The final selection of the most important and notable events in 2022 related to open projects and information security:
Conflicts: A split among the founders of the elementary OS project. Departure of Norbert Preining from Debian. SFC’s call to stop using GitHub. A split in the Urho3D community. Criticism of the SPO Foundation’s policy towards firmware. Apache PLC4X transition to paid development model. Introduction and removal of the ban on the sale of open source software in the Microsoft Store. Attempt to return Tornado Cash.
Forks: Angie – fork of Nginx, LeanQt – fork of Qt 5, libSQL – fork of SQLite, Forgejo – fork of Gitea, Pulsar – fork of Atom.
Takeovers: Perforce took over Puppet. Intel took over Linutronix (linux-rt). Mozilla bought Active Replica and Pulse.
Litigation: Litigation by the Netfilter developers. Litigation due to GitHub Copilot. Litigation with Vizio for GPL infringement. Daniel Bernstein’s lawsuit related to the standardization of cryptalgorithms. Completion of proceedings between Stockfish and ChessBase on violation of the GPL. Claim for hosting the Youtube-dl project. Litigation related to the Neo4j project and the AGPL.
Copyright: PostgreSQL Trademark Conflict. Debian sued the debian.community domain, and Red Hat tried to take the WeMakeFedora.org domain. Invalidation of a patent used to attack GNOME. An attempt to create a patent pool for Opus.
The ProtestWare Phenomenon. Making destructive changes to the colors and faker NPM packages.
Licenses: Movement against Fedora’s CC0 license. License change to SIMH in response to criticism. Illegal removal of additional terms to the AGPL license.
Development platforms: Paid apps on Flathub. SourceHut prohibits the placement of projects related to cryptocurrencies. Termination of the hosting of free projects Fosshost. Moving towards mandatory two-factor authentication in GitHub, NPM, PyPI and Ruby Gems.
Creation of a national open source repository and a state certification authority with its own TLS root certificate. Overture Maps open map data project.
Programming languages and compilers: GCC 12, LLVM 15, HPVM 2.0, Java 18/19, Ruby 3.2, PHP 8.2, Julia 1.8, Crystal 1.6, Go 1.19, Perl 5.36, .NET 7, Glibc 2.36, Cosmopolitan 2.0 (library for portable executable files). Perl 7 branch plans. New ALBS build system.
New languages: Carbon and Hare.
Python: Python 3.11. New compilers Codon, S6, Nuitka 1.0, Pyston-lite. PikaScript is a variant of Python for microcontrollers. Memray memory profiler.
Rust Language Expansion: Bringing Rust support into the Linux kernel and GCC. Development of Android, Mesa, GStreamer, Ruby components on Rust. Development of an NVMe driver in Rust. First stable release of Arti, the official Rust implementation of Tor.
System components: systemd 252/251. A proposal to modernize the partitioning of boot partitions. New Linux verified boot architecture. Redbean 2.0 (applications in ZIP archive).
Hardware: Linux adaptation progress for Apple M1 and M2 chips. Raspberry Pi Pico W. Open GPU VeriGPU. Initiatives for the free production of trial batches of open chips. Intel has joined in the development of technologies based on the RISC-V architecture. Platform for creating robots OpenBot.
Firmware: Debian has approved the distribution of proprietary firmware in installation media and the ability to hold secret ballots. PSE block firmware code for Intel Elkhart Lake chips has been opened. Sound Open Firmware 2.2. The OSFF Foundation was created to coordinate the development of open source firmware. The firmware code for Framework laptops is open. Intel microcode decryption.
Network Infrastructure: PSP Secure Network Protocol. TMO mechanism that saves 20-32% of memory on servers.
Standards: UCIe is an open standard for chiplets. HTTP/3.0. Web Assembly 2.0. Vulcan 1.3. The decision to suspend the synchronization of the world’s atomic clocks with astronomical time.
Security Mechanisms: Caliptra is an open IP box for building trustworthy chips. Additional process memory protection in OpenBSD. Security Improvement Initiative 10,000 Open Projects. Porting the pledge to Linux. TUF is a framework for secure delivery of updates. Means for safe work with buffers in C++.
New OS: KataOS (Google’s secure OS), Essence, dahliaOS (Linux and Fuchsia hybrid), DentOS (for switches), Capyloon (Firefox OS based), DBOS (DBMS based OS), Phantom. Solaris edition for free use.
BSD: FreeBSD 13.1/12.4, OpenBSD 7.2, DragonFlyBSD 6.2, NetBSD 9.3. Pledge/unveil, NetLink implementations, and new WireGuard VPN code for FreeBSD. MyBee is a FreeBSD distribution for virtual machines.
Mobile platforms: Android 13, Android Go 13, LineageOS 19, /e/OS 1.0, webOS 2.19, KDE Plasma Mobile 22.11, postmarketOS, GNOME Shell for mobile devices. Support for RISC-V in Android.
Distributions: Ubuntu 5.17: new performance management system for AMD processors, ability to recursively map user IDs in filesystems, support for portable compiled BPF programs, switching the pseudo-random number generator to the BLAKE2s algorithm, rtla utility for analyzing real-time execution, new fscache backend for caching network file systems, the ability to attach names to anonymous mmap operations.
5.18: major cleanup of obsolete functionality, deprecated Reiserfs FS, implemented user process tracing events, added support for Intel IBT exploit blocking mechanism, enabled buffer overflow detection mode when using memcpy() function, added fprobe function call tracking mechanism, improved scheduler performance tasks on the AMD Zen CPU, includes a driver for controlling the functionality of the Intel CPU (SDS), integrated some patches for restructuring header files, approved the use of the C11 standard.
5.19: support for LoongArch processor architecture, integration of “BIG TCP” patches, “on-demand” mode in fscache, ability to use ZSTD for firmware compression, interface for controlling memory eviction from user space, improved reliability and performance of the pseudo-random number generator, support for Intel extensions IFS (In-Field Scan), AMD SEV-SNP (Secure Nested Paging), Intel TDX (Trusted Domain Extensions) and ARM SME (Scalable Matrix Extension).
6.0: XFS asynchronous buffered write support, ublk block driver, task scheduler optimizations, kernel validation mechanism, ARIA block cipher support.
6.1: support for the development of drivers and modules in the Rust language, modernization of the mechanism for determining the used memory pages, a special memory manager for BPF programs, the KMSAN memory problem diagnostic system, the KCFI (Kernel Control-Flow Integrity) protection mechanism, the introduction of the Maple tree structure.
Encryption: NIST has approved quantum-resistant encryption algorithms and is deriving SHA-1 from the specifications. New libraries: liblithium (Tesla), Kryptology (Coinbase) and Paranoid (Google). Readiness of the system of cryptographic verification of the Sigstore code.
Problems with cryptography: The failure of the SIKE crypto algorithm. Compromise of end-to-end encryption in Matrix clients. Disable encryption on LUKS2 partitions. Bypass UEFI Secure Boot via GRUB2. Android lock screen bypass. Vulnerabilities in XKCP, OpenSSL and LibKSBA. Ability to generate bogus ECDSA signatures in Java SE.
Processor and hardware vulnerabilities: Retbleed, Hertzbleed, SQUIP, AEPIC Leak, BHI, AMD and Intel-specific (MMIO) vulnerabilities. Compromise of the Starlink terminal. Vulnerability in UEFI firmware. Laptops crash when playing music by Janet Jackson.
Attack methods: Listening through an optical cable passing through the premises. Identification of smartphones by Bluetooth activity. Using smartphone motion sensors to listen. Identification based on GPU information. An attack on Node.js through JavaScript object prototype manipulation. Phishing through the simulation of the browser interface.
Research: Analysis of incorrect use of commas in Python code. Simulation of the full size Tor network. A device for detecting the hidden inclusion of a microphone. Analysis of malicious code in exploits.
Local vulnerabilities: snap, Linux kernel (i915, io_uring, MCTP, tmpfs, POSIX CPU timer, cls_route, nf_tables, lockdown, garbage collector, netfilter, perf, O_RDONLY, cgroups v1, ucount, VFS, XFS, eBPF), systemd-coredump , xterm, pixman, Enlightenment, firejail, uclibc, networkd-dispatcher, CRI-O, PolKit.
Remote Vulnerabilities: FreeBSD ping, Linux kernel (ksmbd, Bluetooth, mac80211, TIPC), Bitbucket, Samba, Netatalk, NTFS-3G, Git, FFmpeg, Redis, Cargo, GitLab, muhttpd, rsync, django, unrar, MediaTek ALAC decoders and Qualcomm, libinput, Spring Framework, zlib, OpenBSD IPv6 stack, OpenSSH, Expat, Magento
Remote vulnerabilities in APC Smart-UPS, devices based on SoC Realtek, Zyxel equipment, NetGear, Juniper, webOS, firmware based on InsydeH2O.
Hacks: NPM, NVIDIA, Samsung, LastPass. Twilio SMS service compromised to attack Signal.
Privacy: Mozilla is developing a mechanism for transmitting telemetry to ad networks. Shufflecake to create hidden encrypted disk partitions. Restricting VPN apps in the Play Store. Toolkit for collecting telemetry from GNOME.
Continued detection of malicious packages in NPM, PyPI, crates.io repositories and directories. 1600 malicious images on Docker Hub. Malicious code in an ad-blocking add-on for Twitch. Wave of forks with malicious changes on GitHub. Distribution of malicious files through GIMP ads on Google. 73 thousand tokens and passwords of open projects in Travis CI public logs. Vulnerabilities in RubyGems.org and NPM. Failed due to a backward compatibility violation in a popular NPM package.
Infrastructure attacks: UEFI firmware code leak for Intel Alder Lake chips. Attacks on NPM and GitHub. Dropbox repositories leaked.
Incidents: Hyundai’s IVI system was authenticated with a key from the OpenSSL manual. Samsung, LG, and MediaTek certificates have been used to authenticate malicious Android apps. Publication on GitHub of the access key to the Toyota T-Connect user base. Removing the Atomicwrites package from PyPI due to the introduction of two-factor authentication. Revocation of 2 million Let’s Encrypt certificates. Linuxfx revealed a hardcoded password to access the user base.
During the year, 1566 news were published on OpenNET, on which 156213 comments were left. In the fall of 2022, the OpenNET project turned 26 years old.