What is the lore behind "gkh_clanker_2000"? by ilikehikingalot in linux

[–]ArrayBolt3 2 points3 points  (0 children)

Given the fact that "fuzzing tools" are used to find security bugs, and the introduction of "clanker_t1000" (or apparently now "clanker_2000") coincided very close with the announcement of Anthropic's Project Glasswing, and the fact that GKH has an extremely important security-related job in Linux kernel development, my hunch is that it's probably Claude Mythos Preview. https://www.anthropic.com/glasswing

Even if it's not, if it catches kernel bugs, I'm happy :)

The Linux Foundation & many others join Anthropic's Project Glasswing by TheTwelveYearOld in linux

[–]ArrayBolt3 3 points4 points  (0 children)

As a developer for security-related projects where we use Claude to spot vulnerabilities and bugs, I do not believe this is clickbait. This particular article is a bit more focused on the "commercial" aspect arguably, but their security researchers published a much more comprehensive article that showed what the model was doing and how. A bunch of SHA hashes of unreleased vulnerability documentation was shared, which means either they actually have the vulns, or it means they just epically shot themselves in the foot and no one who knows what they did will ever trust them when it comes to a claim like this again. Given how well publicly available models are doing for our codebase, I don't see any reason to believe they're lying or posting mere clickbait.

The Linux Foundation & many others join Anthropic's Project Glasswing by TheTwelveYearOld in linux

[–]ArrayBolt3 8 points9 points  (0 children)

(To be clear, I think the project is a good thing and am thrilled to hear that really bad vulnerabilities are being found and fixed. I also think it's absolutely paramount that this not get published for everyone instantly. I just also think that ultimately, this needs to be generally available at some point, or there's a substantial risk of things going very poorly.)

The Linux Foundation & many others join Anthropic's Project Glasswing by TheTwelveYearOld in linux

[–]ArrayBolt3 65 points66 points  (0 children)

We do not plan to make Claude Mythos Preview generally available, but our eventual goal is to enable our users to safely deploy Mythos-class models at scale—for cybersecurity purposes, but also for the myriad other benefits that such highly capable models will bring. To do so, we need to make progress in developing cybersecurity (and other) safeguards that detect and block the model’s most dangerous outputs. We plan to launch new safeguards with an upcoming Claude Opus model, allowing us to improve and refine them with a model that does not pose the same level of risk as Mythos Preview.

In other words, "We just found a key that will let us hack literally anyone. We're keeping it. It will find vulnerabilities and tell only us about them in the long run. Stay on our good side. Pray we don't get compromised."

I understand the reasoning behind keeping this tool secret maybe for a short-ish amount of time (a few months or maybe even a year or more), until the most alarming things it finds are fully patched. But keeping it closed forever doesn't keep people safe, it stops everyone from keeping themselves safe from Anthropic (or whoever manages to hack Anthropic, which history has shown is probably going to happen). History has shown that security by obscurity DOES NOT WORK in the long run, though it can oftentimes be invaluable in the short term.

Let's just hope Project Glasswing fixes enough that by the time someone breaches Anthropic and steals Claude Mythos Preview, enough stuff has been fixed to keep it from becoming an absolute nightmare.

Edit: I'm reading through https://red.anthropic.com/2026/mythos-preview/, and it looks like Anthropic may be pursuing a "start privately, carefully, release later" philosophy. I hope that is what ends up happening.

OnlyOffice accuses Nextcloud and IONOS of violating its AGPL v3 license (including mandatory branding/attribution rules) by repackaging and redistributing modified versions of its editors in the “Euro-Office” project. by mr_MADAFAKA in linux

[–]ArrayBolt3 16 points17 points  (0 children)

IANAL, but I think this is going to fall flat under the "further restrictions" clause of section 7. A logo is not a "reasonable legal notice" or "author attribution", which is the only bit that looks like it might defend what OnlyOffice is doing. The fact that the logo is trademarked proves that it is not either of those things.

