Brief items
Security
Security quote of the week
We already know what a platform that allows any software to be installed looks like: it’s how our computers work. Whether we use Windows, or MacOS, or Linux, there is no monopoly dictating what software we can or cannot use. We can run our computers securely, or we can choose not to. Far from it being the dangerous hellscape we’re told to fear, the results are actually pretty good. Yes, there is malware. Yes there are attacks. But there is security and safety as well. Hundreds of companies innovate in this space, developing new security and privacy technologies that we are free to install if we choose.
Out in the real world, we give people the freedom to choose their own level of risk. It might be objectively true that Disneyland is safer than a public park, but that doesn’t mean we should outlaw all public parks and give Disney a monopoly on park-like gathering places. People are free to visit Disneyland, and pay for the privilege. They are free to visit other companies’ commercial parks. And they are free to visit any of our nation’s public parks. Our laptops are like public parks, that we can arrange with whatever amenities and safeguards we choose. There is no reason our phones should not be as well.
— Bruce Schneier in a letter to the US Senate about app stores
Kernel development
Kernel release status
The current development kernel is 5.17-rc2, released on January 30. Linus said:
Nothing hugely surprising here - it's a bit on the bigger side for being an rc2, but maybe part of that is that there's a NFS client merge-window pull request that got merged late due to it having been marked as spam.
Stable updates have been abundantly available this week. 5.16.3, 5.15.17, 5.10.94, 5.4.174, 4.19.226, 4.14.263, 4.9.298, and 4.4.300 were released on January 27, followed by 5.16.4, 5.15.18, 5.10.95, 5.4.175, 4.19.227, 4.14.264, 4.9.299, and 4.4.301 on January 29, further followed by 5.16.5, 5.15.19, 5.10.96, and 5.4.176 on February 1.
The 4.4.302 update is in the review process; it is due on February 3. This is expected to be the final 4.4.x release.
Rosenzweig: Writing an open source GPU driver – without the hardware
Here's a war story from Alyssa Rosenzweig on the process of writing a free driver for Arm's "Valhall" GPUs without having the hardware to test it on.
In 2021, there were no Valhall devices running mainline Linux. While a lack of devices poses an obvious obstacle to device driver development, there is no better time to write drivers than before hardware reaches end-users. Developing and distributing production-quality drivers takes time, and we don’t want users to be reliant on closed source blobs. If development doesn’t start until a device hits shelves, that device could reach “end-of-life” by the time there are mature open drivers. But with a head start, we can have drivers ready by the time devices reach end users.
Kasper: a tool for finding speculative-execution vulnerabilities
The Systems and Network Security Group at Vrije Universiteit Amsterdam has announced a tool called Kasper that is able to scan the kernel source and locate speculative-execution vulnerabilities:
Namely, it models an attacker capable of controlling data (e.g., via memory massaging or value injection a la LVI), accessing secrets (e.g., via out-of-bounds or use-after-free accesses), and leaking these secrets (e.g., via cache-based, MDS-based, or port contention-based covert channels). As a result, Kasper discovered 1,379 previously unknown gadgets in the heavily-hardened Linux kernel.
The page includes a discussion of a vulnerability in the kernel's linked-list implementation as well as links to the code and the full paper. (Thanks to Paul Wise).
Quote of the week
This is the proposed LAST 4.4.y kernel release to happen under the rules of the normal stable kernel releases. After this one, it will be marked End-Of-Life as it has been 6 years and you really should know better by now and have moved to a newer kernel tree. After this one, no more security fixes will be backported and you will end up with an insecure system over time.
— Greg Kroah-Hartman
Distributions
Debian tweaks its resolution process
The vote has concluded in the Debian project on a general resolution affecting the way such resolutions are discussed in the future. The changes, as proposed by Russ Allbery, have been adopted with the required three-to-one supermajority, though the overall level of voting was low. The new process is mostly as described in this article from October with a few changes. The end result may be to shorten the discussion period for controversial issues and make the end of that period more predictable.
Nitrux 2.0.0 released
Version 2.0.0 of the Debian-based Nitrux distribution is available. "This new version brings together the latest software updates, bug fixes, performance improvements, and ready-to-use hardware support."
Development
LibreOffice 7.3 released
Version 7.3 of the LibreOffice "Community" edition is out. "In addition to the majority of code commits being focused on interoperability with Microsoft's proprietary file formats, there is a wealth of new features targeted at users migrating from Office, to simplify the transition".
GNU poke 2.0 released
Version 2.0 of GNU Poke, a binary-data editor, has been released. "A lot of things have changed and improved with respect to the 1.x series; we have fixed many bugs and added quite a lot of new exciting and useful features." Look below for an extensive list of changes.
Page editor: Jake Edge
