Debsources: browse/search sources of all Debian releases

Matthieu Caneill of Debian announced Debsources. An excerpt of the announcement is below; for the full announcement, see the debian-devel-announce mailing list archives.


Announcing sources.debian.org

We’re happy to announce that Debsources, the Web application that allows to browse and search the entire source code of all Debian releases, is now hosted on the official Debian infrastructure and available at https://sources.debian.org . You may already know this service as previously hosted at sources.debian.net . We took the move to Debian hardware as the opportunity to officially announce it here.[…]


Hmm, “EFI” does not work as a search string, and there are Linux-centric UEFI commands that only use “EFI”, not “UEFI”…


proposal: add Security Version to Linux Shim

Gary Ching-Pang Lin of SuSE has submitted a proposal for the Linux kernel and Shim to include a Security Version. In addition to the shim wiki page excerpted below, there is active discussion of this on the Linux-EFI list.

Security Version

When a vulnerability is found, every distro will release the patch as soon as possible and push it into the update channel. However, since the signature of the old kernel is still valid, the attacker may trick the user to boot the old and insecure kernel to exploit the system. For the system with UEFI Secure Boot, although the admin can add the hashes of the insecure kernels into MokX, it could be burdensome to do this in large scale. Besides, it’s almost impossible to obsolete the kernels before a certain version. Not to mention that the old kernel sometimes might be useful for debugging. To keep the system secure and also flexible, we propose “Security Version”. The basic concept of Security Version is to use a whitelist to record the “version” of the latest known secure linux kernel. If the “version” of the kernel is lower than that in the whitelist, then the kernel is considered as “not secure”. The “version” in the whitelist can only be incremented monotonically unless the user decides to lower it.[…]



PS:  Hmm, Gmane’s linux-efi links aren’t working for me.
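
The whitelist rule described in the excerpt above, modelled as an added example (not code from shim, the kernel, or the proposal). The names `sv_store`, `sv_check`, `sv_raise` and `sv_lower` are hypothetical, and both the trigger for raising the stored value and the `user_confirmed` flag are assumptions; the excerpt only states that the value rises monotonically unless the user lowers it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: min_secure stands in for the whitelist entry that
 * records the "version" of the latest known secure kernel. */
struct sv_store { uint32_t min_secure; };

enum sv_verdict { SV_OK, SV_NOT_SECURE };

/* A kernel whose version is lower than the whitelist value is "not secure". */
enum sv_verdict sv_check(const struct sv_store *s, uint32_t kernel_sv)
{
    return kernel_sv < s->min_secure ? SV_NOT_SECURE : SV_OK;
}

/* Automatic path (assumed trigger: a newer kernel was accepted).
 * The stored value only ever moves up here. */
bool sv_raise(struct sv_store *s, uint32_t kernel_sv)
{
    if (kernel_sv <= s->min_secure)
        return false;
    s->min_secure = kernel_sv;
    return true;
}

/* Lowering happens only on an explicit user decision, e.g. to boot an
 * old kernel for debugging. user_confirmed is an assumed input. */
bool sv_lower(struct sv_store *s, uint32_t new_sv, bool user_confirmed)
{
    if (!user_confirmed || new_sv >= s->min_secure)
        return false;
    s->min_secure = new_sv;
    return true;
}

int main(void)
{
    struct sv_store s = { 3 };            /* constructed sample values */
    sv_raise(&s, 5);                      /* patched kernel, version 5 */
    printf("old kernel v4: %s\n",
           sv_check(&s, 4) == SV_NOT_SECURE ? "not secure" : "ok");
    sv_lower(&s, 4, true);                /* admin opts in for debugging */
    printf("old kernel v4 after user lowers: %s\n",
           sv_check(&s, 4) == SV_NOT_SECURE ? "not secure" : "ok");
    return 0;
}
```

The old kernel's signature stays valid throughout; only the stored version decides whether it is treated as secure, which is why no per-kernel hash entry in MokX is needed.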


OEMs: support Linux firmware updates via fwupd

OEMs: users install Linux on some of the Windows boxes you sell. It is a PITA to update firmware from Linux if you only ship Windows EXEs. Rebooting into an ISO is slightly better. The proper solution for Linux is to support fwupd.

(And the proper solution for Windows is to support Windows Update. But I heard that only a few OEMs support this, and still require OEM-centric tools to update their firmware. Sigh…)



Linux Plumbers Conference 2017: audio archives uploaded

Quoting the Phoronix post:
“talks range from Linux power management and energy awareness to developments around kernel live patching, NUMA, the state of UEFI support, NVMe, DRM/KMS, and other areas of the Linux kernel.”




Linux Power Management summit

Juri Lelli of Red Hat announced the OSPM-Summit 2018, on the Linux-(pm,acpi,pci,rt-user,kernel) lists. Edited version of that announcement below.

Power Management and Scheduling in the Linux Kernel II edition (OSPM-summit 2018)
April 16-18, 2018
Scuola Superiore Sant’Anna
Pisa, Italy

Deadline for submitting topics/presentations is 9th of December 2017.

Focus: Power management and scheduling techniques to reduce energy consumption while meeting performance and latency requirements are still receiving considerable attention from the Linux Kernel development community. After the success of the first edition, II edition of the Power Management and Scheduling in the Linux Kernel (OSPM) summit aims at replicating such focused discussions, understanding what has been achieved and what instead still remains to be addressed. The summit is organised to cover three days of discussions and talks.

Topics:

* Power management techniques
* Real-time and non real-time scheduling techniques
* Energy awareness
* Mobile/Server power management real-world use cases (successes and failures)
* Power management and scheduling tooling (configuration, integration, testing, etc.)
* Tracing
* Recap lightning talks (what has been achieved w.r.t. I edition?)




Kees on Linux 4.14 security enhancements

Kees Cook has a new blog post, talking about new security features in Linux kernel 4.14.

* vmapped kernel stack on arm64
* set_fs() balance checking
* SLUB freelist hardening
* setuid-exec stack limitation
* randstruct automatic struct selection
* structleak passed-by-reference variable initialization
* improved boot entropy
* eBPF JIT for 32-bit ARM
* seccomp improvements