Security: Patches, Reproducible Builds, Hijacking of Perl's Site

Filed under: Security
  • Security updates for Friday

    Security updates have been issued by Fedora (389-ds-base, dogtag-pki, dpdk, freeipa, isync, openvswitch, pki-core, and screen), Mageia (bind, chromium-browser-stable, gnome-autoar, jasper, openldap, openssl and compat-openssl10, screen, webkit2, and xpdf), Oracle (grub2), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, nodejs:10, and nodejs:12), SUSE (freeradius-server), and Ubuntu (wpa).

  • Reproducible Builds: Reproducible Builds in February 2021

    Welcome to the report from the Reproducible Builds project for February 2021. In our monthly reports, we try to outline the most important things that have happened in the world of reproducible builds. If you are interested in contributing to the project, though, please visit our Contribute page on our website.

    [...]

    A few days earlier, Eric Brewer, Rob Pike, Abhishek Arya, Anne Bertucio and Kim Lewandowski wrote a post on the Google Security Blog proposing an industry-wide framework they call “Know, Prevent, Fix” which aims to improve how the industry might think about vulnerabilities in open source software, including “Consensus on metadata and identity standards” and — more relevant to the Reproducible Builds project — “Increased transparency and review for critical software”...

  • The Hijacking of Perl.com

    For a week we lost control of the Perl.com domain. Now that the incident has died down, we can explain some of what happened and how we handled it. This incident only affected the domain ownership of Perl.com and there was no other compromise of community resources. This website was still there, but DNS was handing out different IP numbers.

    First, this wasn’t an issue of not renewing the domain. That would have been a better situation for us because there’s a grace period.

    Second, to be very clear, I’m just an editor for the website that uses the Perl.com domain. This means that I’m not actually the “injured party” in legal terms. Tom Christiansen is the domain registrant, and should legal matters progress, there’s no reason for me, nor anyone else, to know all of the details. However, I’ve talked to many of the people involved in the process.

More in Tux Machines

today's leftovers

  • What is Raspberry Pi 4 “Model B”? [Ed: I'm still waiting for them to formally apologise for going behind customers' backs, making secret deals with Microsoft to put Microsoft malware on all those devices]

    Raspberry Pi has conquered the world of SoC (System on a Chip). It has already garnered millions of followers since its release in 2012. Not only is it inexpensive, but it’s also versatile, modular, and multi-purpose. It has become popular not only as a credit-sized computer board but also as a controller in electronic, robotics, and IoT projects. The size, features, and price drive the popularity of the Pi, especially in the DIY community. To keep up with the current technological trends, the tiny board has undergone plenty of upgrades over the years, and there have been many varieties so it can cater to the needs and demands of its users. In 2019, the Raspberry Pi Foundation released the fourth generation of the multi-purpose board, the Raspberry Pi 4 B. It is the most powerful Pi to date, sporting huge upgrades from its predecessors. The compact board is touted to deliver a PC-level performance, and it didn’t disappoint.

  • Kentaro Hayashi: Grow your ideas for Debian Project

    There may be some "If it could be ..." ideas for the Debian Project. If an idea is concrete and worthwhile for moving things forward, it should become a proposal for Project Funding. [...] I'm not confident whether the mechanism works, but Debian needs change.

  • Sam Thursfield: Calliope, slowly building steam

    There are some interesting complexities to this, and in 12 hours of hacking I didn’t solve them all. Firstly, Bandcamp artist and album names are not normalized. Some artist names have spurious “The”, some album names have “(EP)” or “(single)” appended, so they don’t match your tags. These details are of interest only to librarians, but how can software tell the difference? The simplest approach is use Musicbrainz, specifically cpe musicbrainz resolve-ids. By comparing ids where possible we get mostly good results. There are many albums not on Musicbrainz, though, which for now turn up as false positives. Resolving Musicbrainz IDs is a tricky process, too — how do we distinguish Multi-Love (album) from Multi-Love (single) if we only have an album name? If you want to try it out, great! It’s still aimed at hackers — you’ll have to install from source with Meson and probably fix some bugs along the way. Please share the fixes!

  • Neovide Is A Graphical Neovim Client Written In Rust

    Neovide is a really cool GUI client for Neovim. Although it essentially functions like Neovim in the terminal, Neovide does add some nice graphical improvements such as cursor animations and smooth scrolling. It even has me thinking about making it my new "vim" alias.

Linux 5.11.13, 5.10.29, 5.4.111, 4.19.186, 4.14.230, 4.9.266, and 4.4.266

Get involved with Mageia, become a Packager

With Mageia 8 just released and development for Mageia 9 getting underway in Cauldron, the unstable branch of Mageia, now is a great time to get involved with packaging. We are starting to look at the features that we want to include for Mageia 9, and as it is so early in the development cycle, now is the time for major developments, or big updates to key pieces of software. This is a great time to join the project as you can propose features you would like to see, help to implement large changes or see how a distribution evolves through development, stabilisation and then is released. If there is an application that you are interested in, if you want to help maintain part of the distribution, or if you want to learn something new, there are many opportunities to do so with the packaging team.

Google does not want you to tell your players about your donation page

I recently updated Pixel Wheels' banner image on Google Play. That triggered a review of the game: shortly after the update I received a message telling me Pixel Wheels was "not compliant with Google Play Policies". What nefarious activity does the game engage in? Sneak on users? Mine bitcoins? [...] Meanwhile you can still get the game from F-Droid or itch.io, since they do not have a problem with a link to a donation page.