
Brief items

Security

Verified cryptography for Firefox 57

The Mozilla Security Blog announces that Firefox 57 will benefit from the addition of a formally verified crypto package. "The first result of this collaboration, an implementation of the Curve25519 key establishment algorithm (RFC7748), has just landed in Firefox Nightly. Curve25519 is widely used for key-exchange in TLS, and was recently standardized by the IETF. As an additional bonus, besides being formally verified, the HACL* Curve25519 implementation is also almost 20% faster on 64 bit platforms than the existing NSS implementation (19500 scalar multiplications per second instead of 15100) which represents an improvement in both security and performance to our users."

Comments (35 posted)

Moore: The 2017 Linux Security Summit

Paul Moore has posted his notes from the 2017 Linux Security Summit, held September 14 and 15 in Los Angeles. "LinuxKit was designed to make it easy for people to create their own Linux distribution, with a strong focus on minimal OS installs such as one would use in a container hosting environment. LinuxKit has several features that make it interesting from a security perspective, the most notable being the read-only rootfs which is managed using external tooling. Applications are installed via signed container images."

Comments (none posted)

Malicious software libraries found in PyPI

An advisory from the National Security Authority of Slovakia warns that they have found fake packages in PyPI, posing as well known libraries. "Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent example includes urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include malicious (but relatively benign) code." The administrators of PyPI were informed and the fake packages are gone now; however, they were available from June 2017 to September 2017. (Thanks to Paul Wise)
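The pattern the advisory describes (a real package's code republished under a near-identical name) is something a dependency list can be screened for before anything is installed. The following is an added illustration, not code from the advisory or from PyPI: it parses a small constructed requirements list, normalizes names the way PyPI does (PEP 503), and flags any name that is within a small edit distance of an allowlisted well-known package but is not itself on the allowlist. The allowlist and the requirements lines are constructed for the example; a real deployment would use the organisation's own approved-package list.

```python
"""Flag dependency names that look like, but are not, well-known packages.

Added example (not from the advisory). The allowlist and the sample
requirements below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Constructed allowlist of well-known package names (hypothetical).
KNOWN_GOOD = {"urllib3", "bzip2", "requests", "six", "setuptools", "numpy"}

# Constructed sample requirements file, line by line.
SAMPLE_REQUIREMENTS = [
    "# constructed sample, not a real project's file",
    "requests==2.18.4",
    "urllib>=1.0      # one character away from urllib3",
    "bzip",
    "numpy==1.13.1",
    "six",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of - _ . become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str) -> Optional[str]:
    """Return the bare project name from a requirements line, else None."""
    line = line.split("#", 1)[0].strip()      # drop comments
    if not line or line.startswith("-"):       # blank line or pip option
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def find_lookalikes(requirements: List[str],
                    known_good=KNOWN_GOOD,
                    max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (requested_name, lookalike_of, distance) for every requested
    name that is close to an allowlisted name without being one."""
    known = {normalize(k): k for k in known_good}
    findings = []
    for line in requirements:
        name = parse_requirement(line)
        if name is None:
            continue
        n = normalize(name)
        if n in known:                # exact allowlisted name: fine
            continue
        for kn, original in known.items():
            d = levenshtein(n, kn)
            if d <= max_distance:
                findings.append((name, original, d))
    return findings


if __name__ == "__main__":
    for name, target, d in find_lookalikes(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {name!r} is {d} edit(s) from {target!r}")
```

The check is deliberately conservative: it only compares against names you already trust, so it cannot tell you a package is malicious, only that its name deserves a second look before `setup.py` ever runs. Tuning `max_distance` trades false positives against missed near-names.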

Comments (29 posted)

Security quote of the week

Moderator and TechCrunch Senior Editor Frederic Lardinois asked [Google’s Manager of Information Security Heather] Adkins if she thinks of the NSA as a state-sponsored threat in the same way as China and Russia. She confirmed, yes, she considers the US' National Security Agency in that way. Does she worry about the NSA? Yes, she does and it’s good to worry about them because if they can attack, other organizations can attack too.

She goes on to say that she thinks less about individual threats and rather focuses on the techniques and the surface available to be attacked.

"A technique the NSA can use can easily be used by a Mexican cartel against our users," she said. "All of these actors have these tools available to them."

Matt Burns in TechCrunch

Comments (1 posted)

Kernel development

Kernel release status

The current development kernel is 4.14-rc1, released on September 16. Linus said: "Yes, I realize this is a day early, and yes, I realize that if I had waited until tomorrow, I would also have hit the 26th anniversary of the Linux-0.01 release, but neither of those undeniable facts made me want to wait with closing the merge window."

Stable updates: 4.13.2, 4.12.13, 4.9.50, 4.4.88, and 3.18.71 were all released on September 14. Among other things, these updates contain the fix for the recently disclosed Bluetooth vulnerability. 4.13.3, 4.12.14, and 4.9.51 followed on September 20. Note that 4.12.14 will be the final update in the 4.12.x series.

Comments (none posted)

2nd RDMA Miniconference Summary

Leon Romanovsky provides a summary of the RDMA miniconference at Linux Plumbers Conference. "Special thanks goes to Ram Amrani who did an excellent job to summarize the discussions and to Jason Gunthorpe together with Christoph Lameter who helped me to organize and run this conference. The original etherpad is located at https://etherpad.openstack.org/p/LPC2017_RDMA and below you will find the copy of those notes."

Full Story (comments: 2)

Distributions

Distribution quotes of the week

If we *did* drop armel as a release architecture, we'd be the first port in Debian to voluntarily do so. Do we need a new term for that? ("Vancouver" is already in use; "Montréal" maybe? *grin*).
Steve McIntyre

Simply put: if you had enabled dnf-automatic in Fedora 25 or earlier, using the standard mechanism it provided – edit /etc/dnf/automatic.conf to configure the behaviour you want, and run systemctl enable dnf-automatic.timer – then you upgraded to Fedora 26, then it probably just stopped working entirely. If you were relying on it to install updates for you…it probably hasn’t been.
Adam Williamson

Comments (4 posted)

Development

Robinson: The state of open source accelerated graphics on ARM devices

Peter Robinson looks at the state of open source accelerated graphics on ARM devices. "Despite the two bad examples above there’s actually been a lot of good change in the last five years. We now have a number of options for fully accelerated 2D/3D graphics on ARM SoCs and I run GNOME Shell on Wayland, yes the full open source shiny, on a number of different devices regularly."

Comments (1 posted)

Schaller: Launching Pipewire

Christian Schaller announces Pipewire, a media system that is meant to eventually replace PulseAudio and handle video as well. "Anyway, as work progressed Wim decided to also take a look at Jack, as supporting the pro-audio use case was an area PulseAudio had never tried to do, yet we felt that if we could ensure Pipewire supported the pro-audio use case in addition to consumer level audio and video it would improve our multimedia infrastructure significantly and ensure pro-audio became a first class citizen on the Linux desktop." A video-only version will be shipping in Fedora 27.

Comments (35 posted)

Purism and KDE to work together on free smartphone

Purism and KDE are working together to adapt Plasma Mobile to Purism's Librem 5 smartphone. "The shared vision of freedom, openness and personal control for end users has brought KDE and Purism together in a common venture. Both organisations agree that cooperating will help bring a truly free and open source smartphone to the market. KDE and Purism will work together to make this happen."

Comments (10 posted)

GNOME Foundation partners with Purism to support its efforts to build the Librem 5 smartphone

Last week KDE announced that they were working with Purism on the Librem 5 smartphone. The GNOME Foundation has also provided its endorsement and support of Purism’s efforts to build the Librem 5. "As part of the collaboration, if the campaign is successful the GNOME Foundation plans to enhance GNOME shell and general performance of the system with Purism to enable features on the Librem 5. Various GNOME technologies are used extensively in embedded devices today, and GNOME developers have experienced some of the challenges that face mobile computing specifically with the Nokia 770, N800 and N900, the One Laptop Per Child project’s XO laptop and FIC’s Neo1973 mobile phone."

Comments (20 posted)

Development quote of the week

I do find it ironic that the open source community is so irate about having to compile software from source to customize it the way they want.
Matt Holt

Comments (4 posted)

Miscellaneous

EME is now a W3C recommendation

The World Wide Web Consortium has put out a press release trumpeting its publication of the "Encrypted Media Extensions" as an official recommendation and enshrining DRM into what was previously a standard for open communication. See the EFF's open letter for a less rosy view of this development. "Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. They give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities. They side against the archivists who are scrambling to preserve the public record of our era. The W3C process has been abused by companies that made their fortunes by upsetting the established order, and now, thanks to EME, they’ll be able to ensure no one ever subjects them to the same innovative pressures."

Comments (65 posted)

An intro to machine learning (Opensource.com)

Ulrich Drepper, once again an engineer at Red Hat, writes about machine learning on opensource.com. "Machine learning and artificial intelligence (ML/AI) mean different things to different people, but the newest approaches have one thing in common: They are based on the idea that a program's output should be created mostly automatically from a high-dimensional and possibly huge dataset, with minimal or no intervention or guidance from a human. Open source tools are used in a variety of machine learning and artificial intelligence projects. In this article, I'll provide an overview of the state of machine learning today."

Comments (10 posted)

Page editor: Jake Edge


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds