
Brief items

Security

First handset with MTE on the market (Project Zero)

The Google Project Zero blog celebrates the launch of the Pixel 8 handset, the first to make use of Arm's Memory Tagging Extension (MTE). Linux has supported MTE since the 5.10 release in 2020, but that support has only now shown up (in experimental form) in an available handset.

I think this is a huge improvement for the general security of the device - many zero-click attack surfaces involve large amounts of unsafe C/C++ code, whether that's WebRTC for calling, or one of the many media or image file parsing libraries. MTE is not a silver bullet for memory safety - but the release of the first production device with the ability to run almost all user-mode applications with synchronous-MTE is a huge step forward, and something that's worth celebrating!

The post includes detailed instructions for turning MTE on.
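To make the mechanism behind the announcement concrete, here is a small software model of MTE's tag-check semantics. It is an added example, not code from Project Zero, Google, the Pixel 8 or the Linux kernel, and it does not use the hardware extension: it reproduces the 16-byte granule, the 4-bit tag carried in pointer bits 59:56, and the synchronous check on every access over a tiny static heap so it runs anywhere. It also shows two of the limits behind the "not a silver bullet" caveat: an overflow that stays inside the last granule of an object goes undetected, and a wild pointer into an unrelated block matches by chance about one time in sixteen. The heap size, the fixed xorshift seed and the bump allocator are assumptions of the model.

```c
/* Software model of Arm MTE tag checking. Added example: not Project Zero, Pixel
 * or Linux kernel code, and it uses no MTE hardware. Real MTE keeps a 4-bit tag
 * per 16-byte granule and a matching tag in pointer bits 59:56; each load/store
 * compares the two and, in synchronous mode, faults (SIGSEGV/SEGV_MTESERR) before
 * the access. Heap size, seed and the bump allocator are model assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRANULE   16
#define NGRANULES 64                          /* 1 KiB modelled tagged heap */
#define TAG_SHIFT 56
#define TAG_MASK  ((uint64_t)0xf << TAG_SHIFT)
typedef uint64_t tptr;                        /* tagged pointer: tag | heap offset */
enum { MTE_OK = 0, MTE_TAG_FAULT = 1, MTE_OUT_OF_HEAP = 2 };

static uint8_t  heap[NGRANULES * GRANULE];
static uint8_t  granule_tag[NGRANULES];       /* allocation tags (hardware-held on MTE) */
static size_t   next_granule;                 /* bump allocator state */
static uint32_t rng = 0x1234567u;             /* fixed seed; hardware uses IRG */

/* xorshift32 tag that is never `exclude` (IRG honours an exclusion mask too). */
static uint8_t random_tag(uint8_t exclude)
{
    do { rng ^= rng << 13; rng ^= rng >> 17; rng ^= rng << 5; } while ((rng & 0xf) == exclude);
    return rng & 0xf;
}
static tptr    mk(size_t off, uint8_t tag) { return ((uint64_t)tag << TAG_SHIFT) | off; }
static size_t  off_of(tptr p) { return (size_t)(p & ~TAG_MASK); }
static uint8_t tag_of(tptr p) { return (uint8_t)((p & TAG_MASK) >> TAG_SHIFT); }

/* Round up to granules, pick a tag unlike the granule before the block (so a
 * linear overflow always mismatches), tag the block, return a matching pointer. */
tptr mte_malloc(size_t size)
{
    size_t n = size ? (size + GRANULE - 1) / GRANULE : 1;
    if (next_granule + n > NGRANULES) return (tptr)~0ull;      /* model heap exhausted */
    uint8_t tag = random_tag(next_granule ? granule_tag[next_granule - 1] : 0xff);
    for (size_t g = next_granule; g < next_granule + n; g++) granule_tag[g] = tag;
    tptr p = mk(next_granule * GRANULE, tag);
    next_granule += n;
    return p;
}
/* Retag the freed block so the caller's stale pointer no longer matches. */
void mte_free(tptr p, size_t size)
{
    size_t g0 = off_of(p) / GRANULE, n = size ? (size + GRANULE - 1) / GRANULE : 1;
    uint8_t fresh = random_tag(tag_of(p));
    for (size_t g = g0; g < g0 + n && g < NGRANULES; g++) granule_tag[g] = fresh;
}
/* The synchronous check: every granule touched must carry the pointer's tag. */
int mte_check(tptr p, size_t len)
{
    size_t off = off_of(p);
    if (len == 0 || off + len > sizeof heap) return MTE_OUT_OF_HEAP;
    for (size_t g = off / GRANULE; g <= (off + len - 1) / GRANULE; g++)
        if (granule_tag[g] != tag_of(p)) return MTE_TAG_FAULT;
    return MTE_OK;
}
/* A byte store through a tagged pointer; p + idx leaves the tag bits intact. */
int mte_store8(tptr p, size_t idx, uint8_t v)
{
    int rc = mte_check(p + idx, 1);
    if (rc == MTE_OK) heap[off_of(p) + idx] = v;
    return rc;
}

/* Overflow from a 24-byte object (2 granules): idx 24..31 is slack in its last
 * granule and is NOT detected; idx >= 32 hits the neighbour's tag and faults. */
int demo_overflow(size_t idx)
{
    next_granule = 0;
    tptr a = mte_malloc(24);
    mte_malloc(16);                           /* the neighbour block */
    return mte_store8(a, idx, 0x41);
}
/* Use after free: the block was retagged on free, so the stale pointer faults. */
int demo_use_after_free(void)
{
    next_granule = 0;
    tptr a = mte_malloc(16);
    mte_free(a, 16);
    return mte_store8(a, 0, 0x42);
}
/* Caveat: only 16 tags exist, so a wild pointer into an unrelated block matches
 * by chance about once in sixteen. Forge a's tag onto c's address and count misses. */
int demo_wild_pointer_misses(int trials)
{
    int missed = 0;
    for (int i = 0; i < trials; i++) {
        next_granule = 0;
        tptr a = mte_malloc(16), b = mte_malloc(16), c = mte_malloc(16);  /* b separates a, c */
        (void)b;
        if (mte_store8(mk(off_of(c), tag_of(a)), 0, 0) == MTE_OK) missed++;
    }
    return missed;
}

int main(void)
{
    printf("overflow idx 24 -> %d (0 = MTE_OK, undetected slack); idx 32 -> %d (1 = MTE_TAG_FAULT)\n",
           demo_overflow(24), demo_overflow(32));
    printf("use after free -> %d; wild pointers missed: %d of 256\n",
           demo_use_after_free(), demo_wild_pointer_misses(256));
    return 0;
}
```

On real hardware the same checks are done by the CPU: a process opts in with prctl(PR_SET_TAGGED_ADDR_CTRL, ...) using PR_MTE_TCF_SYNC for the synchronous mode the post refers to, maps its heap with PROT_MTE, and lets the allocator tag granules with IRG/STG, as described in the kernel's arm64 memory-tagging documentation. The two misses the model makes visible (intra-granule slack and 1-in-16 tag collisions) are exactly why MTE hardens code that is still written in unsafe C/C++ without making it memory safe.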

Comments (23 posted)

Sponsorship for the Openwall lists

Alexander "Solar Designer" Peslyak, the longtime maintainer of the oss-security and linux-distros mailing lists, has announced that this work has gained a sponsor:

After 15+ years of being a 100% volunteer effort, Openwall's maintenance of oss-security and (linux-)distros is finally sponsored by the OpenSSF, a project of the Linux Foundation. This sponsorship does not provide the Linux Foundation with the ability to set policies for community resources managed by Openwall. I am grateful for the support, which will help ensure continued operation of these resources on a new level while retaining independence.

As part of this arrangement, Peslyak is now producing statistics on vulnerability handling; the first set for 2023 has been posted.

Comments (none posted)

Security quotes of the week

The Worm incident generated conflicting signals about the propriety of hacking into other people's systems and writing malware. Some people who knew the Worm's author rose to his defense, claiming he was demonstrating security problems and not doing anything wrong. Malware authors and system attackers commonly made that same claim in the decades following, with mixed responses from the community. It still colors the thinking of many in the field, justifying some very dubious behavior as somehow justified by results. Although there is nuance in some discussions, the grey areas around pen testing, companies selling spyware, and "ethical" hacking still enable plausible explanations for bad behavior.
Gene Spafford reflects on the 35th anniversary of the Morris worm (worth reading in full)

To ensure that cloud services do not learn more than they should, and that a breach of one does not pose a fundamental threat to our data, we need two types of decoupling. The first is organizational decoupling: dividing private information among organizations such that none knows the totality of what is going on. The second is functional decoupling: splitting information among layers of software. Identifiers used to authenticate users, for example, should be kept separate from identifiers used to connect their devices to the network.

In designing decoupled systems, cloud providers should be considered potential threats, whether due to malice, negligence, or greed. To verify that decoupling has been done right, we can learn from how we think about encryption: you've encrypted properly if you're comfortable sending your message with your adversary's communications system. Similarly, you've decoupled properly if you're comfortable using cloud services that have been split across a noncolluding group of adversaries.

Bruce Schneier and Barath Raghavan

Comments (none posted)

Kernel development

Kernel release status

The 6.7 merge window remains open; it can be expected to close on November 12.

Stable updates: 6.5.10 and 6.1.61 were released on November 2, followed by 6.6.1, 6.5.11, 6.1.62, 5.15.138, 5.10.200, 5.4.260, 4.19.298, and 4.14.329 on November 8.

Comments (none posted)

The 2023 TAB election deadline is approaching

The reminder has gone out: the deadline for nominations for the Linux Foundation Technical Advisory Board is November 13. If you are interested in representing the kernel community on the TAB, now is the time to put together a self-nomination and get onto the ballot.

Comments (none posted)

Quote of the week

I guess that my traditional reply would be that if you are properly confused by all this, that just means that you were reading carefully.
Paul McKenney

Comments (none posted)

Distributions

Fedora 39 released

Fedora 39 has been released, one day after the Fedora project's 20th anniversary. See the list of approved changes and this Fedora Magazine article for more information.

As always, we’ve updated many, many other packages as we work to bring you the best of everything the free and open source software world has to offer. Fedora Linux 39 includes gcc 13.2, binutils 2.40, glibc 2.38, gdb 13.2, and rpm 4.19. It also has updates to popular programming language stacks, including Python 3.12 and Rust 1.73.

Comments (6 posted)

OpenELA's first code drop

The Open Enterprise Linux Association, a joint venture founded by CIQ, Oracle, and SUSE, has announced its first code release.

OpenELA is excited to announce that the source code for all packages necessary for anyone to build a derivative Enterprise Linux operating system is now available. The initial focus is on EL8 and EL9, and packages for EL7 are forthcoming. The project is committed to ensuring the continued availability of EL sources to the community indefinitely.

The organization has also announced a technical steering committee made up of "highly experienced individuals from the founding companies".

Comments (57 posted)

Canonical reveals more details about Ubuntu Core Desktop (Register)

The Register attended a talk about Ubuntu's upcoming Core Desktop immutable distribution.

We suspect that Core Desktop might yet be the tool that validates Canonical's Snap format and helps to overcome some of the resistance it faces. Snap's single-file distribution format is simple and enables transactional installation – including, critically, rollback – without a fancy filesystem underneath, or elaborate distribution methods such as libostree.

Comments (26 posted)

Development

Gawk 5.3.0 released

The GNU awk text-processing utility, gawk, has released version 5.3.0. The main new features improve compatibility with "The One True Awk" (also known as "BWK awk"): version 5.3.0 adds CSV (comma-separated values) parsing and the ability to use \u escape sequences for Unicode code points. Read on for other changes in the release.

Full Story (comments: 1)

Evans: Confusing git terminology

Julia Evans has posted a list of confusing Git terms and behavior along with explanations of what is actually going on.

“Your branch is up to date with ‘origin/main’”

This message seems straightforward – it’s saying that your main branch is up to date with the origin!

But it’s actually a little misleading. You might think that this means that your main branch is up to date. It doesn’t. What it actually means is – if you last ran git fetch or git pull 5 days ago, then your main branch is up to date with all the changes as of 5 days ago.

So if you don’t realize that, it can give you a false sense of security.

Comments (76 posted)

Home Assistant 2023.11 released

Home Assistant 2023.11 is available. New features include a to-do list manager, Matter 1.2 support, customizable tile cards, new integrations, and more. (LWN looked at Home Assistant last month).

Comments (2 posted)

Chamberlain v. Home Assistant

The developers of Home Assistant, which has recently been covered here, have announced that they will be removing support for Chamberlain and Liftmaster garage-door openers after being locked out by the company.

Because we cannot continue to work around Chamberlain Group if they keep blocking access to third parties, the MyQ integration will be removed from Home Assistant in the upcoming 2023.12 release on December 6, 2023. We are very disappointed that it has come to this and sincerely hope that Chamberlain Group is willing to reconsider its position.

Longtime readers may remember that Chamberlain tried to use the DMCA to block the use of third-party remotes nearly 20 years ago.

Comments (29 posted)

Page editor: Jake Edge


Copyright © 2023, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds