LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-25 22:15
Kernel prepatch 4.2-rc4
The fourth 4.2 prepatch is out for testing. Linus says: "I really wish that things were calming down, but it hasn't happened quite yet. It's not like this is particularly big or scary, but it's also not at the stage where it's really starting to get quiet and the bugs are really small and esoteric."
Plasma Mobile launched
Here is the announcement for Plasma Mobile, a KDE-based platform for smartphones. "The goal for Plasma Mobile is to give the user full use of the device. It is designed as an inclusive system, intended to support all kinds of apps. Native apps are developed using Qt; it will also support apps written in GTK, Android apps, Ubuntu apps, and many others, if the license allows and the app can be made to work at a technical level." There is a prototype build available for Nexus 5 phones.
etcd 2.1 released
The etcd 2.1 release is out. "For a quick overview, etcd is an open source, distributed, consistent key value store for shared configuration, service discovery, and scheduler coordination. By using etcd, applications can ensure that even in the face of individual servers failing, the application will continue to work." New features include a new authentication/authorization API, various robustness improvements, better logging, and a new metrics API.
GNUnet: IETF getting cold feet about P2P Names?
The GNUnet blog has this story about recent resistance from the IETF toward the standardization of "special use" domain names (such as .onion or .gnu) "to reduce the likelihood of ICANN accidentally creating a conflicting gTLD assignment." Despite the provisions made in RFC 6761, the article notes that "there are also a number of DNS-centric people with a total lack of alacrity in the dnsop WG to continue to stall the process by repeating arguments that were exchanged dozens of times in hundreds of e-mails." Among those offering resistance, it reports, is Internet Architecture Board Chair Andrew Sullivan, who "says the IETF should not support special use domain names threatening the DNS business model."
OpenSUSE Leap 42.1 milestone 1 released
The first development release of the upcoming openSUSE 42.1 distribution is now available. "Milestone is being used to avoid the term Alpha because the milestone is able to be deployed without the additional future items and subsystems that will become available when Leap is officially released." As reported in June, openSUSE 42.1 is a new version of the distribution based on the SUSE Linux Enterprise core.
Friday's security updates
Arch Linux has updated chromium (multiple vulnerabilities), crypto++ (private key recovery), libuser (multiple vulnerabilities), and openssh (authentication limits bypass).
CentOS has updated libuser (C7: multiple vulnerabilities).
Debian has updated chromium-browser (multiple vulnerabilities).
Gentoo has updated e2fsprogs (code execution).
Oracle has updated libuser (O7: multiple vulnerabilities).
Red Hat has updated java-1.7.0-ibm (RHEL 5: multiple vulnerabilities) and libuser (RHEL 6; RHEL 7: multiple vulnerabilities).
Scientific Linux has updated libuser (SL7: multiple vulnerabilities).
Ubuntu has updated kernel (12.04; 14.04; 14.10; 15.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
Day: HIG updates
At his blog, Allan Day announces the first major update to the GNOME Human Interface Guidelines since the first GNOME 3 version (released in 2014). Day notes that the GNOME 3 HIG is structured around design patterns, in the hopes that it can be updated regularly to reflect current practices. "These new guidelines are the direct result of design work that has happened in the past year. They attempt to distill everything we’ve learned through our own process of trial and error." Furthermore, "the HIG now links to the relevant GTK+ API reference documentation for each design component. This is nice for knowing which widget does what; and makes the design guidelines a more effective accompaniment to the toolkit."
Thursday's security updates
Debian has updated kernel (multiple vulnerabilities).
Fedora has updated hostapd (F21; F22: denial of service) and python-django (F22: multiple vulnerabilities).
Gentoo has updated libXfont (multiple vulnerabilities).
Mageia has updated java-1.7.0-openjdk (M4: multiple vulnerabilities) and php (M4: multiple vulnerabilities).
Red Hat has updated java-1.6.0-ibm (RHEL 5,6: multiple vulnerabilities) and java-1.7.1-ibm (RHEL 6,7: multiple vulnerabilities).
Ubuntu has updated nbd (multiple vulnerabilities).
[$] LWN.net Weekly Edition for July 23, 2015
The LWN.net Weekly Edition for July 23, 2015 is available.
[$] Django Girls one year later
Though it got a bit of a late start due to some registration woes, the first day of EuroPython 2015 began with an engaging and well-received keynote. It recounted the history of a project that got its start just a year ago when the first Django Girls workshop was held at EuroPython 2014 in Berlin. The two women who started the project, Ola Sitarska and Ola Sendecka, spoke about how the workshop to teach women about Python and the Django web framework all came together—and the amazing progress that has been made by the organization in its first year.
Red Hat Enterprise Linux 6.7 released
Red Hat has announced the general availability of RHEL 6.7. "As the basis for large, complex IT deployments, Red Hat Enterprise Linux 6.7 offers enterprise IT teams new capabilities to bolster system security, proactively identify and resolve business-critical IT issues, and confidently embrace some of the latest open source technologies, such as Linux containers, without sacrificing operational stability." The release notes contain details.
Wednesday's security advisories
Arch Linux has updated jre7-openjdk (multiple vulnerabilities).
Debian has updated cacti (SQL injection).
Debian-LTS has updated python-tornado (side-channel attack).
openSUSE has updated ansible (13.2: two vulnerabilities), libressl (13.2: multiple vulnerabilities), pdns (13.2, 13.1: denial of service), and rubygem-activesupport-3_2 (13.2, 13.1: denial of service).
Red Hat has updated autofs (RHEL6: privilege escalation), bind (RHEL6: denial of service), curl (RHEL6: multiple vulnerabilities), freeradius (RHEL6: buffer overflow), gnutls (RHEL6: multiple vulnerabilities), grep (RHEL6: two vulnerabilities), hivex (RHEL6: code execution), httpd (RHEL6: access restriction bypass), ipa (RHEL6: cross-site scripting), kernel (RHEL6: multiple vulnerabilities), libreoffice (RHEL6: code execution), libxml2 (RHEL6: denial of service), mailman (RHEL6: two vulnerabilities), net-snmp (RHEL6: denial of service), ntp (RHEL6: multiple vulnerabilities), pacemaker (RHEL6: privilege escalation), pki-core (RHEL6: cross-site scripting), ppc64-diag (RHEL6: two vulnerabilities), python (RHEL6: multiple vulnerabilities), sudo (RHEL6: information disclosure), wireshark (RHEL6: multiple vulnerabilities), and wpa_supplicant (RHEL6: denial of service).
Ubuntu has updated lxc (15.04, 14.10, 14.04: two vulnerabilities) and mysql-5.5, mysql-5.6 (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
Stable kernels 4.1.3 and 4.0.9
The 4.1.3 and 4.0.9 stable kernel releases are available with the usual set of important fixes. Note that 4.0.9 is the last in the 4.0.x series.
[$] Domesticating applications, OpenBSD style
One of the many approaches to improving system security consists of reducing the attack surface of a given program by restricting the range of system calls available to it. If an application has no need for access to the network, say, then removing its ability to use the socket() system call should cause no loss in functionality while reducing the scope of the mischief that can be made should that application be compromised. In the Linux world, this kind of sandboxing can be done using a security module or the seccomp() system call. OpenBSD has lacked this capability so far, but it may soon gain it via a somewhat different approach than has been seen in Linux.
"Cloud Native Computing Foundation" launched
The Linux Foundation has announced the Cloud Native Computing Foundation. "This new organization aims to advance the state-of-the-art for building cloud native applications and services, allowing developers to take full advantage of existing and to-be-developed open source technologies. Cloud native refers to applications or services that are container-packaged, dynamically scheduled and micro services-oriented. Founding organizations include AT&T, Box, Cisco, Cloud Foundry Foundation, CoreOS, Cycle Computing, Docker, eBay, Goldman Sachs, Google, Huawei, IBM, Intel, Joyent, Kismatic, Mesosphere, Red Hat, Switch SUPERNAP, Twitter, Univa, VMware and Weaveworks. Other organizations are encouraged to participate as founding members in the coming weeks, as the organization establishes its governance model."
Security advisories for Tuesday
CentOS has updated bind (C7: denial of service) and thunderbird (C7; C6; C5: multiple vulnerabilities).
Debian-LTS has updated cacti (SQL injection) and cacti (regression in previous update).
Fedora has updated asterisk (F22: SSL server spoofing), bind (F21: denial of service), httpd (F22: multiple vulnerabilities), java-1.8.0-openjdk (F22; F21: multiple vulnerabilities), libunwind (F22: buffer overflow), php-horde-Horde-Auth (F22; F21: multiple vulnerabilities), php-horde-Horde-Core (F22; F21: multiple vulnerabilities), php-horde-Horde-Form (F22; F21: multiple vulnerabilities), php-horde-Horde-Icalendar (F22; F21: multiple vulnerabilities), polkit (F21: multiple vulnerabilities), and squashfs-tools (F21: two vulnerabilities).
Oracle has updated bind (OL7: denial of service) and thunderbird (OL7; OL6: multiple vulnerabilities).
Red Hat has updated bind (RHEL7: denial of service) and thunderbird (RHEL5,6,7: multiple vulnerabilities).
Scientific Linux has updated bind (SL7: denial of service) and thunderbird (SL5,6,7: multiple vulnerabilities).
SUSE has updated mariadb (SLE12: multiple vulnerabilities).
Ubuntu has updated thunderbird (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
Gorman: Continual testing of mainline kernels
Mel Gorman introduces SUSE's kernel performance-testing system. "Marvin is a system that continually runs performance-related tests and is named after another robot doomed with repetitive tasks. When tests are complete it generates a performance comparison report that is publicly available but rarely linked. The primary responsibility of this system is to check SUSE Linux for Enterprise kernels for performance regressions but it is also configured to run tests against mainline releases."
Security updates for Monday
Arch Linux has updated apache (multiple vulnerabilities).
Debian has updated freexl (denial of service), mariadb-10.0 (multiple vulnerabilities), mysql-5.5 (multiple vulnerabilities), and tidy (two vulnerabilities).
Debian-LTS has updated groovy (code execution), inspircd (denial of service), libidn (information disclosure), ruby1.9.1 (denial of service), and tidy (two vulnerabilities).
Fedora has updated bind (F22: denial of service), condor (F21: code execution), cups-filters (F21: code execution), drupal7-migrate (F22; F21: cross-site scripting), drupal7-views_bulk_operations (F22; F21: permission bypass), openstack-cinder (F21: file disclosure), pcre (F21: two vulnerabilities), python-keystonemiddleware (F22: certificate verification botch), rawstudio (F22; F21: two vulnerabilities), redis (F22; F21: code execution), squashfs-tools (F22: two vulnerabilities), thunderbird (F22; F21: multiple vulnerabilities), webkitgtk4 (F22: denial of service), and xen (F22; F21: privilege escalation).
Gentoo has updated postgresql (multiple vulnerabilities).
openSUSE has updated flash-player (11.4: two vulnerabilities), libcryptopp (13.2, 13.1: information disclosure), libidn (13.2, 13.1: information disclosure), firefox, thunderbird (11.4: multiple vulnerabilities), rubygem-jquery-rails (13.2, 13.1: CSRF vulnerability), rubygem-rack (13.2, 13.1: denial of service), rubygem-rack-1_3 (13.2, 13.1: denial of service), and rubygem-rack-1_4 (13.2, 13.1: denial of service).
Slackware has updated httpd (multiple vulnerabilities) and php (multiple vulnerabilities).
SUSE has updated firefox, nspr, nss (SLE12; SLES11SP4; SLE11SP3: multiple vulnerabilities) and PHP (SLE11SP3: multiple vulnerabilities).
dgit 1.0 released
Ian Jackson has announced the availability of dgit 1.0. "dgit allows you to treat the Debian archive as if it were a git repository, and get a git view of any package. If you have the appropriate access rights you can do builds and uploads from git, and other dgit users will see your git history."
Kernel prepatch 4.2-rc3
The third 4.2 kernel prepatch is out for testing. Linus says: "Normal Sunday release schedule, and a fairly normal rc release. There was some fallout from the x86 FPU cleanups, but that only hit CPU's with the xsaves instruction, and it should be all good now."
