| author | Xe Iaso <me@christine.website> | 2022-10-17 18:45:12 -0400 |
|---|---|---|
| committer | Xe Iaso <me@christine.website> | 2022-10-17 18:45:12 -0400 |
| commit | 201da519c333c2b22b6b41c96d238175f6705332 (patch) | |
| tree | 2a6f565f03a62c31dbc7e9feb37e82a2989aa188 | |
| parent | 6c69164a590451ab98ed7463b612dfd99ab8186f (diff) | |
| download | xesite-201da519c333c2b22b6b41c96d238175f6705332.tar.xz xesite-201da519c333c2b22b6b41c96d238175f6705332.zip | |
update 1
Signed-off-by: Xe Iaso <me@christine.website>
| -rw-r--r-- | blog/OVE-20221017-0001.markdown | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/blog/OVE-20221017-0001.markdown b/blog/OVE-20221017-0001.markdown index 2726404..210e4ea 100644 --- a/blog/OVE-20221017-0001.markdown +++ b/blog/OVE-20221017-0001.markdown 
@@ -40,5 +40,32 @@ Here are other discussions about this: Modrith](https://twitter.com/modrinth/status/1582093129641234432) - [A thread from @gamingonlinux](https://twitter.com/gamingonlinux/status/1582103691762405378) +- [Gentoo Bug #877495](https://bugs.gentoo.org/877495) +- [Important warning for users of the PolyMC mod + launcher](https://old.reddit.com/r/Minecraft/comments/y6lt6s/important_warning_for_users_of_the_polymc_mod/) +- [Switch off of PolyMC + ASAP](https://www.reddit.com/r/PolyMCLauncher/comments/y6k4x7/switch_off_of_polymc_asap/) Future updates to come. + +UPDATE(2022 M10 17 22:35): Minecraft mod launchers work by downloading arbitrary +Java bytecode as instructed to by a metadata server. The metadata server that +PolyMC uses is in the hands of the threat actor in control of the GitHub +organization and as such you should treat any file that the PolyMC launcher +downloads as advised by that metadata server as compromised. We do not have +evidence of any compromise at this time, but the Minecraft mod ecosystem does +not cryptographically sign mods when they are published so we have no way to +easily tell. + +Some people have advised that users of PolyMC can mitigate this issue by +changing the metadata server that the client uses, however I do not feel this is +a sufficient fix. I suggest that you should _purge_ the PolyMC launcher from +your systems and wait a few days for the dust to settle. No offense to the +estranged PolyMC devs that are just trying to create a working solution for +users, but there is not enough clarity to really know what is going on. + +NixOS and Gentoo have masked the PolyMC package. PolyMC is no longer installable +via those distributions. I am told that the Flatpak package is not under the +control of the threat actor, but I want to wait and see. + +<xeblog-conv name="Cadey" mood="coffee">Happy monday, eh?</xeblog-conv> |
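
Review bot: In the first added paragraph (the UPDATE text), "you should treat any file that the PolyMC launcher downloads as advised by that metadata server as compromised" is followed in the next sentence by "We do not have evidence of any compromise at this time", and the two read as contradicting each other. Consider narrowing the second sentence to say there is no evidence that tampered files have been served, so it is clear the precaution follows from the lack of mod signing rather than from an observed incident. The second added paragraph tells readers to _purge_ the launcher but does not say whether files it has already downloaded fall under the same advice, which the first paragraph implies they do; one sentence stating that explicitly would close the gap. Two smaller points: the `UPDATE(2022 M10 17 22:35)` stamp carries no timezone, and "Happy monday" should be "Happy Monday".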
