All posts by jake

[$] Supporting PGP keys and signatures in the kernel

Post Syndicated from jake original https://lwn.net/Articles/882426/rss

A few weeks back, we looked at a proposal
to add an integrity-management feature to Fedora. One of the selling
points was that the integrity checking could be done using the PGP
signatures that are already embedded into the RPM package files that Fedora
uses. But the kernel needs to be able to verify PGP signatures in order
for the Fedora feature to work. That addition to the kernel has been proposed, but
some in the kernel-development community seem less than completely
enthusiastic about bringing PGP support into the kernel itself.

Netfilter project: Settlement with Patrick McHardy

Post Syndicated from jake original https://lwn.net/Articles/882397/rss

The netfilter project, which works on packet-filtering for the Linux kernel,
has announced that it has reached a settlement (English translation) with
Patrick McHardy that is “legally binding and it governs any legal enforcement
activities” on netfilter programs and libraries as well as the kernel itself.
McHardy has been employing questionable practices in doing GPL enforcement in
Germany over the last six years or more. The practice has been called
“copyright trolling” by some and is part of what led to the creation of The
Principles of Community-Oriented GPL Enforcement.

This settlement establishes that any decision-making around
netfilter-related enforcement activities should be based on a majority
vote. Thus, each active coreteam member
at the time of the
enforcement request holds one right to vote. This settlement covers
past and new enforcement, as well as the enforcement of contractual
penalties related to past declarations to cease-and-desist.

Security updates for Monday

Post Syndicated from jake original https://lwn.net/Articles/882396/rss

Security updates have been issued by Debian (chromium, golang-1.7, golang-1.8, pillow, qtsvg-opensource-src, util-linux, and wordpress), Fedora (expat, harfbuzz, kernel, qt5-qtsvg, vim, webkit2gtk3, and zabbix), Mageia (glibc, kernel, and kernel-linus), openSUSE (bind, chromium, and zxing-cpp), Oracle (kernel), Red Hat (java-11-openjdk and kpatch-patch), Scientific Linux (java-11-openjdk), SUSE (bind, clamav, zsh, and zxing-cpp), and Ubuntu (aide, dbus, and thunderbird).

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/882119/rss

Security updates have been issued by Debian (aide, flatpak, kernel, libspf2, and usbview), Fedora (kernel, libreswan, nodejs, texlive-base, and wireshark), openSUSE (aide, cryptsetup, grafana, permissions, rust1.56, and stb), SUSE (aide, apache2, cryptsetup, grafana, permissions, rust1.56, and webkit2gtk3), and Ubuntu (aide, thunderbird, and usbview).

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/881956/rss

Security updates have been issued by Debian (drupal7), Fedora (kernel, libreswan, nodejs, and wireshark), openSUSE (busybox, firefox, kernel, and python-numpy), Oracle (gegl, gegl04, httpd, java-17-openjdk, kernel, kernel-container, and libreswan), Red Hat (kernel, kernel-rt, and libreswan), Slackware (wpa_supplicant), SUSE (busybox, firefox, htmldoc, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container, openstack-monasca-agent, spark, spark-kit, zookeeper, and python-numpy), and Ubuntu (curl, linux, linux-aws, linux-aws-5.11, linux-aws-5.4, linux-azure, linux-azure-5.11, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.11, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oem-5.10, linux-oem-5.13, linux-oem-5.14, linux-oracle, linux-oracle-5.11, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, openvswitch, and qtsvg-opensource-src).

[$] Resurrecting fbdev

Post Syndicated from jake original https://lwn.net/Articles/881827/rss

The Linux framebuffer device (fbdev) subsystem has long languished in
something of a purgatory; it was listed as “orphaned” in the
MAINTAINERS file and saw fairly minimal maintenance, mostly driven
by developers working elsewhere in the kernel graphics stack. That all
changed, in an eye-opening way, on January 17, when Linus Torvalds
merged a change
to make Helge Deller the new maintainer of the subsystem. But it turns out
that the problems in fbdev run deep, at least according to much of the rest
of the kernel graphics community. By seeming to take on the maintainer role in order to
revert the removal of some buggy features from fbdev, Deller has created
something of a controversy.

