> We can’t change git’s shell to /sbin/nologin or /bin/false, or users wouldn’t be able to connect over SSH.
Git actually has a solution for this! I don’t know if it would work with the custom python stuff going on, but you can set the login shell to `git-shell`
Nice writeup!
Thinking generally it seems something like the xz/lzma vulnerability could be snuck in by 1-2 nefarious people colluding across packaging and package producing, especially if we are talking about nation-state actors who can afford to look legit for years before being trusted to work without oversight - then when no one is watching, sneak in a backdoor.
I feel we are in a very innocent age and will look wistfully back at the days we trusted our anonymous open source brethren.
On macOS I think about this every time I “brew install”, and every time oh-my-zsh auto-updates. Do Linux users think about this?
For those looking for alternatives to the status quo on Linux supply chain security, check out [Stageˣ].
It is 100% deterministic, hermetic, and reproducible. Also it is full source bootstrapped from 180 bytes of human-auditable machine code, all released artifacts are multi-party reproduced/reviewed/signed, and it is fully container-native all the way down "FROM scratch" making it easy to pin dependency hashes to reproduce your own projects with it.
I started it after years of unsuccessful pleading with existing distros to stop giving ultimate solitary trust to -any- maintainers or sysadmins involved in the project.
I've got to say, Git resignifying `--` and requiring `--end-of-options` instead is bonkers
> In addition, this is a self-service application, in the sense that anyone can create a Fedora contributor account and gain authenticated access to various services.
I legitimately wanted to get a package into Fedora a few years ago, a service that did not exist already, and I couldn't get past the fact that they require new contributor accounts to be sponsored by someone already a contributor. I was unable to secure sponsorship by anyone and just gave up.
NoLimitSecu, French cybersecurity podcast, released an episode yesterday with the authors: https://www.nolimitsecu.fr/compromission-de-distributions-li...
It was amazing to hear that they chose the weakest path, argument injection, and were able to find a vector in two weeks twice (fedora + opensuse).
Does anyone else have the title overlay taking up 2/7ths of the top of the screen?
"Let's use red hat's products but let's not get them from red hat to save some bucks"
This is the risk you take
Because bash for some goddamn reason loads the bashrc for interactive shells AND when started by sshd, regardless of whether the shell is interactive or a tty is present. Bash (and only bash) literally has a special case for sshd to enable this kind of exploit.
As a result of this, git and rsync won't work at all if the bashrc on the remote machine writes any data to stdout. Like setting a window title.
To work around that, every bashrc on this earth needs a case switch to return early to avoid this specific bug.
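The early-return guard described in the comment above, as an added example that is not part of the thread: a `~/.bashrc` fragment that stops before any output-producing line when the shell is not interactive, plus a small harness that shows why it matters. Bash started by sshd to run a single command (`git-upload-pack`, `rsync --server`) is non-interactive but still reads `~/.bashrc`, and any bytes it writes to stdout land in the git or rsync protocol stream. The harness does not use sshd; it uses `BASH_ENV`, the documented way to make a non-interactive bash source a file, as a stand-in for that code path. The rc contents, the temp file and the byte-counting helpers are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Compares an unguarded ~/.bashrc with
# one that returns early in non-interactive shells, by counting the stdout
# bytes a non-interactive bash emits while sourcing each one.

RC=$(mktemp)                   # constructed stand-in for ~/.bashrc
trap 'rm -f "$RC"' EXIT

# Unguarded rc: sets a terminal window title unconditionally, so every
# bash that sources it, interactive or not, writes an escape sequence.
write_unguarded_rc() {
    cat > "$RC" <<'EOF'
printf '\033]0;%s\007' "${HOSTNAME:-host}"   # window-title escape
EOF
}

# Guarded rc: same content behind the usual test on $-. The 'i' flag is
# present only in interactive shells, so a bash started by sshd to run a
# command never reaches the printf.
write_guarded_rc() {
    cat > "$RC" <<'EOF'
case $- in
    *i*) ;;          # interactive: carry on with prompt/title setup
    *) return ;;     # non-interactive: stop before anything touches stdout
esac
printf '\033]0;%s\007' "${HOSTNAME:-host}"
EOF
}

# Count stdout bytes from a non-interactive bash that sources $RC and then
# runs a no-op, the shape of 'ssh host git-upload-pack repo'. SSH_CLIENT is
# cleared so bash takes the BASH_ENV path rather than the sshd one.
stdout_bytes() {
    env -u SSH_CLIENT -u SSH2_CLIENT BASH_ENV="$RC" bash -c ':' | wc -c | tr -d ' '
}

unguarded_bytes() { write_unguarded_rc; stdout_bytes; }
guarded_bytes()   { write_guarded_rc;   stdout_bytes; }

printf 'unguarded rc emitted %s byte(s); guarded rc emitted %s byte(s)\n' \
    "$(unguarded_bytes)" "$(guarded_bytes)"
```

Any non-zero count from the unguarded rc is exactly what corrupts a git or rsync transfer; the guarded rc yields zero, which is why the `case $- in *i*)` check belongs on the first line of the file, above prompt and title setup rather than below it.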