Buah, eh... by the time the TypeScript ran the way I had to have it for WebComponents, it had taken me forever to search for libraries, and I hadn't even started writing the code tests yet… 🤦♂️🤷♂️
Here's a Flatpak story: The other day, my best friend told me that he had switched to Linux! Arch Linux with KDE Plasma, a noble choice in my opinion. He's a smart guy, but he was having some issues that he couldn't figure out: Firefox's maximise and minimise buttons were missing, drag and drop from archives wasn't working, his selected theme wasn't applied everywhere, and many other small issues I can't remember now.
I tried reproducing his issues on my machine, but everything worked fine for me. We were confused. Were there missing libraries? We went through packages to find out what my system had that his didn't. It was weird: everything was kinda working, but the devil was always in the details, for every single app.
And then we found it: All those applications he had issues with were Flatpaks! He simply didn't pay attention when installing them through the Discover store. He didn't even know what Flatpak meant.
I helped him remove Flatpak from his system and install the system packages instead, and all issues were gone.
Man, Flatpaks suck. How does anyone prefer Flatpaks over system packages? How does anyone think this was a good idea? Stop trying to invent new things to solve old problems and instead go back and fix the problems.
Containers, Flatpak, Immutable distros, it's all wasted effort. There is no magical solution that will solve all our problems. The only way to solve all problems is by solving each problem individually one by one. And that is exactly what countless distribution and package maintainers are doing on your behalf every single day.
We have byte-by-byte reproducible builds of everything at Polar Signals, including container images. We just migrated from podman to buildkit, and it looks like producing provenance information includes build times, ultimately breaking reproducibility. Is there any way to fix this?
Run your own #kubernetes cluster on #raspberrypi's they said, it will be fun they said. So now once every blue moon there is a leader change in the middle of a #terraform apply 🤣
I've found the border between what should be part of IaC and what should be service deployment operations to still be somewhat blurred.
Although I think containers are probably here to stay (likely in an even more "invisible" format), the whole orchestration system is too complex and still looking for itself, just like serverless.
Ever worked on #nodejs projects locally and wished for a more standardized, production-like experience for your team? Try @ddev! I walk you through setting your local up with #docker #containers in my latest article on @lullabot
There's a huge backdoor (#CVE-2024-3094) allowing remote SSH access (as far as I can tell at this moment) caused by a util called #xz affecting a ton of systems (#Linux and #macOS, well not really) and it's causing quite a huge panic. I honestly don't know much about it just yet, but just sharing some pieces to read about the huge vulnerability.
The person who had maliciously planted this vulnerability into xz-utils, Jia Tan, has made at least 750 contributions to the project over the past 2 years. They even have direct push access to the code repo, allowing them to have pushed commits with forged authors. Being "free" from this vulnerability is not as simple as reverting to a previous version due to just how much and how long they've contributed to the project, and people are rightfully suspicious that this person might have hidden other backdoors in xz.
Unlike most other vulnerabilities, it's a lot harder to pinpoint the versions affected by this, but the most likely case is that most systems out there have an xz installed that is impacted - which, at this moment, the info being thrown around says is any version past 5.3.1, 5.4.6, or 5.6.0 (latest is 5.6.1).
As far as I can tell, you're only impacted by this vulnerability if:
Your distro sources/packages xz from their release tarballs rather than through the Git source directly.
The payload was only included for the #RPM or #DEB packaging, so unless your distro uses these - you're probably safe.
As far as I can tell, it also only affects x86 systems so #ARM based systems should be fine.
As far as I can tell, your system needs to be running #systemd to be impacted by this, so #Docker/#Podman #containers should mostly if not entirely be fine....? maybe.
In other news, people are currently investigating and evaluating other projects also actively contributed to by the compromised developer, Jia Tan, including #libarchive.
People are also analysing the dev's commit history to deduce their background from their activity lol. They've been found to push commits during office hours Mon-Fri, every other Saturday, and presumably on public holidays that seem to align with China's PH, and they seem to be on a GMT+8 locale.
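A small triage script for the xz situation described in the posts above, added here as an example (it is not part of the original posts). It assumes, from the public advisory for CVE-2024-3094, that the affected XZ Utils releases are 5.6.0 and 5.6.1 (the post's own version list is muddled), that `xz --version` prints a first line of the form `xz (XZ Utils) <version>`, and that the widely circulated "does sshd link liblzma?" check via `ldd` is a useful exposure indicator rather than proof of compromise. The sample banners are constructed for the dry run.

```shell
#!/bin/sh
# Added example: defender-side triage for CVE-2024-3094 (xz/liblzma backdoor).
# Assumption: the affected upstream releases are 5.6.0 and 5.6.1.
AFFECTED_XZ_VERSIONS="5.6.0 5.6.1"

# Return 0 if the given version string is one of the affected releases.
is_affected_xz_version() {
  for v in $AFFECTED_XZ_VERSIONS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Pull the version number out of the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if the line does not match.
xz_version_from_banner() {
  printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Classify a banner as "affected", "not-affected" or "unknown" (unparseable).
classify_xz_banner() {
  ver=$(xz_version_from_banner "$1")
  if [ -z "$ver" ]; then
    echo unknown
  elif is_affected_xz_version "$ver"; then
    echo affected
  else
    echo not-affected
  fi
}

# Does the sshd binary on this host link liblzma? Prints "yes", "no" or "no-sshd".
# "yes" only means the exposure path discussed for this CVE exists on the host;
# it does not by itself mean the host is running a backdoored build.
sshd_links_liblzma() {
  sshd_path=$(command -v sshd 2>/dev/null)
  if [ -z "$sshd_path" ]; then
    echo no-sshd
    return
  fi
  if ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
    echo yes
  else
    echo no
  fi
}

# Constructed sample banners (not captured from a real host) for a dry run.
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

main() {
  echo "sample 5.6.1 banner: $(classify_xz_banner "$SAMPLE_BAD")"
  echo "sample 5.4.6 banner: $(classify_xz_banner "$SAMPLE_OK")"
  if command -v xz >/dev/null 2>&1; then
    echo "local xz:            $(classify_xz_banner "$(xz --version 2>/dev/null)")"
  else
    echo "local xz:            not installed"
  fi
  echo "sshd links liblzma:  $(sshd_links_liblzma)"
}

main
```

Run it as a normal user on any Linux host; on a host where `xz` is absent or `sshd` is not installed it reports that instead of failing. The version list is deliberately a fixed allow-list of known-bad releases rather than a "newer than X" comparison, so the script does not flag the unaffected 5.4.x line the way the post's "any version past 5.3.1, 5.4.6" wording would.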