Language Selection

English French German Italian Portuguese Spanish

Gentoo

Calculate Linux 18 released

Filed under
Gentoo

We are happy to announce the release of Calculate Linux 18!

In this latest version, Calculate Utilities were ported to Qt5, your network is managed in a different way, and binary packages get checked using their index signature.

Calculate Linux Desktop featuring KDE (CLD), Cinnamon (CLDC), Mate (CLDM), or Xfce (CLDX) environments, Calculate Linux Scratch (CLS), Calculate Directory Server (CDS) and Calculate Scratch Server (CSS) are available for download.

Read more

CLIP OS, Like Chrome OS, is Based on Gentoo

Filed under
Gentoo

ANSSI, the National Cybersecurity Agency of France, has released the sources of CLIP OS, that aims to build a hardened, multi-level operating system, based on the Linux kernel and a lot of free and open source software. We are happy to hear that it is based on Gentoo Hardened!

Read more

A brief discussion about package installation times in Gentoo Linux

Filed under
Gentoo

I thought that perhaps users of binary-based Linux distributions who are contemplating trying out the source-based distribution Gentoo Linux might be interested to know a bit about installation times in contrast to binary distributions. I am not going to go into great detail here; this is just to give interested people a quick idea of possible package installation times in Gentoo Linux.

The package manager of a binary-based distribution such as Ubuntu downloads and installs binary (i.e. pre-built) packages. On the other hand, Gentoo’s package manager Portage downloads source-code packages and builds the binaries (executables) on your machine. Nevertheless, a small number of Portage packages contain binaries rather than source code, either because the source code could take many hours to build on older hardware or because the source code is simply not available in the public domain. An example of the first scenario is Firefox, which is available in Gentoo both as the source code package www-client/firefox and as the binary package www-client/firefox-bin so that the user can choose which to install (‘merge’, in Gentoo parlance). An example of the second scenario is TeamViewer, which is only available as the binary package net-misc/teamviewer because TeamViewer is closed-source software (i.e. the company that develops TeamViewer does not release its source code).

Read more

Security Issues at Gentoo Narrowed Down to Crappy Password

Filed under
Gentoo
Security
  • Linux experts are crap at passwords!

    Fortunately, Gentoo’s GitHub respository wasn’t the primary source for Gentoo code, and few, if any, Gentoo users were relying on it for software updates.

  • Gentoo publishes detailed report after its GitHub was compromised

    You may have seen the news towards the end of June that Gentoo, a fairly advanced Linux distribution, had its GitHub repository compromised after an attacker managed to gain access to one of the connected accounts. Now, Gentoo has published a comprehensive report about the incident and it turns out that the gaff was due to not following rudimentary security tips.

  • Weak Admin Password Caused Compromise of Gentoo GitHub repository

    Gentoo have finished their investigation of the hack that affected their project last week on GitHub. The point of vulnerability has turned out to be a weak Administrator password. upon compromise the hackers added the Linux killer command “rm -rf /” so when users cloned the project to their computers all their data will be erased.

Microsoft, the NSA, and GitHub

Filed under
Gentoo
Microsoft
Security
  • Gentoo hacker's code changes unlikely to have worked

    Linux distribution Gentoo's maintainers say attempts by attackers last week to sabotage code stored on Github is unlikely to have worked.

    Gentoo's Github account was compromised in late June.

    The attacker was able to gain administrative privileges for Gentoo's Github account, after guessing the password for it.

    Gentoo's maintainers were alerted to the attack early thanks to the attacker removing all developers from the Github account, causing them to be emailed.

  • NSA Exploit "DoublePulsar" Patched to Work on Windows IoT Systems

    An infosec researcher who uses the online pseudonym of Capt. Meelo has modified an NSA hacking tool known as DoublePulsar to work on the Windows IoT operating system (formerly known as Windows Embedded).

    The original DoublePulsar is a hacking tool that was developed by the US National Security Agency (NSA), and was stolen and then leaked online by a hacking group known as The Shadow Brokers.

    At its core, DoublePulsar is a Ring-0 kernel mode payload that acts like a backdoor into compromised systems. DoublePulsar is not meant to be used on its own, but together with other NSA tools.

  • Predictable password blamed for Gentoo GitHub organisation takeover [Ed: when Microsoft takes over the NSA gets all these passwords. (NSA PRISM)]

    Gentoo has laid out the cause and impact of an attack that saw the Linux distribution locked out of its GitHub organisation.

    The attack took place on June 28, and saw Gentoo unable to use GitHub for approximately five days.

    Due a lack of two-factor authentication, once the attacker guessed an admin's password, the organisation was in trouble.

Security: Open Source Security Podcast and Inaccurate Gentoo Coverage

Filed under
Gentoo
Security
  • Open Source Security Podcast: Episode 103 - The Seven Properties of Highly Secure Devices

    We take a real world view into how to secure our devices. What works, what doesn't work, and why this list is actually really good.

  • Github code repository for Gentoo Linux hacked [Ed: Lots of inaccuracies here]

    The Gentoo Linux distribution's Github repository was hacked last June 28, with the attackers modifying the code there.

    Github is a repository for all sorts of source code projects in a variety of programming languages. Gentoo Linux is one such project, stored in Github.

    Gentoo Linux administrators updated users as soon as the issue was found out.

  • Gentoo warning after GitHub hack [Ed: Crack, not "hack"]

    A key Gentoo Linux source code repository should be considered compromised after “unknown individuals” gained access to Gentoo’s Github organisation.

    In an email to the Gentoo announcement list, developer Alec Warner said that the individuals had seized control of the GitHub Gentoo organisation “and modified the content of repositories as well as pages there”.

Gentoo Needs to Delete GitHub

Filed under
Gentoo
Security
  • Gentoo GitHub mirror hacked and considered compromised

    Linux distribution Gentoo has had its GitHub mirror broken into and taken over, with GitHub pages changed and ebuilds replaced.

    In an alert, Gentoo said the attacker gained control of the Github Gentoo organisation at June 28, 20:20 UTC.

    "All Gentoo code hosted on github should for the moment be considered compromised," the alert said.

  • Et tu, Gentoo? Horrible gits meddle with Linux distro's GitHub code

    If you have fetched anything from Gentoo's GitHub-hosted repositories today, dump those files – because hackers have meddled with the open-source project's data.

    The Linux distro's officials sounded the alarm on Thursday, revealing someone managed to break into its GitHub organization account to modify software and webpages.

    Basically, if you downloaded and installed materials from Gentoo via GitHub, you might be compromised by bringing in malicious code. And until the all clear is given, you should avoid fetching anything from the project's 'hub org account.

    "Today, 28 June, at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there," Gentoo dev Alec Warner said in a bulletin.

  • Gentoo Linux GitHub organisation hacked, content modified

    The GitHub organisation of the Gentoo Linux distribution has been compromised and the project behind Gentoo is warning users not to use code from this source.

    In a statement, the Gentoo leadership said some unknown individuals had gained control of the GitHub Gentoo organisation on 28 June at 20.20 UTC and modified the content and pages.

    Gentoo is a Linux distribution meant for advanced users. The source is compiled locally depending on user preferences and is often optimised for specific hardware.

Gentoo-Based Porteus Kiosk 4.7 Brings More Mitigations Against Spectre Flaws

Filed under
Gentoo

Powered by the long-term supported Linux 4.14.50 kernel, Porteus Kiosk 4.7.0 is the second release of the operating system in 2018 and comes five months after version 4.6 to introduce more mitigations against the Spectre security vulnerabilities, though the next-gen Spectre flaws require microcode firmware updates for Intel CPUs.

"Newly discovered "Spectre Next Generation" vulnerabilities require updated microcode from Intel which is not available yet. Please consider enabling automatic updates service for your kiosks to receive latest fixes and patches as soon as they become available," reads today's announcement.

Read more

The story of Gentoo management

Filed under
Gentoo

I have recently made a tabular summary of (probably) all Council members and Trustees in the history of Gentoo. I think that this table provides a very succinct way of expressing the changes within management of Gentoo. While it can’t express the complete history of Gentoo, it can serve as a useful tool of reference.

What questions can it answer? For example, it provides an easy way to see how many terms individuals have served, or how long Trustee terms were. You can clearly see who served both on the Council and on the Board and when those two bodies had common members. Most notably, it collects a fair amount of hard-to-find data in a single table.

Read more

A short history of Gentoo copyright

Filed under
Gentoo
Legal

As part of the recent effort into forming a new copyright policy for Gentoo, a research into the historical status has been conducted. We've tried to establish all the key events regarding the topic, as well as the reasoning behind the existing policy. I would like to shortly note the history based on the evidence discovered by Robin H. Johnson, Ulrich Müller and myself.

