Reading just those quotes alone, or skimming the article and searching for “CIA”, can give an incorrect impression that Sharp’s affiliation with the Central Intelligence Agency was more overt than it actually was.

Just to clarify: the “CIA at Harvard” it’s referring to is actually an [independent, totally-not-CIA™, founded by Henry Kissinger] organization which was then called the Center for International Affairs at Harvard (which was originally actually abbreviated “CIA”, according to Howard J. Wiarda’s book about it, but later was called “CFIA” and today is the WCFIA).

Here is the paragraph where it is first introduced in the article:

In the mid-1960s, Thomas Schelling, a Nobel Prize-winning nuclear theorist, recruited 29-year-old Sharp to join the Center for International Affairs at Harvard, bastion of the high Cold War defense, intelligence, and security establishment. Leading the so-called “CIA at Harvard” were Henry Kissinger, future National Security Advisor McGeorge Bundy, and future CIA chief Robert Bowie. Sharp held this appointment for thirty years. There, with Department of Defense funds, he developed his core theory of nonviolent action: a method of warfare capable of collapsing states through theatrical social movements designed to dissolve the common will that buttresses governments, all without firing any shots. From his post at the CIA at Harvard, Sharp would urge U.S. and NATO defense leadership to use his methods against the Soviet Union.

A ctrl-d does nothing on a non-empty line.

ctrl-d actually is flushing the buffer regardless of if the line is empty or not.

See my other comment for how you can observe it.

Note: for readers who aren’t aware, the notation ^X means hold down the ctrl key and type x (without shift).

ctrl-a though ctrl-z will send ASCII characters 1 through 26, which are called control characters (because they’re for controling things, and also because you can type them by holding down the control key).

^D is the EOF character.

$ stty -a | grep eof
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
$ man stty |grep -A1 eof |head -n2
       eof CHAR
              CHAR will send an end of file (terminate the input)

Nope, Chuck Testa: there is no EOF character. Or, one could also say there is an EOF character, but which character it is can be configured on a per-tty basis, and by default it is configured to be ^D - which (since “D” is the fourth letter of the alphabet) is ASCII character 4, which (as you can see in man ascii) is called EOT or “end of transmission”.

What that stty output means is that ^D is the character specified to trigger eof. That means this character is intercepted (by the kernel’s tty driver) and, instead of sending the character to the process reading standard input, the tty “will send an end of file (terminate the input)”.

By default eof is ^D (EOT), a control character, but it can be set to any character.

For instance: run stty eof x and now, in that terminal, “x” (by itself, without the control key) will be the EOF character and will behave exactly as ^D did before. (The rest of this comment assumes you are still in a normal default terminal where you have not done that.)

But “send an end of file” does not mean sending EOT or any other character to the reading process: as the blog post explains, it actually (counterintuitively) means flushing the buffer - meaning, causing the read syscall to return with whatever is in the buffer currently.

It is confusing that this functionality is called eof, and the stty man page description of it is even more so, given that it (really!) does actually flush the contents of the buffer to read - even if the line buffer is not empty, in which case it is not actually indicating end-of-file!

You can confirm this is happening by running cat and typing a few characters and then hitting ^D, and then typing more, and hitting ^D again. (Each time you flush the buffer, cat will immediately echo the latest characters that had been buffered, even though you have not hit enter yet.)

Or, you can pipe cat into pv and see that ^D also causes pv to receive the buffer contents prior to hitting enter.

I guess unix calls this eof because this function is most often used to flush an empty buffer, which is how you “send an end of file” to the reader.

The empty-read-means-EOF semantics are documented, among other places, in the man page for the read() syscall (man read):

RETURN VALUE
      On success, the number of bytes read is returned (zero indicates end of
      file), and the file position is advanced by this number.

If you want to send an actual ^D (EOT) character through to the process reading standard input, you can escape it using the confusingly-named lnext function, which by default is bound to the ^V control character (aka SYN, “synchronous idle”, ASCII character 22):

$ man stty|grep lnext -A1
       * lnext CHAR
              CHAR will enter the next character quoted
$ stty -a|grep lnext
werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;

Try it: you can type echo " and then ctrl-V and ctrl-D and then "|xxd (and then enter) and you will see that this is sending ascii character 4.

You can also send it with echo -e '\x04'. Note that the EOT character does not terminate bash:

$ echo -e '\x04\necho see?'|xxd
00000000: 040a 6563 686f 2073 6565 3f0a            ..echo see?.
$ echo -e '\x04\necho see?'|bash
bash: line 1: $'\004': command not found
see?

