
So Alpine Linux has a pretty serious set of vulnerabilities because

- It doesn’t download packages over TLS, making them prone to MitM. Which on its own isn’t terrible but it also...

- Doesn’t check hashes before extracting to root (!)

- And uses custom gzip code which is vulnerable to arbitrary code execution (!!)

justi.cz/security/2018/09/13/a
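The ordering the post objects to (extract first, check never) from the defender's side, as an added example that is not part of this thread or of apk: the digest of the raw download is checked before any decompression, and nothing is written on a mismatch or on a member path that escapes the destination. The archive is a constructed gzip tarball, not a real .apk, and the function names are assumptions.

```python
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

def build_sample_package(files: dict) -> bytes:
    """Build a small gzip tarball in memory (constructed test data, not a real .apk)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def safe_install(package: bytes, expected_sha256: str, dest: str) -> list:
    """Check the digest of the raw bytes before any decompression, so a tampered or
    malformed gzip stream never reaches the decompressor or the filesystem. Also
    refuses absolute and '..' member paths. Returns the extracted member names."""
    actual = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError("digest mismatch: refusing to decompress or extract")
    with tarfile.open(fileobj=io.BytesIO(package), mode="r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            if m.name.startswith("/") or os.path.normpath(m.name).startswith(".."):
                raise ValueError(f"unsafe member path: {m.name!r}")
        # On Python 3.12+ the 'data' filter adds a second line of defence.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    return [m.name for m in members]

def run_demo() -> dict:
    """Good package, wrong digest and traversal member, each against a fresh temp dir."""
    pkg = build_sample_package({"etc/motd": b"hello from a constructed package\n"})
    evil = build_sample_package({"../escape": b"x"})
    good_dir, bad_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    result = {"installed": safe_install(pkg, hashlib.sha256(pkg).hexdigest(), good_dir)}
    for label, data, digest in (("mismatch", pkg, "0" * 64),
                                ("traversal", evil, hashlib.sha256(evil).hexdigest())):
        try:
            safe_install(data, digest, bad_dir)
            result[label + "_rejected"] = False
        except ValueError:
            # Rejected, and nothing was written to the destination directory.
            result[label + "_rejected"] = os.listdir(bad_dir) == []
    return result
```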

@cypnk worth it to avoid richard stallman's crusty influence (GNU coreutils)

@lynnesbian @cypnk Not that he's anything to do with it...

Ironically some of the Alpine Linux devs that I've managed to stumble upon are pretty irrationally anti-Stallman themselves...

@cypnk @garbados it's good to know that the bug is already fixed, because this is one awesome distro.

@cypnk Alpine maintainers are like "ah, it's container's root, it's isolated so just drop this shit there" (I like this practice too)

@cypnk

> If you use Alpine Linux in a production environment, you should 1. rebuild your images and 2. consider donating what you can to the developers. It seems like apk has one main developer who fixed this bug in less than a week. The lead maintainer of Alpine cut a new release shortly thereafter.

tfw your industry is locked in resource glut and labor starvation

@garbados The priorities are so completely screwed up and upside down in the tech industry, I’m seriously considering becoming a potato farmer

It would also be a better investment than Bitcoin since it shows inherent proof of work, is hacker proof, and delicious

@cypnk @garbados Welp, now I'm trying to draw parallels between the future of bitcoins and the Irish famine of 1845.

@cypnk I wonder how long it would have taken for these issues to be noticed if lots of people ran Alpine on their workstation rather than just in containers.

@cypnk @angristan Actually, the first isn't crucial if the second is (and it MUST be) implemented correctly.

@cypnk so... you would say perfect for an enterprise application?

@msmouse Oh snap! (Wait, do people still say “oh snap”? I’m so old 😭)
