Hírolvasó

Az Ookla bizakodik, hogy a hálózatok nyernek.

Maradnak a sütik.

Az egyszerű felépítésű Chromecastok helyébe egy izmosabb set-top box léphet.

A fogyasztóvédelmi hatóságokat tömörítő uniós csoport szerint a Meta megtévesztő és agresszív gyakorlatokat alkalmaz.

A Wiz visszautasította a 23 milliárd dolláros felvásárlási ajánlatot, tőzsdére viszik a céget.

Red Hat, through members of the Fedora Workstation Working Group, has taken another swing at persuading the Fedora Project to allow metrics related to the real-world use of the Workstation edition to be collected. The first proposal, aimed for Fedora 40, was withdrawn to be reworked based on feedback. This time around, the proponents have shifted from asking for opt-out telemetry to opt-in metrics, with more detail about what would be collected and the policies that would govern data collection. The change seems to be on its way to approval by the Fedora Engineering Steering Council (FESCo) and is set to take effect for Fedora 42.

Security updates have been issued by Fedora (botan2, chromium, ffmpeg, fluent-bit, gtk3, httpd, suricata, tcpreplay, and thunderbird), Mageia (apache, chromium-browser-stable, libfm & libfm-qt, and thunderbird), Oracle (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libndp, qt5-qtbase, ruby, skopeo, thunderbird, and virt:ol and virt-devel:rhel), Red Hat (containernetworking-plugins, firefox, libndp, qt5-qtbase, and thunderbird), SUSE (caddy, chromium, emacs, global, mockito, snakeyaml, testng, and opera), and Ubuntu (thunderbird).

A Microsoft szerint a cégnek az EU miatt muszáj kernelszintű hozzáférést adnia külső fejlesztésű védelmi szoftverek számára a Windowshoz.

Legalábbis a személyes ügyintézést illetően.

Fizet az Oracle, hogy rendezze a több száz millió felhasználó adatait tartalmazó „digitális dossziék” miatt indított csoportos keresetet.

A cégnél már javában fejlesztik a Blackwell kínai piacra szánt változatát.

Az összes windowsos szerver és munkaállomás kevesebb mint egy százalékát érintette a múlt heti fiaskó.

A sérülékeny szilikonharangok miatt a fülhallgató premierje heteket késhet.

In this commit, Rafael Sadowski (rsadowski@) merged libva 2.22.0 into OpenBSD, enabling VA-API to accelerate video decoding and other hardware assisted operations:

Read more…

In the future, computers will not crash due to bad software updates, even those updates that involve kernel code. In the future, these updates will push eBPF code.

Friday July 19th provided an unprecedented example of the inherent dangers of kernel programming, and has been called the largest outage in the history of information technology. Windows computers around the world encountered blue-screens-of-death and boot loops, causing outages for hospitals, airlines, banks, grocery stores, media broadcasters, and more. This was caused by a config update by a security company for their widely used product that included a kernel driver on Windows systems. The update caused the kernel driver to try to read invalid memory, an error type that will crash the kernel.

For Linux systems, the company behind this outage was already in the process of adopting eBPF, which is immune to such crashes. Once Microsoft's eBPF support for Windows becomes production-ready, Windows security software can be ported to eBPF as well. These security agents will then be safe and unable to cause a Windows kernel crash.

eBPF (no longer an acronym) is a secure kernel execution environment, similar to the secure JavaScript runtime built into web browsers. If you're using Linux, you likely already have eBPF available on your systems whether you know it or not, as it was included in the kernel several years ago. eBPF programs cannot crash the entire system because they are safety-checked by a software verifier and are effectively run in a sandbox. If the verifier finds any unsafe code, the program is rejected and not executed. The verifier is rigorous -- the Linux implementation has over 20,000 lines of code -- with contributions from industry (e.g., Meta, Isovalent, Google) and academia (e.g., Rutgers University, University of Washington). The safety this provides is a key benefit of eBPF, along with heightened security and lower resource usage.

Some eBPF-based security startups (e.g., Oligo, Uptycs) have made their own statements about the recent outage, and the advantages of migrating to eBPF. Larger tech companies are also adopting eBPF for security. As an example, Cisco acquired the eBPF-startup Isovalent and has announced a new eBPF security product: Cisco Hypershield, a fabric for security enforcement and monitoring. Google and Meta already rely on eBPF to detect and stop bad actors in their fleet, thanks to eBPF's speed, deep visibility, and safety guarantees. Beyond security, eBPF is also used for networking and observability.

The worst thing an eBPF program can do is to merely consume more resources than is desirable, such as CPU cycles and memory. eBPF cannot prevent developers writing poor code -- wasteful code -- but it will prevent serious issues that cause a system to crash. That said, as a new technology eBPF has had some bugs in its management code, including a Linux kernel panic discovered by the same security company in the news today. This doesn't mean that eBPF has solved nothing, substituting a vendor's bug for its own. Fixing these bugs in eBPF means fixing these bugs for all eBPF vendors, and more quickly improving the security of everyone.

There are other ways to reduce risks during software deployment that can be employed as well: canary testing, staged rollouts, and "resilience engineering" in general. What's important about the eBPF method is that it is a software solution that will be available in both Linux and Windows kernels by default, and has already been adopted for this use case.

If your company is paying for commercial software that includes kernel drivers or kernel modules, you can make eBPF a requirement. It's possible for Linux today, and Windows soon. While some vendors have already proactively adopted eBPF (thank you), others might need a little encouragement from their paying customers. Please help raise awareness, and together we can make such global outages a lesson of the past.

Authors: Brendan Gregg, Intel; Daniel Borkmann, Isovalent; Joe Stringer, Isovalent; KP Singh, Google.

The Next Generation Internet (NGI) project, an initiative of the EU's European Commission (EC), provides funding in the form of grants for a wide variety of open-source software, including Redox, Briar, SourceHut, and many more. But the NGI project is not among those that would be funded under the current draft budget for 2025, as The Register reports. More than 60 organizations have signed on to an open letter asking the EC to reconsider:

We find this transformation incomprehensible, moreover when NGI has proven efficient and economical to support free software as a whole, from the smallest to the most established initiatives. This ecosystem diversity backs the strength of European technological innovation, and maintaining the NGI initiative to provide structural support to software projects at the heart of worldwide innovation is key to enforce the sovereignty of a European infrastructure. Contrary to common perception, technical innovations often originate from European rather than North American programming communities, and are mostly initiated by small-scaled organizations.

The NumPy project released version 2.0.0 on June 16, the first major release of the widely used Python-based numeric-computing library since 2006. The release has been planned for some time, as an opportunity to clean up NumPy's API. As with most NumPy updates, there are performance improvements to several individual functions. There are only a few new features, but several backward-incompatible changes, including a change to NumPy's numeric-promotion rules. Changes to the Python API require relatively minor changes to Python code using the library, but the changes to the C API may be more difficult to adapt to. In both cases, the official migration guide describes what needs to be adapted to the new version.

The kernel will not consent to execute just any file that happens to be sitting in a filesystem; there are formalities, such as the checking of execute permission and consulting security policies, to get through first. On some systems, security policies have been established to limit execution to specifically approved programs. But there are files that are not executed directly by the kernel; these include scripts fed to language interpreters like Python, Perl, or a shell. An attacker who is able to get an interpreter to execute a file may be able to bypass a system's security policies. Mickaël Salaün has been working on closing this hole for years; the latest attempt takes the form of a new flag to the execveat() system call.

Security updates have been issued by AlmaLinux (firefox, java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, libndp, openssh, qt5-qtbase, ruby, skopeo, and thunderbird), Debian (thunderbird), Fedora (dotnet6.0, httpd, python-django, python-django4.2, qt6-qtbase, rapidjson, and ruby), Red Hat (389-ds-base, firefox, java-1.8.0-openjdk, java-11-openjdk, libndp, qt5-qtbase, and thunderbird), Slackware (httpd), SUSE (apache2, chromium, and kernel), and Ubuntu (apache2, linux-aws, linux-azure-fde, linux-azure-fde-5.15, linux-hwe-5.15, linux-aws-6.5, linux-lowlatency-hwe-6.5, linux-oracle-6.5, linux-starfive-6.5, and linux-raspi, linux-raspi-5.4).

Jövő év augusztus után már nem fognak működni a goo.gl rövidített linkjei.