Open Source Software Community - it's about ethics in Code of Conducts

I've been using Debian for a long time and I've had to deal with being depicted as a boomer, neckbeard, basement dweller, and whatever the fuck, but this is really the rock-bottom depiction. Fuck no, but whatever floats their boat.


On topic, open source has become, for the most part, a grifter and attention whore paradise. Vibe coding, look at me, gibs me dat, looking for the IPO, etc. It has been completely taken over by this.
 
Did you do the needful and keep the tranime mascot visible (as required in the CoC), or did you change it to something else and DISRESPECT the troon dev?
View attachment 9129255 [Source - Article about Anubis]

I did a minor write-up on Anubis and the dev "Xe Iaso" (his new name) [Here]. It is a whole rabbit hole that should be investigated, and I missed a ton, but I personally have seen it gain more and more adoption.
View attachment 9129264
The "man behind the curtain". Xhe uses BSD and is C*nadian btw.
Is that some black lingerie or chest hair?
 
Over 400 AUR packages have been infected with infostealer malware. It was announced on a Fediverse instance called "gaysex.cloud".
MANY ORPHANED AUR PACKAGES ARE BEING TARGETED WITH AN INFOSTEALER.

The Arch User Repository package `alvr` has been orphaned, then adopted by a threat actor who immediately updated it with an infostealer. If you have [this package](https://aur.archlinux.org/packages/alvr) on your system and updated it recently, you've been compromised. This is not a result of any upstream compromise; it's just that one AUR package. In particular, the `alvr-bin` sister package seems to be fine.

[Here's the relevant thread for `alvr` from the Arch Linux mailing list](https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/2LGBF2AZBPVCCY4VTN6DOVUNNBURFJ2J/). `alvr` seems to be the first package compromised and/or the first one that was noticed. It was updated maliciously at `2026-06-11 13:53:45 UTC` and reverted approximately 3-4 hours after that.

SEVERAL OTHER PACKAGES ARE BEING TARGETED WITH THE SAME MALWARE: [1](https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/L2JXQNYBGWOQQQXDEPEAICBHKFEFANUC/), [2](https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/GNJEESAL6MT7LD2HCVP3HCTZIB6YQM2N/), [3](https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/EAVGB55YBS4HRVU5N6NTYCGGMDDOJAM6/), [4](https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/E5QPKBGL3QKLBOJ5HWUAS6AGZKHNTLG7/), [5](https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/LVYB62N3FPAWUHNJ5Z5GXG6OIR7S5P3F/)

[AUR mailing list megathread](https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/) <-- over 400 (!!!!) packages have the malicious npm dependency

They all share in common that they will install the `atomic-lockfile` package from NPM (so, [here's a live link to the actual malware](https://www.npmjs.com/package/atomic-lockfile); do not install that). They were all orphan takeovers. As far as I can tell, all of the ones I linked have been reverted to known safe versions, including `alvr`.

This is an **infostealer**, meaning it exfiltrates sensitive data from your system such as login credentials. Removing the malware will not undo the damage. Moreover, **uninstalling the malicious package will not remove the malware** because it persists as a systemd service that stays on your system indefinitely.

It executes as an npm preinstall script, and the npm package is installed by the AUR packages. This means that **simply installing the malicious versions of any of these packages will compromise you**. It does not require you to do anything more afterwards. Again, **the malware persists if you uninstall the malicious packages**.

To check if you've been compromised, look in `/etc/systemd/system` and `~/.config/systemd/user` for a recently added .service file with a random name. That's the persistence mechanism and the most obvious mark that you've been compromised.

---

Attached is a screenshot of an announcement from the "Linux VR Adventures" Discord.

I know we all hate Discord, but LVRA has a lot of auxiliary discussion, so [here's an invite link](https://discord.gg/zKPzbNwC6H)

Of special interest, [here's a malware analysis thread](https://discord.com/channels/1065291958328758352/1514675213089116342/1514675217056927774). Feel free to follow it in real time, or contribute, or whatever. Whanos has produced [a preliminary analysis blog post that contains a lot of important information about the malware](https://ioctl.fail/preliminary-analysis-of-aur-malware/).
(Archive.today did not archive correctly)
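The persistence check in the post above (recently added, random-named .service files under `/etc/systemd/system` and `~/.config/systemd/user`), scripted as an added example written for this thread. It is not code from the post's author, from the Whanos write-up, or from Arch/AUR. The "random name" heuristic, the 7-day window, the use of `pacman -Qo` to test file ownership, the `*.wants/` / `*.requires/` symlink check, and the two constructed sample units it scans first are all my assumptions, not anything the post or the analysis states.

```shell
#!/bin/sh
# Added example for this thread; not code from the post above, from Whanos's
# write-up, or from Arch/AUR. It automates the check the post describes: list
# recently added *.service files with random-looking names under
# /etc/systemd/system and ~/.config/systemd/user, then show what each runs,
# whether any package owns it, and whether a *.wants/ or *.requires/ symlink
# pulls it in. It first runs against two constructed sample units so the
# output can be seen without a compromised machine.
#
# Assumptions (mine, not the post's): "random name" is approximated as a
# basename of 8+ characters made only of letters and digits (no dot, dash or
# underscore); "recent" defaults to 7 days; `pacman -Qo` is used only where
# pacman exists. Units with plausible names slip past the heuristic, so still
# read both directories by hand.

# find_suspect_units DAYS DIR...  -> one matching unit path per line
find_suspect_units() {
    days="$1"; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -type f -name '*.service' -mtime "-$days" 2>/dev/null |
        while IFS= read -r unit; do
            base=$(basename "$unit" .service)
            case "$base" in
                *[!A-Za-z0-9]*) continue ;;   # contains a dot, dash, underscore, ...
            esac
            [ "${#base}" -ge 8 ] || continue  # short names like "sshd" are not random
            printf '%s\n' "$unit"
        done
    done
    return 0
}

# unit_exec FILE -> the first ExecStart= value in the unit (empty if none)
unit_exec() {
    sed -n 's/^ExecStart=//p' "$1" | head -n 1
}

# unit_enabled_in DIR FILE -> 0 if DIR/*.wants/ or DIR/*.requires/ links FILE
unit_enabled_in() {
    name=$(basename "$2")
    for link in "$1"/*.wants/"$name" "$1"/*.requires/"$name"; do
        [ -L "$link" ] && return 0
    done
    return 1
}

# describe_unit FILE -> a short report: what it runs, who owns it, wiring
describe_unit() {
    unit="$1"
    owner="unknown (pacman not available)"
    if command -v pacman >/dev/null 2>&1; then
        owner=$(pacman -Qo "$unit" 2>/dev/null || echo "no package owns this file")
    fi
    if unit_enabled_in "$(dirname "$unit")" "$unit"; then wired=yes; else wired=no; fi
    printf '%s\n  ExecStart: %s\n  owner:     %s\n  wired into a target: %s\n' \
        "$unit" "$(unit_exec "$unit")" "$owner" "$wired"
}

# report_dirs DAYS DIR... -> describe every suspect unit, or say there are none
report_dirs() {
    days="$1"; shift
    list=$(find_suspect_units "$days" "$@")
    if [ -z "$list" ]; then
        echo "no random-named *.service files added in the last $days days under: $*"
        return 0
    fi
    printf '%s\n' "$list" | while IFS= read -r unit; do describe_unit "$unit"; done
    return 0
}

# make_constructed_sample DIR -> writes two CONSTRUCTED units (not real
# malware): a benign dashed name, and a random-looking name wired into
# multi-user.target, which is the one the scan should single out.
make_constructed_sample() {
    mkdir -p "$1/multi-user.target.wants"
    printf '[Unit]\nDescription=constructed benign unit\n\n[Service]\nExecStart=/usr/bin/true\n' \
        > "$1/nightly-backup.service"
    printf '[Unit]\nDescription=\n\n[Service]\nExecStart=/home/user/.cache/.x/run --daemon\n' \
        > "$1/k3j9xq2m8a.service"
    ln -sf "$1/k3j9xq2m8a.service" "$1/multi-user.target.wants/k3j9xq2m8a.service"
}

sample=$(mktemp -d)
make_constructed_sample "$sample"
echo "== constructed sample =="
report_dirs 7 "$sample"
rm -rf "$sample"
echo "== this machine =="
report_dirs 7 /etc/systemd/system "$HOME/.config/systemd/user"
```

Run it as the user whose `~/.config/systemd/user` you want checked (root for the system directory). A hit is a lead, not a verdict: the ownership line and the ExecStart path are what tell a packaged unit apart from something dropped in by an install script, and a unit that reuses a plausible name will not be listed at all.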
 
On topic, open source has become, for the most part, a grifter and attention whore paradise. Vibe coding, look at me, gibs me dat, looking for the IPO, etc. It has been completely taken over by this.
Open Source has always been the Red Hat commiepedotroon playground; if you want the place with actual humans in it, Free Software is what you're looking for.

This seems like a load of barnacles. Not that AI is all terrible or all good. But a lot of these projects they list have gone nowhere. I'm mainly talking about the two Calibre forks they've listed.
Calibre is jeetware and effectively finished at any point in time; it is just under "maintenance" because the jeet can't help but shit it up every once in a while. A fork should effectively be static or something.
The Ladybird web browser, an independent browser built from the ground up, is no longer accepting public contributions, citing higher quality standards and a desire for accountability to contributors.

Personally, I think this is a good thing given that this decreases the likelihood of shitty people worming their way into the project and ruining it. It's not like people can't just have a public community fork if they wanna screw with their own patches.
That is the way of the future and should have been the standard since forever. Take OpenBSD, they always get lauded for having such clean code and security practices, but 99% of that just stems from rigidly rejecting dogshit PRs (and browns getting filtered by mailing list patch submissions). Being "open for everyone" is a cute idea in theory, but in practice, it equates to having no standards. If only Ludo could take his rightful place as BDFL and not have to do this whole "ruling council" rigamarole bs.
 
Take OpenBSD, they always get lauded for having such clean code and security practices, but 99% of that just stems from rigidly rejecting dogshit PRs (and browns getting filtered by mailing list patch submissions).
Incorrect. 99% of that reputation comes from its creators having excellent message discipline when it comes to marketing. The truth is that its security is a joke.

 
The Ladybird web browser, an independent browser built from the ground up, is no longer accepting public contributions, citing higher quality standards and a desire for accountability to contributors.

Personally, I think this is a good thing given that this decreases the likelihood of shitty people worming their way into the project and ruining it. It's not like people can't just have a public community fork if they wanna screw with their own patches.
It need not solely act as a shield to keep anime-avatar tranny readme proofreaders away, but it'd also help with the incredible amount of awful low-effort contributions that """people""" (Indians) make so they can LARP as a prolific open source contributor to hiring managers.
 
Incorrect. 99% of that reputation comes from its creators having excellent message discipline when it comes to marketing. The truth is that its security is a joke.

This site is bad and you should feel bad for posting it. The only thing it says is "it's not secure because no one proved it's secure". This is trying to prove a negative, which you can't. But of course at the end there's the standard bitch and moan about OpenBSD being big bad meanies THEY CALLED PEOPLE NAMES.
 
This site is bad and you should feel bad for posting it. The only thing it says is "it's not secure because no one proved it's secure". This is trying to prove a negative, which you can't. But of course at the end there's the standard bitch and moan about OpenBSD being big bad meanies THEY CALLED PEOPLE NAMES.
While true (to a point), there is good reason for despising OpenBSD: because Theo is the kind of obtuse faggot who thinks a bug allowing denial-of-service isn't a security issue. He's so desperate to hold onto the notion that OpenBSD is the "secure" OS that he autistically redefines terms so he never has to admit to making a mistake. More people would tolerate his foul temperament if it were actually justified by results, but instead all we get is security theater. Also, he's a leaf, so fuck him anyway.
 
While true (to a point), there is good reason for despising OpenBSD: because Theo is the kind of obtuse faggot who thinks a bug allowing denial-of-service isn't a security issue. He's so desperate to hold onto the notion that OpenBSD is the "secure" OS that he autistically redefines terms so he never has to admit to making a mistake. More people would tolerate his foul temperament if it were actually justified by results, but instead all we get is security theater. Also, he's a leaf, so fuck him anyway.
See, but that's an actual argument, one that I bet you can actually point to in code; it's grounded in something. That site wasn't.
 