Norway’s northernmost region has asked the European Commission to grant it permission to establish a time zone with 26-hour days.

Excuse me? Say that again.

Traditional (boring) 24-hour days: out. Modern (revolutionary) 26-hour days: in.

The bizarre plan, promoted by a local town mayor in the Arctic Circle near the Russian border, aims to boost local values, increase family time and attract new residents to the region. All nice ideas, but in practice, the details remain at best fuzzy.

In its letter to the European Commission — which confirmed that it has received the request — the region is asking the EU body to instruct Norwegian authorities to approve the creation of a time zone with 26-hour days instead of 24-hour days.

How would the new time zones work in practice? Wenche Pedersen, the mayor of Vadsø who authored the letter, is unsure.

“We haven’t thought a lot about that” she said. “The clock will go from 12 to 13… and we have to see how this will go. I don’t think they’re going to say yes so we haven’t thought about all the details.”

Right.

According to Pedersen, the region has been struggling to attract new residents. But the mayor is hoping this will change by showcasing the area’s unique values.

“Through our ‘MOREtime’ project, we aim to celebrate and promote this unique way of life, offering individuals the opportunity to enjoy more quality time engaging in activities such as fishing, hunting, learning new languages, or simply being with loved ones,” Vadsø said in a letter.

“What is the good thing about living here? It’s the time,” she told POLITICO.

“We don’t run after the buses or after the trains or have to take a long time to travel to work and so on,” she added. “We are very satisfied with living in a part of Norway where we have more time to be with our friends, with our family and together.”

By extending the length of the days, Pedersen hopes that more people will be inspired to move to the remote region. Ensuring that the area is populated is “more important than ever” in light of Russia’s war against Ukraine, Pedersen added.

“We like our lifestyle and we think that could be very exciting, especially for families with small children,” the mayor said. “I think it’s a more calm and better everyday life than for example in a big city.”

Could it actually happen?

Norway is not an EU member, but the country is part of the European Economic Area (EEA). While a EU directive regulates summer time arrangements, whether it has authority over creating separate time zones is another question.

According to a Commission official, time zones are a matter for countries themselves, so it’s unlikely that the EU will be able to grant the region’s request.

Nevertheless, Pedersen is hoping to at least spread the word about the uniqueness of northern Norway.

“In this respect we are one of the richest regions in Europe because […] we have more time,” Pedersen said.

In breaking news that dropped just after our weekly security column went live, a backdoor has been discovered in the xz package, that could potentially compromise SSH logins on Linux systems. The most detailed analysis so far seems to be by [Andres Freund] on the oss-security list.

The xz release tarballs from 5.6.0 in late February and 5.6.1 on March 9th both contain malicious code. A pair of compressed files in the repository contain the majority of the malicious patch, disguised as test files. In practice, this means that looking at the repository doesn’t reveal anything amiss, but downloading the release tarballs gives you the compromised code.

This was discovered because SSH logins on a Debian sid were taking longer, with more CPU cycles than expected. And interestingly, Valgrind was throwing unexpected errors when running on the liblzma library. That last bit was first discovered on February 24th, immediately after the 5.6.0 release. The xz-utils package failed its tests on Gentoo builds.

One of the xz maintainers, [Jia Tan], weighed in on that Gentoo bug, suggesting that it was a GCC bug causing the Valgrind errors. This is the same developer that pushed the malicious archive files and minted the tainted releases. And as if to clear up any remaining doubts, the developer doubled down in a GitHub commit, working around the Valgrind errors, and linking to a completely unrelated GCC bug report claiming it to be this issue.

At this point, the only reasonable conclusion is that the person in control of the [JiaT75] GitHub account is a malicious actor and is completely untrustworthy. What’s unclear is if this is still the same developer that has been co-maintaining the project since August 2022. It’s possible that [Jia Tan] has always been a bad actor, or that account may be completely compromised.

What About SSH?

What may not be clear is the connection to SSH. And it’s a trip. Many Linux distros patch sshd to add systemd features, and libsystemd pulls the liblzma library. That means the liblzma initialization code gets run when sshd starts. In the malicious code, the library checks argv[0], which is the name of the program being executed, for /usr/bin/sshd. Additionally it seems to check for debugging tools like rr and gdb. If the checks are green, liblzma replaces a few function calls with its own code. It’s a complicated dance, but the exploit is specifically looking to replace RSA_public_decrypt.

That’s a very interesting function to clobber, as it is one of the functions used to validate SSH keys. It’s not hard to imagine how malicious code here could check for a magic signature, and bypass the normal login process. The full analysis is still being done, and expect more information in the coming days.

But the bottom line is that a machine with a patched sshd binary, that also has xz packages version 5.6.0 or 5.6.1, is vulnerable to unauthenticated SSH logins. The good news is that only a few distributions have shipped the 5.6.x series of xz packages. Fedora Rawhide/41 them, and Debian Testing and Unstable shipped these versions as well. If you’re on an affected system, look for an update right away.

It’s unclear what the path forwards is for the xz project. This is obviously an important system utility for Linux systems, and its current maintainers seem to be asleep at the wheel — or intentionally steering towards disaster. Expect one or more hard forks, and then a lot of cleanup work.

This is a developing story. For more, see the Redhat security alert, the Debian alert, and the oss-security thread on the subject.

Get ready to watch an AdaBox 021 Unboxing take-over on Ask an Engineer! Join John Park at 8pm ET / 5pm PT TONIGHT! Wednesday, 3/20/2024 for the live Unboxing of AdaBox 021 — Ladyada and Mr. Ladyada will be in the chat to answer your questions!

Live text chat in discord in the #livebroadcast channel, and we’ll have live video on Youtube, Twitch, and Facebook.

Can’t wait to find out what’s in the box? Head over to the AdaBox 021 Learn Guide to see what’s inside!

#MAKEWITHDIGIKEY
@digikey

From the GitHub release page:

This is CircuitPython 9.0.0, the latest major revision of CircuitPython, and is a new stable release.

WARNING for nRF52 boards only: If your board has an nRF52 UF2 bootloader whose version is before 0.6.1, you will not be able to load CircuitPython 8.2.0 and later, due to increased size of the firmware. See these instructions for updating your bootloader.

Notable changes to 9.0.0 since 8.x.x

Incompatibility warnings

• New storage management. See Internal below about possible new memory errors with existing programs.
• Filesystems such as SD cards must now be mounted on an existing directory as a mount point. See Storage below.
• Incompatible change in socket behavior: Sockets must be explictly made reusable. See Networking below.
• displayio.*Display.show() has been removed. Use *Display.root_group = instead.
• I2CPeripheral is now I2CTarget.

Audio

• Add synthio.Note .loop_start and .loop_end properties.
• Add synthio.Synthesizer.note_state.
• Add I2S MCLK support on Espressif.
• Allow signed amplitude in synthio.

Built-in modules

• Add OrderedDict.move_to_end().
• Add warnings module, similar to what is in CPython.
• Add locale.getlocale().
• Add codeop.compile_command().
• Remove 8.x.x deprecations: displayio.*.show(), I2CPeripheral renamed to I2CTarget.

Graphics

• Reorganize and split displayio. 8.x.x naming structure is available in 9.x.x, but will be removed in 10.0.0.
• Add jpegio JPEG decoder support.
• Add bitmapfilter image manipulation.

Internal

• New split-heap internal dynamic storage mechanism. Some CircuitPython programs may fail with MemoryError. If you encounter programs that work in 8.x.x but get MemoryError exceptions, consider filing an issue with details.
• Merge updates from MicroPython v1.19.1, v1.20.0, and v1.21.0.
• Espressif: update to ESP-IDF v5.1.3.

Networking

• Allow specifying protocol for raw sockets.
• Add mDNS TXT record support.
• Make SD cards available over web workflow.
• Allow fetching of associated stations in access-point mode.
• Incompatible change: Require explicit socket port reuse. Use socket.setsockopt(pool.SOL_SOCKET, pool.SO_REUSEADDR, 1), as in CPython.

Python interpreter

• Use terser error messages on small builds.

Storage

• CIRCUITPY drives now mount on Android.
• Increased file capacity on CIRCUITPY drives <= 128kB.
• Incompatible change: Require filesystem mounts to be on existing directories. Create /sd in fresh filesystems to provide a mount point.

Supervisor

• Add repl.py, which runs just before the REPL starts up.

USB

• Video device (“Webcam”, UVC) support.
• HID can wake up sleeping host computer.
• Further USB host support, on i.MX and RP2040.
• Allow setting USB HID interface name.

Download from circuitpython.org

Firmware downloads are available from the downloads page on circuitpython.org. The site makes it easy to select the correct file and language for your board.

Installation

To install follow the instructions in the Welcome to CircuitPython! guide. To install the latest libraries, see this page in that guide.

Try the latest version of the Mu editor for creating and editing your CircuitPython programs and for easy access to the CircuitPython serial connection (the REPL).

Documentation

Documentation is available in readthedocs.io.

Port status

CircuitPython has a number of “ports” that are the core implementations for different microcontroller families. Stability varies on a per-port basis. As of this release, these ports are consider stable (but see Known Issues below):

• atmel-samd: Microchip SAMD21, SAMx5x
• cxd56: Sony Spresense
• espressif: Espressif ESP32, ESP32-S2, ESP32-S3, ESP32-C3
• nrf: Nordic nRF52840, nRF52833
• raspberrypi: Raspberry Pi RP2040
• stm: ST STM32F4 chip family

These ports are considered alpha and will have bugs and missing functionality:

• broadcom: Raspberry Pi boards such as RPi 4, RPi Zero 2W
• litex: fomu
• mimxrt10xx: NXP i.MX RT10xxx
• silabs: Silicon Labs MG24 family
• stm: ST non-STM32F4 chip families

Changes since 9.0.0-rc.1

Fixes and enhancements

• Allow ctrl-C of adafruit_bus_device.spi_device.SPIDevice awaiting lock. #9055. Thanks @dhalbert.

Port and board-specific changes

Broadcom

Espressif

i.MX

nRF

RP2040

SAMx

SiLabs

Spresense

STM

Individual boards

• M5Stack Cardputer: fix board.I2S_DATA pin name typo. #9020. Thanks @RetiredWizard.

Documentation changes

Build and infrastructure changes

Translation additions and improvements

New boards since 9.0.0-rc.1

Known issues

• See https://github.com/adafruit/circuitpython/issues for other issues, including issues still to be addressed for:
  • 9.0.0
  • 9.0.x
  • 9.x.x
  • long term

Thanks

Thank you to all who used, tested, and contributed since 9.0.0-rc.1, including the contributors above, and many others on GitHub and Discord. Join us on the Discord chat to collaborate.