Re: Now hang on, please!
Devuan killed it, dismembered it, but left some small and bloody body parts scattered around the distro. Now we need a clean up crew.
A security bug in Systemd can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box. The flaw therefore puts Systemd-powered Linux computers – specifically those using systemd-networkd – at risk of remote hijacking: maliciously crafted DHCPv6 …
Oh my sweet olfactory system it really exists. WE DON'T NEED ANOTHER AUDIO SUBSYSTEM THERE ARE LIKE 5 ALREADY... sndio, alsa, pulse, oss, jack...
"It aims to support the usecases currently handled by both PulseAudio and Jack and at the same time provide same level of powerful handling of Video input and output."
Ah, Gunther, remove me from this mortal coil immediately. And after that, lunch.
This post has been deleted by its author
Stringing up the Potty pour encourager les autres seems quite reasonable to me, but we need to realise that there will always be a sufficient supply of fucktards whose egos massively outstrip their abilities, and who are willing to implement the most deranged ideas, like hijacking the init system to execute a massive land grab, under the guise of "modernising it".
New lamps for old.
That so many supposedly technical people have gone along with this is very disappointing, but it's entirely in line with our being doomed by our own stupidity, so nothing new.
That it punches thru NAT routers enabling all your little goodies behind them as directly accessible.
MS even supplies tunneling (Ivp4 to Ivp6) so if using Linux in a VM on a MS system you may still have it anyway.
NAT was always recommended to be used in hardening your system, I prefer to keep all my idIoT devices behind one.
As they are just Idiot devices.
In future I will need a NAT that acts as a DNS and offers some sort of solution to keeping Ivp4.
While I've not played with it much, it shouldn't be too difficult to set up the router/gateway as v6 but everything behind it on v4. Only do V4 DHCP etc, firewall blocks any v6 on the wrong side of the fence.
At least till some potty thing comes along and breaks security yet again.
You can use NAT with IPv6.
You can, but why would you want to.
NAT is schtick for connecting a whole LAN to a WAN using a single IPv4 address (useful with IPv4 because most ISPs don't give you a /24 when you sign up). If you have a native IPv6 address you'll have something like 2^64 addresses, so machines on your LAN can have an actual WAN-visible address of their own without needing a trick like NAT.
Using NAT with IPv6 is just missing the point.
"so machines on your LAN can have an actual WAN-visible address of their own without needing a trick like NAT."
Avoiding that configuration is exactly the use case for using NAT with IPv6. As others have pointed out, you can accomplish the same thing with IPv6 router configuration, but NAT is easier in terms of configuration and maintenance. Given that, and assuming that you don't want to be able to have arbitrary machines open ports that are visible to the internet, then why not use NAT?
Also, if your goal is to make people more likely to move to IPv6, pointing out IPv4 methods that will work with IPv6 (even if you don't consider them optimal) seems like a really, really good idea. It eases the transition.
'tis you who misses the point.
I don't want every machine on my lan having it's own world-visible address. It serves no benefit to me, means I have to spend a lot more time faffing around with firewalls etc (rather than having just one decent gateway), can never be fully sure a machine is fully secured, have no protection against friends/family coming in other than to deny them access to the network.
With NAT I need to be sure my borders are secure, but I need not worry about anything inside my borders. The holes through my borders are ones I make knowingly. Ones made by bugs are much harder to exploit with NAT than with a leaky firewall, of which I might find winth v6 that I have a dozen to fix in a small amount of time (and of course since the firewall is the machine's only protection, I can't as easily isolate it until I have something better installed as I can with NAT).
I still run OK firewalls on each machine as I do have guests on my network, but I don't need to work nearly as hard at protecting my machines from them as I do at protecting my machines from outsiders. And with IPV6 I have to do that work on every machine.
NAT makes my life a lot easier, and that's the point of keeping it around. I don't have a use for machines being able to bypass my gateway, and I don't want them to. At some stage I expect to go IPV6 at the gateway, but I will remain on NAT/v4 inside.
My NAT router statefully firewalls incoming IPv6 by default, which I consider equivalently secure. NAT adds security mostly by accident, because it de-facto adds a firewall that blocks incoming packets. It's not the address translation itself that makes things more secure, it's the inability to route in from the outside.
The bug will come as another argument against Systemd as the Linux management tool continues to fight for the hearts and minds of admins and developers alike.
Less against systemd (which should get attacked on the design & implementation level) or against IPv6 than against the use of buffer-overflowable languages in 2018 in code that processes input from the Internet (it's not the middle ages anymore) or at least very hard linting of the same.
But in the end, what did it was a violation of the Don't Repeat Yourself principle and lack of sufficently high-level datastructures. Pointer into buffer, and the remaining buffer length are two discrete variables that need to be updated simultaneously to keep the invariant and this happens in several places. This is just a catastrophe waiting to happen. You forget to update it once, you are out! Use structs and functions updating the structs correctly.
And use assertions in the code, this stuff all seems disturbingly assertion-free.
Excellent explanation by Felix Wilhelm:
The function receives a pointer to the option buffer buf, it's remaining size buflen and the IA to be added to the buffer. While the check at (A) tries to ensure that the buffer has enough space left to store the IA option, it does not take the additional 4 bytes from the DHCP6Option header into account (B). Due to this the memcpy at (C) can go out-of-bound and *buflen can underflow [i.e. you suddenly have a gazillion byte buffer, Ed.] in (D) giving an attacker a very powerful and largely controlled OOB heap write starting at (E).
why don't we stop writing code in languages that make it easy to screw up so easily like this?
There are plenty about nowadays, I'd rather my DHCP client be a little bit slower at processing packets if I had more confidence it would not process then incorrectly and execute code hidden in said packets...
The circus that is called "Linux" have forced me to Devuan and the likes however the circus is getting worse and worse by the day, thus I have switched to the BSD world, I will learn that rather than sit back and watch this unfold As many of us have been saying, the sudden switch to SystemD was rather quick, perhaps you guys need to go investigate why it really happened, don't assume you know, go dig and you will find the answers, it's rather scary, thus I bid the Linux world a farewell after 10 years of support, I will watch the grass dry out from the other side of the fence, It was destined to fail by means of infiltration and screw it up motive(s) on those we do not mention here.
As many of us have been saying, the sudden switch to SystemD was rather quick, perhaps you guys need to go investigate why it really happened, don't assume you know, go dig and you will find the answers, it's rather scary ...
Indeed, it was rather quick and is very scary.
But there's really no need to dig much, just reason it out.
It's like a follow the money situation of sorts.
I'll try to sum it up in three short questions:
Q1: Hasn't the Linux philosophy (programs that do one thing and do it well) been a success?
A1: Indeed, in spite of the many init systems out there, it has been a success in stability and OS management. And it can easily be tested and debugged, which is an essential requirement.
Q2: So what would Linux need to have the practical equivalent of the registry in Windows for?
A2: So that whatever the registry does in/to Windows can also be done in/to Linux.
Q3: I see. And just who would want that to happen? Makes no sense, it is a huge step backwards.
OK, so I was able to check through the link you provided, which says "up to and including 239", but I had just installed a systemd update and when you said there was already a fix written, working it's way through the distro update systems, all I had to do was check my log.
Linux Mint makes it easy.
But why didn't you say something such as "reported to affect systemd versions up to and including 239" and then give the link to the CVE? That failure looks like rather careless journalism.
I still don't understand on what systemd, gnome3, Networkd or all the stuff shiped with most of the distribution Linux available has in some point, improved efficiency, security, and management of the system... I experienced the exact reverse of this : system unstable, bug, loss of performance and control.
Finally ended with Gentoo which is finally the easiest distribution to manage and control amd offer something the other don't : Freedom.
Canonical's Linux distro for edge devices and the Internet of Things, Ubuntu Core 22, is out.
This is the fourth release of Ubuntu Core, and as you might guess from the version number, it's based on the current Long Term Support release of Ubuntu, version 22.04.
Ubuntu Core is quite a different product from normal Ubuntu, even the text-only Ubuntu Server. Core has no conventional package manager, just Snap, and the OS itself is built from Snap packages. Snap installations and updates are transactional: this means that either they succeed completely, or the OS automatically rolls them back, leaving no trace except an entry in a log file.
The UBPorts community is in the final stages of preparing its next release and it's calling for testers.
Many of them are a few years old now, so there's a good chance that you've already replaced them and they sit unloved and neglected in a drawer. The starred entries in the list of devices are the best supported and should have no show-stopping problems. In order of seniority, that means: the LG-made Google Nexus 5 (2013); the original Oneplus One (2014); two models of Sony Xperia X, the F5121 and F5122 (2016); and Google's Pixel 3a and 3a XL (2019).
Comment Recently, The Register's Liam Proven wrote tongue in cheek about the most annoying desktop Linux distros. He inspired me to do another take.
Proven pointed out that Distrowatch currently lists 270 – count 'em – Linux distros. Of course, no one can look at all of those. But, having covered the Linux desktop since the big interface debate was between Bash and zsh rather than GNOME vs KDE, and being the editor-in-chief of a now-departed publication called Linux Desktop, I think I've used more of them than anyone else who also has a life beyond the PC. In short, I love the Linux desktop.
Opinion Broadcom has yet to close the deal on taking over VMware, but the industry is already awash with speculation and analysis as to how the event could impact the cloud giant's product availability and pricing.
If Broadcom's track record and stated strategy tell us anything, we could soon see VMware refocus its efforts on its top 600 customers and raise prices, and leave thousands more searching for an alternative.
The jury is still out as to whether Broadcom will repeat the past or take a different approach. But, when it comes to VMware's ESXi hypervisor, customer concern is valid. There aren't many vendor options that can take on VMware in this arena, Forrester analyst Naveen Chhabra, tells The Register.
At The Linux Foundation's Open Source Summit in Austin, Texas on Tuesday, Linus Torvalds said he expects support for Rust code in the Linux kernel to be merged soon, possibly with the next release, 5.20.
At least since last December, when a patch added support for Rust as a second language for kernel code, the Linux community has been anticipating this transition, in the hope it leads to greater stability and security.
In a conversation with Dirk Hohndel, chief open source officer at Cardano, Torvalds said the patches to integrate Rust have not yet been merged because there's far more caution among Linux kernel maintainers than there was 30 years ago.
Review The Reg FOSS desk took the latest update to openSUSE's stable distro for a spin around the block and returned pleasantly impressed.
As we reported earlier this week, SUSE said it was preparing version 15 SP4 of its SUSE Linux Enterprise distribution at the company's annual conference, and a day later, openSUSE Leap version 15.4 followed.
Microsoft has made it official. Windows Subsystem for Linux 2 distributions are now supported on Windows Server 2022.
The technology emerged in preview form last month and represented somewhat of an about-face from the Windows giant, whose employees had previously complained that while the tech was handy for desktop users, sticking it on a server might mean it gets used for things for which it wasn't intended.
(And Windows Server absolutely had to have the bloated user interface of its desktop stablemate as well, right?)
Version 21.3 of Manjaro - codenamed "Ruah" - is here, with kernel 5.15, but don't let its beginner-friendly billing fool you: you will need a clue with this one.
Manjaro Linux is one of the more popular Arch Linux derivatives, and the new version 21.3 is the latest update to version 21, released in 2021. There are three official variants, with GNOME 42.2, KDE 5.24.5 or Xfce 4.16 desktops, plus community builds with Budgie, Cinnamon, MATE, a choice of tiling window managers (i3 or Sway), plus a Docker image.
The Reg took its latest look at Arch Linux a few months ago. Arch is one of the older rolling-release distros, and it's also famously rather minimal. The installation process isn't trivial: it's driven from the command line, and the user does a lot of the hard work, manually partitioning disks and so on.
A bunch of almost unbelievably clever tech tricks come together into something practical with redbean 2: a webserver plus content in a single file that runs on any x86-64 operating system.
The project is the culmination – so far – of a series of remarkable, inspired hacks by programmer Justine Tunney: αcτµαlly pδrταblε εxεcµταblε, Cosmopolitan libc, and the original redbean. It may take a little time to explain what it does, so bear with us. We promise, you will be impressed.
To begin with, redbean uses a remarkable hack known as APE, which stands for Actually Portable Executable – which its author styles αcτµαlly pδrταblε εxεcµταblε. (If you know the Greek alphabet, this reads as "actmally pdrtable execmtable", but hey, it looks cool.)
A Linux distro for smartphones abandoned by their manufacturers, postmarketOS, has introduced in-place upgrades.
Alpine Linux is a very minimal general-purpose distro that runs well on low-end kit, as The Reg FOSS desk found when we looked at version 3.16 last month. postmarketOS's – pmOS for short – version 22.06 is based on the same version.
Biting the hand that feeds IT © 1998–2022