Mozilla Winter of Security is back
At the Mozilla Blog, Julien Vehent announces that Mozilla will be conducting a second round of its "Winter of Security" mentoring program. Aimed at college students, the program allows participants to work on security-related free software for university credit, with guidance provided by Mozilla project members. This year's targeted project list includes some high-profile projects like Let's Encrypt and Mozilla's digital forensics tool MiG. Applications are due August 15.
Friday's security updates
Arch Linux has updated flashplugin (code execution) and lib32-flashplugin (code execution).
Mageia has updated flash-player-plugin (M4, M5: multiple vulnerabilities).
Oracle has updated java-1.7.0-openjdk (O5: multiple vulnerabilities).
Red Hat has updated flash-plugin (RHEL 5, 6: multiple vulnerabilities), java-1.6.0-sun (RHEL 5, 6, 7: multiple vulnerabilities), java-1.7.0-oracle (RHEL 5, 6, 7: multiple vulnerabilities), and java-1.8.0-oracle (RHEL 5, 6, 7: multiple vulnerabilities).
SUSE has updated flash-player (SLE11; SLE12: multiple vulnerabilities) and php5 (SLE12: multiple vulnerabilities).
Calculating the "truck factor" for GitHub projects
The idea of a truck or bus factor (or number) has been—morbidly, perhaps—bandied about in development projects for many years. It is a rough measure of how many developers would have to be lost (e.g. hit by a bus) to effectively halt the project. A new paper [PDF] outlines a method to try to calculate this number for various GitHub projects. Naturally, it has its own GitHub project with a description of the methodology used and some of the results. It was found that 46% of the projects looked at had a truck factor of 1, while 28% were at 2. Linux scored the second highest at 90, while the Mac OS X Homebrew package manager had the highest truck factor at 159.
Security updates for Thursday
CentOS has updated java-1.7.0-openjdk (C7; C6; C5: many vulnerabilities), java-1.8.0-openjdk (C7; C6: many vulnerabilities), and kernel (C6: multiple vulnerabilities, one from 2011).
Debian-LTS has updated python-django (three vulnerabilities).
Fedora has updated cryptopp (F22; F21: information disclosure), drupal7-feeds (F22; F21: three vulnerabilities), rsyslog (F22: denial of service), and springframework (F22; F21: denial of service).
openSUSE has updated bind (13.2; 13.1: three vulnerabilities, one from 2014).
Oracle has updated java-1.7.0-openjdk (OL7; OL6: unspecified), java-1.8.0-openjdk (OL7; OL6: unspecified), kernel 3.8.13 (OL7; OL6: two vulnerabilities), kernel 2.6.39 (OL6; OL5: two vulnerabilities), and kernel 2.6.32 (OL6; OL5: denial of service).
Scientific Linux has updated java-1.7.0-openjdk (SL5; SL6&7: many vulnerabilities), java-1.8.0-openjdk (SL6&7: many vulnerabilities), and kernel (SL6: multiple vulnerabilities, one from 2011).
Rkt 0.7.0 released
Version 0.7.0 of the rkt container runtime system is available. "This release includes new subcommands for a rkt image to manipulate images from the local store, a new build system based on autotools and integration with SELinux. These new capabilities improve the user experience, make it easier to build future features and improve security isolation between containers."
[$] LWN.net Weekly Edition for July 16, 2015
The LWN.net Weekly Edition for July 16, 2015 is available.
[$] Python 3.5 is on its way
It has been nearly a year and a half since the last major Python release, which was 3.4 in March 2014—that means it is about time for Python 3.5. We looked at some of the new features in 3.4 at the time of its first release candidate, so the announcement of the penultimate beta release for 3.5 seems like a good time to see what will be coming in the new release. Subscribers can click below to see the full article from this week's edition.
Bruce Schneier: IT Teams Need Cyberattack Response Planning More Than Prevention (Linux.com)
Linux.com has an interview with Bruce Schneier. "Schneier: The most important takeaway is that we are all vulnerable to this sort of attack. Whether it's nation-state hackers (Sony), hacktivists (HB Gary Federal, Hacking Team), insiders (NSA, US State Department), or who-knows-who (Saudi Arabia), stealing and publishing an organization's internal documents can be a devastating attack. We need to think more about this tactic: less how to prevent it -- we're already doing that and it's not working -- and more how to deal with it. Because as more people wake up and realize how devastating an attack it is, the more we're going to see it."
Security updates for Wednesday
openSUSE has updated cups-filters (13.2: multiple vulnerabilities) and libunwind (13.2; 13.1: buffer overflow).
Oracle has updated kernel (OL6: multiple vulnerabilities).
Red Hat has updated java-1.7.0-openjdk (RHEL6,7; RHEL5: multiple vulnerabilities) and java-1.8.0-openjdk (RHEL6,7: multiple vulnerabilities).
Ubuntu has updated firefox (12.04: multiple vulnerabilities).
FSF and SFC work with Canonical on an "intellectual property" policy update
The Free Software Foundation (FSF) and Software Freedom Conservancy (SFC) have both put out statements about a change to the Canonical, Ltd. "intellectual property" policy that was negotiated over the last two years (FSF statement and SFC statement). Effectively, Canonical has added a "trump clause" that clarifies that the licenses of the individual packages override the Canonical policy when there is a conflict. Though, as SFC points out: "While a trump clause is a reasonable way to comply with the GPL in a secondary licensing document, the solution is far from ideal. Redistributors of Ubuntu have little choice but to become expert analysts of Canonical, Ltd.'s policy. They must identify on their own every place where the policy contradicts the GPL. If a dispute arises on a subtle issue, Canonical, Ltd. could take legal action, arguing that the redistributor's interpretation of GPL was incorrect. Even if the redistributor was correct that the GPL trumped some specific clause in Canonical, Ltd.'s policy, it may be costly to adjudicate the issue." While backing the change made, both FSF and SFC recommend further changes to make the situation even more clear.
An interview with Larry Wall (LinuxVoice)
LinuxVoice has an interview with Perl creator Larry Wall. "So I was the language designer, but I was almost explicitly told: 'Stay out of the implementation! We saw what you did made out of Perl 5, and we don’t like it!' It was really funny because the innards of the new implementation started looking a whole lot like Perl 5 inside, and maybe that’s why some of the early implementations didn’t work well."
How to win the copyleft fight—without litigation (Opensource.com)
Opensource.com has an interview with Bradley Kuhn. "I continued on in my professional career, which included developing and supporting proprietary software, but I found that the lack of source code and/or the ability to rebuild it myself constantly hampered my ability to do my job. Proprietary software companies today are more careful to give 'some open source'; thus, many technology professionals don't realize until it's too late how crippling proprietary software can be when you rely on it every day. In the mid 1990s, hardly any business software license gave us software freedom, so denying our rights to practice our profession (i.e., fix software) made many of us hate our jobs. I considered leaving the field of software entirely because I disliked working with proprietary software so much. Those experiences made me a software freedom zealot. I made a vow that I never wanted any developer or sysadmin to feel the constraints of proprietary software licensing, which limits technologists by what legal agreements their company's lawyers can negotiate rather than their technical skill."
NSA releases Linux-based open source infosec tool (ITNews)
ITNews reports that the US National Security Agency is in the process of releasing its systems integrity management platform - SIMP. "SIMP helps to keep networked systems compliant with security standards, the NSA said, and should form part of a layered, 'defence-in-depth' approach to information security. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies." Currently only RHEL and CentOS versions 6.6 and 7.1 are supported.
Tuesday's security advisories
Fedora has updated cups-filters (F22: code execution), firefox (F22; F21: multiple vulnerabilities), libssh (F22: denial of service), openssl (F22; F21: certificate verification botch), openvas-cli (F22: SQL injection), openvas-libraries (F22: SQL injection), openvas-manager (F22: SQL injection), openvas-scanner (F22: SQL injection), pcre (F22: two vulnerabilities), polkit (F22: multiple vulnerabilities), rubygem-moped (F22; F21: denial of service), and wesnoth (F22; F21: information leak).
openSUSE has updated roundcubemail (13.1: multiple vulnerabilities).
Red Hat has updated kernel (RHEL6: multiple vulnerabilities).
[$] Why Debian returned to FFmpeg
Slightly less than one year ago, the Debian community had an extended discussion on whether the FFmpeg multimedia library should return to the distribution. Debian had followed the contentious libav fork when it happened in 2011, but some community members were starting to have second thoughts about that move. At the time, the discussion died out without any changes being made, but the seeds had evidently been planted; on July 8, the project's multimedia developers announced that not only was FFmpeg returning to Debian, but it would be replacing libav. Click below (subscribers only) for a look at how this decision was made.
Security advisories for Monday
Arch Linux has updated krb5 (two vulnerabilities), lib32-krb5 (two vulnerabilities), lib32-openssl (certificate verification botch), and thunderbird (multiple vulnerabilities).
Debian-LTS has updated bind9 (denial of service) and libunwind (buffer overflow).
Fedora has updated cups-x2go (F21: multiple vulnerabilities), libwmf (F22: multiple vulnerabilities), mariadb (F21: man-in-the-middle attack), openssh (F22; F21: restriction bypass), and s3ql (F22; F21: code execution).
Gentoo has updated libcapsinetwork (denial of service).
openSUSE has updated Firefox, nss (13.2, 13.1: multiple vulnerabilities).
Slackware has updated thunderbird (multiple vulnerabilities).
SUSE has updated MySQL (SLES11SP2,SP1: cipher-downgrade attacks) and kernel (SLES11SP3: multiple vulnerabilities).
Kernel prepatch 4.2-rc2
The second 4.2 prepatch is available for testing. "This is not a particularly big rc, and things have been fairly calm. We definitely did have some problems in -rc1 that bit people, but they all seemed to be pretty small, and let's hope that -rc2 ends up having fewer annoying issues."
Jones: Future development of Trinity
Here's a discouraging blog post from Dave Jones on why he will no longer be developing the Trinity fuzz tester. "It’s no coincidence that the number of bugs reported found with Trinity have dropped off sharply since the beginning of the year, and I don’t think it’s because the Linux kernel suddenly got lots better. Rather, it’s due to the lack of real ongoing development to 'try something else' when some approaches dry up. Sadly we now live in a world where it’s easier to get paid to run someone else’s fuzzer these days than it is to develop one."
Microservices 101: The good, the bad and the ugly (ZDNet)
ZDNet has an interview about "microservices" with Red Hat VP of engineering for middleware, Dr. Mark Little. Microservices are a relatively recent software architecture that relies on small, easily replaced components and is an alternative to the well-established service-oriented architecture (SOA)—but it is not a panacea: "'Just because you adopt microservices doesn't suddenly mean your badly architected ball of mud is suddenly really well architected and no longer a ball of mud. It could just be lots of distributed balls of mud,' Little said. 'That worries me a bit. I've been around service-oriented architecture for a long time and know the plus points and the negative points. I like microservices because it allows us to focus on the positive points but it does worry me that people see it as the answer to a lot of problems that it's never going to be the answer for.'"
A new crop of stable kernels
Greg Kroah-Hartman has announced the release of the 4.1.2, 4.0.8, 3.14.48, and 3.10.84 stable kernels. All contain important fixes and users should upgrade. In addition, this is the second to last 4.0.x release (i.e. there will be a 4.0.9, but that's the last), so users should be making plans to move to 4.1.x.
Friday's security updates
Arch Linux has updated openssl (certificate verification botch).
CentOS has updated php (C6: many vulnerabilities, some from 2014).
Debian has updated pdns (full fix for denial of service) and pdns-recursor (full fix for denial of service).
Gentoo has updated adobe-flash (multiple vulnerabilities, one from 2014), chromium (multiple vulnerabilities), mysql (multiple vulnerabilities), net-snmp (denial of service from 2014), openssl (certificate verification botch), oracle-jre-bin (multiple vulnerabilities, some from 2014), perl (denial of service from 2013), portage (certificate verification botch from 2013), pypam (code execution from 2012), and t1utils (multiple vulnerabilities).
Mageia has updated openssl (certificate verification botch).
openSUSE has updated MariaDB (13.2, 13.1: many vulnerabilities, some from 2014).
Oracle has updated php (OL6: many vulnerabilities, some from 2014).
Red Hat has updated php (RHEL6: many vulnerabilities, some from 2014) and php54-php (RHSC2: multiple vulnerabilities).
