So Alpine Linux has a pretty serious set of vulnerabilities because
- It doesn’t download packages over TLS, making them prone to MitM. Which on its own isn’t terrible but it also...
- Doesn’t check hashes before extracting to root (!)
- And uses custom gzip code which is vulnerable to arbitrary code execution (!!)
It has been fixed before being publicly announced.
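The ordering problem called out above (extracting an untrusted archive to root before its hash is checked) is easy to see in miniature. The following Python is an added illustration, not code from the thread or from apk: it builds a small constructed tar.gz "package" in memory, then installs it two ways. The flawed routine decompresses and writes first and compares the digest afterwards, so a substituted archive is already on disk (and has already been through the decompressor) when the mismatch is noticed; the hardened routine compares the digest of the raw downloaded bytes first and never touches the decompressor or the filesystem on a mismatch. The expected digest is assumed to come from a trusted, signed index; here it is simply computed from the genuine sample.

```python
import hashlib
import hmac
import io
import tarfile
import tempfile
from pathlib import Path


def build_sample_package(content: bytes) -> bytes:
    """Construct a tiny tar.gz archive in memory (constructed sample, not a real apk file)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name="usr/share/example/README")
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _extract(pkg: bytes, root: Path) -> None:
    """Decompress and unpack the archive under root, refusing members that escape it."""
    with tarfile.open(fileobj=io.BytesIO(pkg), mode="r:gz") as tar:
        for member in tar.getmembers():
            target = (root / member.name).resolve()
            if root.resolve() not in target.parents:
                raise ValueError(f"refusing path outside root: {member.name}")
        try:
            tar.extractall(root, filter="data")  # Python 3.12+ (and backports)
        except TypeError:
            tar.extractall(root)  # older interpreters: members were checked above


def install_extract_then_verify(pkg: bytes, expected: str, root: Path) -> bool:
    """Flawed ordering: decompress and write to root first, compare the digest after.

    A tampered archive has already been fed to the decompressor and written to
    disk by the time the mismatch is reported."""
    _extract(pkg, root)
    return hmac.compare_digest(sha256_hex(pkg), expected)


def install_verify_then_extract(pkg: bytes, expected: str, root: Path) -> bool:
    """Hardened ordering: compare the digest of the raw downloaded bytes first.

    Nothing is decompressed or written unless the digest matches the pinned value."""
    if not hmac.compare_digest(sha256_hex(pkg), expected):
        return False
    _extract(pkg, root)
    return True


def run_demo() -> dict:
    """Install a substituted package with both routines and report what each left behind."""
    genuine = build_sample_package(b"genuine file\n")
    tampered = build_sample_package(b"attacker-substituted file\n")
    expected = sha256_hex(genuine)  # assumed to come from a trusted, signed index
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        readme = root / "usr/share/example/README"
        results["flawed_reported_ok"] = install_extract_then_verify(tampered, expected, root)
        results["flawed_left_file_on_disk"] = readme.exists()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        readme = root / "usr/share/example/README"
        results["hardened_reported_ok"] = install_verify_then_extract(tampered, expected, root)
        results["hardened_left_file_on_disk"] = readme.exists()
        results["hardened_accepts_genuine"] = (
            install_verify_then_extract(genuine, expected, root)
            and readme.read_bytes() == b"genuine file\n"
        )
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it prints that the flawed routine reports failure yet leaves the substituted file under the install root, while the hardened routine rejects the same archive without writing anything and still accepts the genuine one. Note that the digest check only covers integrity against the pinned value; whether that value itself can be trusted depends on the index being signed and fetched over an authenticated channel, which is the other half of the problem the thread describes.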
@lord Here’s to speedy fixes!
@cypnk worth it to avoid richard stallman's crusty influence (GNU coreutils)
@cypnk Alpine maintainers are like "ah, it's container's root, it's isolated so just drop this shit there" (I like this practice too)
> If you use Alpine Linux in a production environment, you should 1. rebuild your images and 2. consider donating what you can to the developers. It seems like apk has one main developer who fixed this bug in less than a week. The lead maintainer of Alpine cut a new release shortly thereafter.
tfw your industry is locked in resource glut and labor starvation
@garbados The priorities are so completely screwed up and upside down in the tech industry, I’m seriously considering becoming a potato farmer
It would also be a better investment than Bitcoin since it shows inherent proof of work, is hacker proof, and delicious
@cypnk i have very similar goals tbh.
@cypnk I wonder how long it would have taken for these issues to be noticed if lots of people ran Alpine on their workstation rather than just in containers.
@cypnk time to rebuild and donate
@cypnk so... you would say perfect for an enterprise application?
@msmouse Oh snap! (Wait, do people still say “oh snap”? I’m so old 😭)