Linux Foundation announces Open Source Security Foundation
20 hours ago, lwn

The Linux Foundation has announced the formation of the Open Source Security Foundation (OpenSSF). The foundation aims to improve the security of open source software. "The OpenSSF brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, ar...

[$] Some statistics from the 5.8 kernel cycle
22 hours ago, lwn

Linus Torvalds released the 5.8 kernel on August 2, concluding another nine-week development cycle. By the time the work was done, 16,306 non-merge changesets had been pulled into the mainline repository for this release. That happens to be a record, beating the previous record holder (4.9, released in December 2016) by 92 changesets. It was, in other words, a busy development cycle. It's time for our traditional look into where that work came from to see what might be learned....

Julia 1.5 has been released
23 hours ago, lwn

Version 1.5 of the Julia programming language has been released. On the Julia blog, Jeff Bezanson and Stefan Karpinski describe the highlights of the release, which includes struct layout improvements for decreasing heap allocations, stabilization of the multithreading API, faster random numbers, changes to the scoping rules in the read-eval-print loop (REPL), and more. "Julia excels at simulations, so random numbers are important to a lot of users of the language. For this release Rafael Four...

Debian 10.5 released
1 day ago, lwn

Debian 10 "buster" received a fifth update. In addition to the usual security and bug fixes, this point release addresses Debian Security Advisory: DSA-4735-1 grub2. This security update covers multiple CVE issues regarding the GRUB2 UEFI SecureBoot 'BootHole' vulnerability....

The 5.8 kernel is out
1 day ago, lwn

Linus has released the 5.8 kernel. "So I considered making an rc8 all the way to the last minute, but decided it's not just worth waiting another week when there aren't any big looming worries around." Headline features in this release include: branch target identification and shadow call stacks for the arm64 architecture, the BPF iterator mechanism, inline encryption support in the block layer, the CAP_PERFMON and CAP_BPF capabilities, a generalized kernel event-notification subsystem, the KCS...

[$] Netgpu and the hazards of proprietary kernel modules
3 days ago, lwn

On its face, the netgpu patch set appears to add a useful feature: the ability to copy network data directly between a network adapter and a GPU without moving it through the host CPU. This patch set has quickly become an example of how not to get work into the kernel, though; it has no chance of being merged in anything like its current form and has created a backlash designed to keep modules like it from ever working in mainline kernels. It all comes down to one fundamental mistake: basing k...

Stable kernels 5.7.12, 5.4.55, 4.19.136, 4.14.191, 4.9.232, and 4.4.232
3 days ago, lwn

Greg Kroah-Hartman has released the 5.7.12, 5.4.55, 4.19.136, 4.14.191, 4.9.232, and 4.4.232 stable kernels. As usual, these contain lots of important fixes throughout the tree; users should upgrade....

X.org security fixes address potential ASLR bypass, heap corruption
3 days ago, lwn

The X.Org project has announced two security advisories that impact Xserver and libX11. The first advisory for X server is regarding uninitialized memory in AllocatePixmap() that could lead to address space layout randomization bypass. The second, impacting libX11, is a heap corruption caused by integer overflows and signed/unsigned comparisons....

systemd 246 released
4 days ago, lwn

Systemd 246 has been released. There is an incredibly long list of new features, many of which have to do with support for encrypted and signed disk volumes. "Various command line parameters and configuration file settings that configure key or certificate files now optionally take paths to AF_UNIX sockets in the file system. If configured that way a stream connection is made to the socket and the required data read from it. This is a simple and natural ...

[$] Go filesystems and file embedding
5 days ago, lwn

The Go team has recently published several draft designs that propose changes to the language, standard library, and tooling: we covered the one on generics back in June. Last week, the Go team published two draft designs related to files: one for a new read-only filesystem interface, which specifies a minimal interface for filesystems, and a second design that proposes a standard way to embed files into Go binaries (by building on the filesystem interface). Embedding files into Go binaries is i...