As you can see, it instead interprets it as a command.

$ echo -e '#!/bin/bash\necho lmao' > ~/.local/bin/$(echo -en '\x04')
$ chmod +x ~/.local/bin/$(echo -en '\x04')
$ echo -e '\x04\necho see?'|bash
lmao
see?

sure. first, configure sudo to be passwordless, or perhaps just to stay unlocked for longer (it’s easy to find instructions for how to do that).

then, put this in your ~/.bashrc:

alias sudo='echo -n "are you sure? "; for i in $(seq 5); do echo -n "$((6 - $i)) "; sleep 1; done && echo && /usr/bin/sudo '

Now “sudo” will give you a 5 second countdown (during which you can hit ctrl-c if you change your mind) before running whatever command you ask it to.

to answer this question: if you’re on a dpkg-based system, check /var/log/dpkg.log (or /var/log/dpkg.log.2.gz to get logs from January, if your system rotates them once a month).

Nice post, but your title is misleading: the blog post is actually titled “Supply Chain Attacks on Linux distributions - Overview” - the word “attacks” as used here is a synonym for “vulnerabilities”. It is not completely clear from their title if this is going to be a post about vulnerabilities being discovered, or about them actually being exploited maliciously, but the latter is at least not strongly implied.

This lemmy post however is titled (currently, hopefully OP will retitle it after this comment) “Supply Chain Attack found in Fedora’s Pagure and openSUSE’s Open Build Service”.

Adding the word “found” (and making “Attack” singular) changes the meaning: this title strongly implies that a malicious party has actually been detected performing a supply chain attack for real - which is not what this post is saying at all. (It does actually discuss some previous real-world attacks first, but it is not about finding those; the new findings in this post are vulnerabilities which were never attacked for real.)

I recommend using the original post title (minus its “Overview” suffix) or keeping your more verbose title but changing the word “Attack” to “Vulnerabilities” to make it clearer.

TLDR: These security researchers went looking for supply chain vulnerabilities, and found several bugs in two different systems. After responsibly disclosing them, they did these (very nice and accessible, btw - i recommend reading them) writeups about two of the bugs. The two they wrote up are similar in that they both involve going from being able to inject command line arguments, to being able to write to a file, to being able to execute arbitrary code (in a context which would allow attackers to perform supply chain attacks on any software distributed via the targeted infrastructure).

it’s 2025 now but otherwise yeah

(source)

I didn’t know red hat was working for the US government. Can you tell me in what way?

tldr: https://www.redhat.com/en/solutions/public-sector/dod

see also: https://web.archive.org/web/20240530005438/https://www.redhat.com/en/resources/israeli-defense-forces-case-study

Various documents in (what wikipedia now calls) the “2010s global surveillance disclosures” showed that many components of NSA (and other Five Eyes partners) infrastructure is run on RedHat Enterprise Linux.

According to a 2008 study by the Office of the Director of National Intelligence, private contractors make up 29% of the workforce in the United States Intelligence Community and cost the equivalent of 49% of their personnel budgets. RedHat is part of that industry.

It’s often illuminating to search a company’s job listings for words like “clearance”. There are currently only eight listings for that query at RedHat but sometimes they have many more. Here (archive) is a current one. Here is another one archived last year.

I wonder how much work is entailed in transforming Fedora in to a distro that meets some definition of the word “Sovereign” 🤔

Personally I wouldn’t want to make a project like this be dependent on the whims of a US defense contractor like RedHat/IBM, especially after what happened with CentOS.

Because Netanyahu doesn’t want to testify at his corruption trial

Yes, that was one reason…

and because the United States has not stopped giving them weapons to carry out this war, regardless of what they did and or who the US president was

and that is another.

But, this article buries the lede about what was probably the most compelling reason for Benjamin Netanyahu in making his decision to murder hundreds of people yesterday and today:

Netanyahu has a deadline: his government must pass a national budget in two weeks, or face the prospect of his government collapsing, triggering new elections.

Returning to war paved the way for Netanyahu to bring his far-right ally Itamar Ben Gvir back inside the coalition and beef up his governing majority. Ben Gvir had quit because of the January ceasefire with Hamas, and returned Tuesday with the resumption of the war.

