
Brief items

Security

Bad Binder: Android In-The-Wild Exploit (Project Zero)

Over on the Project Zero blog, Maddie Stone has a lengthy post about a zero-day exploit that was found and fixed in the Android Binder interprocess communication mechanism. The post details the search for the problem, which was apparently being used in the wild, its fix, and how it can be exploited. This is all part of an effort to "make zero-day hard"; one of the steps the project is taking is to disseminate more information on these bugs. "Complete detailed analysis of the 0-days from the point of view of bug hunters and exploit developers and share it back with the community. Transparency and collaboration are key. We want to share detailed root cause analysis to inform developers and defenders on how to prevent these types of bugs in the future and improve detection. We hope that by publishing details about the exploit and its methodology, this can inform threat intelligence and incident responders. Overall, we want to make information that’s often kept in silos accessible to all."

Comments (26 posted)

Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet)

ZDNet reports that two more malicious modules have been removed from the Python Package Index. "The two libraries were created by the same developer and mimicked other more popular libraries -- using a technique called typosquatting to register similarly-looking names. The first is 'python3-dateutil,' which imitated the popular 'dateutil' library. The second is 'jeIlyfish' (the first L is an I), which mimicked the 'jellyfish' library." The latter of the two had been in PyPI for nearly a year.

Comments (19 posted)

Security quotes of the week

The tech companies, data brokers, and advertisers behind this surveillance, and the technology that drives it, are largely invisible to the average user. Corporations have built a hall of one-way mirrors: from the inside, you can see only apps, web pages, ads, and yourself reflected by social media. But in the shadows behind the glass, trackers quietly take notes on nearly everything you do. These trackers are not omniscient, but they are widespread and indiscriminate. The data they collect and derive is not perfect, but it is nevertheless extremely sensitive.
Bennett Cyphers and Gennie Gebhart in the introduction to an EFF study on the "technology of corporate surveillance"

Captain Elle Ekman is a US Marine Corps logistics officer; in a New York Times op-ed, she describes how the onerous conditions imposed by manufacturers on the US armed forces mean that overseas troops are not permitted to fix their own mission-critical gear, leaving them stranded and disadvantaged.

Instead of fixing their equipment as armies have done since the time of the Caesars, US armed forces personnel ship their faulty gear back to the USA for warranty repair, waiting months to get it back into service. She describes maintenance bays full of broken equipment and idle 3D printers, water-jet cutters, and lathes that were once used to effect field repairs. Now, the gear just waits to be shipped stateside.

Cory Doctorow

Comments (none posted)

Kernel development

Kernel release status

The 5.5 merge window is currently open after the release of 5.4 on November 24. Significant features in 5.4 include the haltpoll CPU governor, the iocost (formerly io.weight) I/O controller, the EROFS filesystem, an implementation of the exFAT filesystem that may yet be superseded by a better version, the fs-verity file integrity mechanism, support for the BPF compile once, run everywhere mechanism, the dm-clone device mapper target, the virtiofs filesystem, kernel lockdown support (at last), kernel symbol namespaces, and a new random-number generator meant to solve the early-boot entropy problem. See the KernelNewbies 5.4 page for a lot more details.

Stable updates have not been in short supply. 5.3.12, 4.19.85, and 4.14.155 were released on November 21; 5.3.13, 4.19.86, 4.14.156, 4.9.203, and 4.4.203 came out on the 25th; 5.4.1, 5.3.14, 4.19.87, 4.14.157, 4.9.204, and 4.4.204 showed up on December 1; and 4.9.205 and 4.4.205 followed 30 seconds later.

The 4.14.158, 4.9.206, and 4.4.206 updates are in the review process; they are due on December 6.

Comments (none posted)

Quote of the fortnight

It turns out that there are essentially no upstream development resources dedicated to x86_32 Linux. Perhaps unsurprisingly, it was badly broken. [...]

To those of you who actually support x86_32: please either consider stopping supporting it or finding and paying someone to give it serious upstream attention. We need real CI resources and we need developers to test things for real, fix what’s broken, and generally keep it up to date. And the developers in question should have an appropriate degree of nostalgic adoration of segments, gates, and other delights from the i386 era.

Andy Lutomirski

Comments (none posted)

Distributions

Distribution quote of the week

Saying that something is obsolete in the free software world is essentially a forecast. Because free software can always form the basis for additional development, it's making a *prediction* that no one is going to use that specific piece of software as a basis for future development or keep it working for new use cases. It's difficult to make predictions, especially about the future.
Russ Allbery

Comments (none posted)

Development

Firefox 71

Firefox 71 is available. New features include improvements to the Lockwise integrated password manager and native MP3 decoding. The release notes have more details.

Comments (4 posted)

PHP 7.4.0 released

Version 7.4.0 of the PHP language has been released. New features include typed properties, arrow functions, weak references, and more; see the release announcement and migration guide for more information.

Full Story (comments: 1)

Soller: Real hardware breakthroughs, and focusing on rustc

On the Redox site, creator Jeremy Soller gives an update on the Unix-like operating system written in Rust. It is running on a System76 Galaga Pro laptop: "This particular hardware has full support for the keyboard, touchpad, storage, and ethernet, making it easy to use with Redox." Meanwhile, he and the other Redox developers have been focusing on making it self-hosting: "Building Redox OS on Redox OS has always been one of the highest priorities of the project. Rustc seems to be only a few months of work away, after which I can begin to improve the system while running on it permanently, at least on one machine. With Redox OS being a microkernel, it is possible that even the driver level could be recompiled and respawned without downtime, making it incredibly fast to develop for. With this in place, I would work more efficiently on porting more software and tackling more hardware support issues, such as filling in the USB stack and adding graphics drivers. But, more importantly than what I will be able to do, is the contributions by others that will be unlocked by having a fully self-hosted, microkernel Operating System written in Rust, Redox OS."

Comments (275 posted)

Development quotes of the fortnight

In summary, for me, for 2020, Rust's already very inclusive approach to its community needs to turn outward and look for ways to increase the chances that it can be included into other projects such as Linux distributions. I see this as increasing the inclusivity of the project by including into our worldview the particular needs of these other projects and communities and ensuring that by treating them as first-class consumers of Rust, we can become first-class members of their projects and communities as well.
Daniel Silverstone

In general, it feels like hacking is today dogmatic instead of pragmatic. Surely if everything was open-source... or distributed... or blockchain-based, immutable and lock-free with a pinch of functional programming... written this or this other way, then we would have a better, enlightened society.

And it's not a joke, it's not entirely a fringe phenomenon; there are vast arrays of engineers that are honestly invested in trying to change the world, but honestly think that solutions are to be found in the technical infrastructure of things.

Angelo Pesce (Thanks to Paul Wise)

Comments (4 posted)

Miscellaneous

Wielaard: A public discussion about GNU

Mark Wielaard has posted a summary of the discussion thus far on the governance of the GNU project. "The mentoring and apprenticeship discussion focused on the GNU maintainers as being the core of the GNU project. But as was pointed out there are also webmasters, translators, infrastructure maintainers (partially paid FSF staff and volunteers), education and conference organizers, etc. All these people are GNU stakeholders. And how we organize governance of the GNU project should also involve them."

Comments (14 posted)

Page editor: Jake Edge

Copyright © 2019, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds