[00:09:28] https://discord.com/channels/178359708581625856/392015565171982346/1223052197135253616
[00:09:45] MediaWiki 1.41.1 has been released
[01:19:53] Are these kinds of notices just non-critical FYIs that are only enabled in dev environments and ignored in prod, or do they always show and must be addressed?
[01:19:54] https://cdn.discordapp.com/attachments/1006789349498699827/1223079151247036447/zTn8t6p.png?ex=66188c39&is=66061739&hm=f7dbf286903a721bad07b0f381fd73bb0c7e556df2b83e38af5eb6eb2ca017e0&
[06:49:07] You can filter some warnings out, but if you're developing with getting it on Miraheze as an eventual aim, we'll consider a large increase in warnings a blocker.
[10:36:17] https://phabricator.wikimedia.org/T345249#9672556
[10:36:51] SUL2 is already broken on Chromium, it seems
[10:37:24] well, already, more like will very soon be broken
[10:44:04] Fun!
[10:44:11] We're screwed
[10:44:19] yeah, this is a new kind of broken
[10:44:44] Big broke too
[12:02:08] https://tenor.com/view/skull-explode-gif-25528415
[12:03:40] Yeah, that’s likely my end intention. I’ll probably raise the level from notice to warning to not get sidetracked, ’cause missing a page alias probably isn’t a dealbreaker for prod, maybe, possibly
[14:48:02] What makes warnings a dealbreaker is if they drown out the logs
[14:48:12] So it depends how often they trigger
[16:41:48] if anyone here uses Linux at all, they may want to check out: https://www.openwall.com/lists/oss-security/2024/03/29/4
[16:42:11] TL;DR the release tarballs of xz have been backdoored
[16:43:49] another ref: https://lists.debian.org/debian-security-announce/2024/msg00057.html
[16:52:53] ```
Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system.
Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the "fixes" mentioned above.
```
[16:53:28] by fixes they meant adjustments to the exploit code
[16:54:35] https://github.com/tukaani-project/xz/commit/6e636819e8f070330d835fce46289a3ff72a7b89 comments are pretty funny though
[16:59:55] `Due to the working of the injected code (see below), it is likely the backdoor can only work on glibc based systems.` phew, I'm safe
[17:22:54] What's xz?
[17:23:07] xz is a compression utility
[17:23:28] the issue here is that it was backdoored to allow for some shenanigans on OpenSSH servers
[17:24:55] the mail by Andres Freund is not 100% clear on what exactly the objective of the exploit was, but it seems it was to allow for some form of RCE on OpenSSH servers running on Debian or distros that use the RPM format for packaging
[17:26:28] these distros patch OpenSSH to link with liblzma, a library that is part of xz
[17:28:05] man, everyone is getting supply-chained these days
[18:08:29] https://cdn.discordapp.com/attachments/1006789349498699827/1223332973001048125/image.png?ex=6619789d&is=6607039d&hm=c70ee5a7a643afb675363cefb32b468fc199ba700ab6dcac164d88a2fc89f2cd&
[18:08:30] https://cdn.discordapp.com/attachments/1006789349498699827/1223332973269745726/image.png?ex=6619789d&is=6607039d&hm=b25ddc984a36c2974f2c761f360c04e1c339a423deef888bbbf1efd3c207ed08&
[18:08:35] I tried to remove and reinstall node
[18:20:03] Also for reference: https://cdn.discordapp.com/attachments/1006789349498699827/1223335882472558672/image.png?ex=66197b52&is=66070652&hm=397d9d7ef444e5352a23925f61ebaa1fc3a06a2ed1eae0e3078990e5f7146e56&
[19:59:31] Do we have error levels set to notice?
[20:59:02] https://github.com/tukaani-project/xz/commit/af071ef7702debef4f1d324616a0137a5001c14c#commitcomment-140382601 😂
[21:10:01] See https://github.com/miraheze/mw-config/blob/master/LocalSettings.php#L6229