Я уже писал, что выступаю осенью на двух конфах

- На SafeCode (online) с воркшопом https://safecodeconf.ru/talks/aae5116ee0fc4c8f8b921ebb46a14231/
- На DevOops (online+offline) с докладом https://devoops.ru/talks/c6ba44b7c18b411f9753c06873cc606e/

Если кто хочет, но ещё в раздумьях, то напишите в личку (@rusdacent) попробую помочь со скидкой на билет.

9.4 CRITICAL

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

https://nvd.nist.gov/vuln/detail/CVE-2024-9264

PoC

This PoC demonstrates the exploitation of CVE-2024-9264 using an authenticated user to perform a DuckDB SQL query and read an arbitrary file on the filesystem.

https://github.com/nollium/CVE-2024-9264

Спасибо подписчику за ссылку

Тут внутри bitwarden что-то происходит 🌝

Пару дней назад создали issue

Desktop version 2024.10.0 is no longer free software
https://github.com/bitwarden/clients/issues/11611

Краткая суть её в том, не смотря на то что клиент opensource, но теперь не собирается без проприетарного компонента bitwarden-sdk.

На это Kyle Spearrin, CTO Bitwarden, ответил (xxkylexx, ник на Reddit)

However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility. 

- the SDK and the client are two separate programs
- code for each program is in separate repositories
- the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

https://www.reddit.com/r/Bitwarden/comments/1g7uwa2/comment/lstss5i/

Но в issue, которую я указал выше, так же вспомнили о лицензии, которую меняли летом
https://github.com/bitwarden/sdk/issues/898. Хотя теперь и туда, под закрытую issue, опять пришли с вопросами и заявлениями 🌝

> From Bitwarden's response, we can tell that they are willing to suppress freedom of speech at all costs in order to keep the software closed-source.
https://github.com/bitwarden/sdk/issues/898#issuecomment-2425011669

Ответ развёрнутый по лицензии дан в этом комментарии (со ссылками на Reddit)
https://github.com/bitwarden/sdk/issues/898#issuecomment-2425052091

В vaultwarden, альтернативной реализации серверной части Bitwarden, есть обсуждение, но пока там спокойно достаточно
https://github.com/dani-garcia/vaultwarden/discussions/5115

За наводку спасибо подписчику

🫡

Неделю назад в IDE выскочило сообщение, что у меня закончилась лицензия, хотя я точно знал что она оплачена на несколько месяцев вперед.

Компания JetBrains начала блокировать оплаченные лицензии пользователей, находящихся на территории РФ
https://habr.com/ru/news/852254/

Ну это было ожидаемо после этих новостей

https://xn--r1a.website/tech_b0lt_Genona/4545
https://xn--r1a.website/tech_b0lt_Genona/4655

https://lore.kernel.org/linuxppc-dev/CAHk-=wiUaWnHGgusaMOodypgm7bVztMVQkB6JUvQ0HoYJqDNYA@mail.gmail.com/

Вот, и Линус тоже считает их "ненастоящими"!

"Honestly, I'm pretty damn fed up with buggy hardware and completely theoretical attacks that have never actually shown themselves to be used in practice.

So I think this time we push back on the hardware people and tell them it's *THEIR* damn problem, and if they can't even be bothered to say yay-or-nay, we just sit tight.

Because dammit, let's put the onus on where the blame lies, and not just take any random shit from bad hardware and say "oh, but it *might* be a problem""

Безопастность такая безопастность.

У меня в сборках ядра mitigations=off на уровне кода, чтобы даже случайно не пролезло - https://github.com/pg83/ix/blob/main/pkgs/bin/kernel/t/2/ix.sh#L21

🫡

Removal of (mostly Russian) email addresses from MAINTAINERS

Posted Oct 21, 2024 13:57 UTC (Mon) by paulbarker (subscriber, #95785)
Parent article: Kernel prepatch 6.12-rc4

This was merged for v6.12-rc4: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/...
"Remove some entries due to various compliance requirements. They can come
back in the future if sufficient documentation is provided."

I guess this is something to do with sanctions, but I think the folks removed from the MAINTAINERS file deserve a little more informative notice than that!

https://lwn.net/Articles/994868/

Коммит
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6e90b675cf942e50c70e8394dfb5862975c3b3b2

🫡

Stiver, ты был хорош.

Согласно его последней публикации, Stiver ушёл из жизни с помощью эвтаназии, разрешённой в Германии. «Если не отпишусь в понедельник, значит сработало :)», — сказано в сообщении.

Умер создатель онлайн-библиотеки Flibusta
https://www.fontanka.ru/2024/10/22/74242946/

This is very vague...
What are "various compliance requirements"?
What does "sufficient documentation" mean?

I can guess, but I think it's better to spell out the rules, as Linux kernel development is done "in the open".  I am also afraid this is opening the door for further (ab)use...

This patch is one such instance where we find ourselves questioning the  legitimacy and indeed, the feasibility, of an international, open, and  open source project. Vagueness breeds distrust.

It's not difficult to deduce what the "various compliance requirements" are and I'm sure Greg is aware of this. The Linux Foundation, if interested in continuing their governance role over the Linux kernel, should be ready to explain themselves over this decision. Greg and Linus, I'm not sure if I'm ready to believe that this is supposed to be a political show - but if this is the case, please leave the ground for the Foundation - they should be the one responsible and receiving the scrutiny (or insult, as I'm sure many - myself included - find this patch insulting).

So I repeat - call the decision-makers out and ask for their explanation.

Haha, I received a similar off-list reply.

I deeply sympathize with Greg-kh's situation and his unspoken difficulties, although I don't understand why the MAINTAINERS file, as part of the kernel code, should be off-limits to non-maintainer developers, especially when this clearly isn't just about 'modifying the MAINTAINERS file.'

If any Linux developer tacitly approves of this, they're essentially giving a green light to some shady political actors from a certain country to coerce people into betraying it's constitution.

That's absurd. Again, my heart goes out to all (including Greg-kh) that affected by this.

I mean no offense to anyone, but this action will completely destroy the trust that developers worldwide have in the Linux kernel project and the entire Linux Foundation, and the politicians forcing you to do this 
clearly don't care about that.

To avoid becoming pawns in a political game and to prevent alienating all the developers who have contributed to the Linux kernel, I sincerely suggest that you maintainers revert this commit and promise not to do something like this again.

And I urge everyone who agrees that this is unreasonable to reply to "[PATCH] Revert "MAINTAINERS: Remove some entries due to various compliance requirements." with their own "Reviewed-by".

Remember: What sets humans apart from animals is our undying spirit of resistance. We cannot be domesticated or tamed by others.

Finally, I'd like to share a quote from Norse mythology: Only warriors who die in battle are worthy of entering Valhalla.

Эти и другие сообщения в мэйл листах
https://lore.kernel.org/all/CpPiTF0xZwq_zhrYVO2pCA9TxAmJi_zwVBmyl9Z1RHKCjgf332fcmsc86C_1CMaZPNLlIDcvqOIWa1vR2lr2qMaZpcyIisxLqL1IVvq9ZNQ=@proton.me/T/#u

🫡

$ curl -s -w "%{http_code}" https://us.download.nvidia.com/Windows/566.03/566.03-notebook-win10-win11-64bit-international-dch-whql.exe

403

При открытии окна загрузки на официальном сайте Nvidia, в сообщении говорится, что запрос заблокирован файерволом Edgecast WAF.

В сентябре 2022 года правительство США проинформировало американскую компанию Nvidia о введении новых лицензий на экспорт в отношении Китая и России.

Nvidia запретила россиянам обновлять видеокарты
https://www.bfm.ru/news/560584

UPD:
https://xn--r1a.website/tech_b0lt_Genona/4756

Линус отписался

Ok, lots of Russian trolls out and about.

It's entirely clear why the change was done, it's not getting reverted, and using multiple random anonymous accounts to try to "grass root" it by Russian troll factories isn't going to change anything.

And FYI for the actual innocent bystanders who aren't troll farm accounts - the "various compliance requirements" are not just a US thing.

If you haven't heard of Russian sanctions yet, you should try to read the news some day. And by "news", I don't mean Russian state-sponsored spam.

As to sending me a revert patch - please use whatever mush you call brains. I'm Finnish. Did you think I'd be *supporting* Russian aggression? Apparently it's not just lack of real news, it's lack of history knowledge too.

https://lore.kernel.org/all/CAHk-=whNGNVnYHHSXUAsWds_MoZ-iEgRMQMxZZ0z-jY4uHT+Gg@mail.gmail.com/

Этот пост я давно хотел написать, но чо та всё никак не получалось нормально засесть за него. А тут на волне приключений с ядром Linux (https://xn--r1a.website/tech_b0lt_Genona/4750, https://xn--r1a.website/tech_b0lt_Genona/4754) вроде как и в тему что ли.

Несколько лет назад на базе ИСП РАН (https://www.ispras.ru/) была создана инициативная группа, которая в конце 2023 года выросла в "Центр исследований безопасности системного программного обеспечения".

https://portal.linuxtesting.ru/ (сертификат Минцифры)

Основной целью центра является повышение безопасности ядра Linux

На данный момент список патчей в ядро Linux равен 420 (список положу ещё отдельно в комментарии). Для понимания темпов с марта по октябрь было отправлено около 100 патчей.

https://portal.linuxtesting.ru/LVCImprovements.html#fixed-bugs

В рамках рабочих групп проводятся:

- Статический анализ
- Системное и модульное тестирование
- Фаззинг-тестирование
- Анализ помеченных данных
- и т.д.

Сейчас центр уже перерос ядро Linux и созданы группы по разным направлениям. Например:

- Qemu
- Nginx
- libvirt
- runc
- .NET6/8
- NodeJS

Полный список доступен тут (сертификат не Минцифры)

В телеге есть канал информирующий о найденных проблемах и их статусе в рамках продуктов - @sdl_for_upstream

Отмена

$ curl -s -w "%{http_code}" https://us.download.nvidia.com/Windows/566.03/566.03-notebook-win10-win11-64bit-international-dch-whql.exe

200

Ох уж эти ебучие кеширующие сервера. Управы на них нет.

Как сообщил глава Роскомнадзора Андрей Липов в кулуарах конференции «Спектр-2024», служба фиксирует падение трафика у YouTube на сетях фиксированной связи. Он связал это с работой установленных на этих сетях кеширующих серверов Google (Google Global Cache, GGC). «У Google в России было очень много серверов: практически каждый узел, где достаточно много абонентов, был присоединен к серверу GGC. Компания эти серверы перестала поддерживать с момента, как ушла из России, и никто в них не вкладывается. Серверы деградируют, где-то выключились. Мы видим падение трафика в сторону YouTube в первую очередь на сетях фиксированной связи», — рассказал Липов. То, что на мобильных сетях трафик YouTube остался прежним, по его мнению, может быть связано с тем, что рядом с узлами сотовых операторов Google могла устанавливать «более мощные серверы».

> 23 окт, 17:31
https://www.rbc.ru/technology_and_media/23/10/2024/6718fc469a7947f3be50635b

> * linux: Goodbye from a Linux community volunteer
> @ 2024-10-24 4:27 Serge Semin

Hello Linux-kernel community,

I am sure you have already heard the news caused by the recent Greg' commit 6e90b675cf942e ("MAINTAINERS: Remove some entries due to various compliance requirements."). As you may have noticed the change concerned some of the Ru-related developers removal from the list of the official kernel maintainers, including me.

The community members rightly noted that the _quite_ short commit log contained very vague terms with no explicit change justification. No matter how hard I tried to get more details about the reason, alas the senior maintainer I was discussing the matter with haven't given an explanation to what compliance requirements that was. I won't cite the exact emails text since it was a private messaging, but the key words are "sanctions", "sorry", "nothing I can do", "talk to your (company) lawyer"... I can't say for all the guys affected by the change, but my work for the community has been purely _volunteer_ for more than a year now (and less than half of it had been payable before that). For that reason I have no any (company) lawyer to talk to, and honestly after the way the patch has been merged in I don't really want to now. Silently, behind everyone's back, _bypassing_ the standard patch-review process, with no affected developers/subsystem notified - it's indeed the worse way to do what has been done. No gratitude, no credits to the developers for all these years of the devoted work for the community. No matter the reason of the situation but haven't we deserved more than that? Adding to the GREDITS file at least, no?..

I can't believe the kernel senior maintainers didn't consider that the patch wouldn't go unnoticed, and the situation might get out of control with unpredictable results for the community, if not straight away then in the middle or long term perspective. I am sure there have been plenty ways to solve the problem less harmfully, but they decided to take the easiest path. Alas what's done is done. A bifurcation point slightly initiated a year ago has just been fully implemented. The reason of the situation is obviously in the political ground which in this case surely shatters a basement the community has been built on in the first place. If so then God knows what might be next (who else might be sanctioned...), but the implemented move clearly sends a bad signal to the Linux community new comers, to the already working volunteers and hobbyists like me.
. . . 

I also wish to say huge thanks to the community members trying to defend the kicked off maintainers and for support you expressed in these days. It means a lot.

A little bit statics of my kernel-work at the end:

Signed-off patches:    518
Reviewed and Acked patches:  253
Tested patches:      80

You might say not the greatest achievement for seven years comparing to some other developers. Perhaps. But I meant each of these tags, be sure.

I guess that's it. If you ever need some info or consultation regarding the drivers I used to maintain or the respective hardware or the Synopsys IP-cores (about which I've got quite comprehensive knowledge by this time), feel free to reach me out via this email. I am always willing to help to the community members.

Hope we'll meet someday in more pleasant circumstances and drink a couple or more beers together. But now it's time to say good bye. Sorry for a long-read text. I wish good luck on your Linux-way.

Полностью текст письма доступен тут
https://lore.kernel.org/netdev/2m53bmuzemamzc4jzk2bj7tli22ruaaqqe34a2shtdtqrd52hp@alifh66en3rj/T/#mdef37a4707eca10bf6e3a58271d28767d280c5ee

Дорогие подписчики!

Я понимаю, что последние сообщения по теме разработки ядра Linux вызвали бурную реакцию, но большая просьба не тащить сюда политоту (ну или хотя бы не устраивать философский кружок у меня в комментах).

Я в течении часа, если не больше, разбирался во всём написанном, что бы хоть как-то привести комменты в порядок.

Срачи технические по прежнему максимально одобряю 🌝

From: Aleksandr Mezin @ 2024-10-23 20:12 UTC (permalink / raw)

I'm a Russian troll. So remove myself from the maintainers list.

Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>
---
Never did a good job as a driver maintainer anyway.

Maybe Jonas Malaco or Aleksa Savic will be interested in picking up
the driver.

Apologies for any inconvenience.
. . .

I'm Russian. Whether I'm a troll or not - depends on your perception,
I guess. After reading recent emails on the topic, I decided I don't
want to contribute anymore.

I haven't been that active, it was just a hobby, sending a small patch
from time to time. I think you'll not lose much. After all, maybe I
should have been removed anyway - but was overlooked because my e-mail
isn't on a ".ru" domain.
. . .
Could you remove me correctly with a patch description that you like,
please? I can't make up anything good-looking and non-political. And
I'm not going to submit any patches anymore. Sorry.

https://lore.kernel.org/all/CADnvcf++bWv=Ohwc=dwSA-Hy5_G3jNS5hjWgA_-yx5HSiS1f4A@mail.gmail.com/T/#t

ЗЫ

Там уже понеслось

Господи, спаси и сохрани раба Твоего заблуждшего Линуса и ближних его во веки веков; аминь!

https://lore.kernel.org/all/20241024095339.GA32487@imap.altlinux.org/

Grandpa, take the pills or you'll get your ass kicked.

Дед, пей таблетки, а не то получишь по жопе

https://lore.kernel.org/all/3448a096-849a-4f61-8017-c03a83e22c38@gmail.com/

Извините, но пока у меня других новостей для вас нет

Follow 6e90b67, remove some entries due to various compliance requirements. They cannot come back in the future as huawei is sanctioned by most freedom countries in the world.

Update MAINTAINERS #988
https://github.com/torvalds/linux/pull/988

We finally got clearance to publish the actual advice:

   If your company is on the U.S. OFAC SDN lists, subject to an OFAC sanctions program, or owned/controlled by a company on the list, our ability to collaborate with you will be subject to restrictions, and you cannot be in the MAINTAINERS file.

> What are "various compliance requirements"?
> What does "sufficient documentation" mean?

The documentation Greg is looking for (which a group of Lawyers at the LF will verify) is that someone in the removed list doesn't actually work for an OFAC SDN sanctioned entity.

> I can guess, but I think it's better to spell out the rules, as Linux
> kernel development is done "in the open". I am also afraid this is
> opening the door for further (ab)use...

I agree we should have been more transparent about this but I think it would be hard for someone other than Greg to get a Maintainer removed on the "compliance issue" grounds so it's probably not that open to
abuse.

https://lore.kernel.org/all/7ee74c1b5b589619a13c6318c9fbd0d6ac7c334a.camel@HansenPartnership.com/

OFAC (Office of Foreign Assets Control) это подразделение Минфина США, которое, собственно, за санкции (и не только) и отвечает.

Искать нужные компании можно тут
https://sanctionssearch.ofac.treas.gov/
+
Теперь в мейл листах пришли спрашивать за Huawei. Мол, почему они есть в списке, а их не выпиливают
https://sanctionssearch.ofac.treas.gov/Details.aspx?id=30947

Продолжаем наблюдение 🌝