Notices by Ludovic Courtès (civodul@toot.aquilenet.fr)

This once temperate place in the south of France is becoming hostile.

#ClimateChange

Instead of disabling unprivileged user namespaces plain and simple, Ubuntu since 24.04 restricts them with an AppArmor profile, which is known to be insufficient:
https://seclists.org/oss-sec/2025/q1/253

Yet, people writing code relying on unprivileged user namespaces have to deal with Ubuntu specifics where things don’t behave as documented. Latest example:
https://codeberg.org/guix/guix/issues/679#issuecomment-5659997

How do folks deal with it?

#Linux #containers #rootless

Today’s question: can proprietary software vendors be nice enough to let people run said software when they want?
https://chaos.social/@dpk/114744619214060687

Capitalism with a human face. (Known as “freedom 0” to those free software leftists.)

It’s been one month since #Guix migrated to Codeberg.

We’ve had 138 code contributors on that month compared to 102 on the previous month according to Git, or +35%.

Of course it’s too small a sample to draw any conclusion but let’s hope it continues that way.

@khinsen Heh, that’s the spirit. :-)

And also, at long last, formal proofs for the masses: look, everyone’s proving “things”!

⚠ #Guix privilege escalation vulnerabilities (CVE-2025-46415, CVE-2025-46416) 👇
https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/

Just saw a nice talk about Miralis, a minimal hypervisor designed to isolate firmware code on RISC-V:
https://miralis-firmware.github.io/docs/introduction

The motivation was along the lines of “why bother with seL4-style verification if we keep running opaque buggy firmware beneath it?”

So, there’s much to be said about these vulnerabilities…
https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/

First, thanks to fellow Nix and Lix hackers for sending us a heads-up, for sharing Snyk’s detailed report, and for coordinating with us. 👍

The fix has been 3 months in the making (!) and that was far from trivial.

Reepca (whose review work on the rootless guix-daemon had been instrumental) has been doing almost all the development work in Guix.

It’s an impressive piece of work, including in terms of the size of the diff—the biggest in the entire history of ‘guix-daemon’.

Reepca will share their thoughts on this later, but it’s hundreds of lines of code 👇

25 files changed, 2855 insertions(+), 550 deletions(-)

… to “just” work around a couple of Linux design flaws.

We’re plugging a user-level network stack (slirp4netns) + namespaces + seccomp filters just because abstract Unix-domain sockets are (1) ambient authority in a global name space, and (2) associated with “network namespaces” instead of some IPC namespace.

Yesterday @rougier and I gave an informal #ReproducibleResearch workshop at Inria with ~20 scientists, half of whom working in HPC, the rest of them working on user interfaces, computer graphics, number theory, and robotics—very insightful to see how each community approaches these issues.

@rougier had excellent examples to get the discussion started. I followed up on computational reproducibility with #HPC examples and a touch of #Guix and #SoftwareHeritage:
https://gitlab.inria.fr/lcourtes/atelier-recherche-reproductible

“When Personal Becomes Profitable: Sensitive Targeting on X”
https://aiforensics.org/work/sensitive-targeting-x

Mildly surprised unfortunately to see targeted ad based on ethnicity, beliefs, sexual orientation, etc. despite it being supposedly illegal in the EU.

Still insightful to see which organizations used such sensitive criteria, and which ones they used—kudos to the European Commission for its political targeting (page 9).

www.gnu.org has been more or less down for a couple of weeks.

The latest stage of a project that keeps spiraling down while the movement it once shaped is striving.

@lanodan Alors oui, t’as pas tort sur le fond, mais n’empêche :
https://fr.wikipedia.org/wiki/Publicit%C3%A9_mensong%C3%A8re#France

Une pub qu’EDF nous impose dans la rue dit « Plus d’électricité, c’est moins de pétrole à l’horizon. » 🍃🦄

Or ça ne s’est jamais vérifié 👇 et c’est donc sinon mensonger au moins trompeur.

https://fr.wikipedia.org/wiki/Ressources_et_consommation_%C3%A9nerg%C3%A9tiques_mondiales
https://fr.wikipedia.org/wiki/Transition_%C3%A9nerg%C3%A9tique#Critique_du_concept

Àskip y a une loi contre la pub mensongère.

It’s been a couple of hours and there’s already 2 issues and 14 pull requests opened, as if people had been waiting for this moment. :-)

@janneke As far as Forgejo is concerned, “GET and POST” is just as accurate as “point and click” :-)
https://codeberg.org/api/swagger#/

Which means that beyond interfaces like fj.el, we can do things specifically tailored to our needs, as I did here:
https://issues.guix.gnu.org/78568

@zimoun @lynn

#Guix 24h later: 46 pull requests and 7 issues.

We’re used to a high volume of patches and bug reports but I think this is above the average.

#Guix migration to #Codeberg complete! 🎉
https://git.guix.gnu.org/guix

The 🐑 #Shepherd 1.0.5 is out, with fewer 🐛 and coming straight from its new 🏡!
https://gnu.org/software/shepherd/news/2025/05/herding-to-codeberg/