Drop #435 (2024-03-29): Everything Is Broken

The xz Debacle Redux; likes; pathman & serviceman

Friday got away from me, due to — in part — the topic of the first section, hence the late arrival of the Friday Drop.

Since that situation is pretty horrible, we’ll lighten things up in the other two (so, I guess, not everything is broken).

I’ve got tons of food to prep for the holiday weekend, so no Bonus Drop, but we resume the proper course Monday.

The xz Debacle Redux


NOTE: I’ve been re-posting scores of useful links regarding the xz debacle on Mastodon, so this won’t be an exhaustive section. Just trying to summarise the key points for folks still concerned, and offer some personal guidance for Ubuntu/Debian/macOS folks for how to get to some “safe” place, and an opine or three about open source development.

We had an[other] event which has caused open source software development to take yet-another fairly big hit in terms of safety, resilience, and trust.

This debacle surrounds the xz compression library and tools. They are widely used for compressing and decompressing files/content, and have been a staple in software development and distribution for years because of how efficient and fast they are. However, a backdoor in versions 5.6.0 and 5.6.1 was discovered and has quite literally sent shockwaves through all parts of the software ecosystem; it has also raised serious concerns about the integrity of the software supply chain and the security of countless systems worldwide.

While there are many areas of concern about the backdoor code, one major one is that it could allow SSH authentication to be bypassed (this is really the only “for-sure” issue that could have resulted from this backdoor). Thankfully, the affected versions of xz were not widely distributed, but the mere presence of such a backdoor raises alarming questions about the oversight and security practices surrounding open-source software development and distribution.

In response to the discovery, virtually all parts of the tech community have rallied to try to address the immediate security concerns and to prevent similar incidents in the future. This includes patching the vulnerability, revoking the compromised versions of the utility, and looking at enhancing security measures in the development and distribution process of various open-source projects. But, to put it bluntly, other open source projects almost certainly have fallen victim to a similar attack (and we just don’t know about them yet), and there is virtually nothing that can be done to safeguard every codebase and the processes they use to incorporate code updates and publish releases.

This is a good post by Dark Reading on what you can do to get xz back to a good state across all your kit. macOS folks should run brew update and brew upgrade (upgrade everything, not just xz, especially since you likely haven’t in a long time).

Expect a fair amount of hyperbolic content and immense fallout from this xz debacle. I fear we’re in for a spate of draconian (and, nigh, useless) government regulation along with a bunch of “thought leaders” mostly just leading folks down daft paths.

The biggest two lessons folks should learn from this situation are that nobody has our collective backs, and that dependencies exist in places we might never expect (on Debian/Ubuntu, xz only ends up in ssh[d] to help out systemd).
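Here’s a small POSIX shell check I put together for this Drop (it is my example, not code from Dark Reading or the xz project) that ties the two paragraphs above together: it parses `xz --version` output, flags the two backdoored releases named above (5.6.0 and 5.6.1), and on Linux reports whether the sshd binary is dynamically linked against liblzma at all, which is the systemd-driven dependency that made the backdoor matter on Debian/Ubuntu. The sample version output embedded in the script is constructed so the parsing can be exercised without xz installed; everything else only reads versions and `ldd` listings.

```shell
#!/bin/sh
# Added example for the Drop: is the local xz one of the backdoored releases,
# and does sshd even load liblzma here? Read-only; safe to run anywhere.

# The two releases the post names as carrying the backdoor.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of captured `xz --version` text, whose first
# line looks like "xz (XZ Utils) 5.4.5" and second line "liblzma 5.4.5".
# Both take the text as $1 so they can be tested on constructed input.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}
parse_liblzma_version() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p'
}

# Classify captured `xz --version` text. Returns 0 (and prints AFFECTED) when
# either the xz binary or the liblzma it links reports a backdoored version;
# the library version matters because that is what sshd would actually load.
xz_output_is_affected() {
    xz_ver=$(parse_xz_version "$1")
    lib_ver=$(parse_liblzma_version "$1")
    [ -n "$xz_ver" ] || { echo "could not parse xz --version output"; return 1; }
    if is_affected_xz_version "$xz_ver" || is_affected_xz_version "$lib_ver"; then
        printf 'AFFECTED (xz %s, liblzma %s)\n' "$xz_ver" "$lib_ver"
        return 0
    fi
    printf 'OK (xz %s, liblzma %s)\n' "$xz_ver" "$lib_ver"
    return 1
}

# Linux only: does sshd link liblzma (the indirect pull-in via systemd support)?
# Returns 0 if it does, 1 if not, 2 if sshd/ldd are unavailable to check.
sshd_links_liblzma() {
    sshd_bin=$(command -v sshd 2>/dev/null)
    [ -n "$sshd_bin" ] || sshd_bin=/usr/sbin/sshd
    if [ ! -x "$sshd_bin" ] || ! command -v ldd >/dev/null 2>&1; then
        echo "sshd or ldd not available; skipping linkage check"
        return 2
    fi
    if ldd "$sshd_bin" 2>/dev/null | grep -q liblzma; then
        echo "sshd links liblzma: $(ldd "$sshd_bin" 2>/dev/null | grep liblzma)"
        return 0
    fi
    echo "sshd does not link liblzma"
    return 1
}

# Constructed sample output (not captured from a real host) to show the parser.
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Check the machine this runs on; statuses are deliberately ignored here so
# the report always completes.
report_local_state() {
    echo "sample check: $(xz_output_is_affected "$SAMPLE_BAD")"
    if command -v xz >/dev/null 2>&1; then
        xz_output_is_affected "$(xz --version 2>/dev/null)" || :
    else
        echo "xz not installed"
    fi
    case "$(uname -s)" in
        Linux)  sshd_links_liblzma || : ;;
        Darwin) echo "macOS: run 'brew update && brew upgrade' to refresh xz" ;;
    esac
    return 0
}

report_local_state
```

The linkage check is the more interesting half: a distro sshd that does not pull in liblzma at all was never exposed through this path, whatever xz version is installed, while one that does is exactly the case the post’s last lesson is about.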

likes


“likes” is a decentralized social network where folks can click on an image to “like” content, which increments the like count for that URL. Said like count is stored and served by a worker that handles GET and POST requests to the “likes.catskull.net” URL. The worker then generates an SVG image with the current like count.

The author was inspired by the social mechanics in the video game “Death Stranding” and wanted to create a simple, self-contained way for people to share “likes” without relying on large social media platforms. The system is designed to be ad/adware/spyware-free, with no analytics or tracking (save for you being served up to Cloudflare), and is fully open-source under an MIT license.

“Likes” is a neat approach to decentralized social interaction that provides a lightweight, privacy-focused alternative to traditional social media platforms.

I put the code at the bottom of my personal website home page if you want to check it out.

We’ll dig into D1 (the thing that powers “likes”) in a future Drop.

pathman & serviceman


Serviceman is a cross-platform service management tool that makes it super easy to run programs and scripts as system or user services on Linux, macOS, and Windows.

Some key features of Serviceman include:

  • the ability to run programs and scripts as unprivileged (user mode) or privileged (system) services
  • automatic service management for Linux (systemctl), macOS (launchctl), and Windows (HKEY_CURRENT_USER/.../Run)
  • support for compiled programs as well as scripts (with ability to specify the interpreter)
  • logging and debugging capabilities to help troubleshoot service issues
  • workarounds for Windows-specific quirks like console vs GUI applications

It was created by AJ ONeal to simplify the process of running services, which he found to be overly complex and error-prone with traditional tools like systemd.

It is complemented by pathman, a command-line utility that lets you manage the system PATH environment variable using the same idiom on Windows 10, macOS, and Linux. That is, it provides a simple and consistent way to add, remove, and list directories in your PATH across different operating systems and shells:

pathman list
pathman add ~/.local/bin
pathman remove ~/.local/bin
pathman version
pathman help

Being able to use the same commands across Linux and macOS does help free up some mental cycles and increase keyboard muscle memory efficiency.

FIN

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev ☮️
