Outsiders like myself can do some things to take advantage of this program. Using software that is confirmed to get patches is the best option, but that can’t cover all use cases. Use Chromium to watch videos[1], listen to audio and read PDF/text/HTML documents, use Firefox to edit PDFs, use the latest Linux kernel from Greg Kroah-Hartman (not Linus’s tree) from kernel.org or the repos of e.g. Debian testing or Arch Linux. I don’t have a suggestion for reading `.epub` E-Books, except writing a Haskell program using pure functions from the pandoc project to convert to PDF, though this seems not to always work.
Note that you will need to keep all this software as up to date as possible, but this may make you more vulnerable to supply chain attacks. You will need to do this until a few weeks after the end of the Glasswing project. Be careful of how you source program updates, and don’t blindly update dependencies. Use upstream lock files if possible to get fixes to vulnerabilities not disclosed outside of Project Glasswing.
My most important comment here is on the nature of VMs running under Linux. The KVM hypervisor is part of the Linux kernel, and therefore is part of project Glasswing. What I’m not sure about is the surrounding userspace software that runs on the host and usually isn’t sandboxed (very well) like QEMU, libvirt, and swtpm. Note that I’m nearly certain that Mythos developed a privilege escalation that could go from a RCE in any of these projects to complete control over the host system, or at least root/write access to all filesystems. I would like a statement from one of the companies involved in project Glasswing that they have tested the host userspace programs around KVM, not just KVM itself. This is important because if the interior of the VM is compromised, it can communicate with virtual devices these software packages provide, e.g. virtual drives and security devices.
If there’s information this is getting worked on, then consider me suggesting that you should run programs that you don’t think are getting Project Glasswing support in a KVM/libvirt VM on the newest stable Linux kernel. Note that everything that comes out of these VMs needs to be considered contaminated, and must only be opened in e.g. Chromium or another known-Glasswing-patched program. You may need to E-Mail these files to other people however, and I don’t have a solution to that.
This seems to work now even for some `.mkv` files, but I don’t think this is general. You can try to convert them to `.webm` using FFMpeg in a VM, but note that all files that come out of the VM are considered contaminated, and therefore need to be played back in Chromium, not a standard media player that doesn’t feature Chromium’s strong (and Glasswing tested) sandbox. See later for VM security considerations.
I’m somewhat concerned about the possible problems that the recent increased load of patches may cause during the creation of the Linux 7.0.1 release. In theory it’s just a matter of checking the applicability of the entire set of patches to Linus’s tree, but given the situation I think the consequence of something getting missed is higher than normal[1].
I think an alternative solution of using the 6.19.XX series from Greg K-H until a few days after its last release is a better idea, but it’s close, ~0.35 that it ends up worse[2]. I think better automation is needed.
This may require building the kernel for yourself unless Greg K-H ends the series early, but until then here are the required file changes for Debian 13:
Note that I’ve tested this and it doesn’t seem to work correctly when your system is set up to build kernel modules from source to install into this new kernel, because it causes other dependencies to update to the testing version. Otherwise, I tested it to work on multiple systems.
Outsiders like myself can do some things to take advantage of this program. Using software that is confirmed to get patches is the best option, but that can’t cover all use cases. Use Chromium to watch videos[1], listen to audio and read PDF/text/HTML documents, use Firefox to edit PDFs, use the latest Linux kernel from Greg Kroah-Hartman (not Linus’s tree) from kernel.org or the repos of e.g. Debian testing or Arch Linux. I don’t have a suggestion for reading `.epub` E-Books, except writing a Haskell program using pure functions from the pandoc project to convert to PDF, though this seems not to always work.
Note that you will need to keep all this software as up to date as possible, but this may make you more vulnerable to supply chain attacks. You will need to do this until a few weeks after the end of the Glasswing project. Be careful of how you source program updates, and don’t blindly update dependencies. Use upstream lock files if possible to get fixes to vulnerabilities not disclosed outside of Project Glasswing.
My most important comment here is on the nature of VMs running under Linux. The KVM hypervisor is part of the Linux kernel, and therefore is part of project Glasswing. What I’m not sure about is the surrounding userspace software that runs on the host and usually isn’t sandboxed (very well) like QEMU, libvirt, and swtpm. Note that I’m nearly certain that Mythos developed a privilege escalation that could go from a RCE in any of these projects to complete control over the host system, or at least root/write access to all filesystems. I would like a statement from one of the companies involved in project Glasswing that they have tested the host userspace programs around KVM, not just KVM itself. This is important because if the interior of the VM is compromised, it can communicate with virtual devices these software packages provide, e.g. virtual drives and security devices.
If there’s information this is getting worked on, then consider me suggesting that you should run programs that you don’t think are getting Project Glasswing support in a KVM/libvirt VM on the newest stable Linux kernel. Note that everything that comes out of these VMs needs to be considered contaminated, and must only be opened in e.g. Chromium or another known-Glasswing-patched program. You may need to E-Mail these files to other people however, and I don’t have a solution to that.
This seems to work now even for some `.mkv` files, but I don’t think this is general. You can try to convert them to `.webm` using FFMpeg in a VM, but note that all files that come out of the VM are considered contaminated, and therefore need to be played back in Chromium, not a standard media player that doesn’t feature Chromium’s strong (and Glasswing tested) sandbox. See later for VM security considerations.
I’m somewhat concerned about the possible problems that the recent increased load of patches may cause during the creation of the Linux 7.0.1 release. In theory it’s just a matter of checking the applicability of the entire set of patches to Linus’s tree, but given the situation I think the consequence of something getting missed is higher than normal[1].
I think an alternative solution of using the 6.19.XX series from Greg K-H until a few days after its last release is a better idea, but it’s close, ~0.35 that it ends up worse[2]. I think better automation is needed.
This may require building the kernel for yourself unless Greg K-H ends the series early, but until then here are the required file changes for Debian 13:
Config
/etc/apt/preferences.d/testingToChangePriority/etc/apt/preferences.d/testingKernelBackport/etc/apt/sources.list.d/debian.sourcesNote that I’ve tested this and it doesn’t seem to work correctly when your system is set up to build kernel modules from source to install into this new kernel, because it causes other dependencies to update to the testing version. Otherwise, I tested it to work on multiple systems.
Where normally the churn might be in an obscure driver where failures causes problems for few users.
E.g. what happened here? https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.6.y&id=5a1e865e51063d6c56f673ec8ad4b6604321b455