HackerTrans
TopNewTrendsCommentsPastAskShowJobs

duncaen

no profile record

comments

duncaen
·hace 5 años·discuss
What extra steps? Arch is missing debug packages, a package manager that can detect bad partial updates, different architectures etc.
duncaen
·hace 5 años·discuss
Regex to parse lisp expressions?
duncaen
·hace 5 años·discuss
This is not what happened according to them:

https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

> (4). Once any maintainer of the community responds to the email, indicating “looks good”, we immediately point out the introduced bug and request them to not go ahead to apply the patch. At the same time, we point out the correct fixing of the bug and provide our proper patch. In all the three cases, maintainers explicitly acknowledged and confirmed to not move forward with the incorrect patches. This way, we ensure that the incorrect patches will not be adopted or committed into the Git tree of Linux.
duncaen
·hace 5 años·discuss
See page 9 of the already published paper:

https://raw.githubusercontent.com/QiushiWu/qiushiwu.github.i...

> We send the emails to the Linux communityand seek their feedback. The experiment is not to blame any maintainers but to reveal issues in the process. The IRB of University of Minnesota reviewed the procedures of the experiment and determined that this is not human research. We obtained a formal IRB-exempt letter. The experiment will not collect any personal data, individual behaviors, or personal opinions. It is limited to studying the patching process OSS communities follow, instead of individuals.
duncaen
·hace 5 años·discuss
I would say that the concept and implementation in C is inherently insecure. Switching to something less reviewed because there is a sudo vulnerability is not a guarantee that you are now "safer" especially if those ports are not reviewed.

As far as I can say, never ever use slicer69/doas, I've found 3 critical security vulnerabilities in it, the author does not understand C or how it should work in general.

Here are 3 examples if issues I found and the author used misleading commit titles to hide the issues and made excuses saying a clear buffer overflow very similar to the one found in sudo is just "potential":

- https://github.com/slicer69/doas/commit/261c2164496dbebe6e3e...

- https://github.com/slicer69/doas/commit/2f83222829448e5bc4c9...

I even had to do a PR myself to fix an issue the author was not able to understand and more and more people started to use it:

- https://github.com/slicer69/doas/pull/23