
Brief items

Security

The malicious "rustdecimal" crate

The Rust Blog warns developers of a malicious crate named rustdecimal, which was evidently targeted at GitLab users who mistype rust_decimal.

The crate contained source code and functionality identical to the legit rust_decimal crate, except for the Decimal::new function.

When the function was called, it checked whether the GITLAB_CI environment variable was set, and if so it downloaded a binary payload into /tmp/git-updater.bin and executed it. The binary payload supported both Linux and macOS, but not Windows.
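The attack above relies on a name that reads like rust_decimal. As an added example (not code from the Rust Blog or the rust_decimal project), here is a small Cargo.lock audit that flags crate names which are not on an assumed allowlist of known crates but collapse onto one once underscores and hyphens are dropped, or sit within one edit of one; the allowlist KNOWN and the lockfile excerpt SAMPLE_LOCK are constructed for the example.

```rust
// Added example (not from the Rust Blog): flag look-alike crate names in a Cargo.lock.
// KNOWN is an assumed allowlist; SAMPLE_LOCK is a constructed lockfile excerpt.
const KNOWN: &[&str] = &["rust_decimal", "serde", "tokio", "rand"];
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "serde"
version = "1.0.137"

[[package]]
name = "rustdecimal"
version = "1.23.1"
"#;

// Lowercase and drop `_`/`-`, so rustdecimal, rust-decimal and rust_decimal collide.
fn normalize(name: &str) -> String {
    name.chars().filter(|c| !"_-".contains(*c)).flat_map(char::to_lowercase).collect()
}

// Levenshtein distance, so single-character typos are caught as well.
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for (i, ca) in a.iter().enumerate() {
        let mut cur = vec![i + 1];
        for (j, cb) in b.iter().enumerate() {
            let cost = usize::from(ca != cb);
            cur.push((prev[j] + cost).min(prev[j + 1] + 1).min(cur[j] + 1));
        }
        prev = cur;
    }
    prev[b.len()]
}

// Pull every `name = "..."` entry out of a Cargo.lock body.
fn lock_names(lock: &str) -> Vec<String> {
    lock.lines()
        .filter_map(|l| l.trim().strip_prefix("name = \""))
        .filter_map(|rest| rest.strip_suffix('"'))
        .map(str::to_string)
        .collect()
}

// (crate name, known crate it resembles) for every name that is not itself in
// KNOWN but is within one edit of a known crate once both are normalized.
fn suspicious(lock: &str) -> Vec<(String, String)> {
    lock_names(lock).into_iter().filter_map(|n| {
        if KNOWN.contains(&n.as_str()) { return None; }
        let norm = normalize(&n);
        let hit = KNOWN.iter().find(|k| edit_distance(&norm, &normalize(k)) <= 1)?;
        Some((n, hit.to_string()))
    }).collect()
}
```

Run `suspicious` over a real Cargo.lock in CI and fail the build on any hit, so a near-miss name is reviewed by a human before anything in it gets executed.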

Comments (53 posted)

Security quotes of the week

  1. Buy expired NPM maintainer email domains.
  2. Re-create maintainer emails
  3. Take over packages
  4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
  5. Enjoy world domination.
Lance R. Vick (Thanks to Paul Wise.)

Nuclear disarmament is “real geopolitics,” while the Internet is still, even now, seen as vaguely magical, and something that can be “fixed” by having the nerds yank plugs out of a wall.
Bruce Schneier and Tarah Wheeler

Comments (none posted)

Kernel development

Kernel release status

The current development kernel is 5.18-rc6, released on May 8. "Please do go test it all out - because things may look good now, but continued testing is the only thing that will make sure."

Stable updates: 5.17.6, 5.15.38, 5.10.114, and 5.4.192 were released on May 9.

The 5.17.7, 5.15.39, 5.10.115, 5.4.193, 4.19.242, 4.14.278, and 4.9.313 stable updates are all in the review process; they are due on May 12.

Comments (2 posted)

NVIDIA Transitioning To Official, Open-Source Linux GPU Kernel Driver (Phoronix)

Phoronix reports that the days of proprietary NVIDIA graphics drivers are coming to a close.

NVIDIA's open kernel modules are already considered "production ready, opt-in" for data center GPUs. For GeForce and workstation GPUs, the open kernel module code is considered "alpha quality" but will be ramped up moving forward with future releases. NVIDIA has already deprecated the monolithic kernel module approach for their data center GPU support to focus on this open kernel driver solution (and their existing proprietary kernel module using the GSP). Only Turing and newer GPUs will be supported by this open-source kernel driver. Pre-Turing GPUs are left to using the existing proprietary kernel drivers or the Nouveau DRM driver for that matter.

The user-space code remains proprietary, though, which could inhibit the eventual merging of this code into the mainline kernel.

Update: here is NVIDIA's press release on the new drivers.

Comments (69 posted)

Quotes of the week

Given the goal of sending money to cryptographers, I'm pretty sure we want the answer to be a security-audit nightmare, so let me suggest the following idea. There's SIGWINCH to notify processes about window-size changes, so there should also be a signal for RNG changes, which should be called SIGRINCH, and there should be a different mechanism to address RNG output cloning inside the kernel, and there should be endless papers on Grinch Attacks, including papers that sort of prove security against Grinch Attacks, and deployment of software that's sort of protected against Grinch Attacks, and fear of the bad PR from abandoning anything labeled as protection, because, hey, _maybe_ the protection accomplishes something, and it's not as if anyone is going to be blamed for whatever damage is caused by the systems-level effect of the added complexity.
Daniel J. Bernstein

The relatively recent siphash-based bad random32.c code was added in response to concerns that the prior random32.c was too deterministic. Out of fears that random.c was (at the time) too slow, this code was anonymously contributed by somebody who was likely reusing the alias of long-time anonymous contributor George Spelvin. Then out of that emerged a kind of shadow entropy gathering system, with its own tentacles throughout various net code, added willy-nilly.

Stop👏making👏crappy👏bespoke👏random👏number👏generators👏.

Jason Donenfeld

I'd like to break the catch-22 of "ask for a new driver to be written in rust but the rust support isn't landed" vs "the rust support isn't landed because there aren't enough drivers". It really feels like "release early, release often" is needed here; it's hard to develop against -next. :)
Kees Cook on merging Rust in 5.19

Comments (none posted)

Distributions

Fedora 36 released

The Fedora 36 release is now available. Improvements include GNOME 42, Wayland support by default on systems with NVIDIA graphics, Podman 4.0, Ansible 5, the removal of support for legacy ifcfg configuration files, GCC 12, and more; see the release notes for details.

Comments (17 posted)

Poettering: Fitting Everything Together

Lennart Poettering designs his ideal desktop operating system in great detail:

First and foremost, I think the focus must be on an image-based design rather than a package-based one. For robustness and security it is essential to operate with reproducible, immutable images that describe the OS or large parts of it in full, rather than operating always with fine-grained RPM/dpkg style packages. That's not to say that packages are not relevant (I actually think they matter a lot!), but I think they should be less of a tool for deploying code but more one of building the objects to deploy.

Comments (188 posted)

Red Hat Enterprise Linux 9 released

On May 10, Red Hat announced the release of Red Hat Enterprise Linux 9 (RHEL 9). Not surprisingly, the announcement is rather buzzword-heavy and full of marketing, though there are some technical details scattered in it. The release notes for the RHEL 9 beta are available, which have a lot more information. "The platform will be generally available in the coming weeks."

Building on decades of relentless innovation, the latest version of the world’s leading enterprise Linux platform is the first production release built from CentOS Stream, the continuously delivered Linux distribution that tracks just ahead of Red Hat Enterprise Linux. This approach helps the broader Red Hat Enterprise Linux ecosystem, from partners to customers to independent users, provide feedback, code and feature updates to the world’s leading enterprise Linux platform.

Comments (21 posted)

Development

GCC 12.1 Released

The GCC project has made the first release of the GCC 12 series, GCC 12.1. As the announcement notes, this month is the 35th anniversary of the GCC 1.0 release. There are lots of changes and fixes in this release, including:

This release deprecates support for the STABS debugging format and introduces support for the CTF debugging format. The C and C++ frontends continue to advance with extending support for features in the upcoming C2X and C++23 standards and the C++ standard library improves support for the experimental C++20 and C++23 parts. The Fortran frontend now fully supports TS 29113 for interoperability with C.

[...] On the security side GCC can now initialize stack variables implicitly using -ftrivial-auto-var-init to help tracking down and mitigating uninitialized stack variable flaws. The C and C++ frontends now support __builtin_dynamic_object_size compatible with the clang extension. The x86 backend gained mitigations against straight line speculation with -mharden-sls. The experimental Static Analyzer gained uninitialized variable use detection and many other improvements.

Full Story (comments: 55)

McQueen: Evolving a GNOME strategy for 2022 and beyond

Robert McQueen describes some initiatives being taken by the GNOME Foundation to attract more users and developers to the platform.

There are many different threats to free access to computing and information in today’s world. The GNOME desktop and apps need to give users convenient and reliable access to technology which works similarly to the tools they already use everyday, but keeps them and their data safe from surveillance, censorship, filtering or just being completely cut off from the Internet. We believe that we can seek both philanthropic and grant funding for this work. It will make GNOME a more appealing and comprehensive offering for the many people who want to protect their privacy.

Comments (none posted)

The 2022 Python Language Summit (PSF blog)

Over on the Python Software Foundation (PSF) blog, Alex Waygood has a report from this year's Python Language Summit. There are reports from each of the nine sessions, including "Python without the GIL", "The 'Faster CPython' project: 3.12 and beyond", "F-Strings in the grammar", lightning talks, and more.

Comments (none posted)

Page editor: Jake Edge


Copyright © 2022, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds