Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-25 18:45
Security advisories for Wednesday
Arch Linux has updated bind (denial of service) and firefox (multiple vulnerabilities). CentOS has updated grub2 (C7: code execution). Debian has updated bind9 (denial of service) and cups-filters (command execution). Debian-LTS has updated pygments (shell injection). Fedora has updated kernel (F23; F22: multiple vulnerabilities) and seamonkey (F23; F22: multiple vulnerabilities). Oracle has updated grub2 (OL7: code execution) and kernel (OL6: multiple vulnerabilities). Scientific Linux has updated kernel (SL6: multiple vulnerabilities), libreoffice (SL6: multiple vulnerabilities), and openssl (SL6; SL5: multiple vulnerabilities). Slackware has updated bind (multiple vulnerabilities), libpng (two vulnerabilities), firefox (multiple vulnerabilities), and openssl (multiple vulnerabilities). Ubuntu has updated bind9 (denial of service), firefox (multiple vulnerabilities), git (code execution), and grub2 (code execution).
[$] The PhotoFlow 0.2.5 release
The PhotoFlow image editor is a relative newcomer to the field of free-software photography tools. The project was started in 2014, and some people might consider it an odd choice of undertaking—given that there are, these days, quite a few capable raw-photo editors to choose from. But PhotoFlow does bring something new to the table. Click below (subscribers only) for the full review.
Firefox 43 released
Mozilla has released Firefox 43. This version features improvements to Private Browsing and Tracking Protection, search suggestions, improved API support for m4v video playback, and more. The release notes contain more information.
AMD's 2016 Linux driver plans (AnandTech)
AnandTech reports on AMD's plans for Linux graphics driver support. In short: more open code, but some proprietary components will remain. "The significant change here is that by having the RTG closed source driver based around the open source driver, the company is now only maintaining a single code base, is pushing as much as possible into open source, and that the open source driver is receiving these features far sooner than it was previously. This greatly improves the quality of life for open source driver users, but it’s also reciprocal for RTG: it’s a lot easier to keep up to date with Linux kernel changes with an open source kernel mode driver than a closed source driver, and quickly integrate improvements submitted by other developers."
Stable kernel updates
Greg KH has released stable kernels 4.3.3, 4.2.8, and 4.1.15. All of them contain important fixes. This will be the last 4.2.y kernel. Users of the 4.2 kernel should upgrade to the 4.3.y kernel series. Update: Canonical's kernel team will pick up stable maintenance of 4.2 where Greg left off.
Security updates for Tuesday
CentOS has updated libreoffice (C7; C6: multiple vulnerabilities) and openssl (C7; C6; C5: multiple vulnerabilities). Debian has updated chromium-browser (multiple vulnerabilities). Oracle has updated libreoffice (OL7; OL6: multiple vulnerabilities) and openssl (OL5: multiple vulnerabilities). Red Hat has updated grub2 (RHEL7: code execution) and kernel (RHEL6; RHEL6.5: multiple vulnerabilities).
Collabora and ownCloud release CODE for LibreOffice Online developers
Collabora and ownCloud have announced a partnership, and, as an opening move, have released the "Collabora Online Development Edition." This is a combined distribution consisting of LibreOffice Online and ownCloud Server. "The purpose of CODE is to give interested developers from any field an easy way to get early access to the very latest untested feature additions and updates to LibreOffice Online, in order to enable them to develop, test, and contribute." See this page for more information and screenshots.
Release for CentOS Linux 7 (1511)
The CentOS project has announced the release of CentOS Linux 7 (1511), derived from Red Hat Enterprise Linux 7.2. "This release supersedes all previously released content for CentOS Linux 7, and therefore we highly encourage all users to upgrade their machines. Information on different upgrade strategies and how to handle stale content is included in the Release Notes."
Luu: Files are hard
Here is a lengthy posting from Dan Luu on why it is so hard to safely write files on Unix-like systems. It comes down to a combination of POSIX semantics and filesystem bugs. "Something to note here is that while btrfs’s semantics aren’t inherently less reliable than ext3/ext4, many more applications corrupt data on top of btrfs because developers aren’t used to coding against filesystems that allow directory operations to be reordered (ext2 was the only other filesystem that allowed that reordering). We’ll probably see a similar level of bug exposure when people start using NVRAM drives that only have byte-level atomicity. People almost always just run some tests to see if things work, rather than making sure they’re coding against what’s legal in a POSIX filesystem."
Security advisories for Monday
Debian has updated bouncycastle (invalid curve attack) and libphp-phpmailer (header injection). Debian-LTS has updated grub2 (code execution). Fedora has updated grub2 (F23: code execution), LibRaw (F22: two vulnerabilities), moodle (F23; F22: multiple vulnerabilities), openssl (F22: multiple vulnerabilities), pax-utils (F22: multiple vulnerabilities), pcre (F22: denial of service), proftpd (F23; F22: denial of service), qemu (F23: denial of service), and wget (F22: information leak). openSUSE has updated libpng12 (13.2, 13.1: denial of service), libpng16 (13.2, 13.1: denial of service), libraw (13.2, 13.1: unspecified), and mbedtls (Leap42.1: code execution). Oracle has updated openssl (OL7; OL6: multiple vulnerabilities). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), glibc (RHEL7.1: multiple vulnerabilities), libpng (RHEL6: multiple vulnerabilities), libreoffice (RHEL6,7: multiple vulnerabilities), openshift (RHOSE3: information leak), and openssl (RHEL6,7; RHEL5: multiple vulnerabilities). SUSE has updated java-1_7_1-ibm (SLE12: many vulnerabilities) and java-1_8_0-ibm (SLE12: many vulnerabilities). Ubuntu has updated libxml2 (multiple vulnerabilities).
Qubes OS will ship pre-installed on Purism’s security-focused Librem 13 laptop (ars technica)
Ars technica reports that the Purism Librem 13 laptop will be available with the virtualization-based Qubes distribution. "Qubes wants to lower the barrier of entry for new users, including security-conscious enterprise users who might want to buy a number of laptops for their staff. In addition to the Librem 13, Qubes plans to certify the larger Librem 15, plus other laptops that are 'as diverse as possible in terms of geography, cost, and availability.'" LWN looked at Qubes 3.0 back in May.
Kernel prepatch 4.4-rc5
Linus has released the 4.4-rc5 prepatch. "If you have all your Christmas shopping done, I would heartily recommend giving rc5 a whirl in between the eggnogs and the decorations. And if you're not celebrating the holidays, you have no excuse for not testing it all out."
Mozilla Open Source Support: First Awards Made
Mozilla has announced the first round of projects to receive support from the organization's new “Foundational Technology” grant program. The program offers funding to open-source projects outside of Mozilla that are regarded as important building blocks for work done within Mozilla. The recipients announced are Buildbot, CodeMirror, Discourse, Read The Docs, Mercurial, Django, and Bro. The post contains further details on the specific development goals associated with each grant. More selections are yet to come, and applications are open.
Friday's security updates
Arch Linux has updated keepassx (information disclosure). Fedora has updated knot (F23; F22: out-of-bound read). Mageia has updated chromium-browser-stable (M5: multiple vulnerabilities), imagemagick (M5: multiple vulnerabilities), and libraw (M5: multiple vulnerabilities). openSUSE has updated xen (Leap 21.1; 13.2: multiple vulnerabilities). Oracle has updated kernel (O7; O6: multiple vulnerabilities). Ubuntu has updated oxide-qt (14.04, 15.04, 15.10: multiple vulnerabilities).
Linux video editing in real time with Open Broadcast Studio (Opensource.com)
Over at Opensource.com, Seth Kenlon looks at realtime video editing with Open Broadcast Studio (OBS). The article describes OBS sources and scenes, compositing, filters, output options, and more. "It may be a relatively niche market, but not all video editing is done in post production. There are use cases for live, on-the-fly video editing and basic compositing. You've seen it done yourself, whether you realize it or not—news broadcasts, live webcasts, and live TV events usually use multiple-camera setups controlled by one central software suite. Open Broadcast Studio (formerly Open Broadcaster Software) is an open source central control room for live, realtime video editing. It features instant encoding using x264 (an open source h.264 encoder) and AAC and streams to services like YouTube, DailyMotion, Twitch, your own streaming server, or just to a file."
Stable kernel 4.3.2
Greg Kroah-Hartman has released the 4.3.2 stable kernel. It fixes a problem with time validation in X.509 certificate handling that has been present since 4.3.0 (CVE-2015-5327). If you are not using those certificates, though, you don't need to upgrade from 4.3.1; others should upgrade.
Security advisories for Thursday
Arch Linux has updated flashplugin (many vulnerabilities) and libxml2 (multiple vulnerabilities). Debian has updated chromium-browser (many vulnerabilities) and xen (multiple vulnerabilities). Debian-LTS has updated arts (privilege escalation) and kdelibs (privilege escalation). Fedora has updated pax-utils (F23: multiple vulnerabilities). openSUSE has updated flash-player (13.2, 13.1: many vulnerabilities), gpg2 (42.1: two vulnerabilities), mariadb (13.2; 13.1: multiple vulnerabilities), mysql (many vulnerabilities), and thunderbird (13.2, 13.1: multiple vulnerabilities). Oracle has updated libpng (OL7; OL6: two vulnerabilities) and libpng12 (OL7: two vulnerabilities). Scientific Linux has updated libpng (SL6: three vulnerabilities). SUSE has updated flash-player (SLE11SP4, SLE11SP3; SLE12SP1, SLE12: many vulnerabilities).
[$] LWN.net Weekly Edition for December 10, 2015
The LWN.net Weekly Edition for December 10, 2015 is available.
Lots of stable kernel updates
There have been no kernel updates from Greg Kroah-Hartman since early November, but that has ended with a bang: 4.3.1, 4.2.7, 4.1.14, 3.14.58, and 3.10.94 are all available with the usual set of important fixes.
Security advisories for Wednesday
Arch Linux has updated chromium (multiple vulnerabilities). CentOS has updated libpng (C6: code execution). Debian-LTS has updated dhcpcd (multiple vulnerabilities), foomatic-filters (code execution), gnutls26 (padding oracle attack), and libphp-phpmailer (header injection). Fedora has updated ImageMagick (F23: multiple vulnerabilities) and potrace (F23; F22: denial of service). Mageia has updated chromium-browser-stable (multiple vulnerabilities) and flash-player-plugin (multiple vulnerabilities). openSUSE has updated kernel (Leap42.1: multiple vulnerabilities). Oracle has updated git (OL7: code execution) and kernel (OL7: multiple vulnerabilities). Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities), kernel (RHEL7.1: multiple vulnerabilities), libpng (RHEL7: code execution), and libpng12 (RHEL7: multiple vulnerabilities).
WordPress 4.4 released
Version 4.4 of the WordPress blogging platform (and, these days, general content-management system) has been released. Highlights in this update include responsive image displays, integration of a REST API into WordPress core, improved caching for comment queries, and provider support for the oEmbed content-embedding format. Provider support means that "now you can embed your posts on other WordPress sites. Simply drop a post URL into the editor and see an instant embed preview, complete with the title, excerpt, and featured image if you’ve set one. We’ll even include your site icon and links for comments and sharing." Accompanying the release is a new default theme named "Twenty Sixteen" that was "built to look great on any device. A fluid grid design, flexible header, fun color schemes, and more, will all make your content shine."
Mozilla Will Stop Developing And Selling Firefox OS Smartphones (TechCrunch)
TechCrunch reports that the Firefox OS phone experiment has come to an end. "Firefox OS proved the flexibility of the Web, scaling from low-end smartphones all the way up to HD TVs. However, we weren’t able to offer the best user experience possible and so we will stop offering Firefox OS smartphones through carrier channels."
German court addresses GPLv3 section 8 termination provisions (Opensource.com)
Opensource.com takes a look at a court case in Germany addressing the GPLv3 termination provisions. "In the Halle court case, the defendant, a higher education institution in Germany, offered certain software for download to its employees and students. The plaintiff provided a written warning of copyright infringement based on a GPL violation to the defendant, including a cease-and-desist declaration with a penalty clause. The defendant refused to sign the declaration but removed the software from its website. The plaintiff filed for a preliminary injunction. The court ruled that the plaintiff was entitled to a preliminary injunction. The defendant had made the plaintiff's copyrighted software publicly available and was in violation of both GPLv2 and GPLv3 as the defendant had not accompanied the software with the license text and the complete corresponding source code."
[$] Checksum offloads and protocol ossification
Given the processing requirements for high-speed networking, it is not surprising that there is interest in offloading some of that work to dedicated hardware. Linux has always carefully limited the support provided for such offloading, though; it has been just over ten years since support for TCP offload engines was definitively blocked from entering the Linux network stack. That rejection was driven by a number of concerns, with a reluctance to entrust network-protocol processing to closed-source, unextendable, unfixable software being near the top of the list. Nearly ten years later, offload engines are again the topic of fierce discussion. The hardware has changed, but the concerns have not; indeed, some of the problems being worked around now show why those concerns were valid in the first place.
Security updates for Tuesday
CentOS has updated libxml2 (C6: multiple vulnerabilities). Debian-LTS has updated bouncycastle (invalid curve attack) and linux-2.6 (multiple vulnerabilities). Fedora has updated audiofile (F22: buffer overflow), LibRaw (F23: two vulnerabilities), and python-django (F23: information disclosure). openSUSE has updated thunderbird (Leap42.1: multiple vulnerabilities). Oracle has updated libxml2 (OL7; OL6: multiple vulnerabilities). Red Hat has updated git (RHEL7: code execution) and kernel (RHEL7: denial of service). SUSE has updated java-1_7_0-ibm (SLE11SP3: many vulnerabilities). Ubuntu has updated libsndfile (multiple vulnerabilities).
NetHack 3.6.0 released
Version 3.6.0 of the NetHack dungeon adventure game has been released. This is the first official release in over ten years. "Unlike previous releases, which focused on the general game fixes, this release consists of a series of foundational changes in the team, underlying infrastructure and changes to the approach to game development. Those of you expecting a huge raft of new features will probably be disappointed. Although we have included a number of new features, the focus of this release was to get the foundation established so that we can build on it going forward." There has been enough change, though, that old save files will not work with this version.
It’s actually open source software that’s eating the world (VentureBeat)
For a far-outside view, it's hard to beat this VentureBeat article, wherein a venture capitalist talks about how "open-source companies" are taking over. "The OSS companies that will be pillars of IT in the future are the companies that leverage a successful OSS project for sales, marketing, and engineering prioritization but have a product and business strategy that includes some proprietary enhancements. They’ve figured out that customers are more than happy to pay for an enterprise-grade version of the complete product, which may have security, management, or integration enhancements and come with support. And they also understand that keeping this type of functionality proprietary won’t alienate the community supporting the project the way something such as a performance enhancement would."
Apple releases Swift
Apple has released its Swift programming language under the Apache 2.0 license, and it's available for Linux. The code can be found on GitHub. "Swift makes it easy to write software that is incredibly fast and safe by design. Now that Swift is open source, you can help make the best general purpose programming language available everywhere."
Linux Mint 17.3 "Rosa" Cinnamon released
Version 17.3 of the Ubuntu-based Linux Mint Cinnamon distribution has been released. This is a long-term support release, with support planned until 2019. There is a long list of new features for this release, many of which come with the Cinnamon 2.8 desktop environment.
Security advisories for Monday
Fedora has updated lxdm (F23: two vulnerabilities), openssl (F23: multiple vulnerabilities), p7zip (F23: directory traversal), php-symfony (F23; F22: two vulnerabilities), php-twig (F23; F22: two vulnerabilities), and rubygem-flexmock (F23: unspecified vulnerability). Red Hat has updated libxml2 (RHEL7; RHEL6: multiple vulnerabilities). Scientific Linux has updated libxml2 (SL6: multiple vulnerabilities). Ubuntu has updated cups-filters (15.10, 15.04, 14.04: code execution), foomatic-filters (12.04: code execution), and openssl (multiple vulnerabilities).
Unicode, Perl 6, and You
Day 7 in the ongoing Perl 6 advent calendar is concerned with how the language handles Unicode. "However, Perl 6 does this work for you, keeping track of these collections of codepoints internally, so that you just have to think in terms of what you would see the characters as. If you’ve ever had to dance around with substring operations to make sure you didn’t split between a letter and a diacritic, this will be your happiest day in programming."
Kernel prepatch 4.4-rc4
The 4.4-rc4 prepatch is out. "Another week, another rc. We had a few more commits than last week (mostly due to the networking fixes merge), but on the whole it's been pretty calm."
A few weekend security updates
Arch has updated nodejs (two denial-of-service vulnerabilities), openssl (four CVEs), and python-django (information disclosure). Mageia has updated cups-filters (code execution), moodle (nine CVEs), openssl (four CVEs), and python-django (information disclosure). Ubuntu has updated kernel (two denial-of-service vulnerabilities) and linux-lts-vivid (ditto).
Several OpenSSL security issues fixed
The OpenSSL project has released versions 0.9.8zh, 1.0.0t, 1.0.1q, and 1.0.2e with fixes for a number of "moderate" security issues. The announcement also notes that this will be the last update for the 0.9.8 and 1.0.0 branches, so users of those versions are advised to upgrade.
GnuPG 2.1.10 released
Version 2.1.10 of the GNU Privacy Guard is out. There are a number of new features in this release; they include a trust-on-first-use key acceptance mechanism and the ability to fetch public keys anonymously via Tor.
Friday's security updates
Debian has updated openssl (multiple vulnerabilities) and redis (denial of service). Debian-LTS has updated openssl (memory leak). openSUSE has updated cyrus-imapd (13.1: integer overflow), LibVNCServer (Leap 42.1: multiple vulnerabilities), and python-django (13.2, 13.1: information leak). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and openshift (RHOSE3.0, 3.1: information leak). SUSE has updated java-1_6_0-ibm (SLE12: multiple vulnerabilities), java-1_7_1-ibm (SLE11: multiple vulnerabilities), and kernel (SLE12: multiple vulnerabilities).
Rogaway: The Moral Character of Cryptographic Work
This lengthy paper from Phillip Rogaway tries to describe the moral responsibilities of the cryptographic community — responsibilities that, he believes, that community has failed to live up to. Worth a read. "We need to erect a much expanded commons on the Internet. We need to realize popular services in a secure, distributed, and decentralized way, powered by free software and free/open hardware. We need to build systems beyond the reach of super-sized companies and spy agencies. Such services must be based on strong cryptography. Emphasizing that prerequisite, we need to expand our cryptographic commons."
Rintel: NetworkManager and privacy in the IPv6 internet
On his blog, Lubomir Rintel discusses IPv6 privacy issues and how they are being handled by NetworkManager. "Creation of a privacy stable address relies on a pseudo-random key that’s only known to the host itself and never revealed to other hosts in the network. This key is then hashed using a cryptographically secure algorithm along with values specific for a particular network connection. It includes an identifier of the network interface, the network prefix and possibly other values specific to the network such as the wireless SSID. The use of the secret key makes it impossible to predict the resulting address for the other hosts while the network-specific data causes it to be different when entering a different network. This also solves the duplicate address problem nicely. The random key makes collisions unlikely. If, in spite of this, a collision occurs then the hash can be salted with a DAD failure counter and a different address can be generated instead of failing the network connectivity. Now that’s clever."
PHP 7 has been released
PHP 7 has been released. Along with some new language features, the biggest change is said to be much better performance and reduced memory use. "PHP 7.0 brings you unprecedented levels of real-world performance and throughput by utilizing the new and advanced Zend Engine 3.0, designed and refactored for speed and reduced memory consumption. This translates to real-world benefits: greatly decreased response times, superior user experiences, and the ability to serve more users with fewer servers to maximize the power of your PHP 7.0 deployment." We looked at the new features in PHP 7 in an article in this week's edition.
Let's encrypt starts public beta testing
The Electronic Frontier Foundation has announced the public beta test of the Let's Encrypt initiative, which aims to make encrypted web traffic the norm. "There are a number of flaws in the CA system, but when it comes to encrypting the Web, two in particular stand out: cost and difficulty. Most CAs today charge for certificates. While some are very cheap, every dollar of expense means a large swath of people who can't afford to host a secure website. The larger barrier, though, is difficulty. Once someone has purchased a certificate, they need to install it on their website, a time consuming and error-prone process that requires significant technical skill, which is a cost in itself. Let's Encrypt is not only free but also automated, in order to make HTTPS encryption more accessible than ever."
Security updates for Thursday
CentOS has updated jakarta-commons-collections (C6: code execution) and libreport (C6: information leak). Debian has updated cups-filters (code execution). Fedora has updated keepass (F22: password locking options removed) and thunderbird (F23: multiple vulnerabilities). Slackware has updated libpng (two vulnerabilities) and mozilla (multiple vulnerabilities). Ubuntu has updated linux-lts-trusty (12.04: two vulnerabilities), openjdk-6 (12.04: multiple vulnerabilities), and qemu (multiple vulnerabilities).
[$] LWN.net Weekly Edition for December 3, 2015
The LWN.net Weekly Edition for December 3, 2015 is available.
[$] Upheaval in the Debian Live project
While the event had a certain amount of drama surrounding it, the announcement of the end for the Debian Live project seems likely to have less of an impact than it first appeared. The loss of the lead developer will certainly be felt—and the treatment he and the project received seems rather baffling—but the project looks like it will continue in some form. So Debian will still have tools to create live CDs and other media going forward, but what appears to be a long-simmering dispute between project founder and leader Daniel Baumann and the Debian CD and installer teams has been "resolved", albeit in an unfortunate fashion. Subscribers can click below for the full story from this week's Distributions page.
Security advisories for Wednesday
Arch Linux has updated chromium (multiple vulnerabilities). Debian has updated gnutls26 (padding oracle attack), icedove (multiple vulnerabilities), and putty (memory corruption). Fedora has updated putty (F23; F22: memory corruption). openSUSE has updated dracut (Leap42.1: multiple issues) and znc (SPH for SLE12; Leap42.1: denial of service). SUSE has updated dhcpcd (SLE11SP2,3,4: multiple vulnerabilities), java-1_6_0-ibm (SLE11SP3: multiple vulnerabilities), and java-1_7_1-ibm (SLE12: multiple vulnerabilities). Ubuntu has updated kernel (14.04: denial of service) and linux-lts-utopic (14.04: denial of service).
