
New BootHole Vulnerability Affects Billions of Devices, Compromises GRUB2 Boot-loader

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
46,277 (7.69/day)
Even if you don't have more than one operating system installed, your PC has a boot-loader, a software component first executed by the system BIOS, which decides which operating system to boot with. This also lets users toggle between different run-levels or configurations of the same OS. The GRUB2 boot-loader is deployed across billions of computers, servers, and pretty much any device that uses a Unix-like operating system. Cybersecurity researchers with the Oregon-based firm Eclypsium discovered a critical vulnerability in GRUB2 that can compromise a device's operating system. They named the vulnerability BootHole. This is the same firm behind last year's discovery of the Screwed Drivers vulnerability. It affects any device that uses the GRUB2 boot-loader, including when combined with Secure Boot technology.

BootHole exploits a design flaw in two of GRUB2's key components: bison, a parser generator, and flex, a lexical analyzer. Eclypsium discovered that these two can have "mismatched design assumptions" that lead to a buffer overflow. This buffer overflow can be exploited to execute arbitrary code. Devices with modern UEFI and Secure Boot enabled typically wall off even administratively privileged users from tampering with boot processes; however, in the case of BootHole, the boot-loader parses a configuration file located in the EFI partition of the boot device, which can be modified by any user (or malicious process) that has admin privileges. Thankfully, patched versions of GRUB2 are already out, and the likes of SUSE have started distributing them for all versions of SUSE Linux. Expect practically every other *nix vendor and server manufacturer to release patches to their end-users. Find a technical run-down of the vulnerability in this PDF by Eclypsium.



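The "mismatched design assumptions" the post describes, as an added example in C that is not GRUB2 or flex code: a flex-style scanner with a fixed-size token buffer expects its fatal-error hook never to return, while a GRUB-style hook only logs and returns, so the scanner keeps copying past the end of its buffer. The hardened variant turns the error path into a return code the caller must handle. Function names, buffer sizes, the sentinel and the sample tokens are all constructed for this demonstration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added demonstration, not GRUB2 or flex source. It models the mismatch the
 * post describes: a flex-style scanner with a fixed token buffer calls a
 * "fatal error" hook when a token will not fit and assumes that hook never
 * returns. If the host program's hook only logs and returns, the scanner
 * keeps copying and overruns the buffer. All names here are hypothetical.
 */

#define TOKEN_BUF_SIZE 16           /* logical size of the scanner's token buffer */
#define ARENA_SIZE     32           /* token buffer followed by a "neighbouring" object */
#define NEIGHBOUR_FILL ((char)0xAA) /* sentinel so clobbered neighbour bytes can be counted */

static int fatal_error_calls;       /* how often the hook fired during the last scan */

/* GRUB-style hook as described in the post: it reports the error and returns. */
static void fatal_error_log_only(const char *msg)
{
    fatal_error_calls++;
    fprintf(stderr, "fatal error: %s\n", msg);
}

/*
 * Vulnerable scanner: copies one space-delimited token into arena[], whose
 * first TOKEN_BUF_SIZE bytes are "the buffer". On overflow it calls the hook
 * and, because the hook returns, continues writing. The ARENA_SIZE bound exists
 * only so this demo stays inside one array; real code has no such stop.
 * Returns the number of bytes written past the logical buffer end.
 */
static size_t scan_token_vulnerable(char *arena, const char *input)
{
    size_t n = 0;
    fatal_error_calls = 0;
    for (const char *p = input; *p != '\0' && *p != ' ' && n < ARENA_SIZE; p++) {
        if (n >= TOKEN_BUF_SIZE)
            fatal_error_log_only("input buffer overflow, can't enlarge buffer");
        arena[n++] = *p;            /* executes even after the "fatal" error */
    }
    return n > TOKEN_BUF_SIZE ? n - TOKEN_BUF_SIZE : 0;
}

/*
 * Hardened scanner: the error path ends the scan and reports failure to the
 * caller, so nothing is written beyond buf[buf_size - 1]. Returns 0 on success
 * (buf NUL-terminated, *out_len set) or -1 if the token does not fit.
 */
static int scan_token_hardened(char *buf, size_t buf_size, const char *input, size_t *out_len)
{
    size_t n = 0;
    for (const char *p = input; *p != '\0' && *p != ' '; p++) {
        if (n + 1 >= buf_size) {    /* keep one byte for the terminator */
            fprintf(stderr, "fatal error: token exceeds %zu bytes\n", buf_size - 1);
            return -1;
        }
        buf[n++] = *p;
    }
    buf[n] = '\0';
    *out_len = n;
    return 0;
}

/* Runs the vulnerable scanner and counts neighbour bytes that lost their sentinel. */
static size_t neighbour_bytes_clobbered(const char *input)
{
    char arena[ARENA_SIZE];
    size_t clobbered = 0;
    memset(arena, NEIGHBOUR_FILL, sizeof arena);
    scan_token_vulnerable(arena, input);
    for (size_t i = TOKEN_BUF_SIZE; i < ARENA_SIZE; i++)
        if (arena[i] != NEIGHBOUR_FILL)
            clobbered++;
    return clobbered;
}

/* Hardened scan into a TOKEN_BUF_SIZE buffer; returns only the result code. */
static int hardened_rc(const char *input)
{
    char buf[TOKEN_BUF_SIZE];
    size_t len = 0;
    return scan_token_hardened(buf, sizeof buf, input, &len);
}

int main(void)
{
    /* Constructed inputs: a normal grub.cfg-sized token and an over-long one. */
    const char *ok_token   = "hd0,gpt1 rest-of-line";
    const char *long_token = "AAAAAAAAAAAAAAAAAAAAAAAA rest-of-line"; /* 24-byte token */
    size_t clobbered;

    clobbered = neighbour_bytes_clobbered(ok_token);
    printf("vulnerable, short token: %zu neighbour bytes clobbered\n", clobbered);
    clobbered = neighbour_bytes_clobbered(long_token);
    printf("vulnerable, long token:  %zu neighbour bytes clobbered, hook fired %d times\n",
           clobbered, fatal_error_calls);
    printf("hardened, short token: rc=%d\n", hardened_rc(ok_token));
    printf("hardened, long token:  rc=%d\n", hardened_rc(long_token));
    return 0;
}
```

The ARENA_SIZE stop in the vulnerable scanner is a demo-only guard; the point is that the copy continues after the "fatal" error, which on a real heap lands the excess bytes in whatever object follows the buffer. The hardened form makes the failure a return code, so a caller that ignores it is visible in review rather than silently corrupting memory.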
 
Joined
Feb 15, 2019
Messages
1,525 (0.82/day)
Finally not an intel specific bug.
 
Joined
Mar 6, 2017
Messages
3,204 (1.24/day)
Are windows users safe from this one?
Yes. However, the theory behind open source's million eyes idea is a load of bunk. I've said it before and I'll say it again, for open source to really work you need people willing to actually look at the code. The funny thing is you generally need to pay people to do that sort of work. Something about needing that silly thing called food and you generally need money to get that food.

Look at OpenSSL, millions of people use it across the globe yet for the longest time there was only one man tasked with maintaining the code and not only that but a man in his sixties no less. It was only when a high-profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.

Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.
 
Joined
Jan 25, 2006
Messages
1,470 (0.22/day)
I think I need my coffee though it's only 6.20am here, I had to double take as I thought it said bootyhole vulnerability o_O
 

TheLostSwede

News Editor
Joined
Nov 11, 2004
Messages
16,001 (2.26/day)

Corvid

New Member
Joined
Jun 24, 2020
Messages
4 (0.00/day)
Yes. However, the theory behind open source's million eyes idea is a load of bunk. I've said it before and I'll say it again, for open source to really work you need people willing to actually look at the code. The funny thing is you generally need to pay people to do that sort of work. Something about needing that silly thing called food and you generally need money to get that food.

Look at OpenSSL, millions of people use it across the globe yet for the longest time there was only one man tasked with maintaining the code and not only that but a man in his sixties no less. It was only when a high-profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.

Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.

None of these problems are problems with open source. They are problems with a lack of qualified/interested programmers, capitalism, and the profit motive.

There's plenty of open source projects out there with tons of funding and dedicated developers, but companies tend to forget about "little" projects that run their entire goddamn infrastructure like OpenSSL and GRUB
 
Joined
Jul 5, 2013
Messages
25,559 (6.52/day)
After having read into it more closely, this is yet another vulnerability that requires physical access to implement and has a level of difficulty that cannot be discounted. This is not something the average user needs worry about.
 
Joined
Mar 6, 2017
Messages
3,204 (1.24/day)
They are problems with a lack of qualified/interested programmers, capitalism, and the profit motive.
If it's the choice between providing for yourself and your family, most good programmers will take a job at places like Microsoft, Google, Apple, IBM, or any other Fortune 500 company and rightfully so. Nobody likes starving.
There's plenty of open source projects out there with tons of funding and dedicated developers
Oh yes but outside of the big projects like Ubuntu, WordPress, Apache, MySQL/MariaDB, PHP, LibreOffice, and of course... (the most popular of them all) the Linux kernel itself, most open source projects die within a year of starting due to lack of funding. Just look at the graveyard that is GitHub, a good 98% of projects have died. And for those projects that have made it, they often get funding from big-name companies.
 
Joined
Nov 1, 2008
Messages
4,213 (0.75/day)
Yes. However, the theory behind open source's million eyes idea is a load of bunk. I've said it before and I'll say it again, for open source to really work you need people willing to actually look at the code. The funny thing is you generally need to pay people to do that sort of work. Something about needing that silly thing called food and you generally need money to get that food.

Look at OpenSSL, millions of people use it across the globe yet for the longest time there was only one man tasked with maintaining the code and not only that but a man in his sixties no less. It was only when a high-profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.

Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.

People monetize open source all the time. Sure, you might be right about small, obscure open source programs, but when big companies use open source, they do scrutinize the code and they do get paid to do so.
 

sumolDeLaranja

New Member
Joined
Jul 14, 2020
Messages
6 (0.00/day)
Oh yes but outside of the big projects like Ubuntu, WordPress, Apache, MySQL/MariaDB, PHP, LibreOffice, and of course... (the most popular of them all) the Linux kernel itself, most open source projects die within a year of starting due to lack of funding. Just look at the graveyard that is GitHub, a good 98% of projects have died. And for those projects that have made it, they often get funding from big-name companies.
You think said projects get funding out of kindness in big-name companies' hearts, or because not having to reinvent the wheel lets them save money and pay for programmers to do real innovation? ;)
Please no jokes about our best and brightest spending their time creating adtech algorithms to sell you a fidget spinner...
It seems like megacorps see a place for open source, and clearly they do want to employ bright people and have them create new products and services, and not have them rewrite rather essential stuff like cryptography stacks and bootloaders over and over again...
 
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
Yes. However, the theory behind open source's million eyes idea is a load of bunk.

It's not. This vulnerability, however, is. If you control the bootloader you can just pass some kernel parameters to attain root, how is this a vulnerability? This is more like a concept in computing, lol.

Apparently not. Technically no OS is safe from this.

They are. Windows doesn't use GRUB, it uses NTLDR. Not that you can't uh, do the same kind of crap there. Bootloaders are not meant to be secure really. It's like having physical access to the machine at that point.

After having read into this more closely, this is yet another vulnerability that requires physical access to implement and has a level of difficulty that cannot be discounted. This is not something the average user needs worry about.

I mean if you have root, you can always rewrite the bootloader. But again, this is like crying about how I got compromised because I was already compromised. It's BS.
 

bug

Joined
May 22, 2015
Messages
13,163 (4.07/day)
After having read into this more closely, this is yet another vulnerability that requires physical access to implement and has a level of difficulty that cannot be discounted. This is not something the average user needs worry about.

Yes, you need to craft a grub.cfg file. You can only do that if you gain root privileges first. If an attacker gains root access on your machine, grub/secure boot is the least of your worries.

Good thing it was discovered though, many attacks these days are built around chaining together several innocuous and/or hard to exploit flaws like this.
 
Joined
Jul 10, 2015
Messages
748 (0.23/day)

bug

Joined
May 22, 2015
Messages
13,163 (4.07/day)
Oh yes but outside of the big projects like Ubuntu, WordPress, Apache, MySQL/MariaDB, PHP, LibreOffice, and of course... (the most popular of them all) the Linux kernel itself, most open source projects die within a year of starting due to lack of funding. Just look at the graveyard that is GitHub, a good 98% of projects have died. And for those projects that have made it, they often get funding from big-name companies.
About 80% of all software projects are failures, open source has nothing to do with that.
 

TheLostSwede

News Editor
Joined
Nov 11, 2004
Messages
16,001 (2.26/day)
They are. Windows doesn't use GRUB, it uses NTLDR. Not that you can't uh, do the same kind of crap there. Bootloaders are not meant to be secure really. It's like having physical access to the machine at that point.
The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority.
So YES, Windows is affected too. Maybe not as badly, but still.
 

bug

Joined
May 22, 2015
Messages
13,163 (4.07/day)
So YES, Windows is affected too. Maybe not as badly, but still.
It's unclear to me how this will affect a pure Windows install, since those don't include grub. Also unclear why the certificate authority is mentioned.
But I can see how this will affect dual-boot installs: once you botch the UEFI, it stays botched.
 
Joined
Mar 6, 2017
Messages
3,204 (1.24/day)
Sure, you might be right about small, obscure open source programs
What about OpenSSL? That thing is something that the whole entire Internet is practically built on, it's the one piece of software that literally makes secure eCommerce possible. Yet, it never got the attention that it deserved until all of a sudden, some nasty big security hole was found (Heartbleed) and THEN it got the funding it needed. Where was the funding before? Oh sure, they got some scraps thrown their way every once in a great while; but in the end it was just scraps. Oh here, we had some money in our end-of-the-year budgets, let's throw it their way.

And OpenSSL wasn't the only big-name project that damn near failed. Ever heard of OpenBSD? Yeah, back in January of 2014 they didn't even know if they were going to be able to keep the lights on and pay the electricity bill. It was only after a $100,000 bailout by none other than Microsoft that saved OpenBSD from oblivion. And I'm pretty damn sure that Microsoft didn't give the money over out of the goodness of their hearts. If you believe that, I've got some bottom land to sell you; just don't ask me what it's at the bottom of.

Outside of the big-name projects like I mentioned before (Ubuntu, WordPress, etc.), open source is a joke. Writing good software is hard! It takes time, people, and money.

Just look at the forum software that powers this very forum, XenForo. It's written in PHP however it's $160 a year for the base package. If you add some addons, it's $345 a year. And it's not open source. Sure, there's phpBB and Simple Machines Forum but yeah right.
 

bug

Joined
May 22, 2015
Messages
13,163 (4.07/day)
Outside of the big-name projects like I mentioned before (Ubuntu, WordPress, etc.), open source is a joke. Writing good software is hard! It takes time, people, and money.
Gtk/Gnome, Qt/KDE, GIMP, Darktable, Blender, Apache Kafka (et comp), Elasticsearch, Mozilla, Chromium, OpenWRT, pfSense, PuTTY, Keepass, ffmpeg, VLC, git, gcc...
But you're right, aside from a few hundred projects, open source is totally a joke.
 
Joined
Mar 6, 2017
Messages
3,204 (1.24/day)
Mozilla is funded by huge donations from Google. Chromium is obviously by Google. But that’s why I said, outside of the big-name projects open source is generally a joke. Most projects on GitHub die within a year due to lack of funding.
 
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
So YES, Windows is affected too. Maybe not as badly, but still.

Ah. The grub2 commentary confused me.

What about OpenSSL? That thing is something that the whole entire Internet is practically built on, it's the one piece of software that literally makes secure eCommerce possible. Yet, it never got the attention that it deserved until all of a sudden, some nasty big security hole was found (Heartbleed) and THEN it got the funding it needed.

It had funding the whole time, it just had a big bug in a complex software. This happens, money or not.

Most projects on GitHub die within a year due to lack of funding.

A lack of a maintainer does not make them useless.
 
Joined
Mar 6, 2017
Messages
3,204 (1.24/day)
It had funding the whole time, it just had a big bug in a complex software. This happens, money or not.
Not according to the one man who was maintaining it. There was only one man who was babysitting the code of OpenSSL and he was in his sixties. He wanted to retire for God's sake yet with not enough funding being brought in, he couldn't hand the project off.

Something that involves a library of code as huge as OpenSSL needs more than one person to scan the lines of code, I'd go so far as to say that it needs a team of people doing code audits at least twice a year if not more than that. OpenSSL is like the water and sewer pipes of the Internet, if that breaks all hell breaks loose.
 
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
Not according to the one man who was maintaining it. There was only one man who was babysitting the code of OpenSSL and he was in his sixties. He wanted to retire for God's sake yet with not enough funding being brought in, he couldn't hand the project off.

Something that involves a library of code as huge as OpenSSL needs more than one person to scan the lines of code, I'd go so far as to say that it needs a team of people doing code audits at least twice a year if not more than that. OpenSSL is like the water and sewer pipes of the Internet, if that breaks all hell breaks loose.

So you have one example, that isn't an open source specific problem, but a funding one?
 
Joined
Mar 6, 2017
Messages
3,204 (1.24/day)
So you have one example, that isn't an open source specific problem, but a funding one?
OK, but I also mentioned OpenBSD that was saved only by Microsoft coming along with $100,000 in their pockets.

The problem that most open source projects have is that they have a lot of "takers" but not a lot of "givers". If you like an open source program/project, you need to do what is right and by that, I mean donate to the project be it direct donations or if they have a merch store, buy something there. Buy a coffee cup or a t-shirt for God's sake! Every little bit helps.

Like it or not, open source projects live and die on their budgets (or should I say, lack of budgets). The unfortunate thing is that a majority of people are freakin' cheapskates. They don't donate, they don't pay, yet they're the first to start yelling when things go wrong.
 
Joined
Mar 10, 2015
Messages
3,984 (1.21/day)
Outside of the big-name projects like I mentioned before (Ubuntu, WordPress, etc.), open source is a joke. Writing good software is hard! It takes time, people, and money.

WordPress is still a joke.
 