Brief items
Security
A malicious Pidgin plugin
The developers of the Pidgin chat program have announced that a malicious plugin had been listed on its third-party plugins list for over one month. This plugin included a key logger and could capture screenshots.
It went unnoticed at the time that the plugin was not providing any source code and was only providing binaries for download. Going forward, we will be requiring that all plugins that we link to have an OSI Approved Open Source License and that some level of due diligence has been done to verify that the plugin is safe for users.
Garrett: What is an SBAT and why does everyone suddenly care
Matthew Garrett describes the role of the Secure Boot Advanced Targeting mechanism and how it played into the recent Windows upgrade problems.
So why is this suddenly relevant? SBAT was developed collaboratively between the Linux community and Microsoft, and Microsoft chose to push a Windows update that told systems not to trust versions of grub with a security generation below a certain level. This was because those versions of grub had genuine security vulnerabilities that would allow an attacker to compromise the Windows secure boot chain, and we've seen real world examples of malware wanting to do that.
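As an added illustration of the generation check Garrett describes (example code written here, not from his post or from the shim project): a toy parser for a binary's `.sbat` CSV section and a SbatLevel-style revocation policy that rejects any component whose generation is below the policy minimum. The component entries, vendor strings and policy values are constructed samples, not real revocation data.

```python
# Toy SBAT revocation check (added example; not shim's code).
# A binary's .sbat section is CSV:
#   component_name,component_generation,vendor_name,vendor_package,vendor_version,vendor_url
# The revocation policy (SbatLevel-style) is CSV: component_name,minimum_generation[,extra]
import csv
from io import StringIO


def parse_sbat_section(text: str) -> dict:
    """Map component name -> generation; only the first two columns matter for the check."""
    gens = {}
    for row in csv.reader(StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) < 2 or not row[1].isdigit():
            raise ValueError(f"malformed SBAT entry: {row!r}")
        gens[row[0]] = int(row[1])
    return gens


def sbat_allows(section: str, policy: str):
    """Return (allowed, reason) for a binary's .sbat section against a revocation policy.

    A binary without a 'sbat' entry is treated here as unversioned and refused
    (this example's choice, mirroring the point that pre-SBAT binaries cannot be targeted).
    """
    gens = parse_sbat_section(section)
    if "sbat" not in gens:
        return False, "no sbat entry: binary predates SBAT"
    for component, minimum in parse_sbat_section(policy).items():
        have = gens.get(component)
        if have is not None and have < minimum:
            return False, f"{component} generation {have} < required {minimum}"
    return True, "all components at or above policy generations"


# Constructed sample data: an "old" grub at generation 3 and a rebuilt one at 4.
OLD_GRUB = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.example,1,Example Vendor,grub2,2.06-1,https://example.invalid/grub\n"
)
FIXED_GRUB = OLD_GRUB.replace("grub,3,", "grub,4,")
# Constructed policy: revoke every grub whose 'grub' generation is below 4.
POLICY = "sbat,1,2024010900\ngrub,4\n"

if __name__ == "__main__":
    print("old grub:", sbat_allows(OLD_GRUB, POLICY))      # (False, 'grub generation 3 < required 4')
    print("fixed grub:", sbat_allows(FIXED_GRUB, POLICY))  # (True, ...)
```

The same comparison is what makes a revocation "cheap": bumping the policy's `grub` minimum invalidates every older build at once without listing individual hashes.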
Security quote of the week
Telegram clearly fails to meet this stronger definition for a simple reason: it does not end-to-end encrypt conversations by default. If you want to use end-to-end encryption in Telegram, you must manually activate an optional end-to-end encryption feature called “Secret Chats” for every single private conversation you want to have. The feature is explicitly not turned on for the vast majority of conversations, and is only available for one-on-one conversations, and never for group chats with more than two people in them.
[...]
At the same time, Telegram CEO Pavel Durov has continued to aggressively market Telegram as a "secure messenger." Most recently he issued a scathing criticism of Signal and WhatsApp on his personal Telegram channel, implying that those systems were backdoored by the US government, and only Telegram’s independent encryption protocols were really trustworthy.
While this might be a reasonable nerd-argument if it was taking place between two platforms that both supported default end-to-end encryption, Telegram really has no legs to stand on in this particular discussion. Indeed, it no longer feels amusing to see the Telegram organization urge people away from default-encrypted messengers, while refusing to implement essential features that would widely encrypt their own users' messages. In fact, it's starting to feel a bit malicious.
Kernel development
Kernel release status
The current development kernel is 6.11-rc5, released on August 25. "Other than the timing, there's not a whole lot unusual here. The diffstat looks fairly flat, which means 'mostly pretty small changes'." Linus Torvalds added a note that today marks the 33rd anniversary of the first Linux announcement; "A third of a century. And it *still* isn't ready".
Stable updates: none have been released in the last week. The 6.10.7, 6.6.48, and 6.1.107 updates are in the review process; they are due on August 29.
Quote of the week
Greg KH, with kernel builds quite slow
Found his builder was stuck in the snow.
Konstantin did fix
With API tricks
But Debian 11's still a no-go.
— Konstantin Ryabitsev (with LLM help)
Distributions
Call for nominations: Ubuntu Community Council
Nominations are now open for people interested in joining the Ubuntu Community Council, "the highest governance body of the Ubuntu project". Any Ubuntu Member can apply from now until Sunday, September 22 at 23:59 UTC.
The Ubuntu project turned 20 this year, but is still in constant flux. The advent of new communication platforms, new projects under our umbrella, and the ever-growing popularity of the project requires our community to evolve. We need to make sure Ubuntu is set to tackle the challenges of the next 20 years. It needs a strong and active community council to guide the project forwards.
See Merlijn Sebrechts's blog post, "A year in the Ubuntu community council", for an overview of what it's like to serve on the council.
Sovereign Tech Fund (STF) to invest in FreeBSD infrastructure modernization
The FreeBSD Foundation has announced that Germany's Sovereign Tech Fund (STF) has agreed to invest €686,400 toward improvements in the FreeBSD project's infrastructure, security, regulatory compliance, and developer experience:
The work commissioned by STF also aligns closely with the recent August 9, 2024 summary report released by the U.S. Office of the National Cyber Director (ONCD), consolidating feedback from the 2023 request for information on key priorities for securing the open source software ecosystem. By enhancing security controls and SBOM tooling, the FreeBSD Foundation is helping to keep FreeBSD at the forefront of improved vulnerability disclosure mechanisms and secure software foundations.
Distributions quote of the week
With this commit, we have completed an amusing mission of replacing the final parts of the original OpenBSD.
We have reached OpenBSD of Theseus.
Development
Calligra Office 4.0 released
KDE developer Carl Schwan has announced the release of Calligra Office version 4.0. The most significant changes in this release include a "major overhaul" of the office suite's user interface, and a transition to Qt 6 and KDE Frameworks 6.
Forgejo changes license to GPLv3+
The Forgejo project has announced that, starting from version 9.0, Forgejo will be released under the GPLv3 license (or a later version). Older versions of the software forge remain MIT-licensed.
A copyleft license makes reusing other copyleft software easier. Recently, we discovered that some of the dependencies we used were incompatible with the license Forgejo was distributed with, and they had to be removed for now. Choosing copyleft licenses enables us to reuse more work, and saves us precious time to focus on improving Forgejo itself.
LibreOffice 24.8 released
Version 24.8 of the LibreOffice office suite has been released. Changes include the ability to filter identifying information from exported files, easier creation of cross references, better control over hyphenation, a number of new spreadsheet functions, accessibility improvements, and more.
WineHQ to take over Mono
The Mono project was started in 2001 to develop a .NET environment for Linux systems. Microsoft has owned that project since 2016, but has not made a major release since 2019. The company has now announced that Mono is being handed over to the WineHQ organization, which will maintain the repository going forward. Microsoft, meanwhile, is steering users toward its "modern fork" that it continues to maintain.
Page editor: Daroc Alden