MoreRSS

site iconLWNModify

Dev linux Digest
A site dedicated to producing the best coverage from within the Linux and free software development communities.
RSS: https://lwn.net/headlines/rss
Please copy the RSS to your reader, or quickly subscribe to:

Inoreader Feedly Follow Feedbin Local Reader

Rss preview of Blog of LWN

Huston: Revisiting time

2026-03-08 04:52:34

Geoff Huston looks at the network time protocol, and efforts to secure it, in detail.

NTP operates in the clear, and it is often the case that the servers used by a client are not local. This provides an opportunity for an adversary to disrupt an NTP session, by masquerading as a NTP server, or altering NTP payloads in an effort to disrupt a client's time-of-day clock. Many application-level protocols are time sensitive, including TLS, HTTPS, DNSSEC and NFS. Most Cloud applications rely on a coordinated time to determine the most recent version of a data object. Disrupting time can cause significant chaos in distributed network environments.

While it can be relatively straightforward to secure a TCP-based protocol by adding an initial TLS handshake and operating a TLS shim between TCP and the application traffic, it's not so straightforward to use TLS in place of a UDP-based protocol for NTP. TLS can add significant jitter to the packet exchange. Where the privacy of the UDP payload is essential, then DTLS might conceivably be considered, but in the case of NTP the privacy of the timestamps is not essential, but the veracity and authenticity of the server is important.

NTS, a secured version of NTP, is designed to address this requirement relating to the veracity and authenticity of packets passed from a NTS server to an NTS client. The protocol adds a NTS Key Establishment protocol (NTS-KE) in additional to a conventional NTPv4 UDP packet exchange (RFC 8915).

[$] Fedora shares strategy updates and "weird research university" model

2026-03-07 01:33:13

In early February, members of the Fedora Council met in Tirana, Albania to discuss and set the strategic direction for the Fedora Project. The council has published summaries from its strategy summit, and Fedora Project Leader (FPL) Jef Spaleta, as well as some of the council members, held a video meeting to discuss outcomes from the summit on February 25. Topics included a plan to experiment with Open Collective to raise funds for specific Fedora projects, tools to build image-based editions, and more. Spaleta also explained his model for Fedora governance.

OpenWrt 25.12.0 released

2026-03-06 22:39:42

Version 25.12.0 of the OpenWrt router distribution is available; this release has been dedicated to the memory of Dave Täht. Changes include a switch to the apk package manager, the integration of the attended sysupgrade method, and support for a long list of new targets.

Security updates for Friday

2026-03-06 22:17:56

Security updates have been issued by Debian (chromium), Fedora (freerdp, libsixel, opensips, and yt-dlp), Mageia (python-django, rsync, and vim), Red Hat (go-rpm-macros and osbuild-composer), SUSE (7zip, assertj-core, autogen, c3p0, cockpit-machines, cockpit, cockpit-repos, containerized-data-importer, cpp-httplib, docker, docker-stable, expat, firefox, gnutls, go1.25-openssl, golang-github-prometheus-prometheus, haproxy, ImageMagick, incus, kernel, kubevirt, libsoup, libsoup2, mchange-commons, ocaml, openCryptoki, openvpn, php-composer2, postgresql14, postgresql15, python-Authlib, python-azure-core, python-nltk, python-urllib3_1, python311-Django4, python311-pillow-heif, python311-PyPDF2, python313, python313-Django6, qemu, rhino, roundcubemail, ruby4.0-rubygem-rack, sdbootutil, and wicked2nm), and Ubuntu (less, nss, python-bleach, qtbase-opensource-src, and zutty).

Rust 1.94.0 released

2026-03-06 03:43:09

Version 1.94.0 of the Rust language has been released. Changes include array windows (an iterator for slices), some Cargo enhancements, and a number of newly stabilized APIs.

A GitHub Issue Title Compromised 4,000 Developer Machines (grith.ai)

2026-03-06 03:21:21

The grith.ai blog reports on an LLM prompt-injection vulnerability that led to 4,000 installations of a compromised version of the Cline utility.

For the next eight hours, every developer who installed or updated Cline got OpenClaw - a separate AI agent with full system access - installed globally on their machine without consent. Approximately 4,000 downloads occurred before the package was pulled.

The interesting part is not the payload. It is how the attacker got the npm token in the first place: by injecting a prompt into a GitHub issue title, which an AI triage bot read, interpreted as an instruction, and executed.