Release goals for 20.XX
sampablokuper at posteo.net
Fri Jul 31 09:39:47 EDT 2020
On Fri, Jul 31, 2020 at 01:37:00PM +0200, baptiste at bitsofnetworks.org wrote:
> 3) organisational: switch to gitlab?
> While there was a vote about it,
Hi, do you happen to have a link to that discussion/vote?
> I don't know if this is planned for 20.XX. I think it makes sense:
> we could start using gitlab to track 20.XX bug reports, and
> possibly drop 18.06 bug reports from flyspray. But if it is not
> ready, it should probably not block the 20.XX release.
I would encourage delaying such a move.
My reason is that although Gitlab is free as in freedom (good!), it does
pages (bad!). (By "the functionality in its web pages", I mean as
opposed to, say, the functionality exposed through its API.)
This means that any visitor/developer who needs to interact with a
Gitlab instance via its webpages is forced to increase their attack
This in turn means that if the server running the Gitlab instance gets
compromised by an attacker, then the attacker would be able to pivot to
malware. This might in principle allow the attacker to e.g.:
- steal the visitor's/developer's private keys if present in the cache
or RAM of that person's PC; or
- gain privileged code execution on that person's PC, allowing for
installation of a remote access tool (RAT) and consequent ability to
exfiltrate private keys or otherwise masquerade as the PC's owner.
Clearly, such an attack if carried out would have serious implications
for the future integrity of OpenWRT.
Such malware, especially if it exploits unfixable hardware
vulnerabilities in client CPUs (e.g. Spectre, Meltdown, etc) can be
although this protection works well when visiting the *current* OpenWRT
websites (wiki, bug tracker, etc), it would *NOT* be viable if OpenWRT
switches to Gitlab. (This is because of Gitlab's reliance on
Sadly, this is not only theoretical. Attacks along roughly these lines
are known to have been conducted in the past, in order to insert
vulnerabilities into networks and codebases.
OpenWRT is widely used, especially by people who value security and
therefore choose it over proprietary alternatives. Consequently, it is
a "target-rich environment".
For this reason, I would urge the OpenWRT devs *not* to switch to any
 "Research showed that microarchitectural attacks like cache attacks
W3C and browser vendors responded to this significant threat by
inefficacy of this mitigation by finding and evaluating a wide range of
new sources of timing information. We develop measurement methods that
exceed the resolution of official timing sources by 3 to 4 orders of
magnitude on all major browsers, and even more on Tor browser. Our
timing measurements do not only re-enable previous attacks to their full
extent but also allow implementing new attacks."
 "side-channel attacks allow to detect the exact location of kernel
software bug and the knowledge of these addresses can lead to privileged
"We demonstrate a fully automated attack that requires nothing but a
we can gain unrestricted access to systems of website visitors. We show
that the attack works on off-the-shelf systems. Existing
countermeasures fail to protect against this new Rowhammer attack."
A: When it messes up the order in which people normally read text.
Q: When is top-posting a bad thing?
() ASCII ribbon campaign. Please avoid HTML emails & proprietary
/\ file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.
More information about the openwrt-devel