pnutzh4x0r

I saw plenty of efforts that aim to create a Linux distribution for non-enthusiasts, for people who just want to use their computers, and not care about the details - A Desktop for All on the GNOME blog, most recently. While I commend the effort, my own experience is that these efforts are futile, and start off from a fundamentally wrong premise: that people are willing (let alone wanting) to manage their own operating systems.

...

My family is using Linux because that’s the system I can maintain for them. Apart from my Dad, they never installed Linux, and never will. They don’t install software, they don’t upgrade, they don’t change settings either. All of that is something I do for them. And to do so effectively, I need a distribution I am familiar with, one that is also flexible enough to fine-tune for every member of the family, because they prefer fundamentally different things!

...

The common pattern between all these three is that neither of them maintains their own systems. I do. As such, how beginner friendly the distribution is, is meaningless. The users of the system don’t care, they’ll never see those parts. They’ll have a preconfigured system maintained by someone else, and that’s exactly what they want. To make this work, I’m using distributions I am familiar with. For my parents, that’s Debian, because I was a Debian person when their systems were installed. For my Wife, it is NixOS, because I’m a NixOS person now. For the Twins, it will likely be NixOS too.

A new patch series posted today to the Linux kernel mailing list would block kernel modules/drivers from TUXEDO Computers from accessing GPL-only symbols in the kernel.

TUXEDO Computers maintains a set of kernel drivers currently out-of-tree for their various laptops for additional functionality around power profiles, keyboard backlight controls, WMI, sensor monitoring, the embedded controller, and other functionality. They have said they want to eventually mainline these drivers but in the name of allowing for rapid hardware support they maintain them out-of-tree and ship them with their Ubuntu-based TUXEDO OS and also have the driver sources available via GitLab.

The issue at hand though is that these kernel drivers marked as GPLv3+ and that conflicts with the upstream Linux kernel code licensed as GPLv2. There was a commit to change the driver license from GPLv3 to GPL(v2) but was reverted by TUXEDO Computers on the basis of "until the legal stuff is sorted out."

If you love exploit mitigations, you may have heard of a new system call named mseal landing into the Linux kernel’s 6.10 release, providing a protection called “memory sealing.” Beyond notes from the authors, very little information about this mitigation exists. In this blog post, we’ll explain what this syscall is, including how it’s different from prior memory protection schemes and how it works in the kernel to protect virtual memory. We’ll also describe the particular exploit scenarios that mseal helps stop in Linux userspace, such as stopping malicious permissions tampering and preventing memory unmapping attacks.

Memory sealing allows developers to make memory regions immutable from illicit modifications during program runtime. When a virtual memory address (VMA) range is sealed, an attacker with a code execution primitive cannot perform subsequent virtual memory operations to change the VMA’s permissions or modify how it is laid out for their benefit.

...

mseal digresses from prior memory protection schemes on Linux because it is a syscall tailored specifically for exploit mitigation against remote attackers seeking code execution rather than potentially local ones looking to exfiltrate sensitive secrets in-memory.

...

From the disallowed operations, we can discern two particular exploit scenarios that memory sealing will prevent:

• Tampering with a VMA’s permissions. Notably, not allowing executable permissions to be set can stop the revival of shellcode-based attacks.
• “Hole-punching” through arbitrary unmapping/remapping of a memory region, mitigating data-only exploits that take advantage of refilling memory regions with attacker-controlled data.

...

There are likely many other use cases and scenarios that we didn’t cover. After all, mseal is the newest kid on the block in the Linux kernel! As the glibc integration completes and matures, we expect to see improved iterations for the syscall to meet particular demands, including fleshing out the ultimate use of the flags parameter.

Drivers passing through San Francisco have a new roadside distraction to consider: billboards calling out businesses that don't cough up for the open source code that they use.

The signs are the work of the Open Source Pledge – a group that launched earlier this month. It asks businesses that make use of open source code to pledge $2,000 per developer to support projects that develop the code. So far, 25 companies have signed up – but project co-founder Chad Whitacre wants bigger firms to pay their dues, too.

Google is developing a Terminal app for Android that'll let you run Linux apps. It'll download and run Debian in a VM for you.

...

Engineers at Google started work on a new Terminal app for Android a couple of weeks ago. This Terminal app is part of the Android Virtualization Framework (AVF) and contains a WebView that connects to a Linux virtual machine via a local IP address, allowing you to run Linux commands from the Android host. Initially, you had to manually enable this Terminal app using a shell command and then configure the Linux VM yourself. However, in recent days, Google began work on integrating the Terminal app into Android as well as turning it into an all-in-one app for running a Linux distro in a VM.

...

Google is still working on improving the Terminal app as well as AVF before shipping this feature. AVF already supports graphics and some input options, but it’s preparing to add support for backing up and restoring snapshots, nested virtualization, and devices with an x86_64 architecture. It’s also preparing to add some settings pages to the Terminal app, which is pretty barebones right now apart from a menu to copy the IP address and stop the existing VM instance. The settings pages will let you resize the disk, configure port forwarding, and potentially recover partitions.

...

If you’re wondering why you’d want to run Linux apps on Android, then this feature is probably not for you. Google added Linux support to Chrome OS so developers with Chromebooks can run Linux apps that are useful for development. For example, Linux support on Chrome OS allows developers to run the Linux version of Android Studio, the recommended IDE for Android app development, on Chromebooks. It also lets them run Linux command line tools safely and securely in a container.

cross-posted from: https://lemmy.ndlug.org/post/1225458

Powered by the latest Linux 6.11 kernel series, Ubuntu 24.10 features the latest and greatest GNOME 47 desktop environment for the Ubuntu Desktop flavor with additional patches for Mutter and GNOME Shell to enhance stability and performance. In addition, the Ubuntu Dock now visualizes Snap refreshes and includes better handling for PWAs installed via the Chromium Snap.

...

Under the hood, Ubuntu 24.10 comes with an updated toolchain that includes GCC 14.2, GNU Binutils 2.43.1, GNU C Library 2.40, LLVM 19, Rust 1.80, Go 1.23, OpenSSL 3.3, systemd 256.5, Netplan 1.1, and .NET 8. The Ubuntu Desktop installer was also updated with support for local file paths for autoinstall import.

...

Ubuntu 24.10 will be supported for only nine months, until July 2025. If you’re looking for long-term support, you should download and install Ubuntu 24.04 LTS (Noble Numbat), which is supported until at least 2029.

Official Website: Ubuntu 24.10 (Oracular Oriole)

The Linux Mint 22.1 distribution was slated for release in December 2024 with a revamped Cinnamon theme and better package management.

Slated for release in December 2024, near the Christmas holidays, Linux Mint 22.1 will ship with the soon-to-be-released Cinnamon 6.4 desktop environment featuring a revamped theme that’s much darker and contrasted than before, rounded elements, redesigned dialogs, and a gap between the applets and the panel.

More from the Mint Monthly News: September 2024

The transition towards Aptkit and Captain is now finished. Starting with Linux Mint 22.1, set to be released this December, none of our projects will depend on aptdaemon, synaptic, gdebi or apturl anymore.

Exploit of a combination of several bugs - Overhyped but not that severe - Fixes already available

...

Canonical’s security team has acted immediately to quickly apply the patches which Michael Sweet (author and maintainer of CUPS) had already prepared for CUPS, cups-browsed, libcups-filters, libppd, and cups-filters (in the time from the first report until then I was some days off and I was also on the Open Source Summit Europe, thanks, Michael Sweet, for stepping in, also thanks to Zdenek Dohnal from Red Hat) to the appropriate in all supported Ubuntu versions, so that at the time of disclosure most fixes were already in place. They also reported in an Ubuntu blog. They tell users what to do, from turning off cups-browsed or at least its legacy CUPS browsing support to updating their systems as the fixes were already available. Thanks a lot to Seth Arnold, Marc Deslauriers, Diogo Sousa, Mark Esler, Luci Stanescu, and more.

...

The X post really overhyped the vulnerability. Attacks from the internet are not very probable due to the fact that servers on the internet do not have cups-browsed and CUPS installed and CUPS/cups-browsed setups are there usually only in NAT-protected local networks with desktop machines and print servers. And the remote code execution is also rather restricted, as CUPS filters are not running as root, but as the system user “lp” which cannot even read user’s home directories. In addition, the remote code execution only happens when a user actually prints a job on the fake printer. Actually assigned scores ended up between 8.4 and 9.1.

There's been talk of this unauthenticated RCE vulnerability coming with a CVSS 9.9 rating but none of the technical details were publicly known until it was made public just now at the top of the hour. Simone Margaritelli discovered this vulnerability and has shared a write-up around this potentially very impactful Linux vulnerability.

This vulnerability, fortunately, doesn't affect the Linux kernel but rather CUPS... The print server commonly used on Linux systems and other platforms.

...

From Attacking UNIX Systems via CUPS, Part I:

"A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer)."

...

This remote code execution issue can be exploited across the public Internet via a UDP packet to port 631 without needing any authentication, assuming the CUPS port is open through your router/firewall. LAN attacks are also possible via spoofing zeroconf / mDNS / DNS-SD advertisements.

Besides CUPS being used on Linux distributions, it also affects some BSDs, Oracle Solaris, Google Chrome OS, and others.

As of writing there is no Linux fix available for this high profile security issue. In the meantime it's recommended to disable and remove the "cups-browsed" service, updating CUPS, or at least blocking all traffic to UDP port 631.

cross-posted from: https://lemmy.ndlug.org/post/1167059

COSMIC’s Alpha 2 release builds upon that work with functionality built out for Files, additional Settings pages, considerable infrastructure work for screen reader support+, and some highly requested window management features. System76 is ecstatic at the level of excitement and collaboration so far with alpha testers and early app & applet developers, and we look forward to seeing what comes from these new additions.

...

The second COSMIC alpha will be released on September 26th. Those participating in Alpha 1 on Pop!_OS can simply update through the COSMIC App Store to transition. This alpha will be followed by monthly alpha releases until all core features have been built out.

More coverage:

• COSMIC DE Alpha 2 Released, This is What’s New

• COSMIC Alpha 2 Released with Bluetooth Settings, Much-Improved File Manager

• Cosmic Desktop Alpha 2: BIG PROGRESS for a month of work!

cross-posted from: https://lemmy.ndlug.org/post/1153465

In the second finding of the 2024 Tidelift state of the open source maintainer survey, we found that the more maintainers are paid, the more improvements they make to their projects.

...

In the previous finding, we reported that 60% of maintainers describe themselves as unpaid hobbyists, and 36% of maintainers describe themselves as paid (professional or semi-professional) maintainers, earning some or all of their income from their open source work.

...

When you break down the paid maintainers into professional (earning most or all of their income from their maintenance work) and semi-professional (earning some of their income from maintaining projects), it becomes clear that the amount of money a maintainer is making for their work has a large impact on the types of improvements they are able to make. Across nearly all major categories, professional maintainers are on average over 20 percentage points more likely to make key improvements to their projects than semi-professional maintainers.

...

In the previous study, 81% percent of professional maintainers earning most or all of their income from maintaining projects spend more than 20 hours a week maintaining their projects. This year, the percentage was nearly identical (82%).

Conversely, in last year’s survey, we found that the vast majority of unpaid hobbyists spend ten hours or less per week on their maintenance work (81%). This percentage also stayed consistent in this year’s survey, with 78% of unpaid hobbyist maintainers working ten hours or less per week.

...

We’ve heard from many maintainers that how they are paid for their work also matters. For many maintainers there is a huge difference between getting a one-time “airdrop” of money, perhaps right after a high profile incident where people are paying attention to their projects, compared to ongoing recurring income that they can count on. So this year for the first time we asked maintainers to tell us whether they would prefer to get predictable monthly income or a one-time lump payment.

An overwhelming majority of maintainers prefer to receive predictable monthly income, with 81% choosing that option.

Linus Torvalds Speaks on the the divide between Rust and C Linux developers an the future Linux. Will things like fragmentation among the open source community hurt the Linux Kernel? We'll listen to the Creator of Linux.

For the full key note, checkout: Keynote: Linus Torvalds in Conversation with Dirk Hohndel

The Register's summary: Torvalds weighs in on 'nasty' Rust vs C for Linux debate