
Brief items

Security

Security quotes of the week

Even if you don't trust ByteDance/TikTok, you should be absolutely concerned about this for multiple reasons: it's a clear and blatant abuse of power by the President. Allowing any President to just declare a foreign-owned company a problem and try to force it to sell to an American company is going to cause all sorts of long-term problems for the US. What's to stop foreign governments from doing the same to us? China is probably just itching to do something similar in retaliation. Second, to reach back two years and try to unwind a merger at this point based on this flimsy legal theory is just crazy as well. It's clear that this is nothing more than vindictiveness on the part of the President.

If there are real security issues with TikTok, then there should be due process. There should be investigations and evidence. Not just a childish, narcissistic President suddenly declaring that an entire company must be sold.

Mike Masnick

Social media has made it possible to manipulate the masses via disinformation and fake news at an unprecedented scale. This is particularly alarming from a security perspective, as humans have proven to be one of the weakest links when protecting critical infrastructure in general, and the power grid in particular. Here, we consider an attack in which an adversary attempts to manipulate the behavior of energy consumers by sending fake discount notifications encouraging them to shift their consumption into the peak-demand period. Using Greater London as a case study, we show that such disinformation can indeed lead to unwitting consumers synchronizing their energy-usage patterns, and result in blackouts on a city-scale if the grid is heavily loaded. We then conduct surveys to assess the propensity of people to follow-through on such notifications and forward them to their friends. This allows us to model how the disinformation may propagate through social networks, potentially amplifying the attack impact. These findings demonstrate that in an era when disinformation can be weaponized, system vulnerabilities arise not only from the hardware and software of critical infrastructure, but also from the behavior of the consumers.
Gururaghav Raman, Bedoor AlShebli, Marcin Waniek, Talal Rahwan, and Jimmy Chih-Hsien Peng in the abstract of their "How weaponizing disinformation can bring down a city’s power grid" paper

Comments (11 posted)

Kernel development

Kernel release status

The current development kernel is 5.9-rc1, released on August 16. "This merge window felt a lot more normal than 5.8, and all the stats confirm that it seems to be the usual size." In the end, 12,866 non-merge changesets were pulled for 5.9-rc1, as compared to 14,206 for 5.8-rc1.

Stable updates: the massive 5.8.2, 5.7.16, 5.4.59, and 4.19.140 updates were released on August 19.

Comments (none posted)

Walleij: How the ARM32 Linux kernel decompresses

For those who are into the details: Linus Walleij has written a step-by-step guide through the process of decompressing an Arm kernel and getting ready to boot. "Next the decompression code sets up a page table, if it is possible to fit one over the whole uncompressed+compressed kernel image. The page table is not for virtual memory, but for enabling cache, which is then turned on. The decompression will for natural reasons be much faster if we can use cache."

Comments (6 posted)

Walleij: How the ARM32 kernel starts

Linus Walleij continues his exploration of the boot process for the 32-bit Arm kernel. "BAM! The MMU is on. The next instruction (which is incidentally an instruction cache flush) will be executed from virtual memory. We don’t notice anything at first, but we are executing in virtual memory. When we return by jumping to the address passed in r13, we enter __mmap_switched at the virtual memory address of this function, somewhere below PAGE_OFFSET (typically 0xC0nnnnnn). We can now facilitate absolute addressing: the kernel is executing as intended."

Comments (1 posted)

Distributions

Distribution quote of the week

If every application or end-user package is kind of like a living organism, with its own cycles and behaviors and organs (dependent libraries) that make it possible...

Why do distros expect all the living organisms on your machine to share The World's Single Lungs Service, and The World's Single Stomach Service, and The World's Single Liver Service?

You know, instead of letting every organism have its own slightly different version of those organs, customized for it? We humans know how to do vaccination campaigns and everything; maybe we need better tools to apply bug fixes where they are needed?

I know this metaphor is extremely imperfect and not how things work in software, but it makes me wonder.

Federico Mena Quintero

Comments (22 posted)

Development

Holdgraf: Announcing the new Jupyter Book

On the Jupyter blog, Chris Holdgraf announces a rewrite of the Jupyter Book project. LWN looked at Jupyter and its interactive notebooks for Python and other languages back in 2018; Jupyter Book extends the notebook idea. "Jupyter Book is an open source project for building beautiful, publication-quality books, websites, and documents from source material that contains computational content. With this post, we’re happy to announce that Jupyter Book has been re-written from the ground up, making it easier to install, faster to use, and able to create more complex publishing content in your books. It is now supported by the Executable Book Project, an open community that builds open source tools for interactive and executable documents in the Jupyter ecosystem and beyond."

Comments (2 posted)

Kdenlive 20.08 released

Version 20.08 of the Kdenlive video editor is available. "Kdenlive 20.08 is out with nifty features like Interface Layouts, Multiple Audio Stream support, Cached data management and Zoombars in the Clip Monitor and Effects Panel but one may argue that the highlights of this release are stability and interface improvements".

Comments (none posted)

QEMU 5.1.0 released

Version 5.1.0 of the QEMU processor emulator is out. "This release contains 2500+ commits from 235 authors." Enhancements consist mostly of additional hardware emulation, of course, but it doesn't stop there; see the changelog for lots of details.

Comments (none posted)

The Rust language gets its own foundation

The Rust blog announces the creation of an independent foundation for the language. "This foundation’s first task will be something Rust is already great at: taking ownership. This time, the resource is legal, rather than something in a program. The various trademarks and domain names associated with Rust, Cargo, and crates.io will move into the foundation, which will also take financial responsibility for the costs they incur. We see this first iteration of the foundation as just the beginning. There’s a lot of possibilities for growing the role of the foundation, and we’re excited to explore those in the future."

Comments (89 posted)

Development quote of the week

If you are an upstream software developer, or a distributor of software to users (eg, a distro maintainer), you have a lot of practical power. In theory it is Free Software so your users could just change it themselves. But for a user or downstream, carrying a patch is often an unsustainable amount of work and risk. Most of us have patches we would love to be running, but which we haven't even written because simply running a nonstandard build is too difficult, no matter how technically excellent our delta.

As an upstream, it is very easy to get into a mindset of defending your code's existing behaviour, and to turn your project's guidelines into inflexible rules. Constant exposure to users who make silly mistakes, and rudely ask for absurd changes, can lead to core project members feeling embattled.

But there is no need for an upstream to feel embattled! You have the vast majority of the power over the software, and over your project communication fora. Use that power consciously, for good.

Ian Jackson (Thanks to Paul Wise)

Comments (3 posted)

Page editor: Jake Edge


Copyright © 2020, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds