engines in your browser profile, they're stored in a JSON file compressed with a Mozilla-specific variant of LZ4. The file is search.json.mozlz4 and can be unpacked to JSON with lz4json.
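As an added example for the comment above (my own code, not the commenter's and not lz4json): the mozlz4 container is just an 8-byte magic `mozLz40\0`, a little-endian 32-bit decompressed size, and one raw LZ4 block, so it can be read without the lz4 library. The block below implements the LZ4 block decoder and a minimal greedy encoder, wraps them in the mozlz4 container, and lists the engine names from a constructed search.json.mozlz4. The sample JSON approximates the real file's layout (`engines`, `_name`, `_loadPath`) and is constructed, not copied from a profile.

```python
import json

MOZLZ4_MAGIC = b"mozLz40\0"  # 8-byte header, then u32 LE decompressed size, then one LZ4 block


def lz4_block_decompress(src: bytes, dst_size: int) -> bytes:
    """Decode one raw LZ4 block (the payload inside search.json.mozlz4)."""
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        lit_len = token >> 4
        if lit_len == 15:  # extended literal length: add bytes until one is not 255
            while True:
                b = src[i]; i += 1
                lit_len += b
                if b != 255:
                    break
        out += src[i:i + lit_len]
        i += lit_len
        if i >= n:  # the last sequence carries literals only
            break
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("corrupt block: bad match offset")
        match_len = (token & 0x0F) + 4  # minimum match length is 4
        if (token & 0x0F) == 15:
            while True:
                b = src[i]; i += 1
                match_len += b
                if b != 255:
                    break
        start = len(out) - offset
        for k in range(match_len):  # byte-wise copy so overlapping matches (offset < length) work
            out.append(out[start + k])
    if len(out) != dst_size:
        raise ValueError(f"corrupt block: got {len(out)} bytes, header says {dst_size}")
    return bytes(out)


def _put_len(out: bytearray, v: int) -> None:
    while v >= 255:
        out.append(255); v -= 255
    out.append(v)


def _put_sequence(out: bytearray, literals: bytes, offset: int = 0, match_len: int = 0) -> None:
    lit_len, ml = len(literals), (match_len - 4 if offset else 0)
    out.append((min(lit_len, 15) << 4) | min(ml, 15))
    if lit_len >= 15:
        _put_len(out, lit_len - 15)
    out += literals
    if offset:
        out += offset.to_bytes(2, "little")
        if ml >= 15:
            _put_len(out, ml - 15)


def lz4_block_compress(src: bytes) -> bytes:
    """Greedy LZ4 block encoder, obeying the end-of-block rules so real decoders accept it."""
    out, table, anchor, i, n = bytearray(), {}, 0, 0, len(src)
    while i < n - 12:  # spec: the last match must start at least 12 bytes before the end
        key = src[i:i + 4]
        ref = table.get(key)
        table[key] = i
        if ref is not None and i - ref <= 0xFFFF:
            m = 4
            while i + m < n - 5 and src[ref + m] == src[i + m]:  # last 5 bytes stay literals
                m += 1
            _put_sequence(out, src[anchor:i], i - ref, m)
            i += m
            anchor = i
        else:
            i += 1
    _put_sequence(out, src[anchor:])
    return bytes(out)


def mozlz4_decode(blob: bytes) -> bytes:
    if blob[:8] != MOZLZ4_MAGIC:
        raise ValueError("not a mozlz4 file")
    return lz4_block_decompress(blob[12:], int.from_bytes(blob[8:12], "little"))


def mozlz4_encode(data: bytes) -> bytes:
    return MOZLZ4_MAGIC + len(data).to_bytes(4, "little") + lz4_block_compress(data)


def engine_names(blob: bytes) -> list:
    """Names of the engines recorded in a search.json.mozlz4 blob."""
    return [e["_name"] for e in json.loads(mozlz4_decode(blob))["engines"]]


# Constructed sample in the approximate shape of Firefox's search.json.mozlz4.
SAMPLE_SEARCH_JSON = json.dumps({
    "version": 6,
    "engines": [
        {"id": "ddg", "_name": "DuckDuckGo", "_loadPath": "[addon]ddg@search.mozilla.org"},
        {"id": "searxng-home", "_name": "SearXNG (search.home)",
         "_loadPath": "[http]search.home/opensearch.xml"},
    ],
    "metaData": {"defaultEngineId": "ddg"},
}).encode()
SAMPLE_BLOB = mozlz4_encode(SAMPLE_SEARCH_JSON)
```

To inspect a real profile, `engine_names(open("search.json.mozlz4", "rb").read())` lists the registered engines, and `json.loads(mozlz4_decode(...))` gives the full structure so you can see where each engine was loaded from. The encoder is there so you can write a file back with `mozlz4_encode`; for day-to-day use the lz4json tool the comment mentions does the same unpacking.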
I'd recommend you donate money to those who host open infrastructure. That stuff is expensive and critical to the free and open internet.
As for free software projects, I suggest donating your time with contributions. That's what they need the most. Helping with bug reports and writing documentation are easy starters and worth much more than money. That's hard to sell as a gift though. One gift card for confirming and investigating a bug in the free software of your choice. Merry Christmas, Uncle Bob!
Going from being a cool hacker who does things for fun and shares them with his peers to being a poor cyberbeggar does no good to a person's self-worth. Help out by contributing and let Mr. Cool Hacker have time for his day job on the side. We get better software and fewer burnouts.