Open Source


All about open source! Feel free to ask questions, and share news, and interesting stuff!

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
551
  • step in and help review a few PRs

  • help the project triage/reproduce bugs

  • if code in the PR looks complicated or is hard to understand, ask for an explanation

  • express your gratitude to the maintainers

  • make your company sponsor projects they depend on

https://mastodon.social/@bagder/112194895793007918

Daniel is the creator of cURL: https://daniel.haxx.se/blog/2021/03/30/howto-backdoor-curl/

552

Upscayl: Free and Open Source AI Image Upscaler

https://www.upscayl.org/

@opensource

553

The Mixxx Board of Directors is pleased to announce plans to acquire the AlphaTheta Corporation (formerly known as Pioneer DJ), Serato Audio Research Ltd. and Native Instruments.

554

The successor of OpenBoard, HeliBoard, finally comes out in 1.0, my favorite open source keyboard out there.

555
556

I read the question and discussion started by @[email protected] and it got me thinking about where Bruce Perens' Post-Open Licence project was at. I missed the news that a first draft has been published.

The announcement from Bruce includes the below summary:

At the link below is the first draft of the Post-Open License. This is not yet the product of a qualified attorney, and you shouldn’t apply it to your own work yet. There isn’t context for this license yet, so some things won’t make sense: for example the license is administered by an entity called the “POST-OPEN ADMINISTRATION” and I haven’t figured out how to structure that organization so that people can trust it. There are probably also terms I can’t get away with legally, this awaits work with a lawyer.

Because the license attempts to handle very many problems that have arisen with Open Source licensing, it’s big. It’s approaching the size of AGPL3, which I guess is a metric for a relatively modern license, since AGPL3 is now 17 years old.

Send comments privately to bruce at perens dot com.

License Text

557

I hate my current solution.

I use notification dictionary and dict.cc, which is obviously not open source. For me, it takes too long just to translate a word or look it up. Do you have a great system?

558
559
560
561

Thought this was a good read exploring some of the "how and why", including several apparent sock puppet accounts that convinced the original dev (Lasse Collin) to hand over the baton.

562

Just a small tool I made to improve my Rust; the GitHub repo can be found here.

I've taken inspiration from Rosettea/bunnyfetch and elenapan's bunnyfetch script.

563

I tried a couple of license finders and I even looked into the OSI database, but I could not find a license that works pretty much like AGPL but requires payment (a combined 1% of revenue per month, spread evenly over all FOSS software, if applicable) if one of these is true:

  • the downstream user makes revenue (as in "is a company" or gets donations)
  • the downstream distributor is connected to a commercial user (e.g. to exclude Google from making a non-profit to circumvent this license)

I ask this because of the backdoor in xz and the obviously rotten situation in billion dollar companies not kicking their fair share back to the people providing this stuff.

So, if something similar exists, feel free to let me know.

Thanks for reading and have a good one.

564

The Xz Backdoor Highlights the Vulnerability of Open Source Software—and Its Strengths

Jason Koebler · Mar 30, 2024 at 3:27 PM

The backdoor highlights the politics, governance, and community management of an ecosystem exploited by massive tech companies and largely run by volunteers.


Friday afternoon, Andres Freund, a software developer at Microsoft, sent an email to a listserv of open source software developers with the subject line “backdoor in upstream xz/liblzma leading to ssh server compromise.” What Freund had stumbled upon was a malicious backdoor in xz Utils, a compression utility used in many major distributions of Linux, that increasingly seems like it was purposefully put there by a trusted maintainer of the open source project. The “xz backdoor” has quickly become one of the most important and most-discussed vulnerabilities in recent memory.

Ars Technica has a detailed writeup of the technical aspects of the backdoor, which intentionally interfered with SSH encryption (SSH is a security protocol that allows secure connections over unsecured networks). The specific technical details are still being debated, but basically, a vulnerability was introduced into a very widely used utility that chains into a type of encryption used by many important internet servers. Luckily, this specific backdoor seems to have been caught before it was introduced into the code of major Linux distributions.

