Brief items
Security
Credential-leaking vulnerability in some Git credential managers
Security researcher RyotaK has shared a series of vulnerabilities that all have to do with how Git interfaces with external credential managers. In short, while Git guards against newline characters (\n) being injected into a repository's URL, some programming languages also treat carriage return characters (\r) as being newlines. Adding a carriage return to a repository's URL can cause Git and the credential manager to disagree on how the URL should be parsed, ultimately resulting in Git credentials being sent to the wrong host. Malicious repositories could include Git submodules with malformed URLs, triggering the bug. Only password-based authentication with an external credential manager is vulnerable to this attack; SSH-based authentication remains secure. The Git project has chosen to consider this a vulnerability in Git, given the large amount of external software affected. The project has fixed the bug on its end by releasing updates for all supported versions that ban carriage returns in URLs entirely.
Affected software includes GitHub Desktop, Git LFS, and possibly other Git utilities:
Since Git itself doesn't use the .lfsconfig file, specifying the URL that contains the newline character in .lfsconfig causes Git LFS to insert the newline character into the message, while bypassing [...] Git's validation.
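The parsing disagreement described above is easy to reproduce, and the same check that Git now applies (reject any URL containing a carriage return or line feed) can be run ahead of time over the .gitmodules and .lfsconfig files of a checkout. The following is an added example written for this page; it is not code from Git, Git LFS, or RyotaK's advisory. The sample configuration text and the credential message are constructed, and the "extra" token after the carriage return is a neutral placeholder, not a real payload.

```python
"""
Added example (not from the article, Git, or Git LFS): flag repository URLs in
Git-style config files that contain CR or LF, and show why a CR matters to a
credential helper that splits lines the way many language runtimes do.
"""

# Characters Git now bans from URLs outright: line feed and carriage return.
FORBIDDEN_IN_URL = ("\n", "\r")


def url_is_safe(url: str) -> bool:
    """Return False if the URL contains a CR or LF (the post-fix Git rule)."""
    return not any(ch in url for ch in FORBIDDEN_IN_URL)


def parse_disagreement(message: str) -> tuple:
    """
    Git writes credential-protocol requests as LF-terminated key=value lines.
    A helper whose line splitter also honours CR (Python's splitlines() does)
    sees a different number of lines than an LF-only reader.
    Returns (lines_seen_by_lf_only_parser, lines_seen_by_cr_aware_parser).
    """
    lf_only = [ln for ln in message.split("\n") if ln]
    cr_aware = [ln for ln in message.splitlines() if ln]
    return len(lf_only), len(cr_aware)


def find_unsafe_urls(config_text: str) -> list:
    """
    Minimal reader for the INI-like .gitmodules / .lfsconfig format.
    Splits on LF only, as Git does, so an embedded CR stays inside the value.
    Returns (section, url) pairs whose url contains CR or LF.
    """
    flagged = []
    section = None
    for raw in config_text.split("\n"):
        line = raw.strip(" \t")
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "url":
            url = value.strip(" \t")
            if not url_is_safe(url):
                flagged.append((section, url))
    return flagged


# Constructed sample: one clean submodule and one whose URL carries a CR.
SAMPLE_GITMODULES = (
    '[submodule "clean"]\n'
    '\tpath = clean\n'
    '\turl = https://example.com/org/clean.git\n'
    '[submodule "suspect"]\n'
    '\tpath = suspect\n'
    '\turl = https://example.com/org/suspect.git\rextra\n'
)

# Constructed credential request with a CR inside the host value.
SAMPLE_MESSAGE = "protocol=https\nhost=example.com\rextra\npath=org/repo\n"


if __name__ == "__main__":
    for section, url in find_unsafe_urls(SAMPLE_GITMODULES):
        print(f"rejecting [{section}]: {url!r}")
    print("lines seen (LF-only, CR-aware):", parse_disagreement(SAMPLE_MESSAGE))
```

Running this as a pre-clone or CI step over the files in a checkout catches the malformed submodule and LFS URLs the article describes before any credential helper is invoked; the parse_disagreement function is there only to make the LF-versus-CR line-count mismatch visible.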
Security quotes of the week
The most insidious thing about Big Tech's takeover of the internet isn't the concentration of power—it's how it's trained us to beg for scraps from our digital overlords. Every week brings a new chorus of voices demanding that [insert tech giant] must "do better" or that [insert government agency] needs to "crack down" or that [insert billionaire] should swoop in to save us. We've become digital peasants, petitioning various lords and kings to please, please fix the internet for us.
[...] We all saw the tech oligarchs lined up behind Donald Trump at the inauguration. Any plan that involves having any of them "saving" or "fixing" the internet is not going to lead to good results. It's just going to lead to more power for the powerful, and less for the rest of us.
Instead, we need to look for more ways for users to empower themselves and to get out of this state of learned helplessness and demanding some more powerful entity "fix" everything that goes wrong.
— Mike Masnick
Decentralization is itself a defensive countermeasure (code). When a service has diffuse power, it's harder for any one person to take it over. Federation adds another defensive layer, because users who don't like the way one server is run can move to another server, with varying degrees of data- and identity-portability. That makes it harder for server owners to squeeze users to make money (markets), and gives them an out if server owners try it anyway.
[...] That said, decentralization and federation are not perfect, set-and-forget defenses. Take email – the oldest, most successful federated system of them all. Email is nominally decentralized, but most email traffic goes through a handful of extremely large servers run by a cartel of companies (Google, Apple, Microsoft, and a few ISPs). These companies collude (or, more charitably, coordinate) to block email from non-cartel companies, in the name of fighting spam. This makes running your own mail server so hard that it is nearly impossible (that is, if you care about people actually receiving the email you send them).
— Cory Doctorow
Kernel development
Kernel release status
The 6.14 merge window remains open; it can be expected to close on February 2.
Stable updates: 6.12.11, 6.6.74, 6.1.127, and 5.15.177 were released on January 23.
Quotes of the week
When a mechanism is introduced that makes it easy to disable a system feature in the LSM environment I start hearing voices saying "You can't use security and the cool thing together", and the developers of "the cool thing" wave hands and say "just disable it" and it never gets properly integrated. I have seen this so many times it makes me wonder how anything ever does get made to work in multiple configurations.
— Casey Schaufler
I'm stepping down from all my maintainer roles. My first commit feed9bab7b14 ("spi: omap2_mcspi PIO RX fix") to the kernel was back in 2008 for v2.6.24 so I have been here for a long time. Thank you everyone who I have worked with, there are too many to list here.
— Kalle Valo, wireless network driver maintainer, moves on
The DCO [developers certificate of origin] is a rather neat trick of legal hackery, and it works ok for Linux but the reason it works well in the Linux project is somewhat unique to Linux. The most important thing I want to draw the GDB community's attention to is that the DCO is specifically designed to shift the blame and burden for improperly licensed code ending up in the codebase *onto the individual developers personally*. This works great for companies, as it limits their liability. In practice, it's rare anyone gets sued, so Linux folks are ok with the legal hack. But I regularly urge developers to think carefully if they really want to take on such risk themselves.
— Bradley Kuhn
Distributions
Ubuntu developer discussion moving to Matrix
Ubuntu will be moving its "official realtime communications channels" from IRC to Matrix, beginning March 1, 2025, following a discussion on the ubuntu-devel mailing list.
"Official" communication, such as making realtime requests of privileged Ubuntu developer teams, could be expected to be actioned if requested on Matrix only. Similarly, you can consider your social responsibility to other developers in relation to your work in Ubuntu development to be fulfilled if you are present on that platform. And Canonical will follow in its requirement for its employed Ubuntu developers to be present on that agreed platform during their working hours.
Distributions quote of the week
Today it is my honor to inform you that https://build.opensuse.org/request/show/1240106 was accepted, so only 5 years after it became EOL, python2 is finally gone and not used anymore for anything in openSUSE.
Development
Incus 6.9 released
Version 6.9 of the Incus container and virtual-machine management system has been released. Changes include a command to provide virtual machine memory dumps, ability to set network ACLs for instances on bridged networks, and more.
Development quote of the week
So this is what I have been dreaming of lately: when you create a git repository on a forge platform, it nudges you towards adopting a governance model for your project, and proposes a selection of well-known ones that you can add in one click to the repository as a GOVERNANCE.md file. Just like it nudges you to adopt a license. Ideally, it could also set up the appropriate teams and apply other configuration settings implied by the governance model you picked. Unlike licenses, which are mostly meant to be copied verbatim and not modified, the governance model would be meant to be a starter template to be adapted to the needs of the project as it grows (by specifying how the governance model can be changed). An additional benefit of having such well-known starter packs is that it would help prospective users and contributors quickly grasp the general spirit of a governance model, without having to read it all (just like we have built a common understanding of what the MIT or GPL licenses are and we don't need to dissect them every time we interact with a project licensed as such).
Miscellaneous
LWN in EPUB format
For years we have had occasional requests to be able to receive LWN in a format for ebook readers. It took a while, but we are now happy to announce that all of LWN's feature content is available, to subscribers at the "professional hacker" level and above, in the EPUB format. To obtain the weekly edition as an EPUB file, just click the "Download EPUB" link in the left column. There is a separate RSS feed for the EPUB format as well. Any other feature content can be turned into an ebook by appending /epub to its URL.
We will also be creating special EPUB books at times. As an example of what is possible, our complete coverage from Kangrejos 2024 and the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit are available to all readers.
There are surely places where our EPUB books can be improved; please feel free to drop us a note (at lwn@lwn.net) with suggestions.
Linux-related discussion as a cybersecurity threat
The DistroWatch January 27 edition includes this interesting tidbit:
Starting on January 19, 2025 Facebook's internal policy makers decided that Linux is malware and labeled groups associated with Linux as being "cybersecurity threats". Any posts mentioning DistroWatch and multiple groups associated with Linux and Linux discussions have either been shut down or had many of their posts removed.
We've been hearing all week from readers who say they can no longer post about Linux on Facebook or share links to DistroWatch. Some people have reported their accounts have been locked or limited for posting about Linux.
One can only hope that this is a mistake that will be resolved soon.
Update: Meta has seemingly fixed the problem. It is sad, though, that nothing happened until a large, net-wide fuss forced the issue.
Page editor: Daroc Alden