It’s very hard to compete on quality in leather bags without a reputation and a good bricks and mortar network because online customers have no way to tell the quality and even in person customers probably lack the knowledge - so from the producer's perspective why bother spending more?
ES modules mean you don't need to bundle your code; you just include your index.js in HTML, and all 30,000 JS files of your project come to the user's browser without trouble or delay (let's wish them luck, lol). Since you're bundling, it doesn't matter which module type you use; CJS has worked with code splitting perfectly for over 10 years. However, it's a pain every time you try to import a CJS library in your ESM or vice versa. The truth is, you can't just drop all legacy CJS packages in most real-world projects.
> “all 30,000 JS files of your project come to the user's browser without trouble or delay (let's wish them luck, lol)”
If only there was something in the HTTP protocol to make it more efficient to load multiple requests from the same server. Alas that must be a pipe dream, and every little image and script is loaded separately.
I wonder if trying to account for that would make you look even more risky/fraudulent. E.g. you access the bank portal from a US address but at a similar time you physically use the card in Europe.
It's well known that the IDF refuses to use dismounted infantry to protect their wagons, and that they've turned cities into rubble and given themselves some of the same kind of problems that the Nazis had in Stalingrad.
You'll also find interesting stories in Israeli papers. Rabbis are important to the IDF because the state it is part of is based on religious convictions, and quite often there is no other justification for what they do.
The attacker changed the project's contact details at OSS-Fuzz (an automated detection tool). There’s an interesting discussion as to whether that would have picked up the vulnerability https://github.com/google/oss-fuzz/issues/11760
I don't think it's plausible OSS-Fuzz could have found this. The backdoor required a build configuration that was not used in OSS-Fuzz.
I'm guessing "Jia Tan" knew this and made changes to XZ's use of OSS-Fuzz for the purposes of cementing their position as the new maintainer of XZ, rather than out of worry OSS-Fuzz would find the backdoor as people have speculated.
How many oss-fuzz packages have a Dockerfile that runs apt-get install liblzma-dev first?
Had this not been discovered, the backdoored version of xz could have eventually ended up in the Ubuntu version OSS-Fuzz uses for its Docker image - and linked into all those packages being tested as well.
Except now there's an explanation if fuzzing starts to fail - honggfuzz uses -fsanitize which is incompatible with xz's use of ifunc, so any package that depends on it should rebuild xz from source with --disable-ifunc instead of using the binary package.
This is interesting, but do you think this would have aroused enough suspicion to find the backdoor (after every Ubuntu user was owned by it)? I don't see why this is the case. It wasn't a secret that ifuncs were being used in XZ.
And if that's the case, it was sloppy of "Jia" to disable it in OSS-Fuzz and not do this:
to the XZ source code to fix the false positive and turn off the compilation warning, no attention would have been drawn to this at all since no one would have to change their build script.
With or without this PR, it's very unlikely OSS-Fuzz would have found the bug. OSS-Fuzz also happens to be on Ubuntu 20. I'm not very familiar with Ubuntu release cycles, but I think it would have been a very long time before backdoored packages made their way into Ubuntu 20.
This macOS version only supports models since 2017-19 (depending on product line). Apple don’t really have an excuse compared to Microsoft since they only have a few hardware options.
It’s amusing to compare the comments here to the comments on windows update threads. As nobody else has, let me add the reminder for everyone to switch to <different OS>.
Apart from my 2-year-old corporate laptop, the newest machine in my household is a Lenovo Yoga X390 from 2019, nearly 5 years old. Everything else is between 6 and 15 years old and they are all running a supported OS.