Alex Stamos, the chief trust officer of SentinelOne and a lecturer at Stanford’s Internet Observatory, called the discovery of this backdoor “the most interesting hack of the year.”

This is because the mechanism of the attack highlights both the strengths and weaknesses of open source software and the ecosystem under which open source software is developed, and the extent to which the internet and massive tech companies rely on an ecosystem that is largely run by volunteers.

In this case, the vulnerabilities were introduced by a coder who goes by the name Jia Tan (JiaT75 on GitHub) who was a “maintainer” of the xz Utils codebase, meaning they could make commits (update the software’s code) without oversight from others. Critically, Tan has been one of the maintainers of xz Utils for almost two years and also maintains other critical open source projects. This raises the possibility, of course, that they have always been a bad actor and could have been introducing vulnerabilities into earlier versions of xz Utils and other open source projects.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund wrote in his initial email.

The open source community is now doing a mix of collaborative damage control, soul searching, and infighting over the backdoor, how to respond to it, and what it means for the broader open source ecosystem. The xz backdoor was seemingly caught before it made its way into major Linux distributions, which hopefully means that there will not be widespread damage caused by the backdoor. But it is, at best, a close call that Freund himself said was essentially “accidentally” discovered.

This is all important because huge parts of the internet and software infrastructure rely on free and open source software that is often maintained by volunteer software developers. This has always been a controversial and complicated state of affairs, because big tech companies take this software, use it in their products, and make a lot of money from them. Many of these open source codebases are maintained by a small number of people doing it on a volunteer basis, and many of these projects have complicated politics about who is allowed to be a maintainer and how a project should be maintained and developed. If a trusted maintainer of a critical open source codebase is actually a malicious hacker, vulnerabilities could be introduced into widely used, critical software and chaos could ensue.

Stamos noted that the backdoor “proves what everybody suspected about the supply-chain risks of OSS. Should hopefully drive some serious investment by the companies that profit from open-source to look for back doors using scalable means.”

The backdoor highlights open source software’s strengths and its weaknesses in that, well, everything is happening in the open.

While a malicious maintainer can commit code that introduces a backdoor, the community can also actively analyze the code and trace exactly what was introduced, when it was introduced, who did it, and what the code does. The project can roll back (and is rolling back) its codebase to an earlier release from before the vulnerability was introduced. The coding history and email arguments of that user can be traced over time, and the broader developer community can make educated guesses about how this all happened. As I’m writing this, coders are analyzing Jia Tan’s contributions to other projects and the political discussions on listservs that led to them becoming a trusted maintainer in the first place.

On the open source software security listserv, developers are trying to make sense of what happened, and are debating about how and when the discovery of the vulnerability should have been made public (the discovery was made one day before it was distributed to the broader listserv). Tavis Ormandy, a very famous white hat hacker and security researcher who works for Google, wrote on the listserv, “I would have argued for immediately discussing this in the open.”

“We’re delaying everybody else’s ability to react,” he added. Others argued that making the vulnerability known immediately could have incentivized attackers to exploit the bug, or could have allowed others to do so. On Mastodon, software developers are criticizing Microsoft and GitHub for taking down some of the affected code repositories as people are trying to analyze it.

“Hey, it’s totally cool that Microsoft GitHub blocked access to one of the repositories in the very center of the xz backdoor saga,” Michal Woźniak, a white hat hacker who was part of a team that discovered DRM in a Polish train earlier this year, wrote on Mastodon. “It’s not like a bunch of people are scrambling to try to make sense of all the right now, or that specific commits got linked to directly from media and blogposts and the like. Cool, cool.” Other coders mused that Copilot, a subscription AI coding assistant created by GitHub, could have integrated some of the malicious code into its training data.

All of this discussion and many of these issues are not normally possible when a vulnerability is discovered in closed source software, which is kept private by the company and whose governance is determined by the companies releasing a product. And that’s what makes all of this so interesting. Not only is vulnerability mitigation being managed in public, but so are the culture, politics, supply chain, and economics that govern this type of critically important software.

