IEEE Spectrum interviewsLinus Torvalds. "The kernel is actually doing very well. Peoplecontinue to worry about things getting too complicated for people tounderstand and fix bugs. It’s certainly an understandable worry. But at thesame time, we have a lot of smart people involved. The fact that the systemhas grown so big and complicated and so many people depend on it has forcedus to have a lot of processes in place. It can be very challenging to getbig and have invasive changes accepted, so I wouldn’t call it one big happyplace, but I think kernel development is working."
Version 2.8.0 of the Git version control system has been released. Itcontains a long list of new features and the removal of thersync:// transport mechanism which, apparently, has been broken forsome time without complaints from users.
Andrew Brinker looksat string types in Rust."Another important thing to note is that because the “owned†sorts of strings abstract away the underlying buffer, they can grow or shrink, possibly allocating a new underlying buffer and copying their contents to this new buffer. The “slice†sorts of strings cannot be resized, as they may not even be on the heap.The “slice†sort strings can only be accessed via what’s called a “fat pointer.†This is because slices are “dynamically-sized types,†meaning they do not carry information about their own length. They are simply some collection of contiguous memory. A “fat pointer†to a slice stores both a pointer to the memory in question and the length of the data stored at that memory location. This is all handled automatically by Rust, but it means that the “slice†sort of strings are interacted with via references, rather than being handled directly."
The Arch Linux developers recently released version 5.0 of the pacmanpackage manager with some useful new features: "The release ofpacman-5.0 brought support for transactional hooks. These will allow us to(e.g.) run font cache updates a single time during an update rather thanafter each font package installation. This will both speed up the updateprocess, but also reduce packaging burden for the Developers and TrustedUsers." Unfortunately, once they start using these hooks, olderversions of pacman will no longer understand the resulting packages. Thatwill happen on April 23, so all Arch users need to have upgraded bythen.
Version 3.0 of the SystemTap kernel tracing system has been released. Significant changes include aninteractive script-building mechanism, a "monitor" mode allowing ongoingdisplay of accumulated statistics, much faster associative arrays, functionoverloading, a lot of tapset improvements, and more.
Linus has released the 4.6-rc1 kernelprepatch and closed the merge window for this development cycle."So I'm closing the merge window a day early, partly because I havesome upcoming travel, but partly because this has actually been one ofthe bigger merge windows in a while, and if somebody was planning ontrying to sneak in any last-minute features, I really don't want tohear about it any more."
Version 1.8 of the GStreamer multimedia framework is nowavailable. New is support for hardware-accelerated zero-copyvideo decoding on Android, a new tracing system that will support moreadvanced debugging tools, initial support for the Vulkan API, and thedebut of the new, simplified GstPlayer playback API (which we looked at in October). There are manyother additions and improvement; see the release notes for full details.
It has been said that an important part of a maintainer's role is tosay "no". Just how this "no" is said can define the style andeffectiveness of a maintainer. Linus Torvalds recently displayed justhow effective his style can be when saying "no" to a pair of fairlyinnocuous patchesto add a new ioctl() command for block devices — patches intheir fifth revision that had already received "Reviewed-by" tags fromChristoph Hellwig.Subscribers can click below to see Neil Brown's look at how this all played out.
The security circus continues to get sillier, it seems. WIRED is reporting on the "Badlock" bug that is being "reported" by SerNet—with the requisite catchy name, logo, and web site—but without any details for three weeks. "But another bug is on the horizon that is setting a new bar for brand-name bug disclosures. It’s called Badlock and it’s already receiving a lot of controversial attention, even though the exact nature of the bug—and most importantly, the patches to fix it—won’t be disclosed for another three weeks.The bug affects unknown versions of the Windows operating system and Samba, free open-source software that integrates Linux or Unix servers and Windows computers across a network." Josh Bressers's blog post also has some thoughts on the "disclosure": "The thing everyone always should remember in a situation like this is there are a lot of really smart people on the planet. If you think of something clever or discover something new, there are huge odds someone else did too. 3 weeks almost guarantees someone else can figure out whatever it is you found. It's especially interesting in this case since we have a name "Badlock" so we know it probably involves locking. We know it affects Samba and Windows. And we know who it was found by so we can look at which bits of Samba they've been working on lately. That's a lot of information for a clever person."
CentOS has updated foomatic (C6:three vulnerabilities, one from 2010), git (C7; C6: twocode execution flaws), kernel (C6: twovulnerabilities), krb5 (C6: twovulnerabilities), and tomcat6 (C6: SecurityManager bypass from 2014).Debian has updated inspircd(denial of service), pidgin-otr (?:), andredmine (multiple unspecified informationdisclosure flaws).Fedora has updated dropbear (F23; F22:information disclosure), kernel (F22; F23:three vulnerabilities), putty (F23; F22: code execution), and qemu (F23: multiple vulnerabilities).openSUSE has updated dropbear(42.1, 13.2: information disclosure), graphite2 (42.1: three vulnerabilities), libssh (13.2: insecure sessions), perl (13.2: two vulnerabilities), pidgin-otr (42.1, 13.2: code execution), quagga (13.2: code execution), samba (42.1: ACL bypass), thunderbird (42.1, 13.2: multiplevulnerabilities), and tomcat (42.1:multiple vulnerabilities).Oracle has updated git (OL7;OL6: two code execution flaws) andkernel 3.8.13 (OL7; OL6: two vulnerabilities).Red Hat has updated python-django (RHOSP7OT for RHEL7; RHOSP7 for RHEL7; RHOSP6 for RHEL7; RHOSP5 forRHEL7; RHOSP5 forRHEL6: two vulnerabilities).SUSE has updated rubygem-actionview-4_2 (OSC6, ES2.1: codeexecution) and xen (SLE12SP1: manyvulnerabilities, some from 2014 and 2013).Ubuntu has updated quagga (twovulnerabilities, one from 2013) and tiff(multiple vulnerabilities).
Citus Data has announcedthat its CitusDBdistributed database has been released, under an open-source license(AGPLv3),as a PostgreSQL extension. "First, Citus 5.0 now fully uses thePostgreSQL extension APIs. In other words, Citus becomes the firstdistributed database in the world that doesn't fork the underlyingdatabase. This means Citus users can immediately benefit from new featuresin PostgreSQL, such as semi-structured data types (json, jsonb), UPSERT, orwhen 9.6 arrives no more full table vacuums. Also, users can keep workingwith their existing Postgres drivers and tools."
GNOME 3.20 has been released. "This release brings significantimprovements to many of our core applications, such as system upgrades and reviews in Software, simplephoto editing in Photos and improved search in Files.Improvements to our platform include shortcut help windows which arenow available in many applications, a refined font and better controlof location services." See the release notesfor details.
KubeCon EU, held in LondonMarch 10th, was the second conference dedicated to the Kubernetes containerorchestration system. The sold-out attendance of 500 showed how popularthe project has become since the release ofversion 1.0 by Google in July 2015. One week after the conference, version 1.2 was released,which included many long-awaited features.Subscribers can click below for part 1 of our coverage—two talks about new 1.2 features—by guest author Josh Berkus.
KDE Plasma 5.6 has been released.This version brings many improvements to the task manager, KRunner,activities, and Wayland support. The look and feel has been enhanced witha slicker Plasma theme and smoother widgets. For those that missed havinga weather widget, that feature has returned. See the changelogfor details.
Ars Technica reportsthat former Intel CEO, chairman, and first employee hired Andy Grove has died."Intel may have been a footnote in history were it not for Grove. The company started its life making DRAM chips. With this business under pressure from dumped Japanese DRAM, Grove changed the company's direction, deciding to build microprocessors instead. After a few early iterations, this work led to the development of the x86 processor line that made Intel a household name and one of the largest companies in the world. Grove was also instrumental in persuading IBM to use Intel's x86 processors for its newly invented Personal Computer."
CentOS has updated openssh (C7; C6: two vulnerabilities).Fedora has updated gnome-photos(F23: code execution) and seamonkey (F23: multiple vulnerabilities).openSUSE has updated shotwell (Leap42.1; 13.2: validate TLS certificates).Oracle has updated openssh (OL7; OL6: two vulnerabilities).Red Hat has updated openssh (RHEL7; RHEL6: two vulnerabilities).Scientific Linux has updated openssh (SL7; SL6: two vulnerabilities).Ubuntu has updated git (codeexecution) and webkitgtk (15.10, 14.04: multiple vulnerabilities).
The Free Software Foundation has announcedthe winners of its 2015 Software Freedom Awards: the Library Freedom Project wonthe award for projects of social benefit, while GnuPG maintainer WernerKoch received the award for the advancement of free software.
InfoWorld takesa look at Redox OS. "Redox uses Rust for its kernel-level code to provide more memory safety considerations than C allows by default. But the project doesn't simply rewrite Linux in a new language. Redox discards as much from Linux's version of the Unix tradition as it keeps.As explained in the project's wiki and design documents, Redox uses a minimal set of syscalls -- a deliberately smaller subset than what Linux supports so as to avoid legacy bloat. The OS also uses a microkernel design to stay slender, in contrast to Linux's monolithic kernel."
At his blog, Alexander Larsson announcesthe release of version 0.5 of the GNOME xdg-app application sandboxingframework. The mailinglist announcement provides a bit more detail on what is new, suchas an API for creating graphical xdg-app front-ends, support forAppData metadata, and a new helper tool for those building appbundles. Larsson notes that his initial goals for the project were"make it possible for 3rd parties to create and distribute applications that work on multiple distributions" and "run applications with as little access as possible to the host. (For example access to the network or the users files.)" With the 0.5 release, he said,he considers the first goal met.
The information is unsurprising, since it has been strongly suspected for years, but its method of disclosure is rather amusing: Edward Snowden was the target when the US government went after the Lavabit email service. In the response to a request that the government unseal more documents in its case against him, Lavabit owner Ladar Levison got more than he bargained for—the target email address, Ed_Snowden@lavabit.com, was not redacted in one place, as WIRED reports. "WIRED spoke with Levison, prior to his learning that the government had made the redaction error, about his struggle to obtain transparency. 'Three years later, I still cannot tell you who they were after. I keep getting asked the question, and I can't answer.'Now, it appears he doesn't have to. The government has answered for him."
CentOS has updated bind (C5; C6; C7: two vulnerabilities), bind97 (C5: two vulnerabilities), kernel (C5: two vulnerabilities, one from2013), and thunderbird (C5; C6; C7:multiple vulnerabilities).Mageia has updated dropbear(information disclosure), nss (codeexecution), putty (code execution), shotwell (multiple vulnerabilities), and thunderbird (multiple vulnerabilities).openSUSE has updated bsh2 (42.1:code execution), cgit (42.1, 13.2: two codeexecution flaws), git (42.1, 13.2: two codeexecution flaws), graphite2 (13.2: multiplevulnerabilities), and rubygem-actionview-4_2 (42.1: code execution).Oracle has updated bind (OL5; OL6; OL7: two vulnerabilities), bind97 (OL5: two vulnerabilities), kernel (OL5: two vulnerabilities, one from2013), and thunderbird (OL6; OL7: multiple vulnerabilities).Red Hat has updated bind (twovulnerabilities), bind97 (RHEL5: twovulnerabilities), and thunderbird (multiplevulnerabilities).Scientific Linux has updated bind(two vulnerabilities) and thunderbird(multiple vulnerabilities).SUSE has updated git (SLE11SP4; SLE12SP1: two code execution flaws).Ubuntu has updated pam(regression in earlier security update).
No Starch Press recently released a book about working withautomotive software systems: The Car Hacker's Handbook: A Guidefor the Penetration Tester, written by Craig Smith. The bookis an expansion of Smith's popular and widely circulated e-book of the sametitle. The old version remains available online at no cost, but thereis considerably more content in the new revision—enough to makeit a tempting purchase not just for automotive-software fans ingeneral, but for those interested in embedded-device security and inreverse engineering other classes of consumer product.
The kernel's control-group mechanism allowsprocesses to be divided into groups for the purposes of tracking and resource control. Both the API andunderlying implementation of this mechanism have been going throughconsiderable change in recent years. As part of that change, the newer control-group API has lost theability to separately manage threads within a process, a loss that is not welcome in somequarters. Current work to replace that functionality is not finding anentirely warm reception either, though.
The CyanogenMod Android distribution has finally moved into the"Marshmallow" era with CM13.0Release 1. "We left the M release builds in the oven longerthan we thought, but nothing a little graham cracker and chocolate can’tmake that much better. CM13.0 brings Android 6.0.1 (r17) goodies such asthe battery saving ‘doze’ functionality and new permissions model,alongside the CM features you’d expect."Other changes include the removal ofWhisperPush, the removal of the "quick unlock" feature,a switch to the standard Android messaging app, a new "Snap" camera app,and more.
Videos from the NetDev 1.1 conference are now availableon YouTube. "It took us a while to edit and to upload these ~100 Gbytes of videos,so thanks for your patience." LWN coveredseveral sessions from this event.
As was discussed at the 2015 Kernel Summit,there are essentially no commercial Android devices running mainlinekernels. At the recently concluded Linaro Connect event, though, JohnStultz demonstrateda Nexus 7 tablet running mainline with just a few patches. Iteven has accelerated graphics via the freedreno driver."This is really great, because we now have a very-close to mainlinetest bed on a actual consumer device. So we can make sure upstream doesn'tintroduce any regressions (just recently, two ABI breaks that affectedandroid were recently caught) and allows us to make sure when we pushAndroid functionality upstream, that any interface changes required bymaintainers can be properly tested to make sure what lands upstream reallyworks."
Linus has released the 4.5 kernel."So this is later on a Sunday than my usual schedule, because I justcouldn't make up my mind whether I should do another rc8 or not, andkept just waffling about it. In the end, I obviously decided not to,but it could have gone either way."Some of the headline features from the development cycle aredm-verity forward errorcorrection,optional mandatory locking,the new copy_file_range() systemcall,the SOCK_DESTROY operation,another set of persistent-memoryimprovements,extended address-space layout randomizationon 32-bit systems,the MADV_FREE option formadvise(),the UBSAN checker tool,some extensions toepoll_wait(),project quotas for the ext4 filesystem,and more.
Michael Catanzaro lamentsthe poor level of security provided by free-software applications,focusing on TLS verification issues in particular."In the case of Shotwell, the issue has been fixed in git, but itmight never be released because nobody works on Shotwell anymore. Iinformed distributors of the Shotwell vulnerability three months ago viathe GNOME distributor list, our official mechanism for communicating withdistributions, and advised them to update to a git snapshot. Mostdistributions ignored it. This is completely typical; to my knowledge, thestable releases of all Linux distributions except Fedora are stillvulnerable."
Ars technica reportsthat TP-Link will block the loading of third-party firmware on itsrouters, citing new US Federal Communications Commission rules."The FCC says it doesn't intend to ban the use of third-partyfirmware such as DD-WRT and OpenWRT; in theory, router makers can stillallow loading of open source firmware as long as they also deploy controlsthat prevent devices from operating outside their allowed frequencies,types of modulation, power levels, and so on. But open source users fearedthat hardware makers would lock third-party firmware out entirely, sincethat would be the easiest way to comply with the FCC requirements."
The Free Software Foundation (FSF) has posted an initialanalysis of the public feedback submitted in response to its callfor suggestions about what software projects deserve to be on the high-priorityprojects list. Several of the existing projects on the list arelikely to be removed, such as a replacement for Google Earth and anautomatic-transcription application. Multiple potential additions tothe list are also described, such as a free-software "Siri"-likepersonal assistant and a free-software implementation of advanced PDFfeatures. Further input is welcome; the page notes that the FSF"will strive to recommend projects that are actionable. Suchprojects document ways for members of the free software community toget involved and make the project succeed, with any kind of concretecontributions, from money donation, to code patches, advocacy, etc."
The White House has announced a draft policy addressing how the U.S. federal government will share and release custom software. "This policy requires that, among other things: (1) new custom code whose development is paid for by the Federal Government be made available for reuse across Federal agencies; and (2) a portion of that new custom code be released to the public as Open Source Software (OSS)."The full policy document is available at sourcecode.cio.gov, where it has been made available for public comment. The relevant passage regarding public source releases begins by outlining a pilot program. "Each covered agency shall release at least 20 percent of its newly-developed custom code each year as OSS. Custom code is defined as code for all custom software projects, modules, and add-ons that are self-contained. [...] Although the minimum requirement for OSS release is 20 percent of custom code, covered agencies are strongly encouraged to publish as much custom-developed code as possible to further the Federal Government’s commitment to transparency, participation, and collaboration."
Last year, guest author Linda Jacobson participated as an intern in theOutreachy program. She shares her experiences along with those of other participants in this project that is targeted at helping to increase diversity in the open-source world.Subscribers can click below for the full article from this week's edition.
Firefox 45.0 has been released. This release features instant browser tabsharing through Hello, Tabs synced via Firefox Accounts from other devicesare now shown in dropdown area of Awesome Bar when searching, Synced Tabsbutton in button bar, introduces a new preference(network.dns.blockDotOnion) to allow blocking .onion at the DNS level, andmore. See the releasenotes for details.
LWN.net