[…]

The strikes could last at least another two weeks until Israel passes its national budget, giving Netanyahu a stronger position in power and more flexibility to resume a ceasefire, analysts say.

as i said, it “is about to be released”.

or, one could also say that the the 3.0.0 source code has been released, but the official binaries haven’t been yet :)

edit: i see https://flathub.org/apps/org.gimp.GIMP has 3.0.0 now, and from https://testing.gimp.org/downloads/ i see that https://download.gimp.org/gimp/v3.0/linux/GIMP-3.0.0-x86_64.AppImage is also there. presumably https://www.gimp.org/downloads/ will be updated very soon.

StartPage/StartMail is owned by an adtech company who’s website boasts that they “develop & grow our suite of privacy-focused products, and deliver high-intent customers to our advertising partners” 🤔

They have a whitepaper which actually does a good job explaining how end-to-end encryption in a web browser (as Tuta, Protonmail, and others do) can be circumvented by a malicious server:

The malleability of the JavaScript runtime environment means that auditing the future security of a piece of JavaScript code is impossible: The server providing the JavaScript could easily place a backdoor in the code, or the code could be modified at runtime through another script. This requires users to place the same measure of trust in the server providing the JavaScript as they would need to do with server-side handling of cryptography.

However (i am not making this up!) they hilariously use this analysis to justify having implemented server-side OpenPGP instead 🤡

Could anybody in short explain, what I have to understand from “it’s tagged”?

Git is the most popular version control system, which lets developers track changes to software source code. A “tag” applies a name (or version number) to a specific point in the history.

The commit shows that there was a longer with 3.0.0 tag before and now its just 3.0.0

The link goes to a commit which is tagged GIMP_3_0_0, and shows the change made in this commit. This commit happens to change the version line in a file called meson.build - this file configures Meson, which is used to build GIMP. The version is being changed from 3.0.0-RC3+git to 3.0.0. The string “RC3” in the previous version number is short for “release candidate 3”, and “git” here means that there were additional changes since “release candidate 3” was released.

What does that tell us? :D

So far the news and downloads pages still haven’t been updated, but the version being changed to 3.0.0 and this commit being tagged tells us that GIMP 3.0.0 is about to be released: official binaries and an announcement about it can be expected to appear very soon.

The tag means no more changes will be included in 3.0.0; if some show-stopping bug were discovered now, the version number would be incremented to 3.0.1 rather than to include a fix in 3.0.0. (Technically, a tag can be updated/replaced, but by convention it is not.)

The “VP Engineering for Ubuntu” being a NixOS user is hilarious and reminds me of the CEO of Ford saying he’s been driving a Xiaomi EV “for six months now and I don’t want to give it up”.

The fact remains this article is titled in a very clickbaity way

The link is to a youtube video, not an article, so apparently you resisted taking the bait… but aren’t letting your lack of a click prevent you from commenting :)

Tuta’s product is snake oil.

A cryptosystem is incoherent if its implementation is distributed by the same entity which it purports to secure against.

If you don’t care about their (nonstandard, incompatible, and snake oil) end-to-end encryption feature and just want a freemium email provider which (purports to) protect your privacy in other ways, the fact that their flagship feature is snake oil should still be a red flag.

Clickbait. The VP Engineering for Ubuntu made a post that he was looking into using the Rust utils for Ubuntu and has been daily driving them and encouraged others to try

It’s by no means certain this will be done.

Here is that post. It isn’t certain to happen, but he doesn’t only say that he is daily driving them. He says his goal is to make them the default in 25.10:

My immediate goal is to make uutils’ coreutils implementation the default in Ubuntu 25.10, and subsequently in our next Long Term Support (LTS) release, Ubuntu 26.04 LTS, if the conditions are right.

yep. (see my other comment in this thread)

The three currently-maintained engines which (at their feature intersection) effectively define what “the web” is today are Mozilla’s Gecko, Apple’s WebKit, and Google’s Blink.

The latter two are both descended from KHTML, which came from the Konquerer browser which was first released as part of KDE 2.0 in 2000, and thus both are LGPL licensed.

After having their own proprietary engine for over two decades, Microsoft stopped developing it and switched to Google’s fork of Apple’s fork of KDE’s free software web engine.

Probably Windows will replace its kernel with Linux eventually too, for better or worse :)

How else are Chrome, Edge, Brave, Arc, Vivaldi and co getting away with building proprietary layers on top of a copyleft dependency?

They’re allowed to because the LGPL (unlike the normal GPL) is a weak copyleft license.