All posts by jake

[$] OpenPGP in Thunderbird

Post Syndicated from jake original https://lwn.net/Articles/832183/rss

It is a pretty rare event to see a nearly 21-year-old bug be addressed—many
projects are nowhere near that old for one thing—but that is just what has
occurred for the Mozilla Thunderbird email application. An enhancement
request filed at the end of 1999 asked for a plugin to support email
encryption, but it has mostly languished since. The Enigmail plugin did
come along to fill the gap by providing OpenPGP support using GNU Privacy
Guard (GnuPG or GPG), but was never part of Thunderbird. As part of
Thunderbird 78, though, OpenPGP is now fully supported within the mail
user agent (MUA).

[$] Removing run-time disabling for SELinux in Fedora

Post Syndicated from jake original https://lwn.net/Articles/831748/rss

Disabling SELinux is, perhaps sadly in some ways, a time-honored tradition
for users of Fedora, RHEL, and other distributions that feature the
security mechanism. Over the years, SELinux has gotten easier to tolerate
due to the hard work of its developers and the distributions, but there are
still third-party packages that recommend or require disabling SELinux in
order to function. Up until fairly recently, the kernel has supported
disabling SELinux at run time, but that mechanism has been deprecated—in
part due to another kernel security feature. Now Fedora is planning
to eliminate the ability to disable SELinux at run time in Fedora 34, which sparked
some discussion in its devel mailing list.

[$] Key signing in the pandemic era

Post Syndicated from jake original https://lwn.net/Articles/831401/rss

The pandemic has changed many things in our communities, even though distance
has always played a big role in free software development. Annual in-person
gatherings for conferences and the like are generally paused at the moment,
but even after travel and congregating become reasonable again,
face-to-face meetings may be less frequent. There are both positives and
negatives to that outcome, of course, but some rethinking will be in order
if that comes to pass. The process of key signing is something that may need
to change as well; the Debian project, which uses signed keys,
has been discussing the subject.

[$] BPF in GCC

Post Syndicated from jake original https://lwn.net/Articles/831402/rss

The BPF virtual machine is being used ever more widely in the kernel, but
it has not been a target for GCC until recently. BPF is currently
generated using the LLVM compiler suite. Jose E. Marchesi gave a pair of
presentations as part of the GNU Tools track at the 2020 Linux Plumbers
Conference (LPC) that provided attendees with a look at the BPF for GCC
project, which started around a year ago. It has made some significant
progress, but there is, of course, more to do.

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/831283/rss

Security updates have been issued by Debian (python-pip), Fedora (kernel, libX11, and xen), openSUSE (go1.14), Oracle (libcroco, php:7.3, and postgresql:10), Red Hat (chromium-browser and httpd:2.4), and SUSE (gimp, golang-github-prometheus-prometheus, kernel, libxml2, pdsh, slurm_20_02, slurm, slurm_18_08, and tomcat).

[$] Preparing for the realtime future

Post Syndicated from jake original https://lwn.net/Articles/830660/rss

Unlike many of the previous gatherings of the Linux realtime developers,
their microconference at the virtual 2020 Linux Plumbers Conference had a
different feel about it. Instead of being about when and how to get the
feature into the mainline, the microconference had two sessions that looked at what
happens after the realtime patches are upstream. That has not quite happened
yet, but is likely for the 5.10 kernel, so the developers were
looking to the future of the stable realtime trees and, relatedly, plans
for continuous-integration (CI) testing for realtime kernels.

[$] Lua in the kernel?

Post Syndicated from jake original https://lwn.net/Articles/830154/rss

BPF is, of course, the language used for network (and other) customization
in the Linux kernel, but some people have been using the Lua language for
the networking side of that equation. Two developers from Ring-0 Networks,
Lourival Vieira Neto and Victor Nogueira, came to the virtual Netdev 0x14
to present that work. It consists of a framework to allow the injection of
Lua scripts into the running kernel as well as two projects aimed at
routers, one of which is deployed on 20 million devices.

