• 0 Posts
  • 22 Comments
Joined 2 years ago
Cake day: July 14th, 2023


  • I’ve now finished reading and it wasn’t about the xz code as I thought. The article was about the F-Droid developer Hans-Christoph Steiner telling a story about someone attempting to put pressure on F-Droid to merge code that was vulnerable in response to what happened with the xz project. So F-Droid never had the vulnerable code in it.

    Tuesday, Hans-Christoph Steiner, a longtime developer of F-Droid, explained that a very similar situation nearly led F-Droid to push an update that would have introduced a security vulnerability into the product three years ago: “Three years ago, F-Droid had a similar kind of attempt as the Xz backdoor,” he posted on Mastodon. “A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn’t found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a SQL injection vulnerability. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it’s relevant now.”
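The quoted post only says the search merge request "added a SQL injection vulnerability" and gives no code, so the block below is an added illustration of that bug class in a search feature, not the F-Droid merge request and not F-Droid code. It assumes nothing about the real change: the SQLite table, its rows and the attacker input are constructed here. The string-built query lets a search term close the quote and rewrite the WHERE clause (here, leaking a row the filter was meant to hide); the parameterized version binds the term as data and also escapes LIKE wildcards, which parameter binding alone does not handle.

```python
"""Search-box SQL injection: the vulnerable pattern beside the parameterized fix.

Added example illustrating the bug class named in the comment above. It is
not the F-Droid merge request and assumes nothing about that code; the
table, rows and attacker input are constructed here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory app catalogue with a 'hidden' flag a search must respect."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE apps (name TEXT, summary TEXT, hidden INTEGER);
        INSERT INTO apps VALUES ('Termux', 'Terminal emulator', 0);
        INSERT INTO apps VALUES ('NewPipe', 'Video client', 0);
        INSERT INTO apps VALUES ('Unreleased', 'Not yet published', 1);
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """Builds the query by string formatting.

    A term such as  ') OR 1=1 --  closes the quote and the parenthesis,
    appends OR 1=1, and comments out the rest, so the hidden=0 filter no
    longer constrains the result.
    """
    sql = (
        "SELECT name FROM apps WHERE hidden = 0 "
        f"AND (name LIKE '%{term}%' OR summary LIKE '%{term}%')"
    )
    return [row[0] for row in conn.execute(sql)]


def escape_like(term: str) -> str:
    """Escape LIKE metacharacters so '%' and '_' in user input match literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Parameterized query: the term is bound as data, never parsed as SQL.

    Quotes, parentheses and comment markers in the term cannot change the
    statement; ESCAPE handles the wildcard problem that binding alone leaves.
    """
    pattern = f"%{escape_like(term)}%"
    sql = (
        "SELECT name FROM apps WHERE hidden = 0 "
        "AND (name LIKE ? ESCAPE '\\' OR summary LIKE ? ESCAPE '\\')"
    )
    return [row[0] for row in conn.execute(sql, (pattern, pattern))]


if __name__ == "__main__":
    db = make_db()
    attacker = "') OR 1=1 --"  # constructed injection payload
    print("vulnerable, benign term:", search_vulnerable(db, "Term"))
    print("vulnerable, injected:   ", search_vulnerable(db, attacker))
    print("safe, benign term:      ", search_safe(db, "Term"))
    print("safe, injected:         ", search_safe(db, attacker))
```

The review check that catches this in a merge request is mechanical: any `execute()` whose SQL text is assembled with `+`, `%` or an f-string from a request parameter is suspect, regardless of how the surrounding search logic looks.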


  • My intention was not to influence your writing. I’m just curious as to why apps from F-Droid would be more likely to be malicious. I was surprised because my intuition tells me that apps from F-Droid are inherently safer than apps from Play, because the apps are carefully reviewed. If it’s just the XZ incident, which was a fascinating case of a supply chain attack, I’m not convinced since I’d assume apps in other app stores using liblzma would be equally affected.

    Thanks for sharing your experiences!


  • It’s easy to overlook with the omnipresent internet, but self-hosting doesn’t require internet. You could host for your fellow students on the local network. If that’s also against the Wifi rules, you can either ignore that stupid rule or set up your own god damn wifi with hostapd on your machine and let students connect directly to it. It’s probably best to use a machine dedicated to the task for security reasons, as you wouldn’t want curious students to accidentally erase your homework. I wouldn’t use containers or VMs for any of this, I’d just use bare metal like in the good ol’ days. You could also, without having to worry, give people shell accounts because it’s a closed network. The options are endless without all the worries of hosting on the internet.
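The comment suggests hostapd but gives no configuration, so here is an added example of a minimal hostapd.conf for the stand-alone access point it describes; it is not the commenter's setup. The interface name, SSID, channel and passphrase are placeholders to be replaced. It uses WPA2-PSK with CCMP so that only people given the passphrase can join the closed network the comment relies on; an open network would let anyone in radio range onto those shell accounts.

```ini
# hostapd.conf for a stand-alone classroom access point
# Added example, not from the comment above. Placeholders: interface name,
# ssid, channel and wpa_passphrase must be changed for a real deployment.
interface=wlan0
driver=nl80211

ssid=classroom-lab
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=1

# Open-system authentication, then WPA2 (RSN) with a pre-shared key
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=change-this-passphrase

# Do not advertise the network's management frames as protected-optional;
# leave defaults unless clients need it. Clients still need addresses:
# run a DHCP server (for example dnsmasq bound to wlan0) after hostapd is up.
```

Start it with `hostapd /path/to/hostapd.conf` as root; hostapd itself only handles the wireless link, so the machine also needs an IP address on the interface and a DHCP server before students can reach anything hosted on it.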