Read more

Syndicate content

More in Tux Machines

Browsing the web with Min, a minimalist open source web browser

Does the world need another web browser? Even though the days of having a multiplicity of browsers to choose from are long gone, there still are folks out there developing new applications that help us use the web. One of those new-fangled browsers is Min. As its name suggests (well, suggests to me, anyway), Min is a minimalist browser. That doesn't mean it's deficient in any significant way, and its open source, Apache 2.0 license piques my interest. Read more

Security: Patches, FUD and Voting Machines

  • libssh 0.8.4 and 0.7.6 security and bugfix release

    libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.

  • A Cybersecurity Weak Link: Linux and IoT [Ed: Blaming "Linux" for companies that put default passwords on all their products? Windows has back doors.]
  • Undetectably bypass voting machines' anti-tamper mechanism with a bit of a soda-can

    But University of Michigan grad student Matt Bernhard has demonstrated that he can bypass the tamper-evident seals in seconds, using a shim made from a slice of a soda can. The bypass is undetectable and doesn't damage the seal, which can be resecured after an attacker gains access to the system.

  • Security Seals Used to Protect Voting Machines Can Be Easily Opened With Shim Crafted from a Soda Can

    Bernhard, who is an expert witness for election integrity activists in a lawsuit filed in Georgia to force officials to get rid of paperless voting machines used in that state, said the issue of security ties and seals came up in the lawsuit earlier this year when Fulton County Elections Director Richard Barron told the court that his Georgia county relies on tamper-evident metal and plastic ties to seal voting machines and prevent anyone with physical access to the machines from subverting them while they sit in polling places days before an election.

    [...]

    He noted that defeating ties and seals in non-tamper-evident ways isn’t the only method to wreak havoc on an election in Michigan. The state has a unique law that prohibits ballots from being used in a recount if the number of voters doesn't match the number of ballots cast at a precinct or if the seal on a ballot box is broken or has a different serial number than what it should have. Someone who wanted to wreak havoc on an election or alter an election outcome in Michigan could purposely tamper with ballot box seals in a way that is evident or simply replace them with a seal bearing a different serial number in order to get ballots excluded from a recount. The law came into sharp relief after the 2016 presidential election when Green Party candidate Jill Stein sought to get a statewide recount in Michigan and two other critical swing states and found that some precincts in Wayne County couldn't be recounted because the number of voters who signed the poll books—which get certified with a seal signed by officials—didn't match the number of ballots scanned on the voting machines.

OSS: Hedera Hashgraph, Service Providers, and Renaming the Bro Project

  • Hedera Hashgraph Distributed Ledger Technology Shares New Open-Source SDK [Ed: Hedera needs to delete GitHub, however, as the new head of GitHub killed Java projects like Hedera's]
    Hedera Hashgraph, one of the DApp facilitators within the blockchain industry recently announced that it has released its Software Development Kit (SDK) in Java.
  • Service Providers Should Adapt to Open Source World
    Finding differing opinions on open source with the telecom industry isn't hard to do, especially where orchestration is concerned. That's why a panel discussion on open source and MANO at the Light Reading NFV-Carrier SDN event in Denver seemed an odd place to find such outspoken agreement on that topic, but there it was. Four smart guys, none shy with their opinions, all seemed to agree on key points around open source, the need for standards, the role of vendors and the lack of internal software skills. But they also agreed that telecom service providers are struggling a bit to understand how to proceed in an open source world and still need some fundamental internal changes.
  • Renaming the Bro Project
    More than 20 years ago I chose the name "Bro" as "an Orwellian reminder that monitoring comes hand in hand with the potential for privacy violations", as the original Bro paper put it. Today that warning is needed more than ever ... but it's clear that now the name "Bro" is alas much more of a distraction than a reminder. On the Leadership Team of the Bro Project, we heard clear concerns from the Bro community that the name "Bro" has taken on strongly negative connotations, such as "Bro culture". These send a sharp, anti-inclusive - and wholly unintended and undesirable - message to those who might use Bro. The problems were significant enough that during BroCon community sessions, several people have mentioned substantial difficulties in getting their upper management to even consider using open-source software with such a seemingly ill-chosen, off-putting name.

Back End: Apache Kafka, 'Serverless'