Linux from Scratch version 10.0 released

Post Syndicated from jake original https://lwn.net/Articles/830676/rss

On September 1, the Linux From Scratch (LFS) project announced the release of version 10.0 of LFS along with
Beyond Linux From Scratch (BLFS). LFS is “a project that provides you with step-by-step instructions for building your own customized Linux system entirely from source”; BLFS picks up where LFS leaves off. Both books are available online either with or without systemd: LFS System V, LFS systemd, BLFS System V, and BLFS systemd. “The LFS release includes updates to glibc-2.31, and binutils-2.34. A
total of 35 packages have been updated. A new package, zstd-1.4.4, has
also been added. Changes to text have been made throughout the book. The
Linux kernel has also been updated to version 5.5.3.

The BLFS version includes approximately 1000 packages beyond the base
Linux From Scratch Version 9.1 book. This release has over 840 updates
from the previous version in addition to numerous text and formatting
changes.”

GnuPG 2.2.23 released, fixing a critical security flaw

Post Syndicated from jake original https://lwn.net/Articles/830538/rss

GNU Privacy Guard (GnuPG or GPG) has released version 2.2.23 to fix a critical security bug affecting GnuPG 2.2.21 and 2.2.22, as well as Gpg4win 3.1.12. “Importing an OpenPGP key having a preference list for AEAD algorithms
will lead to an array overflow and thus often to a crash or other
undefined behaviour.

Importing an arbitrary key can often easily be triggered by an attacker
and thus triggering this bug. Exploiting the bug aside from crashes is
not trivial but likely possible for a dedicated attacker. The major
hurdle for an attacker is that only every second byte is under their
control with every first byte having a fixed value of 0x04.

Software distribution verification should not be affected by this bug
because such a system uses a curated list of keys.”

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/830496/rss

Security updates have been issued by Debian (asyncpg and uwsgi), Mageia (cairo), openSUSE (chromium, kernel, and postgresql10), Red Hat (dovecot and squid:4), SUSE (curl, java-1_7_0-ibm, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libX11, php7, squid, and xorg-x11-server), and Ubuntu (apport, libx11, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).

[$] “Structural pattern matching” for Python, part 2

Post Syndicated from jake original https://lwn.net/Articles/828486/rss

We left the saga of PEP 622 (“Structural Pattern Matching”) at the end of
June, but the discussion of a Python “match” statement—superficially
similar to a C switch but with extra data-matching features—continued. At
this point, the next steps are up to the Python steering council, which
will determine the fate of the PEP. But there is lots of discussion to
catch up on from the last two months or so.

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/829847/rss

Security updates have been issued by Debian (bind9 and squid), Fedora (libX11 and wireshark), Gentoo (libX11 and redis), Mageia (firefox, libx11, qt4 and qt5base, and x11-server), openSUSE (gettext-runtime, inn, and webkit2gtk3), Oracle (firefox), SUSE (libqt5-qtbase, openvpn, openvpn-openssl1, postgresql10, and targetcli-fb), and Ubuntu (chrony, nss, and squid).

Krisman: Using the Linux kernel’s Case-insensitive feature in Ext4

Post Syndicated from jake original https://lwn.net/Articles/829737/rss

On the Collabora blog, Gabriel Krisman Bertazi writes about a feature he developed: case-insensitive ext4. He describes how to enable the feature in the kernel (>= 5.2), how to create an ext4 filesystem that will support case-insensitive lookups, as well as some gotchas; he starts with some justification for the idea: “A file name is a text string used to uniquely identify a file (in this context, ‘directory’ is the same as a file) at a specific level of the directory hierarchy. While, from the operating system point of view, it doesn’t matter what the file name is, as long as it is unique, meaningful file names are essential for the end user, since it is the main key to locate and retrieve data. In other words, a meaningful file name is what people rely upon to find their valuable documents, pictures and spreadsheets.

Traditionally, Linux (and Unix) filesystems have always considered file names as an opaque byte sequence without any special meaning, requiring users to submit the exact match of the file to find it in the filesystem. But that is not how humans operate. When people write titles, ‘important report.ods’ and ‘IMPORTANT REPORT.ods’ usually mean the same piece of data, and you don’t care how it was written when creating it. We care about the content and the semantics of the words IMPORTANT and REPORT.”