or1k

Everything posted by or1k

  1. or1k

    Global MEME Topic

    Windows 11 will get a built-in sudo command 😀 Microsoft is testing (https://www.windowslatest.com/2024/02/01/first-look-windows-11-is-getting-native-macos-or-linux-like-sudo-command/) a built-in sudo command (superuser do) in Windows 11 insider builds. The command will be accessible through the developer settings. This option will allow you to manage settings that require administrative privileges. It is expected that it will be possible to customize the behavior of sudo commands by setting preferences for the operation of commands run using this utility. It is not yet clear when the sudo command will appear in stable builds of Windows 11.
  2. In this thread you can share free-form funny Linux memes with other users
  3. A vulnerability (https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv) CVE-2024-21626 has been found in the runc isolated container toolkit (https://github.com/opencontainers/runc/) that allows access to the file system of a host environment from within an isolated container. During an attack, an attacker could overwrite some executable files in the host environment and thus achieve execution of his code outside the container. The vulnerability has been fixed in the runc 1.1.12 release (https://github.com/opencontainers/runc/releases/tag/v1.1.12). In the case of Docker or Kubernetes, the attack can be accomplished by preparing a specially crafted container image; after installing and running it, it is possible to access an external FS from the container. With Docker, it is possible to exploit via a specially designed Dockerfile. In addition, five more vulnerabilities (CVE-2024-23651, CVE-2024-23652, CVE-2024-23653, CVE-2024-23650, CVE-2024-24557) have been identified (https://www.docker.com/blog/docker-security-advisory-multiple-vulnerabilities-in-runc-buildkit-and-moby/) in Docker toolkit components, which have already been fixed.
  4. In 2023, Red Hat discontinued support for publishing the source code of packages of already released releases in the CentOS repository. Only the repositories of CentOS Stream, the "perpetual beta" of future RHEL releases, remain publicly available. The company's new practice has a (https://www.phoronix.com/news/CentOS-RHEL-Kernel-Headaches) negative impact on the activities of developers close to it. Specifically, the Kmods SIG group, which maintains additional kernel modules for CentOS Stream and RHEL, is currently "unable to create packages for Red Hat Enterprise Linux for legal reasons." The developers are trying to resolve the issue with Red Hat and resume operations, but no specific timeline has been given. The CentOS Hyperscale SIG group, which now relies on Fedora rather than the CentOS/RHEL tree, has also encountered difficulties.
  5. Vulnerability in glibc allowing root access on the system

    A vulnerability (CVE-2023-6246) in the standard C library Glibc allows an attacker to get their code executed with elevated privileges through manipulation of running SUID applications. Researchers were able to develop a working exploit that gains root privileges by manipulating command line arguments when running the su utility. The vulnerability has been confirmed in Debian 12/13, Ubuntu 23.04/23.10 and Fedora 37-39. The vulnerability can only be exploited locally. A fix for the vulnerability is included in the Glibc code base and will be included in tomorrow's Glibc 2.39 update, along with fixes for two other vulnerabilities (CVE-2023-6779, CVE-2023-6780). ✅ You can test your system's exposure to the vulnerability with the following command:

        $ (exec -a "$(printf '%0128000x' 1)" /usr/bin/su < /dev/null)
  6. After three months of development, the UBports project, which took over the development of the Ubuntu Touch mobile platform after Canonical pulled out, has unveiled the OTA-4 Focal (over-the-air) firmware. This is the fourth release of Ubuntu Touch, based on the Ubuntu 20.04 package base (older releases were based on Ubuntu 16.04). The project is also developing an experimental port of the Unity 8 desktop, which has been renamed Lomiri. Changes. Ubuntu Touch OTA-4 Focal update will be shaping up in the coming days for Asus Zenfone Max Pro M1, Fairphone 3/3+ and 4, F(x)tec Pro1 X, Google Pixel 3a/3a XL devices, Vollaphone 22, Vollaphone X23, Vollaphone X, Vollaphone, JingPad A1, Oneplus One/5/6, Sony Xperia X, Samsung Galaxy S7, Xiaomi Poco X3 NFC / X3, Xiaomi Redmi Note 9, 9 Pro, 9 Pro Max and 9S, Xiaomi Poco M2 Pro. Builds for the Pine64 PinePhone, PinePhone Pro and PineTab and PineTab2 are in the beta testing stage.
  7. ▪️ How to handle directories with a large number of files

    You may have encountered this problem: you have tried to run ls on a directory with a very large number of files, but the command gives the error "argument list is too long". There are several ways to get around this limitation.

    - Using the built-in command line: built-in Bash does not have the ARG_MAX limitation.
    - Use "find" when you need formatting parameters:

        find /data/test_xargs -type f -ls -printf '%p\n'

      Or with formatting that mimics ls:

        find /data/test_xargs -type f -printf '%f\n'

    ▪️ Suppose you want to compress all the files in a given directory from the previous example. You need a way to regulate the number of compression requests so that you don't run more processes than the number of processors you have. Let's try to do this with find and xargs:

        find /data/test_xargs -type f -print0 | xargs -0 -P $(($(nproc)-1)) -I % gzip %

    ▪️ Match your processor to a set of tasks to maximize execution time

    Despite CPU limits, some intensive tasks can slow down other processes on your computer as they search for resources. There are a few things you can do to keep server performance under control, such as using taskset. The taskset command is used to set or get the CPU binding of a running process given its pid, or to start a new command with a given CPU binding. In general, we always want to leave one of the processors "free" for operating system tasks. Usually the kernel does a pretty good job of binding running processes to a specific processor to avoid context switching, but if you want to enforce which processors your process will run on, you can use taskset.

        # taskset wraps xargs so that the gzip processes it starts inherit the CPU binding
        find /data/test_xargs -type f -print0 | taskset -c 1,2,3,4,5,6,7 xargs -0 -P $(($(nproc)-1)) -I % gzip %
  8. Twelve years after the last test version and 16 years after the formation of the last stable release, Damn Small Linux 2024 (https://www.damnsmalllinux.org/) has been published. It is intended for use on low-power systems and obsolete hardware. The new release has alpha quality and is prepared in builds for the i386 architecture. The size of the bootable build is 665 MB (for comparison, the last version was 50 MB). The build is based on the AntiX 23 Live distribution and offers a choice of environments based on the Fluxbox and JWM window managers. Three web-browsers are included: BadWolf, Dillo and Links2. A set of office applications is formed by text editor AbiWord, table processor Gnumeric, e-mail client Sylpheed and PDF viewer Zathura. For multimedia content, MPV and XMMS are included. The distribution also includes the mtPaint graphic editor, the zzzFM file manager, the gFTP/SFTP client, and the Leafpad text editor. Among console applications: file manager Ranger, table processor VisiData, terminal multiplexer Tmux, mail client Mutt, music player Cmus, CD/DVD burning program CDW, search system SurfRaw, text editors Vim and Nano, browsers W3M and Links2.
  9. Information about a vulnerability (CVE-2023-6200 (https://security-tracker.debian.org/tracker/CVE-2023-6200)) in the Linux kernel networking stack has been disclosed. Under certain circumstances, it allows a local network attacker to achieve code execution by sending a specially crafted ICMPv6 packet with an RA (Router Advertisement) message designed to announce information about a router. The vulnerability occurs on systems with IPv6 support enabled and the sysctl parameter "net.ipv6.conf.<network_interface_name>.accept_ra" active (you can check it with the command "sysctl net.ipv6.conf| grep accept_ra"), which is disabled by default in RHEL and Ubuntu for external network interfaces, but enabled for the loopback interface, allowing an attack from the same system. The vulnerability has been present since branch 6.6 and has been fixed in versions 6.6.9 and 6.7. Distributions that ship packages with kernel 6.6 include Arch Linux, Gentoo, Fedora, Slackware, OpenMandriva, and Manjaro.
  10. A controversy erupted this week over Google engineer Steven Rostedt's proposals for using "inode" in file systems. An inode is a unique metadata identifier in Linux. For weeks there has been a debate on the kernel mailing list about the role and purpose of inode. Many believe that they are still needed for archiving files with the tar utility. However, Torvalds expressed the opposite opinion, stating that it is time to abandon the outdated concept, since inode numbers are no longer truly unique in modern file systems. Despite this, Rostedt suggested implementing global uniqueness of all inode numbers in Linux to solve potential problems. Torvalds then accused (https://lkml.org/lkml/2024/1/26/1013) the engineer of misunderstanding and over-complicating the code, as well as copying the VFS layer features of the file system without realizing the consequences. The full message is in the image. After the criticism, Rostedt admitted his gaps in understanding inode and promised to look into the matter. Torvalds, in his turn, did not continue the argument, citing lack of time due to other tasks.
  11. The first release of the Niri composite server (https://github.com/YaLTeR/niri/releases/tag/v0.1.0) has been published (https://github.com/YaLTeR/niri). The project implements the tiling method, in which windows are grouped into an infinitely scrolling ribbon. Opening a new window causes the ribbon to expand, and previously added windows never change their size. The project code is written in Rust and is distributed under the GPLv3 license. Packages are built for Fedora, NixOS, Arch Linux, and FreeBSD. The reason for creating a separate composite manager is the impossibility to realize separate work with monitors in PaperWM because of GNOME Shell peculiarities (binding to global window coordinates). The main difference between Niri and PaperWM is that each monitor has its own ribbon of windows, which do not overlap with each other. Niri supports HiDPI and can run on systems with multiple GPUs (e.g. hybrid systems with a discrete graphics card and an embedded GPU).
  12. The main focus in 2024 will be on implementing support for the Wayland protocol and developing a Wayland-only branch of Budgie 11. In the first quarter of 2024, the plan is to shape the release of Budgie 10.9 and finalize the addition of Wayland capability in all base applets. In the second quarter, work is scheduled to implement Wayland support in the configurator (Budgie Control Center) and on the desktop. In the third and fourth quarters, work will be focused on Wayland-only releases, which will be gradually brought to the desired state. Other plans include work on a new Budgie Control Center configurator, expanded applet functionality, and a redesign of the panel. (https://buddiesofbudgie.org/blog/state-of-the-budgie-2023)
  13. or1k

    JShielder

    An open source Bash script designed to help system administrators and developers protect Linux servers on which they will deploy any web application or service. JShielder automates the process of installing all the necessary packages to host a web application and secure a Linux server with minimal user interaction. 📌 https://github.com/Jsitech/JShielder
  14. ▪️ Improved support of input methods. Improved implementation of SendInput() function, added XInputGetCapabilitiesEx function, completely rewritten XInputGetCapabilities function. ▪️ Improved support for Diffie-Hellman (DH) key exchange protocol. Added the ability to configure and retrieve DH parameters. Implemented handlers for creating public and private key pairs. ▪️ Improved detection of keyboards with Dvorak layout. And other changes. (https://www.winehq.org/)
  15. Flathub is positioned as a vendor-independent platform for distributing packages in Flatpak format. There are more than 2400 applications in the catalog, of which more than 850 have received the status of verified, i.e., maintained by the original authors. The total number of package downloads is estimated at 1.6 billion. In counting (https://docs.flathub.org/blog/over-one-million-active-users-and-growing/) active users, instead of collecting metrics from user systems, an analysis of statistics available only on the infrastructure side of Flathub was used. To predict the number of active users, a tie to the number of installations of runtime-sets that provide a generic environment for isolated application launching was used. In particular, the number of runtime downloads with FreeDesktop components and its updates to the latest version were estimated to determine the number of active installations.
  16. As someone who has to use a laptop for work, I keep my laptop plugged in 8 hours or more a day, 7 days a week. The laptop's battery during these days would discharge and charge, slowly degrading the battery because only the last ~ 20% would be charged and discharged. To remedy this issue some devices now have charge thresholds where a user or firmware can configure a charge limit to stop the battery from getting constantly charged. The most commonly found solution is to set a stop charge limit at 80% of the battery capacity. (Green part is never charged) Another approach is to set a start and stop charge threshold where the battery charges till for example 80% but will only start when below 60%. The 60-80% region marks a "charge free zone". This is ideal for users who keep their laptop plugged in 24/7. The Linux kernel supports these kinds of charge thresholds via a sysfs interface /sys/class/power_supply/BAT*/charge_control_{start,end}_threshold depending on hardware and driver support. Users can set their own charge control thresholds by echoing a value between 0-100 to the sysfs entry via for example a systemd unit or using a tool such as TLP. That is usable for power users who know what thresholds to set and who also remember to turn it off when you travel for a longer period of time and want to make full use of your battery. As a GNOME user however I would like to have a visual indication that my battery is being charge limited and an easy switch to turn this on and off. GNOME obtains device battery information in the shell and GNOME settings via UPower, a daemon which runs in the background and exposes device information from sysfs to DBus. UPower is also used by other popular DEs such as Cinnamon, Phosh, Mate, Lxqt, Xfce and Deepin. My merge request for UPower implements detecting if a battery supports charge limits (start and stop) and allows for enabling set limits via a DBus method on the battery object.
The limits are configurable via hwdb as UPower sets known good values 60-80% by default, users and vendors can override these limits with a simple hwdb rule. For GNOME's settings, this merge request implements the UI design from Allan Day as can be seen below. (note: the label still needs some changes) For those interested, I will be giving a presentation at FOSDEM in the Kernel devroom with more technical details. In the future I plan to work on a visual indicator in the GNOME Shell when charge limiting is enabled, implementing battery calibration and exposing charge thresholds on the Framework laptop.
  17. A preview version of Plasma 6.0 is now offered (https://blog.neon.kde.org/2024/01/25/kdes-6th-megarelease-with-kde-neon-testing-edition) not only in the unstable, but also in the Neon test update channel - users will receive it automatically with the system update.
  18. Docker Scout allows you to prevent and address flaws where they start. By identifying issues earlier in the software development lifecycle and displaying information in Docker Desktop and the command line, Docker Scout reduces interruptions and rework. Supply chain security is a big focus in software development, with attention from enterprises and governments. Software is complex, and when security, reliability, and stability issues arise, they’re often the result of an upstream library. So developers don’t just need to address issues in the software they write but also in the software their software uses. These concerns apply just as much to open source projects as proprietary software. But the focus on improving the software supply chain results in an unfunded mandate for open source developers. A research study by the Linux Foundation found that almost 25% of respondents said the cost of security gaps was “high” or “very high.” Most open source projects don’t have the budget to address these gaps. With Docker Scout, we can reduce the burden on open source projects.
  19. Radix cross Linux version 1.9.367 (https://radix.pro/platform/install/) is prepared for devices based on ARM/ARM64, RISC-V and x86/x86_64 architecture. The distribution is built using the proprietary Radix.pro build system, which simplifies the formation of distributions for embedded systems. In the new version the distribution includes packages with MPlayer, VLC, MiniDLNA, Transmission (Qt & HTTP-server), Rdesktop, FreeRDP and GIMP (2.99.16), which make it possible to use the user environment of the distribution not only as a programmer's workplace, but also as a resting place in a home network. Boot images for Repka pi3, Orange pi5, Leez-p710, TF307 v4 based on Baikal M1000, VisionFive2, EBOX-3350dx2, as well as for i686 and x86_64 systems have been prepared. It is possible to create builds working in Live mode.
  20. On systems with an X server, using the xrandr utility, you can organize the placement of information on a monitor screen mounted not only horizontally or vertically, but also at an arbitrary angle.

    ▪️ For example, you can rotate the monitor 45 degrees:

        xrandr --output HDMI-3 --transform 0.707106781186548,-0.707106781186548,0,0.707106781186548,0.707106781186548,0,0,0,1

    ▪️ or 22 degrees:

        xrandr --output HDMI-3 --transform 0.927183854566787,-0.374606593415912,0,0.374606593415912,0.927183854566787,0,0,0,1

    The values specified in the "--transform" parameter are calculated using the formula "cos(x),-sin(x),shift_left,sin(x),cos(x),shift_up,0,0,1", where "x" is the required rotation angle.
  21. According to analytical agency IDC, Apple's iPhones were the most popular smartphones in China in the fourth quarter and all of 2023, despite pressure from local manufacturers and expanding government bans. The company's success is attributed to a smaller slump in demand and well-timed discounts and promotions. Overall, smartphone sales in China fell by 5%, but Huawei still managed to return to the top five manufacturers. Apple also regained the title of the largest smartphone vendor, but iPhone 15 sales in the Chinese market continue to fall due to the expansion of government bans.
  22. Google has unveiled a new AI video generator called Lumiere, which is based on a spatio-temporal diffusion model for realistic video generation. It is capable of generating dynamic images from a textual description and is arguably the most powerful to date. A unique feature of Google Lumiere is its ability to generate video in a single pass, unlike other models that work with multiple keyframes and then interpolate over time. Lumiere can convert text to video, convert static images to dynamic images, create videos in a specific style, edit existing video based on written prompts, and animate certain areas of a static image. The model is trained on a dataset of 30 million video clips with text descriptions. The output is 5-second clips with a resolution of 1024 × 1024 pixels. Google recognizes the threat posed by such projects and emphasizes the importance of developing tools to detect bias and malicious use of the technology to ensure the model runs safely.
  23. Orca Security has discovered (https://orca.security/resources/blog/sys-all-google-kubernetes-engine-risk-example/) a vulnerability in Google Kubernetes Engine (GKE). It allows attackers with a Google account to gain control of a Kubernetes cluster. The issue has been codenamed Sys:All. It is estimated that about 250,000 active GKE clusters are affected by the vulnerability. The problem lies in a common misconception about the system:authenticated group in GKE. This is a special group that includes all authenticated objects, including users and service accounts. Many people believe that the group only includes authenticated users, when in fact it includes any Google account. External attackers can use their Google OAuth 2.0 token to gain control of the cluster and then use it for a variety of purposes, including cryptomining, denial-of-service attacks, and theft of sensitive data. Additionally, this approach leaves no trace that can be traced back to a specific Gmail or Google Workspace account. Various sensitive data is at risk, including JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, private keys, and access to container registries, which could lead to malware injection into container images. Google has already taken steps to address the flaw by disallowing the binding of the system:authenticated group to the cluster-admin role in GKE versions 1.28 and above. The company also recommends that users not bind the system:authenticated group to any RBAC (role-based access control) roles and check to see if their clusters are associated with the group.
  24. The source code of Zed (https://github.com/zed-industries/zed), a multi-user code editor (https://zed.dev/) developed under the guidance of the author of the Atom project (the basis of VS Code), is open (https://github.com/zed-industries/zed). Only macOS is supported so far (Linux, Windows and Web support is under development). The Zed editor is notable for its focus on real-time collaborative development and achieving maximum refinement, performance and responsiveness of the interface. Zed attempts to combine a lightweight editor and the functionality of modern integrated development environments in a single product. Zed's high performance is achieved through active use of multithreading with the use of all available CPU cores, as well as window rasterization on the GPU side. In the tests performed, the reaction time to a keystroke in Zed is estimated at 58 ms, for comparison, in Sublime Text 4 this indicator is 75 ms, in CLion - 83 ms, and in VS Code - 97 ms. Zed's startup time was estimated at 338 ms, Sublime Text 4 at 381 ms, VS Code at 1444 ms, and CLion at 3001 ms. Memory consumption of Zed was 257 MB, Sublime Text 4 - 219 MB, VS Code - 556 MB, CLion - 1536 MB.
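For the GKE Sys:All item above (post 23), an added example that is not part of the original posts and is not Google's or Orca's code: an audit of exported RBAC bindings for subjects that match every caller. It assumes the input has the shape of `kubectl get clusterrolebindings,rolebindings -A -o json`; the sample data is constructed, and the check is generalized beyond the post to the upstream `system:unauthenticated` group and `system:anonymous` user.

```python
import json

# Subjects that match every caller. The post covers system:authenticated;
# system:unauthenticated and system:anonymous are the upstream Kubernetes
# anonymous identities, added here as a generalization.
BROAD_SUBJECTS = {
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
    ("User", "system:anonymous"),
}
# Low-privilege discovery roles that upstream Kubernetes binds to these
# groups by default; reported separately so they do not hide real findings.
DEFAULT_ROLES = {"system:basic-user", "system:discovery", "system:public-info-viewer"}
SEVERITY_ORDER = {"critical": 0, "review": 1, "default": 2}


def audit_bindings(doc):
    """Return findings for bindings that grant a role to a broad subject."""
    findings = []
    for item in doc.get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        meta = item.get("metadata", {})
        # 'subjects' can be missing or null on a binding with no subjects.
        for subj in item.get("subjects") or []:
            if (subj.get("kind"), subj.get("name")) not in BROAD_SUBJECTS:
                continue
            if role == "cluster-admin":
                severity = "critical"   # the binding GKE 1.28+ refuses
            elif role in DEFAULT_ROLES:
                severity = "default"
            else:
                severity = "review"     # custom grant to everyone: inspect the role
            findings.append({
                "severity": severity,
                "kind": item.get("kind"),
                "binding": meta.get("name"),
                "namespace": meta.get("namespace", "<cluster-wide>"),
                "role": role,
                "subject": subj.get("name"),
            })
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


# Constructed sample data (binding names and namespaces are made up).
SAMPLE = json.loads("""
{"items": [
  {"kind": "ClusterRoleBinding", "metadata": {"name": "system:discovery"},
   "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "RoleBinding", "metadata": {"name": "ci-secrets", "namespace": "build"},
   "roleRef": {"kind": "Role", "name": "secret-reader"},
   "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"},
                {"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "alice@example.com"}]},
  {"kind": "RoleBinding", "metadata": {"name": "empty", "namespace": "dev"},
   "roleRef": {"kind": "Role", "name": "viewer"}, "subjects": null}
]}
""")

if __name__ == "__main__":
    for f in audit_bindings(SAMPLE):
        print(f"{f['severity']:8} {f['kind']:18} {f['namespace']}/{f['binding']} "
              f"-> {f['role']} (subject {f['subject']})")
```

To audit a real cluster, replace `SAMPLE` with the parsed JSON output of the kubectl command named above.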