
Brief items

Security

Security quotes of the week

Physically removing features and components works, but the results are increasingly unacceptable. The NSA could take [US President Joe] Biden’s Peloton and rip out the camera, microphone, and Internet connection, and that would make it secure — but then it would just be a normal (albeit expensive) stationary bike. Maybe Biden wouldn’t accept that, and he’d demand that the NSA do even more work to customize and secure the Peloton part of the bicycle. Maybe Biden’s security agents could isolate his Peloton in a specially shielded room where it couldn’t infect other computers, and warn him not to discuss national security in its presence.
Bruce Schneier

Remember when America spent a year and a half hyperventilating about a Chinese teen dancing app instead of securing American infrastructure from Russian hackers or other threats? Remember when a bunch of GOP officials with a long track record of not caring whatsoever about consumer privacy or internet security exploited xenophobic fears about the app to land political allies Oracle and Walmart a major windfall? Remember when 90% of the press couldn't be bothered to inform readers this was all performative cronyism by an unqualified nitwit? Good times.

This morning the Wall Street Journal announced that the much hyped deal to sell ByteDance-owned TikTok to Oracle and Walmart is looking unsurprisingly dead in the wake of previous legal challenges and Trump's election loss. Instead, the government appears poised to do what made sense from the start: focus on the broader problem of lax privacy and dodgy security standards across the board in telecom/adtech/tech, instead of singling out a teen dancing app [...]

Karl Bode

I still think of it as more of a vision -- a goal for what an internet could be, rather than a declaration of what it was. It was a shining star for what the internet might be possible to achieve, with an underlying recognition that policymakers and regulators who never truly understood the internet and its usefulness, would seek to undermine or destroy. People can see in it whatever they wish to see -- good or bad -- and that too is part of the promise and wonder of today's modern internet.
Mike Masnick celebrates the 25th anniversary of A Declaration of the Independence of Cyberspace


Kernel development

Kernel release status

The current development kernel is 5.11-rc7, released on February 7. Linus said: "Anyway, this is hopefully the last rc for this release, unless some surprise comes along and makes a travesty of our carefully laid plans. It happens. Nothing hugely scary stands out, with the biggest single part of the patch being some new self-tests. In fact, about a quarter of the patch is documentation and selftests."

Stable updates: 5.10.13, 5.4.95, 4.19.173, 4.14.219, 4.9.255, and 4.4.255 were released on February 4. Then came the 4.9.256 and 4.4.256 updates on the next day; they contained no patches, but did include an experimental attempt to solve the minor-version number overflow problem. 5.10.14, 5.4.96, 4.19.174, and 4.14.220 followed on February 8, and 5.10.15, 5.4.97, 4.19.175, 4.14.221, 4.9.257, and 4.4.257 showed up on the 10th. That should be about enough stability for anybody.


Cook: security things in Linux v5.8

Kees Cook catches up with the security-related changes in the 5.8 kernel release. "With this in place, Jump-Oriented Programming (JOP, where code gadgets are chained together with jumps and calls) is no longer available to the attacker. An attacker’s code must make direct function calls. This basically reduces the 'usable' code available to an attacker from every word in the kernel text to only function entries (or jump targets). This is a 'low granularity' forward-edge Control Flow Integrity (CFI) feature, which is important (since it greatly reduces the potential targets that can be used in an attack) and cheap (implemented in hardware). It’s a good first step to strong CFI, but (as we’ve seen with things like CFG) it isn’t usually strong enough to stop a motivated attacker."


Jordan: ktest: Automated Testing For Kernel Programmers

Daniel Jordan looks at ktest on the Oracle Linux blog. "Where ktest is especially useful, though, is in its ability to do these things for each patch in a series, thereby freeing you from a significant amount of tedium. For your chosen configs, the series will be cleanly bisectable and won't trigger upstream build bots with easily avoided errors and warnings mid-series. (Those bots are nice for less common configs though.) Code reviewers' moods improve too because each patch will stand alone with all the necessary code."


Distributions

Distribution quote of the week

The ‘community’ of Linux users has a bit of a problem. It’s not really a community at all. The Linux ‘community’ is a bunch of individuals who have an affinity for running the OS. But there’s a whole set of people who don’t self-identify as part of that community, because they’re just using the thing as a tool, like you’d use a Dremel. I’m not aware of “Dremel User Groups” but then it wouldn’t surprise me if they exist, and there are splinter groups who eschew the electric devices for more manual ones, probably.

Similarly there’s no real wider unified ‘Free Software’ community either. There’s the Popular People’s Front of FSF and the People’s Popular front of Open Source who believe fundamentally different things and target different users. It’s a giant sliding scale, like any community of meatbags.

Alan Pope (Thanks to Paul Wise)


Development

Pattern matching accepted for Python

The Python steering council has, after some discussion, accepted the controversial proposal to add a pattern-matching primitive to the language. "We acknowledge that Pattern Matching is an extensive change to Python and that reaching consensus across the entire community is close to impossible. Different people have reservations or concerns around different aspects of the semantics and the syntax (as does the Steering Council). In spite of this, after much deliberation, reviewing all conversations around these PEPs, as well as competing proposals and existing poll results, and after several in-person discussions with the PEP authors, we are confident that Pattern Matching as specified in PEP 634, et al, will be a great addition to the Python language."


The Rust language gets a foundation

The newly formed Rust Foundation has announced its existence. "Today, on behalf of the Rust Core team, I’m excited to announce the Rust Foundation, a new independent non-profit organization to steward the Rust programming language and ecosystem, with a unique focus on supporting the set of maintainers that govern and develop the project. The Rust Foundation will hold its first board meeting tomorrow, February 9th, at 4pm CT. The board of directors is composed of 5 directors from our Founding member companies, AWS, Huawei, Google, Microsoft, and Mozilla, as well as 5 directors from project leadership, 2 representing the Core Team, as well as 3 project areas: Reliability, Quality, and Collaboration." Mozilla has transferred its trademarks and domains for Rust over to the foundation.


Development quotes of the week

I find that planning, in detail, beyond a week or two is likely to be useless. After that, too much changes that affects what I need to do, and how. Note the caveat of “in detail”: it’s fine to plan something like “over the next decade I will implement a backup program”, but planning to develop backups in September, restores in October, and adding encryption the first week in November is folly. What happens if in October you realize you need to learn and implement TCP/IP, HTTP, and TLS in your chosen language, because the existing implementations turn out not to work in the northern hemisphere? And what if I need to move to another country due to inheriting a castle in Spain?
Lars Wirzenius

Of course, we'd have all rather gone in person to FOSDEM like every other year. But, necessity is the mother of invention, and what the FOSDEM team has done proved that there is absolutely no reason that any online conference should require proprietary software. There is no reason going forward that we should accept excuses; those who claim to be helping Open Source by running proprietary-software-based FOSS-related conferences are now on notice: you are actively thwarting the adoption of proven and working FOSS solutions by any insistence of continuing with proprietary platforms for conferences, developer meetings, and interactive online collaboration.
Bradley M. Kuhn

Rust is kind of cool, but it’s not a panacea. There are legitimate reasons to prefer C, both technical and moral, and Rust still needs a lot of work before it’s ready for the prime time in systems which prioritize stability, reliability, simplicity, and accessibility. Those of us who work with such systems, we feel like the Rust community has put its thumbs into its collective ears, sung “la la la” to our problems, and proceeded to stomp all over the software ecosystem like a toddler playing “Godzilla” with their Lego, all the while yelling at us old fogies for being old and fogey.
Drew DeVault


Miscellaneous

The 2021 Season of Docs application for organizations is open

Google Open Source has announced the 2021 edition of Season of Docs. "In 2021, the Season of Docs program will continue to support better documentation in open source and provide opportunities for skilled technical writers to gain open source experience. In addition, building on what we’ve learned from the successful 2019 and 2020 projects, we’re expanding our focus to include learning about effective metrics for evaluating open source documentation." Open source organizations may apply to take part in Season of Docs until March 26.


Page editor: Jake Edge


Copyright © 2021, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds