
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-19 09:15
Garrett: There's more than one way to exploit the commons
Matthew Garrett's take on the Debian-XScreenSaver disagreement is worth a read. "Free software doesn't benefit from distributions antagonising their upstreams, even if said upstream is a cranky nightclub owner. Debian's users are Debian's highest priority, but those users are going to suffer if developers decide that not using free licenses improves their quality of life. Kneejerk reactions around specific instances aren't helpful, but now is probably a good time to start thinking about what value Debian brings to its upstream authors and how that can be increased."
New Linux-based effort to support global civil infrastructure demands
The Linux Foundation has announced the Civil Infrastructure Platform, "an open source framework that will provide the software foundation needed to deliver essential services for civil infrastructure and economic development on a global scale." Civil infrastructure systems deliver critical services such as electric power, oil and gas, water, health care, communications, transportation and more. "The Civil Infrastructure Platform will aim to work upstream with the Linux kernel and other open source projects to establish a “base layer” of industrial-grade software. This base layer will enable the use of software building blocks that meet safety, security, reliability and other requirements that are critical to industrial and civil infrastructure projects."
Security advisories for Monday
Arch Linux has updated squid (denial of service).
Debian has updated lhasa (code execution) and srtp (denial of service).
Fedora has updated apache-commons-collections (F23; F22: code execution), bind (F22: multiple vulnerabilities), bind99 (F22: multiple vulnerabilities), and NetworkManager (F23: multiple vulnerabilities).
Gentoo has updated qemu (multiple vulnerabilities) and xalan (code execution from 2014).
openSUSE has updated krb5 (13.2: null pointer dereference).
Oracle has updated openssh (OL5: two vulnerabilities).
Scientific Linux has updated krb5 (SL7: three vulnerabilities) and mariadb (SL7: multiple vulnerabilities).
Slackware has updated mercurial (three vulnerabilities) and php (multiple vulnerabilities).
Kernel prepatch 4.6-rc2
Linus has released the second 4.6 prepatch. "You all know the drill by now - another week, another rc. I'd say that things look fairly normal at this point: it's not a big rc2, but that's been true lately (rc3 tends to be a bit bigger - probably just because it takes time for people to start noticing issues)."
Discourse 1.5 released
Version 1.5 of the Discourse open-source discussion-and-commenting system has been released. Significant work went into rewriting the top-level "topics" page, resulting in a five-fold speed increase. Administrators can now change and customize every object label used in the interface. "Want topics to be 'threads'? Users to be 'funkatrons'? Like to be 'brofist'? Well, Discourse is your huckleberry." Support for email comments has also been improved, and user groups can now exchange private messages. The badge system, which is used to denote user roles and to mark popular posts, received a visual refresh and new documentation; user summary pages were also refreshed.
Friday's security updates
Arch Linux has updated jdk7-openjdk (sandbox escape), jre7-openjdk (sandbox escape), and jre7-openjdk-headless (sandbox escape).
CentOS has updated krb5 (C7: multiple vulnerabilities) and mariadb (C7: multiple vulnerabilities).
Fedora has updated kubernetes (F23: improper admission check control).
Mageia has updated chromium-browser-stable (M5: multiple vulnerabilities), proftpd (M5: weak key usage), and thunderbird/thunderbird-l10n (M5: unspecified vulnerabilities).
openSUSE has updated Chromium (13.2, Leap 42.1; SLE12 SPH: multiple vulnerabilities).
Oracle has updated krb5 (O7: multiple vulnerabilities) and mariadb (O7: multiple vulnerabilities).
Red Hat has updated bind (RHEL6: multiple vulnerabilities), krb5 (RHEL7: multiple vulnerabilities), libssh (RHEL7: insecure ssh sessions), and mariadb (RHEL7: multiple vulnerabilities).
Mono Relicensed MIT
At the Mono Project blog, Miguel de Icaza announced that the Mono runtime has been relicensed, moving from a dual-license slate (with LGPLv2 and proprietary options) to the MIT license. The Mono compiler and class libraries were already under the MIT license and will remain so. "Moving the Mono runtime to the MIT license removes barriers to the adoption of C# and .NET in a large number of scenarios, embedded applications, including embedding Mono as a scripting engine in game engines or other applications." De Icaza notes that Xamarin (which was recently acquired by Microsoft) had developed several proprietary Mono modules in recent years; these will also now be released under the MIT license.
