The GNOME Foundation's long search for a new executive director has finally come to an end: Neil McGovern has taken the job. "McGovern is an experienced leader in Free Software projects and is best known for his role as Debian Project Leader from 2014-15. He has been on the Boards of numerous organizations, including Software in the Public Interest, Inc. and the Open Rights Group."
Version 3.1.2 of the Krita painting application has been released. This version features audio support for animations along with other improvements and bug fixes. "Audio is not yet available in the Linux appimages. It is an experimental feature, with no guarantee that it works correctly yet — we need your feedback!"
Last year, three new umbrella organizations for free and open-source software (and hardware) projects emerged in Europe. Their aim is to cater to the needs of the community by providing a legal entity for projects to join, leaving the projects free to focus on technical and community tasks. These organizations (Public Software CIC, The Commons Conservancy, and the Center for the Cultivation of Technology) will take on the overhead of actually running a legal entity themselves.
Arch Linux has updated salt (two vulnerabilities).
CentOS has updated libtiff (C7; C6: multiple vulnerabilities).
Debian has updated libgd2 (multiple vulnerabilities), ruby-archive-tar-minitar (file overwrites), and wordpress (multiple vulnerabilities).
Debian-LTS has updated ikiwiki (three vulnerabilities), libplist (two vulnerabilities), and wordpress (multiple vulnerabilities).
Gentoo has updated pcsc-lite (privilege escalation).
openSUSE has updated openssh (42.2: multiple vulnerabilities).
Oracle has updated libtiff (OL7; OL6: multiple vulnerabilities).
Red Hat has updated libtiff (RHEL6,7: multiple vulnerabilities).
SUSE has updated gnutls (SLE12-SP1,2: multiple vulnerabilities) and java-1_8_0-openjdk (SLE12-SP1,2: multiple vulnerabilities).
Ubuntu has updated openssl (multiple vulnerabilities).
The LEDE project, working on a fork of the OpenWrt router distribution, has announced its first release candidate. "With this release, the LEDE development team closes out an intense effort to modernize many parts of OpenWrt and incorporate many new modules, packages, and technologies." Click below for a terse list of changes; they include the significant WiFi performance improvements described in this article.
Version 5.3 of the LibreOffice office suite is out. "LibreOffice 5.3 represents a significant step forward in the evolution of the software: it offers an introduction to new features such as online with collaborative editing, which increase the competitive positioning of the application, and at the same time provides incremental improvements, to make the program more reliable, interoperable and user friendly."
Google has announced that Google Earth Enterprise (GEE) will be published on GitHub under the Apache2 license in March. GEE is an enterprise product that allows developers to build and host their own private maps and 3D globes. This release includes GEE Fusion, GEE Server, and GEE Portable Server source code. "Feedback is important to us and we’ve heard from our customers that GEE remains in-use in mission-critical applications. Many customers have not transitioned to other technologies. Open-sourcing GEE allows our customer community to continue to improve and evolve the project in perpetuity. Note that the Google Earth Enterprise Client, Google Maps JavaScript® API V3 and Google Earth API will not be open sourced. The Enterprise Client will continue to be made available and updated. However, since GEE Fusion and GEE Server are being open-sourced, the imagery and terrain quadtree implementations used in these products will allow third-party developers to build viewers that can consume GEE Server Databases." (Thanks to Paul Wise)
The Python Software Foundation has announced that python.org and related sites will begin disabling the old TLS versions 1.0 and 1.1. "This change was imposed on us by our content delivery network, Fastly, in response to a change imposed on them by the Payment Card Industry Security Standards Council. In order to continue serving websites that take credit card payments, Fastly is required to disable the old, insecure versions of TLS. Since the PSF's servers, including PyPI, use Fastly, the old versions of TLS will be disabled as well."
Debian has updated chromium-browser (multiple vulnerabilities).
Debian-LTS has updated libarchive (denial of service), ruby-archive-tar-minitar (file overwrites), and tcpdump (multiple vulnerabilities).
Fedora has updated flatpak (F24: sandbox escape), irssi (F25; F24: multiple vulnerabilities), kernel (F25; F24: multiple vulnerabilities), and python-crypto (F25; F24: denial of service).
Gentoo has updated ansible (code execution) and harfbuzz (multiple vulnerabilities).
openSUSE has updated lcms2 (42.1: heap memory leak) and virtualbox (42.1: multiple vulnerabilities).
Red Hat has updated kernel (RHEL7.2: two vulnerabilities), kernel (RHEL6.6; RHEL6.2: code execution), and nagios (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL6; RHELOSP5 for RHEL7: multiple vulnerabilities).
SUSE has updated kernel (SLE11-SP2: multiple vulnerabilities).
The KDE project has announced the release of the Plasma 5.9 desktop environment with a number of new features. "Global Menus have returned. KDE's pioneering feature to separate the menu bar from the application window allows for new user interface paradigm with either a Plasma Widget showing the menu or neatly tucked away in the window bar."
David Egts reviews the Orange Pi at Opensource.com. "Compared to a $5 Raspberry Pi Zero, the Orange Pi Zero is only a few dollars more expensive, but it is much more useful out of the box because it has onboard Internet connectivity and four CPU cores instead of one. This onboard networking capability also makes the Orange Pi Zero a better gift than a Raspberry Pi Zero because the Raspberry Pi Zero needs Micro-USB-to-USB adapters and a Wi-Fi USB adapter to connect to the Internet. When giving IoT devices as gifts, you want the recipient to enjoy the product as quickly and easily as possible, instead of giving something incomplete that will just end up on a shelf."
The 4.10-rc6 kernel prepatch is out for testing. Linus is worried that the patch activity has increased this time around. "It's still not all that big by historical standards, since 4.10 has generally been pretty calm, but it's a bit distressing. I was hoping to do the usual 'rc7 is the last rc' release schedule for once (with both 4.8 and 4.9 pushing out to rc8), and I really want things to calm down for that to happen." The codename has changed again; now it's "Fearless Coyote".
Kernel.org has announced that it will be shutting down FTP access to its archives in two stages: March 1 will see the end of ftp.kernel.org, while December 1 is the termination date for mirrors.kernel.org. "Let's face it -- while kinda neat and convenient, offering a public NFS/CIFS server was a Pretty Bad Idea, not only because both these protocols are pretty terrible over high latency connections, but also because of important security implications. Well, 19 years later we're thinking it's time to terminate another service that has important protocol and security implications -- our FTP servers. Our decision is driven by the following considerations:"
CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities), mysql (C6: three vulnerabilities), squid (C7: information leak), and squid34 (C6: information leak).
Debian has updated libxpm (code execution).
Debian-LTS has updated asterisk (denial of service from 2014), firefox-esr (multiple vulnerabilities), lcms2 (denial of service), and libxpm (code execution).
Mageia has updated firefox (multiple vulnerabilities), gstreamer (code execution), and php-phpmailer (two vulnerabilities).
openSUSE has updated apache2 (42.2: denial of service) and gstreamer-0_10-plugins-good (42.1: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and puppet-swift (OSP10.0: information disclosure).
Slackware has updated mozilla-thunderbird (multiple vulnerabilities).
Renderosity Magazine talks with Boudewijn Rempt about the Krita painting application. "Well, we make Krita for artists who want to create images. It's not an image editor with a brush engine, it's really meant for sketching, painting, illustrating. So that is what we optimize the workflow for. And people tell us that that works very well for them!"
KDE has announced a partnership with Slimbook, a Spanish laptop retailer, to create the KDE Slimbook. "The KDE Slimbook allows KDE to offer our users a laptop which has been tested directly by KDE developers, on the exact same hardware and software configuration that the users get, and where any potential hardware-related issues have already been ironed out before a new version of our software is shipped to them. This gives our users the best possible way to experience our software, as well as increasing our reach: The easier it is to get our software into users' hands, the more it will be used." The laptop is available for pre-order with systems shipping mid-March.
Here's an O'Reilly article describing the Jupyter project and what it has accomplished. "Project Jupyter aims to create an ecosystem of open source tools for interactive computation and data analysis, where the direct participation of humans in the computational loop—executing code to understand a problem and iteratively refine their approach—is the primary consideration."
Greg Kroah-Hartman has announced the release of the 4.9.6 and 4.4.45 stable kernels. They contain fixes throughout the tree, as normal, and users of those kernel series should upgrade.
Arch Linux has updated ed (denial of service).
Debian has updated firefox-esr (multiple vulnerabilities).
Debian-LTS has updated ming (multiple vulnerabilities) and pdns (multiple vulnerabilities).
Fedora has updated ansible (F25; F24: two vulnerabilities), firefox (F24: multiple vulnerabilities), and qemu (F24: multiple vulnerabilities).
openSUSE has updated gstreamer-0_10-plugins-bad (42.1: code execution), systemd (42.2: privilege escalation), and tigervnc (42.2, 42.1: code execution).
Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).
Red Hat has updated ansible (RHOSP10.0: code execution) and kernel (RHEL6.4: code execution).
Ubuntu has updated openjdk-8 (16.10, 16.04: multiple vulnerabilities).
The election to pick two members of the openSUSE board has been suspended due to "technical problems". The problems do indeed appear to be technical in nature, with at least some voters being presented strange and confusing ballots. The election was restarted on the 21st in an unsuccessful attempt to fix the problems; now it is on indefinite hold. The current board will continue to serve, possibly deferring any major decisions, until the issue is resolved.
Version 2.0 of the Wine Windows emulation system has been released. "This release represents over a year of development effort and around 6,600 individual changes. The main highlights are the support for Microsoft Office 2013, and the 64-bit support on macOS."
Mozilla has released Firefox 51.0. This version adds support for FLAC playback and WebGL2, along with many improvements and security fixes. See the release notes for details.
Package managers are at the core of Linux distributions, but they are currently engulfed in a wave of changes and it's not clear how things will end up. Kristoffer Grönlund started his 2017 linux.conf.au talk on the subject by putting up a slide saying that "everything is terrible awesome". There are a number of frustrations that result from the current state of package management, but that frustration may well lead to better things in the future.
Debian-LTS has updated hesiod (two vulnerabilities) and tiff (multiple vulnerabilities).
Fedora has updated gd (F25; F24: two denial of service flaws) and kernel (F25; F24: privilege escalation).
Gentoo has updated adodb (two vulnerabilities), firejail (three vulnerabilities), icu (three vulnerabilities), libraw (two vulnerabilities from 2015), libwebp (integer overflows), and t1lib (multiple vulnerabilities from 2011).
openSUSE has updated python3-sleekxmpp (42.2: two vulnerabilities) and virtualbox (42.2: multiple unspecified vulnerabilities).
Red Hat has updated mysql (RHEL6: three vulnerabilities), squid (RHEL7: information leak), and squid34 (RHEL6: information leak).
Scientific Linux has updated java-1.8.0-openjdk (SL6,7: multiple vulnerabilities), mysql (SL6: three vulnerabilities), squid (SL7: information leak), and squid34 (SL6: information leak).
Slackware has updated firefox (multiple vulnerabilities).
Ubuntu has updated pcsc-lite (privilege escalation) and tomcat6, tomcat7, tomcat8 (multiple vulnerabilities).
Sebastian Krahmer has reported that systemd v228 is vulnerable to a trivial local root exploit that was silently fixed a year ago. It is believed that it mostly affects v228, but he recommends that distributions check to ensure they have the fix. No CVE was requested by the project, so the SUSE security team requested one and it was assigned CVE-2016-10156. "The analysis says that is a 'possible DoS', but it's a local root exploit indeed. Mode 07777 also contains the suid bit, so files created by touch() are world writable suids, root owned. Such as /var/lib/systemd/timers/stamp-fstrim.timer that's found on a non-nosuid mount."
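As an added example (not code from the report or from systemd), a defender-side audit for the condition the report describes: regular files that carry the setuid or setgid bit and are also world-writable, which is exactly what a mode-07777 file is. The default root to scan and the path names used are assumptions chosen here.

```python
"""Audit a directory tree for files that are setuid/setgid *and* world-writable,
the state the CVE-2016-10156 report describes for files created with mode
07777 (for example /var/lib/systemd/timers/stamp-fstrim.timer).
Added example; not code from the report or from systemd."""
import os
import stat
from typing import Iterator, List, NamedTuple


class Finding(NamedTuple):
    path: str
    mode: int          # permission bits, including suid/sgid/sticky
    uid: int
    root_owned: bool   # a root-owned, world-writable suid file is the worst case


def is_dangerous(st: os.stat_result) -> bool:
    """True for a regular file that is suid or sgid and writable by everyone."""
    mode = st.st_mode
    if not stat.S_ISREG(mode):
        return False
    privileged = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    world_writable = bool(mode & stat.S_IWOTH)
    return privileged and world_writable


def audit_tree(root: str) -> Iterator[Finding]:
    """Yield a Finding for every dangerous file under root.

    lstat() is used and symlinks are not followed, so a link pointing at a
    legitimate suid binary elsewhere is never reported as a hit here."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue        # vanished or unreadable: skip, do not abort the audit
            if is_dangerous(st):
                yield Finding(path, stat.S_IMODE(st.st_mode), st.st_uid,
                              st.st_uid == 0)


def format_finding(f: Finding) -> str:
    """Render one finding the way an admin reads it: octal mode and owner."""
    owner = "root" if f.root_owned else f"uid {f.uid}"
    return f"{f.path}: mode {f.mode:05o}, owned by {owner}"


def audit_paths(roots: List[str]) -> List[Finding]:
    """Audit several roots (e.g. /var/lib/systemd, /usr, /etc) in one pass."""
    findings: List[Finding] = []
    for root in roots:
        findings.extend(audit_tree(root))
    return findings


if __name__ == "__main__":
    import sys
    # Assumed default: the directory the report names; pass others as arguments.
    for finding in audit_paths(sys.argv[1:] or ["/var/lib/systemd"]):
        print(format_finding(finding))
```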
Lineage OS, the successor to CyanogenMod, is gearing up to make weekly builds available for a number of Marshmallow and Nougat capable devices. "Additionally, our Download Portal, Install stats page (yep, that’s 50k+ unofficial installs already!) and Wiki are all live. Notably, all three of these sites (and this blog) are open sourced - you can contribute to them via our Gerrit instance! Bear with us if these sites look bare at the moment, they will grow with content and design as we continue marching forward."
Version 5.8 of the Qt graphics toolkit is out. "Qt 5.8 is a rather large release, containing quite a large set of new functionality." That functionality includes a new configuration system that makes it easy to build cut-down versions of Qt, full support for the Wayland compositor, experimental text-to-speech support, and more.
The free software community tends to focus its spotlight on developers and users while paying rather less attention to the maintainers that keep our projects going. Nadia Eghbal spent a year and a half studying how the community works, and has concluded that we have a problem with maintainership; her 2017 linux.conf.au keynote was dedicated to explaining the problem and how we might want to deal with it. But first, she talked about lobsters.
The linux.conf.au 2017 organizers have put up videos of the talks in near-record time. There's a lot of good stuff there, some of which will be written up for LWN in the near future.
Linus has released the 4.10-rc5 kernel prepatch for testing, noting that "everything looks nominal". He also changed the codename from the short-lived "Roaring Lionus" to "Anniversary Edition".
Matthias Clasen looks at how to debug an application built into a Flatpak. Since the runtime environment for a Flatpak application is quite different from normal, even running GDB requires taking some different steps. "Now for the last trick: I was complaining about stacktraces without symbols at the beginning. In rpm-based distributions, the debug symbols are split off into debuginfo packages. Flatpak does something similar and splits all the debug information of runtimes and apps into separate 'runtime extensions', which by convention have .Debug appended to their name. So the debug info for org.gnome.Recipes is in the org.gnome.Recipes.Debug extension. When you use the --devel option, flatpak automatically includes the Debug extensions for the application and runtime, if they are available. So, for the most useful stacktraces, make sure that you have the Debug extensions for the apps and runtimes in question installed."
Arch Linux has updated php (three vulnerabilities), powerdns (multiple vulnerabilities), and powerdns-recursor (three vulnerabilities).
Debian has updated mysql-5.5 (multiple unspecified vulnerabilities).
Debian-LTS has updated libphp-swiftmailer (code execution).
Gentoo has updated curl (multiple vulnerabilities, two from 2014), cvs (code execution from 2012), icedtea-bin (multiple vulnerabilities), irssi (multiple vulnerabilities), and nss (multiple vulnerabilities, three from 2015).
openSUSE has updated pdns-recursor (42.2, 42.1: denial of service) and squid (42.1: two vulnerabilities, one from 2014).
Red Hat has updated java-1.8.0-openjdk (RHEL7&6: multiple vulnerabilities), openstack-cinder (OSP6.0 for RHEL7; OSP5.0 for RHEL7; OSP5.0 for RHEL6: denial of service from 2015), and python-XStatic-jquery-ui (OSP7.0 for RHEL7: cross-site scripting).
SUSE has updated gstreamer-0_10-plugins-good (SLE12SP2: multiple vulnerabilities).
Daniel Vetter has posted the text of his linux.conf.au talk on kernel maintenance. "At least for me, review isn’t just about ensuring good code quality, but also about diffusing knowledge and improving understanding. At first there’s maybe one person, the author (and that’s not a given), understanding the code. After good review there should be at least two people who fully understand it, including corner cases. And that’s also why I think that group maintainership is the only way to run any project with more than one regular contributor."
On his blog, Alexander Larsson begins a description of flatpak security. "Long story short, flatpak uses bubblewrap to create a filesystem namespace for the sandbox. This starts out with a tmpfs as the root filesystem, and in this we bind-mount read-only copies of the runtime on /usr and the application data on /app. Then we mount various system things like a minimal /dev, our own instance of /proc and symlinks into /usr from /lib and /bin. We also enable all the available namespaces so that the sandbox cannot see other processes/users or access the network. On top of this we use seccomp to filter out syscalls that are risky. For instance ptrace, perf, and recursive use of namespaces, as well as weird network families like DECnet. In order for the application to be able to write data anywhere we bind mount $HOME/.var/app/$APPID/ into the sandbox, but this is the only persistent writable location."
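As an added example (not code from flatpak or bubblewrap), a checker that reads the kernel's own view of a process in /proc to confirm the properties the post lists: a seccomp filter loaded, and mount, PID, network, IPC, UTS and user namespaces that differ from the host's. The NoNewPrivs check and the sample /proc contents are assumptions added here, not something the post states.

```python
"""Check from /proc that a process shows the sandbox properties the post
describes for flatpak/bubblewrap: its own namespaces, separate from the host's,
and a seccomp filter in place.  Added example, not flatpak or bubblewrap code."""
import os
from typing import Dict, List

# Namespaces a sandbox unshares; cgroup is absent on older kernels, so six are required.
NAMESPACES = ("mnt", "pid", "net", "ipc", "uts", "user", "cgroup")
REQUIRED_NS = NAMESPACES[:6]


def parse_status(text: str) -> Dict[str, str]:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def read_namespaces(pid) -> Dict[str, str]:
    """Return {kind: 'kind:[inode]'} from the /proc/<pid>/ns symlinks; two
    processes share a namespace exactly when these strings are equal."""
    found: Dict[str, str] = {}
    for kind in NAMESPACES:
        try:
            found[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            pass  # kernel lacks that namespace type, or we lack permission
    return found


def sandbox_findings(status: Dict[str, str], proc_ns: Dict[str, str],
                     host_ns: Dict[str, str]) -> List[str]:
    """One line per property that does NOT look sandboxed; empty list = OK."""
    problems: List[str] = []
    # Seccomp: 0 = disabled, 1 = strict, 2 = filter (what bubblewrap installs)
    if status.get("Seccomp") != "2":
        problems.append(f"seccomp mode is {status.get('Seccomp', '?')}, expected 2 (filter)")
    # NoNewPrivs (in status since Linux 4.10): without it a setuid binary inside
    # the sandbox could regain privileges in spite of the filter.
    if status.get("NoNewPrivs") != "1":
        problems.append("NoNewPrivs is not set")
    for kind in REQUIRED_NS:
        if kind not in proc_ns:
            problems.append(f"{kind} namespace could not be read")
        elif proc_ns[kind] == host_ns.get(kind):
            problems.append(f"{kind} namespace is shared with the host")
    return problems


def check_pid(pid: int, host_pid="self") -> List[str]:
    """Live check of a running process against this (host-side) process."""
    with open(f"/proc/{pid}/status") as fh:
        status = parse_status(fh.read())
    return sandbox_findings(status, read_namespaces(pid), read_namespaces(host_pid))


# Constructed samples: a sandboxed app and an unsandboxed shell on one host.
SANDBOXED_STATUS = "Name:\tgnome-recipes\nSeccomp:\t2\nNoNewPrivs:\t1\n"
HOST_STATUS = "Name:\tbash\nSeccomp:\t0\nNoNewPrivs:\t0\n"
HOST_NS = {k: f"{k}:[4026531836]" for k in NAMESPACES}
SANDBOX_NS = {k: f"{k}:[4026532400]" for k in NAMESPACES}
```

Running `check_pid` against a live flatpak app compares it with the checking process itself, so run the checker from the host, not from inside another sandbox.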