LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-18 16:30
A draft glibc year-2038 design document
The year-2038 apocalypse is now just under 21 years away. For those who are curious about how the GNU C Library plans to deal with this problem, there is a draft design document out for review. "In order to avoid duplicating APIs for 32-bit and 64-bit time, glibc will provide either one but not both for a given application; the application code will have to choose between 32-bit or 64-bit time support, and the same set of symbols (e.g. time_t or clock_gettime) will be provided in both cases."
Linux Plumbers Conference call for microconferences
The 2017 Linux Plumbers Conference is set for September 13 to 15 in Los Angeles, California. The core of this event is the microconferences, focused gatherings that address a specific range of problems. The call for microconferences for the 2017 event is now out. "Good microconferences result in solutions to these problems and concerns, while the best microconferences result in patches that implement those solutions."
The "Upspin" global filesystem
A group of Google developers has announced the release of (an early version of) a new global filesystem called "Upspin". "Upspin looks a bit like a global file system, but its real contribution is a set of interfaces, protocols, and components from which an information management system can be built, with properties such as security and access control suited to a modern, networked world. Upspin is not an 'app' or a web service, but rather a suite of software components, intended to run in the network and on devices connected to it, that together provide a secure, modern information storage and sharing network."
Internet-enable your microcontroller projects for under $6 with ESP8266 (Opensource.com)
David Egts takes a look at the ESP8266 WiFi chip, on Opensource.com. "What is the ESP8266 exactly? The ESP8266 is a 32-bit RISC CPU made by Espressif Systems. Its clock runs at 80MHz, and it supports up to 16MB of flash RAM for program storage. These specifications are quite impressive when compared to an Arduino UNO, which runs at 16MHz, only has 32KB of RAM, and is several times more expensive. Another big difference is that the ESP8266 requires only 3.3 volts of power while most Arduinos require 5 volts. Keep this voltage difference in mind when extending your existing Arduino knowledge and projects to the ESP8266 to prevent magic smoke."
Security updates for Tuesday
CentOS has updated openssl (C7; C6: two vulnerabilities). Debian-LTS has updated gtk-vnc (two vulnerabilities). Fedora has updated kernel (F25; F24: two vulnerabilities), mingw-gstreamer1 (F25: denial of service), mingw-gstreamer1-plugins-bad-free (F25: two vulnerabilities), mingw-gstreamer1-plugins-base (F25: multiple vulnerabilities), mingw-gstreamer1-plugins-good (F25: multiple vulnerabilities), mingw-wavpack (F25; F24: multiple vulnerabilities), and xen (F25: denial of service). Gentoo has updated adobe-flash (multiple vulnerabilities), dropbear (multiple vulnerabilities), firefox (multiple vulnerabilities), libass (multiple vulnerabilities), libvncserver (two vulnerabilities), mariadb (multiple vulnerabilities), mysql (multiple vulnerabilities), nagios-core (multiple vulnerabilities, one from 2008), ocaml (information leak), opus (code execution), php (multiple vulnerabilities), pycrypto (denial of service), qemu (multiple vulnerabilities), redis (three vulnerabilities), tcpdump (multiple vulnerabilities), thunderbird (multiple vulnerabilities), tigervnc (code execution), and xen (code execution). Mageia has updated ruby-archive-tar-minitar (file overwrites). openSUSE has updated libplist (42.1: multiple vulnerabilities) and nodejs (42.1: three vulnerabilities). Oracle has updated openssl (OL7; OL6: two vulnerabilities). SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities). Ubuntu has updated gtk-vnc (14.04, 12.04: two vulnerabilities), spice (16.10, 16.04, 14.04: two vulnerabilities), and tomcat6, tomcat7 (14.04, 12.04: denial of service).
The return of the Linux kernel podcast
After taking a few years off, Jon Masters is restarting his kernel podcast. "In this week’s edition: Linus Torvalds announces Linux 4.10, Alan Tull updates his FPGA manager framework, and Intel’s latest 5-level paging patch series is posted for review. We will have this, and a summary of ongoing development in the first of the newly revived Linux Kernel Podcast."
Monday's security advisories
Debian-LTS has updated gst-plugins-bad0.10 (two vulnerabilities), gst-plugins-base0.10 (two vulnerabilities), gst-plugins-good0.10 (two vulnerabilities), gst-plugins-ugly0.10 (two vulnerabilities), and wireshark (denial of service). Fedora has updated bind (F24: denial of service), python-peewee (F25; F24: largely unspecified), sshrc (F25: unspecified), and zoneminder (F25; F24: information disclosure). Gentoo has updated glibc (multiple vulnerabilities, most from 2014 and 2015), mupdf (three vulnerabilities), and ntfs3g (privilege escalation). Mageia has updated gnutls (multiple vulnerabilities), gtk-vnc (two vulnerabilities), iceape (multiple vulnerabilities), jitsi (user spoofing), libarchive (denial of service), libgd (multiple vulnerabilities), lynx (URL spoofing), mariadb (multiple vulnerabilities, almost all unspecified), netpbm (multiple vulnerabilities), openjpeg2 (multiple vulnerabilities), tomcat (information disclosure), and viewvc (cross-site scripting). openSUSE has updated chromium (42.2, 42.1: multiple vulnerabilities), firebird (42.2, 42.1: access restriction bypass), java-1_7_0-openjdk (42.2, 42.1: multiple vulnerabilities), mcabber (42.2: user spoofing), mupdf (42.2, 42.1: multiple vulnerabilities), open-vm-tools (42.1: CVE with no description from 2015), opus (42.2, 42.1: code execution), tiff (42.2, 42.1: code execution), and vim (42.1: code execution). Red Hat has updated openssl (RHEL7&6: two vulnerabilities). Scientific Linux has updated openssl (SL7&6: two vulnerabilities). SUSE has updated kernel (SLE12: denial of service) and kernel (SLE11: multiple vulnerabilities, some from 2004, 2012, and 2015). Ubuntu has updated python-crypto (16.10, 16.04, 14.04: regression in previous update).
The 4.10 kernel has been released
Linus has released the 4.10 kernel. "On the whole, 4.10 didn't end up as small as it initially looked. After the huge release that was 4.9, I expected things to be pretty quiet, but it ended up very much a fairly average release by modern kernel standards." Features of note in this release include some long-awaited writeback throttling work, the ability to attach a BPF network filter to a control group, encryption in UBIFS filesystems, Intel cache-allocation technology support, and more. See the KernelNewbies 4.10 page for lots of details.
Stable kernels 4.9.11 and 4.4.50
The 4.9.11 and 4.4.50 stable kernel updates are available; each contains the usual set of important fixes.
SystemTap 3.1 has been released
The SystemTap team has announced the 3.1 release of the tool that allows extracting performance and debugging information at runtime from the kernel as well as various user-space programs. New features include support for adding probes to Python 2 and 3 functions, Java probes now convert all parameters to strings before passing them to probes, a new @variance() statistical operator has been added, new sample scripts have been added, and more.
Security updates for Friday
Arch Linux has updated diffoscope (file overwrite), flashplugin (multiple vulnerabilities), and lib32-flashplugin (multiple vulnerabilities). Debian has updated spice (two vulnerabilities). Debian-LTS has updated spice (two vulnerabilities). Gentoo has updated imagemagick (multiple vulnerabilities). openSUSE has updated expat (42.2, 42.1: two vulnerabilities, one from 2012), guile (42.2, 42.1: information disclosure), libgit2 (42.2: multiple vulnerabilities), mariadb (42.2, 42.1: multiple vulnerabilities), mysql-community-server (42.1: multiple vulnerabilities), openssl (42.2; 42.1: multiple vulnerabilities), and postfixadmin (42.2, 42.1: security bypass). SUSE has updated java-1_7_0-openjdk (SLE12: multiple vulnerabilities). Ubuntu has updated bind9 (denial of service), python-crypto (16.10, 16.04, 14.04: code execution), and webkit2gtk (16.10, 16.04: multiple vulnerabilities).
Go 1.8 released
The Go team has announced the release of Go 1.8. "The compiler back end introduced in Go 1.7 for 64-bit x86 is now used on all architectures, and those architectures should see significant performance improvements. For instance, the CPU time required by our benchmark programs was reduced by 20-30% on 32-bit ARM systems. There are also some modest performance improvements in this release for 64-bit x86 systems. The compiler and linker have been made faster. Compile times should be improved by about 15% over Go 1.7. There is still more work to be done in this area: expect faster compilation speeds in future releases." See the release notes for more details.
Thursday's security updates
Arch Linux has updated gvim (code execution) and vim (code execution). Red Hat has updated openstack-cinder, openstack-glance, and openstack-nova (OSP7.0: denial of service from 2015). SUSE has updated kernel (SLE12: many vulnerabilities, some from 2015 and 2014). Ubuntu has updated libgc (code execution) and openjdk-6 (12.04: multiple vulnerabilities).
Top 10 FOSS legal stories in 2016 (opensource.com)
Mark Radcliffe surveys the most important legal issues surrounding free and open-source software on opensource.com. "The challenge for the Linux community is to decide when to bring litigation to enforce the GPLv2. What it means in many situations is that to be compliant is currently left to individual contributors rather than being based on a set of community norms. As Theodore Ts'o noted, this issue really concerns project governance. Although permitting individual contributors to make these decisions may be the Platonic ideal, the tradeoff is ambiguity for users trying to be compliant as well as the potential for rogue members of the community (like McHardy) to create problems. The members of the Linux community and other FOSS communities need to consider how they can best assist the members of their community to understand what compliance means and to determine when litigation might be useful in furtherance of the community's goals."
[$] LWN.net Weekly Edition for February 16, 2017
The LWN.net Weekly Edition for February 16, 2017 is available.
TensorFlow 1.0 released
The TensorFlow 1.0 release is available, bringing an API stability guarantee to this machine-learning library from Google. "TensorFlow 1.0 introduces a high-level API for TensorFlow, with tf.layers, tf.metrics, and tf.losses modules. We've also announced the inclusion of a new tf.keras module that provides full compatibility with Keras, another popular high-level neural networks library."
[$] This is why I drink: a discussion of Fedora's legal state
Tom Callaway seems to be a very nice person who has been overclocked to about 140% normal human speed. In only 20 minutes he gave an interesting and highly-amusing talk that could have filled a 45-minute slot on the legal principles that underpin Fedora, how they got that way, and how they work out in practice. Subscribers can click below for the full report from FOSDEM by guest author Tom Yates.
Stable kernel updates
Greg KH has released stable kernels 4.9.10 and 4.4.49. Both contain the usual set of important fixes.
Wednesday's security updates
CentOS has updated bind (C7: denial of service). Debian has updated libevent (three vulnerabilities). Debian-LTS has updated libevent (three vulnerabilities). Fedora has updated lynx (F25: invalid URL parsing) and xen (F25: multiple vulnerabilities). Oracle has updated bind (OL7: denial of service). Red Hat has updated bind (RHEL7: denial of service), flash-plugin (RHEL6: multiple vulnerabilities), and kernel (RHEL7.1: code execution). Scientific Linux has updated bind (SL7: denial of service). SUSE has updated java-1_8_0-ibm (SLE12-SP1,2: multiple vulnerabilities) and kernel (SLE12-SP1: multiple vulnerabilities). Ubuntu has updated php5 (14.04, 12.04: multiple vulnerabilities).
Linux champion Munich takes decisive step towards returning to Windows (TechRepublic)
TechRepublic reports that the Munich, Germany city council has voted to begin the move back to proprietary desktop software. "Under a proposal backed by the general council, the administration will investigate how long it will take and how much it will cost to build a Windows 10 client for use by the city's employees. Once this work is complete, the council will vote again on whether to replace LiMux, a custom version of the Linux-based OS Ubuntu, across the authority from 2021."
Malcolm: Testing… Testing… GCC
David Malcolm takes a look at the testing going into the upcoming GCC 7.0 release. "The other new approach is in unit-testing: GCC’s existing testing was almost all done by verifying the externally-visible behavior of the program, but we had very little direct coverage of specific implementation subsystems; this was done in a piecemeal fashion using testing plugins. To address this, I’ve added a unit-testing suite to GCC 7, which is run automatically during a non-release build. Compilers use many data structures, so the most obvious benefit is that we can directly test corner-cases in these. As a relative newcomer to the project, one of my “pain points” learning GCC’s internals was the custom garbage collector it uses to manage memory. So, I’m very happy that the test suite now has specific test coverage for various aspects of the collector, which should make the compiler more robust when handling very large input files."
Security updates for Tuesday
CentOS has updated java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities). Debian has updated tomcat7 (denial of service), tomcat8 (denial of service), and vim (buffer overflow). Debian-LTS has updated tomcat7 (denial of service). Fedora has updated bind (F25: denial of service), kernel (F25; F24: two vulnerabilities), netpbm (F25: three vulnerabilities), tcpdump (F25: multiple vulnerabilities), vim (F25: buffer overflow), and w3m (F25: unspecified). Gentoo has updated openssl (multiple vulnerabilities) and virtualbox (multiple vulnerabilities). openSUSE has updated kernel (42.2; 42.1: multiple vulnerabilities). Oracle has updated java-1.7.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities).
[$] LEDE-17.01 is coming
For some years, OpenWrt has arguably been the most active router-oriented distribution. Things changed in May of last year, though, when a group of OpenWrt developers split off to form the competing LEDE project. While the LEDE developers have been busy, the project has yet to make its first release. That situation is about to change, though, as evidenced by the LEDE v17.01.0-rc1 release candidate, which came out on February 1.
Monday's security advisories
Arch Linux has updated ffmpeg (two vulnerabilities), kdenetwork-kopete (social engineering attacks), and webkit2gtk (multiple vulnerabilities). Debian-LTS has updated openjdk-7 (multiple vulnerabilities) and vim (buffer overflow). Fedora has updated epiphany (F24: password extraction sweep attack). Gentoo has updated gnutls (multiple vulnerabilities), graphviz (multiple vulnerabilities from 2014), and lsyncd (command injection from 2014). Mageia has updated audacious-plugins (multiple vulnerabilities), calibre (information leak), and nagios (two vulnerabilities). openSUSE has updated irssi (42.2, 42.1: memory leak), libxml2 (42.2: three vulnerabilities), and tigervnc (42.2, 42.1: denial of service). Oracle has updated kernel 3.8.13 (OL7; OL6: multiple vulnerabilities) and kernel 2.6.39 (OL6; OL5: multiple vulnerabilities). Red Hat has updated java-1.7.0-openjdk (RHEL5,6,7: multiple vulnerabilities). Scientific Linux has updated java-1.7.0-openjdk (SL5,6,7: multiple vulnerabilities). Slackware has updated bind (denial of service), openssl (three vulnerabilities), php (multiple vulnerabilities), and tcpdump (multiple vulnerabilities).
Kernel prepatch 4.10-rc8
Linus has released one more kernel prepatch, 4.10-rc8, rather than the final 4.10 release that had been expected. He said that 4.10 could have come out this week, but he thought better of it. "But I decided that there's also no huge overriding reason to do so (other than getting back to the usual "rc7 is the last rc" schedule, which would have been nice), and with travel coming up, I decided that I didn't really need to open the merge window. I've done merge windows during travel before, but I just prefer not to."
Sailfish OS 2.1.0 now available to early access for Jolla devices
Sailfish OS 2.1.0 Iijoki has been released. "Iijoki brings major architectural changes to Sailfish OS by introducing Qt 5.6 UI framework, BlueZ 5 Bluetooth stack and basic implementations of 64-bit architecture. It also brings improvements to the camera software with faster shutter speeds, initial support for Virtual Private Networks (VPN), option to enlarge UI fonts to different levels and last but not least, a large number of bug and error fixes mostly reported by our community." The release notes contain additional details.
Security updates for Friday
Arch Linux has updated bind (denial of service). Debian has updated jasper (multiple vulnerabilities). Debian-LTS has updated mysql-5.5 (code execution) and viewvc (cross-site scripting). Fedora has updated bitlbee (F24: denial of service), gnome-boxes (F24: password disclosure), gtk-vnc (F25: two vulnerabilities), iio-sensor-proxy (F24: authentication bypass), java-1.8.0-openjdk-aarch32 (F25; F24: multiple vulnerabilities), libwmf (F25: multiple vulnerabilities), mariadb (F24: multiple vulnerabilities), openssl (F24: three vulnerabilities), quagga (F25: denial of service), spice (F25; F24: two vulnerabilities), viewvc (F24: cross-site scripting), and wireshark (F25: two denial of service flaws). Gentoo has updated firejail (incomplete fix for previous vulnerability). SUSE has updated opus (SLE12: code execution) and kernel (SLE11: multiple vulnerabilities). Ubuntu has updated linux-raspi2 (16.10: multiple vulnerabilities), linux-ti-omap4 (12.04: two vulnerabilities), and nova-lxd (16.04: ).
Stable kernels 4.9.9 and 4.4.48
The 4.9.9 and 4.4.48 stable kernel updates are available. As usual, each contains a set of important fixes.
Security advisories for Thursday
Debian has updated openjdk-7 (multiple vulnerabilities), php5 (multiple vulnerabilities), and viewvc (cross-site scripting). Fedora has updated bitlbee (F25: denial of service), mariadb (F25: multiple vulnerabilities), redis (F25: two vulnerabilities), and viewvc (F25: cross-site scripting). openSUSE has updated libplist (42.2, 42.1: two vulnerabilities), opera (42.2, 42.1: multiple vulnerabilities), and rubygem-minitar (42.2: file overwrite). Red Hat has updated java-1.8.0-ibm (RHEL7&6: multiple vulnerabilities). SUSE has updated firefox (SLE11; SLE12: multiple vulnerabilities). Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities) and oxide-qt (16.10, 16.04, 14.04: multiple vulnerabilities).
[$] LWN.net Weekly Edition for February 9, 2017
The LWN.net Weekly Edition for February 9, 2017 is available.
[$] User-space networking with Snabb
High-speed networking was once, according to Andy Wingo in his 2017 linux.conf.au presentation, the domain of "the silicon people". But that situation is changing, and now any hacker can work with networking at the highest speeds. There is one little catch: one must dispense with the kernel's network stack and do the work in user space. Happily, not all of the solutions in this area are proprietary; he was there to talk about the Snabb networking toolkit and what can be done with it.
Security advisories for Wednesday
Debian-LTS has updated php5 (multiple vulnerabilities). Fedora has updated calibre (F25; F24: information leak), gnome-boxes (F25: password disclosure), and openssl (F25: three vulnerabilities). openSUSE has updated irssi (SPH for SLE12: memory leak) and spice (42.2; 42.1: two vulnerabilities). SUSE has updated mariadb (SLE12-SP1,2; SLES12: multiple vulnerabilities).
Stable kernel 3.18.48
Greg Kroah-Hartman has released an unexpected 3.18 kernel update, despite the fact that 3.18 is no longer supported. "Turns out there was a bug in 3.18.47 in one of the backports. And a bug in 3.18.27 as well, with one of the backports there. And a very minor issue in the 3.18.28 release, but no one cares about the debug messages for a specific scsi driver, so you can just ignore that issue..."
Catanzaro: An Update on WebKit Security Updates
Michael Catanzaro looks at how distributors have improved (or not) their security support for the WebKit browser engine in the last year. "So results are clearly mixed. Some distros are clearly doing well, and others are struggling, and Debian is Debian. Still, the situation on the whole seems to be much better than it was one year ago. Most importantly, Ubuntu’s decision to start updating WebKitGTK+ means the vast majority of Linux users are now receiving updates."
Sandstorm is returning to its community roots
Kenton Varda reports that Sandstorm, as a company, is no more, but community development lives on. LWN covered the Sandstorm personal cloud platform in June 2014. "Many people also know that Sandstorm is a for-profit startup, with a business model centered on charging for enterprise-oriented features, such as LDAP and SAML single-sign-on integration, organizational access control policies, and the like. This product was called “Sandstorm for Work”; it was still open source, but official builds hid the features behind a paywall. Additionally, we planned eventually to release a scalable version of Sandstorm for big enterprise users, based on the same tech that powers Sandstorm Oasis, our managed hosting service. As an open source project, Sandstorm has been successful: We have a thriving community of contributors, many developers building and packaging apps, and thousands of self-hosted servers running in the wild. This will continue. However, our business has not succeeded. To date, almost no one has purchased Sandstorm for Work, despite hundreds of trials and lots of interest expressed. Only a tiny fraction of Sandstorm Oasis users choose to pay for the service – enough to cover costs, but not much more."
Tuesday's security advisories
Debian-LTS has updated tiff (can't write files). Fedora has updated kernel (F25; F24: denial of service), moodle (F25: multiple vulnerabilities), and phpMyAdmin (F25; F24: multiple vulnerabilities). Mageia has updated icoutils (multiple vulnerabilities) and irssi-otr (information leak). openSUSE has updated libgit2 (SPH for SLE12: multiple vulnerabilities) and libressl (42.2, 42.1: local timing attack). Oracle has updated kernel 4.1.12 (OL7; OL6: multiple vulnerabilities) and ntp (OL7; OL6: multiple vulnerabilities). SUSE has updated mysql (SOSC5, SMP2.1, SM2.1, SLE11-SP3,4: multiple vulnerabilities) and kernel (SLERTE12-SP1: multiple vulnerabilities). Ubuntu has updated nettle (information leak), squid3 (two vulnerabilities), firefox (regression in previous update), and webkit2gtk (16.10, 16.04: multiple vulnerabilities).
What to know before jumping into a career as an open source lawyer (opensource.com)
Luis Villa talks about the open-source lawyer career path on opensource.com. "First, going to law school is a gamble. Recent American law school graduates must fight fiercely for one of the few jobs that can cover their massive debt, and roughly 50% fail the California bar. And, the open source gamble is bigger, because the opportunities are even fewer."
The grsecurity "RAP" patch set
The grsecurity developers have announced the first release of the "Reuse Attack Protector" (RAP) patch set, aimed at preventing return-oriented programming and other attacks. "RAP is our patent-pending and best-in-breed defense mechanism against code reuse attacks. It is the result of years of research and development into Control Flow Integrity (CFI) technologies by PaX. The version of RAP present in the test patch released to the public today under the GPLv2 is now feature-complete."
Kodi 17.0
Kodi 17.0 (Krypton) has been released. Kodi is a software media center for playing videos, music, pictures, games, and more. This release features a new skin, an updated video engine, improvements to the music library, numerous improvements to Live TV and PVR functionality, and more.
[$] Type-driven configuration management with Propellor
One often hears the "infrastructure as code" refrain when configuration-management systems are discussed. Normally, though, that phrase doesn't bring to mind an image of infrastructure as Haskell code. In his 2017 linux.conf.au talk, Joey Hess described his Propellor system and the interesting features that a Haskell implementation makes possible, with a special focus on how Haskell's type-checking system can be pressed into service to detect configuration errors.
Security advisories for Monday
Arch Linux has updated gst-plugins-bad (two vulnerabilities), gst-plugins-base-libs (multiple vulnerabilities), gst-plugins-good (multiple vulnerabilities), gst-plugins-ugly (two vulnerabilities), and gstreamer (denial of service). CentOS has updated ntp (C7; C6: multiple vulnerabilities), spice (C7: two vulnerabilities), and spice-server (C6: two vulnerabilities). Debian has updated svgsalamander (server-side request forgery). Debian-LTS has updated libphp-phpmailer (information disclosure). Fedora has updated epiphany (F25: multiple vulnerabilities), iio-sensor-proxy (F25: unspecified), jasper (F24: code execution), thunderbird (F25; F24: multiple vulnerabilities), and wavpack (F24: multiple vulnerabilities). Gentoo has updated rtmpdump (multiple vulnerabilities). Mageia has updated java-1.8.0-openjdk (multiple vulnerabilities), openssl (three vulnerabilities), php (multiple vulnerabilities), phpmyadmin (two vulnerabilities), and thunderbird (multiple vulnerabilities). openSUSE has updated cpio (42.2, 42.1: out-of-bounds write), gnutls (42.2, 42.1: multiple vulnerabilities), GraphicsMagick (42.2; 42.1: multiple vulnerabilities), gstreamer-0_10-plugins-bad (42.2: code execution), libgit2 (42.1: multiple vulnerabilities), and virtualbox (42.2: multiple vulnerabilities). Oracle has updated spice (OL7: two vulnerabilities) and spice-server (OL6: two vulnerabilities). Red Hat has updated ntp (RHEL6,7: multiple vulnerabilities), spice (RHEL7: two vulnerabilities), and spice-server (RHEL6: two vulnerabilities). Scientific Linux has updated ntp (SL6,7: multiple vulnerabilities), spice (SL7: two vulnerabilities), and spice-server (SL6: two vulnerabilities). SUSE has updated spice (SLE12-SP2; SLE12-SP1; SLES12; SLE11-SP4: two vulnerabilities).
RethinkDB source relicensed, donated to the Linux Foundation
The Cloud Native Computing Foundation has announced that it has purchased the rights to the RethinkDB NoSQL database and contributed it to the Linux Foundation. In the process, the code was relicensed from the Affero GPLv3 to the Apache license. "RethinkDB is an open source, NoSQL, distributed document-oriented database that is in production use today by hundreds of technology startups, consulting firms and Fortune 500 companies, including NASA, GM, Jive, Platzi, the U.S. Department of Defense, Distractify and Matters Media. Some of Silicon Valley’s top firms invested $12.2 million over more than eight years in the RethinkDB company to build a state-of-the-art database system, but were unsuccessful in creating a sustainable business, and it shut down in October 2016."
GNU C Library 2.25 released
Version 2.25 of the GNU C Library has been released. This release contains the long-awaited support for the getrandom() system call and a long list of other features; click below for the full announcement.
Kernel prepatch 4.10-rc7
The 4.10-rc7 kernel prepatch has been released for testing. "Hey, look at that - it's all been very quiet, and unless anything bad happens, we're all back to the regular schedule with this being the last rc."
Stable kernels 4.9.8 and 4.4.47
The 4.9.8 and 4.4.47 stable kernel updates are available with another set of important fixes.
Friday's security updates
Arch Linux has updated qt5-webengine (multiple vulnerabilities) and tcpdump (multiple vulnerabilities). CentOS has updated thunderbird (C7; C6; C5: multiple vulnerabilities). Debian-LTS has updated ntfs-3g (privilege escalation) and svgsalamander (server-side request forgery). Fedora has updated openldap (F25: unintended cipher usage from 2015) and wavpack (F25: multiple vulnerabilities). Mageia has updated openafs (information leak) and pdns-recursor (denial of service). openSUSE has updated java-1_8_0-openjdk (42.2, 42.1: multiple vulnerabilities), mupdf (42.2; 42.1: three vulnerabilities), phpMyAdmin (42.2, 42.1: multiple vulnerabilities, one from 2015), and Wireshark (42.2: two denial of service flaws). Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities). Scientific Linux has updated libtiff (SL7&6: multiple vulnerabilities, one from 2015) and thunderbird (multiple vulnerabilities). Ubuntu has updated kernel (16.10; 14.04; 12.04: multiple vulnerabilities), kernel, linux-raspi2, linux-snapdragon (16.04: two vulnerabilities), linux-lts-trusty (12.04: code execution), linux-lts-xenial (14.04: two vulnerabilities), and tomcat (14.04, 12.04: regression in previous update).
Announcing Rust 1.15
The Rust team has released version 1.15 of the Rust programming language, which adds a custom derive feature. "These kinds of libraries are extremely powerful, but rely on custom derive for ergonomics. While these libraries worked on Rust stable previously, they were not as nice to use, so much so that we often heard from users “I only use nightly because of Serde and Diesel.” The use of custom derive is one of the most widely used nightly-only features. As such, RFC 1681 was opened in July of last year to support this use-case. The RFC was merged in August, underwent a lot of development and testing, and now reaches stable today!"
Dz: Seccomp sandboxing not enabled for acme-client
In the acme-client-portable repository at GitHub, developer Kristaps Dz has a rather stinging indictment of trying to use seccomp sandboxing for the portable version of acme-client, which is a client program for getting Let's Encrypt certificates. He has disabled seccomp filtering in the default build for a number of reasons. "So I might use mmap, but the system call is mmap2? Great. This brings us to the second and larger problem. The C library. There are several popular ones on Linux: glibc, musl, uClibc, etc. Each of these is free to implement any standard function (like mmap, above) in any way. So while my code might say read, the C library might also invoke fstat. Great. In general, section 2 calls (system calls) map evenly between system call name and function name. (Except as noted above... and maybe elsewhere...) However, section 3 is all over the place. The strongest differences were between big functions like getaddrinfo(2). Then there's local modifications. And not just between special embedded systems. But Debian and Arch, both using glibc and both on x86_64, have different kernels installed with different features. Great. Less great for me and seccomp." (Thanks to Paul Wise.)
Stable kernels 4.9.7 and 4.4.46 have been released
The 4.9.7 and 4.4.46 kernels have been released by Greg Kroah-Hartman. They contain fixes throughout the tree and users of those kernel series should upgrade.
Thursday's security advisories
Debian has updated ntfs-3g (privilege escalation). Debian-LTS has updated openssl (three vulnerabilities). Fedora has updated jasper (F25: code execution), moodle (F24: multiple vulnerabilities), and percona-xtrabackup (F25; F24: information disclosure). Mageia has updated libxpm (code execution), pdns (multiple vulnerabilities), python-pycrypto (denial of service from 2013), and wireshark (two denial of service flaws). openSUSE has updated bzrtp (42.2, 42.1: man-in-the-middle vulnerability), firefox (42.2, 42.1: multiple vulnerabilities), nginx (42.2, 42.1; SPH for SLE12: denial of service), seamonkey (42.2, 42.1: code execution), and thunderbird (42.2, 42.1; SPH for SLE12: multiple vulnerabilities). Red Hat has updated rabbitmq-server (OSP8.0: denial of service from 2015) and thunderbird (multiple vulnerabilities). Ubuntu has updated gnutls26, gnutls28 (multiple vulnerabilities), irssi (multiple vulnerabilities), iucode-tool (16.10, 16.04: code execution), libxpm (code execution), and ntfs-3g (16.10, 16.04: privilege escalation).