Re: [sage-devel] On backdooring open source projects

2024-05-30 Thread Georgi Guninski
On Sat, May 25, 2024 at 10:10 PM Matthias Koeppe wrote:
> This has been merged in 10.4.beta7.
>
Good to see some action :) Here is a short anti-security rant from my experience. To protect something, you need to fix all weaknesses. To break it, an attacker needs only one exploitable weakness.

Re: [sage-devel] On backdooring open source projects

2024-05-25 Thread Matthias Koeppe
On Saturday, April 20, 2024 at 2:13:13 AM UTC-7 Matthias Koeppe wrote: On Thursday, April 18, 2024 at 11:05:52 PM UTC-7 Georgi Guninski wrote: The only sage change I see after the xz drama [] Well, here's one, waiting for review: https://github.com/sagemath/sage/pull/37726 (prepared by

Re: [sage-devel] On backdooring open source projects

2024-04-20 Thread Michael Orlitzky
On Sat, 2024-04-20 at 12:53 -0700, Emmanuel Charpentier wrote:
> Do we have the manpower necessary for such development?
Linux distributions (or e.g. Conda) already do it for us. What we don't have is the manpower to do what we currently do, but *correctly*. The sage distribution sucks.

Re: [sage-devel] On backdooring open source projects

2024-04-20 Thread Emmanuel Charpentier
I’d like to point out that Sage, by its very nature, *is* a large bundle of other people’s packages, offering them a (more or less) unified interface, thus ensuring interoperability. To reuse a simile used in Sage’s initial statements of intent, Sage is a car using many already-prepared

Re: [sage-devel] On backdooring open source projects

2024-04-20 Thread Matthias Koeppe
On Thursday, April 18, 2024 at 11:05:52 PM UTC-7 Georgi Guninski wrote: The only sage change I see after the xz drama [] Well, here's one, waiting for review: https://github.com/sagemath/sage/pull/37726 (prepared by @faisalfakhro; I reviewed and made some minor changes) updates the

Re: [sage-devel] On backdooring open source projects

2024-04-19 Thread Michael Orlitzky
On 2024-04-18 16:04:43, Lorenz Panny wrote:
> >
> > It's also 214 software packages which might, for all we know, at any
> > time be hijacked by The Bad Guys to run arbitrarily malicious code on
> > every Sage user's machine.
> >
> > This is terrifying.
276 now

Re: [sage-devel] On backdooring open source projects

2024-04-19 Thread Georgi Guninski
I think you raise very important concerns. The only sage change I see after the xz drama is @Dima occasionally PGP signing his mails. The more packages you "own", the more developers you own. The more developers you own, the more packages you own. On Thu, Apr 18, 2024 at 5:09 PM Lorenz Panny

Re: [sage-devel] On backdooring open source projects

2024-04-18 Thread Lorenz Panny
This also seems like a good time to reiterate an old comment of mine: https://groups.google.com/g/sage-devel/c/Dq83PiiCAsU/m/RKSpD9_rDQAJ ...pasted below for your convenience. On Tue, 21 Dec 2021 04:04:31 +0100, Lorenz Panny wrote: > On Mon, 20 Dec 2021 14:41:27 +0100, Michael Orlitzky >

[sage-devel] On backdooring open source projects

2024-04-17 Thread Georgi Guninski
If the recent xz backdoor drama didn't induce enough paranoia in you, here is a second chance exception: https://www.theregister.com/2024/04/16/xz_style_attacks_continue/ Open sourcerers say suspected xz-style attacks continue to target maintainers Social engineering patterns spotted across