Grub2 updates for Red Hat systems are making some unbootable
5 days ago, lwn

As reported in the comments on the Grub2 secure-boot vulnerabilities report, the updates for grub2 for RHEL 8 and CentOS 8 are making some systems unbootable. The boot problems are seemingly unrelated to whether the system has secure boot enabled. It may be worth waiting a bit for that to shake out....

[$] LWN.net Weekly Edition for July 30, 2020
5 days ago, lwn

The LWN.net Weekly Edition for July 30, 2020 is available....

[$] Open-source CNCing
5 days ago, lwn

Last year Sienci Labs finished its Kickstarter campaign for the open-source LongMill Benchtop CNC Router — its second successful open-source CNC machine Kickstarter campaign. CNC routers allow users to mill things (like parts) from raw materials (like a block of aluminum) based on a 3D-model. The LongMill is a significant improvement over the original sold-out Mill One and makes professional-quality machining based entirely on open-source technology a reality. As an owner of a LongMill, I will w...

A long list of GRUB2 secure-boot holes
5 days ago, lwn

Several vulnerabilities have been disclosed in the GRUB2 bootloader; they enable the circumvention of the UEFI secure boot mechanism and the persistent installation of hostile software. Fixing the problem is not just a matter of getting a new GRUB2 installation, unfortunately. "It is important to note that updating the exploitable binaries does not in fact mitigate the CVE, since an attacker could bring an old, exploitable, signed copy of a grub binary onto a system with whatever kernel they wi...

[$] A look at Dart
6 days ago, lwn

Dart is a BSD-licensed programming language from Google with a mature open-source community supporting the project. It works with multiple architectures, is capable of producing native machine-code binaries, and can also produce JavaScript versions of its applications. Dart version 1.0 was released in 2013, with the most recent version, 2.8, released on June 3 (2.9 is currently in public beta). Among the open-source projects using Dart is the cross-device user-interface (UI) toolkit Flutter. We ...

GNU nano 5.0 released
6 days ago, lwn

Version 5.0 of the GNU nano text editor is out; it contains a number of improvements to the editing experience. "With --indicator (or -q or 'set indicator') nano will show a kind of scrollbar on the righthand side of the screen to indicate where in the buffer the viewport is located and how much it covers."...

[$] Lockless algorithms for mere mortals
6 days ago, lwn

Time, as some have said, is nature's way of keeping everything from happening at once. In today's highly concurrent computers, though, time turns out not to be enough to keep events in order; that task falls to an extensive set of locking primitives and, below those, the formalized view of memory known as the Linux kernel memory model. It takes a special kind of mind to really understand the memory model, though; kernel developers lacking that particular superpower are likely to make mistakes ...

Firefox 79.0
1 week ago, lwn

Firefox 79.0 has been released. This version has improved accessibility for people using screen readers. See the release notes for more details....

[$] TLS gets a boost from Arduino for IoT devices
1 week ago, lwn

Arduino devices are a favorite among do-it-yourself (DIY) enthusiasts to create, among other things, Internet of Things (IoT) devices. We have previously covered the Espressif ESP8266 family of devices that can be programmed using the Arduino SDK, but the Arduino project itself also provides WiFi-enabled devices such as the Arduino MKR WiFi 1010 board. Recently, the Arduino Security Team raised the problem of security shortcomings of IoT devices in a post, and how the Arduino project is working ...

Historical programming-language groups disappearing from Google
1 week ago, lwn

As Alex McDonald notes in this support request, Google has recently banned the old Usenet groups comp.lang.forth and comp.lang.lisp from the Google Groups system. "Of specific concern is the archive. These are some of the oldest groups on Usenet, and the depth & breadth of the historical material that has just disappeared from the internet, on two seminal programming languages, is huge and highly damaging. These are the history and collective memories of two communities that are being expunged, ...
