
Brief items

Security

Hardening the Firefox frontend

Tom Schuster, Frederik Braun, and Christoph Kerschbaumer have published an article on the Firefox Security team's Attack & Defense blog that explains recent work to harden Firefox's frontend code.

We have rewritten over 600 JavaScript event handlers to mitigate XSS and other injection attacks in the main Firefox user interface. This mitigation will ship in Firefox 138. However, blocking the execution of scripts in the parent process is not the end - we will expand this technique to other contexts in the near future. There is still more work to do as the UI requires JavaScript APIs with a high level of privileges. However: We still eliminated a whole class of attacks, significantly raising the bar for attackers to exploit Firefox.
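The mitigation rests on the event handlers no longer being text inside the markup (on* attributes, javascript: URLs) but registrations made from script, so that a policy refusing inline script can be enforced on the UI. As an added illustration, not Mozilla's code or tooling, the following Python scans constructed sample markup for inline script and lists the addEventListener registrations that would replace each handler; the markup, element ids and handler names are all made up for the example.

```python
import re

# Constructed sample markup for illustration; none of it is Firefox source.
# BEFORE carries script inline in attributes (on* handlers, a javascript: URL),
# which is exactly what a policy that blocks inline script refuses to run.
BEFORE = """\
<button id="ok" onclick="doOk(event)">OK</button>
<menuitem id="prefs" oncommand="openPrefs();" label="Preferences"/>
<a id="more" href="javascript:void(0)">More</a>
"""

# AFTER registers the same handlers from script, so the markup contains no
# executable text and injected markup cannot smuggle a handler in.
AFTER = """\
<button id="ok">OK</button>
<menuitem id="prefs" label="Preferences"/>
<a id="more" href="#">More</a>
<script>
  document.getElementById("ok").addEventListener("click", doOk);
  document.getElementById("prefs").addEventListener("command", openPrefs);
  document.getElementById("more").addEventListener("click", showMore);
</script>
"""

INLINE_HANDLER = re.compile(r"""\s(on[a-z]+)\s*=\s*("[^"]*"|'[^']*')""", re.I)
JS_URL = re.compile(r"""\s(href|src|action)\s*=\s*["']\s*javascript:""", re.I)
ELEMENT_ID = re.compile(r"""\sid\s*=\s*["']([^"']+)["']""", re.I)


def find_inline_script(markup):
    """Return (line number, what) for every inline handler or javascript: URL."""
    hits = []
    for lineno, line in enumerate(markup.splitlines(), start=1):
        for m in INLINE_HANDLER.finditer(line):
            hits.append((lineno, m.group(1).lower()))
        for m in JS_URL.finditer(line):
            hits.append((lineno, m.group(1).lower() + "=javascript:"))
    return hits


def plan_rewrite(markup):
    """Strip on* attributes and list the (element id, event, handler body)
    triples that must become addEventListener registrations in script."""
    registrations = []
    cleaned = []
    for line in markup.splitlines():
        id_match = ELEMENT_ID.search(line)
        target = id_match.group(1) if id_match else None

        def replace(m):
            event = m.group(1).lower()[len("on"):]   # "onclick" -> "click"
            body = m.group(2)[1:-1]                  # drop the surrounding quotes
            registrations.append((target, event, body))
            return ""                                # remove the attribute

        cleaned.append(INLINE_HANDLER.sub(replace, line))
    return "\n".join(cleaned), registrations


if __name__ == "__main__":
    for lineno, what in find_inline_script(BEFORE):
        print(f"BEFORE:{lineno}: inline script via {what}")
    print("AFTER:", find_inline_script(AFTER) or "clean")
    _, todo = plan_rewrite(BEFORE)
    for target, event, body in todo:
        print(f'register "{event}" on #{target} instead of inline {body!r}')
```

The scanner is the regression check such a rewrite needs afterwards: once the last inline handler is gone, any new on* attribute or javascript: URL in the UI markup is a bug to reject in review, because it would either be blocked at runtime or, worse, force the policy to be loosened again.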


OpenSSH 10.0 released

OpenSSH 10.0 has been released. Support for the DSA signature algorithm, which was disabled by default beginning in 2015, has been removed. Other notable changes include using the post-quantum algorithm mlkem768x25519-sha256 for key agreement by default, support for systemd-style socket activation in Portable OpenSSH, and moving code for user authentication from the sshd-session binary to the new sshd-auth binary:

Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after the authentication phase completes. This change should be largely invisible to users, though some log messages may now come from "sshd-auth" instead of "sshd-session". Downstream distributors of OpenSSH will need to package the sshd-auth binary.

The release notes also warn that "software that naively matches versions using patterns like 'OpenSSH_1*'" may be confused by the new version number.
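The version-string caveat is worth making concrete, because the same mistake hides in inventory scripts, scanner signatures and compliance checks that compare the SSH banner as text. The following Python is an added example, not code from the release notes or from OpenSSH: it shows the glob the notes warn about misclassifying 10.0, and a banner parser that compares numeric components instead. The banners are constructed; the 1.2.3 build and the vendor-suffixed "10.0p1 Debian-1" banner are hypothetical.

```python
import fnmatch
import re

# Constructed version banners, not text from the release notes. The 1.2.3
# build and the vendor-suffixed 10.0p1 build are hypothetical.
BANNERS = [
    "SSH-2.0-OpenSSH_9.9",
    "SSH-2.0-OpenSSH_10.0",
    "SSH-2.0-OpenSSH_1.2.3",
    "SSH-2.0-OpenSSH_10.0p1 Debian-1",
    "SSH-2.0-libssh_0.10.6",
]

# major.minor[.patch]; anything after that ("p1", a vendor tag) is ignored.
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?")


def naive_is_major_1(banner):
    """The fragile check the release notes warn about: a glob on the version
    text. It matches OpenSSH_1.x, but also OpenSSH_10.x, OpenSSH_11.x, ..."""
    return fnmatch.fnmatchcase(banner, "*OpenSSH_1*")


def parse_version(banner):
    """Return (major, minor, patch) as integers, or None for non-OpenSSH banners."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_major(banner, major):
    v = parse_version(banner)
    return v is not None and v[0] == major


def is_at_least(banner, minimum):
    """True when the banner is OpenSSH and its version is >= minimum,
    given as a (major, minor) or (major, minor, patch) tuple."""
    v = parse_version(banner)
    floor = tuple(minimum) + (0,) * (3 - len(minimum))
    return v is not None and v >= floor


def false_positives(banners):
    """Banners the glob calls 'major 1' that are really something else."""
    return [b for b in banners if naive_is_major_1(b) and not is_major(b, 1)]


if __name__ == "__main__":
    for b in BANNERS:
        print(f"{b:40} glob={naive_is_major_1(b)!s:5} parsed={parse_version(b)}")
    print("glob false positives:", false_positives(BANNERS))
```

Plain string ordering fails in the same way: "OpenSSH_10.0" sorts before "OpenSSH_9.9" lexically, so "is the server at least 10.0" must be answered on the parsed tuple, never on the banner text. Note that the patch level after "p" and any distribution suffix are deliberately dropped here; a check that needs them has to parse them separately.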


Fifty Years of Open Source Software Supply Chain Security (Queue)

ACM Queue looks at the security problem in the light of a report on Multics security that was published in 1974.

We are all struggling with a massive shift that has happened in the past 10 or 20 years in the software industry. For decades, software reuse was only a lofty goal. Now it's very real. Modern programming environments such as Go, Node, and Rust have made it trivial to reuse work by others, but our instincts about responsible behaviors have not yet adapted to this new reality.

The fact that the 1974 Multics review anticipated many of the problems we face today is evidence that these problems are fundamental and have no easy answers. We must work to make continuous improvements to open source software supply chain security, making attacks more and more difficult and expensive.


Security quotes of the week

Now imagine a time when governments do have this access, plus the ability to control AI agents on people's systems – perhaps by means of agentic AI backdoors. Based on the last fifty years of its lobbying, it is easy to imagine the copyright industry demanding from governments laws requiring AI agents to take on the role of copyright police that are installed on every cloud server and personal device, and whose deactivation would be illegal. There are various ways in which that could work. Agentic AI could search through a person's files for unauthorized copyright material – perhaps even contacting databases over the Internet to check whether a license is in place. AI agents could watch what users are doing online, and report them if they engage in allegedly illegal activity. With agentic AI, those capabilities could be rolled out across an entire population for the first time.
Glyn Moody

Getting scammed doesn't mean you were stupid, or careless. Frequently, it just means you were distracted, upset, or distraught. We're living through a moment of total, all-consuming chaos, and the scammers are sharpening their blades – not least because the people running the show are unabashed grifters who openly boast that when they get one over on you, "that makes me smart":

https://pluralistic.net/2024/12/04/its-not-a-lie/#its-a-premature-truth

Buyer beware – it's ugly out there, and it's gonna get a lot worse before it gets better.

Cory Doctorow


Kernel development

Kernel release status

The current development kernel is 6.15-rc1, released on April 6. Linus said:

As expected, this was one of the bigger merge windows, almost certainly just because we had some pent-up development due to the previous releases being impacted by the holiday season. That said, while it's bigger than normal, it's not some kind of record-breaking thing.

In the end, 12,633 non-merge changesets were pulled into the mainline during this merge window.

Stable updates: 6.14.1, 6.13.10, 6.12.22, 6.6.86, and 6.1.133 were released on April 7.

The large 6.14.2, 6.13.11, 6.12.23, 6.6.87, 6.1.134, 5.15.180, 5.10.236, and 5.4.292 updates are all in the review process; they are due on April 10.


Distributions

FreeDOS 1.4 released

Version 1.4 of FreeDOS has been released. This is the first stable release since 2022, and includes improvements to the Fdisk hard-disk-management program, and reliability updates for the mTCP set of TCP/IP applications for DOS.

This version was much smoother because Jerome Shidel, our distribution manager, had an idea after FreeDOS 1.3 that we could have a rolling test release that collected all of the changes that people make over time. Previous to this, each new FreeDOS distribution (like 1.0, 1.1, 1.2, and 1.3) required bundling up packages into a "release candidate," and we would go through several iterations of updating the release candidates.

Jerome's method of building the FreeDOS distribution made it easier to automate a test release, which we decided to update every month. As the test releases accumulated enough changes to warrant a release, we could then make the next test release a "release candidate" which would iterate to the next version of the FreeDOS distribution. Since 2022, we've released monthly test releases. Thanks Jerome!

LWN covered FreeDOS last year for its 30th anniversary.


Development

OpenSSL 3.5.0 released

Version 3.5.0 of OpenSSL has been released. This release adds support for server-side QUIC (RFC 9000), a new configuration option (no-tls-deprecated-ec) that disables support for TLS groups deprecated in RFC 8422, and more.


Rust 1.86.0 released

Version 1.86.0 of the Rust language has been released. Changes include support for trait upcasting, the ability to index multiple elements of HashMaps and slices mutably, and a number of stabilized APIs.


Development quotes of the week

I gave a talk at last month about the role of organising in Open Source. I have three obserpinions therefrom:

1. Going all-in on permissive licensing was a mistake that directly led to extractive behaviour

2. Copyleft not having a good answer to the actual concerns of people who chose permissive licensing was a mistake that directly led to people going all-in on permissive licensing

3. It's too late to care about licensing, so we need other forms of consequences/ways to encourage organising

Christopher Neugebauer

Good thing I’m on my way to a conference of open source lawyers so I can hijack someone else’s session, put this on screen as my only slide, and watch the mix of meditating, sobbing, and knife-fighting that results.

Luis Villa in reference to Neugebauer's post.


Page editor: Daroc Alden


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds