for example, on a linux distro, we could modify the desktop environment and make it waaaaay lighter by getting rid of jpg or png icons and just using pure svg on it.

this has largely happened; if you’re on a dpkg-based distro try running this command:

dpkg -S svg | grep svg$ | sort

…and you’ll see that your distro includes thousands of SVG files :)

Reading just those quotes alone, or skimming the article and searching for “CIA”, can give an incorrect impression that Sharp’s affiliation with the Central Intelligence Agency was more overt than it actually was.

Just to clarify: the “CIA at Harvard” it’s referring to is actually an [independent, totally-not-CIA™, founded by Henry Kissinger] organization which was then called the Center for International Affairs at Harvard (which was originally actually abbreviated “CIA”, according to Howard J. Wiarda’s book about it, but later was called “CFIA” and today is the WCFIA).

Here is the paragraph where it is first introduced in the article:

In the mid-1960s, Thomas Schelling, a Nobel Prize-winning nuclear theorist, recruited 29-year-old Sharp to join the Center for International Affairs at Harvard, bastion of the high Cold War defense, intelligence, and security establishment. Leading the so-called “CIA at Harvard” were Henry Kissinger, future National Security Advisor McGeorge Bundy, and future CIA chief Robert Bowie. Sharp held this appointment for thirty years. There, with Department of Defense funds, he developed his core theory of nonviolent action: a method of warfare capable of collapsing states through theatrical social movements designed to dissolve the common will that buttresses governments, all without firing any shots. From his post at the CIA at Harvard, Sharp would urge U.S. and NATO defense leadership to use his methods against the Soviet Union.

Change Agent: Gene Sharp’s Neoliberal Nonviolence

A ctrl-d does nothing on a non-empty line.

ctrl-d actually is flushing the buffer regardless of if the line is empty or not.

See my other comment for how you can observe it.

Note: for readers who aren’t aware, the notation ^X means hold down the ctrl key and type x (without shift).

ctrl-a though ctrl-z will send ASCII characters 1 through 26, which are called control characters (because they’re for controling things, and also because you can type them by holding down the control key).

^D is the EOF character.

$ stty -a | grep eof
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
$ man stty |grep -A1 eof |head -n2
       eof CHAR
              CHAR will send an end of file (terminate the input)

Nope, Chuck Testa: there is no EOF character. Or, one could also say there is an EOF character, but which character it is can be configured on a per-tty basis, and by default it is configured to be ^D - which (since “D” is the fourth letter of the alphabet) is ASCII character 4, which (as you can see in man ascii) is called EOT or “end of transmission”.

What that stty output means is that ^D is the character specified to trigger eof. That means this character is intercepted (by the kernel’s tty driver) and, instead of sending the character to the process reading standard input, the tty “will send an end of file (terminate the input)”.

By default eof is ^D (EOT), a control character, but it can be set to any character.

For instance: run stty eof x and now, in that terminal, “x” (by itself, without the control key) will be the EOF character and will behave exactly as ^D did before. (The rest of this comment assumes you are still in a normal default terminal where you have not done that.)

But “send an end of file” does not mean sending EOT or any other character to the reading process: as the blog post explains, it actually (counterintuitively) means flushing the buffer - meaning, causing the read syscall to return with whatever is in the buffer currently.

It is confusing that this functionality is called eof, and the stty man page description of it is even more so, given that it (really!) does actually flush the contents of the buffer to read - even if the line buffer is not empty, in which case it is not actually indicating end-of-file!

You can confirm this is happening by running cat and typing a few characters and then hitting ^D, and then typing more, and hitting ^D again. (Each time you flush the buffer, cat will immediately echo the latest characters that had been buffered, even though you have not hit enter yet.)

Or, you can pipe cat into pv and see that ^D also causes pv to receive the buffer contents prior to hitting enter.

I guess unix calls this eof because this function is most often used to flush an empty buffer, which is how you “send an end of file” to the reader.

