our investigation has concluded that Alpine's supply-chain is not compromised, but instead, some Alpine packages are being used as components in a rootkit called VPNFilter.
to avoid being flagged by various IDS systems, we are going to be rebuilding the packages that were used in said rootkit. we will also be in communication with the IDS vendor which generated this bogus alert, to ensure they do not do so in the future.
there is also the possibility that the vendor is not actually who UW is talking to, but instead an APT who is trying to social engineer a rebuild so they may inject malware. this one is actually the one i find most likely.
unfortunately i suspect that these discussions will be embargoed for now.
there are a few possibilities:
- there really is an APT that has compromised the supply chain: this involves serving malware versions of TOR source packages to the maintainer as well as our builders (this seems unlikely tbh)
- TOR itself is compromised by an APT (maybe, but i would hope they would have procedures to prevent that)
- the vendor in question has made a mistake (also maybe)
- an APT has factored one of our signing keys and has produced malware-laden replacement packages (we have transitioned to RSA-4096 signing keys so this seems unlikely)
- an APT has found a novel exploit in apk-tools that allows them to bypass the signing requirement (seems unlikely, as each file's header in the apk is uniquely signed)
as a precaution, i have just fired off composes for every Alpine tree from v3.7 to present that will disable the community/tor package.
we have received a report from the University of Washington that, according to their vendor, these packages may be somehow compromised.
while I personally find this to be unlikely given how the package supply chain in Alpine is designed, I decided to pull the packages until we can verify that there is no compromise in our supply chain for community/tor.
i apologize for any inconvenience, but if there is a possibility that the packages are compromised, then we must err on the side of caution until we have more information.
install instructions coming soon, but @aag and i have a ton of installs in the field already, and we have a business angle that keeps this port well supported for the foreseeable future (assuming COVID-19 doesn't cause societal collapse anyway).
> use the semantic Qt signals instead of hooking ::clicked and ::doubleClicked, so that touch controls work in a reasonable way
> get burned badly by KDE Plasma 5.18
> KDE: your app is broken, don't do the right thing if you don't want us to do this to your app
it's not about "not being able to do normie things for a few months." it's about the 30%+ projected unemployment rate, it's about the bills that won't stop accruing, it's about the small businesses which will go out of business and not be bailed out like the airlines will. your average mom and pop store isn't going to be able to survive being down for "a few months." it's about the curtailing of civil liberties, the tracking, the liberals being useful idiots and cheering trump on as he starts executing a coup with executive orders as netanyahu did in Israel. anyone framing this as people complaining about not being able to "do normie things" is either being a useful idiot or has not considered the situation fully and how the poor and other marginalized folks are about to have their lives in shambles.
this would be a fairly trivial modification to any fediverse software, really.
but, even better, you don't have to modify the software at all.
fediverse software supports proxies, which may be used to proxy object fetches. this is actually a good thing, as it allows the fediverse to continue working behind firewalls or across islands (such as TOR or I2P).
well, a proxy can silently rewrite the HTTP Signatures, meaning that gab.com can deploy software which rewrites the HTTP Signature and thus evades the effects imposed by authorized fetches.
i look forward to somebody releasing such a proxy to demonstrate this point. maybe then we can talk about actual security, for once. haha who am I kidding?
as pleroma.site and juche.town have been transferred to new infrastructure, and few people are using socially.whimsic.al, this instance will be terminated on March 31, 2020.