home.social

#package-manager — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #package-manager, aggregated by home.social.

fetched live
  1. 🛡️🪲 Managerul de pachete GNU Guix a fost lovit de patru vulnerabilități de securitate 🚀💻

    GNU Guix, managerul de pachete tranzacțional și avansat din ecosistemul GNU — apreciat la nivel global pentru abordarea sa puristă în privința libertății software, configurarea declarativă și reproductibilitatea absolută a build-urilor — se confruntă cu o provocare serioasă de securitate. Comunitatea de dezvoltatori a confirmat oficial descoperirea a patru vulnerabilități în logica sa de funcționare, forțând emiterea unor patch-uri de urgență.

    Deoarece GNU Guix folosește un demon de fundal cu privilegii ridicate (guix-daemon) pentru a compila și izola pachetele destinate utilizatorilor, aceste breșe reprezintă un risc considerabil pentru integritatea sistemelor afectate.

    Iată detaliile principale despre problemele identificate:

    🔹 Breșe la nivelul privilegiilor și izolării (Sandbox Escape):
    Vulnerabilitățile identificate vizează în mod special mecanismul de sandbox (mediul izolat) pe care Guix îl folosește în timpul compilării pachetelor din surse.

    Riscul: Anumite erori logice în gestionarea permisiunilor și a directoarelor temporare de build puteau permite unui pachet malițios să „evadeze” din containerul său izolat. Odată evadat, codul atacatorului ar fi putut interfața cu fișierele critice ale sistemului gazdă sau ar fi putut obține o escaladare neautorizată a privilegiilor până la nivelul de root.

    🔹 Manipularea reproducerii pachetelor (Build Poisoning):
    Una dintre cele mai mari calități ale GNU Guix este reproductibilitatea (același cod sursă generează bit cu bit același binar). Breșele raportate introduceau un risc de „otrăvire” a procesului de build local, permițând unui utilizator local neautorizat sau unui script malițios să modifice rezultatul compilării altor pachete de pe mașină, alterând binarul final fără ca administratorul să observe imediat.

    🔹 Remedierea și corecturile aplicate:
    Echipa GNU Guix a reacționat cu promptitudine imediat ce detaliile tehnice au fost verificate. A fost lansată o actualizare care modifică modul în care guix-daemon gestionează variabilele de mediu, legăturile simbolice (symlinks) și montarea directoarelor în sandbox, închizând complet portițele de evadare folosite în scenariile de atac testate.

    ⚠️ Acțiune obligatorie pentru utilizatori: Dacă rulezi GNU Guix ca manager de pachete independent pe o altă distribuție sau dacă folosești sistemul de operare complet Guix System, este critic să îți actualizezi demonul de sistem imediat.

    Pentru a securiza mașina, utilizatorii trebuie să ruleze comanda de actualizare a profilelor și, extrem de important, să repornească serviciul de fundal:

    Bash
    guix pull
    sudo systemctl restart guix-daemon
    Prin această intervenție rapidă, comunitatea demonstrează din nou că transparența totală a codului open-source și auditurile de securitate riguroase sunt cele mai bune mecanisme de protecție împotriva defectelor inevitabile de programare.

    #GNUGuix #GuixSystem #GNULinux #Cybersecurity #PackageManager #SandboxEscape #PrivilegeEscalation #OpenSource #TechNews

  2. 🛡️🪲 Managerul de pachete GNU Guix a fost lovit de patru vulnerabilități de securitate 🚀💻

    GNU Guix, managerul de pachete tranzacțional și avansat din ecosistemul GNU — apreciat la nivel global pentru abordarea sa puristă în privința libertății software, configurarea declarativă și reproductibilitatea absolută a build-urilor — se confruntă cu o provocare serioasă de securitate. Comunitatea de dezvoltatori a confirmat oficial descoperirea a patru vulnerabilități în logica sa de funcționare, forțând emiterea unor patch-uri de urgență.

    Deoarece GNU Guix folosește un demon de fundal cu privilegii ridicate (guix-daemon) pentru a compila și izola pachetele destinate utilizatorilor, aceste breșe reprezintă un risc considerabil pentru integritatea sistemelor afectate.

