RHEL 9.4 is here, updated with Python 3.12, PHP 8.2, Podman 4.9, new Identity Management features, enhanced security, and more. https://linuxiac.com/rhel-9-4-released/
The Gnome Project is a walled garden, but not of the Apple kind. It's a club of mostly #Redhat programmers & a few select others, and either you're in it, or you're not. Your user needs, your bug reports, your patches, all end up in /dev/null. They listen to no one. Never have, never will.
Why must the #UX of any kind of #cryptography related tooling on our systems suck so much?
Today's task - manage CA certificates on our clusters' base-systems using #Ansible.
The canonical way on #RHEL systems seems to be to use #p11kit's "trust" CLI.
"--help" says to use "trust list" - that sounds easy. I'll just compare those certificate serials against my desired state and then import the delta into the trust store…
But: the unique identifier of "trust list"'s output is a PKCS11 URI!
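Added example (not from the original post): reconciling the output of `trust list` against a desired anchor set, keyed on the PKCS#11 URI the tool prints. The block layout of the sample output and the `id` attribute encoding (RFC 7512 percent-escaping) are assumptions; the sample data is constructed.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample of `trust list` output. The block layout (a pkcs11: URI line
# followed by indented "key: value" lines) is assumed from p11-kit's trust tool.
SAMPLE_TRUST_LIST = """\
pkcs11:id=%d2%87%b4%e3;type=cert
    type: certificate
    label: Example Root CA 1
    trust: anchor
    category: authority

pkcs11:id=%a1%b2%c3%d4;type=cert
    type: certificate
    label: Example Root CA 2
    trust: anchor
    category: authority

pkcs11:id=%ff%ee%dd%cc;type=cert
    type: certificate
    label: Distrusted Example CA
    trust: blocklisted
    category: authority
"""

def pkcs11_id_hex(uri):
    """Extract the percent-encoded `id` attribute of a PKCS#11 URI (RFC 7512) as hex."""
    for attr in uri[len("pkcs11:"):].split(";"):
        key, _, value = attr.partition("=")
        if key == "id":
            return unquote_to_bytes(value).hex()
    return None

def parse_trust_list(text):
    """Parse `trust list` output into dicts; the PKCS#11 URI is the only unique key."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("pkcs11:"):
            current = {"uri": line.strip(), "id": pkcs11_id_hex(line.strip())}
            entries.append(current)
        elif current is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return entries

def anchor_delta(entries, desired_labels):
    """Labels to import and to remove so the anchor set matches the desired state.
    Label matching is an assumption for readability; labels are not guaranteed unique."""
    present = {e["label"] for e in entries if e.get("trust") == "anchor"}
    return sorted(set(desired_labels) - present), sorted(present - set(desired_labels))
```

An Ansible task built on this should record the `uri`/`id` of each matched entry rather than the label, since the URI is the only identifier `trust list` guarantees to be unique.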
@flameeyes I feel like I understand how those #UX shortcomings occur.
People deep down in the crypto rabbit-hole might work under the assumption that anyone operating at their depth will surely know what they're dealing with, so there's no need to explain the basic primitives everywhere.
But I don't get it from the perspective of an enterprise provider like #RedHat - cryptography is a fundamental aspect to operate their product.
Not even a junior should fail at this basic task due to poor #UX.
Anecdote: None of my systems are affected since I stick with #Debian stable. So if you use any of the services I host on my home server, we're still all good here.
Headline: #RedHat warns of backdoor in XZ tools used by most #Linux distros
Quote: "PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA 41 OR FEDORA RAWHIDE INSTANCES for work or personal activity," Red Hat warned on Friday.
Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO. The level of transparency is stellar, especially compared to proprietary software companies. What the FOSS world has accomplished in 24 hours after detection of the backdoor code in #xz deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything NOW. Which would introduce even more risks. Progress is made iteratively. Learn, adapt, repeat.
A Microsoft engineer discovered a backdoor in the latest Linux release of xz, a popular compression format. Both Debian and Red Hat have issued security advisories for these, and a 10/10 CVE was generated for this.
As we at #RedHat made very clear, no versions of RHEL (Red Hat Enterprise Linux) were affected by the #xz backdoor. My two production servers run on RHEL. So I am relaxed. #Goodnight (and before you complain: you can get RHEL for free for up to 16 machines with the developer subscription for individuals)
TL;DR #XZ has been backdoored in 5.6.0 and 5.6.1. While Fedora Rawhide and Fedora 41 packages are affected, Red Hat Enterprise Linux is NOT affected. Updates (well, technically downgrades to 5.4.x) for Fedora are being made available through the regular update channels. Our Security Alert explains more details. https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Check if your machine is affected: run xz --version and see if it returns 5.6.0 or 5.6.1. If it shows a lower version, you are safe, as far as we can see now.
And yes, some people might even attack me for supposedly downplaying this VERY DANGEROUS situation, because I MUST be part of the conspiracy, as I have worked at #RedHat for almost 19 years!1!! :) I also know THAT dance all too well.
> Although Fedora 40 beta contained the 5.6 version of xz in an update, the build environment prevents the injection from correctly occurring, and has not been shown to be compromised. Fedora 40 has now reverted to the 5.4.x versions of xz.
The first six #RedHat cookie cutters are printed. Many more to come :) Now to get some ingredients and food coloring to actually make and bake the cookies :)