
Brief items

Security

Security quotes of the week

Independent researcher Ahmed Hassan, however, has shown how the feature can be abused to divulge exactly where you are. Using readily available software and a rooted Android device, he’s able to spoof the location his device reports to Telegram servers. By using just three different locations and measuring the corresponding distance reported by People Nearby, he is able to pinpoint a user’s precise location.

Telegram lets users create local groups within a geographical area. Hassan said that scammers often spoof their location to crash such groups and then peddle fake bitcoin investments, hacking tools, stolen social security numbers, and other scams.

Dan Goodin at Ars Technica

So, yes, the site may be coming back, but to say that it takes privacy seriously, while asking for social security numbers, hosted on a dodgy host, with a DDoS provider best known for its Russian home-base and its willingness to provide services to terrorists and online criminals... I would suggest that anyone who thinks of Parler as supportive of privacy, do so at their own risk.

Mike Masnick


Kernel development

Kernel release status

The current development kernel is 5.11-rc4, released on January 17. "Things continue to look fairly normal for this release: 5.11-rc4 is solidly average in size, and nothing particularly scary stands out."

Stable updates: 5.10.8, 5.4.90, 4.19.168, 4.14.216, 4.9.252, and 4.4.252 were released on January 17, followed by 5.10.9, 5.4.91, and 4.19.169 on January 19.


An update on minimum GCC versions

For reasons described in this article, the minimum GCC compiler version for the arm64 architecture has been increased to 5.1 to avoid a nasty bug. While there was discussion of raising the minimum to 5.1 for all architectures, that is not happening for the 5.11 kernel release. According to Linus Torvalds, though, that change may well happen during the 5.12 merge window. "So the arm64 issue is a bug-fix, the follow-up of just upgrading gcc requirements in general would be a 'keep up with the times, and allow those variable declarations in loops'."


Distributions

The Debian tech committee allows Kubernetes vendoring

Back in October, LWN looked at a conversation within the Debian project regarding whether it was permissible to ship Kubernetes bundled with some 200 dependencies. The Debian technical committee has finally come to a conclusion on this matter: this bundling is acceptable and the maintainer will not be required to make changes:

Our consensus is that Kubernetes ought to be considered special in the same way that Firefox is considered special -- we treat the package differently from most other source packages because (i) it is very large and complex, and (ii) upstream has significantly more resources to keep all those moving parts up-to-date than Debian does.

In the end, allowing this vendoring seemed like the only feasible way to package Kubernetes for Debian.


Red Hat expands no-cost RHEL options

Red Hat has announced a new set of options meant to attract current CentOS users who are unhappy with the shift to CentOS Stream. "While CentOS Linux provided a no-cost Linux distribution, no-cost RHEL also exists today through the Red Hat Developer program. The program’s terms formerly limited its use to single-machine developers. We recognized this was a challenging limitation. We’re addressing this by expanding the terms of the Red Hat Developer program so that the Individual Developer subscription for RHEL can be used in production for up to 16 systems. That’s exactly what it sounds like: for small production use cases, this is no-cost, self-supported RHEL."


Distribution quotes of the week

I agree with the original proposal to make it easier to find an installer that works (technically) on a broader range of systems, while simultaneously being irritated that non-free nonsense is required for most commercially-available systems. Our current approach seems to have an odd logic gap to me:

  1. Everything should be free software (yes)
  2. Non-free firmware is not free software (yes)
  3. Requiring it is a bug (yes)
  4. Therefore we will make it tedious and annoying to install Debian on systems with that bug (?!)
  5. ???
  6. More systems will stop requiring non-free software (profit!)

We've been wandering around in step 5 for a long time now. I'm not sure it's working.

Russ Allbery

But having a non-free installer where the use of non-free packages is optional, perhaps that might be a sufficient compromise that we could make that installer more easily findable, instead of leaving it in a "locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'."

Theodore Ts'o


Development

Banon: License changes to Elasticsearch and Kibana

Shay Banon first announced that Elastic would move its Apache 2.0-licensed source code in Elasticsearch and Kibana to be dual licensed under Server Side Public License (SSPL) and the Elastic License. "To be clear, our distributions starting with 7.11 will be provided only under the Elastic License, which does not have any copyleft aspects. If you are building Elasticsearch and/or Kibana from source, you may choose between SSPL and the Elastic License to govern your use of the source code."

In another post Banon added some clarification. "SSPL, a copyleft license based on GPL, aims to provide many of the freedoms of open source, though it is not an OSI approved license and is not considered open source."

There is also this article on why the change was made. "So why the change? AWS and Amazon Elasticsearch Service. They have been doing things that we think are just NOT OK since 2015 and it has only gotten worse. If we don’t stand up to them now, as a successful company and leader in the market, who will?"

The FAQ has additional information. "While we have chosen to avoid confusion by not using the term open source to refer to these products, we will continue to use the word “Open” and “Free and Open.” These are simple ways to describe the fact that the product is free to use, the source code is available, and also applies to our open and collaborative engagement model in GitHub. We remain committed to the principles of open source - transparency, collaboration, and community."


GNU Radio 3.9.0.0 released

Version 3.9.0.0 of the GNU Radio software-defined radio system has been released. "All in all, the main breaking change for pure GRC users will consist in a few changed blocks – an incredible feat, considering the amount of shift under the hood."


Wine 6.0 released

Version 6.0 of the Wine Windows not-an-emulator has been released. "This release is dedicated to the memory of Ken Thomases, who passed away just before Christmas at the age of 51. Ken was an incredibly brilliant developer, and the mastermind behind the macOS support in Wine. We all miss his skills, his patience, and his dark sense of humor." Significant features include core modules built as PE executables, an experimental Direct3D renderer, DirectShow support, a new text console, and more.


Development quotes of the week

Every time this bug is re-introduced, someone pipes up and says something like, "So what, it was a bug, they've fixed it." That's really missing the point. The point is not that such a bug existed, but that such a bug was even possible. The real bug here is that the design of the system even permits this class of bug. It is unconscionable that someone designing a critical piece of security infrastructure would design the system in such a way that it does not fail safe.

Especially when I have given them nearly 30 years of prior art demonstrating how to do it right, and a two-decades-old document clearly explaining What Not To Do that coincidentally used this very bug as its illustrative strawman!

Jamie Zawinski (Thanks to Christof Damian)

This is an essential, non-negotiable requirement of free and open-source software, and a reality you must face if you want to reap the benefits of the FOSS ecosystem. Anyone can monetize your code. That includes you, and me, all of your contributors, your competitors, Amazon and Google, and everyone else. [...]

This makes sense in terms of karmic justice, as it were. One of the most important advantages of making your software FOSS is that the global community can contribute improvements back to it. The software becomes more than your organization can make it alone, both through direct contributions to your code, and through the community which blossoms around it. If the sum of its value is no longer entirely accountable to your organization, is it not fair that the commercial exploitation of that value shouldn’t be entirely captured by your organization, either? This is the deal that you make when you choose FOSS.

Drew DeVault (Thanks to Paul Wise)


Miscellaneous

Stenberg: Food on the table while giving away code

Daniel Stenberg writes about getting paid to work on curl — 21 years after starting the project. "I ran curl as a spare time project for decades. Over the years it became more and more common that users who submitted bug reports or asked for help about things were actually doing that during their paid work hours because they used curl in a commercial surrounding – which sometimes made the situation almost absurd. The ones who actually got paid to work with curl were asking the unpaid developers to help them out."


Page editor: Jake Edge


Copyright © 2021, Eklektix, Inc.