Security updates have been issued by Debian (roundcube), Fedora (chromium, firefox, and ngircd), Oracle (firefox and thunderbird), Scientific Linux (firefox), Slackware (seamonkey), SUSE (djvulibre, ffmpeg, firefox, freetds, gd, gstreamer-plugins-base, icu, java-11-openjdk, libEMF, libexif, librsvg, LibVNCServer, libvpx, Mesa, nasm, nmap, opencv, osc, perl, php7, python-ecdsa, SDL2, texlive-filesystem, and thunderbird), and Ubuntu (cinder and python-os-brick).
Google has announced the creation of the Open Usage Commons, which is intended to help open-source projects manage their trademarks. From the organization's own announcement: "We created the Open Usage Commons because free and fair open source trademark use is critical to the long-term sustainability of open source. However, understanding and managing trademarks takes more legal know-how than most project maintainers can do themselves. The Open Usage Commons is therefore dedicated to creating a model where everyone in the open source chain – from project maintainers to downstream users to ecosystem companies – has peace of mind around trademark usage and management. The projects in the Open Usage Commons will receive support specific to trademark protection and management, usage guidelines, and conformance testing." Initial members include the Angular, Gerrit, and Istio projects.
The Cloudflare blog is running an overview of sandboxing with seccomp(), culminating in a tool written there to sandbox any existing program. "We really liked the 'zero code seccomp' approach with systemd SystemCallFilter= directive, but were not satisfied with its limitations. We decided to take it one step further and make it possible to prohibit any system call in any process externally without touching its source code, so came up with the Cloudflare sandbox. It’s a simple standalone toolkit consisting of a shared library and an executable. The shared library is supposed to be used with dynamically linked applications and the executable is for statically linked applications."
Static web-site generators take page content written in a markup language and render it into fully baked HTML, making it easy for developers to upload the result and serve a web site simply and securely. This article looks at Hugo, a static-site generator written in Go and optimized for speed. It is a flexible tool that can be configured for a variety of use cases: simple blogs, project documentation, larger news sites, and even government services.
When support for classic BPF was added to the kernel many years ago, there was no question of whether BPF programs could block in their execution. Their functionality was limited to examining a packet's contents and deciding whether the packet should be forwarded or not; there was nothing such a program could do to block. Since then, BPF has changed a lot, but the assumption that BPF programs cannot sleep has been built deeply into the BPF machinery. More recently, classic BPF has been pushed aside by the extended BPF dialect; the wider applicability of extended BPF is now forcing a rethink of some basic assumptions.