[$] LWN.net Weekly Edition for May 16, 2024
16 mai 2024 à 03:01
The LWN.net Weekly Edition for May 16, 2024 is available.
Syed is known for her mission-driven leadership, focused on increasing transparency into the most powerful institutions in society. She comes to Mozilla after leading The Markup, an award-winning publication that challenges technology to serve the public good, from its launch through its successful acquisition in 2024.
In 2014, ESET researchers said the 2011 attack likely infected kernel.org servers with a second piece of malware they called Ebury. The malware, the firm said, came in the form of a malicious code library that, when installed, created a backdoor in OpenSSH that provided the attackers with a remote root shell on infected hosts with no valid password required. In a little less than 22 months, starting in August 2011, Ebury spread to 25,000 servers. Besides the four belonging to the Linux Kernel Organization, the infection also touched one or more servers inside hosting facilities and an unnamed domain registrar and web hosting provider.
Telemetry was added to create an aggregate count of searches by category to broadly inform search feature development."
So 6.9 is now out, and last week has looked quite stable (and the whole release has felt pretty normal)." Significant changes in this release include the ability to create pidfds for individual threads, the BPF arena subsystem, the BPF token security mechanism, truncate() support in io_uring, support for the Rust language on 64-bit Arm systems, weighted interleaving in the memory-management subsystem, the device-mapper virtual data optimizer target, initial FUSE passthrough support, and more. See the LWN merge-window summaries (part 1, part 2) for more information.
For example, when Go 1.20 deprecated math/rand's Read, we heard from developers who discovered (thanks to tooling pointing out use of deprecated functionality) they had been using it in places where crypto/rand's Read was definitely needed, like generating key material. Using Go 1.20, that mistake is a serious security problem that merits a detailed investigation to understand the damage. Where were the keys used? How were the keys exposed? Were other random outputs exposed that might allow an attacker to derive the keys? And so on. Using Go 1.22, that mistake is just a mistake.
When presenting the award to Haible, FSF executive director Zoë Kooyman commented on the significance of Haible's work, saying that Haible's work enabled free software programmers around the world to focus on the main, innovative portions of their program, thus facilitating the development of more and more free software.
The stats for 6.9 continue to look very normal, and nothing looks particularly alarming."
Rust now supports a #[diagnostic] attribute namespace to influence compiler error messages. These are treated as hints which the compiler is not required to use, and it is also not an error to provide a diagnostic that the compiler doesn't recognize. This flexibility allows source code to provide diagnostics even when they're not supported by all compilers, whether those are different versions or entirely different implementations.
So, in my ideal world, we'd have an OS entirely without SUID. Let's throw out the concept of SUID on the dump of UNIX' bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful manual clean-up is just not how security engineering should be done in 2024 anymore.