JustSomeGuy1

tronald said:

DAalseth said:

I am surprised that Apple would keep current with the OS packages. I figured once they split, they would keep things in house and proprietary. 

Why wouldn't they keep things up-to-date? The kernel is the primary thing that was forked, and at this point the macOS kernel (which is also used in all their other operating systems) is basically an Apple one-off. But, it produces a more-or-less standard Unix system call framework, threading and process model, and network stack. So, Unix and most Linux stuff can be compiled just fine. And, that stuff isn't Apple's differentiator. It is the graphical application layers that are Apple's differentiator. 

That said, Apple doesn't do that great of a job of keeping their open source Unix/Linux utilities all that up-to-date. They don't view them as a competitive differentiator, so they don't go out of their way to keep them forked and modified for their own purposes. But, they also don't seem to go out of their way to keep them up-to-date either. But that seems more of an attention issue than anything related to ideological or business motives. 

auxio said:

Yup, and I work with those languages because they're the only way to create native, cross-platform applications (core is C++ code, UI layer is native Swift/Kotlin/language du jour).  Memory management isn't hard once you come up with a model of ownership.  And modern C++ has reference counted pointers as part of the standard library, which is essentially what Objective-C (and, by proxy, Swift) has.

But anyways, strategies for dealing with memory management is a bit of a digression here.  The point is that, for smaller apps, auditing all sources of input data for buffer overflow/invalid data attacks, any external tools used for validity, etc, isn't a massive undertaking.  But yeah, it seems like this was something missed in a recent change/addition to sudo, not a security hole which has been in the tool for ages.

asdasd said:

auxio said:

Given how long these tools have been around (40+ years in some cases), how relatively simple the code is compared to modern software, and the fact that they're used in server environments, I'm very surprised they haven't been fully security audited by now.

They aren’t that simple. That’s the problem. They are written in unsafe languages like C and C++ where memory management was up to the code writer. 

glennh said:

Is not this like saying someone can burglarized your house once they are physically inside your house? /s

sdw2001 said:

"Journalist" and "Educator."  Give me a break.  She edited a journal called "La Opinion."  You can't make this stuff up.  And an educator?  Why, because she served on the Board of Regents and at Disney?  She's a social justice/progressive advocate who, according to Tim Cook, fights for a "more equitable future."   What a load of garbage.  Apple isn't thinking about a more "equitable" future when they are making phones in Chinese factory-cities, selling them for $1000.  Or when they are selling $10,000+ Mac Pros.  Or just about any other premium product.  They are the world's most valuable company by market cap.  They didn't get that way with their progressive PR bullshit.