
LINUX IN THE NEWS

Hunting for Kernel Glitches, DevSec Tools, Edge for Linux, More Ubuntu Outlets


Today LinuxInsider introduces a bimonthly news column to summarize some of the Linux and open-source consumer and enterprise events scattered around the Linux Sphere.

Look forward to an assortment of topics that will keep Linux users and open-source supporters up to speed with new developments. We will cover items of interest for Linux desktop users, distro hoppers, software developers, and, well, anyone considering a migration to the Linux computing platform.

Let’s get started.

Google Ups Ante for Linux Kernel Vulnerabilities

Google has been pushing to increase security efforts in recent months with numerous announcements in support of Linux kernel security. Eduardo Vela, a member of Google’s Bug Hunters Team, announced on Nov. 1 in a security blog post that until Jan. 31, 2022, Google will pay security researchers higher bounties for exploiting both patched and unpatched vulnerabilities in Google’s lab environment.

Researchers who succeed in presenting a working exploit will receive a bounty. The goal is to perform a privilege escalation with a patched vulnerability, to use a previously unpatched vulnerability, or to demonstrate a new exploit technique. For the next three months, Google will build on top of its bounty hunting program from last year by tripling the previous reward amounts.

“We are constantly investing in the security of the Linux Kernel because much of the internet, and Google — from the devices in our pockets, to the services running on Kubernetes in the cloud — depend on the security of it. We research its vulnerabilities and attacks, as well as study and develop its defenses,” wrote Vela.

This increased bounty award is the latest effort to expand Google’s partnership with the open-source security community to foster greater security and safety on the Internet.

The base reward for each publicly patched vulnerability is US$31,337 for one exploit per vulnerability. The reward can go up to $50,337 in two cases: one, if the vulnerability was otherwise unpatched in the kernel (a zero-day), and two, if the exploit uses a new attack or technique, as determined by Google.

See Vela’s blog for details on the mechanics of participating in the rewards program.

Open Source Devs Gain Access to New, Free Security Tools

The Linux Foundation on Nov. 2 announced an enhanced, free LFX Security platform. The goal is to enable coders on open-source projects to secure their code and reduce non-inclusive language.

The LFX platform hosts community tools for security, fundraising, community growth, project health, mentorship, and more. It supports projects and empowers open-source teams to write better, more secure code, drive engagement, and grow sustainable ecosystems.

The LFX Security module now includes automatic scanning for secrets-in-code and non-inclusive language, adding to its existing comprehensive automated vulnerability detection capabilities.

Software security firm BluBracket contributed this functionality to open-source software projects under LFX as part of its mission to make software safer and more secure.

This functionality builds on contributions from security developer firm Snyk to make LFX the leading vulnerability detection platform for the open-source community, according to the Linux Foundation.

The need for community-supported and freely available code scanning is clear, especially in light of recent attacks on core software projects and the recent White House Executive Order calling for improved software supply chain security.

LFX is the first and only community tool designed to make software projects of all kinds more secure and inclusive.

“The enhancement of LFX Security builds on its extensive functionality in vulnerability detection to add critical support for secrets-in-code and non-inclusive language,” said Jim Zemlin, executive director of the Linux Foundation. “It is up to all of us to secure our software supply chain.”

LFX Security now includes detection tools for:

  • Vulnerabilities — Detect vulnerabilities in open-source components and dependencies and provide fixes and recommendations for those vulnerabilities. LFX tracks how many known vulnerabilities have been found in open-source projects, identifies whether those vulnerabilities have been fixed in code commits, and then reports on the number of fixes per project through an intuitive dashboard. This helps cleanse software supply chains at their source and greatly enhances the quality and security of code further downstream in development pipelines.
  • Code Secrets — Detect secrets-in-code such as passwords, credentials, keys, and access tokens, both pre- and post-commit. These secrets are used by attackers to gain entry to repositories and other important code infrastructure.
  • Non-Inclusive Language — Detect non-inclusive language used in project code, which is a barrier to creating a welcoming and inclusive community.
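To make the "Code Secrets" item concrete, here is an added example (written for this column, not code from LFX Security, BluBracket or Snyk) of the kind of pre-commit check such a tool performs: it scans only the added lines of a unified diff for credential shapes, uses Shannon entropy to suppress obvious placeholders, and reports file and line for each hit. The regex rules, the 4.0-bit entropy threshold and the sample diff are all assumptions constructed for the illustration.

```python
import math
import re
from collections import Counter
# Secret shapes to look for: illustrative assumptions, not the rule set LFX Security ships.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        r"""(?i)\b\w*(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['"]([^'"]{8,})['"]"""),
}
def shannon_entropy(s: str) -> float:
    # Bits per character: random-looking tokens score high, dictionary words low.
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_line(path: str, lineno: int, line: str, entropy_threshold: float = 4.0) -> list:
    # One finding per matching rule. The assignment rule also requires the value to
    # look random, so placeholders such as password = "changeme" do not alert.
    findings = []
    for rule, pattern in SECRET_PATTERNS.items():
        m = pattern.search(line)
        if m and not (rule == "credential_assignment" and shannon_entropy(m.group(1)) < entropy_threshold):
            findings.append({"path": path, "line": lineno, "rule": rule})
    return findings

def scan_added_lines(diff_text: str) -> list:
    # Pre-commit style check: scan only '+' lines of a unified diff, tracking the
    # file name and new-file line number; removed '-' lines are ignored.
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = re.sub(r"^b/", "", raw[4:])
        elif raw.startswith("@@"):
            lineno = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            lineno += 1
            findings.extend(scan_line(path, lineno, raw[1:]))
        elif raw.startswith(" "):
            lineno += 1
    return findings

# Constructed sample diff (not a real commit); the AWS-style key is a made-up placeholder.
SAMPLE_DIFF = """\
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = "changeme"
+DB_PASSWORD = "changeme"
+AWS_KEY = "AKIAEXAMPLEKEY000001"
+api_token = "q9Xz7vLp2mRt4sWy8kHn"
"""
```

Running `scan_added_lines(SAMPLE_DIFF)` reports the key on line 3 and the token on line 4 of config.py, while the low-entropy "changeme" placeholder on line 2 is left alone.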

“Securing our software supply chain has become the most critical task facing the software industry. We believe the Linux Foundation’s LFX security project is the absolute best way for critical software projects to secure their code,” said Prakash Linga, founder and CEO of BluBracket.

Fortifying our global software supply chain is more crucial than ever, added Jill Wilkins, senior director of global technical alliances at Snyk. Leveraging the LFX Community Platform will help millions of developers worldwide to innovate securely.

LFX Security will scale out further in 2022 to help solve challenges for hundreds of thousands of critical open-source projects under the Open Source Security Foundation at the Linux Foundation. LFX Security is free and now available for use.

New Knative Project Lets Devs Use Event-Driven Architecture With Serverless Apps

Knative, an enterprise-grade open-source serverless platform originally developed at Google, adds components for deploying, running, and managing serverless, cloud-native applications on Kubernetes.

The Knative community on Nov. 4 announced the release of Knative 1.0. The event-driven architecture is based on the concept of decoupled relationships between event producers that create events, and event consumers, or sinks, that receive events.

Knative provides a highly scalable, stable event-driven architecture. Knative’s two main components are Knative Serving and Knative Eventing. Knative Serving builds on Kubernetes to support deploying and serving serverless applications and functions. Knative Eventing enables developers to use an event-driven architecture with serverless applications.

Knative 1.0 provides the following capabilities:

  • Stand up scalable, secure, stateless services in seconds;
  • A focused API with higher-level abstractions for common app use cases;
  • Pluggable components to bring your own logging and monitoring, networking, and service mesh;
  • Run Knative anywhere Kubernetes runs without worrying about vendor lock-in;
  • Support for GitOps, DockerOps, ManualOps, plus many common tools and frameworks such as Django, Ruby on Rails, Spring, and many more.

“I want to congratulate the Knative community on reaching 1.0,” said Sebastien Gosguen, TriggerMesh co-founder and head of product. “TriggerMesh runs on Knative, which makes it an easy platform to deploy and operate.”

TriggerMesh is a cloud-native integration for deploying serverless platforms.

Ubuntu Pro-Based Microsoft SQL Server Instances for Azure

Canonical on Monday announced joint support with Microsoft for Microsoft SQL Server with Ubuntu Pro on the Microsoft Azure cloud. The solution offers a cost-effective alternative for enterprise data management.

“Our customers need ways to run enterprise-grade, highly demanding, and business-critical data workloads on Ubuntu. This need is fully addressed with Microsoft SQL Server on Ubuntu Pro and Azure. This solution is a logical extension of our continued collaboration with Microsoft,” said Alex Gallagher, vice president of cloud alliances at Canonical.

SQL Server on Ubuntu Pro uses the XFS filesystem with Direct I/O and Forced Unit Access (FUA) for reliable synchronization with underlying NVMe SSD storage media. Additionally, SQL Server takes advantage of persistent memory (PMEM) when this is available. SQL Server on Ubuntu Pro 20.04 LTS includes support for high availability scenarios through Corosync and Pacemaker with a specialized fencing agent for Azure.

SQL Server on Ubuntu Pro delivers an alternative, highly cost-effective, and fully supported RDBMS option. It is ideal for high-performance, highly transactional workloads. The solution also offers a low-friction path for existing SQL Server users to benefit from adopting Ubuntu Pro, according to Canonical.

Microsoft Partially Pushes Linux to the Edge

Microsoft’s growing integration with the Linux computing platform now has a new browser to add to the Linux desktop. Its stable release of the Edge browser based on the open-source Chromium project was made available for Linux users at the end of October. Microsoft first announced a beta version of Edge for Linux in May.

Perhaps its main attraction is providing Linux users with an alternative web browser with some features not yet found in Google’s Chrome app. It also brings a direct path to Microsoft’s computing culture instead of the Google ecosystem.

Some interesting features include sleeping tabs (to save resources), vertical tabs, collections, and tracking prevention. Edge on Linux supports the family safety option when configured with your Microsoft account. But that support so far falls short of providing every feature found in the Microsoft Windows Edge edition.

Depending on which Linux flavor you run, Edge may not be available to you. The official Microsoft Edge site does not offer the Linux edition, but Microsoft’s official repositories so far provide downloads for Linux distros that use DEB and RPM packages.

Ubuntu Tour Online Again

Once upon a time, you could rummage around GitHub to find a current Ubuntu tour distribution that ran in a web browser. But wait, history often repeats itself.

Now you can go to Launchpad to experience a forked, web-based Ubuntu 21.10 desktop remake of the GitHub offering. You can find a similar experience on GitHub. Both locations let you try the latest Ubuntu edition remake.

Do not expect a hassle-free experience. It is not as simple as sampling dozens of Linux distros on Distrotest.net. For instance, the setup for Ubuntu Online works both online and offline, but you really need the files to be hosted on a web server for the best experience.

Ubuntu Online 21.10 is compatible with touch devices such as tablets and mobile phones. Expect some glitches with window resize, though.

The remake edition sports these features:

  • Multi-window support to open the same application in two or more windows
  • Resizable, draggable windows
  • Changeable wallpapers

Overall, the limited interface resembles the GNOME 40 desktop of Ubuntu 21.10 “Impish Indri.”

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
