Just before the deadline for the release, the missing pieces fell into place and I came up with this beautiful new design that would not only fix my first Hurd vulnerability in a cleaner way, it would also make... some other things... better.
That's the good news, the bad news is that the new design is very different from what I've been doing this far, so I'll need to rewrite everything once again. And I have very little time.
@mpjgregoire Debian GNU/Hurd is one of the Debian ports, and the primary way people use the Hurd. We're trying to squeeze fixes into the upcoming Debian release, initially as downstream patches.
After that, we'll be able to release the details and talk about these vulnerabilities and what we've done to fix them publicly. Eventually the fixes are going to make it into some upstream Hurd release too.
If you're using non-Debian Hurd and don't want the details released until you are safe, speak up on bug-hurd
@bugaevc Oh, I haven't actually used the Hurd for years, certainly no need to worry about my security. I would *like* to run the Hurd on one of my computers, but not just at the moment.
Good luck with development.
@kai well yeah, I ended up altering almost every component of it. Although the new version of the patchset is way less invasive.
@kai perhaps :) But I'm definitely not releasing any details yet. That has to wait until the fixes are rolled and people's systems are no longer vulnerable.
If you're missing some context about what this is all about, these are the previous threads:
This Mastodon instance is for people interested in technology. Discussions aren't limited to technology, because tech folks shouldn't be limited to technology either!