- That commit's date matches the date in the 404media article (July 13th)
- The commit message is totally unrelated to the code (highly suspicious)
- The code itself downloads additional code at runtime (highly highly suspicious)
I have not yet been unable to uncover the code it downloads though. It downloaded code that was hosted in the same repo, https://github.com/aws/aws-toolkit-vscode/, just on the "stability" branch. (downloads a file called "scripts/extensionNode.bk") The "stability" branch presumably was a branch created by the attacker, and has presumably since been deleted by Amazon.
I'm not a git expert, but how was the attacker able to push the stability branch directly to the Amazon owned repo? The PR would have been to merge the modified branch to main right?
Joseph's 404 article quotes the hacker as saying they "got admin privileges on a silver platter," so I think this is it: first part of the breach was gaining the GitHub permission to create a branch. Possibly just by asking.
I was impressed at this. By sharing side-load instructions and by the overall restrained language of the post, they're emphasizing that this is not a personal attack on Deepin or an attempt to hurt Deepin and also emphasizing that OpenSUSE leadership understands the value of their community and has no power fantasy aspirations about trying to exert undue control over the users of the distribution. Really, OpenSUSE had more than enough ammunition to make a scathing takedown on the behavior of the Deepin maintainer and all of Deepin upstream, and many other OSS leaders would have done so ("Fuck Nvidia" anyone?), but they did not. They chose restraint and statements encouraging reconciliation. Cheers to the author for keeping it together in this obviously quite disappointing situation.
opensuse continuously impresses me on a community level but for some reason it's one of the only major distros i've never actually tried running. not sure why!
For #1 I can highly recommend this interactive article by Bartosz Ciechanowski: https://ciechanow.ski/sound/. It might lack the depth you want in intermediate or advanced topics, but in my opinion it is the most efficient and effective beginner education material out there.
I have the same problem. Snaps are confined to only files within $HOME. I keep almost all data under /media/ and this caused snaps to be mostly unusable for me, at least unusable for productivity apps where I need to process data. Some apps though are self contained, e.g. Spotify, for example, works fine for me as a snap.
Yup. There needs to be considerable work to integrate snaps from completely sandboxed (no access to file system/network/hardware), to giving them controlled access to some resources, managed/monitored by root and/or user.
I would be interested in seeing and reviewing your asyncio work gwillz! I have a small (750 sloc) network service implemented with asyncio and ran into some design problems around modularly handling healthchecking, exception handling/monitoring, and auto recovery/restart. I was unable to find much in the way of large software written with asyncio to learn better patterns from, so ended up with what, to me, feel like mediocre solutions. My email is in my profile.
"transaction-level" pooling might be a more apt description. Instead of assigning each incoming connection to a dedicated upstream connection for the entire duration of the incoming connection, it assigns the upstream connections on a per-transaction basis. When each transaction ends, the upstream connection is returned to the pool. A better description is at https://wiki.postgresql.org/wiki/PgBouncer.
ref: dang's comment @ https://news.ycombinator.com/item?id=45645793