    Iată detaliile principale despre problemele identificate:

    🔹 Breșe la nivelul privilegiilor și izolării (Sandbox Escape):
    Vulnerabilitățile identificate vizează în mod special mecanismul de sandbox (mediul izolat) pe care Guix îl folosește în timpul compilării pachetelor din surse.

    Riscul: Anumite erori logice în gestionarea permisiunilor și a directoarelor temporare de build puteau permite unui pachet malițios să „evadeze” din containerul său izolat. Odată evadat, codul atacatorului ar fi putut interfața cu fișierele critice ale sistemului gazdă sau ar fi putut obține o escaladare neautorizată a privilegiilor până la nivelul de root.

    🔹 Manipularea reproducerii pachetelor (Build Poisoning):
    Una dintre cele mai mari calități ale GNU Guix este reproductibilitatea (același cod sursă generează bit cu bit același binar). Breșele raportate introduceau un risc de „otrăvire” a procesului de build local, permițând unui utilizator local neautorizat sau unui script malițios să modifice rezultatul compilării altor pachete de pe mașină, alterând binarul final fără ca administratorul să observe imediat.

    🔹 Remedierea și corecturile aplicate:
    Echipa GNU Guix a reacționat cu promptitudine imediat ce detaliile tehnice au fost verificate. A fost lansată o actualizare care modifică modul în care guix-daemon gestionează variabilele de mediu, legăturile simbolice (symlinks) și montarea directoarelor în sandbox, închizând complet portițele de evadare folosite în scenariile de atac testate.

    ⚠️ Acțiune obligatorie pentru utilizatori: Dacă rulezi GNU Guix ca manager de pachete independent pe o altă distribuție sau dacă folosești sistemul de operare complet Guix System, este critic să îți actualizezi demonul de sistem imediat.

    Pentru a securiza mașina, utilizatorii trebuie să ruleze comanda de actualizare a profilelor și, extrem de important, să repornească serviciul de fundal:

    Bash
    guix pull
    sudo systemctl restart guix-daemon
    Prin această intervenție rapidă, comunitatea demonstrează din nou că transparența totală a codului open-source și auditurile de securitate riguroase sunt cele mai bune mecanisme de protecție împotriva defectelor inevitabile de programare.

    #GNUGuix #GuixSystem #GNULinux #Cybersecurity #PackageManager #SandboxEscape #PrivilegeEscalation #OpenSource #TechNews

  3. Chocolatey packaging has resumed!

    Earlier, we’ve showcased a new installation script for Chocolatey that utilizes the WiX installer’s quiet mode instead of the ZIP extraction method. However, our deployment of this new installation script didn’t go smoothly, causing new versions of our packages to fail to meet the validation checks.

    To recap, we’ve always provided Chocolatey packages to make installation of our programs easier and frictionless. This makes sure that we always provide an easy way for our users to install Nitrocid and BassBoom, alongside our future programs that will come soon in the coming months.

    We wanted to make the experience consistent with WinGet, so we’ve decided to make appropriate changes to the Chocolatey packages to make sure that both Chocolatey and WinGet packages provide the exact same experience. We ran into problems pushing those packages, though.

    We are now very excited to announce that the distribution of Chocolatey packages for our projects has resumed! The new packages will be available for download in the next few hours.

    Special thanks to the Chocolatey Team for assisting us with this issue!

    To learn more, visit the Aptivi Newsroom article.

    Learn more #020 #021 #BassBoom #Chocolatey #news #Nitrocid #Nitrocid010 #Nitrocid020 #Nitrocid021 #Nitrocid021TechPreview #NitrocidKS #NitrocidKS020 #NitrocidV010 #NitrocidV021 #PackageManager #Tech #Technology #update #Windows
  4. Chocolatey packaging has resumed!

    Earlier, we’ve showcased a new installation script for Chocolatey that utilizes the WiX installer’s quiet mode instead of the ZIP extraction method. However, our deployment of this new installation script didn’t go smoothly, causing new versions of our packages to fail to meet the validation checks.

    To recap, we’ve always provided Chocolatey packages to make installation of our programs easier and frictionless. This makes sure that we always provide an easy way for our users to install Nitrocid and BassBoom, alongside our future programs that will come soon in the coming months.

