Brief items
Security
Malcolm: Prevent Trojan Source attacks with GCC 12
David Malcolm describes some GCC improvements to defend against bidirectional-text attacks in source code.
My colleague Marek Polacek and I implemented a new warning for GCC 12, -Wbidi-chars, for detecting Trojan Source attacks involving Unicode control characters. Marek implemented the guts of the warning, but when I tried it out on the examples provided by the Trojan Source researchers, I found I had trouble understanding the initial results—precisely because of the obfuscation itself.

So for GCC 12, I've added a new flag to GCC diagnostics, indicating that the diagnostic itself relates to source code encoding. When any such diagnostic is printed, GCC will now escape non-ASCII characters in the source code.
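The mechanics behind both of Malcolm's points, as an added example that is not GCC's code and not from his post: a scanner that tracks Unicode bidirectional embeddings, overrides and isolates per line and reports those still open at the newline (the cases GCC's default -Wbidi-chars=unpaired flags) or every bidi control (the -Wbidi-chars=any behaviour), and that prints the offending line with non-ASCII characters escaped as <U+XXXX> so the reordering cannot hide the payload from the reviewer. The C source in SAMPLE is constructed for this example; the function and class names are this example's own.

```python
"""Detect Unicode bidirectional control characters in source text (added example, not GCC's code)."""
from __future__ import annotations
from dataclasses import dataclass

# Openers of embeddings/overrides are closed by PDF; openers of isolates are closed by PDI.
EMBED_OPENERS = {"\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO"}
ISOLATE_OPENERS = {"\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI"}
PDF, PDI = "\u202C", "\u2069"
NAMES = {**EMBED_OPENERS, **ISOLATE_OPENERS, PDF: "PDF", PDI: "PDI"}


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number
    col: int        # 1-based column in code points (not bytes)
    name: str       # short name of the control character
    unpaired: bool  # True if the context it opened is still active at end of line


def escape_non_ascii(text: str) -> str:
    """Render non-ASCII characters visibly, e.g. RLO becomes <U+202E>, instead of
    letting the terminal reorder the line around them."""
    return "".join(c if c.isascii() else f"<U+{ord(c):04X}>" for c in text)


def scan_line(text: str, lineno: int) -> list[Finding]:
    """Track open bidi contexts on one line. UAX #9 closes all of them at a paragraph
    break (a newline), so a context left open there is exactly what lets a Trojan
    Source line display differently from how the compiler reads it."""
    found: list[tuple[int, str]] = []   # (column, char) for every bidi control seen
    stack: list[int] = []               # indexes into `found` of contexts still open
    for col, ch in enumerate(text, start=1):
        if ch not in NAMES:
            continue
        found.append((col, ch))
        idx = len(found) - 1
        if ch in EMBED_OPENERS or ch in ISOLATE_OPENERS:
            stack.append(idx)
        elif ch == PDF:
            # PDF closes the innermost embedding/override but cannot cross an isolate boundary.
            if stack and found[stack[-1]][1] in EMBED_OPENERS:
                stack.pop()
        else:  # PDI closes the innermost isolate together with everything opened inside it.
            if any(found[i][1] in ISOLATE_OPENERS for i in stack):
                while found[stack[-1]][1] not in ISOLATE_OPENERS:
                    stack.pop()
                stack.pop()
    still_open = set(stack)
    return [Finding(lineno, col, NAMES[ch], i in still_open) for i, (col, ch) in enumerate(found)]


def scan_source(source: str, mode: str = "unpaired") -> list[Finding]:
    """mode='unpaired' reports only contexts left open at end of line (GCC's default);
    mode='any' reports every bidi control character, paired or not."""
    if mode not in ("unpaired", "any"):
        raise ValueError(f"unknown mode {mode!r}")
    return [f for lineno, line in enumerate(source.splitlines(), start=1)
            for f in scan_line(line, lineno) if mode == "any" or f.unpaired]


def report(source: str, mode: str = "unpaired") -> list[str]:
    """Diagnostics in a GCC-like shape, each followed by the escaped source line."""
    lines = source.splitlines()
    return [f"{f.line}:{f.col}: warning: {'unpaired' if f.unpaired else 'paired'} "
            f"UTF-8 bidirectional control character {f.name}\n    {escape_non_ascii(lines[f.line - 1])}"
            for f in scan_source(source, mode)]


# Constructed sample: a "commenting-out" style attack. Rendered, line 4 looks like a
# closed comment followed by `if (is_admin) {`; to the compiler the whole line is a comment.
SAMPLE = (
    "#include <stdio.h>\n"
    "int main(void) {\n"
    "    int is_admin = 0;\n"
    "    /*\u202E } \u2066 if (is_admin) \u2069 \u2066 begin admins only */\n"
    "        printf(\"You are an admin.\\n\");\n"
    "    /* end admins only \u202E { \u2066 */\n"
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    for msg in report(SAMPLE):
        print(msg)
```

Run it on a real tree with `python scanner.py` after swapping SAMPLE for the file contents; the escaped line is what makes the finding actionable, since the raw line reads as harmless in most editors.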
Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)
Bleeping Computer reports on the latest NPM mess: the developer of the "colors" and "faker" modules deleted faker's code and its development history from GitHub (with a force push), published sabotaged releases of the modules in their place, and broke builds for the numerous applications that depend on them.
The reason behind this mischief on the developer's part appears to be retaliation—against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community.
GitHub has evidently called this action a violation of its terms of service and disabled the owner's account; NPM has restored a previous version of the code.
Security quotes of the week
Microsoft's obviously in a position to ship a firmware update that modifies the TPM's behaviour - there would be no technical barrier to them shipping code that resulted in the TPM just handing out your disk encryption secret on demand. But Microsoft already control the operating system, so they already have your disk encryption secret. There's no need for them to backdoor the TPM to give them something that the TPM's happy to give them anyway. If you don't trust Microsoft then you probably shouldn't be running Windows, and if you're not running Windows Microsoft can't update the firmware on your TPM.

So, as of now, Pluton running firmware that makes it look like a TPM just isn't a terribly interesting change to where we are already. It can't block you running software (either apps or operating systems). It doesn't enable any new privacy concerns. There's no mechanism for Microsoft to forcibly push updates to it if you're not running Windows.
— Matthew Garrett on Microsoft's Pluton security processor
Unfortunately for Canon, the global chip shortage has temporarily put a kink in the company's plan to annoy regular customers. The shortage means the company hasn't been able to buy enough chips used to determine whether a printer cartridge is "genuine" or "authorized," and therefore has had to start selling cartridges without DRM, and issue guidance helping users do an end around for the company's own obnoxious DRM warnings.— Karl Bode
I see this as another manifestation of the security problems that stem from all controls becoming software controls. Back when the physical buttons actually did things — like turn the power, the Wi-Fi, or the camera on and off — you could actually know that something was on or off. Now that software controls those functions, you can never be sure.— Bruce Schneier on a way to fake iPhone reboots
Kernel development
Kernel release status
The 5.16 kernel is out, released on January 9. Significant changes in 5.16 include the futex_waitv() system call, cluster-aware CPU scheduling, some internal memcpy() hardening, memory folios, the DAMON operating schemes user-space memory-management mechanism, and much more. See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 5.16 page for details.

Stable updates: 5.15.14, 5.10.91, 5.4.171, 4.19.225, 4.14.262, 4.9.297, and 4.4.299 were all released on January 11.
Quote of the week
So I personally think this is worth going with, partly simply due to the reported improvements that have been measured.

But also to a large extent because the whole notion of doing multi-generational LRU isn't exactly some wackadoodle crazy thing. We already do active vs inactive, the whole multi-generational thing just doesn't seem to be so "far out".
— Linus Torvalds tentatively green-lights the multi-generational LRU
Distributions
Anaconda is getting a new suit (Fedora Community Blog)
The GTK-based Anaconda installer has long been used to set up Fedora, CentOS, and RHEL systems. This Fedora Community Blog entry describes some significant changes that will appear in a future version of Anaconda:
We will rewrite the new UI as a web browser-based UI using existing Cockpit technology. We are taking this approach because Cockpit is a mature solution with great support for the backend (Anaconda DBus). The Cockpit team is also providing us with great support and they have significant knowledge which we could use. We thank them for helping us a lot with the prototype and creating a foundation for the future development.
Linux Mint 20.3 "Una" released
Linux Mint has announced its 20.3 ("Una") release for three different desktop environments: the Cinnamon, MATE, and Xfce editions. Mint 20.3 is a long-term support release, with support lasting until 2025. Each edition comes with a long list of new features (Cinnamon, MATE, and Xfce) and detailed release notes (Cinnamon, MATE, and Xfce).
Development
IPython 8.0 released
Version 8.0 of the IPython read-eval-print-loop implementation for Python is out.
This major release comes with many improvements to the existing codebase and several new features. These new features are code reformatting with Black in the CLI, ghost suggestions, and better tracebacks which highlight the error node, thus making complex expressions easier to debug.
Looking back at 2021, looking forward at 2022 (Libre Arts)
Here is a comprehensive look on the Libre Arts site at the current state of free software for creative artists.
The other reason is that, with a project like GIMP, it’s hard to do just one thing. The team is constantly bombarded with requests that are mostly doable once you have a team of 10 to 20 full-time developers, which is light years away from where GIMP is now. Which results in a lot of running around between under-the-hood work, UX fixes, featurettes, better file formats support etc. So you give everyone a little of what they want but you end up delaying an actual release because the big stuff still needs to happen.
Page editor: Jake Edge