LWN.net

Sigal is a "simple static gallery generator" with a straightforwarddesign, a nice feature set, and great themes. It was started as a toyproject, but has nevertheless grown into a sizable and friendlycommunity. After struggling withmaintenance using half a dozen photo gallery projects along the way,guest author Antoine Beaupré has found a nice little gem that he would liketo share with LWN readers.

Nathan Willis looksbeyond open web fonts on opensource.com. "For starters, it's critical to understand that Google Fonts and Open Font Library offer a specialized service—delivering fonts in web pages—and they don't implement solutions for other use cases. That is not a shortcoming on the services' side; it simply means that we have to develop other solutions.There are a number of problems to solve. Probably the most obvious example is the awkwardness of installing fonts on a desktop Linux machine for use in other applications. You can download any of the web fonts offered by either service, but all you will get is a generic ZIP file with some TTF or OTF binaries inside and a plaintext license file. What happens next is up to you to guess."

Security updates have been issued by Arch Linux (dhclient and dhcp), Debian (tomcat7 and xen), Fedora (dhcp), Mageia (glibc and xerces-c), SUSE (xen), and Ubuntu (irssi, memcached, postgresql-9.3, postgresql-9.5, postgresql-9.6, and twisted).

Virtual private networks (VPNs) offer a lot in the way of increasedsecurity and privacy. They have also tended to offer less desirablefeatures like administrative complexity and reduced performance, though; asa result, many potential VPN users decide not to bother. A relatively newproject called WireGuard hopes toaddress both of those problems with an in-kernel solution that is bothsimple and fast.

Greg Kroah-Hartman has released stable kernels 4.14.24, 4.9.86, 4.4.120, and 3.18.98. They all contain important fixes andusers should upgrade.

Security updates have been issued by Arch Linux (busybox and mkinitcpio-busybox), Debian (dovecot, freexl, kernel, libjgraphx-java, libvpx, trafficserver, and xen), Fedora (ruby), Mageia (phpmyadmin and xv), openSUSE (go), SUSE (ansible, cups, and xen), and Ubuntu (dovecot and qemu).

The 4.16-rc4 kernel prepatch is out fortesting. "Hmm. A reasonably calm week".

Linux Journal has a look at Qubes 4, which is due to be released in the next month or so. It has undergone a refactoring of sorts. "Another major change in Qubes 4 relates to the GUI VM manager. In past releases, this program provided a graphical way for you to start, stop and pause VMs. It also allowed you to change all your VM settings, firewall rules and even which applications appeared in the VM's menu. It also provided a GUI way to back up and restore VMs. With Qubes 4, a lot has changed. The ultimate goal with Qubes 4 is to replace the VM manager with standalone tools that replicate most of the original functionality."

The fourth update to the Ubuntu 16.04 long-term support distribution has been released; it is available from the "Get Ubuntu" web page. "As usual, this point release includes many updates, and updatedinstallation media has been provided so that fewer updates will need tobe downloaded after installation. These include security updates andcorrections for other high-impact bugs, with a focus on maintainingstability and compatibility with Ubuntu 16.04 LTS.Kubuntu 16.04.4 LTS, Xubuntu 16.04.4 LTS, Mythbuntu 16.04.4 LTS,Ubuntu GNOME 16.04.4 LTS, Lubuntu 16.04.4 LTS, Ubuntu Kylin 16.04.4 LTS,Ubuntu MATE 16.04.4 LTS and Ubuntu Studio 16.04.4 LTS are also nowavailable." Information about what has changed can be found in the overall release notes and in the release notes for the various Ubuntu flavors.

Security updates have been issued by Debian (freexl and simplesamlphp), Fedora (krb5, libvirt, php-phpmyadmin-motranslator, php-phpmyadmin-sql-parser, and phpMyAdmin), Mageia (krb5, leptonica, and libvirt), Slackware (dhcp and ntp), and Ubuntu (isc-dhcp).

This is the fourth article of a seriesdiscussing various methods of reducing the size of the Linux kernel to make it suitable for smallenvironments. Reducing the kernel binary has its limits and we have pushedthem as far as possible at this point. Still, our goal, which is to be ableto run Linux entirely from the on-chip resources of a microcontroller, hasnot been reached yet. This article will conclude this series by looking atthe problem from the perspective of making the kerneland user space fit into a resource-limited system.

As leading-edge rolling distributions go, OpenSUSE Tumbleweed is relativelystable, but it is still true that some snapshots are better than others.Jimmy Berry has announced the creation of a web site trackingthe quality of each day's snapshot. "By utilizing a variety ofsources of feedback pertaining to snapshots a stability score isestimated. The goal is to err on the side of caution and to allow users toavoid troublesome releases."

Security updates have been issued by Debian (xmltooling), Fedora (mbedtls), openSUSE (freexl), Oracle (quagga and ruby), Red Hat (.NET Core, quagga, and ruby), Scientific Linux (quagga and ruby), SUSE (glibc), and Ubuntu (libreoffice).

The LWN.net Weekly Edition for March 1, 2018 is available.

The Free Software Foundation has announcedthe availability of its 2016 annual report. "The Annual Reportreviews the Foundation's activities, accomplishments, and financial picturefrom October 1, 2015 to September 30, 2016. It is the result of a fullexternal financial audit, along with a focused study of programresults." It may lack punctuality, but it makes up for it inglitz.

Should we host in the cloud or on our own servers? This question wasat the center of Dmytro Dyachuk's talk, givenduring KubeCon + CloudNativeCon last November. While many servicessimply launch in the cloud without the organizations behind themconsidering other options, large content-hosting services have actually moved back to their own data centers: Dropboxmigrated in 2016 and Instagramin 2014. Because such transitions can be expensive and risky, understanding the economics of hosting is a critical partof launching a new service. Actual hosting costs are oftenmisunderstood, or secret, so it is sometimes difficult to get thenumbers right. In this article, we'll use Dyachuk's talk to try toanswer the "million dollar question": "buy or rent?"

Security updates have been issued by Arch Linux (mbedtls), CentOS (gcab and java-1.7.0-openjdk), Debian (drupal7, lucene-solr, wavpack, and xmltooling), Fedora (dnsmasq, gcab, gimp, golang, knot-resolver, ldns, libsamplerate, mingw-OpenEXR, mingw-poppler, python-crypto, qt5-qtwebengine, sblim-sfcb, systemd, unbound, and wavpack), Mageia (ioquake3, TiMidity++, tomcat, tomcat-native, and wireshark), openSUSE (systemd and zziplib), Red Hat (erlang and openstack-nova and python-novaclient), and SUSE (kernel).

Stable kernels 4.15.7, 4.14.23, 4.9.85, 4.4.119, and 3.18.97 have been released. They all containimportant fixes and users should upgrade.

Keeping up with the free-software development community requires followinga lot of mailing lists. For many years, the Gmane email archive has helped your editor todo that without going any crazier than he already is, but Gmane is becomingan increasingly unreliable resource. A recent incident increased thepriority of a longstanding goal to find (or create) an alternative toGmane. That, in turn, led to the discovery of public-inbox.

License violations are generally not done by malice, but simply bymistake. But correcting those mistakes can be messy, so it would be betterfor large (and small) organizations not to make them in the first place. Totry to head off license problems, Andreas Schreiber and his colleagues at Germany's aeronautics and space research center, DLR, haveput together educational materials and worked on training. Schreiber spokeabout this work at FOSDEM 2018.<p>Subscribers can read on for a report on the talk by guest author Tom Yates.

Security updates have been issued by Fedora (exim, irssi, php-phpmyadmin-motranslator, php-phpmyadmin-sql-parser, phpMyAdmin, and seamonkey), Mageia (cups, flatpak, golang, jhead, and qpdf), Oracle (gcab, java-1.7.0-openjdk, and kernel), Red Hat (gcab, java-1.7.0-openjdk, and java-1.8.0-ibm), Scientific Linux (gcab and java-1.7.0-openjdk), and Ubuntu (sensible-utils).

What if real-life chores could gain you fake internet points like in anonline role-playing game? That's the premise of Habitica, a productivity applicationdisguised as a game. It's a self-improvement application where players canlist their daily tasks or to-do items in the game; every time one ischecked-off, the game rewards the player with points or game items.

The kernel development process tends to be focused on addition: each newrelease supports more drivers, more features, and often new processorarchitectures. As a result, almost every kernel release has been larger than itspredecessor. But occasionally even the kernel needs to slim down a bit.Upcoming kernel releases are likely to see the removal of support for anumber of unloved architectures and, in an unrelated move, the removal ofsupport for some older compilers.

Security updates have been issued by Arch Linux (lib32-wavpack, phpmyadmin, unixodbc, and wavpack), Debian (drupal7, golang, imagemagick, libdatetime-timezone-perl, libvpx, and tzdata), Fedora (exim, irssi, kernel, milkytracker, qt5-qtwebengine, seamonkey, and suricata), Mageia (advancecomp, apache-commons-email, freetype2, ghostscript, glpi, jackson-databind, kernel, mariadb, and postgresql), openSUSE (dhcp, GraphicsMagick, lame, php5, phpMyAdmin, timidity, and wireshark), and Oracle (kernel).

The 4.16-rc3 kernel prepatch is out fortesting. Linus says: "rc3 is larger than rc2 was, but as mentionedlast week, that's expected - rc2 really was tiny. People have startedfinding things to fix, but there's nothing that really stands out asparticularly scary here."

Another set of relatively large stable kernel updates has been released:4.15.6,4.14.22,4.9.84,4.4.118, and3.18.96.It would appear that the post-Meltdown backlog of important fixes is stillbeing worked through.

Opensource.com looks at the availability of open educational resources (OERs), where to find them, and what the advantages of OERs are. Math and computer science professor David Usinski is a strong advocate for OERs and was interviewed for the article. "The ability to customize the curriculum is one of David's favorite benefits of OER. 'The intangible aspect is that OER has allowed me to reinvent my curriculum and take ownership of the content. With a textbook, I am locked into the chapter-by-chapter approach by one or two authors,' he says. Because of OER 'I am no longer hindered or confined by published materials and now have the flexibility to create the curriculum that truly addresses the course outcomes.' By freely sharing the content he creates, other instructors can also benefit."

On his blog, Patrick Uiterwijk writes about about Fedora packaging and how the distribution works to ensure its users get valid updates. Packages are signed, but repository metadata is not (yet), but there are other mechanisms in place to keep users from getting outdated updates (or to not get important security updates). "However, when a significant security issue is announced and we have repositories that include fixes for this issue, we have an 'Emergency' button. When we press that button, we tell our servers to immediately regard every older repomd.xml checksum as outdated.This means that when we press this button, every mirror that does not have the very latest repository data will be regarded as outdated, so that our users get the security patches as soon as possible. This does mean that for a period of time only the master mirrors are trusted until other mirrors sync their data, but we prefer this solution over delaying getting important fixes out to our users and making them vulnerable to attackers in the meantime."

The 4.4.117, 4.9.83, 4.14.21, and 4.15.5 stable kernels have been released.They contain a large number of updates throughout the tree; users shouldupgrade.

Security updates have been issued by Debian (cups, gcc-6, irssi, kernel, and squid3), Fedora (mupdf), Mageia (irssi, mpv, qpdf, and quagga), openSUSE (libmad and postgresql95), SUSE (kernel and php5), and Ubuntu (kernel, linux-lts-trusty, linux-raspi2, and wavpack).

The BPF virtual machine is working its way into an increasing number ofkernel subsystems. The previous article inthis series introduced the BPF Compiler Collection (BCC), whichprovides a set of tools for working with BPF. But there is more to BCCthan a set of administrative tools; it also provides a developmentenvironment for those wanting to create their own BPF-based utilities.Read on for an exploration of that environment and how it can be used tocreate programs and attach them to tracepoints.

Security updates have been issued by Arch Linux (strongswan), Fedora (torbrowser-launcher), openSUSE (libdb-4_5, libdb-4_8, postgresql96, python3-openpyxl, and xv), Red Hat (rh-maven35-jackson-databind), and Ubuntu (kernel, libreoffice, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-azure, linux-gcp, linux-oem, and linux-lts-xenial, linux-aws).

The LWN.net Weekly Edition for February 22, 2018 is available.

The XFS filesystem has been in the kernel for fifteen years and was used inproduction on IRIX systems for five years before that. But it might justbe time to teach that "old dog" of a filesystem some new tricks, DaveChinner said, at the beginning of his linux.conf.au 2018 presentation.There are a number of features that XFS lacks when compared to more modernfilesystems, such as snapshots and subvolumes; but he has been thinking—andwriting code—on a path to get them into XFS.

Terms like "cloud-native" and "web scale" are often usedand understood as pointless buzzwords. Under the layers of marketing, though,cloud systems do work best with a new and different way of thinking about systemadministration. Much of the tool set used for cloud operations is freesoftware, and Linux is the platform of choice for almost all cloud applications. While just about any distribution can be made to work, there areseveral projects working to create a ground-up system specifically for cloudhosts. One of the best known of these is Project Atomic from Red Hat and theFedora Project.

<p>Some days it seems that wherever two or more free-software enthusiastsgather together, there also shall be licensing discussions. One such,which can get quite heated, is the question of whether a givenfree-software license is a license, or whether it is really a contract. This distinction is important, because most legal systems treat the twodifferently. I know from personal experience that that discussion can goon, unresolved, for long periods, but it had not previously occurred tome to wonder whether this might be due to the answer being different indifferent jurisdictions. Fortunately, it has occurred to some lawyersto wonder just that, and three of them came together at FOSDEM 2018 topresent their conclusions.<p>Subscribers can read on for a report on the talk by guest author Tom Yates.

At this year's FOSDEM in Brussels,Jan Tobias Mühlberg gave a talk on thelatest work on Sancus, aproject that was originally presentedat the USENIX Security Symposium in 2013. The project is a fullyopen-source hardware platform to support "trustedcomputing" and other security functionality. It is designed to be used forinternet of things (IoT)devices, automotive applications, critical infrastructure, and otherembedded devices where trusted code is expected to be run.

Security updates have been issued by Arch Linux (libmspack), Debian (zziplib), Fedora (ca-certificates, firefox, freetype, golang, krb5, libreoffice, monit, patch, plasma-workspace, ruby, sox, tomcat, and zziplib), openSUSE (dovecot22, glibc, GraphicsMagick, libXcursor, mbedtls, p7zip, SDL_image, SDL2_image, sox, and transfig), Red Hat (chromium-browser), and Ubuntu (cups, libvirt, and qemu).

Anders Hovmöller has posted an account of migrating a large application to Python 3. There were multiple steps on the journey and plenty of lessons learned. "Our philosophy was always to go py2 -> py2/py3 -> py3 because we just could not realistically do a big bang in production, an intuition that was proven right in surprising ways. This meant that 2to3 was a non starter which I think is probably common. We tried a while to use 2to3 to detect Python 3 compatibility issues but quickly found that untenable too. Basically it suggests changes that will break your code in Python 2. No good.The conclusion was to use six, which is a library to make it easy to build a codebase that is valid in both in Python 2 and 3."

Security updates have been issued by Debian (libav), Gentoo (chromium, firefox, libreoffice, mysql, and ruby), SUSE (kernel), and Ubuntu (bind9).

The Linux kernel currently supports two separate network packet-filteringmechanisms: iptables and nftables. For the last few years, it has beengenerally assumed that nftables would eventually replace the older iptablesimplementation; few people expected that the kernel developers would,instead, add a third packet filter. But that would appear to be what ishappening with the newly announced bpfiltermechanism. Bpfilter may eventually replace both iptables and nftables, butthere are a lot of questions that will need to be answered first.

Security updates have been issued by Arch Linux (irssi), Debian (bind9, gcc-4.9, plasma-workspace, quagga, and tomcat-native), Fedora (p7zip), Mageia (nasm), openSUSE (exim, ffmpeg, irssi, mpv, qpdf, quagga, rrdtool, and rubygem-puppet), and SUSE (p7zip and xen).

SuiteCRM is a fork of the formerlyopen-source SugarCRM customer relationship management system.The 7.10 releasehas been announced. "SuiteCRM 7.10 includes a long list ofenhancements, improving user experience, adding new functionality andproviding a new REST API. This edition of SuiteCRM also assists companiesto be ready for GDPR, including opt-in functionality to track the consentof individuals."

The second 4.16 kernel prepatch is out."Go out and test, it all looks fine."

The4.15.4,4.14.20,4.9.82,4.4.116, and3.18.95stable kernel updates have all been released. These kernels contain arelatively large set of important fixes and updates.

Thefifth version of the patch series addingthe boot-constraint subsystem is under review on the linux-kernel mailing list. The purpose of this subsystem is tohonor the constraints put on devices by thebootloader before those devices arehanded over to the operating system (OS) — Linux in our case. If theseconstraints are violated, devices may fail to work properly once the kernelstarts reconfiguring the hardware; by tracking and enforcing thoseconstraints, instead, we can ensure that hardware continues to workproperly until the kernel is fully operational.

Security updates have been issued by Debian (quagga), Mageia (freetype2, kernel-linus, and kernel-tmb), openSUSE (chromium, GraphicsMagick, mupdf, openssl-steam, and xen), Slackware (irssi), SUSE (glibc and quagga), and Ubuntu (quagga).

For as long as the kernel has included tracepoints, developers have arguedover whether those tracepoints are part of the kernel's ABI. Tracepointchanges have had to be reverted in the past because they broke existinguser-space programs that had come to depend on them; meanwhile, fears ofsetting internal code in stone have made it difficult to add tracepoints toa number of kernel subsystems. Now, a new tracing functionality is beingproposed as a way to circumvent all of those problems.

Linux Journal takes a look at the newly announced LinuxBoot project. LWN covered a related talk back in November. "Modern firmware generally consists of two main parts: hardware initialization (early stages) and OS loading (late stages). These parts may be divided further depending on the implementation, but the overall flow is similar across boot firmware. The late stages have gained many capabilities over the years and often have an environment with drivers, utilities, a shell, a graphical menu (sometimes with 3D animations) and much more. Runtime components may remain resident and active after firmware exits. Firmware, which used to fit in an 8 KiB ROM, now contains an OS used to boot another OS and doesn't always stop running after the OS boots. LinuxBoot replaces the late stages with a Linux kernel and initramfs, which are used to load and execute the next stage, whatever it may be and wherever it may come from. The Linux kernel included in LinuxBoot is called the 'boot kernel' to distinguish it from the 'target kernel' that is to be booted and may be something other than Linux."

Security updates have been issued by Debian (jackson-databind, leptonlib, libvorbis, python-crypto, and xen), Fedora (apache-commons-email, ca-certificates, libreoffice, libxml2, mujs, p7zip, python-django, sox, and torbrowser-launcher), openSUSE (libreoffice), SUSE (libreoffice), and Ubuntu (advancecomp, erlang, and freetype).