
Security: Patches, CVE Prioritisation, Oracle and Debian LTS

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (e2fsprogs, ruby2.1, and weechat), Fedora (java-1.8.0-openjdk and webkit2gtk3), openSUSE (apache2-mod_auth_openidc, glibc, mcpp, nghttp2, and skopeo), Oracle (libvncserver and thunderbird), and SUSE (keepalived).

  • Securing open source through CVE prioritisation

    According to a recent study, 96% of applications in the enterprise market use open-source software. As the open-source landscape becomes more and more fragmented, the task to assess the impact of potential security vulnerabilities for an organisation can become overwhelming. Ubuntu is known as one of the most secure operating systems, but why? Ubuntu is a leader in security because, every day, the Ubuntu Security team is fixing and releasing updated software packages for known vulnerabilities. It is a continuous 24/7 effort. In fact, on average, the team is providing more than 3 updates each day, and the most vital updates are prepared, tested and released within 24 hours. To achieve that result, Canonical designed a robust process to review, prioritise and fix the most crucial software vulnerabilities first. Software vulnerabilities are tracked as part of the Common Vulnerabilities and Exposures (CVE) system, and almost all security updates published by the Ubuntu Security team (via Ubuntu Security Notices – USNs) are in response to a given public CVE.

  • Oracle Engineers Send Out Linux Patches For Trenchboot Secure Late-Launch Kernel Support

    Going back over a year ago, there were discussions by Oracle engineers and others about a secure launch boot protocol for the Linux kernel to in turn tie into the Trenchboot open-source project working on various system integrity features. We are now finally seeing new patches out of Oracle for wiring more Trenchboot support into the Linux kernel.

  • Freexian’s report about Debian Long Term Support, February 2020

    Like each month, here comes a report about the work of paid contributors to Debian LTS.

More in Tux Machines

Openwashing and SUSE

Debian: ledger2beancount, Reproducible Builds and Debian Project Leader Race

  • Martin Michlmayr: ledger2beancount 2.1 released

    I released version 2.1 of ledger2beancount, a ledger to beancount converter.

  • Reproducible Builds in March 2020

    Welcome to the March 2020 report from the Reproducible Builds project. In our reports we outline the most important things that we have been up to over the past month and some plans for the future.

  • Jonathan Carter: Free Software Activities for 2020-03

    On the 12th of March, I posted my self-nomination for the Debian Project Leader election. This is the second time I’m running for DPL, and you can read my platform here. The campaign period covered the second half of the month, where I answered a bunch of questions on the debian-vote list. The voting period is currently open and ends on 18 April. [...] At DebConf19 I wanted to ramp up the efforts to make a Debian PeerTube instance a reality. I spoke to many people about this and discovered that some Debianites are already making all kinds of Debian videos in many different languages. Some were even distributing them locally on DVD and have never uploaded them. I thought that the Debian PeerTube instance could not only be a good platform for DebConf videos, but it could be a good home for many free software content creators, especially if they create Debian-specific content. I spoke to Rhonda about it, who’s generally interested in the Fediverse and wanted to host instances of Pleroma (microblogging service) and PixelFed (free image hosting service that resembles the Instagram site), but needed a place to host them. We decided to combine efforts, and since a very large amount of fediverse services end with .social in their domain names, we ended up calling this project Debian Social. We’re also hosting some non-fediverse services like a WordPress multisite and a Jitsi instance for video chatting.

Programming: Perl and More

  • 2020.14 More perspectives

    Andrew Shitov has even been more busy than the past weeks. Apart from adding more and more views to the Covid-19 Observer, so many that there’s now an impressive “What’s new” page. But Andrew didn’t stop at that: an article on Perl.com titled “Observing Coronavirus Pandemic with Raku” (/r/perl comments) explains to the readers how some of the unique features of Raku were applied in processing all of the data. And in the meantime Andrew still found time to publish Chapter 7 of their compiler book.

  • Dancer2 0.300001 Released

    On behalf of the Dancer Core Team, I’d like to announce the availability of Dancer2 0.300001. This maintenance release brings a revamped tutorial, fixing of a YAML-related regression, repair of an encoding bug, and a slew of documentation fixes.

  • Perl Weekly Challenge 054: Kth Permutation Sequence + Collatz Conjecture
  • You Need To Stop Using HTML Email

    We need to change this norm from the ground up as a grass roots effort. We'll never convince Gmail and others to automatically display emails in plain text for all users. Nor will we convince companies to stop sending HTML emails to their clients. The only way is to start sending plain text emails and setting up our email programs to only display our received emails as plain text.

    As more and more people do this the companies will begin to follow suit due to the increasing number of people being unable to easily read their messages.

    It's also our duty as good email users to only ever send emails as plain text because we cannot always be sure that the receiver of our emails is using a program that will render out all the HTML instead of displaying it as a webpage.

    Keep in mind that by plain text I don't mean you should not encrypt your emails. If you need to encrypt them then please do; PGP and GPG work very well. When sending an encrypted message: type up your message, encrypt it, and then paste the encrypted output into the email as plain text.

  • Safer SSH agent forwarding

    As mentioned, a better alternative is to use the jump host feature: the SSH connection to the target host is tunneled through the SSH connection to the jump host. See the manual page and this blog post for more details.

    If you really need to use SSH agent forwarding, you can secure it a bit through a dedicated agent with two main attributes:

      • it holds only the private key to connect to the target host, and
      • it asks confirmation for each requested signature.
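    As an added illustration (not code from the post quoted above), a POSIX shell script that writes the ProxyJump configuration the post prefers and, only as a fallback, runs a throw-away agent holding a single key added with confirmation; the host names jumphost/target and the key path ~/.ssh/id_target are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names:
# jump host "jumphost", final host "target", key ~/.ssh/id_target.
set -eu

# Preferred option from the post: tunnel through the jump host with
# ProxyJump, so no agent socket is ever exposed on the jump host.
jump_config() {
  cat <<'EOF'
Host target
    HostName target.internal.example
    ProxyJump jumphost
    ForwardAgent no
EOF
}

# Fallback when forwarding is unavoidable: a throw-away agent that
# holds only the target key. -c makes every signature request need
# confirmation, which ssh-agent obtains through SSH_ASKPASS.
ssh_with_dedicated_agent() {
  key="$1"; shift
  eval "$(ssh-agent -s)" >/dev/null     # sets SSH_AUTH_SOCK, SSH_AGENT_PID
  trap 'ssh-agent -k >/dev/null' EXIT   # the agent dies with this script
  ssh-add -c "$key"                     # the only identity it will ever hold
  ssh -o ForwardAgent=yes "$@"
}

# Small check usable without ssh installed: does a config text turn on
# agent forwarding anywhere?
config_forwards_agent() {
  printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]]+yes'
}

if [ "${1:-}" = "run" ]; then
  ssh_with_dedicated_agent "$HOME/.ssh/id_target" jumphost
fi
```

    Run it with the single argument run to start the confirming agent and open the session; without arguments it only defines the functions.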

  • LLVM's Flang/F18 Fortran Compiler Might Be Back On Track For Merging Soon

    Since the "f18" open-source Fortran compiler front-end was approved last year for merging as the newest LLVM sub-project and using the Flang name, there have been a number of false starts in getting the code merged. This year alone Flang had multiple delays and cancelled merge plans as the developers worked to get the code ready for upstream. Now though it looks like it could be ready to cross that long sought after milestone for having an in-tree Fortran front-end. Richard Barton announced today that the team now believes F18 is ready to be merged. There are still some open items being worked on, but they should be easily resolved after the F18 code is within the tree as the new "Flang" compiler.

  • A Telegram bot in Haskell on Amazon Lambda

    So instead of adding layers and complexities, can I solve this instead by making things simpler? If I compile my bootstrap into a static Linux binary, it should run on any Linux, including Amazon Linux. [...] I am mostly happy with this setup: My game is now available to more people in more ways. I don’t have to maintain any infrastructure. When nobody is using this bot no resources are wasted, and the costs of the service are negligible -- this is unlikely to go beyond the free tier, and even if it would, the cost per generated image is roughly USD 0.000021. There is one slight disappointment, though. What I find most interesting about Kaleidogen from a technical point of view is that when you play it in the browser, the images are not generated by my code. Instead, my code creates a WebGL shader program on the fly, and that program generates the image on your graphics card.

  • Cambridge Computing Education Research Symposium – recap of our online event
  • Digital Making at Home: Storytelling with code

Linux 5.6 I/O Scheduler Benchmarks: None, Kyber, BFQ, MQ-Deadline

While some Linux distributions are still using MQ-Deadline or Kyber by default for NVMe SSD storage, using no I/O scheduler still tends to perform the best overall for this speedy storage medium. Curious about the current state of the I/O schedulers with the newly-minted Linux 5.6 kernel, here are benchmarks of no I/O scheduler against MQ-Deadline, Kyber, BFQ, and BFQ low-latency. This round of tests was done on the high performance Corsair Force MP600 1TB PCIe 4.0 NVMe SSD while similar tests are still being conducted on SATA SSDs and HDDs off Linux 5.6.