Thursday's security updates
Debian has updated imlib2 (multiple vulnerabilities), libebml (multiple vulnerabilities), and libstruts1.2-java (input validation bypass).
Fedora has updated git (F22: multiple vulnerabilities) and moodle (F23; F22: multiple vulnerabilities).
openSUSE has updated libqt4 (Leap 42.1: unsafe SSL ciphers), webkitgtk (13.2, Leap 42.1: multiple vulnerabilities), and xen (Leap 42.1: multiple vulnerabilities).
Red Hat has updated openvswitch (RHEL7 OSP: code execution).
SUSE has updated pidgin-otr (SLE12: code execution).
[$] LWN.net Weekly Edition for March 31, 2016
The LWN.net Weekly Edition for March 31, 2016 is available.
[$] A single Node of failure
The web-development community was briefly thrown into chaos in late March when a lone Node.js developer suddenly unpublished a short but widely used package from the Node Package Manager (npm) repository. The events leading up to that developer's withdrawal are controversial in their own right, but the chaotic effects raise even more serious questions for the Node.js and npm user communities.
MIT Media Lab defaults to free & open source software (NetworkWorld)
NetworkWorld reports that software developed at MIT Media Lab will be open source by default. "This effort does away with developers having to get such licenses approved first by an internal committee, which [Lab Director Joi Ito] says 'always allowed our developers to open-source their work' anyway."
Ubuntu on Windows
Dustin Kirkland announces the availability of the Ubuntu user space on Windows 10 — a cooperative project with Microsoft. "Finally, I imagine some of you -- long time Windows and Ubuntu users alike -- are still wondering, perhaps, 'Why?!?' Having dedicated most of the past two decades of my career to free and open source software, this is an almost surreal endorsement by Microsoft on the importance of open source to developers. Indeed, what a fantastic opportunity to bridge the world of free and open source technology directly into any Windows 10 desktop on the planet."
Security advisories for Wednesday
Arch Linux has updated jdk8-openjdk (sandbox bypass), jre8-openjdk (sandbox bypass), and jre8-openjdk-headless (sandbox bypass).
Debian has updated dhcpcd (multiple vulnerabilities) and kamailio (code execution).
Fedora has updated openssh (F22: command injection) and webkitgtk (F22: multiple vulnerabilities).
Oracle has updated kernel-uek (OL7; OL6: unspecified).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and openvswitch (RHELOSP6 for RHEL7; RHELOSP5 for RHEL7: code execution).
SUSE has updated firefox, nspr, nss (SLE11-SP2: multiple vulnerabilities) and kernel (SLE11-SP4: multiple vulnerabilities).
Ubuntu has updated pcre3 (multiple vulnerabilities).
KDE's "Kirigami UI"
The KDE project has announced a new framework called the Kirigami UI; it appears to be oriented toward the needs of mobile applications. "Kirigami UI isn't just a set of components, it's also a philosophy: It defines precise UI/UX patterns to allow developers to quickly develop intuitive and consistent apps that provide a great user experience."
OpenBSD 5.9 released
The OpenBSD 5.9 release is available. There are a lot of enhancements and improvements. Perhaps most significant is the addition of the pledge() system call, which can be used by a process to limit its future capabilities. LWN looked at an early version of this work, back when it was called tame().
[$] Distribution-friendly tactics in the desktop wars
For many aspiring projects, getting accepted and shipped by popular distributions is an important step toward a long and successful life. But even large and established projects can struggle in this area. The distribution outreach program recently launched by the KDE project hosted a discussion making it clear that KDE cannot count on the support of distributions without supporting them in turn. If the participants are to be believed, KDE's second-place position in the desktop competition can at least partially be attributed to how the project works with distributors.
Tuesday's security updates
Debian has updated openvswitch (code execution).
openSUSE has updated gdk-pixbuf (13.2: three vulnerabilities).
SUSE has updated samba (SLES11-SP2: ACL ownership overwrite).
