Brief items
Security
Security quotes of the week
In this blog, we detail new vulnerabilities discovered in the Bosch Rexroth NXA015S-36V-B, a popular smart nutrunner (pneumatic torque wrench) used in automotive production lines. We demonstrate that these vulnerabilities could make it possible to implant ransomware on the device, which could be used to cause production line stoppages and potentially large-scale financial losses to asset owners. Another exploitation would allow the threat actor to hijack tightening programs while manipulating the onboard display, causing undetectable damage to the product being assembled or making it unsafe to use. Given that the NXA015S-36V-B is certified for safety-critical tasks, an attacker could compromise the safety of the assembled product by inducing suboptimal tightening, or cause damage to it due to excessive tightening.
— Nozomi Networks Labs lists, but does not detail, an eye-opening number of vulnerabilities in these devices
It's true that compromised computers are a real and terrifying problem. Your computer is privy to your most intimate secrets and an attacker who can turn it against you can harm you in untold ways. But the widespread redesign of our computers to treat us as their enemies gives rise to a range of completely predictable and – I would argue – even worse harms. Building computers that treat their owners as untrusted parties is a system that works well, but fails badly.
First of all, there are the ways that trusted computing is designed to hurt you. The most reliable way to enshittify something is to supply it over a computer that runs programs you can't alter, and that rats you out to third parties if you run counter-programs that disenshittify the service you're using. That's how we get inkjet printers that refuse to use perfectly good third-party ink and cars that refuse to accept perfectly good engine repairs if they are performed by third-party mechanics [...]
— Cory Doctorow
Kernel development
Kernel release status
The current development kernel is 6.8-rc1, released on January 21. Linus said:
So this wasn't the most pleasant merge window, but most of the unpleasantness was entirely unrelated to the code base and almost entirely related to nasty weather. Just a few technical hiccups. And after a very big 6.7 release, 6.8 looks to actually be smaller than average, although not really all that significantly so.
Stable updates: 6.7.1, 6.6.13, and 6.1.74 were released on January 20.
The 6.7.2, 6.6.14, 6.1.75, 5.15.148, 5.10.209, 5.4.268, and 4.19.148 stable updates are all in the review process; they are due at any time.
Quotes of the week
Death To List Heads! They're the perfect data structure for a 1995 era CPU. They leave 90% of your CPUs performance on the table if you bought your CPU in the last five years. If list heads make rust sad, then that's just one more reason to abolish them.
— Matthew Wilcox
The man I was then presented papers with benchmarks showing that ReiserFS was faster than ext2. The man I am now would start his papers crediting them for being faster than the filesystems of other operating systems, and thanking them for the years we used their filesystem to write ours. Not doing that was my first serious social mistake in the Linux community, and it was completely unnecessary.
— Hans Reiser writes from prison
Distributions
Clarifying Misunderstandings of Slowroll (openSUSE News)
The openSUSE News site has put up a brief article on how Slowroll fits into the spectrum of openSUSE distributions.
The idea behind Slowroll is to offer a distribution that improves stability without losing access to new features in the base packages such as the kernel, desktop environments and packaging. These slower update cycles allow for more extensive testing and validation of packages before their inclusion. Think of Slowroll as more of a skip than a Leap.
Development
Firefox 122.0 released
Version 122.0 of the Firefox browser is out. Changes include improved search suggestions, improvements to the in-browser translation feature, better line-breaking compatibility, and a shiny new .deb package.
Miscellaneous
SourceHut outage post-mortem
SourceHut has published a post-mortem of its outage earlier this month. The post-mortem covers the causes of the outage and what steps SourceHut took to mitigate it, ending by saying:
As unfortunate as these events were, we welcome opportunities to stress-test our emergency procedures; we found them to be compatible with our objectives for the alpha and we learned a lot of ways to improve our reliability further for the future. We are going to continue working on our post-incident tasks, building up our infrastructure’s resilience, reliability, and scalability as planned. Once we address the high-priority tasks, though, our first order of business in the immediate future will be to get some rest.
Villa: Will the new judicial ruling in the Vizio lawsuit strengthen the GPL?
Luis Villa writes about the recent ruling in the Software Freedom Conservancy's GPL-violation lawsuit against Vizio, wherein the judge refused to agree that the SFC lacks standing to sue.
In some sense, not much has changed: if you were obligated to comply with the GPL two weeks ago, you have the same obligations today. If you didn’t have obligations then, you don’t have them now.
What has changed is who can enforce those obligations. Two weeks ago, we mostly believed that enforcement could only come from the authors of the code. Those folks rarely had time, money, or interest for litigation, and they might also face a lot of pressure from their peers and employers to avoid litigation.
If this ruling holds up at the end of the case, the number of potential enforcers just went way up.
Dave Mills RIP
Internet pioneer and Network Time Protocol (NTP) inventor Dave Mills has died, as reported by Vint Cerf:
His daughter, Leigh, just sent me the news that Dave passed away peacefully on January 17, 2024. He was such an iconic element of the early Internet. Network Time Protocol, the Fuzzball routers of the early NSFNET, INARG taskforce lead, COMSAT Labs and University of Delaware and so much more.
More information about Mills can be found on his Wikipedia page.
Page editor: Jake Edge