Joonas Niilola wrote:
Hey,
I'll admit I didn't read everything, but I just want to point out you
may not have to edit ebuilds at all. If xz-utils is package.provided
portage should ignore the dependency without you removing the dep from an
ebuild. Then you can utilize /etc/portage/patches to
On 6.4.2024 14.57, Eddie Chapman wrote:
>
> --- /usr/portage/net-mail/dovecot/dovecot-2.3.21-r1.ebuild
> +++ /usr/local/portage/net-mail/dovecot/dovecot-2.3.21-r1.ebuild
> @@ -43,7 +43,6 @@
>
> DEPEND="
> app-arch/bzip2
> - app-arch/xz-utils
> dev-libs/icu:=
>
Sam James wrote:
> Eddie Chapman writes:
>> Below is a guide I've written to removing app-arch/xz-utils in case
>> anyone else wants to do so. Attached is the current version of the Bash
>> wrapper script I now use in place of /usr/bin/xz
>>
>> Comments, corrections on anything technical in the
Fabian Groffen wrote:
> If you just want to verify signatures and manifests after sync,
> qmanifest from portage-utils can help you do this.
>
> Thanks,
> Fabian
Thanks for the pointer, and I see you are one of the authors, thanks for
writing a very useful tool!
Eddie Chapman writes:
> On 04/04/2024 15:24, Eddie Chapman wrote:
>> Since there appears to be some interest I'll put together a single email
>> to the list later today detailing everything, as I needed to do more
>> things overall in addition to replacing /usr/bin/xz.
>
> Below is a guide I've
On 06-04-2024 12:57:23 +0100, Eddie Chapman wrote:
> There is one significant thing that breaks, which is Gemato
> (app-portage/gemato). Gemato requires lzma support in core python in
> order to do GPG signature verification. This means you will have to say
> goodbye (for now) to verifying
On 2024.04.06 12:57, Eddie Chapman wrote:
> On 04/04/2024 15:24, Eddie Chapman wrote:
> > Since there appears to be some interest I'll put together a single
> email
> > to the list later today detailing everything, as I needed to do more
> > things overall in addition to replacing /usr/bin/xz.
>
> On Sat, 06 Apr 2024, Eddie Chapman wrote:
> [...] this is ridiculous and unnecessary :-).
Indeed.
SCNR,
Ulrich
On 04/04/2024 15:24, Eddie Chapman wrote:
Since there appears to be some interest I'll put together a single email
to the list later today detailing everything, as I needed to do more
things overall in addition to replacing /usr/bin/xz.
Below is a guide I've written to removing
Sam James wrote:
> Eli Schwartz writes:
>
>> On 4/3/24 11:30 AM, Eddie Chapman wrote:
>>
>>> Just to report I've been able to remove app-arch/xz-utils from my own
>>> workstation, with 2412 packages installed and running kde. I'm going
>>> to roll it out to my other gentoo systems which have a
Eli Schwartz wrote:
> On 4/3/24 11:30 AM, Eddie Chapman wrote:
>
>> Just to report I've been able to remove app-arch/xz-utils from my own
>> workstation, with 2412 packages installed and running kde. I'm going to
>> roll it out to my other gentoo systems which have a lot less stuff on
>> them so
If that’s working, it could at least be on an user personnal page on the
wiki as well.
Le 04/04/2024 à 10:32, Sam James a écrit :
Eli Schwartz writes:
On 4/3/24 11:30 AM, Eddie Chapman wrote:
Just to report I've been able to remove app-arch/xz-utils from my own
workstation, with 2412
Eli Schwartz writes:
> On 4/3/24 11:30 AM, Eddie Chapman wrote:
>> Just to report I've been able to remove app-arch/xz-utils from my own
>> workstation, with 2412 packages installed and running kde. I'm going to
>> roll it out to my other gentoo systems which have a lot less stuff on them
>> so
On 4/3/24 11:30 AM, Eddie Chapman wrote:
> Just to report I've been able to remove app-arch/xz-utils from my own
> workstation, with 2412 packages installed and running kde. I'm going to
> roll it out to my other gentoo systems which have a lot less stuff on them
> so am confident will be fine.
On Wed, 2024-04-03 at 16:30 +0100, Eddie Chapman wrote:
> It does involve a
> relatively small hack and functionality previously provided by xz-utils is
> replaced by app-arch/p7zip.
I did the same thing with app-arch/unzip a long time ago. You caught a
lot of shit for your post, but I don't
Just to report I've been able to remove app-arch/xz-utils from my own
workstation, with 2412 packages installed and running kde. I'm going to
roll it out to my other gentoo systems which have a lot less stuff on them
so am confident will be fine. It's not completely trivial but not as
difficult as
On 02/04/2024 20:46, Eli Schwartz wrote:
On 4/2/24 4:43 AM, Eddie Chapman wrote:
Well, they change one thing. It's hard for the security professionals at
work to deal with things when they are constantly having to respond to the
three-ring circus.
This is a complaint I hear very often from
On 4/2/24 4:43 AM, Eddie Chapman wrote:
>> Well, they change one thing. It's hard for the security professionals at
>> work to deal with things when they are constantly having to respond to the
>> three-ring circus.
>
> This is a complaint I hear very often from the people working at the heart
>
On 01/04/2024 15:56, Azamat Hackimov wrote:
There is no problem in the XZ/LZMA format itself as the reference
algorithm is not compromised. It's all about trust between developers
of application and developers of distribution. If you lost trust to
xz-utils's developers, you may use alternatives
Michał Górny wrote:
> On Mon, 2024-04-01 at 08:57 +0100, Eddie Chapman wrote:
>
>> I stand by and reiterate my view that there is far too much of a
>> cavalier attitude towards the matter in general out there including here
>> in Gentoo. But not in particular here, it is everywhere where this is
OK, I said I was done and this is a waste of time for everyone, but if
people want to keep the discussion going I'll bite :-)
Eli Schwartz wrote:
> But also, please keep in mind that 98% of all people on the internet can
> do whatever they want and it simply doesn't matter. They are public
>
On 1.4.2024 23.07, James Le Cuirot wrote:
>
> That's not stupid at all, I'd been thinking exactly the same thing. I raised
> this whole issue during a discussion at FOSDEM 2019, where I admitted that I
> didn't check the code changes for packages I was bumping, knowing that few to
> none of the
On Mon, 2024-04-01 at 20:51 +0200, Kévin GASPARD DE RENEFORT wrote:
> > Thanks for clarifying that, it wasn't clear to me when I read the
> > earlier e-mail.
> >
> > Personally I think the long term solution is to identify critical code
> > bases that have a low bus factor before the bad actors
Thanks for clarifying that, it wasn't clear to me when I read the
earlier e-mail.
Personally I think the long term solution is to identify critical code
bases that have a low bus factor before the bad actors do and make a
concentrated community effort to help audit and maintain these code
bases.
On Mon, 1 Apr 2024 12:01:13 -0400
Kenton Groombridge wrote:
> On 24/04/01 08:40AM, orbea wrote:
> > On Mon, 1 Apr 2024 11:14:15 -0400
> > Kenton Groombridge wrote:
> >
> > > On 24/03/31 12:13PM, Eddie Chapman wrote:
> > > > Eli Schwartz wrote:
> > > > > On 3/29/24 11:07 PM, Eddie
On 24/04/01 08:40AM, orbea wrote:
> On Mon, 1 Apr 2024 11:14:15 -0400
> Kenton Groombridge wrote:
>
> > On 24/03/31 12:13PM, Eddie Chapman wrote:
> > > Eli Schwartz wrote:
> > > > On 3/29/24 11:07 PM, Eddie Chapman wrote:
> > > >
> > > >> Given what we've learnt in the last 24hrs about xz
On Mon, 1 Apr 2024 11:14:15 -0400
Kenton Groombridge wrote:
> On 24/03/31 12:13PM, Eddie Chapman wrote:
> > Eli Schwartz wrote:
> > > On 3/29/24 11:07 PM, Eddie Chapman wrote:
> > >
> > >> Given what we've learnt in the last 24hrs about xz utilities,
> > >> you could forgive a paranoid
On 24/03/31 12:13PM, Eddie Chapman wrote:
> Eli Schwartz wrote:
> > On 3/29/24 11:07 PM, Eddie Chapman wrote:
> >
> >> Given what we've learnt in the last 24hrs about xz utilities, you could
> >> forgive a paranoid person for seriously considering getting rid
> >> entirely of them from their
сб, 30 мар. 2024 г. в 06:07, Eddie Chapman :
>
> Given what we've learnt in the last 24hrs about xz utilities, you could
> forgive a paranoid person for seriously considering getting rid entirely
> of them from their systems, especially since there are suitable
> alternatives available. Some
On Mon, 2024-04-01 at 08:57 +0100, Eddie Chapman wrote:
> I stand by and reiterate my view that there is far too much of a cavalier
> attitude towards the matter in general out there including here in Gentoo.
> But not in particular here, it is everywhere where this is being discussed
> at the
On 4/1/24 3:57 AM, Eddie Chapman wrote:
> No, I don't need to do that. I don't appreciate suggestions to "just calm
> down", especially when I'm not being hysterical. Your comment to me just
> reinforces what I mean when I say there is far too much of a cavalier
> attitude.
I think you're
Matt Jolly wrote:
> Hi Eddie,
>
> On 31/3/24 21:13, Eddie Chapman wrote:
>
>> At the moment there is far too much of
>> a cavalier attitude about the whole thing being shown by too many,
>> including here I'm sad to see.
>
> It's obvious that this is something that you are very worried about, but
Hi Eddie,
On 31/3/24 21:13, Eddie Chapman wrote:
At the moment there is far too much of
a cavalier attitude about the whole thing being shown by too many,
including here I'm sad to see.
It's obvious that this is something that you are very worried about, but
I think that you need to take a
On 2024-03-31 01:33, Eli Schwartz wrote:
On 3/29/24 11:07 PM, Eddie Chapman wrote:
Given what we've learnt in the last 24hrs about xz utilities, you
could
forgive a paranoid person for seriously considering getting rid
entirely
of them from their systems, especially since there are suitable
Eli Schwartz wrote:
> On 3/29/24 11:07 PM, Eddie Chapman wrote:
>
>> Given what we've learnt in the last 24hrs about xz utilities, you could
>> forgive a paranoid person for seriously considering getting rid
>> entirely of them from their systems, especially since there are suitable
>>
On 3/30/24 11:17 AM, Eddie Chapman wrote:
> Yes that's a very good point, that was something I was wondering in
> weighing up both sides, what the costs would be practically, as I don't
> know the realities of running Gentoo infrastructure. And maybe the costs
> is just too high of a price to pay.
On 3/29/24 11:07 PM, Eddie Chapman wrote:
> Given what we've learnt in the last 24hrs about xz utilities, you could
> forgive a paranoid person for seriously considering getting rid entirely
> of them from their systems, especially since there are suitable
> alternatives available. Some might say
"Eddie Chapman" writes:
> Given what we've learnt in the last 24hrs about xz utilities, you could
> forgive a paranoid person for seriously considering getting rid entirely
> of them from their systems, especially since there are suitable
> alternatives available. Some might say that's a bit
Eddie Chapman wrote:
> Michał Górny wrote:
>
>> On Sat, 2024-03-30 at 14:57 +, Eddie Chapman wrote:
>>
>>
>>> Note, I'm not advocating ripping xz-utils out of tree, all I'm saying
>>> is wouldn't it be nice if there were at least 2 alternatives to
>>> choose from? That doesn't have to be
Rich Freeman wrote:
> On Sat, Mar 30, 2024 at 10:57 AM Eddie Chapman wrote:
>
>> No, this is the the bad actor *themselves* being a
>> principal author of the software, working stealthily and in very
>> sophisticated ways for years, to manoeuvrer themselves and their
>> software into a position
Eddie Chapman wrote:
> Michał Górny wrote:
>> On Sat, 2024-03-30 at 14:57 +, Eddie Chapman wrote:
>>
>>> Note, I'm not advocating ripping xz-utils out of tree, all I'm saying
>>> is wouldn't it be nice if there were at least 2 alternatives to choose
>>> from? That doesn't have to be disruptive
Michał Górny wrote:
> On Sat, 2024-03-30 at 15:17 +, Eddie Chapman wrote:
>
>> Michał Górny wrote:
>>
>>> On Sat, 2024-03-30 at 14:57 +, Eddie Chapman wrote:
>>>
>>>
Note, I'm not advocating ripping xz-utils out of tree, all I'm
saying is wouldn't it be nice if there were at
On Sat, 2024-03-30 at 15:17 +, Eddie Chapman wrote:
> Michał Górny wrote:
> > On Sat, 2024-03-30 at 14:57 +, Eddie Chapman wrote:
> >
> > > Note, I'm not advocating ripping xz-utils out of tree, all I'm saying
> > > is wouldn't it be nice if there were at least 2 alternatives to choose
>
On Sat, 30 Mar 2024 16:02:25 +0100
Michał Górny wrote:
> On Sat, 2024-03-30 at 14:57 +, Eddie Chapman wrote:
> > Note, I'm not advocating ripping xz-utils out of tree, all I'm
> > saying is wouldn't it be nice if there were at least 2 alternatives
> > to choose from? That doesn't have to be
Michał Górny wrote:
> On Sat, 2024-03-30 at 14:57 +, Eddie Chapman wrote:
>
>> Note, I'm not advocating ripping xz-utils out of tree, all I'm saying
>> is wouldn't it be nice if there were at least 2 alternatives to choose
>> from? That doesn't have to be disruptive in any way, people who wish
On Sat, Mar 30, 2024 at 10:57 AM Eddie Chapman wrote:
>
> No, this is the the bad actor *themselves* being a
> principal author of the software, working stealthily and in very
> sophisticated ways for years, to manoeuvrer themselves and their software
> into a position of trust in the ecosystem
On Sat, 2024-03-30 at 14:57 +, Eddie Chapman wrote:
> Note, I'm not advocating ripping xz-utils out of tree, all I'm saying is
> wouldn't it be nice if there were at least 2 alternatives to choose from?
> That doesn't have to be disruptive in any way, people who wish to continue
> using and
Rich, Duncan, Dale, orbea, you have to admit the situation with xz-utils
is nothing like the typical scenario people usually worry about, where a
bad actor manages to compromise a project and slip something into a widely
used piece of software. No, this is the the bad actor *themselves* being a
On Sat, Mar 30, 2024 at 3:06 AM Dale wrote:
>
> when I got to the part about it not likely to affect Gentoo, my level of
> concern dropped significantly. If this is still true, there's no need to be
> concerned.
"not likely" is the best way to characterize this. The exploit has
not been
orbea wrote:
> On Sat, 30 Mar 2024 03:07:13 -
> "Eddie Chapman" wrote:
>
>> Given what we've learnt in the last 24hrs about xz utilities, you
>> could forgive a paranoid person for seriously considering getting rid
>> entirely of them from their systems, especially since there are
>> suitable
On Sat, 30 Mar 2024 03:07:13 -
"Eddie Chapman" wrote:
> Given what we've learnt in the last 24hrs about xz utilities, you
> could forgive a paranoid person for seriously considering getting rid
> entirely of them from their systems, especially since there are
> suitable alternatives
51 matches
Mail list logo
