AMD has launched "gpuopen.com" to support open graphics development (on AMD GPUs, naturally). "The second is a commitment to open source software. The game and graphics development community is an active hub of enthusiastic individuals who believe in the value of sharing knowledge. Full and flexible access to the source of tools, libraries and effects is a key pillar of the GPUOpen philosophy. Only through open source access are developers able to modify, optimize, fix, port and learn from software. The goal? Encouraging innovation and the development of amazing graphics techniques and optimizations in PC games."
As expected, Linus released the 4.5-rc1 development kernel and closed the merge window for this cycle on January 24. Fewer than 2,000 changes were pulled since last week's summary, but there were some significant changes to be found among them. Click below (subscribers only) for the final part of LWN's 4.5 merge window coverage.
Arch Linux has updated ecryptfs-utils (privilege escalation), linux-lts (privilege escalation), privoxy (two denial of service flaws), python-rsa (signature forgery), and python2-rsa (signature forgery).
CentOS has updated ntp (C7; C6: missing check for zero originate timestamp).
Debian has updated claws-mail (code execution).
Debian-LTS has updated foomatic-filters (buffer overflows), imlib2 (denial of service), pound (multiple vulnerabilities, one from 2009), and privoxy (two denial of service flaws).
Fedora has updated bind (F23: two denial of service flaws), bind99 (F23: denial of service), chrony (F23: packet modification), dhcp (F22: denial of service), java-1.8.0-openjdk (F23: unspecified), mod_nss (F22: enables insecure ciphersuites), owncloud (F23; F22: multiple vulnerabilities), python-rsa (F22: signature forgery), and qemu (F23: multiple vulnerabilities).
Mageia has updated virtualbox (unspecified vulnerabilities).
openSUSE has updated bind (13.1: denial of service), cgit (13.1: three vulnerabilities), giflib (13.1: heap-based buffer overflow), jasper (13.2; 13.1: denial of service), libvirt (Leap42.1, 13.2; 13.1: path traversal), openldap2 (13.2: two vulnerabilities), roundcubemail (Leap42.1; 13.2; 13.1: code execution), and tiff (13.2; 13.1: denial of service).
Oracle has updated ntp (OL7: missing check for zero originate timestamp).
Red Hat has updated ntp (RHEL6,7: missing check for zero originate timestamp).
Scientific Linux has updated ntp (SL6,7: missing check for zero originate timestamp).
SUSE has updated bind (SLES10-SP4: four denial of service vulnerabilities), openldap2 (SLE12-SP1: two vulnerabilities), and kernel (SLE12: privilege escalation).
Matt Mackall, the creator of the Mercurial source-code management system, has announced that he is ready to move on to a new project. "So over the course of this year, I'm going to gradually remove myself from daily involvement in the project. As lots of people and companies have a lot invested in Mercurial, I'm doing this over a long period of time to make sure it goes smoothly."
Linus has released the 4.5-rc1 prepatch and closed the merge window for this development cycle. "It's a fairly normal release - neither unusually big nor unusually small. The statistics look fairly normal too, with drivers being a bit over 70% of the bulk (the big driver areas being gpu, networking, sound, staging, fbdev, but it's all over)."
The 4.3.4, 4.1.16, 3.14.59, and 3.10.95 stable kernel updates have been released. They are the first in just over one month, and they contain a fair number of important fixes.
On his blog, Peter Hutterer answers the perennial "is Wayland ready yet?" question by pointing out that it really is not the right question. "The protocol is stable and has been for a while. But not every compositor and/or toolkit/application speak Wayland yet, so it may not be sufficient for your use-case. So rather than asking 'Is Wayland ready yet', you should be asking: 'Can I run GNOME/KDE/Enlightenment/etc. under Wayland?' That is the right question to ask, and the answer is generally 'It depends what you expect to work flawlessly.' This also means 'people working on Wayland' is often better stated as 'people working on Wayland support in ....'"
Just a quick note to point out that the very first LWN Weekly Edition came out on January 22, 1998. So we have now been at it for eighteen years. To say we would have been surprised by that idea in 1998 is a serious understatement. Many thanks to LWN's reader community for keeping us going for all this time!
Linux Foundation leader Jim Zemlin explains the recent changes in the organization's by-laws. "First, The Linux Foundation Board structure has not changed. The same individuals remain as directors, and the same ratio of corporate to community directors continues as well. What we did do was to act on a long-discussed perception that the value we provide to individual supporters could be improved, for the first time in a decade. And that the process for recruiting community directors should be changed to be in line with other leading organizations in our community and industry." He also speaks out against the personal attacks that have appeared in conversations about this change.
Version 1.6 of the Rust programming language has been released. "The largest new feature in 1.6 is that libcore is now stable! Rust's standard library is two-tiered: there's a small core library, libcore, and the full standard library, libstd, that builds on top of it. libcore is completely platform agnostic, and requires only a handful of external symbols to be defined. Rust's libstd builds on top of libcore, adding support for memory allocation, I/O, and concurrency. Applications using Rust in the embedded space, as well as those writing operating systems, often eschew libstd, using only libcore. libcore being stabilized is a major step towards being able to write the lowest levels of software using stable Rust."
On his blog, Matthew Garrett has noted that the Linux Foundation (LF) has dropped the community representatives to its board that were elected by the individual LF members. "The by-laws were amended to drop the clause that permitted individual members to elect any directors. Section 3.3(a) now says that no affiliate members may be involved in the election of directors, and section 5.3(d) still permits at-large directors but does not require them[2]. The old version of the bylaws are here - the only non-whitespace differences are in sections 3.3(a) and 5.3(d). These changes all happened shortly after Karen Sandler [executive director of the Software Freedom Conservancy] announced that she planned to stand for the Linux Foundation board during a presentation last September [YouTube link]. A short time later, the "Individual membership" program was quietly renamed to the "Individual supporter" program and the promised benefit of being allowed to stand for and participate in board elections was dropped (compare the old page to the new one)." Garrett speculates that the GPL enforcement suit that the Software Freedom Conservancy is funding against VMware, which is an LF member, is ultimately behind the move. He also notes (the [2] above) that there is still a community representative from the Technical Advisory Board (TAB) that sits on the LF board.
OSNews reports that the Dutch consumer protection advocacy agency Consumentenbond has sued Samsung, demanding updates for its Android phones. "The Consumentenbond had been in talks with Samsung about this issue for a while now, but no positive outcome was reached, and as such, they saw no other option but to file suit. The Consumentenbond is demanding that Samsung provides two years of updates for all its Android devices, with the two-year period starting not at the date of market introduction of the device, but at the date of sale. This means that devices introduced one or even more years ago that are still being sold should still get two years' worth of updates starting today." (Thanks to Paolo Bonzini)
Unused code is untested code, which probably means that it harbors bugs—sometimes significant security bugs. That lesson has been reinforced by the recent OpenSSH "roaming" vulnerability. Leaving a half-finished feature only in the client side of the equation might seem harmless on a cursory glance but, of course, is not. Those who mean harm can run servers that "implement" the feature to tickle the unused code. Given that the OpenSSH project has a strong security focus (and track record), it is truly surprising that a blunder like this could slip through—and keep slipping through for roughly six years. Subscribers can click below to read the full story from the week's edition.
Arch Linux has updated kernel (privilege escalation).
CentOS has updated kernel (C5: two remote denial of service vulnerabilities).
Debian has updated bind9 (denial of service) and ecryptfs-utils (privilege escalation).
Debian-LTS has updated bind9 (denial of service), ecryptfs-utils (privilege escalation), and librsvg (out-of-bounds heap read).
Fedora has updated libxmp (F23; F22: multiple vulnerabilities), mbedtls (F23; F22: memory leak), qemu (F22: multiple vulnerabilities), and radicale (F23; F22: multiple vulnerabilities).
openSUSE has updated cups-filters (Leap42.1: code execution).
Oracle has updated kernel (OL5: two remote denial of service vulnerabilities).
Scientific Linux has updated kernel (SL5: two remote denial of service vulnerabilities).
SUSE has updated bind (SLE12-SP1: denial of service).
Ubuntu has updated bind9 (denial of service), ecryptfs-utils (privilege escalation), kernel (15.10; 15.04; 14.04: privilege escalation), libxml2 (two vulnerabilities), linux-lts-trusty (12.04: privilege escalation), linux-lts-utopic (14.04: privilege escalation), linux-lts-vivid (14.04: privilege escalation), linux-lts-wily (14.04: privilege escalation), and linux-raspi2 (15.10: privilege escalation).
This article from CysecLabs starts a series explaining how return-oriented programming (ROP) can be used to exploit vulnerabilities in the kernel. "ROP techniques take advantage of code misalignment to identify new gadgets. This is possible due to x86 language density, i.e., the x86 instruction set is large enough (and instructions have different lengths), that almost any sequence of bytes can be interpreted as a valid instruction."
Back in 2014, LWN looked at the Meteor web application framework. Now, Meteor's developers are contemplating why it failed to take over the world. "New developers love how easy it is to get started with it, but can get discouraged when they start struggling with more complex apps. And purely from a financial standpoint, it's hard to build a sustainable business on the back of new developers hacking on smaller apps. On the other hand, many of the more experienced developers who'd be able to handle (and help solve) Meteor's trickier challenges are turned off by its all-in-one approach, and never even give it a chance in the first place." They promise the imminent unveiling of a new approach that is going to address these problems.
The CyanogenMod developers have announced that they will be shutting down the WhisperPush secure messaging system (covered here in 2013). "We've ultimately made the decision that we will no longer be supporting WhisperPush functionality directly within CyanogenMod. Further, WhisperPush services will be end-of-lifed beginning Feb 1st 2016. As this is a server side implementation, all branches of CM from CM10.2 and forward will be affected."
Two of the earliest figures in the Linux community were Lars Wirzenius and Joey Hess. So when the former offered us an interview with the latter, we were quick to accept. Click below (subscribers only) for Joey's views on his departure from Debian, Haskell development, off-the-grid living, and more.
Debian has updated kernel (multiple vulnerabilities, including one from 2013).
Debian-LTS has updated isc-dhcp (denial of service), passenger (environment variable injection), and srtp (denial of service).
openSUSE has updated mbedtls (42.1: signature forgery), perl-Module-Signature (13.2, 13.1: multiple vulnerabilities), and polarssl (13.2: signature forgery).
Red Hat has updated kernel (RHEL5: two remote denial of service vulnerabilities) and kernel (RHEL6.2: two denial of service vulnerabilities).
SUSE has updated samba (SLE11SP4, SLE11SP3: multiple vulnerabilities) and kernel (SLE12: multiple vulnerabilities).
Perception Point discloses a use-after-free vulnerability in the kernel's keyring subsystem; it is exploitable for local privilege escalation. "If a process causes the kernel to leak 0x100000000 references to the same object, it can later cause the kernel to think the object is no longer referenced and consequently free the object. If the same process holds another legitimate reference and uses it after the kernel freed the object, it will cause the kernel to reference deallocated or reallocated memory. This way, we can achieve a use-after-free, by using the exact same bug from before. A lot has been written on use-after-free vulnerability exploitation in the kernel, so the following steps wouldn't surprise an experienced vulnerability researcher." This bug, introduced in 3.8, looks like a good one to patch quickly; of course, for vast numbers of users of mobile and embedded systems, that may not be an option.
Here is a long and detailed post from Andy Wingo on how he improved numerical performance in the Guile language by carefully removing runtime type information ("unboxing"). "If Guile did native compilation, it would always be a win to unbox any integer operation, if only because you would avoid polymorphism or any other potential side exit. For bignums that are within the unboxable range, the considerations are similar to the floating-point case: allocation costs dominate, so unboxing is almost always a win, provided that you avoid double-boxing. Eliminating one allocation can pay off a lot of instruction dispatch."
Swapnil Bhartiya takes a look at Mycroft AI and talks with CTO Ryan Sipes, on Linux.com. "Earlier this month, the developers released the Adapt intent parser as open source. When many people look at Mycroft, they think voice recognition is the important piece, but the brain of Mycroft is the Adapt intent. It takes natural language, analyzes the ultimate sentence, and then decides what action needs to be taken. That means when someone says 'turn the lights off in the conference room,' Adapt grabs the intent 'turn off' and identifies the entity as 'conference room.' So, it makes a decision and then reaches out to whatever device is controlling the lights in the conference rooms and tells it to turn them off. That's complex work. And, the Mycroft developers just open sourced the biggest and most powerful piece of their software."
Version 1.2 of the MyPaint natural-media-painting application has been released. Changes include new tools for smooth-stroke inking and flood filling, automatic file backup and recovery, the ability to group layers, and GTK+3 support. Ubuntu packages are already available through the project's official testing PPA; builds will follow shortly for other distributions and platforms. In the meantime, source bundles are provided at the project's GitHub page.
Core Bitcoin developer Mike Hearn writes that the Bitcoin experiment has failed. "In a company, someone who did not share the goals of the organisation would be dealt with in a simple way: by firing him. But Bitcoin Core is an open source project, not a company. Once the 5 developers with commit access to the code had been chosen and Gavin [Andresen] had decided he did not want to be the leader, there was no procedure in place to ever remove one. And there was no interview or screening process to ensure they actually agreed with the project's goals." If Bitcoin is indeed failing as the article says, it's failing due to project governance issues rather than technical or regulatory problems.
Over at Opensource.com, VM (Vicky) Brasseur and Josh Berkus give advice to conference organizers on how they can improve their conferences for attendees. There are ten different areas they address, including "Clear communications", "Have a Code of Conduct (and train staff on what that means)", "Fix your darn badges", and "Working Wi-Fi (here be dragons)". "When asked, attendees have a lot of strong opinions on the subject of conference badges, and the majority of those opinions are not positive. Badges serve multiple purposes, but the single most important one is allowing attendees to identify each other. Yet, despite that, few conference badges do a good job of performing this one deceptively simple duty."
The Linux Foundation and Goodwill are working together to bring free Linux training and certification to adult students in Texas. "The scholarship program will begin with The Goodwill Excel Center and the Goodwill Career and Technical Academy in Central Texas and is expected to expand to other communities in the future. The Goodwill Excel Center is the first free public charter high school for adults in Texas. Students age 17-50 have the opportunity to earn their high school diploma, complete an in-demand professional certification and begin post-secondary education. The Extended Learning Linux Foundation Scholarship Program created by Linux Foundation and Goodwill includes free access to the Intro to Linux (LFS101x) and Essentials of System Administration (LFS201) courses, and the Linux Foundation Certified System Administrator exam at no cost. Hundreds of disadvantaged individuals from underserved communities and a variety of backgrounds are expected to enroll in the new program in the year ahead."
The 2016 Linux Plumbers Conference (LPC) has announced its Call for Microconferences. LPC will be held in Santa Fe, NM, USA on November 2-4, co-located with the Kernel Summit. "A microconference is a collection of collaborative sessions focused on problems in a particular area of the Linux plumbing, which includes the kernel, libraries, utilities, UI, and so forth, but can also focus on cross-cutting concerns such as security, scaling, energy efficiency, or a particular use case. Good microconferences result in solutions to these problems and concerns, while the best microconferences result in patches that implement those solutions."
Theo de Raadt suggests that a significant OpenSSH security issue is about to be exposed; the message reads, in full: "Important SSH patch coming soon. For now, everyone on all operating systems, please do the following: Add undocumented 'UseRoaming no' to ssh_config or use '-oUseRoaming=no' to prevent upcoming #openssh client bug CVE-2016-0777. More later." Update: that important patch appears to be OpenSSH 7.1p2, available now. "The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming). The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys." There are a few other security fixes there as well. Update 2: see the Qualys advisory for vast amounts of detail.
The Qt Company has announced changes to the open source licensing and product structure of the Qt cross-platform application development framework. "New versions of Qt will be licensed under a commercial license, GPLv2, GPLv3, and LGPLv3, but no longer under LGPLv2.1. The updated open source licenses better ensure end user freedom when using open source licensed versions of Qt. LGPLv3 explicitly forbids the distribution of closed embedded devices. Distributing software under these terms includes a patent grant to all receivers of the software. Commercial Qt licensing removes these requirements and includes professional technical support from The Qt Company."
Arch Linux has updated libxslt (denial of service).
Debian has updated isc-dhcp (denial of service).
Debian-LTS has updated claws-mail (code execution).
Fedora has updated openvpn (F22: multiple vulnerabilities), pitivi (F22: code execution), and shotwell (F23; F22: validate TLS certificates).
openSUSE has updated ffmpeg (Leap42.1: multiple vulnerabilities).
Slackware has updated dhcp (denial of service).
Ubuntu has updated isc-dhcp (denial of service) and libvirt (multiple vulnerabilities).
The user namespaces feature is conceptually fairly straightforward—allow users to run as root in their own space, while limiting their privileges on the system outside that space—but the implementation has, perhaps unsurprisingly, proven to be quite tricky. There are some assumptions about user IDs and how they operate that are deeply wired into the kernel in various subsystems; shaking those out has taken some time, which led to some hesitation about enabling the feature in distribution kernels. But that reluctance has largely passed at this point, which makes the recent discovery of a root-privilege escalation using user namespaces and the overlay filesystem (overlayfs) that much more dangerous. Subscribers can click below for the full story from this week's edition.
Version 4.6 of the Ardour audio editor is available. "4.6 includes some notable new features - deep support for the Presonus FaderPort control surface, Track/Bus duplication, a new Plugin sidebar for the Mixer window - as well as the usual dozens of fixes and improvements to all aspects of the application, particularly automation editing." The full list of enhancements is quite long; see the announcement for details.
Version 2.0 of the Ansible configuration management system has been released. "This is by far one of the most ambitious Ansible releases to date, and it reflects an enormous amount of work by the community, which continues to amaze me. Approximately 300 users have contributed code to what has been known as 'v2' for some time, and 500 users have contributed code to modules since the last major Ansible release." New features include playbook-level exception handling, better error diagnostics, a new set of OpenStack modules, and more. See the changelog for more (terse) details.
Mark Radcliffe writes about important legal developments from 2015, including the first ruling on GPLv3 (in Germany): "In this case, the user cured its breach within the necessary period, but refused to sign a 'cease and desist' declaration which was sought by the plaintiff to ensure that the defendant would have an incentive not to breach the terms of the GPLv3 again. The court ruled that the reinstatement provision in Section 8 did not eliminate the plaintiff's right to a preliminary injunction to prevent further infringements, particularly if the defendant had refused to sign the plaintiff's cease-and-desist declaration."
Mozilla has announced that it will be shutting down the persona.org authentication service in November. It has been two years since Persona was "transitioned to community ownership"; now the other shoe has dropped. "Due to low, declining usage, we are reallocating the project's dedicated, ongoing resources and will shut down the persona.org services that we run. Persona.org and related domains will be taken offline on November 30th, 2016." There is a set of "shutdown guidelines" to help sites still using Persona to transition to something else. (LWN looked at Persona in 2013.)
Netcraft reports that the US Department of Defense (DoD) is still issuing SHA-1 signed certificates, and using them to secure connections to .mil websites. "The DoD is America's largest government agency, and is tasked with protecting the security of its country, which makes its continued reliance on SHA-1 particularly remarkable. Besides the well known security implications, this reliance could already prove problematic amongst the DoD's millions of employees. For instance, Mozilla Firefox 43 began rejecting all new SHA-1 certificates issued since 1 January 2016. When it encountered one of these certificates, the browser displayed an Untrusted Connection error, although this could be overridden. If DoD employees become accustomed to ignoring such errors, it could become much easier to carry out man-in-the-middle attacks against them."
Linus has, as expected, announced the release of the 4.4 kernel. Some of the headline features in this release include the mlock2() system call with support for deferred memory locking, I/O polling in the block layer, the LightNVM patches for low-level control of solid-state storage devices, the ability for unprivileged users to load BPF programs into the kernel, and much more. Some more information can be found on the KernelNewbies 4.4 page.
At his blog, Daniel Vrátil provides an extensive update on the status of Akonadi, the KDE project's personal information management (PIM) data service. He focuses on the changes made during the port to KDE Frameworks 5, starting with the switch from a text-based to a binary protocol. "This means we spent almost zero time on serialization and we are able to transmit large chunks of data between the server and the applications very, very efficiently." The ripple effects include changes to the database operations and, eventually, to the public API. Finally, he addresses the disappearance of the KJots note-taking application. "What we did not realize back then was that we will effectively prevent people from accessing their notes, since we don’t have any other app for that! I apologize for that to all our users, and to restore the balance in the Force I decided to bring KJots back. Not as a part of the main KDE PIM suite but as a standalone app."
PostgreSQL 9.5 has been released with lots of new features for the database management system, including UPSERT, row-level security, and several "big data" features. We previewed some of these features back in July and August. "A most-requested feature by application developers for several years, 'UPSERT' is shorthand for 'INSERT, ON CONFLICT UPDATE', allowing new and updated rows to be treated the same. UPSERT simplifies web and mobile application development by enabling the database to handle conflicts between concurrent data changes. This feature also removes the last significant barrier to migrating legacy MySQL applications to PostgreSQL."
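As an added illustration (not from the PostgreSQL announcement or from LWN), here is what the two 9.5 features named above, UPSERT and row-level security, look like in SQL. The table, column, policy and role names are made up for the example; the syntax is the 9.5 syntax.

```sql
-- Added example, not part of the PostgreSQL release announcement.
-- Assumes PostgreSQL 9.5 or later and a non-superuser application role
-- that has been granted SELECT/INSERT/UPDATE on the table (assumption).
-- A per-user settings table; the composite primary key is what ON CONFLICT
-- arbitrates on.
CREATE TABLE user_settings (
    username   text        NOT NULL,
    setting    text        NOT NULL,
    value      text        NOT NULL,
    updated_at timestamptz NOT NULL DEFAULT now(),
    PRIMARY KEY (username, setting)
);

-- UPSERT: insert the row, or, if a row with this (username, setting) already
-- exists, update it in place.  EXCLUDED is the row that was proposed for
-- insertion.  Before 9.5 this was an UPDATE, a row-count check and an INSERT,
-- which could still fail with a duplicate-key error when two sessions raced.
INSERT INTO user_settings (username, setting, value)
VALUES (current_user, 'theme', 'dark')
ON CONFLICT (username, setting)
DO UPDATE SET value = EXCLUDED.value, updated_at = now();

-- The other common form: insert only if missing, silently keep the existing
-- row otherwise.
INSERT INTO user_settings (username, setting, value)
VALUES (current_user, 'language', 'en')
ON CONFLICT DO NOTHING;

-- Row-level security: once enabled, every SELECT/INSERT/UPDATE/DELETE by a
-- role other than the table owner is filtered through the table's policies.
-- With no policy at all, such a role sees and changes nothing.
ALTER TABLE user_settings ENABLE ROW LEVEL SECURITY;

-- A role may read only rows whose username is its own session user (USING),
-- and may only insert or update rows carrying its own username (WITH CHECK),
-- so it cannot write settings into another user's namespace.
CREATE POLICY own_rows ON user_settings
    USING      (username = current_user)
    WITH CHECK (username = current_user);

-- The table owner bypasses row-level security by default; 9.5 lets the owner
-- opt in to the same policies, which is usually what you want in production.
ALTER TABLE user_settings FORCE ROW LEVEL SECURITY;

-- Under the policy, this returns only the calling role's own rows.
SELECT username, setting, value
FROM user_settings
ORDER BY setting;
```

The security point of combining the two is that the UPSERT path goes through the same WITH CHECK clause as a plain INSERT or UPDATE: a conflicting row belonging to another user is not updated, the statement is rejected by the policy instead, so application code cannot use ON CONFLICT to reach across user boundaries.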