Zack’s Kernel News
Zack’s Kernel News
Chronicler Zack Brown reports on the latest news, views, dilemmas, and developments within the Linux kernel community.
Recently, the kernel.org servers were cracked by attackers who were able to gain root-level access. The attackers then inserted trojan horses into the source releases for certain Linux kernel release candidates (-rc releases). This attack caused a lot of work for the kernel. org system administrators and resulted in a number of discussion threads on the linux-kernel mailing list, considering ways to avoid similar security compromises in the future.
In one thread, Junio C Hamano, the Git maintainer, asked the kernel folks if there were any special Git features they wanted, that might increase the security of a Git archive that involved many contributors (e.g., the Linux kernel). He suggested providing the ability to cryptographically sign all pushes, as well as having Git produce more output on certain types of failure modes. Linus Torvalds replied, saying he liked the idea of increased verbosity; but, about cryptographic signatures, he said:
"I realize that cryptographic signatures sound very important right now, but in the end, *real* trust comes from people, not from signatures. Realistically, I checked a few signatures this time around due to the kernel.org issues, but at the same time, the thing that made me trust most of it was just looking at commits and the email messages. The unconscious and non-cryptographic 'signature' of a person acting like you expect a person to act."
"Technical measures can be subverted, and I think we should also think about the social side. Every time somebody mentions a signature,I want to also mention 'human readability', because I think that matters as much, if not more."
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
News
-
Kali Linux 2019.1 Released
The favorite Linux distro of Mr. Robot gets the first update of 2019.
-
Linux Foundation Releases a New Draft of OpenChain Spec
OpenChain provides a standard for open source compliance throughout the software supply chain.
-
Linux Kernel Continues To Offer Mitigation for Spectre Mitigation
Kernel 4.19 has added another family of Spectre vulnerabilities to its list of mitigating the mitigation.
-
SpeakUp Trojan Targets Linux Servers
It’s exploiting a known vulnerability.
-
KDE Plasma 5.15 Beta Arrives
Major improvements to software management.
-
Canonical Announces Latest Ubuntu Core for IoT
Now offers 10 years of support.
-
GitHub Offers Free Private Repositories
Popular source code collaboration site makes a major change to feature set.
-
Linus Torvalds Welcomes 2019 with Linux 5.x
Better support for GPUs and CPUs.
-
Keep your edge with these powerful Linux administration tools:
Keep All Your Linux Servers in Check
Watching the Bad Guys with Cowrie
Become a certified Linux Admin professional with the Linux Professional Institute LPIC-1 Systems Administrator certification.
-
Microsoft Gets an Open Source Web Browser
The company will use Google Chromium web browser as the foundation for its next browser.