Debian

Security: Updates, Cmd, Supermicro, Reproducible Builds and Qualcomm Binary Blobs

Filed under
Security
Debian
Ubuntu
  • Security updates for Tuesday
  • Linux security: Cmd provides visibility, control over user activity
  • Supermicro hardware weaknesses let researchers backdoor an IBM cloud server

    In short, BMCs are motherboard-attached microcontrollers that give extraordinary control over servers inside datacenters. Using the Intelligent Platform Management Interface, admins can reinstall operating systems, install or modify apps, and make configuration changes to large numbers of servers, without physically being on premises and, in many cases, without the servers being turned on. In 2013, researchers warned that BMCs that came preinstalled in servers from Dell, HP, and other name-brand manufacturers were so poorly secured that they gave attackers a stealthy and convenient way to take over entire fleets of servers inside datacenters.

    Researchers at security firm Eclypsium on Tuesday plan to publish a paper about how BMC vulnerabilities threaten a premium cloud service provided by IBM and possibly other providers. The premium service is known as bare-metal cloud computing, an option offered to customers who want to store especially sensitive data but don't want it to intermingle on the same servers other customers are using. The premium lets customers buy exclusive access to dedicated physical servers for as long as needed and, when the servers are no longer needed, return them to the cloud provider. The provider, in theory, wipes the servers clean so they can be safely used by another bare-metal customer.

  • Reproducible builds folks: Reproducible Builds: Weekly report #200

    Holger Levsen submitted the Reproducible Builds project to the May/August 2019 round of Outreachy. Outreachy provides internships to work on free software. Internships are open to applicants around the world, working remotely and are not required to move. Interns are paid a stipend of $5,500 for the three-month internship and have an additional $500 travel stipend to attend conferences/events. So far, we received more than ten initial requests from candidates. The closing date for applicants is April 2nd. More information is available on the application page.

  • Ubuntu Touch OTA-8 Won't Move To Mir 1.1 + Unity 8 Due To Qualcomm Binary Blob Issues

    The Ubuntu Touch community team has put out their latest questions/answers about this effort continuing to let the Ubuntu effort live on for mobile devices like the Nexus and other hardware as well as looking ahead to get this mobile operating system running on the likes of Librem 5 and Pine64 phones.

It Soon May Be Easier Building Debian Packages On Fedora

Filed under
Red Hat
Debian
  • It Soon May Be Easier Building Debian Packages On Fedora

    While Fedora is deeply rooted around RPMs, the necessary components for building Debian binary packages may soon end up in the Fedora repository -- they're currently undergoing the package review process. Developer Dridi Boukelmoune was fed up with the current situation and took to improving the Debian packaging options for Fedora to make it easier spinning Debian packages there without resorting to VMs or other avenues. This can be useful in cases of commercial/internal software and other practices where you may be needing to build both RPMs and Debs and desire to do so from a single stack.

  • Ditch RPM in favor of DPKG

    I know how important RPM is to the Fedora Project, but it breaks everything downstream and we'd be better off using DPKG as we should have from day one. I'm calling this initiative fedpkg: Fedora Embraces DPKG.

    A bit of background here: I build both RPMs and DEBs for $DAYJOB and until recently my workflow was quite painful because I needed extra steps between git checkout and git push that involves a VM, because what we ship as apt is in reality apt-rpm. It finally got enough on my nerves to locally build the things I needed and after a month I have already amortized my efforts with the time I save not having to deal with needless extra hoops.

    In order to successfully build debs on Fedora I needed 4 packages that I'm now submitting for review:

    https://bugzilla.redhat.com/show_bug.cgi?id=gnu-config
    https://bugzilla.redhat.com/show_bug.cgi?id=strip-nondeterminism
    https://bugzilla.redhat.com/show_bug.cgi?id=sbuild
    https://bugzilla.redhat.com/show_bug.cgi?id=apt

    I need more than reviews here. Three of those packages are heavy on Perl code, and I'm not a Perl Monk. I tried to CC perl-sig as per the guidelines [1] (also tried with the mailing list address) but bugzilla replied kindly:

    CC: perl-sig did not match anything

    Apt is a mix of C, Perl and C++ code, so I would be reassured if I could have a C++ co-maintainer too. I'm only a C developer so if something goes wrong outside of the C realm that would be helpful.

    Two of those packages should be runtime dependencies of debhelper.

    The current apt package should be renamed to apt-rpm, I will look up the procedure for that to happen. I understand that when someone sees they should run "apt-get install foo" somewhere on the web it's helpful for non-savvy users that this JustWorks(tm) [2], but apt-rpm is dead upstream and it shouldn't be advertised as apt.

    I hope I CC'd everyone that should get this heads up, and hope to find help for the reviews and co-maintainership. The packaging does nothing fancy, there are quirks here and there but overall it was rather easy to put together. And of course I would be happy to help with reviews too in exchange.

    And thanks again to the mock developers, its design is so much better than either sbuild or pdebuild that I barely have pain points left when it comes to RPM packaging.

    Thanks, Dridi

Debian: INN 2.6.3, Netplan and LTS Work

Filed under
Debian
  • INN 2.6.3

    INN 2.6.3 has been released. This is a bug fix and minor feature release over INN 2.6.2, and the upgrade should be painless. The main ISC downloads page will be updated shortly; in the meantime, you can download the new release from ftp.isc.org or my personal INN pages. The latter also has links to the full changelog and the other INN documentation.

    The big change in this release is support for Python 3. Embedded Python filtering and authentication hooks for innd and nnrpd can now use version 3.3.0 or later of the Python interpreter. Python 2.x is still supported (2.3.0 or later).

  • Netplan support in FAI

    The new version FAI 5.8.1 now generates the configuration file for Ubuntu's netplan tool. It's a YAML description for setting up the network devices, replacing the /etc/network/interfaces file. The FAI CD/USB installation image for Ubuntu now offers two different variants to be installed, Ubuntu desktop and Ubuntu server without a desktop environment. Both are using Ubuntu 18.04 aka Bionic Beaver.

  • Raphaël Hertzog: Freexian’s report about Debian Long Term Support, January 2019

    Like each month, here comes a report about the work of paid contributors to Debian LTS.

Slax 9.8 Linux Distro Released with Various Updates from Debian GNU/Linux 9.8

Filed under
Linux
Debian

Slax 9.8 is now available for download and comes about three weeks after the release of Slax 9.7, which improved compatibility with new USB devices and made the ISO image even smaller by using 1MB blocks to compress the SquashFS filesystem.

Slax 9.8 is based on the recently released Debian GNU/Linux 9.8 operating system and incorporates all of the upstream security updates and miscellaneous bug fixes that were included in the Debian GNU/Linux 9.8 "Stretch" point release.

Debian: Sway in Experimental and More

Filed under
Debian
  • Sway in experimental

    A couple of days ago the 1.0-RC2 version of Sway, a Wayland compositor, landed in Debian experimental. Sway is a drop in replacement for the i3 tiling window manager for Wayland. Drop in replacement means that, apart from minor adaptions, you can reuse your existing i3 configuration file for Sway. On the Website of sway you can find a short introduction video that shows the most basic concepts of using Sway, though if you have worked with i3 you will feel at home soon.

    In the video the utility swaygrab is mentioned, but this tool is not part of Sway anymore. There is another screenshot tool now though, called grim which you can combine with the tool slurp if you want to select regions for screenshots. The video also mentions swaylock, which is a screen locking utility similar to i3lock. It was split out of the main Sway release a couple of weeks ago but there also exists a Debian package by now. And there is a package for swayidle, which is an idle management daemon, which comes handy for locking the screen or for turning off your display after a timeout. If you need a clipboard manager, you can use wl-clipboard. There is also a notification daemon called mako (the Debian package is called mako-notifier and is in NEW) and if you don’t like the default swaybar, you can have a look at waybar (not yet in Debian, see this RFS). If you want to get in touch with other Sway users there is a #sway IRC channel on freenode. For some tricks setting up Sway you can browse the wiki.

  • The Sway Wayland Compositor Is Now Available From Debian Experimental

    For those that have been wanting to try out the near-final Sway 1.0, this Wayland compositor has made its way into the Debian archive albeit only in the "experimental" section for now.

    At the end of January was the start of the upstream Debian packaging work around Sway and it's kept up with the latest release candidates. Available from Debian Experimental is now the latest Sway 1.0-RC2.

