lwn.net

LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.
URL: https://lwn.net
업데이트: 1시간 17분 지남
Security updates for Monday
Security updates have been issued by Debian (ca-certificates, flatpak, golang-1.7, golang-1.8, mupdf, pygments, and tiff), Fedora (containerd, golang-github-containerd-cri, mingw-gdk-pixbuf, mingw-glib2, mingw-jasper, mingw-python-jinja2, mingw-python-pillow, mingw-python3, python-django, python-pillow, and python2-pillow), Mageia (git, mediainfo, netty, python-django, and quartz), openSUSE (crmsh, git, glib2, kernel-firmware, openldap2, stunnel, and wpa_supplicant), Oracle (qemu), Red Hat (openvswitch2.11, openvswitch2.13, pki-core, rh-nodejs10-nodejs, rh-nodejs12-nodejs, rh-nodejs14-nodejs, and wpa_supplicant), Slackware (kernel), SUSE (apache2, crmsh, glib2, s390-tools, and slurm_20_11 and pdsh), and Ubuntu (python2.7, python3.7, python3.8).
Kernel prepatch 5.12-rc3
The third 5.12 kernel prepatch is out for
testing. "So rc3 is pretty big this time around, but that's entirely
artificial, and due to how I released rc2 early. So I'm not going to read
anything more into this, 5.12 still seems to actually be on the smaller
side overall."
[$] Lockless patterns: an introduction to compare-and-swap
In the first part of this series, I showed you the theory behind
concurrent memory models and how that theory can be applied to
simple loads and stores. However, loads and stores alone are not
a practical tool for the building of higher-level synchronization primitives
such as spinlocks, mutexes, and condition variables.
Even though it is possible to synchronize two threads using the
full memory-barrier pattern that was introduced last week (Dekker's
algorithm), modern processors provide a way that is
easier, more generic, and faster—yes, all three of them—the
compare-and-swap operation.
Security updates for Friday
Security updates have been issued by Debian (mupdf and pygments), Fedora (arm-none-eabi-newlib, nodejs, python3.10, and suricata), Mageia (ansible, ceph, firejail, glib2.0, gnuplot, libcaca, mumble, openssh, postgresql, python-cryptography, python-httplib2, python-yaml, roundcubemail, and ruby-mechanize), Scientific Linux (wpa_supplicant), Slackware (git), SUSE (crmsh, libsolv, libzypp, yast2-installation, zypper, openssl-1_0_0, python, and stunnel), and Ubuntu (pillow).
Asahi Linux progress report
The Asahi Linux project, which is working to build a distribution for
M1-based Apple systems, has published a
progress report for January and February. "Apple Silicon Macs
boot in a completely different way from PCs. The way they work is more akin
to embedded platforms (like Android phones, or, of course, iOS devices),
but with quite a few bespoke mechanisms thrown in. However, Apple has taken
a few steps to make this boot process feel closer to that of an Intel Mac,
so there has been a lot of confusion around how things actually work. For
example, did you know that Apple Silicon Macs cannot boot from external
storage at all, in the traditional sense? Or that the bootloader on Apple
Silicon Macs cannot show a graphical user interface at all, and that the
“Boot Picker” is in fact a full-screen macOS app, not part of the
bootloader?"
More stable kernels
[$] Creating an SSH honeypot
Many developers use SSH to access their systems, so it is not surprising
that SSH servers are widely attacked. During the FOSDEM 2021 conference,
Sanja Bonic and Janos Pasztor reported
on their experiment using containers as a way to easily create
SSH honeypots — fake servers that allow administrators to observe the actions of
attackers without risking a production system. The
conversational-style talk walked the audience through the process of
setting up an SSH server to play the role of the honeypot, showed what
SSH attacks look like, and gave a number of suggestions on how to
improve the security of SSH servers.
Security updates for Thursday
Security updates have been issued by Debian (zeromq3), Oracle (dotnet, dotnet3.1, python3, and wpa_supplicant), and Red Hat (wpa_supplicant).
[$] LWN.net Weekly Edition for March 11, 2021
The LWN.net Weekly Edition for March 11, 2021 is available.
[$] A vulnerability in Git
A potentially nasty vulnerability in the Git
distributed revision-control system was disclosed on March 9. There are enough
qualifiers in the description of the vulnerability that it may appear to be
fairly narrowly focused—and it is. That may make it less worrisome, but
it is not entirely clear. As with most vulnerabilities, it all depends on how
the software is being used and the environment in which it is running.
[$] Python exception groups
Exceptions in
Python are a mechanism used to report errors (of an
exceptional variety); programs can be and are written to expect and handle
certain types of exceptions using try and except. But
exceptions were originally meant to report a single error event and, these
days, things are a tad more complicated than that. A recent Python
Enhancement Proposal (PEP) targets adding exception groups, as well as new
syntax to catch and handle the groups.
Security updates for Wednesday
Security updates have been issued by Debian (kernel and privoxy), Fedora (libtpms, privoxy, and x11vnc), openSUSE (chromium), Red Hat (.NET 5.0, .NET Core, .NET Core 2.1, .NET Core 3.1, dotnet, and dotnet3.1), SUSE (git, kernel, openssl-1_1, and wpa_supplicant), and Ubuntu (git and openssh).
The Linux Foundation's "sigstore" project
The Linux Foundation has announced
a project called sigstore; its purpose is
to protect against supply-chain attacks by signing (and verifying) release
artifacts. "Very few open source projects cryptographically sign
software release artifacts. This is largely due to the challenges software
maintainers face on key management, key compromise / revocation and the
distribution of public keys and artifact digests. In turn, users are left
to seek out which keys to trust and learn steps needed to validate
signing. Further problems exist in how digests and public keys are
distributed, often stored on websites susceptible to hacks or a README file
situated on a public git repository. sigstore seeks to solve these issues
by utilization of short lived ephemeral keys with a trust root leveraged
from an open and auditable public transparency logs."
A Git security release
Several new versions of the Git source-code management system have been
released; they fix a vulnerability that could allow a hostile remote
repository to execute code locally during a clone operation.
Only users with case-insensitive filesystems are affected, reducing
the set of possible targets considerably, but an update still seems like a
good idea.
Linaro to release monthly GNU Toolchain integration builds
Linaro Ltd has announced the first GNU Toolchain integration build. "Every six months, Arm releases the official GNU Toolchain release for Arm architectures for the purpose of production. Linaro will bridge the gap between the official releases by delivering monthly integration builds which offer users a snapshot of the upstream build. Although not supported, having access to these builds will allow developers to test features from a pre-built binary as soon as it lands upstream. The builds will also enable companies to check their BSP (Board Support Package) release will work with newer toolchains without having to wait for an official release."
Three stable kernels
Security updates for Tuesday
Security updates have been issued by Fedora (firefox, kernel, kernel-headers, kernel-tools, libebml, and wpa_supplicant), openSUSE (mbedtls), Oracle (kernel, kernel-container, and screen), Red Hat (curl, kernel, kernel-rt, kpatch-patch, nss-softokn, python, and virt:rhel and virt-devel:rhel), Scientific Linux (screen), SUSE (389-ds, crmsh, openldap2, openssl-1_0_0, and wpa_supplicant), and Ubuntu (glib2.0, gnome-autoar, golang-1.10, golang-1.14, and libzstd).
[$] Linux 5.12's very bad, double ungood day
The -rc kernels released by Linus Torvalds exist for a reason: after 10,000
or so changes flow into the kernel over a two-week merge window, there will
surely be some bugs in need of squashing. The -rc kernels provide an
opportunity for wider testing after all those patches have been
integrated. Most of the time, -rc kernels (even the initial -rc1 releases)
are surprisingly safe to run. Occasionally, though, something goes wrong,
giving early testers reason to reconsider their life choices. The 5.12-rc1
kernel, as it turns out, was one of those.
Security updates for Monday
Security updates have been issued by Debian (activemq, libcaca, libupnp, mqtt-client, and xcftools), Fedora (ceph, mupdf, nagios, python-PyMuPDF, and zathura-pdf-mupdf), Mageia (cups, kernel, pngcheck, and python-pygments), openSUSE (bind, chromium, gnome-autoar, kernel, mbedtls, nodejs8, and thunderbird), and Red Hat (nodejs:10, nodejs:12, nodejs:14, screen, and virt:8.2 and virt-devel:8.2).
NGI POINTER offers funding for internet/web architects
The NGI POINTER organization, which
is funded by the European Commission, has put out its second open call
for providing development/research funding; the first open call
was in April 2020. This time around, the organization is looking for
individuals or projects that are working on "changing the Internet
and Web with European Values at its core". The goal is to
"support promising bottom-up projects that are able to build, on top
of state-of-the-art research, scalable protocols and tools to assist in the
practical transition or migration to new or updated technologies, whilst
keeping European Values at the core". Those interested may want to
look at some of the previously funded
projects; more information can also be found
in the Work
Programme [PDF].