[Hacker News repost] Xz: Can you spot the single character that disabled Linux Landlock?
-
Title: Xz: Can you spot the single character that disabled Linux landlock?
Text:
Url: https://git.tukaani.org/?p=xz.git;a=blobdiff;f=CMakeLists.txt;h=d2b1af7ab0ab759b6805ced3dff2555e2a4b3f8e;hp=76700591059711e3a4da5b45cf58474dac4e12a7;hb=328c52da8a2bbb81307644efdb58db2c422d9ba7;hpb=eb8ad59e9bab32a8d655796afd39597ea6dcc64d
Post by: dhx
Comments:
dhx: Answer: https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd14dedfe63833f8ccbe41b55823b00

Description of Linux's Landlock access control system if you are not familiar with it: https://docs.kernel.org/userspace-api/landlock.html

xz official (maybe...) incident response page: https://tukaani.org/xz-backdoor/
rossjudson: There I am, scanning carefully, and I see a period where one clearly should not be. "This wasn't so hard", I said to myself.
I poked my screen, and the period moved.
Curse you, monitor dust particle.
fcanesin: Geez, his last commit is making security reports worse: https://git.tukaani.org/?p=xz.git;a=commitdiff;h=af071ef7702debef4f1d324616a0137a5001c14c;hp=0b99783d63f27606936bb79a16c52d0d70c0b56f
CGamesPlay: On an unrelated note, this malware team has assembled a great dataset for training AIs on identifying security problems. Every commit has some security problem, and the open source community will be going through and identifying them. (Thanks, maintainers, for the cleanup work; definitely not fun!)
karmakaze: I can't believe that system security is dependent on such a loose chain of correctness. Any number of things could have stopped this.

    + # A compile check is done here because some systems have
    + # linux/landlock.h, but do not have the syscalls defined
    + # in order to actually use Linux Landlock.
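Review bot: the added comment says why a compile probe is used but not what happens when the probe fails; since any compile failure of the probe source (missing syscall numbers, or a typo in the probe itself) results in Landlock being silently left out of the build, state that fallback in the comment and have the configure step report it, for example with `message(WARNING "Landlock sandbox disabled: probe failed to compile")`, so a builder can tell a missing feature from a broken probe.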
Fix those headers on those systems to explicitly opt-out. What's the point of headers if they don't declare their capabilities?

Also why isn't there a single test after a binary blob (even when compiled from open source) is made to ensure security is intact?

I wouldn't even ship a website checkout without end-to-end tests for core capabilities. There must be a priority misalignment of adding features > stability.

Edit: I hope the 'fix' isn't to remove the '.'-- I just saw the other post on HN that shows removing the '.'
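As an added example (constructed here, not the xz project's own CMakeLists.txt), the following CMake fragment shows the silent-fallback pattern discussed above beside a version in which a sandbox the builder explicitly asked for cannot be quietly dropped when its compile probe fails. The result variable HAVE_LINUX_LANDLOCK and the cache option ENABLE_SANDBOX are assumed names.

```cmake
# Constructed example; not code from the xz repository.
include(CheckCSourceCompiles)

# Minimal Landlock probe: does <linux/landlock.h> exist and are the
# syscall numbers defined?  check_c_source_compiles() cannot tell a
# probe that fails because the feature is absent from one that fails
# because the probe source itself is broken (a stray character is
# enough): both simply leave HAVE_LINUX_LANDLOCK false.
check_c_source_compiles("
    #include <linux/landlock.h>
    #include <sys/syscall.h>
    int main(void) {
        (void)SYS_landlock_create_ruleset;
        (void)SYS_landlock_restrict_self;
        (void)LANDLOCK_CREATE_RULESET_VERSION;
        return 0;
    }
" HAVE_LINUX_LANDLOCK)   # assumed variable name

# Weak pattern: a failed probe silently produces an unsandboxed build.
if(HAVE_LINUX_LANDLOCK)
    add_compile_definitions(HAVE_LINUX_LANDLOCK=1)
endif()

# Hardened pattern: the builder states which sandbox they expect.
# "auto" keeps the old behaviour but says so out loud; "landlock"
# turns a failed probe into a configure error instead of a downgrade.
set(ENABLE_SANDBOX "auto" CACHE STRING
    "Sandbox to require: auto, landlock, or none")   # assumed option name

if(ENABLE_SANDBOX STREQUAL "landlock" AND NOT HAVE_LINUX_LANDLOCK)
    message(FATAL_ERROR
        "Landlock sandbox was requested but its compile probe failed. "
        "Read the compiler output in CMake's configure log: on a system "
        "that has Landlock, this means the probe is broken, not that "
        "the feature is missing.")
elseif(ENABLE_SANDBOX STREQUAL "auto" AND NOT HAVE_LINUX_LANDLOCK)
    message(WARNING "Landlock probe failed; building WITHOUT a sandbox.")
elseif(HAVE_LINUX_LANDLOCK)
    message(STATUS "Landlock sandbox enabled")
endif()
```

Building with `cmake -DENABLE_SANDBOX=landlock` then fails loudly at configure time rather than producing a binary whose sandbox has quietly gone missing, which is the kind of end-to-end check the comment above asks for.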
-