HackerLangs
TopNewTrendsCommentsPastAskShowJobs

jwilk

9,113 karmajoined 11 anni fa


  ^__^
  (oo)\_______
  (__)\       )\/\
      ||----w |
      ||     ||

Submissions

AURpocalypse now: a look at the recent AUR attacks

lwn.net
134 points·by jwilk·21 giorni fa·101 comments

Moving beyond fork() + exec()

lwn.net
359 points·by jwilk·mese scorso·345 comments

LLM-driven security reports disrupt coordinated disclosure

lwn.net
3 points·by jwilk·2 mesi fa·0 comments

Debian decides not to decide on AI-generated contributions

lwn.net
376 points·by jwilk·4 mesi fa·289 comments

As ye clone(), so shall ye AUTOREAP

lwn.net
3 points·by jwilk·4 mesi fa·0 comments

Security incident on plone GitHub org with force pushes

openwall.com
1 points·by jwilk·5 mesi fa·0 comments

GNU InetUtils Security Advisory: remote authentication by-pass in telnetd

openwall.com
5 points·by jwilk·6 mesi fa·0 comments

A free and open-source rootkit for Linux

lwn.net
218 points·by jwilk·6 mesi fa·40 comments

The difficulty of safe path traversal

lwn.net
2 points·by jwilk·6 mesi fa·0 comments

A “frozen” dictionary for Python

lwn.net
191 points·by jwilk·7 mesi fa·167 comments

Explicit Lazy Imports for Python

lwn.net
1 points·by jwilk·9 mesi fa·0 comments

comments

jwilk
·10 ore fa·discuss
Subscriber link:

https://lwn.net/SubscriberLink/1080822/bfd11a50a0d41ad6/
jwilk
·15 giorni fa·discuss
https://news.ycombinator.com/item?id=48649785 was posted earlier with a subscriber link.
jwilk
·20 giorni fa·discuss
Search for "yen sign path separator".
jwilk
·21 giorni fa·discuss
Discussed ~2 weeks ago:

https://news.ycombinator.com/item?id=48425528 (over 300 comments)
jwilk
·mese scorso·discuss
Discussed also in 2021: https://news.ycombinator.com/item?id=29709802 (16 comments)
jwilk
·8 mesi fa·discuss
Yes, you can do "apt-get install --dry-run ./nyancat_1.5.2-0.2_i386.deb" these days.
jwilk
·8 mesi fa·discuss
> Their signed package formats (there are two) add extra sections to the `ar` archive for the signature

APT does not verify package-level signatures (and nobody uses them anyway), so this is irrelevant.
jwilk
·11 mesi fa·discuss
From the HN Guidelines <https://news.ycombinator.com/newsguidelines.html>:

> Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that".
jwilk
·anno scorso·discuss
Notes are copied to from the original to the rewritten commit by default. See https://git-scm.com/docs/git-notes#Documentation/git-notes.t... for details.

But I have this in my IRC logs:

  < _jwilk> TIL git-notes rewriting doesn't work properly when doing amend within rebase. :/
jwilk
·2 anni fa·discuss
Or if you can't stand the lkml.org UI:

https://lore.kernel.org/lkml/20240330144848.102a1e8c@kaneli/
jwilk
·2 anni fa·discuss
> do you see anything suspicious

No.

> libunistring could also be affected as that has also been pushed there

What do you mean by "that"?
jwilk
·2 anni fa·discuss
What do you mean?
jwilk
·2 anni fa·discuss
FWIW, "4 - 2" is explained earlier in the file:

  // The "-2" is included because the for-loop will
  // always increment by 2. In this case, we want to
  // skip an extra 2 bytes since we used 4 bytes
  // of input.
  i += 4 - 2;
jwilk
·2 anni fa·discuss
"#, fuzzy" means the translation is out-of-date and it will be discarded at compile time.
jwilk
·2 anni fa·discuss
eval in autoconf macros is nothing unusual.

In (pre-backdoor) xz 5.4.5:

  $ grep -wl eval m4/*
  m4/gettext.m4
  m4/lib-link.m4
  m4/lib-prefix.m4
  m4/libtool.m4
jwilk
·4 anni fa·discuss
Not base64, but this should be easy to reproduce:

  $ printf '{\n\t"list": [\n\t\t{},\n\t\t{}\n\t]\n}\n' > test.json

  $ jq < test.json 
  {
    "list": [
      {},
      {}
    ]
  }

  $ yamllint test.json 
  test.json
    2:1       error    syntax error: found character '\t' that cannot start any token (syntax)
jwilk
·4 anni fa·discuss
Beware of security implications of using a YAML parser:

https://docs.ruby-lang.org/en/3.0/YAML.html#module-YAML-labe...

> Do not use YAML to load untrusted data. Doing so is unsafe and could allow malicious input to execute arbitrary code inside your application.
jwilk
·8 anni fa·discuss
(2016)

Previous discussion: https://news.ycombinator.com/item?id=11532599
jwilk
·8 anni fa·discuss
But not the others:

1999 LiveJournal

1999 Blogger

2001 Movable Type

2003 WordPress