Patent troll claims HTTPS websites infringe crypto patent, sues everybody (Ars Technica)
CryptoPeak Solutions is suing many tech and retail giants, claiming their HTTPS websites infringe an encryption patent titled "Auto-Escrowable and Auto-Certifiable Cryptosystems". Ars Technica reports: "The latest batch of cases was lodged November 25. The cases name AT&T, Costco, Expedia, GoPro, Groupon, Netflix, Pinterest, Shutterfly, Starwood Hotels, Target, and Yahoo, among others. All the lawsuits include virtually identical language. "Defendant has committed direct infringement by its actions that comprise using one or more websites that utilize Elliptic Curve Cryptography (“ECC”) Cipher Suites for the Transport Layer Security (“TLS”) protocol (the “Accused Instrumentalities”)," according to the lawsuits."
Tuesday's security updates
Debian-LTS has updated libphp-snoopy (command execution). Fedora has updated ca-certificates (F22: certificate update), grub2 (F22: Secure Boot circumvention), imapsync (F23; F22; F21: information leak), libxml2 (F22: multiple vulnerabilities), perl-HTML-Scrubber (F23; F22; F21: cross-site scripting), rpm (F22: denial of service), and wget (F23: information leak). Oracle has updated apache-commons-collections (OL7: code execution) and jakarta-commons-collections (OL6: code execution). Red Hat has updated apache-commons-collections (RHEL7: code execution), jakarta-commons-collections (RHEL6: code execution), and rh-java-common-apache-commons-collections (RHSCL2: code execution). Scientific Linux has updated apache-commons-collections (SL7: code execution) and jakarta-commons-collections (SL6: code execution). Ubuntu has updated gnutls26 (14.04, 12.04: padding oracle attack) and thunderbird (15.10, 15.04, 14.04, 12.04: multiple vulnerabilities).
Thunderbird to be separated from Mozilla
Mozilla leader Mitchell Baker has announced that the Thunderbird email client project will, eventually, be spun out of Mozilla. "Therefore I believe Thunderbird should would thrive best by separating itself from reliance on Mozilla development systems and in some cases, Mozilla technology. The current setting isn’t stable, and we should start actively looking into how we can transition in an orderly way to a future where Thunderbird and Firefox are un-coupled."
Security advisories for Monday
Debian-LTS has updated imagemagick (denial of service), libsndfile (multiple vulnerabilities), libxml2 (multiple vulnerabilities), and nss (code execution). Fedora has updated abrt (F23: two vulnerabilities), mingw-libpng (F23; F22; F21: denial of service), python-pycurl (F22: use-after-free vulnerability), and seamonkey (F21: multiple vulnerabilities). Mageia has updated lightdm (denial of service), python-cryptography (denial of service), and thunderbird (multiple vulnerabilities). openSUSE has updated cyrus-imapd (Leap42.1, 13.2: two vulnerabilities), ffmpeg (Leap42.1: multiple vulnerabilities), GnuPG (13.2, 13.1: two vulnerabilities), libksba (Leap42.1: denial of service), libpng12 (Leap42.1: two vulnerabilities), libpng16 (Leap42.1: denial of service), libsndfile (Leap42.1: multiple vulnerabilities), ppp (Leap42.1, 13.2, 13.1: denial of service), and virtualbox (13.1: two vulnerabilities). Oracle has updated kernel 3.8.13 (OL7; OL6: multiple vulnerabilities) and thunderbird (OL7; OL6: multiple vulnerabilities). Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities).
Garrett: What is hacker culture?
Matthew Garrett argues that meritocracy does not work as intended in development communities. "When people criticise meritocracy, they're not criticising the concept of treating contributions based on their merit. They're criticising the idea that humans are sufficiently self-aware that they will be able to identify and reject every subconscious prejudice that will affect their treatment of others. It's not a criticism of a desirable goal, it's a criticism of a flawed implementation."
Kernel prepatch 4.4-rc3
The 4.4-rc3 kernel prepatch is out for testing. "I don't think there's anything particularly exciting, although that obviously depends on whether some particular issue ended up affecting you or not. Most of it is pretty tiny random fixups."