More

cozzyd · 2026-04-03T13:28:16 1775222896

I know what I always need in my production database is a yolo tool

cozzyd · 2026-04-03T03:17:23 1775186243

It's not an outage if the service no longer exists!

cozzyd · 2026-04-03T03:16:05 1775186165

Maybe Ellison can use his MiG to retaliate.

cozzyd · 2026-04-03T03:09:59 1775185799

I guess Trump was not content with just destroying the CDC

cozzyd · 2026-04-03T03:06:54 1775185614

NASA is deep in Microsoft's stack. Meetings with NASA are the only time I have to use Teams

cozzyd · 2026-03-31T15:26:03 1774970763

car seats are one of the reasons I'm glad I don't have a car... don't need a car seat on the bus or train!

cozzyd · 2026-03-31T15:13:36 1774970016

or you don't use a package manager where anyone can just publish a package (i.e. use your system package manager). There is still some risk, but it is much smaller. Like, if xz were distributed by PyPI or NPM, everyone would have been pwned, but instead it was (barely) found.

It's true that system repos doesn't include everything, but you can create your own repositories if you really need to for a few things. In practice Fedora/EPEL are basically sufficient for my needs. Right now I'm deploying something with yocto, which is a bit more limited in slection, but it's pretty easy to add my own packages and it at least has hashes so things don't get replaced without me noticing (to be fair, I don't know if the security practices of open-embedded recipes are as strong as Fedora...).

calvinmorrison · 2026-03-31T15:32:53 1774971173

it's muddying what a package is. A package, or a distro, is the people who slave and labor over packaging, reviewing, deciding on versions to ship, having policies in place, security mailing lists, release schedules, etc.

just shipping from npm crap is essentially the equivelant of running your production code base against Arch AUR pkgbuilds.

cozzyd · 2026-03-31T06:21:09 1774938069

Megaseconds are about the right timescale anyway

kace91 · 2026-03-31T09:41:54 1774950114

What megaseconds? They clearly meant the Microsoft-defined timeout.

cozzyd · 2026-03-31T13:36:03 1774964163

Well megaseconds has the nice property that it's about about equal to a Scaramucci so it can be used across domains.

cozzyd · 2026-03-31T06:19:34 1774937974

Yet.

Does cargo contain any mitigations to prevent a similar attack?

Now hopefully no distro signing keys have been compromised in the latest attacks...

slopinthebag · 2026-03-31T08:42:17 1774946537

Yes they do!

cozzyd · 2026-03-31T04:41:37 1774932097

that's why people are telling others to use 7 days but using 8 days themselves :)

wongarsu · 2026-03-31T10:33:46 1774953226

brb, switching everything to 9 days

johnisgood · 2026-03-31T13:18:13 1774963093

That is 3D chess level type shit. xD

MetaWhirledPeas · 2026-03-31T15:18:54 1774970334

You don't have to be faster than the bear, you just have to be faster than the other guy.

porridgeraisin · 2026-03-31T07:34:25 1774942465

Genius