The empty-read-means-EOF semantics are documented, among other places, in the man page for the read() syscall (man read):

RETURN VALUE
      On success, the number of bytes read is returned (zero indicates end of
      file), and the file position is advanced by this number.

If you want to send an actual ^D (EOT) character through to the process reading standard input, you can escape it using the confusingly-named lnext function, which by default is bound to the ^V control character (aka SYN, “synchronous idle”, ASCII character 22):

$ man stty|grep lnext -A1
       * lnext CHAR
              CHAR will enter the next character quoted
$ stty -a|grep lnext
werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;

Try it: you can type echo " and then ctrl-V and ctrl-D and then "|xxd (and then enter) and you will see that this is sending ascii character 4.

You can also send it with echo -e '\x04'. Note that the EOT character does not terminate bash:

$ echo -e '\x04\necho see?'|xxd
00000000: 040a 6563 686f 2073 6565 3f0a            ..echo see?.
$ echo -e '\x04\necho see?'|bash
bash: line 1: $'\004': command not found
see?

As you can see, it instead interprets it as a command.

$ echo -e '#!/bin/bash\necho lmao' > ~/.local/bin/$(echo -en '\x04')
$ chmod +x ~/.local/bin/$(echo -en '\x04')
$ echo -e '\x04\necho see?'|bash
lmao
see?

[email protected] is the more active of the two lemmy communities about it

sure. first, configure sudo to be passwordless, or perhaps just to stay unlocked for longer (it’s easy to find instructions for how to do that).

then, put this in your ~/.bashrc:

alias sudo='echo -n "are you sure? "; for i in $(seq 5); do echo -n "$((6 - $i)) "; sleep 1; done && echo && /usr/bin/sudo '

Now “sudo” will give you a 5 second countdown (during which you can hit ctrl-c if you change your mind) before running whatever command you ask it to.

here are some related issues:

• https://github.com/LemmyNet/lemmy/issues/833 Option to disable notifications for a specific post - this was closed in favor of #1883
• https://github.com/LemmyNet/lemmy/issues/1883 Add settings to disable comment, mention, and private message notifications - here @[email protected] commented “We already have one for post notifs” but i don’t see where that exists 🤔
• https://github.com/LemmyNet/lemmy/issues/3042 Add a “disable inbox replies” option of posts and comments

to answer this question: if you’re on a dpkg-based system, check /var/log/dpkg.log (or /var/log/dpkg.log.2.gz to get logs from January, if your system rotates them once a month).

Nice post, but your title is misleading: the blog post is actually titled “Supply Chain Attacks on Linux distributions - Overview” - the word “attacks” as used here is a synonym for “vulnerabilities”. It is not completely clear from their title if this is going to be a post about vulnerabilities being discovered, or about them actually being exploited maliciously, but the latter is at least not strongly implied.

This lemmy post however is titled (currently, hopefully OP will retitle it after this comment) “Supply Chain Attack found in Fedora’s Pagure and openSUSE’s Open Build Service”. edit: @OP thanks for changing the title!

Adding the word “found” (and making “Attack” singular) changes the meaning: this title strongly implies that a malicious party has actually been detected performing a supply chain attack for real - which is not what this post is saying at all. (It does actually discuss some previous real-world attacks first, but it is not about finding those; the new findings in this post are vulnerabilities which were never attacked for real.)

I recommend using the original post title (minus its “Overview” suffix) or keeping your more verbose title but changing the word “Attack” to “Vulnerabilities” to make it clearer.

TLDR: These security researchers went looking for supply chain vulnerabilities, and found several bugs in two different systems. After responsibly disclosing them, they did these (very nice and accessible, btw - i recommend reading them) writeups about two of the bugs. The two they wrote up are similar in that they both involve going from being able to inject command line arguments, to being able to write to a file, to being able to execute arbitrary code (in a context which would allow attackers to perform supply chain attacks on any software distributed via the targeted infrastructure).

it’s 2025 now but otherwise yeah

Fuck this project, but… their source code can be free and open source even if they distribute binaries which aren’t. (Which they can do if they own the copyright, and/or if it is under a permissive non-copyleft FOSS license.)

