Travis CI flaw exposed thousands of open-source projects’ secrets

A flaw in popular software testing tool Travis CI exposed the secrets of thousands of open-source projects.

Travis CI is a hosted continuous integration service used to build and test software projects hosted on GitHub and Bitbucket.

For at least a week – between 3-10 Sept – open-source repos that used Travis CI had their keys, credentials, and tokens exposed.

Ethereum developer Felix Lange discovered a flaw with how Travis CI handled environmental...

Sonatype analysis reveals a 73 percent surge in open-source demand

A report from Sonatype has revealed a 73 percent surge in the demand for open-source despite a year of high profile vulnerabilities.

The growing use of open-source to keep up with the pace of modern development makes it a prime target for cybercriminals. We’ve seen this multiple times in practice over the past year with devastating attacks like that on SolarWinds even making national headlines for its widespread implications.

In fact, Sonatype’s report highlights a...

Linus Torvalds: GitHub creates ‘absolutely useless garbage’ merges

Linux and Git creator Linus Torvalds has criticised GitHub for creating “absolutely useless garbage merges”.

Torvalds’ comment can be viewed in an archive of a Linux development mailing list and was directed at Konstantin Komarov, Founder and CEO of Paragon Software, about the submission of its read-write NTFS driver for the upcoming 5.15 kernel.

“github creates absolutely useless garbage merges, and you should never ever use the github interfaces to merge...

Google wants to ‘advance cybersecurity’ by fixing open-source and increasing training

Google has committed $10 billion over the next five years to “advance cybersecurity” by fixing some of the key problems with open-source and offering more training.

The announcement follows Google’s participation in President Biden’s White House Cyber Security Meeting this week, where leading tech executives, including Alphabet CEO Sundar Pichai, met in response to the increasing prevalence and seriousness of cyberattacks.

Open-source is vital and speeds...

Checkmarx acquires Dustico in wake of increasing supply chain attacks

Developer-centric application security testing (AST) firm Checkmarx has acquired Dustico to help counter the increasing threat of supply chain attacks.

“We’re thrilled to welcome Dustico and its team to Checkmarx as the Israeli tech ecosystem continues to push the boundaries of cybersecurity innovation and talent,” said Emmanuel Benzaquen, CEO, Checkmarx.

“Blending Dustico’s differentiated approach to open source analysis with Checkmarx’s best-of-breed security...

Stanford Law and GitHub launch initiative to protect open-source developers

Stanford Law and GitHub are partnering on an initiative to protect the legal rights of open-source developers.

Section 1201 of the Digital Millennium Copyright Act from 1998 prohibits the circumvention of technological measures employed by, or on behalf of, copyright owners to protect access to their works.

Open-source developers regularly face takedown claims under Section 1201 but, rather than fight it, they often decide to avoid the cost and risk by just removing the...

Former NSA executive Jacob DePriest now heads GitHub’s security operations

GitHub has announced that former NSA (National Security Agency) senior executive Jacob DePriest is now heading its security operations.

Open source evangelist DePriest built the NSA’s Developer Experience from scratch and helped the agency’s developers contribute to the work of others. The NSA’s historically lengthy approval process was reduced from weeks to mere hours in some cases.

A 2019 post on the US Intelligence Careers website explains why DePriest has a...

Sonatype Lift uses deep code analysis to suggest bug fixes

Sonatype has launched a new deep code analysis platform called Lift which can detect a wide range of bug types.

Lift detects bugs ranging from style issues to complex coding errors commonly found in first-party source code and third-party open source libraries.

Research from Veracode last year found that open-source libraries cause security flaws in around 70 percent of apps. However, open-source libraries are often critical to projects.

Using a deep code...

Torvalds hopes future Linux 5.13 release candidates will ‘start shrinking’

Linux creator Linus Torvalds has expressed mild concern over the size of kernel 5.13 following its fifth release candidate.

“Hmm,” Torvalds opened his latest State of the Kernel post. “Things haven't really started to calm down very much yet, but rc5 seems to be fairly average in size. I'm hoping things will start shrinking now.”

In April, Torvalds warned that 5.13 would likely be “making up” for the smaller release of 5.12 – a position he maintained...

Chrome OS support for Linux apps will exit beta in a few weeks

Google has announced that Chrome OS support for Linux apps will finally exit beta in a few weeks.

Linux apps have been available on Chrome OS for three years, albeit in beta. Google is now ready to drop the beta label and declare the feature stable.

https://www.youtube.com/watch?v=a8kkzdOfAgU

Chrome OS supports running Chrome, Android, Linux, and even Windows apps (through a partnership between Google and Parallels) – making it one of the most versatile operating...