pnutzh4x0r

joined 1 year ago
 

The Linux Mint 22.1 distribution was slated for release in December 2024 with a revamped Cinnamon theme and better package management.

Slated for release in December 2024, near the Christmas holidays, Linux Mint 22.1 will ship with the soon-to-be-released Cinnamon 6.4 desktop environment featuring a revamped theme that’s much darker and contrasted than before, rounded elements, redesigned dialogs, and a gap between the applets and the panel.

More from the Mint Monthly News: September 2024

The transition towards Aptkit and Captain is now finished. Starting with Linux Mint 22.1, set to be released this December, none of our projects will depend on aptdaemon, synaptic, gdebi or apturl anymore.

 

Exploit of a combination of several bugs - Overhyped but not that severe - Fixes already available

...

Canonical’s security team has acted immediately to quickly apply the patches which Michael Sweet (author and maintainer of CUPS) had already prepared for CUPS, cups-browsed, libcups-filters, libppd, and cups-filters (in the time from the first report until then I was some days off and I was also on the Open Source Summit Europe, thanks, Michael Sweet, for stepping in, also thanks to Zdenek Dohnal from Red Hat) to the appropriate in all supported Ubuntu versions, so that at the time of disclosure most fixes were already in place. They also reported in an Ubuntu blog. They tell users what to do, from turning off cups-browsed or at least its legacy CUPS browsing support to updating their systems as the fixes were already available. Thanks a lot to Seth Arnold, Marc Deslauriers, Diogo Sousa, Mark Esler, Luci Stanescu, and more.

...

The X post really overhyped the vulnerability. Attacks from the internet are not very probable due to the fact that servers on the internet do not have cups-browsed and CUPS installed and CUPS/cups-browsed setups are there usually only in NAT-protected local networks with desktop machines and print servers. And the remote code execution is also rather restricted, as CUPS filters are not running as root, but as the system user “lp” which cannot even read user’s home directories. In addition, the remote code execution only happens when a user actually prints a job on the fake printer. Actually assigned scores ended up between 8.4 and 9.1.

[–] pnutzh4x0r@lemmy.ndlug.org 9 points 1 week ago* (last edited 1 week ago)
 

There's been talk of this unauthenticated RCE vulnerability coming with a CVSS 9.9 rating but none of the technical details were publicly known until it was made public just now at the top of the hour. Simone Margaritelli discovered this vulnerability and has shared a write-up around this potentially very impactful Linux vulnerability.

This vulnerability, fortunately, doesn't affect the Linux kernel but rather CUPS... The print server commonly used on Linux systems and other platforms.

...

From Attacking UNIX Systems via CUPS, Part I:

"A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer)."

...

This remote code execution issue can be exploited across the public Internet via a UDP packet to port 631 without needing any authentication, assuming the CUPS port is open through your router/firewall. LAN attacks are also possible via spoofing zeroconf / mDNS / DNS-SD advertisements.

Besides CUPS being used on Linux distributions, it also affects some BSDs, Oracle Solaris, Google Chrome OS, and others.

As of writing there is no Linux fix available for this high profile security issue. In the meantime it's recommended to disable and remove the "cups-browsed" service, update CUPS, or at least block all traffic to UDP port 631.
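The mitigations named in the posts above (turning off cups-browsed's legacy CUPS browsing, blocking UDP port 631) can be verified with a short audit script. This is an added example, not code from the quoted articles or the poster: the function names are hypothetical, the sample inputs are constructed, and it assumes the `BrowseRemoteProtocols` / `BrowseProtocols` directives of `cups-browsed.conf` and the column layout of `ss -H -uln`.

```shell
#!/bin/sh
# Audit helpers for the cups-browsed mitigations (added example).
# On a real host, feed them /etc/cups/cups-browsed.conf and `ss -H -uln`.

# Reads a cups-browsed.conf on stdin and prints:
#   enabled  - the last browse-protocol directive lists legacy "cups" browsing
#   disabled - a directive is present and does not list "cups" (e.g. "none")
#   unset    - no directive found; the compiled-in default then applies
legacy_browsing_state() {
    awk '
        /^[[:space:]]*#/ { next }   # ignore commented-out directives
        tolower($1) == "browseremoteprotocols" || tolower($1) == "browseprotocols" {
            state = "disabled"
            for (i = 2; i <= NF; i++)
                if (tolower($i) == "cups") state = "enabled"
        }
        END { print (state == "" ? "unset" : state) }
    '
}

# Reads `ss -H -uln` output on stdin; exit status 0 if any UDP socket is
# bound to port 631 (IPv4 or IPv6), 1 otherwise.
udp_631_listening() {
    awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /:631$/) found = 1 }
        END { exit !found }
    '
}

# Constructed sample inputs, not captured from a real system.
SAMPLE_CONF='# cups-browsed.conf (constructed sample)
BrowseRemoteProtocols dnssd cups'
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'

state=$(printf '%s\n' "$SAMPLE_CONF" | legacy_browsing_state)
echo "legacy CUPS browsing: $state"
if printf '%s\n' "$SAMPLE_SS" | udp_631_listening; then
    echo "UDP 631 is bound: stop cups-browsed or block the port"
else
    echo "no UDP listener on port 631"
fi
```

A result of `unset` means no directive was found, so the shipped default decides and the service or firewall state should be checked directly.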

 

cross-posted from: https://lemmy.ndlug.org/post/1167059

COSMIC’s Alpha 2 release builds upon that work with functionality built out for Files, additional Settings pages, considerable infrastructure work for screen reader support+, and some highly requested window management features. System76 is ecstatic at the level of excitement and collaboration so far with alpha testers and early app & applet developers, and we look forward to seeing what comes from these new additions.

...

The second COSMIC alpha will be released on September 26th. Those participating in Alpha 1 on Pop!_OS can simply update through the COSMIC App Store to transition. This alpha will be followed by monthly alpha releases until all core features have been built out.


 

In the second finding of the 2024 Tidelift state of the open source maintainer survey, we found that the more maintainers are paid, the more improvements they make to their projects.

...

In the previous finding, we reported that 60% of maintainers describe themselves as unpaid hobbyists, and 36% of maintainers describe themselves as paid (professional or semi-professional) maintainers, earning some or all of their income from their open source work.

...

When you break down the paid maintainers into professional (earning most or all of their income from their maintenance work) and semi-professional (earning some of their income from maintaining projects), it becomes clear that the amount of money a maintainer is making for their work has a large impact on the types of improvements they are able to make. Across nearly all major categories, professional maintainers are on average over 20 percentage points more likely to make key improvements to their projects than semi-professional maintainers.

...

In the previous study, 81% of professional maintainers earning most or all of their income from maintaining projects spend more than 20 hours a week maintaining their projects. This year, the percentage was nearly identical (82%).

Conversely, in last year’s survey, we found that the vast majority of unpaid hobbyists spend ten hours or less per week on their maintenance work (81%). This percentage also stayed consistent in this year’s survey, with 78% of unpaid hobbyist maintainers working ten hours or less per week.

...

We’ve heard from many maintainers that how they are paid for their work also matters. For many maintainers there is a huge difference between getting a one-time “airdrop” of money, perhaps right after a high profile incident where people are paying attention to their projects, compared to ongoing recurring income that they can count on. So this year for the first time we asked maintainers to tell us whether they would prefer to get predictable monthly income or a one-time lump payment.

An overwhelming majority of maintainers prefer to receive predictable monthly income, with 81% choosing that option.

 

Element is launching the world’s first communications platform based on the upcoming Matrix 2.0 release. The result is blazing performance which outperforms the mainstream alternatives - across a decentralised system that enables self-hosting and end-to-end encryption - as well as open standard interoperability to revolutionise real time communication between large organisations.

Built on Matrix 2.0, Element X now rivals the performance of centralised consumer messaging apps, empowering organisations to address the shadow IT issues caused by consumer-grade messaging apps in the workplace.

The new Element communications solution consists of:

  • Element X, our next-gen app with an array of new features
  • Element Call fully integrated into Element X, for native Matrix-encrypted voice and video
  • Element Server Suite, our backend hosting solution for powerful admin control and Matrix 2.0 performance

[–] pnutzh4x0r@lemmy.ndlug.org 67 points 2 weeks ago

This is a great summary. Thanks!

 

Linus Torvalds speaks on the divide between Rust and C Linux developers and the future of Linux. Will things like fragmentation among the open source community hurt the Linux Kernel? We'll listen to the Creator of Linux.

For the full keynote, check out: Keynote: Linus Torvalds in Conversation with Dirk Hohndel

The Register's summary: Torvalds weighs in on 'nasty' Rust vs C for Linux debate

[–] pnutzh4x0r@lemmy.ndlug.org 19 points 2 weeks ago (6 children)

It looks like you are running XFCE instead of GNOME (the normal Ubuntu desktop). I'm not sure how that happened... but you can always just install another desktop.

For instance, you can try to make sure you have the ubuntu-desktop or ubuntu-desktop-minimal metapackage installed:

sudo apt install ubuntu-desktop-minimal

After that, the login manager should allow you to select the Ubuntu session rather than the XFCE one.

[–] pnutzh4x0r@lemmy.ndlug.org 6 points 3 weeks ago

Still using mutt after two decades (with isync for fetching).

[–] pnutzh4x0r@lemmy.ndlug.org 4 points 3 weeks ago

Yes, based on the diagrams on their blog, it looks like this only impacts Snaps.

[–] pnutzh4x0r@lemmy.ndlug.org 12 points 3 weeks ago (2 children)

From the Discourse Blog:

The Linux desktop provides XDG Desktop Portals as a standardised way for applications to access resources that are outside of the sandbox. Applications that have been updated to use XDG Desktop Portals will continue to use them. Prompting is not intended to replace XDG Desktop Portals but to complement them by providing the desktop an alternative way to ask the user for permission. Either when an application has not been updated to use XDG Desktop Portals, or when it makes access requests not covered by XDG Desktop Portals.

Since prompting works at the syscall level, it does not require an application’s awareness or cooperation to work and extends the set of applications that can be run inside of a sandbox, allowing for a safer desktop. It is designed to enable desktop applications to take full advantage of snap packaging that might otherwise require classic confinement.

So this looks like it complements and not replaces the XDG Desktop Portals, especially for applications that have not implemented the Portals. It allows you to still run those applications in confinement while providing some more granular access controls.

 

cross-posted from: https://lemmy.ndlug.org/post/1104312

The upcoming Ubuntu 24.10 operating system promises a new feature called “permissions prompting” for an extra layer of privacy and security.

The new permissions prompting feature in Ubuntu will let users control, manage, and understand the behavior of apps running on their machines. It leverages Ubuntu’s AppArmor implementation and enables fine-grained access control over unmodified binaries without having to change the app’s source code.

From Ubuntu Discourse: Ubuntu Desktop’s 24.10 Dev Cycle - Part 5: Introducing Permissions Prompting

This solution consists of two new seeded components in Ubuntu 24.10, prompting-client and desktop-security-center alongside deeper changes to snapd and AppArmor available in the upcoming snapd 2.65. The first is a new prompting client (built in Flutter) that surfaces the prompt requests from the application via snapd. The second is our new Security Center:

In this release the Security Center is the home for managing your prompt rules, over time we will expand its functionality to cover additional security-related settings for your desktop such as encryption management and firewall control.

...

With prompting enabled, an application that has access to the home interface in its AppArmor profile will trigger a request to snapd to ask the user for more granular permissions at the moment of access:

As a result, users now have direct control over the specific directories and file paths an application has access to, as well as its duration. The results of prompts are then stored in snapd so they can be queried and managed by the user via the Security Center.

[–] pnutzh4x0r@lemmy.ndlug.org 4 points 3 weeks ago

I used to use VLC for music, but these days I use Symphony to play local files on my phone. VLC tended to struggle when scanning or indexing large folders (which it did all the time...), while Symphony is a bit better at that. That said, I still use VLC for video and for casting things from my DLNA server (VLC supports Chromecast).

For ebooks, I've used Librera FD and that has been mostly OK. I'll check out the two you mentioned though. Thanks!

 

How does Linux move from an awake machine to a hibernating one? How does it then manage to restore all state? These questions led me to read way too much C in trying to figure out how this particular hardware/software boundary is navigated.

 

elementary OS may not be as popular as it used to be.

That being said, elementary OS 8 release is still on the horizon with some useful changes based on Ubuntu 24.04 LTS.

...

However, amidst disagreement between co-founders during the pandemic in 2022, co-founder Cassidy quit the elementary OS team.

Right after that, the development pace took a big hit, and we saw elementary OS 7 being released almost a year after Ubuntu 22.04 LTS came up.

...

A good indicator about its development activity is its upcoming major release, elementary OS 8, based on Ubuntu 24.04 LTS.

I took a sneak peek at it using the daily build, and elementary OS 8 is almost ready to have an RC release.

...

You can expect things like:

  • The settings app handles system updates (instead of AppCenter)
  • AppCenter is now Flatpak only
  • New toggle menu icon giving you easy access to the screen reader, onscreen keyboard, font size, and other system settings
  • WireGuard VPN support

[–] pnutzh4x0r@lemmy.ndlug.org 18 points 4 weeks ago (1 children)

I think you meant Pop!_OS (which is developed by System76). TuxedoOS is developed by Tuxedo Computers, which is a European Linux focused hardware company.

That said, the point stands... there are hardware companies making Linux supported devices.

 

I have completed an initial new port of systemd to musl. This patch set does not share much in common with the existing OpenEmbedded patchset. I wanted to make a fully updated patch series targeting more current releases of systemd and musl, taking advantage of the latest features and updates in both. I also took a focus on writing patches that could be sent for consideration of inclusion upstream.

The final result is a system that appears to be surprisingly reliable considering the newness of the port, and very fast to boot.

...

And that is how I became the first person alive to see systemd passing its entire test suite on a big-endian 64-bit PowerPC musl libc system.

...

While the system works really well, and boots in 1/3rd the time of OpenRC on the same system, it isn’t ready for prime time just yet.

...

There aren’t any service unit files written or packaged yet, other than OpenSSH and utmps. We are working with our sponsor on an effort to add -systemd split packages to any of the packages with -openrc splits. We should be able to rely on upstream units where present, and lean on Gentoo and Fedora’s systemd experts to have good base files to reference when needed. I’ve already landed support for this in abuild.

This work is part of Adélie Linux

 

For those unfamiliar with it, power-profiles-daemon is a low-level component to provide power handling over DBus. Ever used the Power Mode options in the Quick Settings menu in GNOME Shell? Those options interface through this.

From 0.22 Release Notes:

Since this release power-profiles-daemon is also battery-level aware and some drivers use this value to be smarter at tuning their optimizations. In particular both the AMD panel power action now uses a progressive approach, changing the ABM based on the battery percentage.

AMD p-state received various features and improvements:

  • it supports core performance boost when not in power-saver mode.
  • uses minimum frequency to lowest non-linear frequency
  • it is more impervious to faulty firmware and kernel bugs

This should be included in the upcoming Ubuntu 24.10 release.

[–] pnutzh4x0r@lemmy.ndlug.org 6 points 1 month ago (1 children)

I've been using Weechat-Android to connect to my self-hosted Weechat for over a decade. This is one of the killer mobile apps that keeps me on Android and I love it.

I also have a couple instances of thelounge that people use on mobile via the PWA (progressive web app).

[–] pnutzh4x0r@lemmy.ndlug.org 11 points 1 month ago

Coincidentally, I received a firmware (EFI) update from Dell today via LVFS. Really nice that it works so smoothly on native Linux (no more manually downloading firmware to USB drives, or relying on Windows).

[–] pnutzh4x0r@lemmy.ndlug.org 2 points 1 month ago

+1 For xournal++. That is what I usually use for annotating slides and drawing with my wacom tablet.

[–] pnutzh4x0r@lemmy.ndlug.org 6 points 1 month ago

I agree that the amount of work for many students can get quite out of hand and to be honest when I first started teaching, I was pretty guilty of having very work intensive courses.

That said, over the years, I've worked to streamline my courses to only have what I believe to be absolutely critical to learning and have added a lot of scaffolding and automated tests (for immediate results). In general, I try to have no busy work and make sure every assignment is meaningful (as much as it can be anyway).

Additionally, because I understand that sometimes life happens, I have built-in facilities for automatic extensions for assignments and even have a system for dropping certain homeworks.

This is not to say that there isn't work in my classes... it's just that the work is intended to be relevant and reasonable, which most students seem to agree with these days.

I think students should be expected to work less over a longer period of time.

I think this would be a great idea. Or rather, I think it would be great to allow students to learn at different rates... some may want to go faster, some may want or need to go slower.

I think the modern course-based education system is often too rigid and not flexible enough to adequately accommodate the needs of students with different experience levels, resources, or constraints. Something like a Montessori model would be a lot better IMHO.