  • Making debug symbols discoverable and fetchable

    Michael wrote a few days ago about the experience of debugging programs on Debian. And he is certainly not the only one, who found it more difficult to find debug symbols on Linux systems in general.

    But fortunately, it is a fixable problem. Basically, we just need a service to map a build-id to a downloadable file containing that build-id. You can find the source code to my (prototype) of such a dbgsym service on salsa.debian.org.

Debian Developers' Updates and Python Bits

Filed under
Development
Debian

Updated Debian 9: 9.8 released

Filed under
Debian

The Debian project is pleased to announce the eighth update of its stable distribution Debian 9 (codename "stretch"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old "stretch" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

Also: Debian 9.8 Released With Latest Security Fixes

Ubuntu-Centric Full Circle Magazine and Debian on the Raspberryscape

Filed under
Debian
Ubuntu
  • Full Circle Magazine: Full Circle Weekly News #121
  • Debian on the Raspberryscape: Great news!

    I already mentioned here having adopted and updated the Raspberry Pi 3 Debian Buster Unofficial Preview image generation project. As you might know, the hardware differences between the three families are quite deep. The original Raspberry Pi (models A and B), as well as the Zero and Zero W, are ARMv6 (which, in Debian-speak, belong to the armel architecture, a.k.a. EABI / Embedded ABI). Raspberry Pi 2 is an ARMv7 (so, we call it armhf or ARM hard-float, as it does support floating point instructions). Finally, the Raspberry Pi 3 is an ARMv8-A (in Debian it corresponds to the ARM64 architecture).

    [...]

    As for the little guy, the Zero that sits atop them, I only have to upload a new version of raspberry3-firmware built also for armel. I will add to it the needed devicetree files. I have to check with the release-team members if it would be possible to rename the package to simply raspberry-firmware (as it's no longer v3-specific).

    Why is this relevant? Well, the Raspberry Pi is by far the most popular ARM machine ever. It is a board people love playing with. It is the base for many, many, many projects. And now, finally, it can run with straight Debian! And, of course, if you don't trust me providing clean images, you can prepare them by yourself, trusting the same distribution you have come to trust and love over the years.

Debian: Mint Debian Edition Cindy, Reproducible Builds and Markus Koschany's Free Software Activities in January 2019

Filed under
Debian

More in Tux Machines

GNOME: Theming, Mutter and Sprint 1

  • App Devs Ask Linux Distros to “Stop Theming Our Apps”
    A group of independent Linux app developers have written an open letter to ask wider GNOME community to ask: “stop theming our apps”. The letter is addressed to the maintainers of Linux distributions who elect to ship custom GTK and icons themes by default in lieu of upstream defaults. By publicising the issues they feel stem from the practice of “theming” it’s hoped that distros and developers might work together to create a “healthier GNOME third party app ecosystem”.
  • A Group of Independent Linux App Developers Has Asked Wider GNOME Community To 'Stop Theming' Its Apps
  • GNOME's Mutter Makes Another Step Towards X11-Less, Starting XWayland On-Demand
    GNOME 3.34 feature development continues at full-speed with a lot of interesting activity this cycle particularly on the Mutter front. On top of the performance/lag/stuttering improvements, today Mutter saw the merging of the "X11 excision" preparation patches. The Mutter patches by longtime GNOME developer Carlos Garnacho around preparing for X11 excision were merged minutes ago.
  • Georges Basile Stavracas Neto: New Background panel, Calendar search engine, GTK4 shortcut engine (Sprint 1)
    GNOME To Do is full GTK4 these days. Which means it’s both a testbed for new GTK4 features, and also a way to give feedback as an app developer for the GTK team. Unfortunately, it also means To Do is blocked on various areas where GTK4 is lacking. One of these areas is keyboard shortcut. Last year, Benjamin wrote a major revamp for keyboard shortcuts. As part of this cycle, I decided to rebase and finish it; and also make To Do use the new API. Unfortunately, I failed to achieve what I set myself to. Turns out, adding a shortcuts engine to GTK4 is more involving and requires way more context than I had when trying to get it up to speed. I failed to predict that one week would have not been enough to finish it all. However, that does not mean all the efforts were wasted! The rebasing of the shortcuts engine was a non-trivial task successfully completed (see gtk!842), and I also fixed a few bugs while working on it. I also got a working prototype of GNOME To Do with the new APIs, and confirmed that it’s well suited — at least for a simpler application such as To Do. In retrospect, I believe I should have been more realistic (and perhaps slightly pessimistic) about the length and requirements of this task.

