/jp/ - 2D/Random

File: 1712268940169.png (534.78 KB, 760x576, 8f8c5742234c79627723ff0364….png)

No. 617777

whatmin what do you think of the xz utils exploit that was capable of giving full root ssh access to literally any machine running the latest version of the package and was discovered only by accident? why is linux so shit?

No.617778

this happened like a week ago you retard

No.617779

File: 1712270087357.jpg (19.25 KB, 512x288, 8328887255dc2c3a027c709a8b….jpg)


No.617780

File: 1712270373249.jpg (340.11 KB, 828x871, 1712177296516078.jpg)

I've been afraid of upstream supply-chain malware and also malicious distro package maintainers for years now.

I've been called paranoid, "concern trolling", etc. so I always just shut up about it, but it feels good to be a little bit vindicated, and hopefully community awareness and prevention around this issue improves.

I only update Arch once every two months, I upgrade and reboot with no internet access, and check Wireshark to see if there is anything trying to make network connections, or any suspicious processes running.

I've also been thinking about downloading updates a week before I plan to upgrade (pacman -Syuw), and then installing them offline (pacman -Su), so anything I install would have had everyone else beta-test for a week, and if I don't hear nerds shouting from every rooftop that ransomware was inserted into [small library package that no one gives a fuck about] I assume I'm fine.
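
The download-then-wait routine from the post above, sketched as an added example that is not part of the thread: `stage` runs `pacman -Syuw` and records when, and `install` refuses to run `pacman -Su` until the hold period has passed. The stamp path, the `HOLD_DAYS` default and the function names are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example: hold staged pacman updates for a quarantine period.
STAMP="${STAMP:-/var/tmp/pacman-staged.stamp}"   # assumed location
HOLD_DAYS="${HOLD_DAYS:-7}"                      # the post's "a week"

# Print whole days elapsed since the epoch time stored in stamp file $1.
# $2 optionally overrides "now" (epoch seconds). Returns 2 on a bad stamp.
days_since_stage() {
    local stamp_file=$1 now=${2:-$(date +%s)} staged
    [ -r "$stamp_file" ] || return 2
    staged=$(cat "$stamp_file")
    case $staged in ''|*[!0-9]*) return 2 ;; esac   # must be digits only
    echo $(( (now - staged) / 86400 ))
}

# 0 = hold period over, 1 = too early, 2 = stamp missing or corrupt.
# $1 stamp file, $2 required days, $3 optional "now".
quarantine_elapsed() {
    local days
    days=$(days_since_stage "$1" "${3:-}") || return 2
    [ "$days" -ge "$2" ]
}

case "${1:-}" in
    stage)
        # Refresh databases and download packages only, then record the time.
        pacman -Syuw && date +%s > "$STAMP"
        ;;
    install)
        if quarantine_elapsed "$STAMP" "$HOLD_DAYS"; then
            # Installs from the already-synced database and local cache.
            pacman -Su && rm -f "$STAMP"
        else
            echo "staged updates are still inside the ${HOLD_DAYS}-day hold" >&2
            exit 1
        fi
        ;;
esac
```

A missing or unreadable stamp counts as "not ready", so running `install` without a prior `stage` fails closed.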

No.617781

File: 1712271108027.png (1005.33 KB, 1280x720, a480f0b814ea005ef34ee7d166….png)

>>617780
yeah but how can you trust anything going forward? this didn't show up in the source code, and was discovered purely by chance because a windows dev was doing some benchmarking and noticed performance discrepancies

how can you know for certain you aren't running a malicious package with an unknown backdoor and the CIA is covertly monitoring you making all these anti USA pro china posts on ota?

i would just stop using computers at this point if i were you

No.617782

File: 1712271296964.jpg (28.79 KB, 272x332, 1711917714895805.jpg)

>>617781
Network monitoring mainly. I trust that I would see the malware making network connections on Wireshark, or my OpenWRT router's network monitor.

No.617783

this is a weird maki quads thread

No.617784

>>617782
what if the malicious package modified wireshark so it wouldn't show when connections were made through the backdoor, also how can you know for certain your OpenWRT firmware isn't compromised as well?

besides, i really doubt you're monitoring your network at all times

No.617786

>>617785
what if my friend henri came back and posted on ota again

No.617787

File: 1712272996715.jpg (117.85 KB, 1280x720, [SubsPlease] Snack Basue -….jpg)



