
Brief items

Security

Security quotes of the week

What Apple has done here is really interesting. It’s common to trade security off for usability, and the results of that are all over Apple’s operating systems—and everywhere else on the Internet. What they’re doing with Lockdown Mode is the reverse: they’re trading usability for security. The result is a user experience with fewer features, but a much smaller attack surface. And they aren’t just removing random features; they’re removing features that are common attack vectors.

There aren’t a lot of people who need Lockdown Mode, but it’s an excellent option for those who do.

Bruce Schneier

But, as is characteristic of public goods, market participants lack incentives to correct this inefficiency. Companies can profit from open source without expending any resources to improve it. Psychologists call this the bystander effect. When multiple parties have the capacity to solve a problem, each individual party feels less responsibility to take action. Although securing this public good is in every company’s self-interest, very few companies want to be the ones to take on that burden. There is little reason to think the market will correct itself without intervention.

Researchers have called for targeted investments from government and consumers of open-source projects to fund more full-time maintainers for important projects and entities offering open-source security services for free. The open-source community has requested upstream contributions from its consumers—support in the form of code review and improvement. The open-source community is doing the best it can to maintain the large, critical projects the public relies on. To avoid open-source potholes, its developers need resources for sustained maintenance. Tax dollars fund public roads and bridges. Open source deserves the same support.

Chinmayi Sharma

Comments (3 posted)

Kernel development

Kernel release status

The current development kernel is 5.19-rc8, released on July 24. Linus said: "There's nothing really surprising in here - a few smaller fixups for the retbleed mess as expected, and the usual random one-liners elsewhere."

Stable updates: 5.15.56, 5.10.132, 5.4.207, 4.19.253, 4.14.289, and 4.9.324 were released on July 21, with 5.18.13 catching up one day later. 5.18.14, 5.15.57, and 5.10.133, consisting mainly of backported Retbleed mitigations, came out on July 24.

Comments (none posted)

Vetter: Locking Engineering Principles

Daniel Vetter offers some advice for developers of locking schemes in the kernel.

Validating locking by hand against all the other locking designs and nesting rules the kernel has overall is nigh impossible, extremely slow, something only few people can do with any chance of success and hence in almost all cases a complete waste of time. We need tools to automate this, and in the Linux kernel this is lockdep.

Therefore if lockdep doesn’t understand your locking design your design is at fault, not lockdep. Adjust accordingly.
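As an added illustration of the kind of check Vetter is pointing at (this is example code written for this page, not lockdep itself and not from Vetter's post): a single-context, userspace model that records which lock classes were held when each class was acquired, and flags any acquisition that would close a cycle in that graph. The lock names, the ABBA scenario and every helper here are constructed for the example; real lockdep also validates interrupt-safety, reader/writer locks and nesting subclasses, none of which is modelled.

```c
/* Added example (not kernel code): a toy model of the lock-ordering check
 * lockdep automates. It records, per lock *class*, which classes were held
 * when it was acquired, and flags any acquisition that would close a cycle
 * (an ABBA inversion) the first time the inverted path runs, with no second
 * thread and no actual deadlock required. */
#include <stdio.h>
#include <string.h>

#define MAX_CLASSES 16
#define MAX_HELD 16

static int after[MAX_CLASSES][MAX_CLASSES]; /* after[a][b]: a held while b taken */
static const char *class_name[MAX_CLASSES];
static int nclasses;
static int held[MAX_HELD];                   /* classes held by the simulated context */
static int nheld;

struct dep_lock { int cls; };

/* Register a lock under a named class; locks of one kind share a class. */
static int dep_init(struct dep_lock *l, const char *name)
{
    int i;
    for (i = 0; i < nclasses && strcmp(class_name[i], name) != 0; i++)
        ;
    if (i == nclasses) {
        if (nclasses == MAX_CLASSES)
            return -1;
        class_name[nclasses++] = name;
    }
    l->cls = i;
    return 0;
}

/* Depth-first search over after-edges: is 'to' reachable from 'from'? */
static int reachable(int from, int to, int *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int n = 0; n < nclasses; n++)
        if (after[from][n] && !seen[n] && reachable(n, to, seen))
            return 1;
    return 0;
}

/* Simulate acquiring l. Returns 1 if this contradicts an order already
 * recorded (l's class is known to precede a class currently held), else 0. */
static int dep_acquire(struct dep_lock *l)
{
    int bad = 0;
    for (int i = 0; i < nheld; i++) {
        int h = held[i], seen[MAX_CLASSES] = {0};
        if (reachable(l->cls, h, seen)) {
            bad = 1;
            fprintf(stderr, "order violation: %s acquired while holding %s, "
                    "but %s was previously taken before %s\n",
                    class_name[l->cls], class_name[h],
                    class_name[l->cls], class_name[h]);
        }
        after[h][l->cls] = 1;   /* record h -> l for later checks */
    }
    if (nheld < MAX_HELD)
        held[nheld++] = l->cls;
    return bad;
}

/* Simulate releasing l: drop its class from the held stack. */
static void dep_release(struct dep_lock *l)
{
    int i = nheld;
    while (i-- > 0 && held[i] != l->cls)
        ;
    if (i >= 0)
        memmove(&held[i], &held[i + 1], (--nheld - i) * sizeof held[0]);
}

/* Constructed scenario: path 1 takes inode_lock then page_lock, path 2 takes
 * them the other way round. Returns the number of flagged acquisitions: 1,
 * since only the second acquisition of path 2 closes a cycle. */
static int run_demo(void)
{
    struct dep_lock inode_lock, page_lock;
    int flagged = 0;
    dep_init(&inode_lock, "inode_lock");
    dep_init(&page_lock, "page_lock");
    flagged += dep_acquire(&inode_lock);   /* path 1: inode -> page */
    flagged += dep_acquire(&page_lock);
    dep_release(&page_lock);
    dep_release(&inode_lock);
    flagged += dep_acquire(&page_lock);    /* path 2: page -> inode, inverted */
    flagged += dep_acquire(&inode_lock);
    dep_release(&inode_lock);
    dep_release(&page_lock);
    return flagged;
}

int main(void)
{
    int n = run_demo();
    printf("%d ordering violation(s) detected\n", n);
    return n == 1 ? 0 : 1;
}
```

The point of the model is the one the quote makes: the inverted path is reported the first time it executes, on a single CPU, without the two paths ever racing. That is why a design that lockdep cannot express is a design problem rather than a tooling problem: a reviewer checking orderings by hand would need to enumerate every pair of paths, while the graph check is incremental and cumulative across the whole run.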

Comments (1 posted)

Distributions

Fedora to disallow CC0-licensed code

The Creative Commons CC0 license is essentially a public-domain declaration (or as close as is possible in jurisdictions that lack a public domain). The Fedora project has allowed the distribution of code under this license, but, as announced by Richard Fontana, that policy is changing and CC0 will no longer be allowed for code:

The reason for the change: Over a long period of time a consensus has been building in FOSS that licenses that preclude any form of patent licensing or patent forbearance cannot be considered FOSS. CC0 has a clause that says: "No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document."

Existing CC0-licensed packages may be grandfathered in, but that evidently has not yet been decided.

Comments (66 posted)

Development

Nethercote: Twenty years of Valgrind

Nicholas Nethercote marks the 20th anniversary of the Valgrind 1.0 release.

It’s both delightful and surreal to see that Valgrind is still in wide use today. Julian [Seward’s] original goal was to raise the bar when it came to correctness for C and C++ programs. This has clearly been a huge success. Memcheck has found countless bugs in countless programs, and is a standard part of the testing setup for many of them.

Comments (23 posted)

Miscellaneous

Debian.community domain name seized

The Debian project, Debian.ch, and Software in the Public Interest recently filed a WIPO action to take control of the "debian.community" domain name, which has been used by Daniel Pocock to attack the Debian project and its members. Red Hat had made a similar attempt to take control of WeMakeFedora.org earlier this year, but that attempt failed. The Debian action succeeded, though; on July 19, WIPO decided in favor of the action and ordered the domain name transferred. That domain name can no longer be used, but the attacks seem certain to continue.

Comments (27 posted)

Page editor: Jake Edge


Copyright © 2022, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds