CentOS has updated thunderbird (C7; C6; C5: multiple vulnerabilities).
Fedora has updated libpng (F23: two vulnerabilities).
openSUSE has updated grub2 (42.1: code execution).
Red Hat has updated kernel (RHEL6: two vulnerabilities).
Scientific Linux has updated thunderbird (multiple vulnerabilities).
Ubuntu has updated libpng (two vulnerabilities) and pygments (code execution).
Mozilla has run into a hitch with its plans to deprecate SHA-1 certificates. "However, for Firefox users who are behind certain 'man-in-the-middle' devices (including some security scanners and antivirus products), this change removed their ability to access HTTPS web sites. When a user tries to connect to an HTTPS site, the man-in-the-middle device sends Firefox a new SHA-1 certificate instead of the server’s real certificate. Since Firefox rejects new SHA-1 certificates, it can’t connect to the server." An update backing out the SHA-1 deprecation has been posted, but affected users will have to install it manually (assuming they don't use a distribution-supported version, of course).
Glyn Moody conducted an interview with Ian Murdock in 1999. In this article on Ars Technica, Glyn looks back at Debian's early history, as Ian recounted it in that interview. "When we spoke in 1999, he was delighted by how the project had continued to develop: "I often tell people that I didn't know that Debian would be a success until after I left. Because the whole idea was that Debian would be something that would take on a life of its own, and that if it could do that it would outlive my involvement. And it did, and in fact it's not just surviving, but it's thriving. And I'm very proud of that.""
The kernel development community is organized as a hierarchy, with developers submitting patches to maintainers who will, in turn, commit those patches to a repository and push them upstream to higher-level maintainers. This hierarchy logically looks a lot like the directory hierarchy of the kernel source itself; most maintainers look after one or more subtrees of the kernel source tree. But does that model really describe how patches make it into the mainline? The kernel's git repository, with the aid of some scripting, holds an answer to that question.
Linux.com covers two announcements from the Linux Foundation Automotive Grade Linux (AGL) Collaborative Project. Four new major automotive OEMs have joined the project, and a new AGL Unified Code Base (UCB) distribution has been released. "At CES, the AGL UCB will be featured as part of the GENIVI CES 2016 Demonstration Showcase in the Trump International Hotel on January 6-7, 2016. Demo applications for navigation, HVAC control, radio, media player and browser, settings and home screen are on display this week. This new distribution integrates the best components from AGL, Tizen, GENIVI and related open source code into a single AGL Unified Code Base, allowing carmakers to leverage a common platform for rapid innovation."
The Git 2.7.0 release is now available, adding a number of enhancements to this version-control system. The headline feature appears to be a much-needed rework of gitk for better appearance on high-DPI displays, but there are a number of other improvements as well.
Dan Gillmor describes his experience moving to Ubuntu full-time. "So for anyone who’s even slightly interested in retaining significant independence in desktop and laptop computing, Linux is looking like the last refuge. (On an assortment of other devices, from supercomputers to servers to mobile phones to embedded systems, Linux is already a powerhouse.) I’m glad I made this move."
RFC 1883, Internet Protocol, Version 6 (IPv6) Specification, was published 20 years ago. Ars Technica takes a look at IPv6 adoption. "First the good news. According to Google's statistics, on December 26, the world reached 9.98 percent IPv6 deployment, up from just under 6 percent a year earlier. Google measures IPv6 deployment by having a small fraction of their users execute a Javascript program that tests whether the computer in question can load URLs over IPv6. During weekends, a tenth of Google's users are able to do this, but during weekdays it's less than 8 percent. Apparently more people have IPv6 available at home than at work."
As expected, Linus has released 4.4-rc8 rather than the final 4.4 release. "Normally, me doing an eighth release candidate means that there is some unresolved issue that still needs more time to get fixed. This time around, it just means that I want to make sure that everybody is back from the holidays and there isn't anything pending, and that people have time to get their merge window pull requests all lined up. No excuses about how you didn't have time to get things done by the time the merge window opened, now."
James Bottomley is trying to make life easier for projects that want to accept contributions using the developer certificate of origin as the contribution agreement, but which are concerned about patent grants. "The lever that will help to make this move is a simple pledge, which can be published on a corporate website, that allows corporations expecting to make legitimate contributions to patent binding licences under the DCO to do so properly without needing any additional Contributor Licence Agreements. Essentially it would be an explicit statement that when their developers submit code to a project under the DCO using a corporate signoff, they’re acting as agents for the necessary patent and copyright grants, meaning you can always trust a DCO signoff from that corporation."
Just over one year ago, LWN covered the deliberations within the Python project on how to improve its development workflow. Now, after much discussion, it has been announced that the project will be moving over to GitHub. "While there were people who publicly said they would prefer not to go with GitHub but would begrudgingly use it if we chose to go that route, I had multiple core devs email me privately saying they hoped I would choose GitHub. I think most of that stemmed from having used GitHub for other open source projects and/or work, making even dormant core devs say they would be able to become active again if we switched to GitHub thanks to eliminating the barrier of having to keep up with our custom workflow for code reviews and using hg for commits."
The GIMP project has released its annual year-end retrospective, looking back on development on the GIMP editor itself, project infrastructure, and closely related software projects like the Generic Graphics Library (GEGL). Highlights from the past twelve months include the conversion of more tools to using GEGL operations, support for a new perceptual color space, and improvements to image-blending modes. Several new features were added to support painting (including on-screen-canvas flipping and rotation), and work was put into the UI themes. For its part, GEGL gained experimental support for multithreading and mipmaps. The GIMP site was also redesigned, with the launch timed to correspond to GIMP's 20th birthday. "Most of the work we did this year is available in v2.9.2, the first development release in 2.9.x series made in late November. Improved MyPaint Brush tool and visual changes (icon themes, dark theme) will be available in upcoming v2.9.4 release. We expect to continue finalizing the GEGL port and the existing feature set in 2016."
The first security updates of 2016 have arrived.
Debian has updated ganeti (multiple vulnerabilities) and icedove (multiple vulnerabilities).
Debian-LTS has updated ia32-libs (multiple vulnerabilities).
openSUSE has updated mozilla-nss (13.1, 13.2, Leap 42.1: signature forgery) and MozillaThunderbird (13.1, 13.2, Leap 42.1: multiple vulnerabilities).
Brett Cannon continues his series of posts on Python 3 with a blog post likening the path of its adoption to the Kübler-Ross model (i.e. the five stages of grief). "Unfortunately people are running up against the classic problem of lacking buy-in from management. I regularly hear from people that they would switch if they could, but their manager(s) don't see any reason to switch and so they can't (or that they would do per-file porting, but they don't think they can convince their teammates to maintain the porting work). This can be especially frustrating if you use Python 3 in personal projects but are stuck on Python 2 at work. Hopefully Python 3 will continue to offer new features that will eventually entice reluctant managers to switch. Otherwise financial arguments might be necessary in the form of pointing out that porting to Python 3 is a one-time cost while staying on Python 2 past 2020 will be a perpetual cost for support to some enterprise provider of Python and will cost more in the long-term (e.g., paying for RHEL so that someone supports your Python 2 install past 2020). Have hope, though, that you can get buy-in from management for porting to Python 3 since others have and thus reached the "acceptance" stage."
Opensource.com introduces the latest open movie from the Blender Institute, Glass Half. "Like all of the other open movie projects released by the Blender Institute, Glass Half has been released under a Creative Commons Attribution license, along with all of the assets (3D models, textures, animations, etc.) used to create the short. However, there are some key differences between this animated short and the Blender Institute's larger projects like Cosmos Laundromat. For one, the production time for this piece was much shorter. Although there were some concepts and storyboards being put together by the team as Cosmos Laundromat's year-long production was wrapping up, the actual production time for Glass Half was just around seven weeks."
Sad news: Ian Murdock has passed away. "Ian was perhaps best known professionally as the founder of the Debian project, which he created while still a student at Purdue University, where he earned his bachelor’s degree in computer science in 1996. Debian was one of the first Linux distros to be forged, and it is widely regarded as a one of the most successful open-source projects ever launched. Ian helped pioneer the notion of a truly open project and community, embracing open design and open contribution; in fact the formative document of the open source movement itself (the Open Source Definition) was originally a Debian position statement." See also: the Debian Project's page on Ian's passing.
Stefano Zacchiroli was the recipient of a Shuttleworth Foundation Flash Grant in January 2015. He now reports how he spent the money. "On grant money I've attended LibrePlanet 2015 (2015-03-19-boston-libreplanet label in the financial reports below), where I've given the talk Distributions and the Free "Cloud", and FSFE's LLW 2015 (2015-04-15-barcelona-fsfe-legal) workshop. Furthermore I've used the grant to reimburse otherwise not reimbursed out of pocket expenses in a trip to San Francisco (2015-11-06-san-francisco-gsoc+osi) that have been otherwise sponsored by Google (to attend the Summer of Code Mentor Summit) and OSI (to attend a F2F meeting of the Board of Directors). Finally, I've used grant money to offer lunch to invited lecturers in my master-level Free Software class at the university (label 2015-foss-class)."
Opensource.com looks at its top stories for 2015. "This year saw continued growth for both use and adoption of open source software in the enterprise software market. Many companies made some of their software open source, like Google, Facebook, Apple, Microsoft, and others. Also, Microsoft acquired Revolution Analytics, an open source data analytics company. Fun fact: IBM made ~50 applications open source this year."
Noting that "there is no rest for kernel developers," Linus has released the 4.4-rc7 prepatch. Still, it seems he plans to allow for a bit of rest in the near future: "I expect more of the same for next week, when I'd almost certainly ready to just release the final 4.4, but will probably do an rc8 just to not open the merge window while people are still recovering from the holidays."
The December 24 entry in the Perl 6 advent calendar describes the "coming out" of Perl 6. "Of course, she’s still just 15. She does some things really well now. Her communication skills are pretty good, and she is very polite when she can’t understand you. She can carry on several conversations at once. She’s getting pretty good at math, and shows skill in manipulating objects of various sorts. She loves foreign languages, and all those funny characters." The December 25 entry follows with the Rakudo Perl 6 release. "This version of the compiler targets the v6.c 'Christmas' specification of the Perl 6 language. The Perl 6 community has been working toward this release over the last 15 years."
Qubes OS creator Joanna Rutkowska has announced a new paper [PDF] describing a stateless laptop design that, she thinks, will address a number of the security problems she sees as being inherent in the Intel architecture. "The Trusted Stick, a small device of a 'USB stick' or an SD card form factor, is an element that the user always carries with themselves and which contains all the 'state' for the platform. This includes the (encrypted) user files and platform configuration. It also is expected to carry all the software and – what is unique as of today – firmware for the platform, and also enforce read-onlyness of these."
Dustin Kirkland feels that Ubuntu users have been undercounted, and so has put together a census of his own. "Ever watch a movie on Netflix? You were served by Ubuntu. Ever hitch a ride with Uber or Lyft? Your mobile app is talking to Ubuntu servers on the backend. Did you enjoy watching The Hobbit? Hunger Games? Avengers? Avatar? All rendered on Ubuntu at WETA Digital." In the end, he says, there are over one billion Ubuntu users.
Arch Linux has updated claws-mail (code execution).
CentOS has updated qemu-kvm (C6: two vulnerabilities).
Debian has updated libxml2 (multiple vulnerabilities).
Fedora has updated kernel (F23: three vulnerabilities), subversion (F23: code execution), and xen (F23: three vulnerabilities).
openSUSE has updated Chromium (Leap 42.1, 13.2, 13.1; SPH for SLE12: code execution), compat-openssl098 (Leap 42.1: memory leak), and quassel (Leap 42.1, 13.2, 13.1: denial of service).
Oracle has updated qemu-kvm (OL6: two vulnerabilities).
Red Hat has updated qemu-kvm (RHEL6: two vulnerabilities) and qemu-kvm-rhev (RHELOSP5: two vulnerabilities).
Scientific Linux has updated qemu-kvm (SL6: two vulnerabilities).
Slackware has updated blueman (privilege escalation).
The Mozilla Add-ons blog takes a look at the work going on around the WebExtensions API. "WebExtensions is currently in an alpha state, so while this is a great time to get involved, please keep in mind that things might change if you decide to use it in its current state. Since August, we’ve closed 77 bugs and ramped up the WebExtensions team at Mozilla. With the release of Firefox 45 in March 2016, we’ll have full support for the following APIs: alarms, contextMenus, pageAction and browserAction. Plus a bunch of partially supported APIs: bookmarks, cookies, extension, i18n, notifications, runtime, storage, tabs, webNavigation, webRequest, windows."
Here's an interesting article from cryptographer Matthew Green on how the Juniper backdoor is the least interesting part of this whole episode. "Thus Dual EC is safe only if you assume no tiny bug in the code could accidentally leak out 30 bytes or so of raw Dual EC output. If it did, this would make all subsequent seeding calls predictable, and thus render all numbers generated by the system predictable. In general, this would spell doom for the confidentiality of VPN connections. And unbelievably, amazingly, who coulda thunk it, it appears that such a bug does exist in many versions of ScreenOS, dating to both before and after the 'unauthorized code' noted by Juniper."
Ars Technica reports that Google has plans to bring Android to desktops and laptops. "We've Frankensteined together a little Android desktop setup using a Nexus 9 and a USB keyboard and mouse to see just how easy—or complicated—it was to use what is still formally a "mobile" operating system in a desktop context today, right now, without complicated changes or reconfigurations. It worked, but Android still has a ways to go before it can be called a real desktop operating system—quite a ways, in some cases. The biggest affordance Android makes for a desktop OS is that it supports a keyboard and mouse. Any Android device can pair with a Bluetooth mouse and keyboard, and if you want to go the wired route, just about any phone can plug in a mouse and keyboard via a USB OTG cable and a USB hub. Some OEMs even build Android devices with a keyboard and mouse, like the Asus Transformer series, which is a convertible laptop that runs Android."
Anybody who has been paying attention to the net over the last week or so will certainly have noticed an abundance of articles with titles like "How to hack any Linux machine just using backspace". All this press does indeed highlight an important vulnerability, but it may not be the one that they think they are talking about. Click below (no subscription required) for the full text.
The 4.4-rc6 kernel prepatch is out. "Things remain fairly normal. Last week rc5 was very small indeed, this week we have a slightly bigger rc6. The main difference is that rc6 had a network pull in it."
Over at KDE.News, Jonathan Riddell has announced the availability of the first live image [1.2GB ISO] of the KDE Plasma desktop running atop Wayland. "The central component in this is our window manager, KWin, which has moved from drawing borders on the edges of windows to running the full compositor and talking the Wayland protocols which allow applications to draw on screen and be interacted with. Users of the image will notice some obvious glitches, it is certainly not ready for everyday use yet, but the advantages of more secure workspaces, easier feature extendibility and graphics free of tearing and glitches will be appreciated by everybody. Work on this has been ongoing since 2011 and is expected to take years rather than months before a completely transparent switch away from X will be possible. Find more about the project on the KWin Wayland wiki pages."
The Jolla company blog announces that the company has closed a new round of funding and will not be shutting down after all. "This investment enables the continuation of Sailfish OS development, the community activities and other company operations. It’s clear that this recent struggle hit us hard and left some battle wounds but most importantly this means that the development and life of Sailfish OS will continue strong. This alone is worth a celebration!"
Arch Linux has updated python2-pyamf (denial of service).
Debian has updated kernel (multiple vulnerabilities, including one from 2013).
Debian-LTS has updated foomatic-filters (?:) and virtualbox-ose (no longer supported in Debian 6).
Fedora has updated firefox (F23: multiple vulnerabilities), libldb (F23; F22: remote memory disclosure), libpng10 (F23; F22: code execution), libtalloc (F23; F22: remote memory disclosure), libtdb (F23; F22: remote memory disclosure), libtevent (F23; F22: remote memory disclosure), and samba (F23: multiple vulnerabilities).
Gentoo has updated dnsmasq (information disclosure) and ipython (?:).
Mageia has updated chromium-browser-stable (code execution) and python-pygments (code execution).
Red Hat has updated chromium-browser (RHEL6: code execution) and openshift (RHOSE2.2: information leak).
Scientific Linux has updated bind (SL6: denial of service) and firefox (SL5&6: multiple vulnerabilities).
Slackware has updated grub (password bypass) and libpng (read underflow).
SUSE has updated kernel (SLE12SP1: multiple vulnerabilities).
Ubuntu has updated linux-lts-wily (14.04: multiple vulnerabilities), linux-raspi2 (15.10: multiple vulnerabilities), linux-ti-omap4 (12.04: denial of service), and sosreport (15.10, 15.04, 14.04: two vulnerabilities, including one from 2014).
The Linux Foundation has announced a new collaborative project to "develop an enterprise grade, open source distributed ledger framework" to allow developers to build "robust, industry-specific applications, platforms and hardware systems to support business transactions". Twenty companies have joined the effort: Accenture, ANZ Bank, Cisco, CLS, Credits, Deutsche Börse, Digital Asset Holdings, DTCC, Fujitsu Limited, IC3, IBM, Intel, J.P. Morgan, London Stock Exchange Group, Mitsubishi UFJ Financial Group (MUFG), R3, State Street, SWIFT, VMware, and Wells Fargo. "Many of the founding members are already investing considerable research and development efforts exploring blockchain applications for industry. IBM intends to contribute tens of thousands of lines of its existing codebase and its corresponding intellectual property to this open source community. Digital Asset is contributing the Hyperledger mark, which will be used as the project name, as well as enterprise grade code and developer resources. R3 is contributing a new financial transaction architectural framework designed to specifically meet the requirements of its global bank members and other financial institutions. These technical contributions, among others from a variety of companies, will be reviewed in detail in the weeks ahead by the formation and Technical Steering Committees."
Brett Cannon reminds the world why the Python developers decided to create Python 3 — and acknowledges that the transition could have been done better. "This point of avoiding bugs is a big deal that people forget. The simplification of the language and the removal of the implicitness of what a str object might represent makes code less bug-prone. The Zen of Python points out that 'explicit is better than implicit' for a reason: ambiguity and implicit knowledge that is not easily communicated code is easy to get wrong and leads to bugs. By forcing developers to explicitly separate out their binary data and textual data it leads to better code that has less of a chance to have a certain class of bug."
The GRUB bootloader (versions 1.98 to 2.02) has an integer underflow issue which can enable a local attacker to bypass authentication on a locked-down system. "Grub2 is the bootloader used by most Linux systems including some embedded systems. This results in an incalculable number of affected devices."
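To illustrate the bug class named here (an unsigned length counter that is decremented without a zero check, so that erasing from an empty input wraps it and produces an out-of-range index), the following is an added example written for this page, not GRUB's code: a toy password-prompt reader in unsafe and hardened forms. The prompt logic, buffer size and sample input are assumptions made for the demo, and the unsafe variant reports the wrapped index instead of writing through it so that it can run without undefined behavior.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 32   /* constructed buffer size for the demo */

/* Toy line reader modelling a password prompt with backspace support.
 * Returns the number of characters left in buf, or -1 when the wrapped
 * counter would have indexed outside buf (the demo reports instead of
 * writing, so it stays free of undefined behavior). */
static long read_line_unsafe(const char *input, char *buf, size_t buf_len)
{
    size_t cur_len = 0;
    buf[0] = '\0';
    for (const char *p = input; *p != '\0'; p++) {
        if (*p == '\b') {
            cur_len--;                  /* wraps to SIZE_MAX when cur_len == 0 */
            if (cur_len >= buf_len)     /* index now points far outside buf */
                return -1;
            buf[cur_len] = '\0';
        } else if (cur_len + 1 < buf_len) {
            buf[cur_len++] = *p;
            buf[cur_len] = '\0';
        }
    }
    return (long)cur_len;
}

/* Hardened form: a backspace on an empty buffer is a no-op, so cur_len
 * can never wrap and every write stays inside buf. */
static long read_line_safe(const char *input, char *buf, size_t buf_len)
{
    size_t cur_len = 0;
    buf[0] = '\0';
    for (const char *p = input; *p != '\0'; p++) {
        if (*p == '\b') {
            if (cur_len == 0)
                continue;               /* nothing to erase */
            buf[--cur_len] = '\0';
        } else if (cur_len + 1 < buf_len) {
            buf[cur_len++] = *p;
            buf[cur_len] = '\0';
        }
    }
    return (long)cur_len;
}

int main(void)
{
    char buf[BUF_LEN];
    /* Constructed input: two characters followed by three backspaces. */
    const char *excess = "ab\b\b\b";
    printf("unsafe: %ld\n", read_line_unsafe(excess, buf, BUF_LEN)); /* -1 */
    long n = read_line_safe(excess, buf, BUF_LEN);
    printf("safe:   %ld (buf=\"%s\")\n", n, buf);                     /* 0 */
    return 0;
}
```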
Back in early 2013, your editor dedicated a sacrificial handset to the testing of the then-new Ubuntu Touch distribution. At that time, things were so unbaked that the distribution came with mocked-up data for unready apps; it even came with a set of fake tweets. Nearly three years later, it seemed time to give Ubuntu Touch another try on another sacrificial device. This distribution has certainly made some progress in those years, but, sadly, it still seems far from being a competitive offering in this space.