Did Hyprland Ship A Major Plugin Vulnerability?
Hyprland is back in the news once again because of a “vulnerability” but is it really as bad as it’s made out to be or is it being a …
Oh that's why I earned a new environment variable to the socket… Anyway
I know very little about Hyprland and its creators, but I keep hearing about problems with its creators/maintainers. – And what I took from this video was: other developers dislike this guy to a degree where they would rather ignore and/or publish security vulnerabilities rather than deal with him. – This sounds… problematic for the project.
To be fair, there are a lot of script kiddies who would rather run some random install script off of GitHub than RTFM, and seeing them get pwned would be kinda funny
Coding in swift while watching a video about major bugs in assembly getting fixed within hours has never ruined my confidence more. Keep it up Brodie!
Nobody is talking about the fact that this hook system is completely overengineered?
"powerful" and "plugins" are a bad combo
(And also just a terrible design. No clear API is just asking for breakage and unintended dependencies between basically everything. C++, OOP and especially mixing it with all the low-level knobs and levers were a mistake.)
CVE-Brodie-2024: Brodie didn't want to turn the light on
4:42 Well, he's a programmer, I guess.
I host things on my PC and also have a couple of users for my friends and for my work. I have tried hyprland and still have it installed. I guess I'd just have to install a random plugin and switch to hyprland for me to be a perfect target.
Putting innocent users at risk because you don't like the developer is detestable.
A practical demonstration of how having toxic developers/community does affect software quality.
Is it just me, or shouldn't a trampoline be used in this case anyway?
tbh I love vax and I don't think he should change
You gotta do some shit for people not prioritizing reporting upstream to you. Holy hell.
where is the exe?
What a retard sam is lol
You forgot the most important thing, which is that Hyprland uses XDG_RUNTIME_DIR/hypr instead of /tmp/hypr for everything now, which should have been the obvious choice from the start and easily prevents any problem like this from ever happening.
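An added example, not code from the page or from Hyprland itself, to show why the per-user runtime directory matters: a socket directory under a fixed shared path such as /tmp/hypr can be pre-created by any local user before the victim logs in, whereas XDG_RUNTIME_DIR (normally /run/user/<uid>) is created per user with mode 0700. The "hypr" subdirectory layout, the function names and the ownership/permission check are assumptions for illustration only; the three candidate directories are constructed in a scratch directory so the script runs offline on any Linux box.

```python
import os
import stat
import tempfile


def runtime_socket_dir(env, fallback_tmp="/tmp"):
    """Pick the directory for per-user IPC sockets (hypothetical layout).

    XDG_RUNTIME_DIR is created per login session by the system as
    /run/user/<uid>, owned by that user, mode 0700. A fixed path under
    /tmp is shared by every local user, so anyone can pre-create it or
    drop a socket there before the victim's compositor starts.
    """
    base = env.get("XDG_RUNTIME_DIR")
    if base:
        return os.path.join(base, "hypr")
    return os.path.join(fallback_tmp, "hypr")  # the old, shared scheme


def is_private_dir(path, uid):
    """True only if path is a real directory owned by uid with no
    group/other permission bits; symlinks and foreign-owned dirs fail."""
    try:
        st = os.lstat(path)           # lstat: do not follow symlinks
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):  # rejects symlinks and plain files
        return False
    if st.st_uid != uid:
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def prepare_dir(path, uid):
    """Create path as 0700 if missing, then refuse to use it unless it
    passes is_private_dir(); a pre-planted directory is rejected rather
    than silently reused."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    if not is_private_dir(path, uid):
        raise PermissionError(f"refusing to use {path}: not private to uid {uid}")
    return path


def demo():
    """Constructed scenario in a scratch directory: a world-writable
    pre-planted 'hypr' dir, a fresh private one, and a symlink to it.
    Returns which of the three prepare_dir() accepts."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        planted = os.path.join(scratch, "planted_hypr")
        os.mkdir(planted)
        os.chmod(planted, 0o777)     # what an attacker-made /tmp/hypr looks like
        private = os.path.join(scratch, "private_hypr")
        link = os.path.join(scratch, "link_hypr")
        os.symlink(private, link)    # planted symlink; mkdir() on it raises EEXIST
        for name, path in (("planted", planted), ("private", private), ("symlink", link)):
            try:
                prepare_dir(path, uid)
                results[name] = True
            except PermissionError:
                results[name] = False
    return results


if __name__ == "__main__":
    print(runtime_socket_dir(os.environ))
    print(demo())
```

The mode check is what turns "use XDG_RUNTIME_DIR" from a convention into a guarantee: even if the runtime base is wrong or missing, a directory that another user created (or a symlink they planted) is refused instead of being trusted because it happened to exist.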
For multiple users you need friends. On Linux that's a low-risk CVE.
"I cannot report a vulnerability because the mean man said a naughty word" You are pathetic and will never make it in the real world.
Vaxry is awesome.
dark brodie >:)
ngl the initial reporter had this aura of "holier than thou" mentality which even reads really off-putting. If he really didn't care, then why make that email post? Just for the credits and the clout?
just sounds miserable to be around, tbh.
what vulnerability? correct me if I’m wrong, but if you’re running a hyprland plugin, you’re already putting your system at risk because you might not know what code you’re actually running
a GitHub issue should’ve been made first imo
edit – should’ve probably watched a little more
I do disagree that it's not that important a vuln. A service could be compromised and constrained within a low-privilege service user. This would have provided a way out of that, probably to a user in the wheel group. This is the start of a route to root. Raising it is right, surely.
nah, part of FS should be to have fun
Laughing at someone who writes about a potential vulnerability is a no-go. And if you do and then you find out you were wrong, that’s a big cause to say you’re sorry. And “you disrespect the user” followed by “if you [vulnerable user] exist” is kind of a bad take. If this wasn’t relevant to anyone, then no one was disrespected. And if it was, then vulnerable users exist. ⇒ less defensive, please. I get from this video why the reporter did not write to upstream but rather wrote about it in a roundabout way (don’t want to make it too clear, lest people exploit it) to enable others to report it.
I have multiple multi-user Hyprland systems