It looks fishy. Happy to see somebody putting something out there but if I am not reading the code I have to trust reputation and the age and number of stars on GitHub (although those can be bought too) are not doing it for me.
When will there be the next xz attack thingy?
It’s open source, so you can read the code.
I absolutely could. That doesn’t change my stance on this software.
The code hidden in xz was also publicly available and didn’t get caught. So much for open source making all things safe just by being open source. And that was a high value target. Imagine what happens (or could) on a smaller scale.
Honestly now, are you reading the code of a nice project you want to spin up in a docker to try out? I don’t. I check the project and the stars/engagement. If it goes any further I check who is involved in it and that’s about it.
Yeah, I had an Android application installed recently which strangely enough tried to reach my vaultwarden DNS? That sounded sketchy AF and just blocked it, removed it and cleaned every trace of it…
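The check the comment above describes (an app on the LAN resolving the name of a self-hosted password vault it has no business knowing) can be turned into a repeatable detection over the resolver's query log. The following is an added example, not code from the thread or from any project mentioned in it: it parses dnsmasq/Pi-hole style `query[TYPE] name from client` lines and flags any client outside an allow list that looks up a sensitive internal hostname. The log lines, the hostname `vault.home.lan` and the client addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in the dnsmasq / Pi-hole query format.
# These are made up for the example; 192.168.1.73 plays the role of a
# phone with a freshly installed app that should never need the vault.
SAMPLE_LOG = """\
Jun 12 10:01:02 dnsmasq[812]: query[A] vault.home.lan from 192.168.1.10
Jun 12 10:01:05 dnsmasq[812]: query[A] updates.example.org from 192.168.1.73
Jun 12 10:02:11 dnsmasq[812]: query[AAAA] vault.home.lan from 192.168.1.73
Jun 12 10:02:11 dnsmasq[812]: query[A] vault.home.lan from 192.168.1.73
Jun 12 10:03:40 dnsmasq[812]: query[A] vault.home.lan from 192.168.1.22
"""

# Matches the "query[A] name from client" part of a dnsmasq log line.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


@dataclass(frozen=True)
class Alert:
    client: str   # source address that issued the lookup
    name: str     # sensitive hostname that was queried
    count: int    # how many such lookups appeared in the log


def find_unexpected_clients(log_text, sensitive_names, allowed_clients):
    """Return one Alert per (client, hostname) pair where a client that is
    not on the allow list queried a hostname from the sensitive set.

    Names are normalised to lower case with any trailing dot removed so
    'Vault.home.lan.' and 'vault.home.lan' are treated as the same name.
    Lines that do not look like query records are skipped.
    """
    sensitive = {n.lower().rstrip(".") for n in sensitive_names}
    hits = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        client = m.group("client")
        if name in sensitive and client not in allowed_clients:
            key = (client, name)
            hits[key] = hits.get(key, 0) + 1
    return [Alert(c, n, k) for (c, n), k in sorted(hits.items())]


if __name__ == "__main__":
    # Hypothetical allow list: the two machines that legitimately use the vault.
    allowed = {"192.168.1.10", "192.168.1.22"}
    for alert in find_unexpected_clients(SAMPLE_LOG, {"vault.home.lan"}, allowed):
        print(f"{alert.client} queried {alert.name} {alert.count}x (not on allow list)")
```

On the constructed log this reports only 192.168.1.73, with two lookups (the A and AAAA queries), while the two allow-listed clients are ignored. In practice the sensitive set would hold every internal name you would not expect a random app to resolve, and the allow list would be the handful of devices that actually sync with the vault; anything else resolving those names is worth the same response the commenter took.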
Right? It is even odder to me that the selfhosted newsletter shared it.
What is xz attack thingy?
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know