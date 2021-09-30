Kernel: PCLinuxOS Updates, EROFS-Utils 1.4, and More
Kernel Updates Available » PCLinuxOS
The following Kernels are available for PCLinuxOS. Kernel 5.15.4, Kernel 5.14.21 (EOL), Kernel LTS 5.10.81 and Kernel LTS 5.4.161.
EROFS-Utils 1.4 Adds Experimental FSCK, MicroLZMA Compression - Phoronix
EROFS-Utils as the collection of open-source user-space utilities for the read-only EROFS file-system is out with a big update.
EROFS continues maturing well since its original introduction two years ago by Huawei. This read-only file-system continues to be geared for use with Android and the needs of other embedded and container environments. Following the recent Linux 5.16 merge window where EROFS added LZMA/MicroLZMA compression support and other improvements, EROFS-Utils 1.4 is now available with the latest user-space utilities.
Linux has no fair-share scheduling that really works for compute servers
I was recently contacted by someone who has a small group of compute servers and wanted a simple way to do some sort of fair share scheduling for them, without the various overheads of an actual job allocation system like SLURM. This person was drawn to me because of my entry on how we do per-user CPU and memory resource limits on Ubuntu 18.04. Unfortunately the real answer to their questions is that you cannot really do useful resource management and fair-share scheduling of compute servers with only standard Linux facilities.
Kernel Karnage – Part 4 (Inter(ceptor)mezzo)
In the previous blogpost of this series, we combined the functionality of two drivers, Evilcli and Interceptor, to partially bypass $vendor2. In this post we took a closer look at Interceptor’s capabilities and future features that are in development. In the upcoming blogposts, we’ll see how Interceptor as a fully standalone driver is able to conquer not just $vendor2, but other EDR products as well.
Apple and Microsoft Leftovers
On CVE-2019-5021
A few years ago, it was discovered that the root account was not locked out in Alpine’s Docker images. This was not the first time that this was the case, an actually exploitable case of this was first fixed with a hotfix in 2015, but when the hotfix was replaced with appropriate use of /etc/securetty, the regression was inadvertently reintroduced for some configurations. It should be noted that I said some configurations there. Although CVE-2019-5021 was issued a CVSSv2 score of 9.8, in reality I have yet to find any Alpine-based docker image that is actually vulnerable to CVE-2019-5021. Of course, this doesn’t mean that Alpine shouldn’t have been locking out the root user on its minirootfs releases: that was a mistake, which I am glad was quickly rectified. Lately, however, there have been a few incidents involving CVE-2019-5021 involving less than honest actors in the security world. For example, a person named Donghyun Lee started mass-filing CVEs against Alpine-based images without actually verifying if the image was vulnerable or not, which Jerry Gamblin called out on Twitter last year. Other less than honest actors, have focused instead on attempting to use CVE-2019-5021 to sell their remediation solutions, implying a risk of vulnerability, where most likely none actually exists.
Claws Mail 4 in experimental
A full month has passed since Claws Mail 4.0.0 was uploaded to Debian experimental, and, somewhat surprisingly, I've received no bug report about it. This of course can be either because nobody has been brave enough to install it or because well, it works really nice. For those who don't know what I'm talking about, just note that this version is the first Debian upload for the GTK+3 version of Claws Mail. There was an initial upstream release, namely 3.99, but it was less polished and also I was very busy, so I decided not to upload it. Since then I've been using git's 'gtk3' branch daily without problems, so, for me, it's as stable as its GTK+2 counterpart. There's still some rough edges, of course.
Run your Ubuntu in US Government Clouds
In August 2016, the United States government announced a new federal source-code policy, which mandates that at least 20% of custom source code developed by or for any agency of the federal government must be released as open-source software (OSS). The memo of this policy also states that the Federal Government spends more than $6 billion each year on software through more than 42,000 transactions. Obviously, this is a huge business for all open-source developers. The question is “how can you get the business from the Federal Government?” The answer is FIPS. Federal Information Processing Standards (FIPS) are standards and guidelines for federal computer systems that are developed by National Institute of Standards and Technology (NIST). Certain federal-related applications are required to be FIPS compliant, and many non-government organizations also follow FIPS standards. Ubuntu Pro provides you with cryptographic packages that are tested and attested by atsec Information Security, a NIST accredited laboratory. And Google automatically encrypts traffic between VMs that travels between Google data centers using FIPS 140-2 validated encryption. Your workloads can easily be FIPS compliant if you properly deploy your workloads on Ubuntu Pro in Google Cloud. Ubuntu 18.04 Pro offers you two FIPS options: FIPS and FIPS-updates. Let’s SSH into your Ubuntu Pro virtual machine. If you haven’t yet upgraded your Ubuntu LTS to Ubuntu Pro, please follow this tutorial. In less than One Minute, you will be able to get your Ubuntu Pro machine without losing any of your mission-critical workloads. Also: History of Open Source Identity Management (part 2)
