
While I haven't seen it noted in any of the recent changelogs for the Steam Client Beta, it seems it has an updated Steam Runtime in need of some testing.

Sending word to us on Twitter, developer Timothee Besset said:

The beta branch of the steam client for GNU/Linux has received several updates to its runtime for games. Make sure to test your favorite titles! CC @gamingonlinux @Plagman2

For those of you who want to ensure everyone has a good experience and to ensure games you love don't break with a new stable Steam Client release, it's time to get testing and reporting. It's probably a good idea to let Valve know of any issues on their Steam for Linux GitHub.

What is the Steam Runtime? From the GitHub:

A binary compatible runtime environment for Steam applications on Linux.

Essentially, it includes a set of libraries for game developers to link their games against. This is to give them a somewhat standard set of libs that should work across distributions for games shipped on Steam.

Article taken from GamingOnLinux.com.

beniwtv 26 October 2018 at 8:34 am UTC
devnull: Quite frankly I'm at the point of blaming networks for turning off older TLS with no fallback.

The fallback is called "newer TLS version", and has been supported by OSes and applications for quite a while. Obviously old GnuTLS didn't support them. GnuTLS 2.6.6 was released on 2009-04-30, more than 9 years ago. We did not even know about the vulnerabilities back then.

Blaming networks for caring about your data's security and disabling these broken protocols seems a bit odd.

The issue here isn't GnuTLS or the networks, but the Steam runtime being so old and not being kept up to date (at least the security relevant parts of it should be updated).
devnull 26 October 2018 at 9:54 am UTC
liamdawe: Was sent this about the update: https://gist.github.com/TTimo/b931f11bacbdba22d3ef8532caa96952

Not sure what was updated but the beta pulled down almost 200M

beniwtv
devnull: Quite frankly I'm at the point of blaming networks for turning off older TLS with no fallback.

The fallback is called "newer TLS version", and has been supported by OSes and applications for quite a while. Obviously old GnuTLS didn't support them. GnuTLS 2.6.6 was released on 2009-04-30, more than 9 years ago. We did not even know about the vulnerabilities back then.

Depends which bugs you're referring to but they were certainly known, maybe not as public.

beniwtv: Blaming networks for caring about your data's security and disabling these broken protocols seems a bit odd.

Do you know how TLS1.3 works? It's not a silver bullet and there was nothing stopping applications from enforcing security policy. I know because it's one of the first things I do on installs.


beniwtv: The issue here isn't GnuTLS or the networks, but the Steam runtime being so old and not being kept up to date (at least the security relevant parts of it should be updated).

I don't follow this at all for the simple fact I updated libgnutls to my own distro's "latest", and STILL have problems. While the steam runtime may be old, requiring bleeding edge rolling releases is ... asinine.

The issue with COMPILING TLS has NOTHING to do with Steam. What on Earth. Do you know what other dependencies that involves?
beniwtv 26 October 2018 at 10:42 am UTC
devnull: Depends which bugs you're referring to but they were certainly known, maybe not as public.

I can obviously only speak of public disclosure of these bugs, for example POODLE was disclosed 2014: https://access.redhat.com/articles/1232123

Whether it was known in 2009, I don't know. At least us server admins/app devs did not know until that point.

devnull: Do you know how TLS1.3 works? It's not a silver bullet and there was nothing stopping applications from enforcing security policy. I know because it's one of the first things I do on installs.

Agree, no security protocol will ever be perfect - but that doesn't mean we should just leave old broken protocols enabled. Yes you can take steps to mitigate things like POODLE or BEAST, but for example in the case of POODLE both server AND client have to be patched - just ensuring your local app policy is half the work.

Also SSLv3 client applications tend to be older and use weaker ciphers.

devnull: I don't follow this at all for the simple fact I updated libgnutls to my own distro's "latest", and STILL have problems. While the steam runtime may be old, requiring bleeding edge rolling releases is ... asinine.

The issue with COMPILING TLS has NOTHING to do with Steam. What on Earth. Do you know what other dependencies that involves?

I have no idea what your distro's latest version is, so can't comment on that. It is of course possible GnuTLS has bugs of its own making connections fail.

I don't think I understand your last sentence - as an app dev you ARE responsible for keeping your dependencies up to date. Steam-runtime or not. Problem is, if developers only target the runtime, they will get outdated dependencies.
devnull 26 October 2018 at 12:36 pm UTC
beniwtv
devnull: Depends which bugs you're referring to but they were certainly known, maybe not as public.

I can obviously only speak of public disclosure of these bugs, for example POODLE was disclosed 2014: https://access.redhat.com/articles/1232123

Whether it was known in 2009, I don't know. At least us server admins/app devs did not know until that point.

That particular attack was a downgrade as was BEAST before it. Funny thing is TLS was supposed to solve it but would later produce vulnerable implementations.

beniwtv
devnull: Do you know how TLS1.3 works? It's not a silver bullet and there was nothing stopping applications from enforcing security policy. I know because it's one of the first things I do on installs.

Agree, no security protocol will ever be perfect - but that doesn't mean we should just leave old broken protocols enabled. Yes you can take steps to mitigate things like POODLE or BEAST, but for example in the case of POODLE both server AND client have to be patched - just ensuring your local app policy is half the work.

Also SSLv3 client applications tend to be older and use weaker ciphers.

Restricting key use is part of setting security policy. It's why you have lovely strings like

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!SRP:!DSS

Funny enough, Cloudflare publishes a recommended config that still enables TLSv1

beniwtv
devnull: I don't follow this at all for the simple fact I updated libgnutls to my own distro's "latest", and STILL have problems. While the steam runtime may be old, requiring bleeding edge rolling releases is ... asinine.

The issue with COMPILING TLS has NOTHING to do with Steam. What on Earth. Do you know what other dependencies that involves?

I have no idea what your distro's latest version is, so can't comment on that. It is of course possible GnuTLS has bugs of its own making connections fail.

GNUTLS 3.3.28

The forced deprecation started back in April. Individual applications were already forcing policies on users and with little to no notification as to what was WRONG. Chrome popping up a generic SSL error for example. Cloudflare along with many sites were supposed to drop TLS1.0/1.1 support as of June (Cloudflare on their API). PCI Compliance required it by EOM.

beniwtv: I don't think I understand your last sentence - as an app dev you ARE responsible for keeping your dependencies up to date. Steam-runtime or not. Problem is, if developers only target the runtime, they will get outdated dependencies.

That is IMPOSSIBLE. The whole reason code uses third party libs for things like SSL (collectively referring to all things "Secure this connection between two points") - is not worrying about it breaking.

There's a whole lot more to this than I care to write. I don't disagree the protocols had issues, I do however disagree with developers being perpetually on the hook for patching. It's not trivial nor are they all bug fixes but API too. Unlike a shim between TLS and SSL for POODLE and BEAST, it's pretty damned difficult to run a front end application proxy... unless you're one of the very few who can issue their own trusted certificates. Do that now and you run up against out of band validation problem (OCSP, HSTS, CRLs, etc).
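
Added example, not part of any comment in this thread: a client-side policy of the kind discussed above, applying the quoted cipher string with Python's `ssl` module and auditing which suites OpenSSL actually enables. The TLS 1.2 floor, the function names and the `BANNED` list are assumptions made for the illustration.

```python
import ssl

# Cipher string quoted in the comment above (OpenSSL cipher-list syntax).
CIPHER_STRING = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
    "EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!SSLv3:!aNULL:!eNULL:"
    "!LOW:!3DES:!MD5:!EXP:!SRP:!DSS"
)

# Substrings of OpenSSL suite names that the "!" rules are meant to exclude.
BANNED = ("RC4", "DES-CBC3", "MD5", "NULL", "EXP", "SRP", "DSS")


def build_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client context: certificate checks on, protocol floor, suite policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The protocol floor is a separate setting. "!SSLv3" in the cipher
    # string only removes suites first defined for SSLv3; it does not
    # change which protocol versions may be negotiated.
    ctx.minimum_version = min_version
    ctx.set_ciphers(CIPHER_STRING)
    return ctx


def banned_suites(ctx):
    """Enabled suites whose name still contains an excluded primitive."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(b in c["name"] for b in BANNED)]


def suites_by_protocol(ctx):
    """Group enabled suite names by the protocol label OpenSSL reports."""
    groups = {}
    for c in ctx.get_ciphers():
        groups.setdefault(c["protocol"], []).append(c["name"])
    return groups


if __name__ == "__main__":
    ctx = build_client_context()
    print("floor:", ctx.minimum_version.name)
    print("banned suites still enabled:", banned_suites(ctx))
    for proto, names in sorted(suites_by_protocol(ctx).items()):
        print(proto, len(names), "suites, e.g.", names[0])
```

The listing depends on the local OpenSSL build; TLS 1.3 suites appear regardless of the string because `set_ciphers` does not govern them.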
beniwtv 26 October 2018 at 2:56 pm UTC
devnull: That is IMPOSSIBLE. The whole reason code uses third party libs for things like SSL (collectively referring to all things "Secure this connection between two points") - is not worrying about it breaking.

Well it's not impossible - but time consuming. A full-time job in itself for many applications. I agree 100% though that security-related libraries should not break API, unless there is REALLY REALLY no other way (or a completely new protocol that can't be represented with the current API).

In fact, any library not breaking API would be nice - but this is hard to do in itself. Sometimes conserving an old API is a great source of hold-back for a library.

I recently linked GnuTLS 3.0 to Proton that was compiled against GnuTLS 2.6, and things do work now, in many games. So I think at least the developers did try to conserve the API as much as possible in this specific case.
F.Ultra 26 October 2018 at 11:13 pm UTC
liamdawe: Was sent this about the update: https://gist.github.com/TTimo/b931f11bacbdba22d3ef8532caa96952

Don't know if I'm misreading something here (not very fond of git being a svn type of guy) but the list there seems to be very minor changes in revision only.

E.g gcc-4.6-base_4.6.3-1ubuntu5+srt5 in Steam Generally Available runtime is to be replaced by 4.6.3-1ubuntu5+steamrt1.1+srt1 from Steam Public Beta runtime

So still v4.6.3 and still with the Ubuntu revision 5 but with +steamrt1.1+srt1 and this is similar for everything on the list.


Last edited by F.Ultra at 26 October 2018 at 11:13 pm UTC