    We wanted to make the experience consistent with WinGet, so we’ve decided to make appropriate changes to the Chocolatey packages to make sure that both Chocolatey and WinGet packages provide the exact same experience. We ran into problems pushing those packages, though.

    We are now very excited to announce that the distribution of Chodolatey packages for our projects has resumed! The new packages will be available for download in the next few hours.

    Special thanks to the Chocolatey Team for assisting us with this issue!

    To learn more, visit the Aptivi Newsroom article.

    Learn more #020 #021 #BassBoom #Chocolatey #news #Nitrocid #Nitrocid010 #Nitrocid020 #Nitrocid021 #Nitrocid021TechPreview #NitrocidKS #NitrocidKS020 #NitrocidV010 #NitrocidV021 #PackageManager #Tech #Technology #update #Windows
  5. Installing Spotify on Windows is just one command away with Winget! 🎵

    No more hunting for the official installer – here's the quick way to get it done 👇

    darryldias.me/blog/install-spo

  6. Temporary pause applied to Chocolatey package updates

    Since several years ago, we have been providing Chocolatey packages for each new version of our applications, such as Nitrocid and BassBoom. Both of these applications used manual extraction as the method, and our Chocolatey packages tried to make it easier for users to install them. Since then, we’ve implemented the WiX installer method so that Windows users can install our applications seamlessly.

    However, we are currently running into problems with pushing new Chocolatey packaging for each new version of our projects, due to the changes and the adjustments that we’ve made so that our packages use the WiX installation method for more consistency with the rest of the install methods.

    As those technical problems are serious and need a bit of time to analyze and to solve, we’ve decided to temporarily halt the distribution of all further Chocolatey packages for new versions of our projects, including Nitrocid (0.2.1 TP, 0.2.0.x, and 0.1.0.x) and BassBoom (1.0.x).

    This temporary halt will give us time to find the root cause and to attempt to provide a permanent fix.

    For more information about this decision, see the Aptivi Newsroom article below.

    Learn more #020 #021 #BassBoom #Chocolatey #news #Nitrocid #Nitrocid010 #Nitrocid020 #Nitrocid021 #Nitrocid021TechPreview #NitrocidKS #NitrocidKS020 #NitrocidV010 #NitrocidV021 #PackageManager #Tech #Technology #update #Windows
  7. Temporary pause applied to Chocolatey package updates

    Since several years ago, we have been providing Chocolatey packages for each new version of our applications, such as Nitrocid and BassBoom. Both of these applications used manual extraction as the method, and our Chocolatey packages tried to make it easier for users to install them. Since then, we’ve implemented the WiX installer method so that Windows users can install our applications seamlessly.

    However, we are currently running into problems with pushing new Chocolatey packaging for each new version of our projects, due to the changes and the adjustments that we’ve made so that our packages use the WiX installation method for more consistency with the rest of the install methods.

    As those technical problems are serious and need a bit of time to analyze and to solve, we’ve decided to temporarily halt the distribution of all further Chocolatey packages for new versions of our projects, including Nitrocid (0.2.1 TP, 0.2.0.x, and 0.1.0.x) and BassBoom (1.0.x).

    This temporary halt will give us time to find the root cause and to attempt to provide a permanent fix.

    For more information about this decision, see the Aptivi Newsroom article below.

    Learn more #020 #021 #BassBoom #Chocolatey #news #Nitrocid #Nitrocid010 #Nitrocid020 #Nitrocid021 #Nitrocid021TechPreview #NitrocidKS #NitrocidKS020 #NitrocidV010 #NitrocidV021 #PackageManager #Tech #Technology #update #Windows
  8. 🚨 Request to Linux app developers - please don't limit your app releases to Debian DEB packages.

    Yes, Debian-based Ubuntu is the most widely used Linux distro, but many of us also use non-Debian-based distros like AlmaLinux, Rocky, Fedora, openSUSE, and the like.

    Please also provide a repository, RPM, Flatpak, AppImage, or TAR file for installation on non-Debian distros. Thanks a bunch! ✌😄

    #Linux #Debian #NonDebian #RedHat #Repository #RPM #Flatpak #AppImage #TAR #Apps #PackageManager

  9. 🚨 Request to Linux app developers - please don't limit your app releases to Debian DEB packages.

    Yes, Debian-based Ubuntu is the most widely used Linux distro, but many of us also use non-Debian-based distros like AlmaLinux, Rocky, Fedora, openSUSE, and the like.

    Please also provide a repository, RPM, Flatpak, AppImage, or TAR file for installation on non-Debian distros. Thanks a bunch! ✌😄

    #Linux #Debian #NonDebian #RedHat #Repository #RPM #Flatpak #AppImage #TAR #Apps #PackageManager

  10. Naty S @eclecticpassions ·

    I wrote a note about maintaining my own tap for the .

    I have decided to maintain my own tap for the first time because of the deprecations that will come into action later this year in around September 2026.

    These deprecations are for software that has not signed or notarized to meet the macOS requirements.

    Read full note: burgeonlab.com/notes/2026/0610

    📈 burgeonlab.com/tags/100daystoo

    Syndicated by getindiekit.com/

  11. I wrote a note about maintaining my own tap for #homebrew the #packagemanager.

    I have decided to maintain my own tap for the first time because of the deprecations that will come into action later this year in around September 2026.

    These deprecations are for #macOS software that has not signed or notarized to meet the macOS #Gatekeeper requirements.

    Read full note: burgeonlab.com/notes/2026/0610

    📈 burgeonlab.com/tags/100daystoo

    Syndicated by getindiekit.com/

    #apple #100DaysToOffload

  12. Guys, I wanted to know how much the auto-categorization function of packages in a package manager would be in demand?

    #Foss #packagemanager

  13. Been quietly building UPAC — an open-source package manager designed for immutable Linux systems — for a while now, and it's finally getting real shape.
    It's a solo passion project, and honestly it's been a long road. If you're into Linux, packaging, or just like rooting for small FOSS projects, all possible help will be fine!

    🔗 github.com/justpav05/upac

    #Linux #OpenSource #PackageManager #ImmutableLinux #foss

  14. winget-tui - A terminal UI for Windows Package Manager (winget) - search, install, upgrade, and manage packages | by Scott Hanselman

    github.com/shanselman/winget-t

    #winget #cli #packagemanager #tui #windowsdev #commandline

  15. winget-tui - A terminal UI for Windows Package Manager (winget) - search, install, upgrade, and manage packages | by Scott Hanselman

    github.com/shanselman/winget-t

    #winget #cli #packagemanager #tui #windowsdev #commandline

  16. RPM 6.1.0 porta fix importanti, macro più flessibili, firme PKCS11 e build più pulite. Un aggiornamento da tenere d’occhio per chi usa Linux e gestisce pacchetti. #Linux #RPM #DevOps #OpenSource #PackageManager

    linuxeasy.org/rpm-6-1-0-rilasc

  17. RPM 6.1.0 porta fix importanti, macro più flessibili, firme PKCS11 e build più pulite. Un aggiornamento da tenere d’occhio per chi usa Linux e gestisce pacchetti. #Linux #RPM #DevOps #OpenSource #PackageManager

    linuxeasy.org/rpm-6-1-0-rilasc

  18. PyPI Package elementary-data Compromised to Steal Developer Data

    A malicious release of the popular elementary-data package on PyPI, which has over 1.1 million monthly downloads, allowed an attacker to steal developer data through a sneaky backdoor. This widely-used open-source tool for data observability in dbt pipelines became a prime target for the secrets-stealing campaign.

    osintsights.com/pypi-package-e

    #OpensourceCompromise #SupplyChain #PackageManager #Pypi #DataObservability

  19. Hey y'all

    The Package Manager is ready for testing. I removed hard dependency on our Distro making it work on any Arch-based Distro (with limitations).

    Feel free to test and report any issues via Github. Will try my best.

    github.com/xerolinux/xPackageM

  20. Hey y'all

    The #XeroLinux Package Manager is ready for testing. I removed hard dependency on our Distro making it work on any Arch-based Distro (with limitations).

    Feel free to test and report any issues via Github. Will try my best.

    github.com/xerolinux/xPackageM

    #FOSS #Linux #OpenSource #ArchLinux #PackageManager

  21. PHP Composer Flaws Expose Code Execution Risk, Prompting Patches

    Critical flaws in PHP Composer, a popular package manager, leave countless websites vulnerable to code execution attacks - but fortunately, patches have been released to swiftly mitigate this risk. If exploited, these high-severity vulnerabilities could allow hackers to execute arbitrary commands, putting entire…

    osintsights.com/php-composer-f

    #PhpComposer #CodeExecution #PackageManager #CommandInjection #VulnerabilityManagement

  22. Okay okay. That's that. I'm converted. It's uv all the way.

    Not just because of the speed though. It uses the best ideas of poetry and Pipenv, both of which I've used and the latter I've depended on for the past 4-ish years.

    #python #python-uv #PackageManager

  23. Okay okay. That's that. I'm converted. It's uv all the way.

    Not just because of the speed though. It uses the best ideas of poetry and Pipenv, both of which I've used and the latter I've depended on for the past 4-ish years.

    #python #python-uv #PackageManager

  24. Oh joy, another package manager no one asked for, claiming to be faster than a caffeinated cheetah on a sugar high 🏃‍♂️💨. Written in #Zig, because why not? Apparently, it's 7,000x faster than Homebrew, but only if you squint hard enough and sacrifice a goat to the gods of #benchmarks 🐐🔮.
    nanobrew.trilok.ai/ #packageManager #fasterThanHomebrew #techHumor #programmingJokes #HackerNews #ngated

  25. Oh joy, another package manager no one asked for, claiming to be faster than a caffeinated cheetah on a sugar high 🏃‍♂️💨. Written in #Zig, because why not? Apparently, it's 7,000x faster than Homebrew, but only if you squint hard enough and sacrifice a goat to the gods of #benchmarks 🐐🔮.
    nanobrew.trilok.ai/ #packageManager #fasterThanHomebrew #techHumor #programmingJokes #HackerNews #ngated

  26. GlazePKG porta ordine nel caos dei package manager: una TUI elegante che mostra ogni pacchetto installato, con ricerca fuzzy, snapshot, diff e supporto a 34 gestori diversi. #Linux #PackageManager #TUI

    linuxeasy.org/glazepkg-unifica

  27. GlazePKG porta ordine nel caos dei package manager: una TUI elegante che mostra ogni pacchetto installato, con ricerca fuzzy, snapshot, diff e supporto a 34 gestori diversi. #Linux #PackageManager #TUI

    linuxeasy.org/glazepkg-unifica

  28. I'm trying to understand / implement dependency resolving using the pubgrub algorithm (to use in my buildsystem nitto). But I keep running into bugs; The newset one:

    Suppose we have the following state:
    ```
    root 1.0.0 -> foo ^1.0.0, bar ^1.0.0
    foo 1.1.0 -> bar ^2.0.0
    foo 1.0.0 -> n/a
    bar 1.0.0 -> n/a
    bar 1.1.0 -> n/a
    bar 2.0.0 -> n/a
    ```

    Now after avoiding a conflict and by choosing to not select `foo 1.1.0` and deriving `not foo 1.1.0` from `{foo 1.1.0, not bar ^2.0.0}`, it derives `foo ^1.0.0` from `{root 1.0.0, not foo ^1.0.0}` even tho it is already an derivation term in the assignments! Aparentily it relates `not foo ^1.0.0` as as overlapping, and wants to add it again to the partial solution...

    #pubgrub #packagemanager #packagemanagement #dependencyresolution #programming #developing #coding #softwaredevelopment #foss #floss

  29. Are you using Homebrew? Sorry to hear that, check this out:

    🍺 **zerobrew** — A modern drop-in replacement for Homebrew on macOS

    💯 Content-addressable store + parallel downloads = 20x faster

    🦀 Written in Rust!

    ⭐ GitHub: github.com/lucasgelfond/zerobr

    #rustlang #cli #devtools #macos #homebrew #packagemanager #performance

  30. #Notepad plus plus reminds us to thank our package maintainers for doing what they do.

    Tbh not having a #packagemanager seems kind of barbaric to me.

    #PackageManagement is a public good.