today's leftovers

Sunday 23rd of June 2019 02:25:29 AM
Misc
  • Google to Abandon Tablets in Favor of Chrome OS Laptops

    One reason that Google is moving away from tablets has to do with the fact that they are just not selling all that well.

  • Support for Jupyter notebooks has evolved in Cantor

    Hello everyone, it's been almost a month since my last post and there are a lot of changes that have been done since then.

    First, what I called the "minimal plan" is already done! Cantor can now load Jupyter notebooks and save the currently opened document in Jupyter format.

    Below you can see how one of the Jupyter notebooks I'm using for test purposes (I have mentioned them in a previous post) looks in Jupyter and in Cantor.

  • Will Thompson: Rebasing downstream translations

    At Endless, we maintain downstream translations for a number of GNOME projects, such as gnome-software, gnome-control-center and gnome-initial-setup.

    [...]

    Whenever we update to a new version of GNOME, we have to reconcile our downstream translations with the changes from upstream. We want to preserve our intentional downstream changes, and keep our translations for strings that don’t exist upstream; but we also want to pull in translations for new upstream strings, as well as improved translations for existing strings. Earlier this year, the translation-rebase baton was passed to me. My predecessor would manually reapply our downstream changes for a set of officially-supported languages, but unlike him, I can pretty much only speak English, so I needed something a bit more mechanical.

    I spoke to various people from other distros about this problem.1 A common piece of advice was to not maintain downstream translation changes: appealing, but not really an option at the moment. I also heard that Ubuntu follows a straightforward rule: once the translation for a string has been changed downstream, all future upstream changes to the translation for that string are ignored. The assumption is that all downstream changes to a translation must have been made for a reason, and should be preserved. This is essentially a superset of what we’ve done manually in the past.

    I wrote a little tool to implement this logic, pomerge. Its “rebase” mode takes the last common upstream ancestor, the last downstream commit, and a working copy with the newest downstream code. For each locale, for each string in the translation in the working copy, it compares the old upstream and downstream translations – if they differ, it merges the latter into the working copy.
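The rebase rule just described, worked through as an added example (this is not pomerge's own code, and the tiny .po parser, the catalog contents and the locale are constructed for illustration): three snapshots of one locale are compared string by string, and wherever the old upstream and old downstream translations differ, the downstream one is carried into the working copy; strings never touched downstream keep whatever the new upstream says.

```python
import re
from typing import Dict, List, Tuple

Catalog = Dict[str, str]  # msgid -> msgstr for one locale

# Toy parser: single-line msgid/msgstr pairs only (no plurals, no
# continuation lines, no header entry). Enough to drive the rule below.
_ENTRY = re.compile(r'^msgid "(.*)"\nmsgstr "(.*)"$', re.MULTILINE)


def parse_po(text: str) -> Catalog:
    return {m.group(1): m.group(2) for m in _ENTRY.finditer(text)}


def rebase(old_upstream: Catalog, old_downstream: Catalog, working: Catalog) -> Catalog:
    """For every string in the working copy, compare the old upstream and old
    downstream translations. If they differ, downstream changed it on purpose,
    so that translation wins. If they are equal (or downstream never had the
    string), the working copy keeps the newest upstream translation, which is
    how improved upstream translations flow in."""
    result = dict(working)
    for msgid in working:
        old_up = old_upstream.get(msgid)
        old_down = old_downstream.get(msgid)
        if old_down is not None and old_down != old_up:
            result[msgid] = old_down
    return result


def rebase_report(old_upstream: Catalog, old_downstream: Catalog,
                  working: Catalog) -> Tuple[Catalog, List[str]]:
    """Same merge, plus the sorted list of msgids where downstream overrode the working copy."""
    merged = rebase(old_upstream, old_downstream, working)
    overridden = sorted(m for m in working if merged[m] != working[m])
    return merged, overridden


# Constructed sample catalogs (fr locale); not real GNOME translations.
OLD_UPSTREAM_PO = """\
msgid "Welcome"
msgstr "Bienvenue"
msgid "Settings"
msgstr "Réglages"
msgid "Quit"
msgstr "Quitter"
"""

OLD_DOWNSTREAM_PO = """\
msgid "Welcome"
msgstr "Bienvenue chez Endless"
msgid "Settings"
msgstr "Réglages"
msgid "Quit"
msgstr "Quitter"
msgid "Set up Endless"
msgstr "Configurer Endless"
"""

# Working copy: newest downstream code, with translations as they arrived from
# new upstream ("Quit" was dropped upstream, "About" is new, "Settings" was
# improved, and the downstream-only string has no upstream translation).
WORKING_PO = """\
msgid "Welcome"
msgstr "Bienvenue"
msgid "Settings"
msgstr "Paramètres"
msgid "About"
msgstr "À propos"
msgid "Set up Endless"
msgstr ""
"""


def demo() -> Tuple[Catalog, List[str]]:
    return rebase_report(parse_po(OLD_UPSTREAM_PO),
                         parse_po(OLD_DOWNSTREAM_PO),
                         parse_po(WORKING_PO))


if __name__ == "__main__":
    merged, overridden = demo()
    for msgid, msgstr in merged.items():
        print(f"{msgid!r} -> {msgstr!r}")
    print("downstream translation kept for:", overridden)
```

Running it shows the four outcomes the rule produces: "Welcome" keeps the downstream wording, "Settings" picks up the improved upstream translation, "About" arrives untouched from upstream, and the downstream-only string gets its old downstream translation back instead of staying empty.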

  • GNOME 3.33.3 Released, Kernel Security Updates for RHEL and CentOS, Wine Developers Concerned with Ubuntu 19.10 Dropping 32-Bit Support, Bzip2 to Get an Update and OpenMandriva Lx 4.0 Now Available

    GNOME 3.33.3 was released yesterday. Note that this release is development code and is intended for testing purposes.

  • TenFourFox FPR15b1 available

    In honour of New Coke's temporary return to the market (by the way, I say it tastes like Pepsi and my father says it tastes like RC), I failed again with this release to get some sort of async/await support off the ground, and we are still plagued by issue 533. The second should be possible to fix, but I don't know exactly what's wrong. The first is not possible to fix without major changes because it reaches up into the browser event loop, but should be still able to get parsing and thus enable at least partial functionality from the sites that depend on it. That part didn't work either. A smaller hack, though, did make it into this release with test changes. Its semantics aren't quite right, but they're good enough for what requires it and does fix some parts of Github and other sites.

  • Cloudflare's random number generator, robotics data visualization, npm token scanning, and more news

    Is there such a thing as a truly random number? Internet security and services provider Cloudflare thinks so. To prove it, the company has formed The League of Entropy, an open source project to create a generator for random numbers.

    The League consists of Cloudflare and "five other organisations — predominantly universities and security companies." They share random numbers, using an open source tool called Drand (short for Distributed Randomness Beacon Daemon). The numbers are then "composited into one random number" on the basis that "several random numbers are more random than one random number." While the League's random number generator isn't intended "for any kind of password or cryptographic seed generation," Cloudflare's CEO Matthew Prince points out that if "you need a way of having a known random source, this is a really valuable tool."

OpenBSD Leftovers

  • OpenBSD Adds Initial User-Space Support For Vulkan

    Somewhat surprisingly, OpenBSD has added the Vulkan library and ICD loader support as their newest port. This new graphics/vulkan-loader port provides the generic Vulkan library and ICD support that is the common code for Vulkan implementations on the system. This doesn't enable any Vulkan hardware drivers or provide anything new that isn't available elsewhere, but it is rare to see Vulkan work among the BSDs. Also in ports are the related components: the SPIR-V headers and tools, glslang, and the Vulkan tools and validation layers.

  • SSH gets protection against side channel attacks

    Implementation-wise, keys are encrypted "shielded" when loaded and then automatically and transparently unshielded when used for signatures or when being saved/serialised.

    Hopefully we can remove this in a few years time when computer architecture has become less unsafe.

  • doas environmental security

    Ted Unangst (tedu@) posted to the tech@ mailing list regarding recent changes to environment handling in doas (in -current): [...]

Programming: PNG, AArch64, Python and Tor

  • Segfaults and Twitter monkeys: a tale of pointlessness
    For a few years in the 1990s, when PNG was just getting established as a Web image format, I was a developer on the libpng team. One reason I got involved is that the compression patent on GIFs was a big deal at the time. I had been the maintainer of GIFLIB since 1989; it was on my watch that Marc Andreesen chose that code for use in the first graphics-capable browser in ’94. But I handed that library off to a hacker in Japan who I thought would be less exposed to the vagaries of U.S. IP law. (Years later, after the century had turned and the LZW patents expired, it came back to me.) Then, sometime within a few years of 1996, I happened to read the PNG standard, and thought the design of the format was very elegant. So I started submitting patches to libpng and ended up writing the support for six of the minor chunk types, as well as implementing the high-level interface to the library that’s now in general use. As part of my work on PNG, I volunteered to clean up some code that Greg Roelofs had been maintaining and package it for release. This was “gif2png” and it was more or less the project’s official GIF converter.
  • AArch64 support for ELF Dissector
    After having been limited to maintenance for a while I finally got around to some feature work on ELF Dissector again this week, another side-project of mine I haven’t written about here yet. ELF Dissector is an inspection tool for the internals of ELF files, the file format used for executables and shared libraries on Linux and a few other operating systems. [...] ELF Dissector had its first commit more than six years ago, but it is still lingering around in a playground repository, which doesn’t really do it justice. One major blocker for making it painlessly distributable however are its dependencies on private Binutils/GCC API. Using the Capstone disassembler is therefore also a big step towards addressing that, now only the use of the demangler API remains.
  • Weekly Python StackOverflow Report: (clxxxiii) stackoverflow python report
  • denemo @ Savannah: Release 2.3 is imminent - please test.
  • Arguments | Another way to work with user inputs – Part 7
  • Call for setting up new obfs4 bridges

    BridgeDB is running low on obfs4 bridges and often fails to provide users with three bridges per request. Besides, we recently fixed a BridgeDB issue that could get an obfs4 bridge blocked because of its vanilla bridge descriptor: <https://bugs.torproject.org/28655>

    We therefore want to encourage volunteers to set up new obfs4 bridges to help censored users. Over the last few weeks, we have been improving our obfs4 setup guide which walks you through the process: <https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy>

Security: Windows, 'DevSecOps', SSH, Bash and More

  • Electronic Health Records at 26 Hospitals Hit by Two-Hour Outage [iophk: "Windows TCO"]

    Universal, which manages more than 350 health-care facilities in the U.S. and U.K., declined to specify the technical issues or say how many patient records were affected. The problem lasted for less than two hours and the affected hospitals have returned to normal operations, said Eric Goodwin, chief information officer of the King of Prussia, Pennsylvania-based company.

  • DevSecOps: 4 key considerations for beginners
    Security used to be the responsibility of a dedicated team in the last development stage, but with development cycles increasing in number and speed, security practices need to be constantly updated. This has led to the rise of DevSecOps, which emphasizes security within DevOps. Companies need DevSecOps to make sure their initiatives run safely and securely. Without DevSecOps, DevOps teams need to rebuild and update all their systems when a vulnerability is found, wasting time and effort.
  • OpenSSH to Keep Private Keys Encrypted at Rest in RAM
    A commit for the OpenSSH project adds protection for private keys in memory when they are not in use, making it more difficult for an adversary to extract them through side-channel attacks leveraging hardware vulnerabilities. OpenSSH is the most popular implementation of the SSH (Secure Shell) protocol, being the default solution in many Linux distributions for encrypting connections to a remote system.
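The shielding idea from the two OpenSSH items above (keys encrypted when loaded, transparently unshielded for each signature), shown as an added example that is not OpenSSH's code. Only the 16 KiB prekey size is taken from OpenSSH; the cipher here is a SHAKE-256 keystream standing in for its SHA-512-derived AES-CTR key, and the "private key" is constructed random bytes. The point it demonstrates: because the real key is derived from the entire prekey, an attacker who reads memory with even one bit error recovers nothing.

```python
import hashlib
import secrets
from typing import Callable

# OpenSSH uses a 16 KiB random "prekey" (size taken from OpenSSH; everything
# else below is a simplified stand-in for its construction).
PREKEY_BYTES = 16 * 1024


def _pad(prekey: bytes, length: int) -> bytes:
    # Stand-in for SHA-512(prekey) -> AES-CTR: a SHAKE-256 stream keyed by the
    # whole prekey, so a single flipped bit anywhere changes the entire pad.
    return hashlib.shake_256(prekey).digest(length)


class ShieldedKey:
    """Holds private key bytes encrypted at rest; plaintext exists only inside use()."""

    def __init__(self, secret: bytes) -> None:
        # One prekey protects exactly one secret; never reuse it for another,
        # since the pad is effectively a one-time pad.
        self._prekey = bytearray(secrets.token_bytes(PREKEY_BYTES))
        pad = _pad(bytes(self._prekey), len(secret))
        self._cipher = bytearray(a ^ b for a, b in zip(secret, pad))

    def _unshield(self) -> bytearray:
        pad = _pad(bytes(self._prekey), len(self._cipher))
        return bytearray(a ^ b for a, b in zip(self._cipher, pad))

    def use(self, fn: Callable[[bytes], object]):
        """Transparently unshield for one operation (e.g. signing), then wipe."""
        plain = self._unshield()
        try:
            return fn(bytes(plain))
        finally:
            for i in range(len(plain)):  # best effort: Python cannot guarantee zeroing
                plain[i] = 0


def recovery_with_bit_error(key: ShieldedKey, byte_index: int = 0) -> bytes:
    """What a memory-disclosure attacker gets when their copy of the prekey
    contains a single bit error: a pad derived from the wrong prekey."""
    leaked = bytearray(key._prekey)
    leaked[byte_index] ^= 0x01
    pad = _pad(bytes(leaked), len(key._cipher))
    return bytes(a ^ b for a, b in zip(key._cipher, pad))


def demo() -> dict:
    secret = secrets.token_bytes(32)  # constructed stand-in for a private key
    key = ShieldedKey(secret)
    return {
        "correct_use": key.use(lambda k: k == secret),                # True
        "at_rest_is_plaintext": bytes(key._cipher) == secret,          # False
        "bit_error_recovers": recovery_with_bit_error(key) == secret,  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats worth keeping in mind with this kind of scheme: the defence only raises the cost of a noisy, bit-error-prone read (the attacker must now get all 16 KiB exactly right instead of a few hundred bytes), and a language runtime that copies and garbage-collects byte strings, as Python does, cannot promise that the unshielded plaintext is gone once `use()` returns.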
  • OpenSSH adds protection against Spectre, Meltdown, Rowhammer and RAMBleed attacks
  • GNU Bash Unsupported Characters Heap-Based Buffer Overflow Vulnerability [CVE-2012-6711]
    A vulnerability in the lib/sh/strtrans.c:anicstr function of GNU Bash could allow an authenticated, local attacker to execute code on a targeted system. The vulnerability is due to buffer errors within the lib/sh/strtrans.c:anicstr function of the affected software. An attacker could exploit this vulnerability by providing print data through the echo built-in function. A successful exploit could allow the attacker to execute code on the targeted system. GNU Bash has confirmed this vulnerability and released a software patch.
  • Daily News Roundup: Malware in Your Pirated Software
    Researchers at ESET and Malwarebytes have discovered crypto mining malware hidden in pirated music production software.
  • A Method for Establishing Liability for Data Breaches
    Last month, the First American Financial Corporation—which provides title insurance for millions of Americans—acknowledged a cybersecurity vulnerability that potentially exposed 885 million private financial records related to mortgage deals to unauthorized viewers. These records might have revealed bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images to such viewers. If history is any guide, not much will happen and companies holding sensitive personal information on individuals will have little incentive to improve their cybersecurity postures. Congress needs to act to provide such incentives. The story is all too familiar, as news reports of data breaches involving the release of personal information for tens of millions of, or even a hundred million, Americans have become routine. A company (or a government agency) pays insufficient attention to cybersecurity matters despite warnings that the cybersecurity measures it takes are inadequate and therefore fails to prevent a breach that could be remediated by proper attention to such warnings. In the aftermath of such incidents, errant companies are required by law to report breaches to the individuals whose personal information has been potentially compromised. Frequently, these companies also offer free credit monitoring services to affected individuals for a year or two.

Enso OS, A Desktop Mix between Xubuntu and elementary OS

Enso OS is a relatively new GNU/Linux distro based on Ubuntu with XFCE desktop coupled with Gala Window Manager. Looking at Enso is like looking at a mix between Xubuntu and elementary OS. It features a Super key start menu called Panther and a global menu on its top panel, making the interface very interesting to try. This overview briefly highlights the user interface for you.

