
colonel_mortis

Administrator
  • Posts

    4,016
  • Joined

  • Last visited

Awards

About colonel_mortis

Contact Methods

Profile Information

  • Gender
    Male
  • Location
    UK, centre of the observable universe
  • Interests
    Programming
  • Biography
    ┌ I was born.

    ├ I found LinusTechTips.
    └ Now.
  • Occupation
    Nyan cat herder
  • Member title
    Keeper of the Private Keys

System

  • Operating System
    🐧


  1. I think this is more likely to be an issue on the browser side than on the forum side, so unless you can repro this on a supported OS+browser combo I don't think there's much we can do.
  2. We have to load the font from the web rather than your computer because Comic Sans MS is owned by Microsoft (hence the MS) and is therefore not installed by default on all other operating systems (it may be on some non-MS platforms, but not all). If we relied on a built-in font, it would not be blocked here - that's why the fallback font works fine.
  3. The goal is not to be frustrating or unwanted... Just some April Fools fun.
  4. The font is being downloaded from another website, and that site is likely blocked.
  5. Probably. You're not missing out on much though.
  6. This works if builds are reproducible (i.e. if two people building the same release will get the same bytes out), and that is a good thing to aim for, but in practice at the moment it is surprisingly common for the output to be affected by things like the versions of dependency libs you currently have installed, compiler version, current time, etc. Progress has been made towards reproducible builds in many languages, but that has taken a fair amount of work, so it seems unlikely that it can happen any time soon for everything. I hope we do start seeing reproducible builds in more critical infrastructure so that we can make progress towards this world, and maybe that's the best we can hope for, but it seems unlikely to me that a package like this, with a single maintainer that wasn't particularly motivated to work on it, would do that work. It's still not a silver bullet though - this attacker already demonstrated an ability to use sock puppet accounts to achieve their goals, so in this case it would likely have only represented a minor inconvenience for them. Of course, multiple minor inconveniences can quickly add up to a significant increase in the effort required to pull off an attack like this, especially doing so undetected, so it would still be valuable. Ah I see - yes, I agree that would clearly be a good thing. Again not a silver bullet - they did still sneak multiple changes into the repo itself in plain sight to set the groundwork for this attack, and it doesn't address any binary distribution avenues where simply tarring a git repo is not sufficient - but clearly a good thing. It sounds like there are good reasons for the current setup, but that is definitely something we should be moving away from.
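    The post above says a build is reproducible when two people building the same release get the same bytes out, and names the current time as one of the things that commonly breaks this. The script below is an added illustration, not code from the post or from any project it discusses: it packages a small constructed source tree twice, simulating two builders whose checkouts carry different timestamps, first with a naive `tar`-style packaging step and then with every non-content field normalised (sorted entry order, a fixed mtime following the SOURCE_DATE_EPOCH convention, uid/gid 0, empty owner names, fixed mode). Hashing the two outputs shows why the naive artefact cannot be compared between builders while the normalised one can. The file contents, timestamps and epoch value are all constructed for the example.

```python
"""
Reproducible-build check: do two independent builds of the same source
produce identical bytes?  Added example; the source tree, file contents,
checkout times and epoch value below are all constructed.
"""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed source tree standing in for a release checkout.
SOURCE_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"example package\n",
    "Makefile": b"all:\n\tcc -o app src/main.c\n",
}


def write_source_tree(root, mtime):
    """Write SOURCE_FILES under root and stamp every file and directory
    with mtime.  Two builders checking out the same release get the same
    bytes but different timestamps; that is the field a naive packaging
    step leaks into the artefact."""
    for rel, data in SOURCE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))
    for dirpath, _, _ in os.walk(root):
        os.utime(dirpath, (mtime, mtime))


def naive_tarball(root):
    """Package the tree the way a plain `tar cf` would: whatever mtime,
    uid/gid, owner names and mode the build machine happens to have."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname="pkg")
    return buf.getvalue()


def reproducible_tarball(root, source_date_epoch=1700000000):
    """Same content with every non-content field normalised: entries in
    sorted path order, a fixed mtime (SOURCE_DATE_EPOCH convention, value
    constructed here), uid/gid 0, empty owner names and a fixed mode.
    Directory entries are deliberately omitted; extraction recreates them.
    The output therefore depends only on the file paths and their bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # in-place sort fixes the traversal order
            for name in sorted(filenames):
                path = os.path.join(dirpath, name)
                arcname = os.path.join("pkg", os.path.relpath(path, root))
                info = tar.gettarinfo(path, arcname=arcname)
                info.mtime = source_date_epoch
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_builds(packager):
    """Simulate two builders whose checkouts have different timestamps and
    report whether their artefacts are byte-identical, plus both digests."""
    digests = []
    for mtime in (1600000000, 1650000000):  # constructed checkout times
        with tempfile.TemporaryDirectory() as root:
            write_source_tree(root, mtime)
            digests.append(sha256(packager(root)))
    return digests[0] == digests[1], digests


if __name__ == "__main__":
    for label, packager in (("naive", naive_tarball),
                            ("reproducible", reproducible_tarball)):
        same, (a, b) = compare_builds(packager)
        print(f"{label:13s} identical={same}  {a[:16]}  {b[:16]}")
```

Running it prints `identical=False` for the naive packaging and `identical=True` for the normalised one. The same idea extends to compressed archives (gzip stores its own timestamp, so it must be zeroed too) and to compiled output, where the post's other culprits, dependency and compiler versions, have to be pinned before a second builder's hash means anything.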
  7. I'm shocked that we're this far into April fools day and nobody has pointed out the (non-comic-sans) April fools Easter egg yet...

    1. Poinkachu
    2. leadeater

       1 hour ago, Murasaki said:

       nice try mister

    3. iamdarkyoshi

       My phone's system font is comic sans, so I'm absolutely used to seeing it everywhere

  8. On the first idea (multiple signatures), that assumes there's some way for one stakeholder to prove to the other that the package is legitimate, which I don't think is possible - ultimately someone (or some CI build, which would make the attack look more like the SolarWinds attack) has to generate the package, and there needs to be trust there. I believe there are some sophisticated systems that could be built involving reproducible builds and stuff that could make that work, but that is not going to be feasible for most small OSS packages. Remember, this repo was previously only maintained by one (trustworthy) person. I'm not sure I understand the git comment.
  9. Honestly I find this attack pretty terrifying - this is the second example (that we know of) of a very well implemented supply-chain attack (the first being SolarWinds), and it was only caught by chance by someone noticing that OpenSSH was being slow. It is entirely plausible that the perf regression could have gone unnoticed (or, although I don't have a deep understanding of what it was trying to do, I suspect it could also have been possible to write the payload in a way that doesn't cause such a perf regression at all), resulting in this malicious release making it out of the bleeding edge and into mainstream distributions. I hope this will lead to some changes in the industry, but I don't know what those changes could be. Now that the concept has been proven, I doubt that this will be the last time something like this is attempted. It's not a trivial attack to pull off, but nor is it overly difficult as long as you have time to burn (in this case the attacker started getting a foothold 2 years ago) - it would be a great choice for nation-state attackers, but could also be pulled off by solo attackers. The scariest thing to me is that this may not be the first time - for all we know, and with no way to verify, there may be other compromised libraries out there already.
  10. It is a forum issue, but it's a bit awkward to fix because of how the special offline page works.
  11. Forum signatures are crawled by chatGPT/Microsoft copilot:

    The linked thread:

    1. colonel_mortis

       Microsoft Copilot just performs searches using Bing, it's not making much use of the built in knowledge from training. It is entirely possible that the forum was scraped and fed into a pile of linear algebra (an LLM), but this isn't evidence of that.

    2. da na

       Your forum, an AI 🤯

  12. It is meant to work even when the topic is scheduled to be posted later, but there might be some edge cases. I'll look into it.
  13. Yes, they are taken into account, but have less weight (and it decreases the longer it's been).
  14. Your attachment storage is not full, there is no limit. Your screenshots are unreasonably large though (the two that you uploaded to that post were 17MB each, whereas a normal screenshot would be <1MB), and there is a 20MB per post limit, so it's possible that you're just trying to upload another unreasonably large image.