Post B2fUvRmB2Ru4QJU8ae by Suiseiseki@freesoftwareextremist.com
Post #B2fMUaAOw14WzjUjbM by mjg59@nondeterministic.computer
2026-01-26T04:46:56Z
4 likes, 3 repeats
The presumption that free software is sufficient or necessary to ensure all software you depend on is trustworthy is simultaneously naive and ignorant of what software is capable of. The only realistic way to develop trust in software is to trust the people who write it, and development processes associated with free software make that trust easier.
Post #B2fMUpw6Ix8ju0vXX6 by mjg59@nondeterministic.computer
2026-01-26T04:49:45Z
0 likes, 0 repeats
But merely being free software isn't sufficient - software developed in a way that prevents arbitrary observers from witnessing design conversations may still be free software, but doesn't give us a strong reason to trust the developers. We all know how easy it is to hide dubious code in the open. The libxz backdoor was discovered by examining the binary and tracking that back to the source, not through source examination.
Post #B2fUvRmB2Ru4QJU8ae by Suiseiseki@freesoftwareextremist.com
2026-01-26T06:26:55.661288Z
0 likes, 0 repeats
@mjg59 If it's proprietary software, it's most likely proprietary malware. If it's actually free software, it's most likely not malware.
> We all know how easy it is to hide dubious code in the open.
The libxz/libsystemd backdoor source code was not published - it was included as proprietary software without source code in the release archive - but it happened to be discovered early during execution. Maybe an enhanced generic version of deblob-check would be useful.
Post #B2fWDzQuk0F5yXwfmy by mjg59@nondeterministic.computer
2026-01-26T06:29:07Z
0 likes, 0 repeats
@Suiseiseki No, nobody is checking whether something that appears to be test data is free software or not. That's not a thing anyone has ever done.
Post #B2fWE0YkYM6XT8cRdo by Suiseiseki@freesoftwareextremist.com
2026-01-26T06:41:27.593716Z
0 likes, 0 repeats
@mjg59 The tests in deblob-check will check for test data and report them. Obviously one would need to manually check the test data and see if it's free software. For test data in Linux, deblob-check has reported it and it has been manually confirmed that such test data is proprietary and such therefore has been removed in Linux-libre.
Post #B2fX5086shHLU5QZKS by mjg59@nondeterministic.computer
2026-01-26T06:42:08Z
0 likes, 0 repeats
@Suiseiseki Have you run it against the compromised xz repo? What would manual checking have told you?
Post #B2fX51O6Cjf9NxuqtE by Suiseiseki@freesoftwareextremist.com
2026-01-26T06:51:02.348579Z
0 likes, 0 repeats
@mjg59 No, as I can't be bothered - I don't use systemd. Assuming the backdoor part was disguised in an array of numbers, manual checking with cpu_rec or whatever would have uncovered that such is CPU instructions.
Post #B2fZcSFPYpWq9dvF0y by mjg59@nondeterministic.computer
2026-01-26T06:52:22Z
0 likes, 0 repeats
@Suiseiseki No, it wouldn't, because it was encrypted. Please try to ensure you know what you're talking about before talking.
Post #B2fZcTXWkxc8A7PDtI by mjg59@nondeterministic.computer
2026-01-26T06:56:19Z
0 likes, 0 repeats
@Suiseiseki "Ah but why would test data be encrypted we could tell the difference because of the entropy" no, you couldn't, because the test data in question was supposed to be malformed compressed data and good compression and good encryption result in equivalent levels of entropy
Post #B2fZcUP3XwQqq8RyKG by Suiseiseki@freesoftwareextremist.com
2026-01-26T07:19:26.676529Z
0 likes, 0 repeats
@mjg59 I'm not talking, I'm writing. Turns out that in that specific case, it could be hidden as compressed data that didn't look out of place. For test data that is compressed, the way to test it is to decompress it and see what it contains - of course you should be wary if you can't figure out how to decompress it (although that is extremely common to occur for compressed formats that don't use headers).
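The two claims above (that well-compressed and encrypted bytes have indistinguishable entropy, and that the only real check on compressed test data is to decompress and inspect it) as an added example that is not part of any post in this thread. It builds a constructed plaintext, compresses it with xz/LZMA, produces ciphertext-like bytes with a toy SHA-256 counter-mode keystream (a stand-in for a real cipher, not a secure construction), and shows that the byte-entropy heuristic cannot tell the two apart, while a decompression check rejects both ciphertext and a deliberately truncated xz stream without saying which is which.

```python
import hashlib
import lzma
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum, uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def constructed_plaintext(n_words: int, seed: int = 1) -> bytes:
    """Constructed sample input: repetitive text that compresses well."""
    rng = random.Random(seed)
    words = ["test", "data", "xz", "stream", "block", "free", "software", "lzma"]
    return " ".join(rng.choice(words) for _ in range(n_words)).encode()


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256(key || counter) keystream.
    Only used to obtain ciphertext-like bytes; not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def decompresses(blob: bytes) -> bool:
    """The check from the thread: try to decompress and inspect the result.
    Ciphertext and malformed xz test data both fail here, identically."""
    try:
        lzma.decompress(blob, format=lzma.FORMAT_XZ)
        return True
    except lzma.LZMAError:
        return False


def compare(n_words: int = 20000) -> dict:
    """Entropy of plaintext vs. its xz-compressed and encrypted forms."""
    plain = constructed_plaintext(n_words)
    compressed = lzma.compress(plain, format=lzma.FORMAT_XZ)
    encrypted = keystream_xor(plain, b"constructed-key")
    return {
        "plain": shannon_entropy(plain),
        "compressed": shannon_entropy(compressed),
        "encrypted": shannon_entropy(encrypted),
        "compressed_ok": decompresses(compressed),
        "encrypted_ok": decompresses(encrypted),
        "truncated_ok": decompresses(compressed[:-16]),
    }
```

Run `compare()` to see the plaintext well below 8 bits/byte and the compressed and encrypted blobs both close to 8, with only the intact xz stream passing the decompression check.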
Post #B2fZjNbDF2s7lUQD3Y by mjg59@nondeterministic.computer
2026-01-26T04:51:30Z
2 likes, 0 repeats
Frankly: binaries are the thing that executes on your system and embody the truth of software behaviour, and with modern technology it's often *easier* to determine that truth through the binary than through the source code (throw the "login" app from Reflections on Trusting Trust into Ghidra and you'd learn the truth even if the source code wouldn't tell you that)
Post #B2fZjWhDQ61NyiIdA8 by mjg59@nondeterministic.computer
2026-01-26T04:53:50Z
1 likes, 0 repeats
I believe that free software is vital. People should have control over everything that executes on their system. But let's not kid ourselves - even someone running linux-libre on a machine with open firmware on a custom fabbed RISC-V with no microcode hasn't verified every line of code they execute, and nor has the community as a whole
Post #B2fZjfVqdjHBK43BC4 by mjg59@nondeterministic.computer
2026-01-26T04:57:06Z
0 likes, 0 repeats
At some point we have to trust that other humans won't just lie to us - and that's true whether the software is free or proprietary. Debian could modify mirrors to push a backdoored package to a specific IP address, but the people with the ability to do that are well known to the community and we trust that they wouldn't. That's not a function of Debian being free software - that's a function of an open community
Post #B2fZjnvfLcgJQSBuXw by mjg59@nondeterministic.computer
2026-01-26T04:58:30Z
2 likes, 0 repeats
Build communities. Find people you trust and place more faith in their recommendations. Don't trust anyone who says there's a magical solution here.
Post #B2fZjwXXKhjC8DyGga by mjg59@nondeterministic.computer
2026-01-26T05:00:11Z
1 likes, 0 repeats
(And for the love of God ignore anyone who's telling you not to use Signal right now, every alternative is meaningfully worse for the vast majority of people)
Post #B2fxjvKaE2fnHYR5CS by mjg59@nondeterministic.computer
2026-01-26T08:56:14Z
0 likes, 0 repeats
@lil5 Cool what do you think people on the street are carrying because it's not a fucking laptop
Post #B2fxjx5lg60ikBWHNw by wolf480pl@mstdn.io
2026-01-26T11:49:42Z
0 likes, 0 repeats
@mjg59 crazy idea: @lil5 can use XMPP and deltachat even if the vast majority of people don't