Hírolvasó

Readers have been pointing us to HashiCorp's announcement that it is moving to its own "Business Source License" for some of its (formerly) open-source products. Like other companies (example) that have taken this path, HashiCorp is removing the freedom to use its products commercially in ways that it sees as competitive. This is, in a real sense, an old and tiresome story.

The lessons to be drawn from this change are old as well. One is to beware of depending on any platform, free or proprietary, that is controlled by a single company. It is a rare company that will not try to take advantage of that control at some point.

The other is to beware of contributor license agreements. HashiCorp's agreement used to read that it existed "to ensure that our projects remain licensed under Free and Open Source licenses"; the current version doesn't say that anymore. But both versions give HashiCorp the right to play exactly this kind of game with any code contributed by outsiders. Developers who were contributing to a free-software project will now have their code used in a rather more proprietary setting. When a company is given the right to take somebody else's code proprietary, many of them will eventually make use of that right.

The call for topics for the Linux Kernel Maintainers Summit went out on August 15; one proposed topic has generated some interesting discussion about security-bug reporting for the kernel. A recent patch to the kernel's documentation about how to report security bugs recommends avoiding posting to the linux-distros mailing list because its goals and rules do not mesh well with kernel security practices. That led Jiri Kosina to suggest a discussion on security reporting, especially with regard to Linux distributions.

The 6.4.11, 6.1.46, 5.15.127, 5.10.191, 5.4.254, 4.19.292, and 4.14.323 stable kernels have all been released; each contains another set of important fixes.

On August 16, 1993, Ian Murdock announced a new distribution to the comp.os.linux.development Usenet newsgroup:

This is just to announce the imminent completion of a brand-new Linux release, which I'm calling the Debian Linux Release. This is a release that I have put together basically from scratch; in other words, I didn't simply make some changes to SLS and call it a new release. I was inspired to put together this release after running SLS and generally being dissatisfied with much of it, and after much altering of SLS I decided that it would be easier to start from scratch. The base system is now virtually complete (though I'm still looking around to make sure that I grabbed the most recent sources for everything), and I'd like to get some feedback before I add the "fancy" stuff.

After 30 years, Debian is still going strong.

The Debian project has added the LoongArch architecture to its ports collection.

After an initial manual bootstrap of roughly 200 packages, two buildds are now building packages for the newly added "loong64" port with the help of qemu-user. After enough packages have been built for the port to be self-hosting, we're planning to replace these two buildds with real hardware hosted at Loongson.

Security updates have been issued by Debian (datatables.js and openssl), Fedora (ghostscript, java-11-openjdk, java-latest-openjdk, microcode_ctl, and xen), Red Hat (redhat-ds:11), SUSE (java-1_8_0-openj9, kernel, krb5, pcre2, and perl-HTTP-Tiny), and Ubuntu (gstreamer1.0, mysql-8.0, tiff, and webkit2gtk).

"Subinterpreters", which are separate Python interpreters running in the same process that can be created using the C API, have been a part of Python since the previous century (version 1.5 in 1997), but they are largely unknown and unused. Eric Snow has been on something of a quest, since 2015 or so, to bring better multicore processing to Python by way of subinterpreters (or "multiple interpreters"). He has made it part of the way there, with the adoption of a separate global interpreter lock (GIL) for each subinterpreter, which was added for Python 3.12. Back in April, Snow gave a talk (YouTube video) at PyCon about multiple interpreters, their status, and his plans for the feature in the future.

Version 5.0 ("Daedalus") of the Debian-based Devuan distribution has been released. "This is the result of many months of painstaking work by the Team and detailed testing by the wider Devuan community." The announcement lists a couple of new features but mostly defers to the Debian 12 ("bookworm") release notes.

The 2023 Maintainers Summit will be held on November 16 in Richmond, VA, immediately after the Linux Plumbers Conference.

As in previous years, the Maintainers Summit is invite-only, where the primary focus will be process issues around Linux Kernel Development. It will be limited to 30 invitees and a handful of sponsored attendees.

The call for topics has just gone out, with the first invitations to be sent within a couple of weeks or so.

Security updates have been issued by Debian (samba), Red Hat (.NET 6.0, .NET 7.0, rh-dotnet60-dotnet, rust, rust-toolset-1.66-rust, and rust-toolset:rhel8), and SUSE (kernel and opensuse-welcome).

A CISA szövetséges nemzetek kiberbiztonsági ügynökségeivel közösen tájékoztatást adott a 2022 során leggyakrabban kihasznált sérülékenységekről.

The post Ezek voltak a legtöbbször kihasznált sérülékenységek 2022-ben first appeared on Nemzeti Kibervédelmi Intézet.

Python fejlesztők figyelmébe: az urllib.parse könyvtár 3.11 előtti verziói távoli kódfuttatást (RCE) tehetnek lehetővé illetéktelenek számára.

The post Súlyos Python hibáról érkezett figyelmeztetés first appeared on Nemzeti Kibervédelmi Intézet.

For those who find the 6.x kernel intimidating, Seiya Nuta has written a look at the 0.01 kernel, which reflects a simpler time.

By the way, there's an interesting comment about the scheduler:

* 'schedule()' is the scheduler function. This is GOOD CODE! There * probably won't be any reason to change this, as it should work well * in all circumstances (ie gives IO-bound processes good response etc).

Yes it's indeed good code. Unfortunately (or fortunately), this prophecy is false. Linux became one of most practical and performant kernel which has introduced many new scheduling improvements and algorithms over the years, like Completely Fair Scheduler (CFS).

The Linux fast user-space mutex ("futex") subsystem debuted with the 2.6.0 kernel; it provides a mechanism that can be used to implement user-space locking. Since futexes avoid calling into the kernel whenever possible, they can indeed be fast, especially in the uncontended case. The API used to access futexes has never been seen as one of Linux's strongest points, though, so there has long been a desire to improve it. This patch series from Peter Zijlstra shows what the future of futexes may look like.

Security updates have been issued by Debian (gst-plugins-ugly1.0, libreoffice, linux-5.10, netatalk, poppler, and sox), Fedora (chromium, ghostscript, java-1.8.0-openjdk-portable, java-11-openjdk, java-11-openjdk-portable, java-17-openjdk-portable, java-latest-openjdk-portable, kernel, linux-firmware, mingw-python-certifi, ntpsec, and php), Oracle (.NET 6.0, .NET 7.0, 15, 18, bind, bind9.16, buildah, cjose, curl, dbus, emacs, firefox, go-toolset and golang, go-toolset:ol8, grafana, iperf3, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, libcap, libeconf, libssh, libtiff, libxml2, linux-firmware, mod_auth_openidc:2.3, nodejs, nodejs:16, nodejs:18, open-vm-tools, openssh, postgresql:12, postgresql:13, python-requests, python27:2.7, python3, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, ruby:2.7, samba, sqlite, systemd, thunderbird, virt:ol and virt-devel:rhel, and webkit2gtk3), SUSE (docker, java-1_8_0-openj9, kernel, kernel-firmware, libyajl, nodejs14, openssl-1_0_0, poppler, and webkit2gtk3), and Ubuntu (golang-yaml.v2, intel-microcode, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-oem-6.1, pygments, and pypdf2).

A zsarolósvírusokról hírhedt Clop csoport torrenteket használ a MOVEit támadások során ellopott adatok kiszivárogtatására. Az aktorok május 27-től adatlopási támadások hullámát indították el, kihasználva a MOVEit Transfer nulladik napi sebezhetőségét, amelynek következtében közel 600 szervezettől tudtak adatokat lopni az észlelések előtt. Június 14-én kezdték el zsarolni az áldozataikat, majd lassan elkezdték a Tor oldalukon közzétenni […]

The post A Clop torrentet használ a gyorsabb adatszivárogtatásra first appeared on Nemzeti Kibervédelmi Intézet.

The 6.5-rc6 kernel prepatch is out for testing.

So apart from the regularly scheduled hardware mitigation patches, everything looks fairly normal. And I guess the hw mitigation is to be considered normal too, apart from the inevitable fixup patches it then causes because the embargo keeps us from testing it widely and keeps it from all our public automation. Sigh.

LWN recently covered a discussion on file-position locking that demonstrated the hazards that can result from unexpected concurrency. It turns out that this discussion had not yet fully run its course. Since that article was written, additional changes intended to address a performance regression evolved into a core virtual filesystem (VFS) layer API change to carry out some much-delayed housecleaning.

Greg Kroah-Hartman has announced the release of the 6.4.10, 6.1.45, 5.10.190, 5.4.253, 4.19.291, and 4.14.322 stable kernels. Note that 5.15.126 was also in the review process for this batch, but has not (yet) been released. Meanwhile, the rest of the batch all have important fixes throughout the kernel tree, as usual.

Update: the 5.15.126 announcement has now gone out as well.