News briefs for April 9, 2019.

GRUB 2.04-rc1 has been released. Phoronix reports that after nearly two years of development, this release will bring tons of changes, including "supporting multiple early initrd images, support for the F2FS file-system, a verifier framework, RISC-V support, UEFI Secure Boot shim support, Btrfs Zstd improvements, Btrfs RAID5/RAID6 support, Xen PVH support, UEFI TPM 1.2/2.0 support, and a lot of other work." If you want to try out GRUB 2.04-rc1, you can get the sources here.

Mozilla is working on designing better security messages for Firefox. See Meridel Walkington's article "Designing Better Security Warnings" for a discussion of the old vs. new designs and the goals for the new messages. Meridel writes, "3% of Firefox users encounter a security certificate message on a daily basis. Nearly all users who see a security message see one of five different message types. So, it's important that these messages are clear, accurate, and effective in educating and empowering users to make the informed (ideally, safer) choice."

Security researchers recently discovered "a back door into an open source framework that has been downloaded roughly 28 million times by building a malicious version that masquerades as the real thing." cyberscoop reports that a compromised version of bootstrap-sass was published to the RubyGems repository. The article quotes Chris Wysopalm, chief technology officer at app security company Veracode, "That doesn't mean there are something like 27 million apps out there using this. [But] when you're using open source packages to build your applications, you're inheriting many of the vulnerabilities....But bootstrap-sass is a popular component used by enterprises and startups so there's potentially thousands of applications affected by this."

Lutris, the open-source game launcher, has a new release. According to GamingonLinux, some of the changes in version 0.5.2 include "avoid a crash if the lutris config file is corrupted", "install Asian fonts by default on Wine prefix creation", "add Vulkan ICD loaders in system options", "replace joystick panel with Wine config panel" and more. See the Lutris site and GitHub repository for more information.

OpenVPN 3 Linux v5 beta release is now available. Highlights of this release include "built against OpenSSL by default", "improved configurations without client certificate", "openvpn2 command line interface improvements" and much more. See the release announcement for details and links to the git repositories and source tarballs.