• 0 Posts
  • 171 Comments
Joined 1 year ago
cake
Cake day: January 2nd, 2024

help-circle









  • It’s not quite what you’ve asked for here, but as a Dev I’d be remiss if I didn’t shill for Gentoo.

    It ticks your rolling release box, has fantastic docs, a huge package repository (and the community repo Guru), and by design enables almost infinite configurability and customisation. We also have a binary package repository now for popular architectures, so you can choose to avoid compiling if you don’t want to deviate from sane defaults (or only compile in cases where you do!)

    On the hardware side, we have fantastic support for a number of architectures, I recently brought up a SPARC system and have some arch64 and riscv in the past.

    Finally, even if you just decide to check the distro out, the process of installing, configuring, and maintaining a Linux system is outlined in detail within our handbook, and can provide a peek behind the scenes at what some other distros abstract; it’s a fantastic learning experience for those interested.

    Finally, we have fantastic support through volunteers in official IRC channels and forums, as well as unofficial hubs like discord.

    Hopefully I’ve planted a seed and you’ll check it out down the line. :)





  • I’m a huge proponent of Gentoo Linux as a learning experience. It’s a great way to learn how the components of a system work together and the distro enables an amazing amount of configurability for your system.

    Even following a handbook install in a VM can be a good experience if you’re interested.






  • TL;DR don’t worry (for now) - it only impacts rpm and deb builds and impacted releases only really made it into OpenSuSe tumbleweed - if you’re running bleeding edge maybe you need to worry a little.

    A laymans explanation about what happens is that the malicious package uses an indirect linkage (via systemd) to openssh and overrides a crypto function which either:

    • allows access to the system to a particular key
    • allows remote code execution with a particular key

    Or both!

    I have secondhand info that privately the reverse engineering is more advanced, but nobody wants to lead with bad info.

    As for what you should do? Unless you’re running an rpm or deb based distro and you have version 5.6.0 or 5.6.1 of xz-utils installed, not much. If you are, well, that comes down to your threat model and paranoia level: either upgrade (downgrade) the package to a non-vulnerable version or dust off and nuke the site from orbit; it’s the only way to be sure.