by andreyv on 7/9/24, 2:51 PM with 56 comments
by stncls on 7/9/24, 3:28 PM
(I am only joking of course. As a recovering academic, I understand that researchers need recognition, and I have no right to throw stones -- glass houses and all. Also, this one is really like regreSSHion's little sibling. Still, easily finding the information I needed made me happy.)
by hannob on 7/9/24, 2:57 PM
by londons_explore on 7/9/24, 2:59 PM
by qalmakka on 7/9/24, 3:14 PM
1. I hate the fact they have the hubris to think they can be smarter than the upstream developers and patch old versions
2. I hate the fact they don't ship vanilla packages, but instead insist on patching things for features that nobody relies on anyway, __because they're not upstream__.
Maintainers should stick to downloading tarballs, building them and updating them promptly when a new version is out. If there's no LTS available, pay upstream and get an LTS; don't take a random version and patch it forever just to keep the same version numbers. It's nonsensical, and it was only a matter of time before people tried to exploit it. Just look at the XZ backdoor for instance, which relied on Red Hat and Debian deploying a patched libsystemd.
by candiddevmike on 7/9/24, 3:00 PM
by ta988 on 7/9/24, 2:57 PM
by password4321 on 7/9/24, 6:01 PM
https://news.ycombinator.com/item?id=40843778
Edit: OK, it seems very closely related; I was just surprised no one had linked the previous discussion.
by crest on 7/9/24, 3:02 PM