Brief items

Security

Backdoor code found in 11 Ruby libraries (ZDNet)

ZDNet reports on the discovery of a set of malicious libraries in the RubyGems repository. "The individual behind this scheme was active for more than a month, and their actions were not detected. Things changed when the hacker managed to gain access to the RubyGems account of one of the rest-client developers, which he used to push four malicious versions of rest-client on RubyGems. However, by targeting such a high-profile project that has over 113 million total downloads on RubyGems, the hacker also brought a lot of light to their operation, which was taken down within a few hours after users first spotted the malicious code in the rest-client library."

Backdoors in Webmin

Anybody using Webmin, a web-based system-administration tool, will want to update now, as it turns out that the system has been backdoored for over a year. "At some time in April 2018, the Webmin development build server was exploited and a vulnerability added to the password_change.cgi script. Because the timestamp on the file was set back, it did not show up in any Git diffs. This was included in the Webmin 1.890 release."
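Both items above, the rest-client gems and the Webmin release, share one lesson for defenders: what was shipped differed from what was in the project's source control, and in the Webmin case a rolled-back file timestamp kept the change out of sight. The check below is an added example written for this page, not code from LWN, Webmin or the rest-client project. It compares a shipped tree against a pristine checkout by SHA-256 of file contents, so a backdated mtime changes nothing, and it shows beside it the naive mtime-based check that the backdating defeats. The two directory trees, the file names and the "extra line" are constructed demo data, not Webmin's real files.

```python
"""Compare a shipped tree against a pristine source tree by content, not by mtime."""
import hashlib
import os
import tempfile
from pathlib import Path

FIXED_TIME = 1_500_000_000  # constructed, fixed timestamp for the demo trees


def hash_tree(root):
    """Map each relative file path under root to the SHA-256 of its bytes.

    Timestamps are deliberately ignored: only the content of each file matters.
    """
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(pristine_root, shipped_root):
    """Return files whose content differs, plus files only in one tree."""
    pristine = hash_tree(pristine_root)
    shipped = hash_tree(shipped_root)
    common = pristine.keys() & shipped.keys()
    return {
        "modified": sorted(p for p in common if pristine[p] != shipped[p]),
        "added": sorted(shipped.keys() - pristine.keys()),
        "missing": sorted(pristine.keys() - shipped.keys()),
    }


def changed_by_mtime(pristine_root, shipped_root):
    """Naive check: flag files whose shipped copy is newer than the pristine copy.

    A timestamp set back to before the pristine file's mtime defeats this,
    which is why the content comparison above is the one to rely on.
    """
    pristine_root, shipped_root = Path(pristine_root), Path(shipped_root)
    flagged = []
    for path in sorted(pristine_root.rglob("*")):
        if not path.is_file():
            continue
        other = shipped_root / path.relative_to(pristine_root)
        if other.is_file() and other.stat().st_mtime > path.stat().st_mtime:
            flagged.append(str(path.relative_to(pristine_root)).replace(os.sep, "/"))
    return flagged


def build_demo():
    """Construct two sample trees (demo data, not any real project's files).

    Returns (pristine_root, shipped_root). The shipped copy of lib/util.pl has
    one extra line and its mtime rolled back a year, mirroring the evasion the
    Webmin report describes.
    """
    base = Path(tempfile.mkdtemp(prefix="treecheck-"))
    pristine, shipped = base / "git-checkout", base / "release"
    for root in (pristine, shipped):
        (root / "lib").mkdir(parents=True)
        (root / "lib" / "util.pl").write_text("sub helper { return 1; }\n")
        (root / "README").write_text("demo project\n")
        for path in root.rglob("*"):
            if path.is_file():
                os.utime(path, (FIXED_TIME, FIXED_TIME))
    tampered = shipped / "lib" / "util.pl"
    tampered.write_text("sub helper { return 1; }\n# extra line present only in the shipped copy\n")
    backdated = FIXED_TIME - 365 * 86400
    os.utime(tampered, (backdated, backdated))
    return pristine, shipped


def demo():
    """Run both checks over the constructed trees and return their results."""
    pristine, shipped = build_demo()
    return {
        "by_mtime": changed_by_mtime(pristine, shipped),
        "by_content": diff_trees(pristine, shipped),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run against a real release, `diff_trees` takes the unpacked tarball or gem contents as the shipped tree and a checkout of the tagged commit as the pristine one; anything listed under "modified" or "added" is what the release process introduced beyond what is in version control, whatever the file timestamps say.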

Security quote of the week

[US Attorney General William] Barr repeated a common fallacy about a difference between military-grade encryption and consumer encryption: "After all, we are not talking about protecting the nation's nuclear launch codes. Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications."

The thing is, that distinction between military and consumer products largely doesn't exist. All of those "consumer products" Barr wants access to are used by government officials -- heads of state, legislators, judges, military commanders and everyone else -- worldwide. They're used by election officials, police at all levels, nuclear power plant operators, CEOs and human rights activists. They're critical to national security as well as personal security.

Bruce Schneier

Kernel development

Kernel release status

The current development kernel is 5.3-rc6, released on August 25, the 28th anniversary of the initial Linux announcement. "I’m doing a (free) operating system (more than just a hobby) for 486 AT clones and a lot of other hardware. This has been brewing for the last 28 years, and is still not done. I’d like any feedback on any bugs introduced this release (or older bugs too, for that matter)."

Stable updates: 5.2.10, 4.19.68, 4.14.140, 4.9.190, and 4.4.190 were also released on August 25. The 5.2.11, 4.19.69, and 4.14.141 updates are in the review process; they are due on August 29.

Microsoft to put exFAT support into the kernel

Linux support for the exFAT filesystem has had a long and troubled history; Microsoft has long asserted patents in this area that have prevented that code from being merged into the kernel. Microsoft has just changed its tune, announcing that upstreaming exFAT is now OK: "It’s important to us that the Linux community can make use of exFAT included in the Linux kernel with confidence. To this end, we will be making Microsoft’s technical specification for exFAT publicly available to facilitate development of conformant, interoperable implementations. We also support the eventual inclusion of a Linux kernel with exFAT support in a future revision of the Open Invention Network’s Linux System Definition, where, once accepted, the code will benefit from the defensive patent commitments of OIN’s 3040+ members and licensees."

Quote of the week

Reviewed-by is the lamest sort of credit.

It should be that reviewers get credit for finding bugs in patches (no credit for complaining about checkpatch issues, that is its own reward).

Dan Carpenter

Distributions

Distribution quote of the week

For myself I try to publish pristine upstream tarballs when it's reasonably convenient, because I feel that this is a thing that some people value, even though I myself think the value is very limited. That's part of playing nice in a community like Debian.

If we are going to mandate something - or even, if we are going to change our current stance (which seems to be that this is a "nice to have"), then a discussion of the upsides and downsides - particularly, with a practical focus - is necessary.

Ian Jackson

Development

GNOME Foundation launches Coding Education Challenge

The GNOME Foundation, with support from Endless, has announced the Coding Education Challenge, a competition aimed at attracting projects that offer educators and students new and innovative ideas for teaching coding with free and open source software. "Anyone is encouraged to submit a proposal. Individuals and teams will be judged through three tiers of competition. Twenty winners will be selected from an open call for ideas and will each receive $6,500 in prize money. Those winners will progress to a proof of concept round and build a working prototype. Five winners from that round will be awarded $25,000 and progress to the final round where they will turn the prototype into an end product. The final winner will receive a prize of $100,000 and the second placed product a prize of $25,000."

Rust is the future of systems programming, C is the new Assembly (Packt)

Packt has published a lengthy writeup of a talk by Josh Triplett on work being done to advance the Rust language for system-level programming. "Systems programming often involves low-level manipulations and requires low-level details of the processors such as privileged instructions. For this, Rust supports using inline Assembly via the 'asm!' macro. However, it is only present in the nightly compiler and not yet stabilized. Triplett in a collaboration with other Rust developers is writing a proposal to introduce more robust syntax for inline Assembly."

Development quote of the week

Secondly, you can’t claim you will only use "trusted" open source. There are now a number of vendors who tell you if you come sit by their fire everything will be OK. They’re a safe space and the open source they have is only the finest quality artisan open source crafted by Himalayan monks, but only on Tuesdays because that’s the day the open source karma is best. I don’t think these vendors are trying to mislead, I think they’re just as confused as the rest of us.

Josh Bressers

Page editor: Jake Edge

Copyright © 2019, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds