sneakyninjapants

@sneakyninjapants@sh.itjust.works
0 Posts – 161 Comments
Joined 1 year ago

How does the xz incident impact the average user?

It doesn't.

Average person:

  • not running Debian sid, Fedora nightly, Arch, OpenSUSE Tumbleweed, or tbh any flavour of Linux. (Arch reportedly unaffected)
  • ssh service not exposed publicly

The malicious code was discovered within a day or two a month of upload iirc and presumably very few people were affected by this. There's more to it but it's technical and not directly relevant to your question.

For the average person it has no practical impact. For those involved with or interested in software supply chain security, it's a big deal.

Edit:
Corrections:

  • OpenSUSE Tumbleweed was affected; Arch received malicious package but due to how it is implemented did not result in compromised SSH service.
  • Affected package was out in the wild for about a month, suggesting many more affected systems before malicious package was discovered and rolled back.

Good bot

Wait, is that even a thing here?


My long and mostly complete list:

  • Audiobookshelf (GH)
    • Using for audiobooks. Ebooks, comics, and podcast support in early stages.
  • Authelia (GH)
    • Using for two-factor authentication in front of all of my services. Critical infrastructure.
  • Bazarr (GH)
    • Using for automated subtitle management. Have not needed to rely on it much.
  • Code-Server (GH)
    • Using for a plethora of things. I could write an entire post on this alone.
  • Courier
    • Using (occasionally) for package-tracking from various carriers.
  • EmulatorJS
    • Using for retro-emulation.
  • Gitea (GH) x2
    • Using as a git repo server, package repository, and for CI/CD automation. Is critical infrastructure in my lab. Could also write an entire post on this one.
  • Headscale with Headscale-UI. Tailscale clients on various VMs, LXCs, etc.
    • Using to securely network with my remote servers.
  • Homepage
    • Using as a "single-pane-of-glass" to get an overview of service health with links to the various services.
  • Invidious
    • Using in-place of YouTube.
  • IT-Tools (GH)
    • Using for the myriad of various useful tools it offers.
  • Jellyfin (GH)
    • My media player of choice. Using for movies and television, but supports music, ebooks, and photos in addition.
  • Kopia Server (GH)
    • Using for data backups to my Minio instance on local NAS and Wasabi. Simple, fast, and reliable.
  • Librespeed (GH)
    • Using for the occasional speedtest to my remote servers.
  • Matrix stack using Conduit back end and Element-Web front end
    • Federated Discord essentially. Using as a private instance for friends and family.
  • Minio
    • Using primarily as a gateway to storing backups, also serves git-lfs for Gitea.
  • N8N (GH)
    • Using for home-automation, backing up my Reddit saved posts to a database, deal-alerts, and part of a CI/CD pipeline.
  • NTFY (GH)
    • Using for infrastructure notifications mostly. Very simple and versatile alerting solution.
  • NZBGet
    • Using for getting "usenet articles".
  • Paperless-NGX
    • Using for document archival. Important receipts, documentation, letters, etc. live here.
  • Portainer (GH) with multiple agents on VMs, LXCs and VPSs
    • High level management of my various docker containers.
  • Prowlarr
    • Using to provide a torznab API to websites that don't natively have it. Integrates with Radarr and Sonarr.
  • Radarr (GH)
    • Using for movie management.
  • Radicale
    • Using for contacts and calendar server.
  • Raneto (GH)
    • Using as a knowledge base. Lab documentation, lists, recipes, lots of things live here. Using with code-server and Gitea.
  • Readarr (GH)
    • Using for book management
  • Recyclarr (GH)
    • Using for Radarr and Sonarr to sync search terms for their automations. Very useful, hard to summarize.
  • Requestrr
    • Using (very rarely) as a requests bot for Radarr and Sonarr.
  • SFTP-Go
    • Using mostly in-place of Nextcloud. Used to back up phones mostly.
  • Shaarli (GH)
    • Using as a read-it-later service. Went through lots of these, and Shaarli has been good enough.
  • Singlefile-Archive
    • A hacky way of presenting pages saved with the singlefile browser extension. Not exactly happy with the solution, but for my occasional use it does work.
  • Sonarr (GH)
    • Using as TV series manager
  • Speedtest-Tracker (GH)
    • Using to get periodic speedtests. Plan to automate results to blast my ISP if my service speed gets too low.
  • Traefik (GH) on each separate host
    • Using as a web proxy in front of my various services. Critical infrastructure.
  • Transmission (GH)
    • Using to get "Linux ISOs"
  • Uptime Kuma (GH)
    • Using to monitor site and services status along with a few others. Integrated with NTFY for alerts.
  • Vaultwarden
    • Using as my password manager. Have been using for years, cannot recommend enough.
  • A handful of static websites served with NGINX
    • The old standby, it's been reliable as a webserver.

These services are the result of years of development and administrating my lab and while there is still some cruft, it's mostly services that I think have real utility.

As far as hardware:

  • Running pfsense on a toughbook laptop as a router-firewall.

  • A SuperMicro 24 bay disk-shelf with Proxmox and ZFS for NAS duties and a couple services.

  • Lenovo Tiny boxes with a Proxmox cluster for the majority of my local services.

  • Dell managed switch

  • A few Raspberry-pi's with Raspbian for various things.

  • Linksys AP for wifi

Edit: Spelling is hard.


I think that's where they're headed intentional or not, but probably intentional. I think they're trying to pivot their business model. If I had to guess what will happen going forward in broad strokes.

  • Strike will break one way or another (mod removal most likely)
  • Huge mod turnover
  • Moderation quality takes a nosedive with spam, thinly-veiled ads, porn, and trolling ending up more and more prevalent in regular subs
  • Confidence of power-users starts to evaporate once the post quality sucks and niche subs devolve to /pics and discussion turns into the Youtube comments section
  • Comments become heavily restricted by Admins to pump their upcoming IPO
  • NSFW content either gets eradicated or heavily restricted by admins to pump their upcoming IPO
  • Slow diaspora of power-users to nowhere/federated platforms/new centralized platforms/niche forums/discord
  • Vast majority that's left are Tiktok adjacent crowd scrolling through the site upvoting and downvoting (though that's being gamed even more than currently) with little meaningful discussion or community in subs anymore

so like 9gag.

Bonus-round predictions:

  • Google has to re-rank search results because Reddit isn't a treasure trove of niche knowledge and mostly-real user experiences anymore
  • AI firms scraping Reddit for LLM data will cease eventually and most likely start redirecting that to where the real discussions are happening
  • /spez will have cashed out soon after the IPO, carrying buckets of money off into the sunset
  • New leadership and duty to make all the cash will finish strangling the holdouts of Old Reddit
  • Invasive ads and lack of anything resembling good content will make the site a shell of its former self.

I'll be surprised if this process takes another 5 years, but by year 10 I definitely think the downfall will be complete.

I'm all for bots that are used as tools for the community, the invidious one seems pretty great too. A bit concerned about what the potential "bot army" on some of these instances will be used for going forward though.


Today's episode of Veronica Explains is brought to you in part by corporate greed.

Less than 5 seconds in and I already know I'm going to like this video.

Assuming they're generally on the same instance ::cough EH cough:: others can just defederate if they want. Those that are harassing and spreading hate speech on mixed servers can be blocked, banned from communities, or the instance in question if egregious enough.

Edit: Am I resurrecting a 3 year old post rn?


They did. It's called AirMessage. Has been around for almost 3 years now.


lemfinity

Oh god, I feel like I'm going to get blamed for this down the line

In addition to the ones listed:

  • Matrix client (Element, SchildiChat, FluffyChat, etc.)

  • XMPP client (Conversations, Monocles Chat, Blabber, etc.)

  • SimpleX Chat

  • Briar

None of them are tied to your phone number if that's what you mean by non-VoIP.

Here's one I have saved in my shell aliases.

nscript() {
    local name="${1:-nscript-$(printf '%s' "$RANDOM" | md5sum | cut -c 1-10)}"  # default name: nscript-<10 hex chars>
    printf '#!/usr/bin/env bash\n#set -Eeuxo pipefail\nset -e\n' > ./"$name".sh && chmod +x ./"$name".sh && hx ./"$name".sh  # write header, make executable, open in Helix
}
alias nsh='nscript'  # short alias for the function

Admittedly much more complicated than necessary, but it's pretty full-featured. The first line constructs a filename for the new script from a generated 10 character random hash and prepends "nscript" and a user provided name.

The second line writes out the shebang and a few oft-used bash flags, makes the file executable and opens it in my editor (Helix in my case).

The third line is just a shortened alias for the function.
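A hardened variant of the nscript() helper above, added here as an example and not the commenter's own code. It assumes a POSIX shell with od(1) and /dev/urandom; the editor lookup via $EDITOR (falling back to hx) is likewise an assumption.

```shell
#!/usr/bin/env bash
# Hardened variant of the nscript() helper (added example, not the original code).
# Assumes a POSIX shell with od(1) and /dev/urandom; EDITOR/hx is an assumption.
#
# Changes versus the original:
#  - $RANDOM is a 15-bit value, so md5sum("$RANDOM") can only produce 32768
#    distinct "random" names; the suffix here comes from /dev/urandom instead.
#  - A user-supplied name containing '/' or starting with '.' is rejected, so
#    the helper can only create a visible file in the current directory.
#  - An existing script is never silently truncated (noclobber, set -C).
#  - The editor is only launched when stdin is a terminal.

nscript_suffix() {
    # 5 bytes from the kernel CSPRNG -> 10 lowercase hex characters
    od -An -N5 -tx1 /dev/urandom | tr -d ' \n'
}

nscript_create() {
    local name="${1:-nscript-$(nscript_suffix)}"
    case "$name" in
        */* | .*)
            printf 'nscript: refusing unsafe name %s\n' "$name" >&2
            return 2 ;;
    esac
    local path="./$name.sh"
    # With set -C the '>' redirection fails instead of overwriting the file.
    if ! ( set -C; printf '#!/usr/bin/env bash\n#set -Eeuxo pipefail\nset -e\n' > "$path" ) 2>/dev/null; then
        printf 'nscript: %s already exists\n' "$path" >&2
        return 1
    fi
    chmod 0755 "$path"
    printf '%s\n' "$path"   # report the created path to the caller
}

nscript() {
    local path
    path="$(nscript_create "$1")" || return $?
    if [ -t 0 ]; then
        "${EDITOR:-hx}" "$path"
    else
        printf '%s\n' "$path"
    fi
}
alias nsh='nscript'
```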

It depends on if you were the first person on your instance to subscribe, and if that subscription happened before or after the posts were made. Lemmy doesn't backfill content, which means only new content after the subscription happens will be visible to your instance. I'm not a fan of that personally, but I can see why they did it that way.


the app was worth every penny

Agreed. It was a great app while it lasted. Wish him the best on what he decides to do going forward.

Great read. I'm expecting the next wave of Redditors on June 30th after their 3rd party apps stop working. And update! I think the threadiverse has broken 200K signups as of today. Definitely an explosion from even a month ago. Thanks for linking here too OP, I love seeing these interesting articles written by smaller publications. That's something I've always loved about Hacker News, and seeing it here is simply awesome!

They could technically make their app so you could insert your own API keys which you'd get from Reddit directly, but it's not very seamless to the user. You wouldn't just need to enter your username and password when you log in the first time, you'd need to go into the old.reddit preferences > apps > create a new app > agree to the API EULA > fill out redirect URI, about URI, app-name, etc. > THEN it would give you your API key that you'd have to copy and paste to the waiting app along with your username and password. The developer of "Infinity for Reddit" (an open-source Reddit client) already asked Reddit about this prior to the blackout and they said big fat NO unfortunately. They want every Infinity app to share a single API key for every phone that's using it. There are ways around this, but out of the scope of what you're asking.

Just to clarify, are you wanting to create an instance (an entire server like lemmy.ca, lemmy.ml, lemmy.world), or a community (a subreddit like nostupidquestions@lemmy.world, canada@lemmy.ca, main@sh.itjust.works)? Instructions differ greatly depending on your answer.


Hmmm. I don't have a network/infrastructure diagram or anything yet, but I've been meaning to create one. I'll probably put one together and post more about my setup if there's any interest. I'll be sure to tag you when I do. Thanks for the interest!

Agree completely. In the grand scheme of things the damage that appears to have happened here is small potatoes, but it brought attention to the vulnerability so it was patched quickly. Going forward now, the authors and contributors to the project might be a bit more focused on hardening the software against these types of vulnerabilities. Pen testing is invaluable on wide user-base internet accessible platforms like this because it makes better, more secure software. Unfortunately this breach wasn't under the "ethical pen testing" umbrella but it sure as hell brought the vulnerability to the mindshare of everyone with a stake in it, so I view it as a net win.

There's always a catch. Oracle has and will claw back that free allowance unless you meet specific criteria or move to a pay-as-you-go tier with a cc on file with a $100 authorization charge, and even then they may. Ask me how I know lol


Thanks for sharing! I'll definitely be looking into adding this to my infra alerting stack. Should pair well with webhooks using ntfy for notifications. Currently just have bash scripts push to uptime-kuma for disk usage monitoring as a dead man trigger, but this should be better as a first-line method. Not to mention all the other functionalities it has baked in.

Edit: Would also be great if there was an already compiled binary in each release so I can use bare-metal, but the container on ghcr.io is most-likely what I'll be using anyway. Thanks for not only uploading to docker hub.

Snaps are pretty terrible IMO, so I usually end up bootstrapping a custom Ubuntu image without snap for this reason (and others) for my cloud images. Definitely not general purpose though.


For sure. They just banned /NewYuzuPiracy 3 days ago for example.

The only thing that makes sense to me is that they sent an automated message to all the private subs over a certain threshold. And it looks like some scab submod decided to mutiny and take the sub.

Kopia repo on a separate disk dedicated to backups. Have Kopia on my servers as well sending to my local s3 gateway and second copy to wasabi.


Correcting the link for non lemmy.world users. !unixporn@lemmy.world

Looks like there's an outstanding issue for it already on Github. Jerboa is likely taking a distant third place to backend and web-ui development time right now, so it could be a while.

having to do a firmware update on my soldering iron

You don't. It works perfectly fine OOTB. Can't speak for the Pinecil v2 with Bluetooth and the companion app but I have v1 and the software has been stable and bug-free enough I've never even given a thought to updating the firmware on it.

If you're just looking for ebooks Calibre/Calibre-Web will do the job. I wanted a good audiobook player too so I went with Audiobookshelf as it does that and a few other things. You could also go with Jellyfin as I've read it can do epub, but I have no experience with it.


Which Android devices are you currently using?

Oneplus 7 Pro

What do you love most about them?

Having a pop-up camera probably, clean uninterrupted screen.

Having an unlockable bootloader and non-OEM ROMs is pretty nice too.

What do you dislike?

Probably the rounded glass screen edges.

Stock ROMs are utter trash.

Have 256 GB storage, but microSD expansion would be nice.

Would love to run CalyxOS or GrapheneOS, but understandably there's no build for this phone.

Edit: Detail. Also probably won't consider changing phone until Google foldables get good and can de-google with an aftermarket ROM.

It's because the original image macro that this is based on was about piracy, saying something along the lines of "I bring a certain 'just torrent it' vibe to the conversation that the RIAA just doesn't like."

Their reuse of the macro is indirectly an answer or a continuation of it that can be seen as acknowledging the original message.

Me. $350 off and $100 worth of storage upgrades on a Pixel 9 pro was worth it for me. Phones now are expensive as fuck but getting a ~40% discount on a brand new product made it easier to accept.

I was a bit late to the social media train, isn't that where the "Eternal September" thing came from?

Rust > PHP


Lots already. Of course depends on what your interests are. For ex. my subs


There is. See here. IDK how good the API documentation is (haven't checked), but it should be linked in that page.

Seems he's revealing that he is either Bruce Wayne or Bane. As they're the only two to ever escape from the pit; historically speaking.

Oh that's interesting, that's the first I've heard of it. I wonder how one would go about testing if that works.

Oh I have quite a few that I've set up then pulled out of service for various reasons. I'm always evaluating potential use-cases for new services and if a different service would better suit my needs than what I have deployed currently. It's definitely a hobby.

Some container-based projects that I'm loosely tracking updates for and have deployed but have since pulled out of service (non-exhaustive):

Media:

  • Calibre / Calibre-Web
    • Supplanted by Audiobookshelf. For tagging and book conversion I just temporarily install Calibre on my Workstation when the need arises.
  • FreshRSS
    • Did not end up using it for much at the time. Re-evaluating if I'd like to stand it up again.
  • Plex
    • Plex is nice but too many drawbacks that don't work for me. Supplanted with Jellyfin.
  • Overseerr
    • Didn't have much use for this, but it will likely change soon. Since I've stuck with Jellyfin I'll be going with Jellyseerr if I decide to stand up this kind of service again.
  • Libreddit
    • Rarely made use of it. Nice project, but it's not feasible now for obvious reasons.
  • Miniflux
    • Same as FreshRSS, though I'm a big fan of Go and Rust projects in general so this is the one I'm more keen on re-implementing.
  • Tautulli
    • Part of the Plex ecosystem which I abandoned. It was useful software, but unfortunately locked to Plex.
  • Unmanic
    • Never really had a use for this, though I thought I would at the time.
  • TT-RSS
    • Project is decent but the author is an asshole and very user-hostile, so I dropped it when I retooled my homelab a few years ago.
  • Jackett
    • Supplanted with Prowlarr.
  • Ombi
    • Same as the reason for dropping Overseerr.
  • Neko
    • Did its job, consumed lots of resources, and no arm64 docker image; though I managed to build my own. Got rid of it when I no longer had a use for the service.

Archival/Documentation:

  • Filestash
    • Something about the project rubbed me the wrong way, vague on the details though.
  • Shiori
    • Was decent but the lack of updates then subsequent maintainer turnover scared me off. I check in from time to time to see how the project's going.
  • Wallabag
    • Ended up being too slow and clunky for me, but that could be the hardware I was running it on at the time.
  • Archivebox
    • Same as above, but it definitely wasn't the hardware.
  • Bookstack
    • It was alright but decided I didn't need a separate service for documentation, I just use Code-Server with a documentation repo and Raneto to give me a pretty page to navigate and for the family.
  • Filerun
    • Worked well while I was using it, not a fan of the closed-source nature and just didn't feel the need to redeploy when I retooled my infrastructure.
  • Wiki.js
    • Same as Bookstack, didn't really have a use for a separate service.

Dashboards:

I'm going to preface this by saying I have some sort of addiction with dashboards, it's unhealthy really.

  • Organizr
    • Didn't like how everything was an iframe and it seemed particularly resource heavy for what I needed it to do.
  • Heimdall
    • My second dashboard. Liked the API integration, not so much the design.
  • Homer
    • Wasn't a fan of the design.
  • Homarr
    • Also didn't like the design much.
  • Flame
    • Decent project, but decided to move on to something configuration file based.
  • Sui
    • Liked this one a lot and used it for quite a while before Homepage lured me away with API widgets.

Infrastructure:

  • Apt-cacher-ng
    • Inadvertently made my infrastructure brittle with how I had it implemented. Decided to just rebuild my cluster's cloud image on-demand instead of daily and update my apt distros the old-fashioned way.
  • LLDAP
    • Liked this project a lot, but added complexity to my infrastructure that could be more simply achieved other ways.
  • OpenLDAP
    • Same as LLDAP, but more feature rich and thus even more complicated.
  • Docker Registry
    • Set up briefly but found a better use-case with Gitea's integrated package registry which I'd already had deployed.
  • Guacamole
    • Used this for a while, but the clipboard situation sucked at the time and I gravitated to just using SSH anyway, and since I have Proxmox on hypervisor duties just used xterm.js or noVNC for console access.
  • Watchtower
    • Did its job but the :latest tag is dangerous to use. I like having change logs, an evaluation environment, and an approval based update workflow so I switched to renovate-bot.
  • Netmaker
    • Was a decent option for sure and faster than what I'm using currently in theory, but seemed a little too unnecessarily complicated to keep running for me.
  • Netboot.xyz
    • Definitely useful. Will probably redeploy it at some point.
  • OpenSSH-Server
    • Supplanted with Wireguard implementation in Tailscale.
  • Node-Red
    • Tried it very briefly but N8N fit my use-case better.

Readarr is akin to Sonarr/Radarr. Audiobookshelf is like Jellyfin/Plex

Full disclosure: I've never used 1Password so can't really comment on it compared with others, but I'm currently running a self-hosted Bitwarden re-implementation (Vaultwarden) and am generally pretty happy with it. I've only ever used LastPass as a password manager before (aside from a seeding algo back in the day), and while I really don't like their business practices or security history, their extension has or at least had a bit better consistency on Firefox than Bitwarden does, at least with regards to detecting username/password fields and detecting when a new credential is being created and asking it to be saved automatically. That being said, it's something that I can live with considering it's free software. As far as I'm aware, in terms of features all the big players in that space are pretty evenly matched, though I do remember some advanced feature that 1Password offered over others; maybe related to privileged access management in enterprise.