Programming: SVE2, Graphical Interface, Guile, Python and More

  • Arm SVE2 Support Aligning For GCC 10, LLVM Clang 9.0
    Given the significant performance benefits to Arm's Scalable Vector Extension 2 (SVE2), they are working on ensuring the open-source Linux compiler toolchains support these new CPU instructions ahead of SoCs shipping that support this big addition. Arm announced Scalable Vector Extension 2 (SVE2) recently as their latest advancement around SIMD programming and increasing data-level parallelism in programs. SVE2 is designed to ultimately deliver better SIMD performance than their long-available Neon extensions and to scale the performance with vector length increases as well as enabling auto-vectorization techniques. More details in this post on SVE2.
  • Intake: Discovering and Exploring Data in a Graphical Interface
    Do you have data that you’d like people to be able to explore on their own? Are you always passing around snippets of code to load specific data files? These are problems that people encounter all the time when working in groups and using the same datasources or when trying to distribute data to the public. Some users are comfortable interacting with data entirely programmatically, but often it is helpful to use a GUI (Graphical User Interface) instead. With that in mind we have reimplemented the Intake GUI so that in addition to working in a Jupyter notebook, it can be served as a web application next to your data, or at any endpoint.
  • lightening run-time code generation
    The upcoming Guile 3 release will have just-in-time native code generation. Finally, amirite? There's lots that I'd like to share about that and I need to start somewhere, so this article is about one piece of it: Lightening, a library to generate machine code.
  • Python Language Creator: “Male Attitude” Is Hurting The Programming Space
    Guido van Rossum is a famous name in the programming world. He is the creator of the Python programming language which was developed back in 1989. It is only since the last few years when this general-purpose programming language started gaining popularity. The number of Python users has increased significantly and it was not only named as the best programming language by IEEE but also the most asked-about language on Stack Overflow, overthrowing JavaScript — the all-time winner for decades.
  • Avant-IDLE: an experiment

Dear Ubuntu: Please Stop Packaging Epiphany If You Won’t Do It Properly

When users try Epiphany on Ubuntu, they receive a sub-par, broken browser. If you’re not willing to do this right, please just remove Epiphany from your repositories. We’d all be happier this way. You are the most popular distributor of Epiphany by far, and your poor packaging is making the browser look bad.

Security Leftovers

  • Security updates for Friday
  • Episode 19: Democratizing Cybersecurity
    Katherine Druckman and Doc Searls talk to Alex Gounares of Polyverse Linux about Cybersecurity for everyone.
  • Introducing the Librem Tunnel
    You probably know by now that the Librem Tunnel is part of Librem One, a suite of privacy-protecting, no-tracking apps and services created by our team at Purism, which also includes Librem Mail, Librem Chat and Librem Social. Librem Tunnel offers an encrypted, no-logging, virtual private network tunnel, making sure all your network traffic is secure and your privacy fully protected. This means you can safely and conveniently use any public hotspot and not have to worry about how private your connection really is, using standards-based OpenVPN with any compatible client. You are not the product in Librem Tunnel: you will not be tracked, we do not sell your data, and we don’t advertise.
  • Trump Explains Why He Banned Huawei, And It’s Not Convincing
    The world’s two biggest economies are indulged in a trade war and the toll is being paid by the Chinese company Huawei, which is being erased from existence in the US. The US government has already blacklisted Huawei, causing a big blow to its growing smartphone business across the globe. After the temporary license ends in August, it won’t be able to do any business with US-based companies unless the ban is lifted.
  • Snort Alerts
    It was previously explained on LinuxHint how to install Snort Intrusion Detection System and how to create Snort rules. Snort is an Intrusion Detection System designed to detect and alert on irregular activities within a network. Snort is integrated by sensors delivering information to the server according to rules instructions. In this tutorial Snort alert modes will be explained to instruct Snort to report over incidents in 5 different ways (ignoring the “no alert” mode), fast, full, console, cmg and unsock. If you didn’t read the articles mentioned above and you don’t have previous experience with snort please get started with the tutorial on Snort installation and usage and continue with the article on rules before continuing this lecture. This tutorial assumes you have Snort already running.