Brief items

Security

Security quotes of the week

The findings show that in every docker image we scanned, we found vulnerable versions of system libraries. The official Node.js image ships 580 vulnerable system libraries, followed by the others each of which ship at least 30 publicly known vulnerabilities.
Liran Tal summarizes some of the findings in a Snyk security report [PDF]

ETSI backed down, and the next revision of their weakened variant will be called "ETS" instead. Instead of thinking of this as "Enterprise Transport Security," which the creators say the acronym stands for, you should think of it as "Extra Terrible Security."

Internet security as a whole is greatly improved by forward secrecy. It's indefensible to make it worse in the name of protecting a few banks from having to update their legacy decrypt systems. Decryption makes networks less secure, and anyone who tells you differently is selling something (probably a decryption middlebox). Don't use ETS, don't implement it, and don't standardize it.

Jacob Hoffman-Andrews in the Electronic Frontier Foundation (EFF) blog

We built a fake network card that is capable of interacting with the operating system in the same way as a real one, including announcing itself correctly, causing drivers to attach, and sending and receiving network packets. To do this, we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA. Because this is a software model, we can easily add malicious behaviour to find and exploit vulnerabilities.

We found the attack surface available to a network card was much richer and more nuanced than was previously thought. By examining the memory it was given access to while sending and receiving packets, our device was able to read traffic from networks that it wasn't supposed to. This included VPN plaintext and traffic from Unix domain sockets that should never leave the machine.

Theo Markettos

Kernel development

Kernel release status

The current development kernel is 5.0-rc8, released instead of the expected 5.0-final on February 24. Linus said: "This may be totally unnecessary, but we actually had more patches come in this last week than we had for rc7, which just didn't make me feel the warm and fuzzies. And while none of the patches looked all that scary, some of them were to pretty core files, so it wasn't all just random rare drivers (although those kinds also existed)."

Stable updates: 4.20.12, 4.19.25, 4.14.103, 4.9.160, 4.4.176, and 3.18.136 were released on February 23, followed by 4.20.13, 4.19.26, 4.14.104, and 4.9.161 on February 27.

Quotes of the week

eBPF is and will be a tool for the masses to customize and control their systems however they want, and with whatever policies they see fit. It is a technology that has truly relinquished control from system software engineers over to the users, where it belongs.
David Miller

I am relieved to know that when my mail client embeds HTML tags into raw text, it will only be the second most annoying thing I've done on e-mail.
Greg Kerr

Distributions

Distribution quote of the week

The effort required to properly participate in Discourse conversations vs regular mailing lists was higher, and high enough that the majority of developers just simply stopped communicating outside of IRC. This made asynchronous communication very difficult. Moreover, the total communication between developers/contributors and users went down over the past couple of years because of this.
Neal Gompa (OpenMandriva gives up on Discourse)

Development

GCC 8.3 Released

Version 8.3 of the GNU Compiler Collection has been released. "GCC 8.3 is a bug-fix release from the GCC 8 branch containing important fixes for regressions and serious bugs in GCC 8.2 with more than 153 bugs fixed since the previous release."

Git v2.21.0

Git v2.21.0 has been released. "It is comprised of 500 non-merge commits since v2.20.0, contributed by 74 people, 20 of which are new faces." The release notes are included in the announcement.

Go 1.12 released

Version 1.12 of the Go language has been released. "Some of the highlights include opt-in support for TLS 1.3, improved modules support (in preparation for being the default in Go 1.13), support for windows/arm, and improved macOS & iOS forwards compatibility". See the release notes for details.

Development quote of the week

make debug, again, … yay, the test is failing, we have a reproducer! Quick, to the gdb-mobile (it's like the bat-mobile, but less cool, and with a GNU instead of a bat)!
Julien Voisin (Thanks to Paul Wise)

Miscellaneous

The Linux Foundation Launches ELISA Project Enabling Linux In Safety-Critical Systems

The Linux Foundation has announced the formation of the Enabling Linux in Safety Applications (ELISA) project to create tools and processes for companies to use to build and certify safety-critical Linux applications. "Building off the work being done by SIL2LinuxMP project and Real-Time Linux project, ELISA will make it easier for companies to build safety-critical systems such as robotic devices, medical devices, smart factories, transportation systems and autonomous driving using Linux. Founding members of ELISA include Arm, BMW Car IT GmbH, KUKA, Linutronix, and Toyota. To be trusted, safety-critical systems must meet functional safety objectives for the overall safety of the system, including how it responds to actions such as user errors, hardware failures, and environmental changes. Companies must demonstrate that their software meets strict demands for reliability, quality assurance, risk management, development process, and documentation. Because there is no clear method for certifying Linux, it can be difficult for a company to demonstrate that their Linux-based system meets these safety objectives."

Page editor: Jake Edge

Copyright © 2019, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds