Interesting tidbit about Rust as used in the Android OS: to prevent the trusting trust attack, and not rely on rust-lang.org build, they bootstrapped rustc 1.19 with mrustc (0.8.0), and then built all following rustc versions with their previous version.

https://cs.android.com/android/platform/superproject/main/+/main:prebuilts/rust/bootstrap/README.md

#RustLang #Android #Toolchains #Bootstrapping #TrustingTrust

Rust is is not a "silver bullet" that can solve all security problems, but it sure helps out a lot and will cut out huge swatches of Linux kernel vulnerabilities as it gets used more widely in our codebase.

That being said, we just assigned our first CVE for some Rust code in the kernel: https://lore.kernel.org/all/2025121614-CVE-2025-68260-558d@gregkh/ where the offending issue just causes a crash, not the ability to take advantage of the memory corruption, a much better thing overall.

Note the other 159 kernel CVEs issued today for fixes in the C portion of the codebase, so as always, everyone should be upgrading to newer kernels to remain secure overall.

Because you don't have a "network interface card", you have an ARM cpu, maybe even a whole-ass ARM SOC, handling ethernet frames on one side and talking PCI on the other.

You don't even have SD cards, because "memory cards" don't exist. That terabyte of storage the size of your thumbnail you bought? That's an ARM CPU managing the wear levels on its crap-ass flash backing storage while pretending to be a hard drive on the other side.

You don't know how many computers are in your computer.

Two different ways to help track kernel commits across the different kernel branches, depending on your use case (bash + big git repo, or binary + sqlite db). I use them both on a daily basis: http://www.kroah.com/log/blog/2025/12/15/tracking-kernel-commits-across-branches/

Starting to write up a series of articles about the Linux kernel CVE work that has happened in the past 2 years, starting with some "back to basics" information about how Linux kernels are numbered as many people/companies really don't know how we do this, and it matters a lot in tracking bugfixes and how to determine "vulnerable" and "fixed" kernel releases:
http://www.kroah.com/log/blog/2025/12/08/linux-cves-more-than-you-ever-wanted-to-know/
and
http://www.kroah.com/log/blog/2025/12/09/linux-kernel-version-numbers/

In the early 2000s the ReactOS team paused development for years; to engage in a project wide audit, under accusations that a developer may have SEEN leaked windows sourcecode.

In the 2020s folks keep insisting it's cool for #FLOSS devs to use AI's trained on random other projects to generate code; when it is known that such AI assistants occasionally reproduce code verbatim, without regard to the original software license. #llm #AI #eliza #generativeAI

Unpopular opinion: a vulnerability that was disclosed privately by researchers and had a coordinated response from vendors and service operators under an (albeit short) embargo is not a “0-day”.

#InfoSec #CVD

Next week I'll have a talk at Open Source Summit Japan 🇯🇵:

"We need an open source phone OS - postmarketOS!"

If you are there in-person, say hello, and otherwise a live stream (December 10th, 11:40 UTC+9) should be available, and the recording will appear also at some point!

https://ossjapan2025.sched.com/event/29Fpa/

#OSSummit #postmarketOS #MobileLinux #LinuxMobile #DigitalIndependence

The European Union has now published a great page about the Cyber Resilience Act that contains a 66 page FAQ about lots of things in "plain english": https://digital-strategy.ec.europa.eu/en/factpages/cyber-resilience-act-implementation

The last 5.4.y kernel release has now happened: https://lore.kernel.org/all/2025120319-blip-grime-93e8@gregkh/

Please don't use this branch anymore, it's really old, and pretty obsolete, and has over 1500 unfixed CVEs in it:
https://lore.kernel.org/all/2025120358-skating-outage-7c61@gregkh/

And if you are stuck with that kernel version for some reason, go ask your vendor to fix those 1500+ CVEs, otherwise you are paying for support that doesn't actually do anything for you...

Three stable kernels for Monday

https://lwn.net/Articles/1048755/ #LWN

@aho Very very common.

As pointed out on an irc channel, yet another example of kernel developers having to do crazy things to paper over hardware bugs: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f076ef44a44d02ed91543f820c14c2c7dff53716

It has now been 0 days since a AI-hallucinated "security report" was sent to the kernel security team.

Right now we seem to be averaging about 1 per week, not bad overall probably compared to other projects.

To be fair, a real security bug was recently found with an "ai tool", but the authors of that at least took the time to verify it was real before sending it to us, and they provided a patch, so not all is doom and gloom.

The European Union Agency for Cybersecurity (ENISA) is now a Root in the CVE Program

https://www.cve.org/PartnerInformation/ListofPartners/partner/ENISA

"If you're not using the stable kernel, your system is insecure. [...]
I'll call out Debian: Debian tracks our kernels very well. Debian runs the world. Over 70% of all servers in the world run Debian. Everything else is a rounding error [...]
👉 Debian: really, really good. I work with the Debian developers all the time. I can't recommend them enough. Their systems are good.
👉 RedHat, SUSE: they have their own weird systems -- talk to them, you're paying them."

@gregkh at https://youtu.be/dhu8HSOzxd8?t=1226

How big is lore.kernel.org? I counted 17,154,017 unique message-ids.

I think that's roughly how many emails @gregkh replies to every day.

The recording from the "#Kernel CVEs are Alive, but Do Not Panic!" talk @gregkh gave last week at #OSSummit Korea is online now:

https://www.youtube.com/watch?v=dhu8HSOzxd8

Sides:

https://git.sr.ht/~gregkh/presentation-cve-is-dead/blob/master/cve-alive.pdf

#Linux #LinuxKernel #kernel #OSSummitKorea #CVE

First time in South Korea. Three talks in two days. Over 200 minutes of public speaking. Two packed rooms. Made new connections. (My luggage arrived four days after me. 😅)

This week was very intense, and I’ll never forget this first visit to Seoul. I’m a bit exhausted right now, but really grateful.

Thanks, Korea! 🙏🏼🇰🇷♥️

Abstracts, slides and videos: https://embeddedor.com/blog/2025/11/08/presenting-at-open-source-summit-korea-2025/

Linux Kernel Self-Protection Project 🛡⚔️🐧
#OSSummit #OSSKorea #Linux #OpenSource

As seen in the Seoul Lablup office (https://www.lablup.com/) when visiting the other day right before the OSS Korea conference. Many thanks to them for the good conversations, and food and beer!