Brief items
Security
GnuPG 2.2.23 released, fixing a critical security flaw
GNU Privacy Guard (GnuPG or GPG) has released version 2.2.23 to fix a critical security bug affecting GnuPG 2.2.21 and 2.2.22, as well as Gpg4win 3.1.12. "Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour. Importing an arbitrary key can often easily be triggered by an attacker and thus triggering this bug. Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated attacker. The major hurdle for an attacker is that only every second byte is under their control with every first byte having a fixed value of 0x04. Software distribution verification should not be affected by this bug because such a system uses a curated list of keys."
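The defect the advisory describes is a classic one: algorithm ids from an untrusted key's preference subpacket are copied into a fixed-capacity array without first checking that they fit. The following added example (not GnuPG's code; the capacity constant `MAX_PREFS`, the `struct pref` layout and the function name are assumptions made for illustration) shows the check a parser needs before writing, and why, in a pair-per-entry layout, an overflow would leave only every second byte under the key author's control: the class byte of each stored pair is a constant, 0x04 for AEAD preferences.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical fixed capacity of a key's preference array. This is an
   assumption for the example, not GnuPG's real constant. */
#define MAX_PREFS 16

/* OpenPGP preference classes; AEAD (4) is the one the advisory concerns. */
enum pref_type { PREF_SYM = 1, PREF_HASH = 2, PREF_ZIP = 3, PREF_AEAD = 4 };

/* One stored preference: a fixed class byte followed by the algorithm id
   taken from the key. If such pairs overran the array, only the value
   byte would be chosen by whoever made the key; the class byte is always
   the same constant, which is the "every first byte has a fixed value of
   0x04" property the advisory describes for AEAD preferences. */
struct pref { uint8_t type; uint8_t value; };

struct prefs {
    struct pref item[MAX_PREFS];
    size_t count;
};

/* Append the algorithm ids carried in one preference subpacket to `p`.
   Returns the number of entries added, or -1 if the subpacket would not
   fit, in which case nothing is written. The length check happens before
   the first store, so an overlong list from an untrusted key is rejected
   rather than written past the end of the array. */
int add_pref_subpacket(struct prefs *p, enum pref_type type,
                       const uint8_t *body, size_t body_len)
{
    if (body_len > MAX_PREFS - p->count)   /* bounds check before writing */
        return -1;
    for (size_t i = 0; i < body_len; i++) {
        p->item[p->count].type = (uint8_t)type;
        p->item[p->count].value = body[i];
        p->count++;
    }
    return (int)body_len;
}

int main(void)
{
    struct prefs p = { .count = 0 };
    /* Constructed sample: an AEAD preference list naming two algorithms. */
    const uint8_t ok_list[] = { 2, 1 };
    /* Constructed sample: a list longer than the array can hold, as a
       malformed or hostile key could carry. */
    uint8_t long_list[MAX_PREFS + 4];
    for (size_t i = 0; i < sizeof long_list; i++)
        long_list[i] = (uint8_t)i;

    printf("short list: %d entries added\n",
           add_pref_subpacket(&p, PREF_AEAD, ok_list, sizeof ok_list));
    printf("overlong list: result %d (rejected, %zu entries kept)\n",
           add_pref_subpacket(&p, PREF_AEAD, long_list, sizeof long_list),
           p.count);
    return 0;
}
```

The important detail is the order of operations: the capacity test runs once, against the remaining room, before the loop begins, so a rejected subpacket has no partial effect on the array and the caller can treat the key as malformed.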
Security quote of the week
It’s not just random blog posts, or geocities (remember that?) sites that don’t work. Major companies, industrial research labs and even a number of computer science departments have reorganised their web presence and decided that maintaining old URLs as a courtesy to others is not worth their effort.
I fully expect that search engines would locate the new location in some cases, but many of the documents are gone — as indeed is the whole of the site that used to host them. In passing I will note that for $5000 you can buy the domain that used to hold policy documents issued by the Indian Government!
Kernel development
Kernel release status
The current development kernel is 5.9-rc4, released on September 6. Linus said: "So I certainly can't claim that things have calmed down, but hopefully this was pretty much it. Knock wood."
Stable updates: 5.8.6, 5.4.62, 4.19.143, 4.14.196, 4.9.235, and 4.4.235 were released on September 3, followed by 5.8.7 and 5.4.63 on September 5. 5.8.8, 5.4.64, 4.19.144, and 4.14.197 were then released on September 9.
Cook: Security things in Linux v5.6
Kees Cook catches up with the security-relevant changes in the 5.6 kernel release. "With my 'attack surface reduction' hat on, I remain personally suspicious of the io_uring() family of APIs, but I can’t deny their utility for certain kinds of workloads. Being able to pipeline reads and writes without the overhead of actually making syscalls is pretty great for performance. Jens Axboe has added the IORING_OP_OPENAT command so that existing io_urings can open files to be added on the fly to the mapping of available read/write targets of a given io_uring. While LSMs are still happily able to intercept these actions, I remain wary of the growing 'syscall multiplexer' that io_uring is becoming."
Distributions
Android 11 released
Android 11 has been released with the source pushed to the Android Open Source Project (AOSP). "For developers, Android 11 has a ton of new capabilities. You’ll want to check out conversation notifications, device and media controls, one-time permissions, enhanced 5G support, IME transitions, and so much more. To help you work and develop faster, we also added new tools like compatibility toggles, ADB incremental installs, app exit reasons API, data access auditing API, Kotlin nullability annotations, and many others."
Linux from Scratch version 10.0 released
On September 1, the Linux From Scratch (LFS) project announced the release of version 10.0 of LFS along with Beyond Linux From Scratch (BLFS). LFS is "a project that provides you with step-by-step instructions for building your own customized Linux system entirely from source"; BLFS picks up where LFS leaves off. Both books are available online either with or without systemd: LFS System V, LFS systemd, BLFS System V, and BLFS systemd.
"The LFS release includes updates to glibc-2.31 and binutils-2.34. A total of 35 packages have been updated. A new package, zstd-1.4.4, has also been added. Changes to text have been made throughout the book. The Linux kernel has also been updated to version 5.5.3. The BLFS version includes approximately 1000 packages beyond the base Linux From Scratch Version 9.1 book. This release has over 840 updates from the previous version in addition to numerous text and formatting changes."
Distribution quote of the week
Development
Rosenzweig: Fun and Games with Exposure Notifications
Alyssa Rosenzweig looks at getting the Exposure Notifications System protocol, developed by Apple and Google for facilitating COVID-19 contact tracing on Android and iOS phones, running on GNU/Linux. "All in all, we end up with a Linux implementation of Exposure Notifications functional in Ontario, Canada. What’s next? Perhaps supporting contact tracing systems elsewhere in the world – patches welcome." The source code for liben is available "for any one who dares go near".
GStreamer 1.18.0 released
The GStreamer team has announced a major feature release of GStreamer. "The 1.18 release series adds new features on top of the previous 1.16 series and is part of the API and ABI-stable 1.x release series of the GStreamer multimedia framework." There is a lengthy list of highlights in the announcement and more details in the release notes.
Development quote of the week
Miscellaneous
FSF: Free Software Award nominations sought
The Free Software Foundation (FSF) has announced that nominations are open, until October 28, for the Free Software Awards. Winners will be announced at the annual LibrePlanet conference. "You might know of a contributor or organization who has done significant and user-empowering work on free software. We invite you to take a moment to show them (and tell us) that you care, by nominating them for an award in one of three categories: the Award for the Advancement of Free Software, the Award for Projects of Social Benefit, or the Award for Outstanding New Free Software Contributor. Don't assume that someone else will nominate them -- too often, everyone assuming someone else will express the appreciation means that it never happens. As taking initiative and speaking up for the community are important parts of free software, why not take the time yourself to make sure your voice is heard?"
Bottomley: Lessons from the GNOME Patent Troll Incident
James Bottomley got a copy of the patent-suit settlement between the GNOME Foundation and Leigh Rothschild and has posted an analysis. "Although the agreement achieves its aim, to rid all of Open Source of the Rothschild menace, it also contains several clauses which are suboptimal, but which had to be included to get a speedy resolution. In particular, Clause 10 forbids the GNOME foundation or its affiliates from publishing the agreement, which has caused much angst in open source circles about how watertight the agreement actually was. Secondly Clause 11 prohibits GNOME or its affiliates from pursuing any further invalidity challenges to any Rothschild patents leaving Rothschild free to pursue any non open source targets. Fortunately the effect of clause 10 is now mitigated by me publishing the agreement and the effect of clause 11 by the fact that the Open Invention Network is now pursuing IPR invalidity actions against the Rothschild patents."
Page editor: Jake Edge
