website/news.xhtml

<!DOCTYPE html>
<!-- Inferencium - Website - News -->
<!-- Version: 1.1.0-beta.1 -->
<!-- Copyright 2024 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<link rel="stylesheet" href="main.css"/>
<link rel="icon shortcut" href="asset/img/logo/inferencium-notext.png"/>
<title>Inferencium - News</title>
</head>
<body>
<nav class="navbar">
<div class="logo"><a href="index.xhtml"><img src="asset/img/logo/inferencium-notext.png" alt="Inferencium logo"/></a></div>
<div class="title"><a href="index.xhtml">Inferencium</a></div>
<div><a href="about.xhtml">About</a></div>
<div><a href="news.xhtml">News</a></div>
<div><a href="documentation.xhtml">Documentation</a></div>
<div><a href="source.xhtml">Source</a></div>
<div><a href="changelog.xhtml">Changelog</a></div>
<div><a href="blog.xhtml">Blog</a></div>
<div><a href="contact.xhtml">Contact</a></div>
<div><a href="directory.xhtml">Directory</a></div>
<div><a href="key.xhtml">Key</a></div>
<div class="sitemap"><a href="sitemap.xhtml">Sitemap</a></div>
</nav>
<h1 id="news"><a href="#news">News</a></h1>
<nav id="toc">
<h2><a href="#toc">Table of Contents</a></h2>
<ul>
<li><a href="#2024-04-01">2024-04-01</a>
<ul>
<li><a href="#key-ssh-update-20240401">SSH Key Update</a></li>
</ul>
</li>
<li><a href="#2024-02-01">2024-02-01</a>
<ul>
<li><a href="#mirror-codeberg">Source Code Mirror - Codeberg</a></li>
</ul>
</li>
</ul>
</nav>
<section id="2024-04-01">
<h2><a href="#2024-04-01">2024-04-01</a></h2>
<article id="key-ssh-update-20240401">
<h3><a href="#key-ssh-update-20240401">SSH Key Update</a></h3>
<p>On 2024-03-29, a backdoor was discovered in the
<a href="https://git.tukaani.org/?p=xz.git">xz-utils</a>
software. Inferencium systems <strong><em>did</em></strong> have the affected versions of
this software installed, and the tools were used. The software has since been downgraded to
the last-known safe version.</p>
<p>After extensive research, it
<a href="https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27">has been discovered</a>
that specific criteria must be met for the backdoor to be effective. Based on
<strong><em>what is known</em></strong>, Inferencium systems are unaffected by this attack
for the following reasons:</p>
<ul>
<li>Inferencium systems run Gentoo Linux, which does not include Debian and Red Hat
OpenSSH patches.</li>
<li>Inferencium systems use musl libc, not glibc. As musl does not support glibc's
non-standard <code>IFUNC</code> functionality, the backdoor cannot run.</li>
<li>Inferencium systems use Clang as the system compiler, and lld as the system
linker, not GCC and ld.</li>
<li>Inferencium systems use OpenRC as the init system, not systemd. libsystemd and
systemd-notify do not work with OpenRC.</li>
</ul>
<p>The <em>only</em> criterion met by Inferencium systems is amd64 as the system
architecture; this is not enough for the backdoor to be effective. Even if all criteria
other than running glibc were met, Inferencium systems would still be unaffected by this
attack due to musl not supporting the required <code>IFUNC</code> functionality.</p>
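<p>The criteria above, expressed as a host check. This is an added example, not Inferencium's own code; the function names, the constructed sample <code>ldd</code> output, and the use of <code>/run/systemd/system</code> and <code>/run/openrc</code> to identify the init system are assumptions, and the compiler and linker criterion is not checked.</p>

```shell
#!/bin/sh
# Added example: compare a host with the criteria listed above.
# Not checked: the toolchain criterion (GCC and ld), which concerns how xz was built.

# Which libc the sshd binary resolves to, from the output of ldd run on sshd.
sshd_libc() {
    case "$1" in
        *ld-musl*|*libc.musl*) echo musl ;;
        *libc.so.6*) echo glibc ;;
        *) echo unknown ;;
    esac
}

# True when the given library name appears in the ldd output.
links_lib() {
    case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Init system under a root directory (use / on a live host).
init_system() {
    if [ -d "$1/run/systemd/system" ]; then echo systemd
    elif [ -d "$1/run/openrc" ]; then echo openrc
    else echo unknown; fi
}

# Number of checked criteria met (0-4): amd64, glibc, systemd, sshd linked to libsystemd.
criteria_met() {  # usage: criteria_met ARCH LDD_OUTPUT ROOT
    n=0
    case "$1" in x86_64|amd64) n=$((n + 1)) ;; esac
    if [ "$(sshd_libc "$2")" = glibc ]; then n=$((n + 1)); fi
    if [ "$(init_system "$3")" = systemd ]; then n=$((n + 1)); fi
    if links_lib "$2" libsystemd; then n=$((n + 1)); fi
    echo "$n"
}

# Constructed sample: ldd output for sshd on a musl system (not captured from a real host).
SAMPLE_MUSL='	/lib/ld-musl-x86_64.so.1 (0x7f0000000000)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x7f0000100000)
	libc.so => /lib/ld-musl-x86_64.so.1 (0x7f0000000000)'

# Live host: criteria_met "$(uname -m)" "$(ldd "$(command -v sshd)")" /
```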
<p><strong>Despite the evidence, it is unknown exactly what this malicious code does and is
capable of in entirety. As a precautionary measure, I have generated a new SSH key and
classified the previous key as compromised. You can find my new key on the
<a href="key.xhtml#ssh-current-2">Key webpage</a>.</strong></p>
<p>There is no evidence that my previous key was compromised, so this is entirely a
precautionary measure. All files and Git commits, tags, and releases signed with the
previous key, even after discovery of the backdoor, up to 2024-04-01, are secure and validly
signed by me; the key should not be trusted after this date.</p>
</article>
</section>
<section id="2024-02-01">
<h2><a href="#2024-02-01">2024-02-01</a></h2>
<article id="mirror-codeberg">
<h3><a href="#mirror-codeberg">Source Code Mirror - Codeberg</a></h3>
<p><a href="https://src.inferencium.net/Inferencium">Inferencium source code repositories</a>
are now mirrored at
<a href="https://codeberg.org/Inferencium">Codeberg</a>.
In case of service disruption of the main Inferencium source code repositories, the mirrors
can be used to access the source code.</p>
<p>Due to terms of service restrictions, proprietary code and related repositories, such as
firmware, are unable to be mirrored to Codeberg.</p>
</article>
</section>
<div class="sitemap-small"><a href="sitemap.xhtml">Sitemap</a></div>
</body>
</html>