About the author

Jason is a cofounder of 404 Media. He was previously the editor-in-chief of Motherboard. He loves the Freedom of Information Act and surfing.

565

I use ImageMagick for some things, but this is to recommend to other non-technical users.

A lot of people upload their sensitive files to online converters/compressors, and I'd like to recommend something easier.

Say

  • WebP to PNG to JPEG
  • compressing PDFs, converting to and from other formats, extracting pages, unlocking, etc.

566

I am looking for something to connect to my server from outside my local network.

I am on a shared IP and my ISP doesn't have port forwarding.

567
  • Can I open source it in a way where changes are not open to the public?
  • I have a Google verification file on my git; is it OK to put it in public?

The platform is GitLab.

568

It has been a month since the last time I posted about Treedome. Back then it was still at 0.4.0 and there were a lot of little tidbits of missing/bugged components.

I've polished it since then, please take a look https://codeberg.org/solver-orgz/treedome/compare/0.4...0.4.5!

Notable changes since then are:

  • Node path will now be visible in the editor, making sure users make fewer mistakes when editing their notes
  • The width of note tree and text editor is now configurable
  • Configurable idle timeout that will close and save your notes, defaulted to 300,000 ms or 5 minutes
  • Removed the about menu; now users can easily click on big badges which will open links to our repository, matrix room, etc.
  • Various fixes and little adjustments

Install it on arch (btw) and nix (0.4.5 is in review not merged yet)

569
570
571
572
573

Winlator is an Android application that lets you run Windows (x86_64) games and applications using Wine and Box86/Box64.

Version 6.0 Changelog:

  • Added Magnifier
  • Added option to add Wallpaper
  • Improved UI
  • Fixed Container startup error that occurred on some devices
  • Improved XInput compatibility
  • Improved Input Controls and Cursor sensitivity
  • Added support for external mouse
  • Updated Wine, Box86/Box64, Turnip and DXVK
  • Added "Bring to Front" on Task Manager
  • Added 7-Zip on context menu
  • Removed the option to install OBB image (now it's all in one apk)
  • Performance improvements and other fixes

574

This repo is also mirrored to Codeberg.

I made an easy-to-use ToDo app, just to learn a bit about programming and Flutter. It does not really provide any benefits over other ToDo apps, but I am glad that I was able to make this.

You can download the APK for Android, the RPM for RHEL/Fedora, or just use the AppImage.

I am willing to work more on this, you can read the roadmap in the link provided.

Any guidance, criticisms, or comments will be greatly appreciated.

575

What's up hackers, I know there are a lot of marketplaces scamming / seized by LE, so I decided to start an open source marketplace where anyone can sell digital goods securely on and off the clearnet (supports Tor).

I initially wanted to create this marketplace as a hidden market on Tor, but the implications and legalities involved are a lot; not just LE, but maintenance, bug fixes, etc. would be a lot for a solo developer. So I decided to make it open, where I'd get contributions from amazing hackers, and anyone who is tired of exit scams can also start their own marketplace without a lot of moving parts.

TLDR; As chef, I'm cooking with all the modern recipes / spices.

API

  • framework: RoadmanJS (built by yours truly, it's like ReactJS but for backend components)
  • database: Couchbase (its like mongodb and postgres had a kid) + Redis

UI:

  • framework: NextJS 14 App router (modern PHP that can spit HTML-only with zero js, noscript)
  • components: Styled-components with a framework-like Twitch UI.

Here is a list of all the features I'll be working on, open to anyone who'd want to contribute as I'm in the early stages; lots of features and bug fixes are missing.

Features:

  • PGP 2FA
  • Autowithdraw
  • BTC, XMR
  • Escrow / FE
  • Multisig support 🔄
  • Jabberbot 🔄
  • FE disputes 🔄
  • Auto dispute resolution 🔄
  • Walletless pay 🔄