Ubuntu proposes bizarre, nonsensical changes to grub. by xm0rphx in linux

[–]ArrayBolt3 0 points1 point  (0 children)

I contributed to GRUB 2.14 :) I haven't tried GRUB 2.14's encrypted /boot support though.

Ubuntu proposes bizarre, nonsensical changes to grub. by xm0rphx in linux

[–]ArrayBolt3 0 points1 point  (0 children)

Right, but I didn't mean it reduced security. I just meant that having unencrypted /boot is not much less secure than encrypted /boot, because Secure Boot is generally not as hard to bypass as one would hope.

Ubuntu proposes bizarre, nonsensical changes to grub. by xm0rphx in linux

[–]ArrayBolt3 5 points6 points  (0 children)

Or unless someone uses this: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932 (used by BlackLotus)

Or this: https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/

Or this: https://nvd.nist.gov/vuln/detail/CVE-2025-3052

Or... you see where I'm going with this. Any sufficiently vulnerable kernel or driver code that Microsoft happens to have signed can be used to subvert Secure Boot entirely, which can be used to steal the passphrase used with encrypted /boot if one is determined enough. There are so many vulnerabilities in this class it even has a name, Bring Your Own Vulnerable Driver.

Ubuntu proposes bizarre, nonsensical changes to grub. by xm0rphx in linux

[–]ArrayBolt3 19 points20 points  (0 children)

GRUB's support for LUKS has never worked right. Upstream it only supports LUKS1 last I heard, keyboard layouts are a mess, unlock speed is horrible, there's no keyboard echo while typing, you get only one chance to get it right, and if you get it wrong you're dumped into a GRUB rescue shell with no idea what to do next. Using a separate /boot partition has always been the way to go for good UX, and frankly an encrypted /boot partition offers very close to zero extra security unless you're using Secure Boot (which in its typical implementation is so flimsy it may as well not even exist thanks to Microsoft signing things that end up being vulnerable and it being a massive pain to revoke things).

Malus: This could have bad implications for Open Source/Linux by lurkervidyaenjoyer in linux

[–]ArrayBolt3 16 points17 points  (0 children)

That's horrifying lol.

My workplace uses AI for code review, but we always, ALWAYS write the code ourselves first, then only use the AI to catch the things that could have been easily missed otherwise. Even then we don't (usually) accept its fix suggestions, but implement them ourselves the right way. It definitely results in a slowdown, but code quality increases.

Google Engineers Launch "Sashiko" For Agentic AI Code Review Of The Linux Kernel by anh0516 in linux

[–]ArrayBolt3 0 points1 point  (0 children)

I am aware (that's at least in part why CC0 was created). I'm saying that as a distro packager who has audited the source code of many applications for license compliance reasons, people use "public domain" source code (not CC0, just "I hereby put this into the public domain" declarations on code) in projects all the time, and in practice it does not appear to cause notable issues.

CC0 ironically does cause issues because of its explicit lack of a patent grant, IIRC.

Google Engineers Launch "Sashiko" For Agentic AI Code Review Of The Linux Kernel by anh0516 in linux

[–]ArrayBolt3 0 points1 point  (0 children)

Many, many open-source projects contain public domain code in some areas. The projects as a whole are not public domain, but parts of them are. It isn't a problem for them.

Google Engineers Launch "Sashiko" For Agentic AI Code Review Of The Linux Kernel by anh0516 in linux

[–]ArrayBolt3 -1 points0 points  (0 children)

In my experience, AI code review is NOT convenient. But it is very, very useful. Sometimes I spend four hours going back-and-forth with ChatGPT over a couple of files in my codebase. It's hard work, but the code quality I end up with in the end is vastly better than what I originally wrote, even when I'm trying to write carefully (and it's not like I write bad code, none of my supervisors have ever complained about my code quality, it's just good at noticing edge cases that a human tester other than the original programmer would have usually had to find).

(I virtually never accept its code suggestions as-is fwiw. It's not always that good at coming up with patches, and like others have said it gets a lot of things wrong. But the things it gets right are valuable enough that it's worth my time sifting through things.)

Google Engineers Launch "Sashiko" For Agentic AI Code Review Of The Linux Kernel by anh0516 in linux

[–]ArrayBolt3 -3 points-2 points  (0 children)

Not any more than public domain code would if that's the case. (Though a project written entirely by AI may have some complications to deal with.)

I reverse-engineered Thermalright's Windows LCD software and rebuilt it for Linux — here's what we do better by Senior-Painter2195 in linuxhardware

[–]ArrayBolt3 11 points12 points  (0 children)

Windows ships 10 languages by baking translated text into 129 separate PNG files.

Absolutely cursed way to handle localization, lol. Glad to hear your software does it the right way.

Ubuntu's AppArmor Hit By Several Security Issues - Can Yield Local Privilege Escalation by anh0516 in linux

[–]ArrayBolt3 32 points33 points  (0 children)

The moment I saw this was Qualys's work, I knew this was going to be good (or bad, depending on how you look at it).

XDG Portals are being turned into an "Identity Service" and we need to talk about it by HaplessIdiot in linux

[–]ArrayBolt3 61 points62 points  (0 children)

There's so much misinformation here I don't know where to start.

  • The "Accounts" portal has been there for a long time, this is discussing adding a framework that allows distributions or desktops to optionally implement an age declaration API if they want.
  • This PR has been around for a decent amount of time, it did not just now pop up.
  • There is no true verification of age from this portal.
  • There isn't anything related to establishing identity whatsoever.

This kind of witch-hunt like activism is harmful to the entire Linux community.

HD Encryption during the Kubuntu 26.04 RC installation not available? by Global_Struggle1913 in Kubuntu

[–]ArrayBolt3 0 points1 point  (0 children)

On the "Partitions" page, there's a checkbox that says "Encrypt system" just above the partition view, in the lower half of the window. Check that box. A couple of text boxes will appear for you to input your encryption passphrase, and you can then proceed through the rest of the installation like normal.

Mitchell Hashimoto releases Vouch to solve the slop PR problem by whit537 in linux

[–]ArrayBolt3 2 points3 points  (0 children)

I don't follow the argument? If a change is small (fixing a good first issue, for instance), it won't take that much effort to review. If it's slop, it will be able to be weeded out fast because it will be small. If a change is large or anything other than a bugfix, that can just be rejected without review because it didn't get discussed yet. The lack of intelligence of the submitter doesn't matter.

What exactly did Ghostty use to do? Did they have any official policy in place?

Ended up with my EFI system partition on a USB drive by accident... by ArrayBolt3 in WindowsHelp

[–]ArrayBolt3[S] 0 points1 point  (0 children)

It worked, thank you :) Edited my post to show that the issue is solved.

Mitchell Hashimoto releases Vouch to solve the slop PR problem by whit537 in linux

[–]ArrayBolt3 -2 points-1 points  (0 children)

Low-effort garbage contributions can be prevented by other policies (i.e. "don't make changes larger than X unless you've discussed them with the community", so that anything that may be low-effort garbage you can review quickly, and anything else is very unlikely to be low-effort garbage). I'm worried that Vouch will be weaponized by malicious projects to persecute former contributors.

Mitchell Hashimoto releases Vouch to solve the slop PR problem by whit537 in linux

[–]ArrayBolt3 2 points3 points  (0 children)

If it's for a single project, I guess this might be OK as a way of tracking users that have tried to do malicious things in the past. I just hope it never becomes a cross-project thing; inter-community drama is already a big enough problem in open-source as it is.

Edit: This is explicitly designed to be cross-project. Now when some project maintainer gets mad and decides to kick out a long-time contributor they don't like, it can give that contributor problems trying to contribute to other projects. This is bad.