Leftovers: OSS and Sharing/Transparency
Open sourcing of data for Geographical Information System (GIS) mapping will create a huge potential for employment and transparency in administration, secretary of OSGEO-India V. Ravi Kumar has said.
Proprietary software for GIS costs up to Rs. .30 lakh. Instead, utilising tools developed using open software and training youth would help in creating employment locally, he said. Money will be spent on those working using GIS but not for the software, he said.
After the revision of Genode's most fundamental protocols in the previous release, it was time to move our attention up the software stack. The current release largely revisits the integration of the C runtime with the Genode component API as well as the virtual-file-system (VFS) infrastructure. The two biggest challenges were making Genode's VFS capable of performing I/O asynchronously, and making the C runtime compatible with the state-machine-based execution model of modern Genode components. This line of work is described in detail in Sections Enhanced VFS infrastructure and New execution model of the C runtime. One particularly exciting result is the brand-new ability to plug the Linux TCP/IP stack as a VFS plugin into any libc-using component by the sole means of component configuration.
Genode OS 17.02 has been released today as the latest version of this open-source operating system framework.
Accomplished for Genode OS 17.02 were ABI improvements, a much better virtual file-system (VFS) implementation, new input event processing capabilities, and a dynamic component-composition engine.
heads 0.0 is a preview live CD of what heads is going to be about. This release is not intended to be used from a security point of view, but as a showcase and for testing.
I am not even completely sure everything is torified, but hey, that's what testing is for, no?
Denmark’s Agency for Digitisation (Digitaliseringsstyrelsen - DIGST) is inviting comments on its draft IT architecture for digitalisation of the public sector. The document sets out the IT principles for the country’s 33 digitisation initiatives.
Norway’s government procurement centre (ANS) and the Agency for Public Management and e-Government (Difi) are preparing the country’s first procurement frameworks related to IT. The first call, on telephony services, will be published in the next few days. The second call, for telephony and PC workstations, is expected around 24 April. Calls will be published on both Norway’s and Europe’s procurement portals, Doffin and Ted.
The 2017-2019 Open Government Action Plan is being prepared by the government modernisation unit (Secretariat-General for Government Modernisation, SGMAP). This week, on Tuesday, SGMAP is hosting a public workshop, where it will present a draft of the plan. The final text is expected in September.
Agriculture production data should be public and the open source movement should be the model for analysing it, according to the Open Agriculture initiative at MIT Media Lab.
This could involve making the data from every farming IoT sensor public - so you could use the climate data to understand how best to grow what and where, or use other IoT data points to trace where the food has come from across the whole supply chain.
Security News
The European Union Agency for Network and Information Security (ENISA) has published an updated version of its Smartphone Secure Development Guidelines. This document details the risks faced by developers of smartphone applications, and provides ways to mitigate them.
CloudLinux's Mykola Naugolnyi announced today the availability of a new Beta kernel for the CloudLinux 7 operating system series, which patches a recently discovered and critical security flaw.
Linux founder Linus Torvalds was warned in 2005 that the use of the SHA-1 hash to sign code in Linux and Git was insecure and urged to shift to something better protected, but rejected the advice outright.
Free software evangelist John Gilmore warned Torvalds ten years ago that "SHA1 has been broken; it's possible to generate two different blobs that hash to the same SHA1 hash".
Gilmore penned his warning to Torvalds in April 2005, when MD5 had already been cracked and SHA1 remained "hard to crack" - but still crackable.
You probably saw the news last week that researchers at Google had found a scenario where they were able to break the SHA1 algorithm by creating two PDF files with differing content that produced the same hash. If you are following this story then you may have also seen that the Webkit Subversion repository had problems after a user committed these example files to their repository so that they could be used in test cases for SHA1 collisions.
git-annex has never used SHA1 by default. But, there are concerns about SHA1 collisions being used to exploit git repositories in various ways. Since git-annex builds on top of git, it inherits its foundational SHA1 weaknesses. Or does it?
OpenSSH (really, are there any other implementations?) requires Trust on First Use for fingerprint verification.
Verification can be especially problematic when using remote services like VPS or colocation.
How can you trust that the initial connection isn’t being Man In The Middle’d?
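One answer to the question above is to compare the fingerprint the client shows on first connection with one obtained out of band (the provider's console, a serial console log, or the key file read from the disk image). The following is an added example, not code from the original post: it reproduces the SHA256 fingerprint format OpenSSH prints and compares it against an expected value. The ed25519 key used here is constructed from a fixed byte pattern so the script runs offline; it is not a real server's key.

```python
import base64
import hashlib
import hmac

# Constructed sample key material (32 fixed bytes), NOT a real host key.
SAMPLE_RAW_KEY = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """Encode bytes in SSH wire format: uint32 big-endian length, then data."""
    return len(data).to_bytes(4, "big") + data


def build_ed25519_pubkey_line(raw_key: bytes, comment: str = "constructed@example") -> str:
    """Assemble a public-key line in the form found in known_hosts / ssh-keyscan output."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def sha256_fingerprint(pubkey_line: str) -> str:
    """Compute the fingerprint OpenSSH shows (ssh-keygen -lf and the first-use prompt):
    'SHA256:' + base64 of the SHA-256 digest of the raw key blob, '=' padding stripped."""
    keytype, b64blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64blob)
    # The declared type and the type string inside the blob must agree.
    declared = keytype.encode()
    if blob[4:4 + len(declared)] != declared:
        raise ValueError("key type in text does not match key type in blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(pubkey_line: str, expected: str) -> bool:
    """Compare the key presented by the server against an out-of-band fingerprint.
    Uses a constant-time comparison so timing does not leak how many characters matched."""
    return hmac.compare_digest(sha256_fingerprint(pubkey_line), expected.strip())


if __name__ == "__main__":
    # Pretend this line came from `ssh-keyscan host` on first connection...
    presented = build_ed25519_pubkey_line(SAMPLE_RAW_KEY)
    # ...and this fingerprint was read from the provider's console beforehand.
    out_of_band = sha256_fingerprint(presented)
    print("presented key fingerprint:", sha256_fingerprint(presented))
    print("match:", fingerprint_matches(presented, out_of_band))

    # A substituted key (as a man-in-the-middle would present) must not match.
    substituted = build_ed25519_pubkey_line(bytes(31) + b"\x01")
    print("substituted key matches:", fingerprint_matches(substituted, out_of_band))
```

The fingerprint string produced here is byte-for-byte what `ssh-keygen -lf hostkey.pub` prints for the same key line, so the value read from a console can be pasted straight into `fingerprint_matches`. Only accept the host key, and let it be written to `known_hosts`, when the comparison returns true.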
NEARLY OF THE VULNERABILITIES THAT AFFECT Microsoft's Windows operating system could be mitigated through a little careful control.
Avecto, a security company, is the source of the latest revelation in this direction, and it says that 94 per cent of security problems could have been killed off if admin rights had been removed from the affected computer.
This makes a lot of sense, since a computer that cannot be molested by a user cannot be molested by a third party. 94 per cent is just one example of the differences that can be made and Avecto says that in the case of Internet Explorer 100 per cent of risks are mitigated when rights are removed.
This blog has featured several stories about “overlay” card and PIN skimmers made to be placed atop Ingenico-brand card readers at store self-checkout lanes. I’m revisiting the topic again because a security technician at a U.S.-based retailer recently shared a few photos of several of these devices pulled from compromised card terminals, and the images and his story offer a fair bit more detail than in previous articles.
Linux and Linux Foundation
It's going on five years since the call to deprecate FBDEV within the mainline Linux kernel, with various ongoing efforts to get more drivers to make use of the Direct Rendering Manager (DRM) rather than FBDEV. But with Linux 4.11, FBDEV still remains in place.
David Airlie sent in another pull request of DRM material for Linux 4.11, which follows last week's main DRM feature update for Linux 4.11.
GNOME News
We take a look at GNOME Night Light, a blue light filter that is included in the GNOME 3.24 desktop and adjusts the color temperature of the display.
As I mentioned in my previous post about the New Users Panel, we are happy to be able to include a new Printers panel in GNOME 3.24.
The Printers panel is also part of the GNOME Control Center redesign effort, which intends to introduce the new shell in 3.26.
Containerised applications solve these issues. Maybe. He mentioned Flatpak, snappy, and AppImage. The first of these is the oldest technology, dating all the way back to 2003. The solutions have in common that they bundle the app and run it in some kind of container or sandbox. By his criteria, the compatibility issue is solved, because the libraries are in the bundles. Portability is solved, because all dependencies are shipped in the bundle. And the pace of change is up to the app developer.
Almost four years ago, in GNOME 3.12, the ability to have custom terminal titles was removed from gnome-terminal. As is wont to happen, users who dealt with scores of similar looking terminal tabs and windows were quick to express their grief at this loss.
