Comments by "" (@PainterVierax) on "Mastery Learning" channel.

  1. Linus is just talking sh*t like usual.
    30
  2.  @markiel55  that's not an ISA vulnerability, that's an implementation issue. When Qualcomm SoC got another vulnerability discovered during the month, no one is fool enough to say that's an issue with the ARM ISA as a whole. And ARM by its structure has very few different architectures compared to Risc-V. As I said on another discussion, Linus shares his opinions/feelings on many IT topics he's far from an expert, worse sometimes he's even at the level of just any random user but uses his notoriety to rant. Here he simply wants to trow shades on disruptive companies he doesn't work with, that's all.
    13
  3.  @NoidoDev  This doesn't mean the guy is an expert on every IT related topics. Here he is just criticizing entire teams of hardware specialists based on absolutely nothing tangible while mixing concepts. That's far from the first time the guy shares unwise opinions with tons of assurance so he should be taken with a grain of salt every time he doesn't speak directly about his job.
    10
  4.  @dansanger5340  TBF, from what has been leaked through the years, proprietary software is often very badly written. Though even on FOSS, a lot of vulnerabilities are still left unpatched on many devices, because of OEMs and manufacturers dropping support. That's a huge problem in the embedded world and stuffs like IoT is a timebomb.
    5
  5.  @MikkoRantalainen  Even if your interpretation is right, the critics are still valid: 1/ he's vague and it's still not related to the ISA itself, rather than being microarchitecture dependent. 2/ Spectre is 6 years old and was a shock in the entire CPU industry so pretty confident hw and sw engineers already thought about that when creating recent out-of-order/ prefetch mechanisms. 3/ Side channel attacks are generally not as easy to exploit as Intel specific issues like Meltdown or lazyFPU. 3/ It's really presumptuous to think engineers from many companies, sometimes very large ones, will not learn from the past and sometimes quite recent events. 4/ This guy is far from being as knowledgeable as Theo De Raadt on kernel security and he has some monetary interests in ARM and x86 development, making him suspiciously partisan.
    5
  6.  @estranhokonsta  being an expert on cooking doesn't make you an expert on farming. That's the same issue when years ago he shared his opinion about DE on Linux. Linus has the bad tendency to speak on IT topics out of his domain of expertise and people still preach his words like he is an expert. Saying arm is on par with x86 shows how much he is just a guy using cloud services, disconnected from the mess of physical implementations.
    4
  7.  @estranhokonsta  do you realize this is the guy whom the kernel is his sole job for decades and prefer using WSL to work? His opinion should have no weight on totally different domains of the whole OS or in IT in general. He should have the wisdom to not talk about subjects he doesn't understand.
    3
  8.  @Turalcar  to me, that Windows Enterprise bug showed the same failure as xz: deploying a new release should be done carefully before being pushed into production systems.
    2
  9.  @dansanger5340  you're right for supply chain attacks, though it's only a small fraction of the whole spectrum of attacks, even when narrowing the issue on social engineering only which is already a large palette of attack strategies. In this peculiar case of xzlib, we can claim this is the worst case FLOSS got. But, ultimately, the real impact, particularly on production systems, was extremely limited and as always mitigations were deployed very quickly inside every distro. So the whole supply chain reacted flawlessly, and it took a very long preptime for the attacker to fail in the end. Sure the discovery of that vulnerability was very random and very late in the deployment chain, though it showed how any techie can easily bring their own contribution and how virtuous the transparency of the FLOSS model is to make the code safe. All in all it made devs and maintainers more aware of security issues, raising bad habits like using prepacked archives, making a key component like having key components depending on a single 3rd party library, like patching soft in an unsafe manner for convenience, etc. and in a way it kinda gave a point to the cathedral paradigm over the bazaar (but also annihilates it for a more heterogeneous ecosystem) as well as the necessity of those few rugged stable/enterprise distros too easily criticized by rolling release advocates. This was a very frightening reality check for the people too much comfortable with the apparent sense of security and I truly believe any people in the chain has learnt something of this event.