Scientific Linux has updated php (SL6: many vulnerabilities, some from 2014).
Slackware has updated openssl (certificate verification botch).
Ubuntu has updated firefox (15.04, 14.10, 14.04: multiple vulnerabilities) and nss (two vulnerabilities).
Security advisories for Thursday
Debian has updated python-django (two vulnerabilities).
Mageia has updated bind (denial of service), cups-filters (two code execution vulnerabilities), flash-player-plugin (many vulnerabilities), openssh (access restriction bypass), and virtuoso-opensource (multiple unspecified vulnerabilities).
openSUSE has updated flash-player (11.4: unspecified vulnerabilities), libwmf (13.2, 13.1: multiple vulnerabilities), mysql-community-server (13.2, 13.1: cipher downgrade), tiff (13.2, 13.1: multiple vulnerabilities), and wireshark (13.2: two denial of service vulnerabilities).
Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities).
SUSE has updated flash-player (SLE12: many vulnerabilities).
Ubuntu has updated python-django (two vulnerabilities).
A new OpenSSL vulnerability
The OpenSSL project has disclosed a new certificate validation vulnerability. "During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and 'issue' an invalid certificate." This is thus a client-side, man-in-the-middle vulnerability. Note that the affected versions of OpenSSL were released in mid-June; anybody with an older release should not be vulnerable.
The Core Infrastructure Initiative census project
The Core Infrastructure Initiative (a Linux Foundation effort to direct resources to critical projects in need of help) has announced a census project to identify the development projects most in need of assistance. "Unlike the Fed’s stress tests, which are opaque, all of the census data and analysis is open source. We are eager for community involvement. We encourage developers to fork the project and experiment with different data sources, different parameters, and different algorithms to test out the concept of an automated risk assessment census. We are also eager for input to help sanitize and complete the data that was used in this first iteration of the census."
[$] LWN.net Weekly Edition for July 9, 2015
The LWN.net Weekly Edition for July 9, 2015 is available.
[$] A preview of PostgreSQL 9.5
The PostgreSQL 9.5 alpha release is now available for testing. In this feature article, PostgreSQL core team member Josh Berkus discusses the need for an alpha release and introduces a number of the new features that will show up in 9.5. Click below (subscribers only) for the full article.
Security advisories for Wednesday
Arch Linux has updated bind (denial of service) and flashplugin (code execution).
Debian has updated bind9 (denial of service).
Debian-LTS has updated linux-ftpd-ssl (segmentation fault).
openSUSE has updated flash-player (13.2, 13.1: code execution).
Oracle has updated abrt (OL6: multiple vulnerabilities).
Scientific Linux has updated abrt (SL6: multiple vulnerabilities).
Slackware has updated bind (denial of service), cups (code execution), firefox (multiple vulnerabilities), and ntp (denial of service).
SUSE has updated bind (SLE11SP3: denial of service) and Xen (SLES10SP4: two vulnerabilities).
Ubuntu has updated bind9 (15.04, 14.10, 14.04, 12.04: denial of service) and libwmf (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
Debian to switch back to ffmpeg
After nearly a year of consideration, the Debian project has decided to switch back to the ffmpeg multimedia library at the expense of its fork libav. See this wiki page for a summary of the current reasoning behind the switch.
[$] Self-hosting projects with Gogs
In May, we noted the problems that GIMP and other free-software projects have encountered of late with the SourceForge project-hosting service. While there are plenty of alternative hosting providers to choose from, some developers will likely always prefer to self-host their projects—precisely because an outside service provider can make just such an abrupt or surprising about-face. Gogs is one option for those taking the self-hosting approach: it provides a web-based front-end to a GitHub-like hosting service. Gogs offers quite a few features, but its choice of GitHub-like qualities may not be to everyone's tastes.
ownCloud 8.1 released
The ownCloud 8.1 release is out. "This release marks significant under the hood improvements, such as increasing scalability and performance of syncing and file operations while making ownCloud a better platform for developers to build upon. Security enhancements, integrated documentation links, more control in the admin panel over external storage, LDAP and encryption make ownCloud more secure and easier to use." See the release notes for details.