
Security and Some FUD/Alarmist Slant


  • Reproducible Builds (diffoscope): diffoscope 154 released

    The diffoscope maintainers are pleased to announce the release of diffoscope version 154. This version includes the following changes:

    [ Chris Lamb ]

    * Add support for F2FS filesystems.
      (Closes: reproducible-builds/diffoscope#207)
    * Allow "--profile" as a synonym for "--profile=-".
    * Add an add_comment helper method so don't mess with our _comments list
      directly.
    * Add missing bullet point in a previous changelog entry.
    * Use "human-readable" over unhyphenated version.
    * Add a bit more debugging around launching guestfs.
    * Profile the launch of guestfs filesystems.
    * Correct adding a comment when we cannot extract a filesystem due to missing
      guestfs module.
    
  • BootHole fixes causing boot problems across multiple Linux distros

  • Red Hat Security Update Renders Systems Unbootable

    Update, shared by PAjamian: Red Hat is now recommending that users do not apply grub2, fwupd, fwupdate or shim updates until new packages are available.

  • Red Hat and CentOS systems aren’t booting due to BootHole patches

    Early this morning, an urgent bug showed up at Red Hat's bugzilla bug tracker—a user discovered that the RHSA-2020:3216 grub2 security update and RHSA-2020:3218 kernel security update rendered an RHEL 8.2 system unbootable. The bug was reported as reproducible on any clean minimal install of Red Hat Enterprise Linux 8.2.

  • Bug in widely used bootloader opens Windows, Linux devices to persistent compromise

    CVE-2020-10713, named “BootHole” by the researchers who discovered it, can be used to install persistent and stealthy bootkits or malicious bootloaders that will operate even when the Secure Boot protection mechanism is enabled and functioning.

    “The vulnerability affects systems using Secure Boot, even if they are not using GRUB2. Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected,” the researchers explained.

    “In addition, GRUB2 supports other operating systems, kernels and hypervisors such as Xen. The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority. Thus the majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special purpose equipment used in industrial, healthcare, financial and other industries. This vulnerability makes these devices susceptible to attackers such as the threat actors recently discovered using malicious UEFI bootloaders.”

    The researchers have done a good job explaining in detail the why, where and how of the vulnerability, and so did Kelly Shortridge, the VP of Product Management and Product Strategy at Capsule8. The problem effectively lies in the fact that a GRUB2 configuration file can be modified by attackers to make sure that their own malicious code runs before the OS is loaded.

  • Security updates for Friday

    Security updates have been issued by Debian (grub2 and mercurial), Fedora (chromium, firefox, and freerdp), Oracle (firefox and kernel), Red Hat (firefox), Scientific Linux (firefox, grub2, and kernel), and SUSE (ghostscript and targetcli-fb). 


  • Linux warning: TrickBot malware is now infecting your systems [Ed: "Linux warning" is alarmism because it does not do anything on its own, it's just exploiting already-compromised servers, e.g. weak password and misconfiguration]
  • Beware! TrickBot Malware Is Now Infecting Linux Devices

More in Tux Machines

Linux Foundation Broadens Relationship With Surveillance

  • Facebook joins The Linux Foundation as a platinum member

    Most web-based companies are built on Linux and open-source software. Two-billion member social network Facebook is no different. For years, Facebook has not only relied on open-source, it's been an active contributor to major open-source projects. These include the React JavaScript library; the Open Compute Project, which open sources data-center hardware; and Linux's cGroup2 container software. Now Facebook is joining The Linux Foundation membership at the Platinum level. [...] While Facebook has been criticized for how it deals with privacy and politics, it has impeccable open-source credentials. It was already the lead contributor of many Linux Foundation-hosted projects, such as Presto, GraphQL, Osquery, and ONNX. The company also employs many Linux kernel key developers and maintainers.

  • Amundsen Joins LF AI as New Incubation Project

    LF AI Foundation (LF AI), the organization building an ecosystem to sustain open source innovation in artificial intelligence (AI), machine learning (ML), and deep learning (DL), today is announcing Amundsen as its latest Incubation Project.

  • LF AI Accepts Amundsen as Incubation Project

    The Amundsen data discovery project has joined the LF AI as an incubation project. Amundsen is a data discovery and metadata engine aiming to improve the productivity of data analysts, data scientists and engineers by indexing data resources. “Think of it as Google search for data,” the LF AI announcement said.

Graphics: Mesa 20.2 RC2 and DXVK 1.7.1

  • mesa 20.2.0-rc2
    Hi list,
    
    Available today is mesa 20.2.0-rc2. This is the second release candidate for
    the 20.2 release. Currently our open to close ratio on blocking bugs is looking
    really good. This release is dominated by changes to radeonsi, radv, and aco,
    with a few additional changes sneaking in for freedreno, meson, etnaviv,
    st/mesa, anv, and a few utility fixes.
    
    Dylan
    
    
  • Mesa 20.2-RC2 Released With Many Fixes For RadeonSI + RADV Drivers

    The second weekly release candidate of the forthcoming Mesa 20.2 is now available for testing. Mesa 20.2 is aiming for release around the end of August or early September depending upon how the bug situation plays out. This quarterly feature release to Mesa3D brings many new Vulkan extensions, the RADV driver using ACO by default, initial support for Navi 2 GPUs, initial support for Intel Rocket Lake and DG1, OpenGL 4.3 for LLVMpipe, and much more as outlined in last week's article.

  • DXVK 1.7.1 Released With Many Game Fixes For Direct3D Over Vulkan

    It's been nearly three months without a new DXVK release for mapping Direct3D 9/10/11 atop the Vulkan API while finally today there is a big feature release out. DXVK 1.7.1 was released a few minutes ago as the first update since May. While the version number isn't significant, this version does have many changes.

  • Direct3D to Vulkan translation layer DXVK 1.7.1 is out, lots of game fixes

    After a few months since 1.7 went out, DXVK 1.7.1 is now live to further improve Direct3D to Vulkan translation. This is the project that helps to power Proton, the compatibility layer for Steam Play. This release adds support for newer Vulkan extensions, fixes bugs and has new GPU driver requirements. On the driver side, the VK_EXT_transform_feedback extension is now required which has been supported in drivers on Linux since late 2018 / early 2019. Specifically you will need at least NVIDIA 415.22 and for AMD / Intel it looks like Mesa 19 covers both.

Devices/Embedded: Raspberry Pi and Android Devices

  • Indoor air quality HAT for Raspberry Pi boasts high-res TVOC sensor

    Avnet’s $49.95 “Renesas ZMOD4410 Indoor Air Quality HAT for Raspberry Pi” can be used to measure volatile organic compounds, humidity, and temperature, as well as estimate carbon dioxide levels. Avnet has launched a Renesas ZMOD4410 Indoor Air Quality HAT for Raspberry Pi (AES-RHSEN-ZM44-G) that joins other indoor air quality measurement add-ons for the Pi including Metriful’s $44.50 Sense module and Pimoroni’s $57 Enviro+ pHAT. The ZMOD4410 HAT lacks some of the extras of those boards, but appears to offer a higher quality total volatile organic compound (TVOC) sensor with its Renesas ZMOD4410, which offers resolution ranging from parts-per-billion to parts-per-million.

  • Tiny module and dev kit run RT Linux on STM32MP1

    Exor’s 25.4 x 25.4mm, extended temp “NanoSOM nS02” module runs real-time Linux and its XPlatform industrial IoT software on a soldered, 800MHz STM32MP157 with up to 1GB DDR3L and 32GB eMMC. An “OpenHMI nS02” dev kit with 5-inch touchscreen is optional. Italian embedded technology firm Exor Embedded has launched a NanoSOM nS02 module that runs real-time Linux on the new 800MHz version of ST’s dual-core, Cortex-A7 based STM32MP157. As with the recent, Apollo Lake based, FPGA-enabled GigaSOM GS01 module, Exor announced the product with Arrow, which will be distributing the module and an OpenHMI nS02 Development Kit (see farther below).

  • Zidoo Z10 Pro & Z9X Realtek RTD1619DR 4K Android Media Players Launched for $229 and up

    We previously wrote about some upcoming Realtek RTD1619 media players targeting the videophile and audiophile crowd, and expected them to launch very soon with models from Zidoo and Dune HD. Zidoo has now launched two models with the awaited Zidoo Z9X and a new, higher-end Zidoo Z10 Pro which can be purchased on Aliexpress for respectively $229 and $349 with free shipping.

  • Snapdragon 626 Powered Rugged Tablet Comes with NFC, RFID and Barcode Readers

    Estone Technology has launched another rugged tablet with the UA-80, an IP-67 waterproof rated and MIL-STD-810G compliant rugged Android tablet powered by a Qualcomm Snapdragon 626 mobile platform driving an 8″ capacitive touchscreen display.

Python Programming

  • Announcing the new Jupyter Book

    Jupyter Book is an open source project for building beautiful, publication-quality books, websites, and documents from source material that contains computational content. With this post, we’re happy to announce that Jupyter Book has been re-written from the ground up, making it easier to install, faster to use, and able to create more complex publishing content in your books. It is now supported by the Executable Book Project, an open community that builds open source tools for interactive and executable documents in the Jupyter ecosystem and beyond.

  • Holdgraf: Announcing the new Jupyter Book

    On the Jupyter blog, Chris Holdgraf announces a rewrite of the Jupyter Book project. LWN looked at Jupyter and its interactive notebooks for Python and other languages back in 2018; Jupyter Book extends the notebook idea.

  • EuroPython 2020: Live Stream Recordings available

    We’re happy to announce the public availability of the live stream recordings from EuroPython 2020. They were already available to all conference attendees since the sprint days.

  • Learn Any Programming Language with This Learning Plan

    All it takes to master any programming language is the right learning plan. If you know anything about programming you should be aware that often you can’t tell whether what you are doing is wrong until it’s too late. That’s what makes programming a frustrating skill to master — long hours doing the wrong things. But hey, whether you want to make programming your full-time job or just a hobby, you can always make the learning curve less steep. The secret to getting it right with coding is this: have a learning plan! While the plan will not do the hard lifting for you, it will definitely provide the much-needed elbow grease to keep you grounded and focused as you learn programming.

  • Deploying Django to AWS ECS with Terraform

    In this tutorial, we'll look at how to deploy a Django app to AWS ECS with Terraform.

  • Matt Layman: Rendering Calendars - Building SaaS #68

    In this episode, I worked on rendering a calendar of important events in a school year. We built out the appropriate data structures, and I wrote some new model methods and added tests. On the last stream, I created a new model to track breaks in the school year. The app now shows the calendar for the school year, and I want to display the breaks on the calendar. Before digging too far into the code, I provided my thoughts about using Docker for development from a question that came from the chat.