Security

Security: Updates, DOD and Red Hat on "Security Hardening Rules"

Filed under
Red Hat
Security
  • Security updates for Thursday
  • Year-old router bug exploited to steal sensitive DOD drone, tank documents

    In May, a hacker perusing vulnerable systems with the Shodan search engine found a Netgear router with a known vulnerability—and came away with the contents of a US Air Force captain's computer. The purloined files from the captain—the officer in charge (OIC) of the 432d Aircraft Maintenance Squadron's MQ-9 Reaper Aircraft Maintenance Unit (AMU) at Creech Air Force Base, Nevada—included export-controlled information regarding Reaper drone maintenance.

  • Security Hardening Rules

    Many users of Red Hat Insights are familiar with the security rules we create to alert them about security vulnerabilities on their system, especially concerning high-profile issues such as Spectre/Meltdown or Heartbleed. In this post, I'd like to talk about the other category of security related rules, those related to security hardening.

    In all of the products we ship, we make a concerted effort to ship thoughtful, secure default settings to minimize the amount of configuration needed to do the work you want to do. With complex packages such as Apache httpd, however, every installation will require some degree of customization before it's ready for deployment to production, and with more complex configurations, there's a chance that a setting or the interaction between several settings can have security implications which aren't immediately evident. Additionally, sometimes systems are configured in a manner that aids rapid development, but those configurations aren't suitable for production environments.

    With our hardening rules, we detect some of the most common security-related configuration issues and provide context to help you understand the represented risks, as well as recommendations on how to remediate the issues.

Security: BGP Hijack Factory, IDN, Microsoft Windows Back Doors and Intel Defects

Filed under
Security
  • Shutting down the BGP Hijack Factory

    It started with a lengthy email to the NANOG mailing list on 25 June 2018: independent security researcher Ronald Guilmette detailed the suspicious routing activities of a company called Bitcanal, whom he referred to as a “Hijack Factory.” In his post, Ronald detailed some of the Portuguese company’s most recent BGP hijacks and asked the question: why Bitcanal’s transit providers continue to carry its BGP hijacked routes on to the global [I]nternet?

    This email kicked off a discussion that led to a concerted effort to kick this bad actor, who has hijacked with impunity for many years, off the [I]nternet.

  • Malformed Internationalized Domain Name (IDN) Leads to Discovery of Vulnerability in IDN Libraries

    The Punycode decoder is an implementation of the algorithm described in section 6.2 of RFC 3492. As it walks the input string, the Punycode decoder fills the output array with decoded code point values. The output array itself is typed to hold unsigned 32-bit integers while the Unicode code point space fits within 21 bits. This leaves a remainder of 11 unused bits that can result in the production of invalid Unicode code points if accidentally set. The vulnerability is enabled by the lack of a sanity check to ensure decoded code points are less than the Unicode code point maximum of 0x10FFFF. As such, for offending input, unchecked decoded values are copied directly to the output array and returned to the caller.

  • GandCrab ransomware adds NSA tools for faster spreading

    "It no longer needs a C2 server (it can operate in airgapped environments, for example) and it now spreads via an SMB exploit -- including on XP and Windows Server 2003 (along with modern operating systems)," Beaumont wrote in a blog post. "As far as I'm aware, this is the first ransomware true worm which spreads to XP and 2003 -- you may remember much press coverage and speculation about WannaCry and XP, but the reality was the NSA SMB exploit (EternalBlue.exe) never worked against XP targets out of the box."

  • Intel Discloses New Spectre Flaws, Pays Researchers $100K

    Intel disclosed a series of vulnerabilities on July 10, including new variants of the Spectre vulnerability the company has been dealing with since January.

    Two new Spectre variants were discovered by security researchers Vladimir Kiriansky and Carl Waldspurger, who detailed their findings in a publicly released research paper titled, "Speculative Buffer Overflows: Attacks and Defenses."

    "We introduce Spectre1.1, a new Spectre-v1 variant that leverages speculative stores to create speculative buffer overflows," the researchers wrote. "We also present Spectre 1.2: on CPUs that do not enforce read/write protections, speculative stores can overwrite read-only data and code pointers to breach sandboxes."

Security: Updates, GNU/Linux, Spectre and DRM

Filed under
Security
  • Security updates for Wednesday
  • Another Linux distro poisoned with malware

    Last time it was Gentoo, a hard-core, source-based Linux distribution that is popular with techies who like to spend hours tweaking their entire operating system and rebuilding all their software from scratch to wring a few percentage points of performance out of it.

  • Arch Linux AUR packages found to be laced with malware

    Three Arch Linux packages have been pulled from AUR (Arch User Repository) after they were discovered to contain malware. The PDF viewer acroread and two other packages that are yet to be named were taken over by a malicious user after they were abandoned by their original authors.

  • The return of Spectre

    The return of Spectre sounds like the next James Bond movie, but it's really the discovery of two new Spectre-style CPU attacks.

    Vladimir Kiriansky, a Ph.D. candidate at MIT, and independent researcher Carl Waldspurger found the latest two security holes. They have since published an MIT paper, Speculative Buffer Overflows: Attacks and Defenses, which goes over these bugs in great detail. Together, these problems are called "speculative execution side-channel attacks."

    These discoveries can't really come as a surprise. Spectre and Meltdown are a new class of security holes. They're deeply embedded in the fundamental design of recent generations of processors. To go faster, modern chips use a combination of pipelining, out-of-order execution, branch prediction, and speculative execution to run the next branch of a program before it's called on. This way, no time is wasted if your application goes down that path. Unfortunately, Spectre and Meltdown have shown the chip makers' implementations used to maximize performance have fundamental security flaws.

  • Mercury Security Introduces New Linux Intelligent Controller Line

    Mercury Security, a leader in OEM access control hardware and part of HID Global, announces the launch of its next-generation LP intelligent controller platform built on the Linux operating system.

    The new controllers are said to offer advanced security and performance, plus extensive support for third-party applications and integrations. The controllers are based on an identical form factor that enables seamless upgrades for existing Mercury-based deployments, according to the company.

  • Latest Denuvo Version Cracked Again By One Solo Hacker On A Personal Mission

    Denuvo is... look, just go read this trove of backlinks, because I've written far too many of these intros to be able to come up with one that is even remotely original. Rather than plagiarize myself, let me just assume that most of you know that Denuvo is a DRM that was once thought to be invincible but has since been broken in every iteration developed, with cracking times often now down to days and hours rather than weeks or months. Key in this post is that much if not most of the work cracking Denuvo has been done by a single person going by the handle Voksi. Voksi is notable not only for their nearly singlehandedly torpedoing the once-daunting Denuvo DRM, but also for their devotion to the gaming industry and developers that do things the right way, even going so far as to help them succeed.

    Well, Voksi is back in the news again, having once again defeated the latest build of Denuvo DRM.

  • Latest Denuvo Anti-Piracy Protection Falls, Cracker ‘Voksi’ On Fire

    The latest variant of the infamous Denuvo anti-piracy system has fallen. Rising crack star Voksi is again the man behind the wheel, defeating protection on both Puyo Puyo Tetris and Injustice 2. The Bulgarian coder doesn't want to share too many of his secrets but informs TorrentFreak that he won't stop until Denuvo is a thing of the past, which he hopes will be sooner rather than later.

Chrome 67 to Counter Spectre on Mac, Windows, Linux, Chrome OS via Site Isolation

Filed under
Google
Security
  • Chrome 67 to Counter Spectre on Mac, Windows, Linux, Chrome OS via Site Isolation

    The Spectre and Meltdown vulnerabilities, discovered earlier this year, caught everyone off guard including hardware and software companies. Since then, several vendors have patched them, and today, Google Chrome implemented measures to protect the browser against Spectre. The exploit uses a feature found in most CPUs to access parts of memory that should be off-limits to a piece of code and potentially discover the values stored in that memory. Effectively, this means that untrustworthy code may be able to read any memory in its process’s address space. In theory, a website could use such an attack to steal information from other websites via malicious JavaScript code. Google Chrome is implementing a technique known as site isolation to prevent any future Spectre-based attacks from leaking data.

  • Google Chrome is getting a Material Design revamp – here’s how to test the new features

    Google has been promising a Material Design revamp of its desktop Chrome web browser for quite some time – and now we have our first look.

    An update to the experimental Chrome Canary browser on Windows, Linux and Mac, offers a preview of what we can expect when Google builds the changes into the main browser later this year.

  • Google Chrome Gets A Big Material Design Makeover, Here's How To Try It On Windows, Linux And macOS

    Google's dominant Chrome web browser is set to receive a big Material Design makeover later this year. However, if you want to give it a try right now, you can do so by downloading the latest build of Chrome Canary. For those not in the know, Canary is the developmental branch of Chrome where new features are tested before they roll out widely to the public.

    As you can see in the image below, this is a total revamp of the browser, with a completely new address bar and look for the tabs interface. Tabs have a more rounded shape and colors have been refreshed through the UI.

  • Chrome 67 features Site Isolation to counter Spectre on Mac, Windows, Linux, Chrome OS

    Following the disclosure of Spectre and Meltdown CPU vulnerabilities earlier this year, the entire tech industry has been working to secure devices. In the current stable version of Chrome, Google has widely rolled out a security feature called Site Isolation to protect desktop browsers against Spectre.

Security: D-Link, DOD, and GNU/Linux

Filed under
Security

Security: SELinux, Dirk Hohndel, Gentoo, Arch Linux AUR Package Repository

Filed under
Security
  • Lukas Vrabec: Why do you see DAC_OVERRIDE SELinux denials?
  • With So Many Eyeballs, Is Open Source Security Better? [Ed: Ask a FOSS company. Not VMware. VMware puts back doors in its proprietary software blobs.]

    Back in 1999, Eric Raymond coined the term "Linus' Law," which stipulates that given enough eyeballs, all bugs are shallow.

    Linus' Law, named in honor of Linux creator Linus Torvalds, has for nearly two decades been used by some as a doctrine to explain why open source software should have better security. In recent years, open source projects and code have experienced multiple security issues, but does that mean Linus' Law isn't valid?

    According to Dirk Hohndel, VP and Chief Open Source Officer at VMware, Linus' Law still works, but there are larger software development issues that impact both open source as well as closed source code that are of equal or greater importance.

  • The aftermath of the Gentoo GitHub hack [Ed: What a bad choice of password leads to.]

    Late last month (June 28), the Gentoo GitHub repository was attacked after someone gained control of an admin account. All access to the repositories was soon removed from Gentoo developers. Repository and page content were altered. But within 10 minutes of the attacker gaining access, someone noticed something was going on, 7 minutes later a report was sent, and within 70 minutes the attack was over. Legitimate Gentoo developers were shut out for 5 days while the dust settled and repairs and analysis were completed.

  • New Variant of Spectre Security Flaw Discovered: Speculative Buffer Overflows

    Security researchers Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) have published a paper to disclose a new variant of the infamous Spectre security vulnerability, which creates speculative buffer overflows.

    In their paper, the two security researchers explain the attacks and defenses for the new Spectre variant they discovered, which they call Spectre1.1 (CVE-2018-3693), a new variant of the first Spectre security vulnerability unearthed earlier this year and later discovered to have multiple other variants.

    The new Spectre flaw leverages speculative stores to create speculative buffer overflows. Similar to the classic buffer overflow security flaws, the new Spectre vulnerability is also known as "Bounds Check Bypass Store" or BCBS to distinguish it from the original speculative execution attack.

  • AT&T acquires open-source threat intelligence firm

    As AT&T continues down its network virtualization efforts using the open-source Open Networking Automation Platform (ONAP), the operator has acquired cybersecurity firm AlienVault, which uses open-source software to provide what the companies call “threat intelligence.” Financial details of the transaction were not disclosed; AT&T expects the deal to close in Q3 this year.

  • Malware Found in Arch Linux AUR Package Repository

    Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages.

    The malicious code has been removed thanks to the quick intervention of the AUR team.

  • Amateur bid to add code to Arch Linux packages found and squashed

Security: Updates, SELinux, Fobs, PoS, TimeHop, AUR

Filed under
Security
  • Security updates for Tuesday
  • Fun with DAC_OVERRIDE and SELinux
  • Why you might want to wrap your car key fob in foil

    Given that the best way to store your car keys at night is by putting them in a coffee can, what's an ex-FBI agent's advice to protect cars from theft during the day?

    Wrap car fobs in aluminum foil.

    [...]

    He held up his fob and said, “This should be something we don’t need to wrap with foil. It’s 2018. Car companies need to find a way so no one can replicate the messages and the communication between the key and the vehicle.”

    [...]

    While auto industry engineers know a lot about traditional safety, quality, compliance and reliability challenges, cyber is an “adaptive adversary,” said Faye Francy, executive director of the nonprofit Automotive Information Sharing and Analysis Center, which specializes in cybersecurity strategies. “Automakers are starting to implement security features in every stage of design and manufacturing. This includes the key fob.”

  • Crooks install skimmer on point-of-sale machine in 2 seconds
  • Facebook add-on TimeHop has been pwned by hackers [sic]

    The big problem doesn't affect UK users, but will be making our US cousins sweat - phone numbers were leaked. TimeHop recommends adding a PIN to your phone account because if abused, this could be used for identity theft - starting with, but not limited to, porting the number without permission.

  • Arch Linux AUR Repository Found to Contain Malware

    The Arch Linux user-maintained software repository called AUR has been found to host malware. The discovery was made after a change in one of the package installation instructions was made. This is yet another incident that showcases that Linux users should not explicitly trust user-controlled repositories.

  • Malware found in the Arch Linux AUR repository

    Here's a report in Sensors Tech Forum on the discovery of a set of hostile packages in the Arch Linux AUR repository system. AUR contains user-contributed packages, of course; it's not a part of the Arch distribution itself.

KDE Plasma bugfix release 5.12.6 is now available for Kubuntu 18.04 LTS

Filed under
KDE
Security

The Kubuntu Community is pleased to announce that KDE Plasma 5.12.6, the latest bugfix release for Plasma 5.12, was made available for Kubuntu 18.04 LTS (the Bionic Beaver) users via normal updates.

The full changelog for 5.12.6 contains scores of fixes, including fixes and polish for Discover and the desktop.

These fixes should be immediately available through normal updates.

The Kubuntu team wishes users a happy experience with the excellent 5.12 LTS desktop, and thanks the KDE/Plasma team for such a wonderful desktop to package.


Also: Kubuntu 18.04 LTS Users Can Now Update to the KDE Plasma 5.12.6 LTS Desktop

Security: NotSoSecure, Security Keys, Reproducible Builds and Hyped Malware

Filed under
Security
  • Claranet Buys NotSoSecure

    Claranet, a managed service provider with services focused on western Europe and Brazil, has purchased NotSoSecure, a firm specializing in penetration testing and ethical hacker training.

    The purchase follows Claranet's 2017 acquisition of SEC-1, a security firm based in the United Kingdom. According to a Claranet statement announcing the purchase, the security acquisitions, together with the opening of a security operations center in Portugal, are part of the company's intention to increase their overall security services capabilities.

  • Firefox, Security Keys, U2F, and Google Advanced Protection

    Advanced Protection for Google Accounts uses a legacy web technology that is only partially supported in Firefox. Here is how you get started with physical security keys and extra protections for your Google Account in Firefox.

    [...]

    Before you can enroll in the Google Advanced Protection program, you must have at least two security keys at the ready. You can use the same keys for multiple Google Accounts, and even reuse the same keys with different U2F-enabled web services.

    You should keep a record of which of your keys are registered with which websites. If you lose a key or want to decommission one, you’ll need this record to know all the accounts you’ll need to update.

    You can use any FIDO U2F security keys as long as they’re compatible with your devices. Google recommends you get one regular key with USB as your backup token, and one mobile-capable with wireless Bluetooth and NFC as the primary key you carry around with you. Specifically, Google recommends the YubiKey U2F (USB) and either the Feitian Multipass (Bluetooth/NFC/USB) or YubiKey Neo (NFC/USB). Bluetooth is more compatible with a wider range of devices, but the Bluetooth capabilities require you to charge the key. NFC is less compatible with cheaper smartphones and other devices. However, neither NFC nor USB modes require you to charge the keys for them to operate.

  • Reproducible Builds: Weekly report #167
  • WellMess: This Go-based Malware Attacks Both Linux And Windows Machines [Ed: If the user actually needs to install it, then the threat is the user, not the program]

Malware Found On The Arch User Repository (AUR)

Filed under
Security

On June 7, an AUR package was modified with some malicious code, reminding Arch Linux users (and Linux users in general) that all user-generated packages should be checked (when possible) before installation.

AUR, or the Arch (Linux) User Repository contains package descriptions, also known as PKGBUILDs, which make compiling packages from source easier. While these packages are very useful, they should never be treated as safe, and users should always check their contents before using them, when possible. After all, the AUR webpage states in bold that "AUR packages are user produced content. Any use of the provided files is at your own risk."