    1
  10.  @dansanger5340  you're right for supply chain attacks, though it's only a small fraction of the whole spectrum of attacks, even when narrowing the issue on social engineering only which is already a large palette of attack strategies. In this peculiar case of xzlib, we can claim this is the worst case FLOSS got. But, ultimately, the real impact, particularly on production systems, was extremely limited and as always mitigations were deployed very quickly inside every distro. So the whole supply chain reacted flawlessly, and it took a very long preptime for the attacker to fail in the end. Sure the discovery of that vulnerability was very random and very late in the deployment chain, though it showed how any techie can easily bring their own contribution and how virtuous the transparency of the FLOSS model is to make the code safe. All in all it made devs and maintainers more aware of security issues, raising bad habits like using prepacked archives, making a key component like having key components depending on a single 3rd party library, like patching soft in an unsafe manner for convenience, etc. and in a way it kinda gave a point to the cathedral paradigm over the bazaar (but also annihilates it for a more heterogeneous ecosystem) as well as the necessity of those few rugged stable/enterprise distros too easily criticized by rolling release advocates. This was a very frightening reality check for the people too much comfortable with the apparent sense of security and I truly believe any people in the chain has learnt something of this event.
    1
  11.  @dansanger5340  you're right for supply chain atks, though it's only a small fraction of the whole spectrum of vulnerabilities, even when narrowing the issue on social engineering only which is already a large palette of various strategies. In this peculiar case of xzlib, we can claim this is the worst case FLOSS got. But, ultimately, the real impact, particularly on production systems, was extremely limited and as always mitigations were deployed very quickly inside every distro. So the whole supply chain reacted flawlessly, and it took a very long preptime for the attacker to fail in the end. Sure the discovery of that vulnerability was very random and very late in the deployment chain, though it showed how any techie can easily bring their own contribution and how virtuous the transparency of the FLOSS model is to make the code safe. All in all it made devs and maintainers more aware of security issues, raising bad habits like using prepacked archives, making a key component like having key components depending on a single 3rd party library, like patching soft in an unsafe manner for convenience, etc. and in a way it kinda gave a point to the cathedral paradigm over the bazaar (but also annihilates it for a more heterogeneous ecosystem) as well as the necessity of those few rugged stable/enterprise distros too easily criticized by rolling release advocates. This was a very frightening reality check for the people too much comfortable with the apparent sense of security and I truly believe any people in the chain has learnt something of this event.
    1
  12.  @dansanger5340  (Jeezz I hate wasting my time having to rewrite because of crazy shadowban) That's right for supply chain, though it's only a small fraction of the whole spectrum of vulnerabilities, even when narrowing the issue on social engineering only which is already a large palette of strategies.
    1
  13.  @dansanger5340  I can't answer you properly YT comment bot decided to be an arse.
    1
  14.  @dansanger5340  I agree with you, though supply chan is only a small window even when narrowing the issue solely on soc-engineering.
    1
  15. ​ @dansanger5340  (let's see if the rest of the message is accepted) That being said, in this peculiar case of xzlib, we can claim this is the worst case FLOSS got. But, ultimately, the real impact, particularly on production systems, was extremely limited and as always mitigations were deployed very quickly inside every distro. So the whole supply chain reacted flawlessly, and it took a very long preptime for the attacker to fail in the end. Sure the discovery of that vulnerability was very random and very late in the deployment chain, though it showed how any techie can easily bring their own contribution and how virtuous the transparency of the FLOSS model is to make the code safe. All in all it made devs and maintainers more aware of security issues, raising bad habits like using prepacked archives, making a key component like having key components depending on a single 3rd party library, like patching soft in an unsafe manner for convenience, etc. and in a way it kinda gave a point to the cathedral paradigm over the bazaar (but also annihilates it for a more heterogeneous ecosystem) as well as the necessity of those few rugged stable/enterprise distros too easily criticized by rolling release advocates. This was a very frightening reality check for the people too much comfortable with the apparent sense of security and I truly believe any people in the chain has learnt something of this event.
    1
  16.  @dansanger5340  That being said, n this peculiar case of xzlib, we can claim this is the worst case FLOSS got. But, ultimately, the real impact, particularly on production systems, was extremely limited and as always mitigations were deployed very quickly inside every distro. So the whole supply chain reacted flawlessly, and it took a very long preptime for the attacker to fail in the end. Sure the discovery of that vulnerability was very random and very late in the deployment chain, though it showed how any techie can easily bring their own contribution and how virtuous the transparency of the FLOSS model is to make the code safe.
    1
  17.  @dansanger5340  I give up on the rest of the message. I've wasted too much time for a single sentence. The rest was about xz and how the supply chain reacted and how everybody involved in the chain should have learned something.
    1
  18. although he had some out of expertise takes in past conferences which were religiously received with barely no skepticism. glad he aged wiser.
    1
  19.  @estranhokonsta  it has to do with the fact he doesn't experience the OS as a user. This is an example of why you should take his opinions with a grain of salt. This "Arm is on par with x86" claim negates the user expérience of hundreds of thousands end users, developers and maintainers… and this has nothing to do with the ISA but the implementation inside a larger package.
    1