Did Hyprland Ship A Major Plugin Vulnerability?

15,293 views

Brodie Robertson

1 day ago

Hyprland is back in the news once again because of a "vulnerability", but is it really as bad as it's made out to be, or is it being a little overblown?
==========Support The Channel==========
► Patreon: brodierobertson.xyz/patreon
► Paypal: brodierobertson.xyz/paypal
► Liberapay: brodierobertson.xyz/liberapay
► Amazon USA: brodierobertson.xyz/amazonusa
==========Resources==========
Own Malloc Blog: blog.vaxry.net/articles/2024-...
Trampoline: blog.vaxry.net/articles/2023-...
OSS Security Post: www.openwall.com/lists/oss-se...
Mastodon Post: social.treehouse.systems/@the...
Hyprland Issue: github.com/hyprwm/Hyprland/is...
NVD Listing: nvd.nist.gov/vuln/detail/CVE-...
=========Video Platforms==========
🎥 Odysee: brodierobertson.xyz/odysee
🎥 Podcast: techovertea.xyz/youtube
🎮 Gaming: brodierobertson.xyz/gaming
==========Social Media==========
🎤 Discord: brodierobertson.xyz/discord
🐦 Twitter: brodierobertson.xyz/twitter
🌐 Mastodon: brodierobertson.xyz/mastodon
🖥️ GitHub: brodierobertson.xyz/github
==========Credits==========
🎨 Channel Art:
Profile Picture:
/ supercozman_draws
🎵 Ending music
Track: Debris & Jonth - Game Time [NCS Release]
Music provided by NoCopyrightSounds.
Watch: • Debris & Jonth - Game ...
Free Download / Stream: ncs.io/GameTime
#Linux #Hyprland #OpenSource #FOSS #Wayland
DISCLOSURE: Wherever possible I use referral links, which means if you click one of the links in this video or description and make a purchase I may receive a small commission or other compensation.

Comments: 239
@skelebro9999 · a month ago
Yes. That's the anime girl wallpaper whenever I start Hyprland. That's a major vulnerability.
@XanTheXanadul · a month ago
The conversation between vaxry and solar is a nice change of pace from the conversations you usually cover. Just two guys casually talking about a software issue and fixing it real quick.
@unpotatoedsalmon · a month ago
Most sane comment in the comment section
@mq1995 · a month ago
vaxry is actually a good fellow. he only becomes venomous towards people who attack him
@xdevs23 · a month ago
I also find it quite nice to see how different their communication styles are but they still manage to peacefully and respectfully communicate.
@Hyperboid · a month ago
Headline take: Plugins are already an ACE vulnerability
@chair547 · a month ago
Bro didn't watch the video
@CommentGuard717 · a month ago
@@chair547 he is saying this is what article headlines will read to create panic and get clicks
@kitlith · a month ago
The actual issue here is that on a multi-user system, under certain conditions, you could perform arbitrary code execution under the user running hyprland, from another user entirely.
@blarghblargh · a month ago
@@kitlith there can be more than one issue.
@Hyperboid · a month ago
@@chair547 I did, I just made this comment before I did. That's why I wrote "Headline take"
@JessicaFEREM · a month ago
physical access to a linux system getting a 10 on the CVE scale
@ImperiumLibertas · a month ago
That is hilarious. They're turning CVEs into a joke.
@XxZeldaxXXxLinkxX · a month ago
@@ImperiumLibertas I mean, that's why there are different metrics and subscores.
@ImperiumLibertas · a month ago
@@XxZeldaxXXxLinkxX how much you want to bet this gets severely downgraded?
@ArneBab · a month ago
where do you need physical access? You just need access to some user - i.e. through a browser vulnerability with those Javascript file system APIs.
@bigpod · a month ago
Physical access is a bit funny, to be honest, because, as an example, if your app is a CLI app that is vulnerable you don't need to stand in front of the computer; all you need is to be SSHed in or on some other real-time bidirectional system like SSH.
@lavavex · a month ago
Setting everything to 777 seems to just be a leftover from the start of the project, as you want to make sure permissions never get in your way and cause issues during dev. Also, from the ending: all hail dark lord Brodie.
@mmstick · a month ago
Maybe if you're a student, but professional developers should already know what the numbers mean when they use them.
@AnEagle · a month ago
@@mmstick I believe the developer of Hyprland is very young; he's probably learnt a lot on the way.
@koye4427 · a month ago
@@AnEagle yes, Hypr and Hyprland were some of his first real programming projects save for some anarchy Minecraft mods. It's simultaneously very impressive and very terrifying lol
@MustacheMerlin · a month ago
Lol it's literally the meme. "Any sufficiently complicated program inevitably invents a shitty version of lisp" XD
@qlx-i · a month ago
especially EWW. I didn't even realize it was basically lisp without legs
@edhahaz · a month ago
MASSIVE vulnerability!!!! So first you need access to a user on the box and......
@MissMuffin-qc8fc · a month ago
For multiple users you need friends. On Linux that's a low-risk CVE.
@jenbanim · a month ago
Definitely a long shot to actually exploit this, but writing a file to /tmp with 777 permissions then reading it back and executing it is aggressively careless. If this is the level of security we can expect from this developer I hope that there are more people checking the code for vulnerabilities now.
@thelanavishnuorchestra · a month ago
This.
@drelkin86 · a month ago
I don't think the person who found this handled it well, and while I do agree with you on most of this, I also don't think it's as much of a long shot as what many are saying. Pair this kind of thing with a compromised file syncing service that can be tricked into writing to /tmp at specific events and that gets you closer. It may not even require arbitrary command access. Some of the architecture described here sounds quite icky.
@himagainstill · a month ago
@@drelkin86 On the one hand, if I find a security issue in your project, I should report it to you. On the other, if you're a massive asshole and I don't feel like I have the energy to deal with you, that's a you problem.
@tacticalassaultanteater9678 · a month ago
The trampoline system is insane and should not exist. Anything it achieves can be achieved within the bounds of the standard in a way that works on all supported target platforms of your compiler. Low level programmers have a tendency to imagine an assembly and then write code they imagine will compile to something specific in that imaginary assembly. Whether and how often that's actually the case varies, but it's pretty much never actually necessary.
@BrodieRobertson · a month ago
What don't you like about it?
@tacticalassaultanteater9678 · a month ago
@@BrodieRobertson that it breaks the abstraction. It's not that hard to do the same thing in C++, by wrapping hookable methods in an object that calls through a global vector of function pointers. This sounds slow, but only because it's idiomatic C++, and there's a wide range of increasingly performant and accordingly less idiomatic or flexible solutions, all of which respect the C++ abstraction and compile for all C++ targets. The performance difference between checking whether a global function pointer is null and whatever Vaxry's doing is negligible, and the former will work on every platform.
@tacticalassaultanteater9678 · a month ago
@@BrodieRobertson I've come up with an even simpler solution in the meantime:
- assign all top-level functions to global function pointers and only ever call the pointers
- make all methods virtual
When an extension wants to install a hook, it finds the relevant pointer or vtable entry, copies it off into its own private global, replaces it with the hook body, and the hook body uses the private global as the "original" function. The very nice thing about these is that they stack transparently, and a hook always has the option to call the shared global pointer to repeat the entire dispatch chain.
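The global-function-pointer hook scheme sketched in the two comments above, as an added C++ example; this is not code from Hyprland or from the commenter. A core function is only ever called through a global pointer, each plugin saves the previous pointer as its own private "original", two plugins stack transparently, and unhooking is refused unless the plugin is still on top of the chain (otherwise another plugin's saved "original" would dangle). The names renderTitle, drawWindow and Plugin are invented for the illustration.

```cpp
// Added example, not Hyprland's code: hooking through a global function
// pointer instead of a platform-specific trampoline.
#include <string>

namespace core {

// The real body of a hookable top-level function.
std::string renderTitle(const std::string& title) { return "[" + title + "]"; }

using RenderTitleFn = std::string (*)(const std::string&);

// The only entry point the rest of the core uses. Plugins swap this pointer;
// no machine code is patched, so this compiles on every C++ target.
RenderTitleFn g_renderTitle = &renderTitle;

// Call site: always dispatch through the pointer, never call renderTitle()
// directly, or the hook is silently bypassed.
std::string drawWindow(const std::string& title) { return g_renderTitle(title); }

}  // namespace core

// One plugin per Tag. Each instantiation gets its own private "original"
// global, which is what makes the hooks stack.
template <char Tag>
struct Plugin {
    static core::RenderTitleFn original;  // whatever was installed before us

    static std::string hook(const std::string& t) {
        // Wrap the previous behaviour; calling original() repeats the rest
        // of the chain down to core::renderTitle.
        return std::string(1, Tag) + "(" + original(t) + ")";
    }

    static void install() {
        original = core::g_renderTitle;
        core::g_renderTitle = &hook;
    }

    // Only safe while we are on top of the chain: if someone hooked after
    // us, their saved "original" still points at our hook.
    static bool uninstall() {
        if (core::g_renderTitle != &hook) return false;
        core::g_renderTitle = original;
        original = nullptr;
        return true;
    }
};

template <char Tag>
core::RenderTitleFn Plugin<Tag>::original = nullptr;

using PluginA = Plugin<'A'>;
using PluginB = Plugin<'B'>;

// Walks the whole install / stack / unhook scenario and returns a trace of
// what drawWindow() produced at each step, so the behaviour can be checked.
std::string runScenario() {
    std::string trace = core::drawWindow("x");        // "[x]" – nothing hooked
    PluginA::install();
    PluginB::install();                                // B wraps A wraps core
    trace += "|" + core::drawWindow("x");              // "B(A([x]))"
    bool outOfOrder = PluginA::uninstall();            // refused: B is on top
    trace += outOfOrder ? "|bad-unhook" : "|refused";
    PluginB::uninstall();                              // LIFO order is fine
    trace += "|" + core::drawWindow("x");              // "A([x])"
    PluginA::uninstall();
    trace += "|" + core::drawWindow("x");              // back to "[x]"
    return trace;
}
```

The cost is one indirect call per hookable function. Two caveats a plugin author has to keep in mind: every call site must go through the pointer (a direct or inlined call bypasses the hook), and swapping the pointer while another thread is mid-call is a data race unless the compositor is single-threaded at that point.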
@yellingintothewind · a month ago
So, if I understand the timeline correctly, sam didn't report the issue upstream, choosing instead to make a public announcement of a possible attack. The developer promptly downplayed the issue while also quickly fixing it (and related issues). That sounds like a fairly typical (if extra colorful) response. You get blindsided with a security issue, so you deflect attention while you get a fix in place.
@lua5dot1 · a month ago
"vaxry was playing 4D chess" is a take
@vaxryy · a month ago
being edgy, posting memes and liking hentai on twitter has become my business card. Becoming clinically insane is probably a side effect of committing 40 times a day and rewriting wlroots, but I am no psychologist. I am only clinically insane. Sorry to everyone for letting this slide, true oopsie daisy, but please do report issues to me, I take 'em seriously.
@PushingFriend28 · a month ago
That pfp gets me everytime. Like I'm over here ricing hyprland until i get reminded of ratchet and clank and laugh my ass out.
@Shubadus · a month ago
Love Hyprland, thanks for all the work you do!
@Lazllb · a month ago
Honestly, you do a great job with your projects. But maybe you should try to make it an organization now and get funding like Gnome or KDE so you can hire people and not have to commit 40 times a day. I'm sure you love it nonetheless but I'm sure you'd be able to grow Hyprland with some help!
@comosaycomosah · a month ago
LEGEND! appreciate you! andddd fuck ummmm!!!
@purplemossclump5505 · a month ago
It's amazing how these truly insufferable people keep finding you. Thanks for everything Mr. Vaxryy, I'm a big fan.
@yellingintothewind · a month ago
Lots of people run multi user systems, but you are missing an important point on that. You need a multi user system where one of the users isn't implicitly trusted. If everyone has sudo access already, or even if they don't, if they are a family member or otherwise have physical and unsupervised access to the hardware, they could simply live boot the system and do whatever they want.
@wannafedor4 · a month ago
Coding in swift while watching a video about major bugs in assembly getting fixed within hours has never ruined my confidence more. Keep it up Brodie!
@No-mq5lw · a month ago
Joking about something serious is fine and all, but you should probably back it up to set the record straight
@RogerCarry · a month ago
When Sam James tells you you're an ahole, you've truly achieved something.
@Qyngali · a month ago
I like BAD (Brodie After Dark).
@Henrik0x7F · a month ago
Nobody talking about the fact that this hook system is completely overengineered?
@himagainstill · a month ago
So just like with xz we learned that users being assholes in comments and on mailing lists can present a security risk, now we see that maintainers being assholes on the internet can present a security risk, in that their behaviour may be so obnoxious that someone reporting a vulnerability would rather just not engage with them, and may disclose publicly instead - or, worse, not at all.
@ayesaac · a month ago
Couple serious problems with the way this vulnerability was represented: 1. If I can execute arbitrary code as your user account, and your user account then ever performs any root (or other user) elevated action after that, I can execute arbitrary code as root (or that other user). 2. Every Linux system is a multi user system. Even if you are the only person who uses your computer, a *lot* of security assumptions rely on services and various applications running on their own accounts to isolate them. Executing a 777 file completely breaks the Linux user account security model. The only system this *wouldn't* be a root privilege escalation on is one which doesn't have sudo/doas/etc and where all root account actions are performed by actually logging in as root into a terminal. This was a very, very bad vulnerability.
@therealscifi · a month ago
Props to @vaxryy for all the good work. I still don't blame making a CVE out of it, just because I believe in processes and accountability. But every developer, me included, has done something similar that we would take back. Probably many times.
@rothn2 · a month ago
Reading the blogpost, I think the author just was an engineer who wanted to build something cool. And you get to do that when you build a popular tool, and you get to show it off. OSS contributors get paid in kudos sometimes. No issue with that. Better than handing over money!
@AndersHass · a month ago
Record whole video without lights, lol
@nezu_cc · a month ago
I've tried running hyprland on a multi-user system, but running it without a GPU is an absolute pain. The only sensible way this could be a privesc is if a system service like let's say cups got pwned.
@user-in2cs1vp6o · a month ago
I have a multi user arch laptop. Its a htpc in the living room and everyone else uses a guest account, lol
@user-in2cs1vp6o · a month ago
Yes it uses hyprland
@TKing2724 · a month ago
The pillock who made the public bug report is the bad guy in this story. He ends up looking like a child "I'm not going to responsibly notify the developer of this bug because I personally don't like him, I would rather put users of his software at risk because I let my personal feelings cloud my professional judgement."
@unpotatoedsalmon · a month ago
Everything is political to some people
@brettfo · a month ago
Vaxry, from a recent video, seems to be a very toxic person. He has burned many bridges. Nobody is obligated to deal with people like that.
@thelanavishnuorchestra · a month ago
To be fair, there's bad blood and he doesn't want to have anything to do with him.
@TKing2724 · a month ago
@@thelanavishnuorchestra To be fair, that's what I said, but with a different spin. "I'm not going to responsibly notify the developer of this bug because I personally don't like him." It's shameful for a professional to have this attitude.
@thelanavishnuorchestra · a month ago
@@TKing2724 yes, I agree. We said similar things, but you looked at it from one side and I the other. If I were a developer with a security focus and someone I considered a toxic child introduced a lame and insecure mechanism that should not exist, I wouldn't want to say more than I had to in order to call it out. I worked dev ops years ago and a big part of my job was telling developers no. Luckily these were people I was on good terms with and they often came by to run ideas past me before they pushed them to their manager.
@peacefulexistence_ · a month ago
8:20 : do note that Hyprland, as a Wayland compositor and Display Server, has additional permissions assigned to it by udev and seatd - namely unlimited access to the card DRM node, and all evdev events. This allows it to read and fake user input as well as all display data and issue unlimited control calls to the graphics card. So, it's a privilege escalation onto the level of the DS process, so in addition to all the user perms, it also can keylog and screencap everything, and possibly cause hardware damage to the graphics card should there be a kernel driver bug or should a driver not expect this (the DRM subsystem has a notion of variously privileged ioctls, it's a flags field on the ioctls struct that the driver defines).
@adjbutler · a month ago
Yes, but NixOS video when???
@electric26 · a month ago
I'm actually using ~8 users ATM where I'll have any number of them running Hyprland at any given time. Only one user has root access, one for gaming, work, and so on. I can use Linux's virtual consoles (TTYs) to easily switch between different users using Ctrl + alt + the F-keys. It works pretty well, and I get hardware acceleration (unlike Qubes OS) as well as a clear boundary between different personas, if you will.
@AM-yk5yd · a month ago
Oh. ATM=at the moment here. I for several minutes was confused why you use hyperland on banks' ATM and why ATMs would have ctrl, alt keys instead of being controlled remotely.
@electric26 · a month ago
@@AM-yk5yd 😂😂 yeah probably not the best use of an abbreviation. It was super late when I wrote that
@softwarelivre2389 · a month ago
If I understood correctly, all users are you, correct? That means it will just be a problem if you get a low permission user compromised
@electric26 · a month ago
@@softwarelivre2389 yes, just me. So if I have a user that is already compromised then it could've spread to another user. It would suck having a compromised user regardless, but at least now the impact would be very limited (unless it got to my admin user)
@electric26 · a month ago
@@softwarelivre2389 correct. But it would be an issue if any user was compromised since, well, more users would be compromised. And if they got to my admin user I'd be toast
@-aexc- · a month ago
how do yall people not understand that multi user systems are common
@BrodieRobertson · a month ago
Are they among people running a window manager like Hyprland?
@-aexc- · a month ago
@@BrodieRobertson yeah, I have several people remoting into my machine while I use sway
@SuperQuwertz · a month ago
@@-aexc- untrusted people?
@NikolayNIKfeed · a month ago
I host things on my PC and also have a couple of users for my friends and for my work. I have tried hyprland and still have it installed. I guess I'd just have to install a random plugin and switch to hyprland for me to be a perfect target.
@pauldunecat · a month ago
A wild Dark Brodie appears
@tranthien3932 · a month ago
CVE-Brodie-2024: Brodie didn't want to turn the light on
@spencerallen323 · a month ago
I have multiple multi user hyperland systems
@luketurner314 · a month ago
13:28 insert "too damn high" meme
@deadfry42 · a month ago
What vulnerability? Correct me if I'm wrong, but if you're running a Hyprland plugin, you're already putting your system at risk because you might not know what code you're actually running. A GitHub issue should've been made first imo. Edit: should've probably watched a little more.
@bigpod · a month ago
Is it just me, or should the trampoline not be used in this case anyway?
@BrodieRobertson · a month ago
There's definitely a discussion to be had on its merits
@dexterman6361 · a month ago
ngl the initial reporter had this aura of "holier than thou" mentality which even reads really off-putting. If he really didn't care, then why make that email post? Just for the credits and the clout? Just sounds miserable to be around, tbh.
@xyz8460 · a month ago
what does the whiteboard say at 13:40 ?
@celestialcrafter9931 · a month ago
i think it says hire me? maybe from a previous video edit: it says the same thing it says in the rest of the video, hypemem or something
@Lampe2020 · a month ago
4:42 Well, he's a programmer, I guess.
@xymaryai8283 · a month ago
dark brodie >:)
@terminalvelocity4858 · a month ago
Laughs in mode 644.
@michalpolak5864 · a month ago
I don't see the issue with Vaxry's reaction if you consider how the issue was reported and that he fixed it immediately. What this looks like to me is that there are people who due to the recent drama decided to bully the Hyprland project.
@ysarato · a month ago
Oh that's why i earned a new environment variable to the socket... Anyway
@R4d1o4ct1v3_ · a month ago
I know very little about Hyprland and its creators, but I keep hearing about problems with its creators/maintainers. - And what I took from this video was: other developers dislike this guy to a degree where they would rather ignore and/or publish security vulnerabilities rather than deal with him. - This sounds... problematic for the project.
@blinking_dodo · a month ago
I would consider this "unstable code" at best. As far as I am aware, if you got so far that you could exploit that bug, you'd probably also have physical access. And physical access would be a game-over already.
@snowwsquire · a month ago
ssh exists
@FlafyDev · a month ago
why do you think it's only exploitable with physical access?
@kelownatechkid · a month ago
TIL that hyprland is intentionally incompatible with non-x86 platforms. That's awful lmao
@SFSAtlas · 28 days ago
Technically, I actually do have hyprland running fine on my raspberry pi running Arch Linux ARM, but I haven't tried plugins
@laughingvampire7555 · a month ago
nah, part of FS should be to have fun
@ahettinger525 · a month ago
I'm going to disagree on a couple of points. 1) as soon as I got to "writing an object file at a predictable path in /tmp and reading it back later" I knew EXACTLY what the problem was. 2) he links to the sections of the code-base dealing with it, further explaining the problem. 3) vaxry's response is _exactly_ why sam didn't want to deal with him, if vaxry would like to behave like an adult maybe he would get better responses. Where I do agree is that it would have been better to leave a drive-by bug report (or better yet, send an email directly, as this is a vulnerability), it's not that surprising that some people just don't want to deal with him at all.
@RenderingUser · a month ago
#3 is a circular argument. If he did respond to him directly, he wouldn't have also memed it in public
@ahettinger525 · a month ago
@@RenderingUser Can't be sure. We're talking about someone who has a history of not behaving reasonably. There's a significant chance that vaxry would have either still been public about it, just ignored it, or responded inappropriately in private (or some combination). It's clear that sam and vaxry have a history, it's clear from this interaction that vaxry's behavior is the source of the problem, and it's not remotely surprising that someone wouldn't want to deal with him at all. That's really not circular; if you treat people like garbage, they won't want to interact with you. Once you stop treating people like garbage _some_ of them _might_ decide you're worth dealing with... maybe.
@RenderingUser · a month ago
@@ahettinger525 unreasonable behaviour isn't reason enough to not message the developer of a program directly about the program and instead posting it public. Also, what history does he have for responding in private? Also I don't think github issue tracker is private.
@ahettinger525 · a month ago
@@RenderingUser You're allowed to think that, but if you treat people like garbage some of them are just not going to want to engage you. I have no idea how he behaves in private, but I don't imagine it's any better than he does in public.
@RenderingUser · a month ago
@@ahettinger525 if it was any worse, people will probably release their dms
@burein_ita · a month ago
Why was Niji trending?
@BrodieRobertson · a month ago
Why was Niji trending... This time
@matan-h · a month ago
tldr: on a multi-user Linux system running a specific Hyprland plugin, it creates and then runs a temp file (with 777 permissions), and other (local) users can change the file in the milliseconds between the creating and the running steps. 99.9999404% of users not affected.
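The race several comments describe (a world-writable file at a predictable path in a shared temp directory, written, closed and then re-opened for use) next to a hardened variant, as an added C++ example that is not Hyprland's code. The file name hookobj.o, the payload strings and the "attacker" are constructed for the demo; because the program runs as a single user, the attacker function emulates the kernel's permission check for a non-owner (it only writes to files that are other-writable) rather than actually being a second uid.

```cpp
// Added example, not Hyprland's code: predictable 0777 temp file vs. a
// hardened round trip. Everything below is a constructed demonstration.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

namespace {

std::string tmpDir() {
    const char* d = std::getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

bool writeAll(int fd, const std::string& data) {
    size_t off = 0;
    while (off < data.size()) {
        ssize_t n = write(fd, data.data() + off, data.size() - off);
        if (n < 0) { if (errno == EINTR) continue; return false; }
        off += static_cast<size_t>(n);
    }
    return true;
}

std::string readAll(int fd) {
    std::string out;
    char buf[4096];
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0) { if (errno == EINTR) continue; return ""; }
        if (n == 0) return out;
        out.append(buf, static_cast<size_t>(n));
    }
}

// Simulated attacker: another unprivileged local user who knows (or lists
// via readdir) the file name. The demo is single-user, so the DAC check a
// non-owner would hit is emulated: only an other-writable file is overwritten.
bool attackerOverwrite(const std::string& path, const std::string& payload) {
    struct stat st{};
    if (stat(path.c_str(), &st) != 0) return false;  // name unknown / gone
    if (!(st.st_mode & S_IWOTH)) return false;        // would be EACCES
    int fd = open(path.c_str(), O_WRONLY | O_TRUNC);
    if (fd < 0) return false;
    bool ok = writeAll(fd, payload);
    close(fd);
    return ok;
}

}  // namespace

// Vulnerable pattern: fixed guessable name, forced 0777, fd closed, then the
// path is re-opened. Whatever another user wrote in between is what gets used.
std::string vulnerableRoundTrip(const std::string& content) {
    const std::string path = tmpDir() + "/hookobj.o";   // hypothetical name
    int fd = open(path.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0777);
    if (fd < 0) return "";
    fchmod(fd, 0777);   // the umask would have masked 0777 in open(); force it
    writeAll(fd, content);
    close(fd);
    attackerOverwrite(path, "ATTACKER PAYLOAD");        // the race window
    fd = open(path.c_str(), O_RDONLY);
    if (fd < 0) return "";
    std::string back = readAll(fd);
    close(fd);
    unlink(path.c_str());
    return back;
}

// Hardened: random name created O_EXCL with mode 0600 (mkstemp), the fd is
// kept open and read back through it instead of re-opening by path, and
// fstat() confirms mode, owner and inode before the data is trusted.
std::string hardenedRoundTrip(const std::string& content) {
    std::string path = tmpDir() + "/hookobj.XXXXXX";
    int fd = mkstemp(&path[0]);   // fills in XXXXXX; O_CREAT|O_EXCL, 0600
    if (fd < 0) return "";
    struct stat before{};
    bool ok = fstat(fd, &before) == 0 && (before.st_mode & 077) == 0 &&
              before.st_uid == getuid() && writeAll(fd, content);
    if (ok) {
        attackerOverwrite(path, "ATTACKER PAYLOAD");    // refused: not o+w
        struct stat after{};
        ok = fstat(fd, &after) == 0 && after.st_ino == before.st_ino &&
             after.st_dev == before.st_dev && lseek(fd, 0, SEEK_SET) == 0;
    }
    std::string back = ok ? readAll(fd) : "";
    close(fd);
    unlink(path.c_str());
    return back;
}

int main() {
    std::printf("vulnerable read back: %s\n", vulnerableRoundTrip("object code").c_str());
    std::printf("hardened   read back: %s\n", hardenedRoundTrip("object code").c_str());
    return 0;
}
```

Two things worth checking in any real fix along these lines: mkstemp gives 0600 and an unguessable name, but the name is still visible to other users through readdir, so the mode bits are what actually protect it; and a 0600 file only protects against other uids, not against a compromised process running as the same user. For code that is generated and then loaded, the stronger option is to never put it on a shared filesystem at all (a private 0700 directory under XDG_RUNTIME_DIR, or an anonymous memfd on Linux) and to load from the held descriptor.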
@RedBlueProductions1 · a month ago
teenage code be like strcpy
@ArneBab · a month ago
Laughing at someone who writes about a potential vulnerability is a no-go. And if you do and then you find out you were wrong, that’s a big cause to say you’re sorry. And “you disrespect the user” followed by “if you [vulnerable user] exist” is kind of a bad take. If this wasn’t relevant to anyone, then no one was disrespected. And if it was, then vulnerable users exist. ⇒ less defensive, please. I get from this video why the reporter did not write to upstream but rather wrote about it in a roundabout way (don’t want to make it too clear, lest people exploit it) to enable others to report it.
@BrodieRobertson · a month ago
I'm trying to decipher what you wrote lol
@ArneBab · a month ago
@@BrodieRobertson then in short: if the dev acts like a $^*, they can’t expect good reports. You can misstep (we’re all human), but if that happens more often, your behavior is what threatens user safety.
@ayaya-ayaya · a month ago
@@ArneBab Terrible deflection. If within the FOSS community group A and group B hate each other and irresponsibly disclose vulnerabilities to dunk on the other group then all the reputation that FOSS accumulated for being secure will be gone. You don't have to like each other, you don't need to talk to each other, but at least don't be harmful.
@ArneBab · a month ago
@@ayaya-ayaya they didn't disclose how to exploit it.
@ayaya-ayaya · a month ago
@@ArneBab There was just enough information to figure out what it was. What difference does it make if you disclose 100% or just 90% for some motivated adversary? And let's forget that this particular case was very unlikely to be exploited. The same attitude would be cataclysmic if it happened to a different project that would allow for remote exploitation. Regardless of circumstances, irresponsible/uncoordinated disclosure is not acceptable and there were different ways to approach and avoid having to deal with the developer.
@deviantsemicolon618 · a month ago
According to Betteridge's law, no, Hyprland did not ship a vulnerability. But maybe I'm wrong
@BrodieRobertson · a month ago
I really hate that it is called a law, it's almost always used incorrectly and makes more sense to describe as a correlation
@SR-ti6jj · a month ago
The only solution is to stop using software
@BrodieRobertson · a month ago
All software, live in the woods
@guyblack9729 · a month ago
To be fair there are a lot of script kiddies who would rather run some random install script off of github than RTFM, and seeing them get pwned would be kinda funny
@user-vu8fm5vb4n · a month ago
Friendly reminder: plugins are arbitrary code
@marbek5334 · a month ago
where is the exe?
@Linuxdirk · a month ago
I hate Hyprland plugins! Those aren’t plugins, those are recompiles of Hyprland files. You need a whole build toolchain and pull the source code of Hyprland. The whole “plugins” concept should be ripped off the code and re-implemented as proper plugins system. This would also fully prevent such issues.
@caedis_ · a month ago
It's more of a mixin
@shooterdefronvrps2 · a month ago
When I see Vaxry post on Twitter, I saw him quote-tweeting the post of him laughing at the fool with a post saying "just fix it". Also, the dark setup on the outro is very cool; mayhaps use it on the gaming channel when you play a spooky game.
@Lazllb · a month ago
The only reason I run Hyprland is because I trust the Gentoo developers to catch things like these.
@F_Around_and_find_out · a month ago
You gotta do some shit for people not prioritizing reporting upstream to you. Holy hell.
@RichardLucas · a month ago
Woopsie. This is why i do not go out and install every neato piece of software hyped by a KZfaq subcontractor.
@VertisSidus · a month ago
the main thing i'm taking away from this is a reminder that using software maintained by caustic jackasses can result in vulnerabilities and other bugs going unreported
@himagainstill · a month ago
After xz, maintainers started suggesting that asshole users making demands should be treated as a security risk. Maybe we should do the same for asshole maintainers.
@Bill_the_Red_Lichtie · a month ago
13:37 (very elite!) I love the darkmode outro! Talk to @TechnoTim about a possible "darkmode" copyright infringement though 😀 Love the video and already subscribed.
@zzco · a month ago
23:53 Dark Brodie, lol.
@terminalvelocity4858 · a month ago
No thanks, Hyprland seems doomed to fail because there is entirely too much immature drama & cumulative bloat every release. SwayFX all the way without all that, devs just released a new version too.
@Rcomian · a month ago
i do disagree that it's not that important a vuln. a service could be compromised, and constrained within a low privilege service user. this would have provided a way out of that, probably to a user with the wheel group. this is the start of a route to root. raising it is right, surely.
@BrodieRobertson · a month ago
That's fair, but it's a vuln that's only dangerous in the case of an already compromised system
@Rcomian · a month ago
@@BrodieRobertson yep, for sure. just not limited to where you have multiple actual users on a system and one runs root
@BrodieRobertson · a month ago
@@Rcomian I did talk about a low priv user breaking into a higher priv one
@ayaya-ayaya · a month ago
Putting innocent users at risk because you don't like the developer is detestable.
@interru_io · a month ago
Putting users (debatable whether most of them are innocent) at risk because you write janky code while you also create an atmosphere that people with common sense, who could report security issues, want to avoid, is detestable.
@ayaya-ayaya · a month ago
@@interru_io One detestable behavior does not excuse another.
@ayaya-ayaya · a month ago
@@interru_io Also implying that _most_ users deserved it is reprehensible. You should be ashamed for making such claims and I wouldn't feel safe using anything you make. People with such poor ethics like you have just shown will do all kinds of awful things as long as they can find some excuse.
@interru_io · a month ago
@@ayaya-ayaya > Also implying that most users deserved it is reprehensible. You should work on your reading comprehension. Because this isn't implied at all. I'm unfazed by your rant. But it's telling that you immediately try to categorize people.
@ayaya-ayaya · a month ago
@@interru_io Then what was that remark meant to convey?
@colto2312 · a month ago
literally as much as a vulnerability as having multiple user accounts on a machine is a vulnerability
@Florennum_ · a month ago
ur not first
@user-in2cs1vp6o · a month ago
First
@Bill_the_Red_Lichtie · a month ago
TBH I think that multi-user UI on Linux is dead anyway. The death of the "Remote X Server" (apart from the associated security problems) should be more than apparent. Isn't that exactly why Wayland with local accelerated UI is the direction that we are headed? Most new UIs are "web applications" and with good developers, they *might* be a progressive web app (PWA). So yes, it will be VERY rare that more than one person is running Hyprland on the same machine at the same time.
@bigpod · a month ago
i run a multi user system they are not up at the same time but ssh still exists
@Bogster13 · 9 days ago
user in this case doesn't necessarily mean person using the system, any number of software and services on your linux system use their own user for permissions to access the file system and run commands, all that would be necessary to exploit this would be a malicious service waiting for the user to do anything that would create the temporary file and then write its own code into it.
@Bill_the_Red_Lichtie · 8 days ago
@@Bogster13 That "service accounts" run as with a user account is correct. But they are users as understood by the majority of people. I can't remember the last time I saw a multiple X-Servers (terminals), each with their own user, connected to a single server.
@tato-chip7612
@tato-chip7612 1 month ago
hot take: It's actually a good thing because everyone likes it when vaxry needs to add an entry in the #days-since-vaxry-was-an-idiot channel.
@CRYPTiCEXiLE
@CRYPTiCEXiLE 1 month ago
I will just stick with KDE :)
@mskiptr
@mskiptr 1 month ago
"powerful" and "plugins" are a bad combo (And also just a terrible design. No clear API is just asking for breakage and unintended dependencies between basically everything. C++, OOP and especially mixing it with all the low-level knobs and levers were a mistake.)
@skeleton_craftGaming
@skeleton_craftGaming 1 month ago
Sure, this allows you to execute arbitrary code, if you've already hacked your victim...
@nymnicholas
@nymnicholas 1 month ago
Not going to use Hyprland. Tried it in the past. Going to use other WMs.
@supercellex4D
@supercellex4D 1 month ago
If there is someone with access to my device enough to install shit to my compositor I am unplugging my computer
@tinglabing
@tinglabing 1 month ago
Yet another case of a maintainer acting like a baby.
@BrodieRobertson
@BrodieRobertson 1 month ago
Never forget that an adult is just an 18 year old baby
@sirzorg5728
@sirzorg5728 1 month ago
Vaxry is awesome.
@TheObsesedAnimeFreaks
@TheObsesedAnimeFreaks 1 month ago
so basically it's a "vulnerabilityn't."
@Berkshire-Hathaway
@Berkshire-Hathaway 1 month ago
First :D
@jfolz
@jfolz 1 month ago
A practical demonstration of how having toxic developers/community _does_ affect software quality.
@BrodieRobertson
@BrodieRobertson 1 month ago
It got reported publicly, and then got fixed. The quality wouldn't have changed with a private report.
@jfolz
@jfolz 1 month ago
@@BrodieRobertson Security is part of software quality. Hyprland would've avoided irresponsible disclosure if it was less toxic. This time the issue was limited in scope and fixed quickly, so the impact was low.
@BrodieRobertson
@BrodieRobertson 1 month ago
@@jfolz If it didn't get reported, that would have affected the quality because it wouldn't have been fixed. Irresponsible disclosure or not, the problem got fixed.
@FagnerLuan
@FagnerLuan 1 month ago
"Oh, look, a vulnerability. As I'm an attention whore, now it's my time to spread the word that this guy is toxic; this will hurt him so much." I never used Hyprland and don't pretend to, but I admire this guy, as he looks like a really good developer who understands what he's doing, and he shows how hypocritical (and stupid) the community is.
@happygofishing
@happygofishing 1 month ago
Freedesktop on suicide watch
@christiansmith2658
@christiansmith2658 1 month ago
TBH I love Vax and I don't think he should change.
@_MrSnrub
@_MrSnrub 1 month ago
Most obnoxious dev ever. Great software, super annoying person.