The discovery of an AUR package containing malicious code proves this. acroread was modified on June 7 (it appears it was previously "orphaned", meaning it had no maintainer) by a user named "xeactor" to include a curl command that downloaded a script from a pastebin. The script then downloaded another script and installed a systemd unit to run that script periodically.


Also: Security updates for Monday


More in Tux Machines

Cloud-Native/Kubernetes/Container/OpenShift

  • 10 Key Attributes of Cloud-Native Applications
    Cloud-native platforms, like Kubernetes, expose a flat network that is overlaid on existing networking topologies and primitives of cloud providers. Similarly, the native storage layer is often abstracted to expose logical volumes that are integrated with containers. Operators can allocate storage quotas and network policies that are accessed by developers and resource administrators. The infrastructure abstraction not only addresses the need for portability across cloud environments, but also lets developers take advantage of emerging patterns to build and deploy applications. Orchestration managers become the deployment target, irrespective of the underlying infrastructure that may be based on physical servers or virtual machines, private clouds or public clouds. Kubernetes is an ideal platform for running contemporary workloads designed as cloud-native applications. It’s become the de facto operating system for the cloud, in much the same way Linux is the operating system for the underlying machines. As long as developers follow best practices of designing and developing software as a set of microservices that comprise cloud-native applications, DevOps teams will be able to package and deploy them in Kubernetes. Here are the 10 key attributes of cloud-native applications that developers should keep in mind when designing cloud-native applications.
  • Google Embraces New Kubernetes Application Standard
    Once an organization has a Kubernetes container orchestration cluster running, the next challenge is to get applications running. Google is now aiming to make it easier for organizations to deploy Kubernetes applications, through the Google Cloud Platform Marketplace. The new marketplace offerings bring commercial Kubernetes-enabled applications that can be run in the Google cloud, or anywhere else an organization wants. All a user needs to do is visit the GCP marketplace and click the Purchase Plan button to get started. "Once they agree to the terms, they'll find instructions on how to deploy this application on the Kubernetes cluster of their choice, running in GCP or another cloud, or even on-prem," Anil Dhawan, Product Manager, Google Cloud Platform, told ServerWatch. "The applications report metering information to Google for billing purposes so end users can get one single bill for their application usage, regardless of where it is deployed."
  • Challenges and Requirements for Container-Based Applications and Application Services
    Enterprises using container-based applications require a scalable, battle-tested, and robust services fabric to deploy business-critical workloads in production environments. Services such as traffic management (load balancing within a cluster and across clusters/regions), service discovery, monitoring/analytics, and security are a critical component of an application deployment framework. This blog post provides an overview of the challenges and requirements for such application services.

Software: Music Tagger MusicBrainz, Pulseaudio, COPR, AV1

  • Music Tagger MusicBrainz Picard 2.0 Ported To Python 3 And PyQt5, Brings Improved UI And More
    MusicBrainz Picard version 2.0 was released after more than 6 years since the previous major release (1.0). The new version was ported to Python 3 and PyQt5 and includes Retina and HiDPI support, improved UI and performance, as well as numerous bug fixes. [...] MusicBrainz Picard 2.0 was ported to Python 3 (requires at least version 3.5) and PyQt5 (>= 5.7). The release announcement mentions that a side effect of this is that "Picard should look better and in general feel more responsive". Also, many encoding-related bugs were fixed with the transition to Python 3, like the major issue of not supporting non-UTF8 filenames.
  • Pulseaudio: the more things change, the more they stay the same
    Such a classic Linux story. For a video I'll be showing during tonight's planetarium presentation (Sextants, Stars, and Satellites: Celestial Navigation Through the Ages, for anyone in the Los Alamos area), I wanted to get HDMI audio working from my laptop, running Debian Stretch. I'd done that once before on this laptop (HDMI Presentation Setup Part I and Part II) so I had some instructions to follow; but while aplay -l showed the HDMI audio device, aplay -D plughw:0,3 didn't play anything and alsamixer and alsamixergui only showed two devices, not the long list of devices I was used to seeing. Web searches related to Linux HDMI audio all pointed to pulseaudio, which I don't use, and I was having trouble finding anything for plain ALSA without pulse. In the old days, removing pulseaudio used to be the cure for practically every Linux audio problem. But I thought to myself, It's been a couple years since I actually tried pulse, and people have told me it's better now. And it would be a relief to have pulseaudio working so things like Firefox would Just Work. Maybe I should try installing it and see what happens.
  • 4 cool new projects to try in COPR for July 2018
    COPR is a collection of personal repositories for software that isn’t carried in Fedora. Some software doesn’t conform to standards that allow easy packaging. Or it may not meet other Fedora standards, despite being free and open source. COPR can offer these projects outside the Fedora set of packages. Software in COPR isn’t supported by Fedora infrastructure or signed by the project. However, it can be a neat way to try new or experimental software. Here’s a set of new and interesting projects in COPR.
  • SD Times Open-Source Project of the Week: AV1
    Open source supporters and companies are teaming up to offer the next generation of video delivery. The Alliance for Open Media (AOMEDIA) is made up of companies like Mozilla, Google, Cisco, Amazon and Netflix, and on a mission to create an open video format and new codec called AV1. In a blog post about the AOMedia Video, or AV1, video codec, Mozilla technical writer Judy DeMocker laid out the numbers; within the next few years, video is expected to account for over 80 percent of Internet traffic. And unbeknownst to many, all of that free, high-quality video content we’ve come to expect all across the Internet costs quite a bit for the people providing it via codec licensing fees. The most common, H.264, is used all over the place to provide the compression required to send video quickly and with quality intact.

KDE and GNOME: Kubuntu 18.04 Reviewed, Akademy, Cutelyst and GUADEC

  • Kubuntu 18.04 Reviewed in Linux ( Pro ) Magazine
    Kubuntu Linux has been my preferred Linux distribution for more than 10 years. My attraction to the KDE desktop and associated application set, has drawn from Kubuntu user, to a tester, teacher, developer, community manager and councilor. I feel really privileged to be part of, what can only be described as, a remarkable example of the free software, and community development of an exceptional product. This latest release 18.04, effectively the April 2018 release, is a major milestone. It is the first LTS Long Term Support release of Kubuntu running the “Plasma 5” desktop. The improvements are so considerable, in both performance and modern user interface ( UI ) design, that I was really excited about wanting to tell the world about it.
  • Going to Akademy
    Happy to participate in a tradition I’ve admired from afar but never been able to do myself… until this year. My tickets are bought, my passport is issued, and I’m going to Akademy! Hope to see you all there!
  • System76's New Manufacturing Facility, Ubuntu 17.10 Reaches End of Life, Google Cloud Platform Marketplace, Stranded Deep Now Available for Linux and Cutelyst New Release
    Cutelyst, a C++ web framework based on Qt, has a new release. The update includes several bug fixes and some build issues with buildroot. See Dantti's Blog for all the details. Cutelyst is available on GitHub.
  • GUADEC 2018 Videos: Help Wanted
    At this year’s GUADEC in Almería we had a team of volunteers recording the talks in the second room. This was organized very last minute as initially the University were going to do this, but thanks to various efforts (thanks in particular to Adrien Plazas and Bin Li) we managed to record nearly all the talks. There were some issues with sound on both the Friday and Saturday, which Britt Yazel has done his best to overcome using science, and we are now ready to edit and upload the 19 talks that took place in the 2nd room. To bring you the videos from last year we had a team of 5 volunteers from the local team who spent our whole weekend in the Codethink offices. (Although none of us had much prior video editing experience so the morning of the first day was largely spent trying out different video editors to see which had the features we needed and could run without crashing too often… and the afternoon was mostly figuring out how transitions worked in Kdenlive).
  • GUADEC 2018
    This year I attended my second GUADEC in beautiful Almería, Spain. As with the last one I had the opportunity to meet many new people from the extended GNOME community which is always great and I can’t recommend it enough for anybody involved in the project. [...] Flatpak continues to have a lot of healthy discussions at these events. @matthiasclasen made a post summarizing the BoF so check that out for the discussions of the soon landing 1.0 release. So lets start with the Freedesktop 18.07 (date based versioning now!) runtime which is in a much better place than 1.6 and will be solving lots of problems such as multi-arch support and just long term maintainability. I was really pleased to see all of the investment in BuildStream and the runtime from CodeThink which is really needed in the long term.

Red Hat and Fedora