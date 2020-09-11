Security Leftovers
Ransomware to blame for nearly half the cyber-insurance claims filed in early 2020
Ransomware attacks were the cause of 41% of the cyber-insurance claims filed over the first six months of 2020, according to a report published by Coalition, a cyber-insurance vendor that compiled the data based on findings from 25,000 small and medium-sized companies in the U.S. and Canada. Coalition reported a 47% increase in the number of ransomware attacks, with the average size of the demand jumping by 46% over the time period in question.
Reproducible wheels at SecureDrop
SecureDrop workstation project's packages are reproducible. We use prebuilt wheels (built by us), along with GPG signatures to verify them, and install them using pip during the Debian package-building step. But the way we built those wheels (with the standard pip command), they were not reproducible.
To fix this problem, Jennifer Helsby (aka redshiftzero) built a tool, and the results are available at https://reproduciblewheels.com/. Every night her tool builds the top 100 packages plus our dependency packages on Debian Buster and verifies their reproducibility. She has a detailed write-up on the steps.
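The excerpt above says a standard pip wheel build was not reproducible without saying what actually differs between two builds of the same source. The following is an added example, not code from SecureDrop or from reproduciblewheels.com: it builds a wheel-shaped zip for a constructed toy package the naive way (entries in whatever order a directory walk returned them, every entry stamped with the build clock, file modes inherited from the umask) and then with the normalisations that make a wheel byte-for-byte reproducible (entries sorted, timestamps pinned to a SOURCE_DATE_EPOCH value, a fixed file mode), and diffs the two archives to name the field responsible for any divergence. The package files, timestamps, and all function names are constructed for this illustration and are not from the project.

```python
import base64
import hashlib
import io
import time
import zipfile

# Constructed stand-in for a tiny package's wheel payload (not a real project).
PACKAGE_FILES = {
    "example/__init__.py": b"__version__ = '1.0'\n",
    "example/core.py": b"def hello():\n    return 'hello'\n",
    "example-1.0.dist-info/METADATA": b"Metadata-Version: 2.1\nName: example\nVersion: 1.0\n",
}
RECORD_NAME = "example-1.0.dist-info/RECORD"


def record_lines(files):
    """PEP 427 RECORD: derived purely from content, so it never causes divergence by itself."""
    lines = []
    for name in sorted(files):
        digest = base64.urlsafe_b64encode(hashlib.sha256(files[name]).digest()).rstrip(b"=")
        lines.append(f"{name},sha256={digest.decode()},{len(files[name])}")
    return ("\n".join(lines) + "\n").encode()


def _add(zf, name, data, date_time, mode):
    """Write one entry with every header field set explicitly so nothing is left to the environment."""
    info = zipfile.ZipInfo(name, date_time=date_time)
    info.compress_type = zipfile.ZIP_DEFLATED   # zlib output is deterministic for equal input and level
    info.create_system = 3                      # claim "unix" regardless of the build host
    info.external_attr = mode << 16             # unix permission bits live in the high 16 bits
    zf.writestr(info, data)


def build_wheel_naive(files, build_time, order, umask_mode=0o644):
    """An unconstrained build: entry order from the directory walk, mtime from the wall clock,
    file mode from whatever umask the build ran under."""
    stamp = time.gmtime(build_time)[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            _add(zf, name, files[name], stamp, umask_mode)
        _add(zf, RECORD_NAME, record_lines(files), stamp, umask_mode)
    return buf.getvalue()


def build_wheel_reproducible(files, source_date_epoch):
    """Sorted entries, timestamp pinned to SOURCE_DATE_EPOCH, fixed mode.
    The zip format cannot store dates before 1980-01-01, so earlier epochs are clamped
    (the same clamp the `wheel` package applies)."""
    stamp = max(time.gmtime(source_date_epoch)[:6], (1980, 1, 1, 0, 0, 0))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            _add(zf, name, files[name], stamp, 0o644)
        _add(zf, RECORD_NAME, record_lines(files), stamp, 0o644)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def explain_difference(wheel_a, wheel_b):
    """Return (entry, reason) pairs saying why two wheel archives differ; [] means identical layout.
    This separates environment artefacts (mtime, order, mode) from a changed payload (content)."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(wheel_a)) as za, zipfile.ZipFile(io.BytesIO(wheel_b)) as zb:
        if za.namelist() != zb.namelist():
            reasons.append(("<archive>", "entry order or set differs"))
        for name in sorted(set(za.namelist()) & set(zb.namelist())):
            ia, ib = za.getinfo(name), zb.getinfo(name)
            if za.read(name) != zb.read(name):
                reasons.append((name, "content"))
            if ia.date_time != ib.date_time:
                reasons.append((name, "mtime"))
            if ia.external_attr != ib.external_attr:
                reasons.append((name, "file mode"))
    return reasons


if __name__ == "__main__":
    # Two naive builds two seconds apart, with a different walk order and umask (constructed values).
    a = build_wheel_naive(PACKAGE_FILES, 1_600_000_000, list(PACKAGE_FILES))
    b = build_wheel_naive(PACKAGE_FILES, 1_600_000_002, list(reversed(list(PACKAGE_FILES))), umask_mode=0o664)
    print("naive builds identical:", sha256_hex(a) == sha256_hex(b))
    for entry, why in explain_difference(a, b):
        print("   ", entry, why)
    # Same source in a different walk order, same SOURCE_DATE_EPOCH: identical bytes.
    c = build_wheel_reproducible(PACKAGE_FILES, 1_600_000_000)
    d = build_wheel_reproducible(dict(reversed(list(PACKAGE_FILES.items()))), 1_600_000_000)
    print("reproducible builds identical:", sha256_hex(c) == sha256_hex(d))
```

The diff logic is the part worth keeping in a CI job that rebuilds a vendored wheel and compares it with the one you sign: a bare hash mismatch only tells you something changed, while the per-entry reasons tell you whether you are looking at a clock, ordering or umask artefact or at a changed payload, which is the only case that should block a signature.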
New vulnerability fixes in Python 2.7 (and PyPy)
As you probably know (and aren't necessarily happy about it), Gentoo is actively working on eliminating Python 2.7 support from packages by the end of 2020. Nevertheless, we are going to keep the Python 2.7 interpreter much longer because of some build-time dependencies. While we do that, we consider it important to keep Python 2.7 as secure as possible.
The last Python 2.7 release was in April 2020. Since then, at least Gentoo and Fedora have backported the CVE-2019-20907 (infinite loop in tarfile) fix to it, mostly because the patch from Python 3 applied cleanly to Python 2.7. I've indicated that Python 2.7 may contain more vulnerabilities, and two days ago I finally got to audit it properly as part of bumping PyPy.
GNOME 3.37.92 Released

Hi,

The second release candidate for 3.38 is here! Remember this is the end of this development cycle; enjoy it as fast as you can, the final release is scheduled for this coming week!

The corresponding flatpak runtimes have been published to Flathub. If you'd like to target the GNOME 3.38 platform, you can test your application against the 3.38beta branch of the Flathub Beta repository.

You can also try the experimental VM image, available here for a limited time only (Note: if you use Boxes, you need a recent version (>= 3.37.90)):
https://gnome-build-meta.s3.amazonaws.com/3.37.92/gnome_os_installer.iso

We remind you we are string frozen: no string changes may be made without confirmation from the l10n team (gnome-i18n@) and notification to both the release team and the GNOME Documentation Project (gnome-doc-list@). Hard code freeze is also in place: no source code changes can be made without approval from the release-team. Translation and documentation can continue.

If you want to compile GNOME 3.37.92, you can use the official BuildStream project snapshot. Thanks to BuildStream's build sandbox, it should build reliably for you regardless of the dependencies on your host system:
https://download.gnome.org/teams/releng/3.37.92/gnome-3.37.92.tar.xz

The list of updated modules and changes is available here:
https://download.gnome.org/core/3.37/3.37.92/NEWS

The source packages are available here:
https://download.gnome.org/core/3.37/3.37.92/sources/

WARNING! WARNING! WARNING!
--------------------------
This release is a snapshot of development code. Although it is buildable and usable, it is primarily intended for testing and hacking purposes. GNOME uses odd minor version numbers to indicate development status.

For more information about 3.38, the full schedule, the official module lists and the proposed module lists, please see our colorful 3.38 page:
https://www.gnome.org/start/unstable

For a quick overview of the GNOME schedule, please see:
https://wiki.gnome.org/Schedule

Cheers,
Javier Jardón Cabezas
GNOME Release Team
