Linux Kernel Security Update Linux Kernel Security Update The Linux kernel security update is available today. The update, version 3.12.71-5, contains fixes for several issues, including a potential security issue with the networking subsystem and a problem with the page fault handler. The particular security issue that is being fixed is a potential elevation of privilege issue in the networking subsystem. If a user were to exploit this issue, they could gain access to resources on the system that they should

But that has changed—is changing—the role of the maintainers of all of that code; when "critical" infrastructure uses code from a FOSS project, suddenly, and perhaps without warning, that code itself becomes critical. Authentication using 2FA is not currently required for any packages, but PyPI plans to require it for maintainers of critical projects " ". Roughly 3500 projects have been identified in this manner and the maintainers of those projects are being offered a free security key to help them set up two-factor authentication (2FA) for their PyPI accounts. I'll need to confer with other contributors on a way forward, but probably it's to either help python-daemon maintainers replace their use of lockfile, or help ansible-runner maintainers replace their use of python-daemon. As more critical projects are identified, it is likely we will see more conflicts of this nature. There are multiple efforts these days to identify the most critical dependencies and to provide assistance to those projects so that they do not end up in the position of a pre-Heartbleed OpenSSL—or represent that one project in the classic xkcd. But many maintainers of that software are volunteers who did not set out to become beholden to the needs of large companies and organizations when they released their code, they were just scratching their itch—now lots of others are clamoring for theirs to be scratched as well. That, of course, has its own risk, in that a critical package may not be able to get the update it needs for some serious vulnerability because its maintainers failed to sign up for 2FA. (). Continue reading.

Related Hacker News news

You may also be interested in Engine Birds Work Algorithm The Monitor Nokia AMNH Year In Review