KDE has announced a partnership with Slimbook, a Spanish laptop retailer, to create the KDE Slimbook."The KDE Slimbook allows KDE to offer our users a laptop which has been tested directly by KDE developers, on the exact same hardware and software configuration that the users get, and where any potential hardware-related issues have already been ironed out before a new version of our software is shipped to them. This gives our users the best possible way to experience our software, as well as increasing our reach: The easier it is to get our software into users' hands, the more it will be used." The laptop is available for pre-order with systems shipping mid-March.
Here's anO'Reilly article describing the Jupyter project and what it hasaccomplished."Project Jupyter aims to create an ecosystem of open source tools forinteractive computation and data analysis, where the direct participationof humans in the computational loop—executing code to understand a problemand iteratively refine their approach—is the primary consideration."
Here's anO'Reilly article describing the Jupyter project and what it hasaccomplished."Project Jupyter aims to create an ecosystem of open source tools forinteractive computation and data analysis, where the direct participationof humans in the computational loop—executing code to understand a problemand iteratively refine their approach—is the primary consideration."
Greg Kroah-Hartman has announced the release of the 4.9.6 and 4.4.45 stable kernels. They contain fixesthroughout the tree, as normal, and users of those kernel series should upgrade.
Greg Kroah-Hartman has announced the release of the 4.9.6 and 4.4.45 stable kernels. They contain fixesthroughout the tree, as normal, and users of those kernel series should upgrade.
Arch Linux has updated ed (denialof service).Debian has updated firefox-esr (multiple vulnerabilities).Debian-LTS has updated ming (multiple vulnerabilities) and pdns (multiple vulnerabilities).Fedora has updated ansible (F25; F24: twovulnerabilities), firefox (F24: multiple vulnerabilities), and qemu (F24: multiple vulnerabilities).openSUSE has updated gstreamer-0_10-plugins-bad (42.1: codeexecution), systemd (42.2: privilegeescalation), and tigervnc (42.2, 42.1: codeexecution).Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).Red Hat has updated ansible(RHOSP10.0: code execution) and kernel(RHEL6.4: code execution).Ubuntu has updated openjdk-8(16.10, 16.04: multiple vulnerabilities).
Arch Linux has updated ed (denialof service).Debian has updated firefox-esr (multiple vulnerabilities).Debian-LTS has updated ming (multiple vulnerabilities) and pdns (multiple vulnerabilities).Fedora has updated ansible (F25; F24: twovulnerabilities), firefox (F24: multiple vulnerabilities), and qemu (F24: multiple vulnerabilities).openSUSE has updated gstreamer-0_10-plugins-bad (42.1: codeexecution), systemd (42.2: privilegeescalation), and tigervnc (42.2, 42.1: codeexecution).Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).Red Hat has updated ansible(RHOSP10.0: code execution) and kernel(RHEL6.4: code execution).Ubuntu has updated openjdk-8(16.10, 16.04: multiple vulnerabilities).
The election to pick two members of the openSUSE board has been suspended due to "technicalproblems". The problems do indeed appear to be technical in nature, withat least some voters being presented strange and confusing ballots. Theelection was restarted on the 21st in anunsuccessful attempt to fix the problems; now it is on indefinite hold. The current board willcontinue to serve, possibly deferring any major decisions, until theissue is resolved.
Version 2.0 of the WineWindows emulation system has been released. "This release representsover a year of development effort and around 6,600 individual changes. Themain highlights are the support for Microsoft Office 2013, and the 64-bitsupport on macOS."
Mozilla has released Firefox 51.0. This version adds support for FLACplayback and WebGL2, along with many improvements and securityfixes. See the releasenotes for details.
Package managers are at the core of Linux distributions, but they arecurrently engulfed in a wave of changes and it's not clear how things willend up. Kristoffer Grönlund started his 2017 linux.conf.au talk on thesubject by putting up a slide saying that "everything isterrible awesome". There are a number of frustrationsthat result from the current state of package management, but thatfrustration may well lead to better things in the future.
Debian-LTS has updated hesiod (two vulnerabilities) and tiff (multiple vulnerabilities).Fedora has updated gd (F25; F24: two denial of service flaws) and kernel (F25; F24: privilege escalation).Gentoo has updated adodb (twovulnerabilities), firejail (threevulnerabilities), icu (threevulnerabilities), libraw (twovulnerabilities from 2015), libwebp(integer overflows), and t1lib (multiplevulnerabilities from 2011).openSUSE has updated python3-sleekxmpp (42.2: two vulnerabilities)and virtualbox (42.2: multiple unspecified vulnerabilities).Red Hat has updated mysql (RHEL6:three vulnerabilities), squid (RHEL7:information leak), and squid34 (RHEL6:information leak).Scientific Linux has updated java-1.8.0-openjdk (SL6,7: multiplevulnerabilities), mysql (SL6: threevulnerabilities), squid (SL7: informationleak), and squid34 (SL6: information leak).Slackware has updated firefox(multiple vulnerabilities).Ubuntu has updated pcsc-lite (privilege escalation) and tomcat6, tomcat7, tomcat8 (multiple vulnerabilities).
Sebastian Krahmer has reported that systemdv228 is vulnerable to a trivial local root exploit that was silently fixeda year ago. It is believed that it mostly affects v228, but he recommendsthat distributions check to ensure they have the fix. No CVE was requestedby the project so the SUSE security team requested one and it was assignedCVE-2016-10156. "The analysis says that is a 'possible DoS', but itsa local root exploit indeed. Mode 07777 also contains the suid bit, so filescreated by touch() are world writable suids, root owned. Suchas /var/lib/systemd/timers/stamp-fstrim.timer thats found on a non-nosuidmount."
Lineage OS, the successor to CyanogenMod, is gearing up tomake weekly builds available for a number of Marshmallow and Nougat capabledevices. "Additionally, our Download Portal, Install stats page (yep, that’s50k+ unofficial installs already!) and Wiki are all live. Notably, all threeof these sites (and this blog) are open sourced - you can contribute tothem via our Gerrit instance! Bear with us if these sites look bare at themoment, they will grow with content and design as we continue marchingforward."
Version5.8 of the Qt graphics toolkit is out. "Qt 5.8 is a rather largerelease, containing quite a large set of new functionality." Thatfunctionality includes a new configuration system that makes it easy tobuild cut-down versions of Qt, full support for the Wayland compositor,experimental text-to-speech support, and more.
The free software community tends to focus its spotlight on developersand userswhile paying rather less attention to the maintainers that keep ourprojects going. Nadia Eghbal spent a year and a half studying how the communityworks, and has concluded that we have a problem with maintainership; her2017 linux.conf.au keynote was dedicated to explaining the problem and howwe might want to deal with it. But first, she talked about lobsters.
The linux.conf.au 2017 organizers have put up videos ofthe talks in near-record time. There's a lot of good stuff there, someof which will be written up for LWN in the near future.
Linus has released the 4.10-rc5 kernelprepatch for testing, noting that "everything looks nominal".He also changed the codename from the short-lived "Roaring Lionus" to"Anniversary Edition".
Matthias Clasen looks at how to debug an application built into a Flatpak. Since the runtime environment for a Flatpak application is quite different than normal, even running GDB requires taking some different steps. "Now for the last trick: I was complaining about stacktraces without symbols at the beginning. In rpm-based distributions, the debug symbols are split off into debuginfo packages. Flatpak does something similar and splits all the debug information of runtimes and apps into separate â€runtime extensionsâ€, which by convention have .Debug appended to their name. So the debug info for org.gnome.Recipes is in the org.gnome.Recipes.Debug extension.When you use the –devel option, flatpak automatically includes the Debug extensions for the application and runtime, if they are available. So, for the most useful stacktraces, make sure that you have the Debug extensions for the apps and runtimes in question installed."
Arch Linux has updated php (threevulnerabilities), powerdns (MV), and powerdns-recursor (three vulnerabilities).Debian has updated mysql-5.5(multiple unspecified vulnerabilities).Debian-LTS has updated libphp-swiftmailer (code execution).Gentoo has updated curl (MV, twofrom 2014), cvs (code execution from 2012),icedtea-bin (MV), irssi (MV), and nss (MV, three from 2015).openSUSE has updated pdns-recursor (42.2, 42.1: denial of service)and squid (42.1: two vulnerabilities, onefrom 2014).Red Hat has updated java-1.8.0-openjdk (RHEL7&6: MV),openstack-cinder (OSP6.0 for RHEL7; OSP5.0 for RHEL7; OSP5.0 for RHEL6: denial of service from 2015), and python-XStatic-jquery-ui (OSP7.0 for RHEL7:cross-site scripting).SUSE has updated gstreamer-0_10-plugins-good (SLE12SP2: MV).
Daniel Vetter has posted the text ofhis linux.conf.au talk on kernel maintenance. "At least for me,review isn’t just about ensuring good code quality, but also aboutdiffusing knowledge and improving understanding. At first there’s maybe oneperson, the author (and that’s not a given), understanding the code. Aftergood review there should be at least two people who fully understand it,including corner cases. And that’s also why I think that groupmaintainership is the only way to run any project with more than oneregular contributor."
On his blog, Alexander Larsson begins a description of flatpak security. "Long story short, flatpak uses bubblewrap to create a filesystem namespace for the sandbox. This starts out with a tmpfs as the root filesystem, and in this we bind-mount read-only copies of the runtime on /usr and the application data on /app. Then we mount various system things like a minimal /dev, our own instance of /proc and symlinks into /usr from /lib and /bin. We also enable all the available namespaces so that the sandbox cannot see other processes/users or access the network.On top of this we use seccomp to filter out syscalls that are risky. For instance ptrace, perf, and recursive use of namespaces, as well as weird network families like DECnet.In order for the application to be able to write data anywhere we bind mount $HOME/.var/app/$APPID/ into the sandbox, but this is the only persistent writable location."
Nobody starts a free-software project hoping that it will fail, so it is arare project indeed that plans for its eventual demise. But not allprojects succeed, and a project that doesn't plan for failure risks is doingits users harm. Dan Callahan joined Mozilla to work on the Personaauthentication project, and he was there for its recent shutdown. At the 2017linux.conf.au in Hobart, Tasmania, he used his keynote slot to talk aboutthe lessons that have been learned about designing a project for failure.
Arch Linux has updated webkit2gtk (multiple vulnerabilities).CentOS has updated qemu-kvm (C7: denial of service).Debian-LTS has updated icoutils (multiple vulnerabilities).Fedora has updated icoutils (F25; F24:three vulnerabilities), mingw-libgsf (F25:denial of service), and php-PHPMailer (F24:three vulnerabilities).openSUSE has updated bind (42.2, 42.1; 13.2: three denial of service flaws), libgit2 (13.2: two vulnerabilities), openjpeg2 (13.2: multiple vulnerabilities), pdns (42.2, 42.1, 13.2: multiplevulnerabilities), qemu (42.2: multiplevulnerabilities), and squid (42.2: threevulnerabilities, one from 2014).Oracle has updated kernel (OL7:three vulnerabilities) and qemu-kvm (OL7: denial of service).Red Hat has updated docker(RHEL7: privilege escalation), docker-latest (RHEL7: privilege escalation),kernel (RHEL7: three vulnerabilities),kernel-rt (RHEL7; RHEMRG2.5: three vulnerabilities), qemu-kvm (RHEL7: denial of service), and runc (RHEL7: privilege escalation).Scientific Linux has updated kernel (SL7: three vulnerabilities) and qemu-kvm (SL7: denial of service).SUSE has updated kernel(SLE12-SP2: multiple vulnerabilities).Ubuntu has updated nvidia-graphics-drivers-304 and nvidia-graphics-drivers-340 (denial of service).
The Free Software Foundation has reworked its high-priorityproject list to reflect its view of computing in 2017. See thechangelog for a list of the changes that were made. Among otherthings, the Gnash flash player has fallen off the list. "Smart phones are the mostwidely used form of personal computer today. Thus, the need for a fullyfree phone operating system is crucial to the proliferation of softwarefreedom."
Keith Packard is the chief architect for The Machine project at HPE; wecovered his talk on this project back in2015. At the 2017 linux.conf.au Kernel Miniconf, Packard focused on onespecific aspect of The Machine's hardware and software configuration: howstorage is managed and presented to applications. Like much that is beingdone with this project, its storage architecture is an interestingcombination of new ideas and long-established techniques.
Alexandre Prokoudine looks atuser-visible changes for the GNU Image Manipulation Program (GIMP) over2016. Changes include better handling of layers, channels, masks, andpaths, remembering defaults across sessions, improved configurability,color management, and more.
Calligra 3.0 has been released.The Calligra Suite includes office, graphics, and project managementapplications. "We havechosen to cut back on the number of applications. Krita has left us to beindependent and although it was emotional it was also done with completesupport from both sides. We are saying goodbye to Author, which neverdifferentiated itself from Words. We also removed Brainstorm the purpose ofwhich will be better fitted by a new application (nothing planned from ourside). Flow and Stage has gone in this release but we intend to bring themback in the future." The 3.x series updates the applications to useKDE Frameworks 5 and Qt5.
The Linux Test Project test suite stable release for January 2017 is out.There are new test cases, a new shell test library and many tests rewrittento make use of it, and much more. LWN looked at LTP last December.
Arch Linux has updated libgit2 (multiple vulnerabilities), nginx (privilege escalation), nginx-mainline (privilege escalation), and wordpress (multiple vulnerabilities).Debian has updated icoutils(three vulnerabilities), pdns (multiplevulnerabilities), pdns-recursor (denial ofservice), python-bottle (regression inprevious update), and tiff (multiple vulnerabilities).Debian-LTS has updated botan1.10(integer overflow), gcc-mozilla (update toGCC 4.8), icedove (multiplevulnerabilities), libx11 (denial ofservice), otrs2 (code execution), python-bottle (regression in previous update),wireless-regdb (radio regulations updates), and xen (two vulnerabilities).Fedora has updated bind (F25:three denial of service flaws), bind99(F25: three denial of service flaws), ca-certificates (F25; F24:certificate update), docker-latest (F25:privilege escalation), gnutls (F24:multiple vulnerabilities), libgit2 (F25: multiple vulnerabilities), and onionshare (F25; F24: file injection).Gentoo has updated apache(multiple vulnerabilities, one from 2014).Mageia has updated golang (denial of service) and irssi (multiple vulnerabilities).Red Hat has updated bind (RHEL7; RHEL5,6: denial of service) and bind97 (RHEL5: denial of service).Scientific Linux has updated java-1.6.0-openjdk (SL5,6,7: multiple vulnerabilities).SUSE has updated qemu (SLE12-SP2:multiple vulnerabilities).
The 4.10-rc4 kernel prepatch is out fortesting. "Things are still looking fairly normal, and this is theusual weekly Sunday rc release. We're up to rc4, and people are clearlystarting to find the regressions. Good, good."
Google has posted an overview of its infrastructure security. It includes information about low-level details, such as physical security and secure boot, encryption of data at rest as well as communications between services and to users, keeping employee devices and credentials safe, and more. Undoubtedly there are lessons here for many different organizations. "This document gives an overview of how security is designed into Google’s technical infrastructure. This global scale infrastructure is designed to provide security through the entire information processing lifecycle at Google. This infrastructure provides secure deployment of services, secure storage of data with end user privacy safeguards, secure communications between services, secure and private communication with customers over the internet, and safe operation by administrators.Google uses this infrastructure to build its internet services, including both consumer services such as Search, Gmail, and Photos, and enterprise services such as G Suite and Google Cloud Platform."
Wired covers the release of Qbsolv as open-source software (under the Apache License v2) by D-Wave, which is a company that makes quantum computing hardware. Qbsolv is "designed to help developers program D-Wave machines without needing a background in quantum physics". Further:Qbsolv joins a small but growing pool of tools for would-be quantum computer programmers. Last year Scott Pakin of Los Alamos National Laboratory–and one of Qbsolv’s first users–released another free tool called Qmasm, which also eases the burden of writing code for D-Wave machines by freeing developers from having to worry about addressing the underlying hardware. The goal, Ewald says, is to kickstart a quantum computing software tools ecosystem and foster a community of developers working on quantum computing problems. In recent years, open source software has been the best way to build communities of both independent developers and big corporate contributors.Of course to actually run the software you create with these tools, you’ll need access to one of the very few existing D-Wave machines. In the meantime, you can download a D-Wave simulator that will let you test the software on your own computer. Obviously this won’t be the same as running it on a piece of hardware that uses real quantum particles, but it’s a start.
Over at Techdirt, Mike Masnick writes about a libel suit filed against the site: "As you may have heard, last week we were sued for $15 million by Shiva Ayyadurai, who claims to have invented email. We have written, at great length, about his claims and our opinion — backed up by detailed and thorough evidence — that email existed long before Ayyadurai created any software. We believe the legal claims in the lawsuit are meritless, and we intend to fight them and to win.There is a larger point here. Defamation claims like this can force independent media companies to capitulate and shut down due to mounting legal costs. Ayyadurai's attorney, Charles Harder, has already shown that this model can lead to exactly that result. His efforts helped put a much larger and much more well-resourced company than Techdirt completely out of business."
Greg Kroah-Hartman has announced the release of the 4.9.3 and 4.4.42 stable kernels. As usual, there arefixes throughout the tree and users of those kernel series should upgrade.
Debian has updated bind9 (threevulnerabilities), ikiwiki (threevulnerabilities), and python-pysaml2 (XMLexternal entity attack).Debian-LTS has updated libav (twovulnerabilities).Fedora has updated compat-guile18 (F25; F24:insecure directory creation), mingw-flac(F25: three vulnerabilities from 2015), qpid-java (F25: information disclosure), andspringframework-security (F25: securityconstraint bypass).openSUSE has updated flash-player(13.2: multiple vulnerabilities).Red Hat has updated memcached(RHMAP4.2: two vulnerabilities).Slackware has updated bind(denial of service), gnutls (multiplevulnerabilities), and irssi (multiple vulnerabilities).SUSE has updated bind (SLE12-SP2,SP1; SLE12; SLE11-SP4,SP3: three vulnerabilities) and flash-player (SLE12-SP1: multiple vulnerabilities).Ubuntu has updated bind9 (threevulnerabilities) and libvncserver (two vulnerabilities).
The Ansible project is currently posting release candidates for the 2.1.4and 2.2.1 releases. They fix an important security bug:"CVE-2016-9587 is rated as HIGH in risk, as a compromised remotesystem being managed via Ansible can lead to commands being run on theAnsible controller (as the user running the ansible or ansible-playbookcommand)." Until this release is made, it would make sense to beespecially careful about running Ansible against systems that might havebeen compromised.Update: see thisadvisory for much more detailed information.
The appearance of a "Python 2.8" got the attention of the Python coredevelopers in early December. It is based on Python 2.7, withfeatures backported from Python 3.x. In general, there was littlesupport for the effort—core developers tend to clearly see Python 3 asthe way forward—but no opposition to it either. The Python license makesit clear that these kinds of efforts are legal and evenencouraged—any real opposition to the project lies in its name.Subscribers can click below for the full article from this week's edition.
LWN.net