Posts
190
Following
77
Followers
2195
repeated

Bert Hubert NL 🇺🇦🇪🇺

Over vorige post, je kan ook zeggen dat het kabinet "geen grip heeft op de migratie" (naar de cloud). https://berthub.eu/articles/posts/de-hele-overheid-naar-de-cloud-dat-is-een-politiek-besluit/

0
1
0
repeated

Thorsten Leemhuis (acct. 1/4)

Jeremy Allison writes:

'" The data shows that “frozen” vendor kernels, created by branching off a release point and then using a team of engineers to select specific patches to back-port to that branch, are buggier than the upstream “stable” Linux created by Greg Kroah-Hartman. '"

https://ciq.com/blog/why-a-frozen-linux-kernel-isnt-the-safest-choice-for-security/

7
6
1
repeated

Get out of the way of your developers or lose them to someone who will.

— Adrian Cockcroft

0
2
1
repeated

I just got a few ideas for the next idiotic DMCA takedown notice I have to respond to...

https://bsky.app/profile/cola.baby/post/3ksffq2k5kb22

1
2
0
repeated

"hi I am Greg, this is wrong, everything I say is public information and *not* under NDA" - @gregkh on stage of the

2
3
2
repeated

Saturday's stable kernel updates https://lwn.net/Articles/969732/

0
1
0
repeated
repeated

Krzysztof Kozlowski

Just a reminder: only a week to hear me babbling about Linux kernel DTS validation and shared reset GPIOs on Embedded Open Source Summit/OSSNA 2024. Don't miss it and come to say hi!
EOSS: https://sched.co/1aBEf
OSSNA: https://sched.co/1aPvr
0
3
5
repeated

Well, I finally have data to back my model of the software world out there. And the data is relatively solid and shows what I keep saying.

You are all on our turf now. Please accept that you have no idea what you are talking about. Sit down. Listen. Ask questions.

But respect our work. We are trying to keep the world running, 1h per month.

https://www.softwaremaxims.com/blog/open-source-hobbyists-turf

4
7
2
repeated
repeated
For your Sunday reading: https://arxiv.org/pdf/2402.05212.pdf "An Investigation of Patch Porting Practices of the
Linux Kernel Ecosystem" in which different distros, and Android, are evaluated as to how up to date they stay with upstream fixes. Note that RHEL or CentOS is not evaluated "because of the lack of public git repositories or insufficient data."

About time someone started writing papers about this stuff...
3
16
32
repeated
Edited 2 months ago

We're at the @openssf !

Our mission is to ensure the security of open source software for all.

Are you a seasoned Technical Program Manager excited about and who wants a full-time ?

Apply: https://openssf.jobboard.io/jobs/314008394-technical-program-manager-at-openssf

0
3
0
repeated
I feel terrible, but I haven't laughed this hard in a long time.
8
26
67
repeated

So we got @gregkh on the show to explain Linux Kernel security, both proactive and reactive, and why they sort of can't treat security bugs special (TL;DR: Linux is on everything, so a prenotification list to tell people secretly doesn't work when you tell thousands of people... and that's one of the easier problems), the whole thing and more on the with @joshbressers and @kurtseifried https://opensourcesecurity.io/2024/02/25/episode-417-linux-kernel-security-with-greg-k-h/ TL;DR: just run an up to date stable Kernel, the era of trying to cherry-pick and backport security fixes is coming to an end.

7
5
4
repeated

Thorsten Leemhuis (acct. 1/4)

Did a quick *rough* check:

* 65 CVE announcements from Greg so far

* 55 of those refer to a mainline commit

* 10 of those were marked for backporting to stable/longterm

And that's why Greg backports a lot of mainline commits to stable/longterm that are *not* tagged for backporting -- and why "only backport changes mainline developers[1] tagged for backporting" is a bad idea.

[1] reminder, such tagging is optional, as participation in stable/longterm is optional

2
2
1
repeated

The kernel developers are now issuing their own, more accurate Common Vulnerabilities and Exposures bulletins. https://opensourcewatch.beehiiv.com/p/linux-gets-cve-security-business by @sjvn

The Linux kernel developers are now in charge of its Common Vulnerabilities and Exposures (CVE) security problems.

0
1
1
repeated

Computer folks, remember the precedence of operators! Consult this handy list if in doubt:

() [] -> .
! ~ ++ --
* / %
+ -
<< >>
< <= > >=
== != &=
=== &&& |||
?: ??= ( ^..^)ノ
(╯°□°)╯︵ ┻━┻

3
11
2
repeated

Last time I did a Linux kernel security flaw lifetime analysis was back in 2021. It showed the average time between flaw introduction and fix was 5.5 years for 108 "high priority" CVEs:
https://outflux.net/slides/2021/lss/kspp.pdf

I refreshed my dataset today and was surprised to see that now with 103 more CVEs, it's still holding at 5.5 years. This actually means Linux is getting faster at finding issues, but the (diminishing) technical debt of the past is still dragging down the average.

1
8
3
Show older