
Brief items

Security

A Git security release

Several new versions of the Git source-code management system have been released; they fix a vulnerability that could allow a hostile remote repository to execute code locally during a clone operation. Only users with case-insensitive filesystems are affected, reducing the set of possible targets considerably, but an update still seems like a good idea.

Full Story (comments: 8)

The Linux Foundation's "sigstore" project

The Linux Foundation has announced a project called sigstore; its purpose is to protect against supply-chain attacks by signing (and verifying) release artifacts. "Very few open source projects cryptographically sign software release artifacts. This is largely due to the challenges software maintainers face on key management, key compromise / revocation and the distribution of public keys and artifact digests. In turn, users are left to seek out which keys to trust and learn steps needed to validate signing. Further problems exist in how digests and public keys are distributed, often stored on websites susceptible to hacks or a README file situated on a public git repository. sigstore seeks to solve these issues by utilization of short lived ephemeral keys with a trust root leveraged from an open and auditable public transparency log."
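As an added illustration of the mechanism the announcement describes (this is not sigstore's own code, nor anything from the Linux Foundation announcement): a Go sketch in which a freshly generated Ed25519 key signs a release digest exactly once, the (digest, public key, signature) record is appended to a toy append-only Merkle log, and a consumer checks the signature together with an inclusion proof against a log root it holds from a trusted channel. The log structure, the 0x00/0x01 hash-prefix layout, the `LogEntry`/`TransparencyLog`/`ProofStep` names and the sample artifacts are all constructed for this example. Real sigstore also binds each ephemeral key to a verified identity through a short-lived certificate from its CA (Fulcio) and records entries in a production log (Rekor); neither is modelled here, so the sketch shows only why a signer needs no long-lived key and why a consumer trusts the log rather than a key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// LogEntry is one public record: artifact digest, single-use signing key, signature.
type LogEntry struct {
	ArtifactDigest []byte
	PublicKey      ed25519.PublicKey
	Signature      []byte
}

// Leaf hashes get prefix 0x00 and interior nodes 0x01 so the two are never confused.
func (e LogEntry) leafHash() []byte {
	sum := sha256.Sum256(append(append(append([]byte{0x00}, e.ArtifactDigest...), e.PublicKey...), e.Signature...))
	return sum[:]
}
func nodeHash(left, right []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{0x01}, left...), right...))
	return sum[:]
}

// TransparencyLog is an append-only Merkle tree; tracking its root over time exposes any rewrite of history.
type TransparencyLog struct{ leaves [][]byte }

func (l *TransparencyLog) Append(e LogEntry) int {
	l.leaves = append(l.leaves, e.leafHash())
	return len(l.leaves) - 1
}

// nextLevel pairs adjacent nodes; an unpaired last node is carried up as-is.
func nextLevel(level [][]byte) [][]byte {
	var next [][]byte
	for i := 0; i < len(level); i += 2 {
		if i+1 < len(level) {
			next = append(next, nodeHash(level[i], level[i+1]))
		} else {
			next = append(next, level[i])
		}
	}
	return next
}

// ProofStep is one sibling hash on the path from a leaf to the root.
type ProofStep struct {
	Hash   []byte
	IsLeft bool // sibling sits to the left of the node being proven
}

// InclusionProof returns the sibling path for a leaf and the root it leads to.
func (l *TransparencyLog) InclusionProof(index int) ([]ProofStep, []byte) {
	if index < 0 || index >= len(l.leaves) {
		return nil, nil
	}
	var proof []ProofStep
	level, idx := l.leaves, index
	for len(level) > 1 {
		if idx%2 == 1 {
			proof = append(proof, ProofStep{level[idx-1], true})
		} else if idx+1 < len(level) {
			proof = append(proof, ProofStep{level[idx+1], false})
		}
		level, idx = nextLevel(level), idx/2
	}
	return proof, level[0]
}

// VerifyInclusion recomputes the root from a leaf and its sibling path.
func VerifyInclusion(leaf []byte, proof []ProofStep, root []byte) bool {
	for _, s := range proof {
		if s.IsLeft {
			leaf = nodeHash(s.Hash, leaf)
		} else {
			leaf = nodeHash(leaf, s.Hash)
		}
	}
	return root != nil && bytes.Equal(leaf, root)
}

// SignArtifact is the ephemeral-key flow: fresh key, one signature, public record; the
// private key then goes out of scope, so there is nothing long-lived to protect or revoke.
func SignArtifact(tlog *TransparencyLog, artifact []byte) (LogEntry, int, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return LogEntry{}, 0, err
	}
	digest := sha256.Sum256(artifact)
	entry := LogEntry{digest[:], pub, ed25519.Sign(priv, digest[:])}
	return entry, tlog.Append(entry), nil
}

// VerifyArtifact: digest matches, signature verifies under the recorded key, and the
// record is provably included under the root the consumer trusts (obtained out of band).
func VerifyArtifact(artifact []byte, entry LogEntry, proof []ProofStep, root []byte) bool {
	digest := sha256.Sum256(artifact)
	return bytes.Equal(digest[:], entry.ArtifactDigest) &&
		ed25519.Verify(entry.PublicKey, digest[:], entry.Signature) &&
		VerifyInclusion(entry.leafHash(), proof, root)
}
```

The point of the design is where trust lives: the consumer never needs to know, fetch or pin the signer's key. It pins the log root instead, and any entry that verifies under that root was publicly recorded at signing time, which is what lets a compromised or leaked key be noticed (an unexpected entry shows up in the log) rather than silently abused. The toy log returns the root from `InclusionProof` for convenience; in practice the root comes from a trusted source, not from the party presenting the proof.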

Comments (37 posted)

Security quotes of the week

Somehow, the threat actor either knew that the exploits would soon become worthless or simply guessed that they would. So, in late February, the attacker changed strategy. Instead of simply exploiting targeted Exchange servers, the attackers stepped up their pace considerably by targeting tens of thousands of servers to install the web shell, an exploit that allows attackers to have remote access to a system. Microsoft then released the patch with very little warning on Mar. 2, at which point the attacker simply sought to compromise almost every vulnerable Exchange server on the Internet. The result? Virtually every vulnerable mail server received the web shell as a backdoor for further exploitation, making the patch effectively useless against the Chinese attackers; almost all of the vulnerable systems were exploited before they were patched.

This is a rational strategy for any actor who doesn’t care about consequences. When a zero-day is confidential and undiscovered, the attacker tries to be careful, only using it on attackers of sufficient value. But if the attacker knows or has reason to believe their vulnerabilities may be patched, they will increase the pace of exploits and, once a patch is released, there is no reason to not try to exploit everything possible.

Nicholas Weaver

We know that Microsoft shares advance information about updates with some organizations. I have long believed that they give the NSA a few weeks’ notice to do basically what the Chinese did: use the exploit widely, because you don’t have to worry about losing the capability.
Bruce Schneier

In theory cookies should have been very pro-privacy. After all, they're putting data on end user computers where they have control over them. Users can delete those cookies or block them from being placed. In theory. The reality, though, is that deleting or blocking cookies takes a lot of effort, and while there are some services that help you out, they're not always great. In an ideal world, we would have built tools that made it clearer to end users what information cookies were tracking, and what was being done with that information -- as well as consumer-friendly tools to adjust things. But that's not the world we ended up in. Instead, we ended up in a world where the hamfisted use of 3rd party cookies is generally just kinda creepy. In the past, I've referred to it as the uncanny valley of advertising: where the advertising is not so well targeted as to be useful, but just targeted enough to be creepy and annoying by reminding you that you're being tracked.
Mike Masnick

Comments (5 posted)

Kernel development

Kernel release status

The current development kernel is 5.12-rc2, released on March 5 — a little sooner than would normally be expected due to the problems with 5.12-rc1. "Other than that it all looks pretty normal".

Stable updates have not been in short supply. The massive 5.11.3, 5.10.20, 5.4.102, 4.19.178, 4.14.223, 4.9.259, and 4.4.259 updates were released on March 4. 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260 were released on March 7, followed by 5.11.5, 5.10.22, and 5.4.104 on March 9.

For good measure, the 5.11.6, 5.10.23, 5.4.105, 4.19.180, 4.14.225, 4.9.261, and 4.4.261 updates are in the review process; they are due on March 12.

Comments (none posted)

A warning about 5.12-rc1

Linus Torvalds has sent out a note telling people not to install the recent 5.12-rc1 development kernel; this is especially true for anybody running with swap files. "But I want everybody to be aware of it because _if_ it bites you, it bites you hard, and you can end up with a filesystem that is essentially overwritten by random swap data. This is what we in the industry call 'double ungood'." Additionally, he is asking maintainers to not start branches from 5.12-rc1 to avoid future situations where people land in the buggy code while bisecting problems.

Full Story (comments: 57)

Quote of the week

Please remember, one of the big advantages of our open development processes is that we /do/ accept code with warty (but functional) interfaces now, and we can clean them up later. This is (IMHO) a good stress-reduction tactic, because each of us (ideally) should concentrate on getting the core algorithms right, and not focusing on rebasing code and smoothing over the same d*** merge conflicts over and over.

Yes, it's true that people think that a maintainer's only real power is to say 'no' in the hopes of forcing developers to fix everything now because they can't trust that a dev will ever come back with the promised updates, but I reject that 110%. I'm not going anywhere, and I /do/ trust that when the rest of you say that you'll be back with wart remover, you will.

Darrick Wong

Comments (none posted)

Development

Linaro to release monthly GNU Toolchain integration builds

Linaro Ltd has announced the first GNU Toolchain integration build. "Every six months, Arm releases the official GNU Toolchain release for Arm architectures for the purpose of production. Linaro will bridge the gap between the official releases by delivering monthly integration builds which offer users a snapshot of the upstream build. Although not supported, having access to these builds will allow developers to test features from a pre-built binary as soon as it lands upstream. The builds will also enable companies to check their BSP (Board Support Package) release will work with newer toolchains without having to wait for an official release."

Full Story (comments: none)

Miscellaneous

NGI POINTER offers funding for internet/web architects

The NGI POINTER organization, which is funded by the European Commission, has put out its second open call for providing development/research funding; the first open call was in April 2020. This time around, the organization is looking for individuals or projects that are working on "changing the Internet and Web with European Values at its core". The goal is to "support promising bottom-up projects that are able to build, on top of state-of-the-art research, scalable protocols and tools to assist in the practical transition or migration to new or updated technologies, whilst keeping European Values at the core". Those interested may want to look at some of the previously funded projects; more information can also be found in the Work Programme [PDF].

Comments (none posted)

Page editor: Jake Edge


Copyright © 2021, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds