The Electronic Frontier Foundation has a reviewof patent lawsuits in 2016. "We saw mixed results in the courtsthis year. The Supreme Court issued a gooddecision cutting back on out of control damages in design patentcases. Meanwhile, the Federal Circuit issued a very disappointingdecision that allows patent owners to undermine ownership by assertingpatent rights even after selling a patented good. Fortunately, the SupremeCourt has agreed to review that ruling. We will file an amicus briefsupporting the fundamental principle that once you buy something, you ownit."
Darktable 2.2.0 has beenreleased. This version includes the new automatic perspectivecorrection module, a liquify tool for all your fancy pixel moving, a newimage module to use a Color Look Up Table (CLUT) to change colors in theimage, and much more.
Jim Hall has announced therelease of FreeDOS 1.2. "The FreeDOS 1.2 release is an updated,more modern FreeDOS. You'll see that we changed many of the packages. Somepackages were replaced, deprecated by newer and better packages. We alsoadded other packages. And we expanded what we should include in the FreeDOSdistribution. Where FreeDOS 1.0 and 1.1 where fairly spartan distributionswith only "core" packages and software sets, the FreeDOS 1.2 distributionincludes a rich set of additional packages. We even include games."There is also a new installer.
Linus has released the 4.10-rc1 kernelprepatch and closed the merge window for this release. "Everythinglooks pretty normal, although we had an unusual amount of tree-wide finalcleanups in the last days of the merge window. But the general statisticslook fairly common: a bit over half is drivers, maybe slightly less archupdates than normal, and a fair amount of documentation updates due to thesphinx conversion."
As expected, Cyanogen Inc has announcedthe shutdown of the CyanogenMod servers as of the end of the year. A groupof community developers has declared afork, though few details are available at this point. "Embracingthat spirit, we the community of developers, designers, device maintainersand translators have taken the steps necessary to produce a fork of the CMsource code and pending patches. This is more than just a ‘rebrand’. Thisfork will return to the grassroots community effort that used to define CMwhile maintaining the professional quality and reliability you have come toexpect more recently."
Over at opensource.com, MáirÃn Duffy has a lengthy overview of the open-source creative tools available. She covers the core applications (GIMP, Inkscape, Scribus, MyPaint, Blender, and Krita) for design, as well as tools for video, photography, 2D animation, audio, music, and more. "These six applications are the juggernauts of open source design tools. They are well-established, mature projects with full feature sets, stable releases, and active development communities. All six applications are cross-platform; each is available on Linux, OS X, and Windows, although in some cases the Linux versions are the most quickly updated. These applications are so widely known, I've also included highlights of the latest features available that you may have missed if you don't closely follow their development.If you'd like to follow new developments more closely, and perhaps even help out by testing the latest development versions of the first four of these applications—GIMP, Inkscape, Scribus, and MyPaint—you can install them easily on Linux using Flatpak."
It's not entirely clear that the title is justified, but Wired does cover some progress on the encryption front in 2016. "End-to-end encryption, which ensures that the only people who can see your communications are you and the person on the receiving end, certainly isn’t new. But in 2016, encryption went mainstream, reaching billions of people all over the world. Even more significantly, it overcame its most aggressive legal challenge yet, in a prolonged standoff between Apple and the FBI. And just this week, a Congressional committee affirmed the importance of encryption, giving hope that future laws around the topic will include at least a modicum of sanity.There’s still a long way to go, and any gains that were made could potentially be rolled back, but for now it’s worth taking a step back to appreciate just how far encryption came this year. As far as silver linings go, you could do a lot worse."
The Python 3.6.0 release is out. Enhancements in this release includeformatted string literals ("f-strings"), variable type annotations,asynchronous generators and comprehensions, and more; see the "what's new"document for details.
Arch Linux has updated openssh(multiple vulnerabilities) and samba (three vulnerabilities).Debian-LTS has updated nss(timing side-channel).Fedora has updated botan (F25; F24:integer overflow), gdk-pixbuf2 (F25:unspecified), kernel (F25; F24: denial of service), samba (F25: two vulnerabilities), and xen (F24: multiple vulnerabilities).Mageia has updated libgd (twovulnerabilities), php (twovulnerabilities), and squid (two vulnerabilities).SUSE has updated dnsmasq (OSCC5:denial of service from 2015), ImageMagick (SLE12: multiple vulnerabilities, one from 2014), kernel (SLE11SP2; SLE11SP3: two vulnerabilities), and libgme (SLE12: multiple vulnerabilities).
On his blog, Alexander Larsson reflects on the Flatpak 0.8 release and his plans for the application packaging and distribution format going forward."My goal is to get the 0.8 series into the Debian 9 release, and as many other distributions as possible, so that people who create flatpaks can consider the features it supports as a reliable baseline.Sandboxing has always been one of the pillars of Flatpak, but even more important to me is cross-distro application distribution, even if not sandboxed. This is important because it gives upstream developers a way to directly interact with their users, without having an intermediate distributor. With 0.8 I think we have reached a level where the support for this is solid. So, if you ever thought about experimenting with Flatpak, now is the time!
Over at opensource.com, Joshua Allen Holm writes about two projects (Privacy Friendly Apps and Simple Mobile Tools) that are producing Android apps that are open source, privacy respecting, and only request the privileges they need. "Below, I take a look at two projects producing a wide variety of Android apps designed to only request the permissions they require to function. These apps cover a wide range of functions with each app being focused on doing only one task and doing that task well. Users looking for well designed, functional apps with no extra features and no anti-features (i.e., advertisements) should consider checking these apps out. Developers, especially those just getting started with developing for Android, should take a look at the source code for these apps to learn about developing apps with a focus on using minimal permissions and respecting users' privacy."
CentOS has updated gstreamer-plugins-bad-free (C6: two codeexecution flaws), gstreamer-plugins-good(C6: multiple vulnerabilities), thunderbird (C7; C6: multiple vulnerabilities), and vim (C7; C6: code execution).Debian-LTS has updated imagemagick (multiple vulnerabilities) and libgd2 (code execution).Fedora has updated dovecot (F24:denial of service), msgpuck (F25; F24: two denial of service flaws), andtarantool (F25; F24: two denial of service flaws).openSUSE has updated gd (13.2:code execution), GraphicsMagick (twovulnerabilities), ImageMagick (13.2: multiple vulnerabilities),mcabber (42.2: information disclosure from2015), php5 (13.2: three vulnerabilities),qemu (42.2: multiple vulnerabilities), and shellinabox (HTTP fallback from 2015).Oracle has updated gstreamer-plugins-bad-free (OL6: two codeexecution flaws), gstreamer-plugins-good(OL6: multiple vulnerabilities), kernel 2.6.39 (OL6; OL5: two vulnerabilities), kernel3.8.13 (OL7; OL6: two vulnerabilities), kernel 4.1.12OL7; OL6:code execution), and thunderbird (OL7; OL6: multiple vulnerabilities).Red Hat has updated openstack-cinder/glance/nova (RHOSP8.0: denialof service from 2015).SUSE has updated firefox (SLE12; SLE11SP4&3; SLE11SP2: multiple vulnerabilities), kernel (SLE12: two vulnerabilities), andxen (SLE12; SLE12SP2; SLE12SP1; SLE11SP4: three vulnerabilities).
A summary of talks between the estranged OpenWrt and LEDE routerdistribution projects has been posted. It seems that progress is beingmade. "It is still not decided that both project will finally merge and wehaven't decided on the name to use, which parts of the infrastructureand many other things. In general we are agreeing on many parts and I amlooking forward to a good merged ending for all of us."
The AF_PACKET local privilege escalation (also known as CVE-2016-8655)has been fixed by most distributions atthis point; stable kernels addressing the problem were released on December 10. But, as adiscussion on the fedora-devel mailing list shows, systemd now providesoptions that could help mitigate CVE-2016-8655 and, more importantly, othervulnerabilities that remain undiscovered or have yet to be introduced. Thegenesis for the discussion was a blogpost from Lennart Poettering about the RestrictAddressFamiliesdirective, but recent systemd versions have other sandboxing features thatcould be used to head off the next vulnerability.
CentOS has updated kernel (C5:use after free), thunderbird (C5: multiplevulnerabilities), and xen (C5: privilege escalation).Debian has updated flightgear(file overwrites), php-ssh2 (problem withprevious php update), and python-bottle (CRLF attacks).Debian-LTS has updated dcmtk (buffer overflows/underflows).Fedora has updated mapserver (F25; F24: information leak).openSUSE has updated ceph (42.2:denial of service) and zlib (13.2: multiple vulnerabilities).Oracle has updated kernel (OL5:use after free), vim (OL7; OL6: code execution), and xen (OL5: privilege escalation).Red Hat has updated gstreamer-plugins-bad-free (RHEL6: codeexecution), gstreamer-plugins-good (RHEL6:multiple vulnerabilities), thunderbird(RHEL5,6,7: multiple vulnerabilities), and vim (RHEL6,7: code execution).Scientific Linux has updated gstreamer-plugins-bad-free (SL6: codeexecution), gstreamer-plugins-good (SL6:multiple vulnerabilities), thunderbird(SL5,6,7: multiple vulnerabilities), and vim (SL6,7: code execution).SUSE has updated kernel(SLE11-SP4: two vulnerabilities).Ubuntu has updated kernel (16.10; 16.04;14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities),linux-lts-xenial (14.04: multiplevulnerabilities), linux-raspi2 (16.10; 16.04:multiple vulnerabilities), linux-snapdragon(16.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: information leak).
A freenode volunteer identified a suspected compromise of their e-mailaccounts, which could have provided an unauthorized user with limited accessto some data sent through internal e-mail systems. "Naturally, weinstigated audit procedures immediately so as to ensure the security of theproduction network and accompanying infrastructure. The investigation isongoing, but at this time we have no reason to believe that any otherunauthorised access was gained. Nevertheless, in the interests oftransparency and security for our users, we wish to notify anyone who mayhave been affected." It is recommended that you change yourFreenode password as a precaution. (Thanks to Paul Wise)
Debian has updated tor (denial of service).Debian-LTS has updated tor (denial of service).Fedora has updated freeipa (F25:two vulnerabilities), game-music-emu (F25:multiple vulnerabilities), openjpeg2 (F25:two vulnerabilities), and xen (F25: multiple vulnerabilities).Red Hat has updated kernel(RHEL5: use after free) and xen (RHEL5: privilege escalation).Scientific Linux has updated kernel (SL5: use after free) and xen (SL5: privilege escalation).SUSE has updated dnsmasq(SLE11-SP4: denial of service).Ubuntu has updated samba (three vulnerabilities).
Here's anexercise in nostalgia: opensource.com looks at a bunch of olddistributions. "Debian is now famous for its package management system, but there are mere hints of that in this early release. The dpkg command exists, but it's an interactive menu-based system—a sort of clunky aptitude, with several layers of menu selections and, unsurprisingly, a fraction of available packages.Even so, you can sense the convenience factor in the design concept. You download three floppy images and end up with a bootable system, and then use a simple text menu to install more goodies."
Google has announcedthe release of a set of security tests that check cryptographic softwarelibraries for known weaknesses, called Project Wycheproof."Our first set of tests are written in Java, because Java has a common cryptographic interface. This allowed us to test multiple providers with a single test suite. While this interface is somewhat low level, and should not be used directly, we still apply a "defense in depth" argument and expect that the implementations are as robust as possible. For example, we consider weak default values to be a significant security flaw. We are converting as many tests into sets of test vectors to simplify porting the tests to other languages."
The Tor blog looks at somefeatures in Tor 0.2.9.8, the first stable version of the 0.2.9.xseries. The post covers Single Onion Services, Shared Randomness, and amandatory ntor handshake. The changeloghas more details.
OpenSSH 7.4 is out. It is primary a bugfix release, and four CVE numbers have been assigned for theissues it fixes. This release also removes server-side support for theancient v1 SSH protocol, adds a new proxy multiplexing mode, makes itpossible to disable all forwarding forevermore, and more.
The GoboLinux project has announced the release of GoboLinux 016. The distribution takes a different approach to filesystem organization so that multiple versions of programs can all be installed at the same time. GoboLinux 016 has a new feature called Runner to manage that: "Runner is a brand new filesystem virtualization tool, specifically designed for GoboLinux. It dynamically changes a process' view of /System/Index based on the program's Dependencies file.From day one, GoboLinux has always supported keeping multiple versions of a program installed on disk at the same time, but when two versions had conflicts, you had to choose which one would be activated in the system as the default.With Runner, you don't need to worry about which version of a given dependency is currently linked (or activated) in /System/Index: Runner gives the process its own virtual /System/Index with all the right dependencies." Other features include the GoboNet wireless network manager and a desktop based on the awesome window manager.
Ars Technica has areview of the Fedora 25 release."What's perhaps most remarkable for a change that's so low-level, andin fact one that's taking a lot of X functionality and moving lower downinto the stack, is how unlikely you are to notice it. During testing so far(encompassing about two weeks of use as I write this), the transition toWayland has been totally transparent. Even better, GNOME 3.22 feelsconsiderably smoother with Wayland."
Arch Linux has updated flashplugin (multiple vulnerabilities) and lib32-flashplugin (multiple vulnerabilities).Debian has updated libupnp (two vulnerabilities).Debian-LTS has updated firefox-esr (multiple vulnerabilities) and icu (two vulnerabilities, one from 2014).Fedora has updated chromium (F25; F24: multiple vulnerabilities),firefox (F25; F24: denial of service), gstreamer-plugins-bad-free (F24: codeexecution), gstreamer-plugins-good (F24:multiple vulnerabilities), and libgsf (F24: denial of service).Mageia has updated chromium-browser-stable (multiple vulnerabilities) and firefox (multiple vulnerabilities).
Donncha O'Cearbhaill hasdiscovered that Ubuntu's "apport" tool, which handles application crashdata, passes arbitrary data to the Python eval() function.There are a couple of other vulnerabilities as well, making it possible tofully compromise a system. The bugs (now known as CVE-2016-9949,CVE-2016-9950, and CVE-2016-9951) have been fixed; applying the updates ishighly recommended for Ubuntu users. "The computer security industryhas a serious conflict of interest right now. There is major financialmotivation for researchers to find and disclose vulnerability to exploitbrokers. Many of the brokers are in the business of keeping problemsunfixed. Code execution bugs are valuable. As a data point, I received anoffer of more than 10,000 USD from an exploit vendor for these Apportbugs."
Over at the Red Hat Security Blog, Ilya Etingof writes about code reviews, in general, along with some specific thoughts on Pythonic versus non-Pythonic idioms in code. "People coming from Java tend to turn everything into a class. That's probably because Java heavily enforces the OOP paradigm. Python programmers enjoy a freedom of picking a programming model that is best suited for the task.The choice of object-based implementations look reasonable to me when there is a clear abstraction for the task being solved. Statefulness and duck-typed objects are another strong reason for going the OOP way.If the author's priority is to keep related functions together, pushing them to a class is an option to consider. Such classes may never need instantiation, though.Free-standing functions are easy to grasp, concise and light. When a function does not cause side-effects, it's also good for functional programming."
The Domain Name System (DNS) is an amazing technological achievement,but it suffers from a historical excess of trust, which makes itpossible for people who rely on it to be lied to. The DNS Security Extensions (formally DNSSEC-bis, more usually justDNSSEC) are a mechanism for including robust trust information withinthe DNS. Here we discuss briefly what DNSSEC does, how it does it,and how (and whether) you can use it to secure your domains.
Version 3.1 of theKrita image editor is available. "Krita 3.1 is the result ofhalf a year of intense work and contains many new features, performanceimprovements and bug fixes. It’s now possible to use render animations(using ffmpeg) to gif or various video formats. You can use a curve editorto animate properties. Soft-proofing was added for seeing how your artworkwill look in print. A new color picker that allows selecting wide-gamutcolors. There is also a new brush engine that paints fast on largecanvases, a stop-based gradient editor." See the releasenotes for more information.
Back in 2007, the announcement that AMDintended to reverse its longstanding position and create an upstream driverfor its graphics processors was joyfully received by Linux usersworldwide. As 2017 approaches, an attempt by AMD to merge a driver for anupcoming graphics chip has been rejected by the kernel's graphics subsystemmaintainer — a decision that engendered rather less joy. A look at thisdiscussion reveals a pattern seen many times before; the positions and decisions taken can seem arbitrary to the wider world but theyare not without their reasons and will, hopefully, lead to a better kernelin the long run.
Nextcloud 11 has beenreleased with many security and scalability improvements. "Nextcloud 11 introduces Apache Solr powered Full Text Search, enabling users to find words or phrases in text, pdf and common office documents on internal, external, shared and encrypted storage. The next generation Federation technology introduces a central lookup server, enabling Nextcloud users to find each other irrespective of the server their account resides on. The experimental Spreed app integrates secure, peer to peer audio and video chat in Nextcloud."
KDE e.V. has released its community report for thesecond half of 2015. "Over nineteen years producing high quality free software, spreading open culture, and creating a thriving community, KDE has become a huge umbrella organization supporting all sorts of FOSS-related projects. As a consequence, an even more inclusive, diverse, and open community has grown, with opportunities we couldn't have envisioned some years ago."
CentOS Linux has released version 7.3-1611 of its Enterprise Linux clone. "This release supersedes all previously released content for CentOSLinux 7, and therefore we highly encourage all users to upgrade theirmachines. Information on different upgrade strategies and how tohandle stale content is included in the Release Notes."
Linus has released the 4.9 kernel, asexpected. Some of the headline features in 4.9 includeimproved security with virtually mapped kernelstacks,the memory-protection keys system calls,the BBR congestion-control algorithm,support for the Greybus bus architecture,shared extents in the XFS filesystem (which will be used to supportlightweight copy operations among other things),and much more.The code name has also been changed to "Roaring Lionus".In the end, 16,216 non-merge changesets were pulled for the 4.9 release,making this development cycle the busiest ever by far.
The stable kernel machine continues to crank out updates; 4.8.14 and 4.4.38 are now available with another set ofimportant fixes. These include, finally, the fix for CVE-2016-8655, a local-root exploit that hasbeen getting some attention.
Arch Linux has updated jasper(multiple vulnerabilities, two from 2015) and linux-zen (code execution).Debian-LTS has updated roundcube(code execution) and spip (cross-site scripting).Fedora has updated httpd (F25:denial of service).Mageia has updated phpmyadmin (multiple vulnerabilities).openSUSE has updated GraphicsMagick (42.2: multiple vulnerabilities, many from 2014), kernel (13.2: multiple vulnerabilities, two from 2015), and libXfixes (13.2: denial of service).Red Hat has updated python-XStatic-jquery-ui (RHOSP 9.0; RHOSP8.0: cross-site scripting), rh-mariadb100-mariadb (RHSC: multiple vulnerabilities), and rh-mariadb101-mariadb (RHSC: multiple vulnerabilities).SUSE has updated kernel (SLE12:three vulnerabilities).Ubuntu has updated oxide-qt(16.10, 16.04, 14.04: multiple vulnerabilities).
Greg Kroah-Hartman has announced the release of the 4.8.13 and 4.4.37 stable kernels. As usual, there arefixes throughout the tree and users of those kernel series should upgrade.Note that the fixfor the kernel code execution vulnerability usingAF_PACKET sockets (also known as CVE-2016-8655) has not made itinto these stable kernels. Those running systemd may want to check LennartPoettering's blogpost on how to mitigate the problem for services started by systemd.
Over at the Fedora Community Blog, Brian Proffitt writes about Fedora member Matthew Williams who passed away recently from cancer. "Matthew’s passion to constantly improve the software and hardware with which he worked created a tireless advocate for the Fedora Project, and his presence was felt at conferences across the nation: SCaLE, Ohio LinuxFest, and the former Indiana LinuxFest, an Indianapolis-based event that he helped found.Matthew also devoted time to interviewing and archiving notable figures in the free and open source software communities to learn what drove people to work on their projects. He was also very driven to share what he knew, launching the Open FOSS training site in 2015 to help new Linux users with getting involved with any Linux distribution. While he was active in the Fedora community, Matthew was also very involved with Ubuntu as well."
LWN.net