Vue normale
GitHub comments used to distribute malware (BleepingComputer)
BleepingComputer reported on April 20 that some malware was being distributed via GitHub. Uploading files as part of a comment gives them a URL that appears to be associated with a repository, even if the comment is never posted.
A GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy.
While most of the malware activity has been based around the Microsoft GitHub URLs, this "flaw" could be abused with any public repository on GitHub, allowing threat actors to create very convincing lures.
QEMU 9.0 released
This release contains 2700+ commits from 220 authors." The list of improvements is long; see the announcement and the changelog for details.
[$] Existential types in Rust
For several years, contributors to the Rust project have been working to improve support for asynchronous code. The benefits of these efforts are not confined to asynchronous code, however. Members of the Rust community have been working toward adding explicit existential types to Rust since 2017. Existential types are not a common feature of programming languages (something the RFC acknowledges), so the motivation for their inclusion might be somewhat obscure.
Security updates for Wednesday
[$] A change in direction for security-module stacking?
[$] Rust for embedded Linux kernels
Security updates for Tuesday
The Open Home Foundation launches
We created the Open Home Foundation to fight for the fundamental principles of privacy, choice, and sustainability for smart homes. And every person who lives in one.Ahead of today, we've transferred over 240 projects, standards, drivers, and libraries—Home Assistant, ESPHome, Zigpy, Piper, Improv Wi-Fi, Wyoming, and so many more—to the Open Home Foundation. This is all about looking into the future. We've done this to create a bulwark against surveillance capitalism, the risk of buyout, and open-source projects becoming abandonware. To an extent, this protection extends even against our future selves—so that smart home users can continue to benefit for years, if not decades. No matter what comes.
Andreas Tille elected as Debian project leader
[$] Linus and Dirk chat about AI, XZ, hardware, and more
One of the mainstays of the the Linux Foundation's Open Source Summit is the "fireside chat" (sans fire) between Linus Torvalds and Dirk Hohndel to discuss open source and Linux kernel topics of the day. On April 17, at Open Source Summit North America (OSSNA) in Seattle, Washington, they held with tradition and discussed a range of topics including proper whitespace parsing, security, and the current AI craze.
Hutterer: udev-hid-bpf: quickstart tooling to fix your HID devices with eBPF
eBPF was originally written for network packet filters but as of kernel v6.3 and thanks to Benjamin, we have BPF in the HID subsystem. HID actually lends itself really well to BPF because, well, we have a byte array and to fix our devices we need to do complicated things like "toggle that bit to zero" or "swap those two values".
See this article for more information on the BPF-HID mechanism.
Security updates for Monday
Kernel prepatch 6.9-rc5
But if you ignore those oddities, it all looks pretty normal and things appear fairly calm. Which is just as well, since the first part of the week I was on a quick trip to Seattle, and the second part of the week I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus.
[$] Weighted memory interleaving and new system calls
Gregory Price recently posted a patch set that adds support for weighted memory interleaving — allowing a process's memory to be distributed between non-uniform memory access (NUMA) nodes in a more controlled way. According to his performance measurements, the patch set could provide a significant improvement for computers with network-attached memory. The patch set also introduces new system calls and paves the way for future extensions intended to give processes more control over their own memory.
Security updates for Friday
[$] Gentoo bans AI-created contributions
Gentoo Council member Michał Górny posted
an RFC to the gentoo-dev mailing
list in late February about banning "'AI'-backed (LLM/GPT/whatever)
contributions
" to the Gentoo Linux project. Górny wrote that the spread of the
"AI bubble
" indicated a need for Gentoo to formally take a stand on AI
tools. After a lengthy discussion, the Gentoo Council voted
unanimously this week to adopt his proposal and ban contributions generated with AI/ML tools.