And if the source code is actually FOSS, and many people actually want to use it, someone else will distribute FOSS binaries without this stupid EULA. So, this BS is still much better than a non-FOSS license like FUTO’s.

cross-post of my comment elsewhere:

I immediately knew this was going to be from Microsoft users, and yeah… of course, it is.

Binaries distributed under this EULA do not meet the free software definition or open source definition.

However, unlike most attempts to dilute the concept of open source, since the EULA is explicitly scoped to binaries and says it is meant to be applied to projects with source code that is released under an OSI-approved license, I think the source code of projects using this do still meet the open source definition (as long as the code is actually under such a license). Anyone/everyone should still be free to fork any project using this, and to distribute free binaries which are not under this EULA.

This EULA obviously cannot be applied to projects using a copyleft license, unless all contributors to it have dual-licensed their contributions to allow (at least) the entity that is distributing non-free binaries under this EULA to do so.

I think it is extremely short-sighted to tell non-paying “consumers” of an open source project that their bug reports are not welcome. People who pay for support obviously get to heavily influence which bugs get priority, but to tell non-paying users that they shouldn’t even report bugs is implicitly communicating that 2nd and 3rd party collaboration on fixing bugs is not expected or desired.

A lot of Microsoft-oriented developers still don’t understand the free software movement, and have been trying to twist it into something they can comprehend since it started four decades ago. This is the latest iteration of that; at least this time they aren’t suggesting that people license their source code under non-free licenses.

I immediately knew this was going to be from Microsoft users, and yeah… of course, it is.

Binaries distributed under this EULA do not meet the free software definition or open source definition.

However, unlike most attempts to dilute the concept of open source, since the EULA is explicitly scoped to binaries and says it is meant to be applied to projects with source code that is released under an OSI-approved license, I think the source code of projects using this do still meet the open source definition (as long as the code is actually under such a license). Anyone/everyone should still be free to fork any project using this, and to distribute free binaries which are not under this EULA.

This EULA obviously cannot be applied to projects using a copyleft license, unless all contributors to it have dual-licensed their contributions to allow (at least) the entity that is distributing non-free binaries under this EULA to do so.

I think it is extremely short-sighted to tell non-paying “consumers” of an open source project that their bug reports are not welcome. People who pay for support obviously get to heavily influence which bugs get priority, but to tell non-paying users that they shouldn’t even report bugs is implicitly communicating that 2nd and 3rd party collaboration on fixing bugs is not expected or desired.

A lot of Microsoft-oriented developers still don’t understand the free software movement, and have been trying to twist it into something they can comprehend since it started four decades ago. This is the latest iteration of that; at least this time they aren’t suggesting that people license their source code under non-free licenses.

(source)

what makes someone think it’s a good idea to post jpeg with a mixture of barely-readable and almost-readable text, here, in this community of all places, with no link to the full res version and no information about the source?

smh my head

I didn’t know red hat was working for the US government. Can you tell me in what way?

tldr: https://www.redhat.com/en/solutions/public-sector/dod

see also: https://web.archive.org/web/20240530005438/https://www.redhat.com/en/resources/israeli-defense-forces-case-study

Various documents in (what wikipedia now calls) the “2010s global surveillance disclosures” showed that many components of NSA (and other Five Eyes partners) infrastructure is run on RedHat Enterprise Linux.

According to a 2008 study by the Office of the Director of National Intelligence, private contractors make up 29% of the workforce in the United States Intelligence Community and cost the equivalent of 49% of their personnel budgets. RedHat is part of that industry.

It’s often illuminating to search a company’s job listings for words like “clearance”. There are currently only eight listings for that query at RedHat but sometimes they have many more. Here (archive) is a current one. Here is another one archived last year.

I wonder how much work is entailed in transforming Fedora in to a distro that meets some definition of the word “Sovereign” 🤔

Personally I wouldn’t want to make a project like this be dependent on the whims of a US defense contractor like RedHat/IBM, especially after what happened with CentOS.