[$] Python sets, frozensets, and literals

Post Syndicated from jake original https://lwn.net/Articles/881599/rss

A Python “frozenset” is simply a set object that is immutable—the objects it
contains are determined at initialization time and cannot be changed
thereafter. Like sets, frozensets are built into the language, but unlike most
of the other standard Python types, there is no way to create a literal
frozenset object. Changing that, by providing a mechanism to do so, was the
topic of a recent discussion on the python-ideas mailing list.

Security updates for Monday

Post Syndicated from jake original https://lwn.net/Articles/881545/rss

Security updates have been issued by Debian (chromium, firefox-esr, ghostscript, libreswan, prosody, sphinxsearch, thunderbird, and uriparser), Fedora (cryptsetup, flatpak, kernel, mingw-uriparser, python-celery, python-kombu, and uriparser), Mageia (htmldoc, mbedtls, openexr, perl-CPAN, systemd, thunderbird, and vim), openSUSE (chromium and prosody), Red Hat (httpd, kernel, and samba), Scientific Linux (kernel), Slackware (expat), SUSE (ghostscript), and Ubuntu (pillow).

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/881303/rss

Security updates have been issued by Debian (epiphany-browser, lxml, and roundcube), Fedora (gegl04, mingw-harfbuzz, and mod_auth_mellon), openSUSE (openexr and python39-pip), Oracle (firefox and thunderbird), Red Hat (firefox and thunderbird), SUSE (apache2, openexr, python36-pip, and python39-pip), and Ubuntu (apache-log4j1.2, ghostscript, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, and systemd).

[$] Relocating Fedora’s RPM database

Post Syndicated from jake original https://lwn.net/Articles/881107/rss

The deadlines
for various kinds of Fedora 36 change proposals have mostly passed at
this point, which led to something of a flurry of postings to the
distribution’s devel mailing list over the last month. One of those, for a seemingly fairly
innocuous relocation of the RPM database from /var to
/usr, came in right at the buzzer for system-wide changes on
December 29. There were, of course, other things going on around that
time, holidays, vacations, and so forth, so the discussion was relatively
muted until recently. Proponents have a number of reasons why they would like
to see the move, but there is resistance, as well, that is due, at least in part, to the
longstanding “tradition” of the location for the database.

[$] An outdated Python for openSUSE Leap

Post Syndicated from jake original https://lwn.net/Articles/880859/rss

Enterprise distributions are famous for maintaining the same versions of
software throughout their, normally five-year-plus, support windows. But
many of the projects those distributions are based on have far shorter
support periods; part of what the enterprise distributions sell is patching
over those mismatches. But openSUSE Leap is not exactly an
enterprise distribution, so some users are chafing under the restrictions
that come from Leap being based on SUSE Enterprise Linux (SLE). In
particular, shipping Python 3.6, which reached its end of life at the
end of 2021, is seen as problematic for the upcoming Leap 15.4 release.

Security updates for Monday

Post Syndicated from jake original https://lwn.net/Articles/880807/rss

Security updates have been issued by Debian (ghostscript and roundcube), Fedora (gegl04, mbedtls, and mediawiki), openSUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container and libvirt), and Ubuntu (apache2).

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/880564/rss

Security updates have been issued by Fedora (log4j and quaternion), Mageia (gnome-shell and singularity), SUSE (libsndfile, libvirt, net-snmp, and python-Babel), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oem-5.10, and linux-oem-5.14).

[$] Restricting SSH agent keys

Post Syndicated from jake original https://lwn.net/Articles/880458/rss

The OpenSSH suite of tools for secure remote logins is used widely within our
communities; it also underlies things like remote Git repository access. A
recent experimental feature for the upcoming OpenSSH 8.9 release will help
close a security hole that can be exploited by attacker-controlled SSH servers
(e.g. sshd) when the user is forwarding authentication to a local ssh-agent.
Instead of allowing the keys held in the agent to be used for authenticating
to any host where they might work, SSH agent restriction will allow users to
specify where and how those keys can be used.

[$] Another Fedora integrity-management proposal

Post Syndicated from jake original https://lwn.net/Articles/880263/rss

File-integrity management for the Fedora distribution has been the overarching
theme of a number of different feature proposals over the last year or so. In
general, they have been met with skepticism, particularly with regard to how
well the features mesh with Fedora’s goals, but also in how they will change
the process of building RPM packages. A new proposal that would allow systems
to (optionally) perform remote attestation is likewise encountering headwinds;
there are several different concerns being raised in the discussion of it.