Linux at 25: Q&A With Linus Torvalds (Spectrum)
IEEE Spectrum interviews Linus Torvalds. "The kernel is actually doing very well. People continue to worry about things getting too complicated for people to understand and fix bugs. It’s certainly an understandable worry. But at the same time, we have a lot of smart people involved. The fact that the system has grown so big and complicated and so many people depend on it has forced us to have a lot of processes in place. It can be very challenging to get big and have invasive changes accepted, so I wouldn’t call it one big happy place, but I think kernel development is working."
Git v2.8.0 released
Version 2.8.0 of the Git version control system has been released. It contains a long list of new features and the removal of the rsync:// transport mechanism which, apparently, has been broken for some time without complaints from users.
Brinker: String Types in Rust
Andrew Brinker looks at string types in Rust. "Another important thing to note is that because the “owned” sorts of strings abstract away the underlying buffer, they can grow or shrink, possibly allocating a new underlying buffer and copying their contents to this new buffer. The “slice” sorts of strings cannot be resized, as they may not even be on the heap. The “slice” sort strings can only be accessed via what’s called a “fat pointer.” This is because slices are “dynamically-sized types,” meaning they do not carry information about their own length. They are simply some collection of contiguous memory. A “fat pointer” to a slice stores both a pointer to the memory in question and the length of the data stored at that memory location. This is all handled automatically by Rust, but it means that the “slice” sort of strings are interacted with via references, rather than being handled directly."
Security advisories for Monday
Arch Linux has updated chromium (multiple vulnerabilities).
Debian has updated chromium-browser (multiple vulnerabilities), quagga (code execution), and tomcat6 (multiple vulnerabilities).
Fedora has updated java-1.8.0-openjdk (F23; F22: sandbox bypass), php-pecl-http (F22: multiple vulnerabilities), seamonkey (F22: multiple vulnerabilities), tomcat (F22: SecurityManager restrictions bypass), torbrowser-launcher (F22: signature verification bypass), and webkitgtk4 (F22: denial of service).
Mageia has updated quagga (code execution).
openSUSE has updated thunderbird (13.1: multiple vulnerabilities).
Slackware has updated libevent (denial of service) and thunderbird (multiple vulnerabilities).
Arch users: update pacman soon
The Arch Linux developers recently released version 5.0 of the pacman package manager with some useful new features: "The release of pacman-5.0 brought support for transactional hooks. These will allow us to (e.g.) run font cache updates a single time during an update rather than after each font package installation. This will both speed up the update process, but also reduce packaging burden for the Developers and Trusted Users." Unfortunately, once they start using these hooks, older versions of pacman will no longer understand the resulting packages. That will happen on April 23, so all Arch users need to have upgraded by then.
SystemTap 3.0 released
Version 3.0 of the SystemTap kernel tracing system has been released. Significant changes include an interactive script-building mechanism, a "monitor" mode allowing ongoing display of accumulated statistics, much faster associative arrays, function overloading, a lot of tapset improvements, and more.
Kernel prepatch 4.6-rc1
Linus has released the 4.6-rc1 kernel prepatch and closed the merge window for this development cycle. "So I'm closing the merge window a day early, partly because I have some upcoming travel, but partly because this has actually been one of the bigger merge windows in a while, and if somebody was planning on trying to sneak in any last-minute features, I really don't want to hear about it any more."
GStreamer 1.8 released
Version 1.8 of the GStreamer multimedia framework is now available. New is support for hardware-accelerated zero-copy video decoding on Android, a new tracing system that will support more advanced debugging tools, initial support for the Vulkan API, and the debut of the new, simplified GstPlayer playback API (which we looked at in October). There are many other additions and improvements; see the release notes for full details.
Friday's security updates
Arch Linux has updated botan (multiple vulnerabilities) and expat (code execution).
CentOS has updated java-1.7.0-openjdk (C6; C5; C7: sandbox bypass) and java-1.8.0-openjdk (C6; C7: sandbox bypass).
Fedora has updated php-pecl-http (F23: multiple vulnerabilities) and torbrowser-launcher (F23: signature verification bypass).
Mageia has updated filezilla (M5: code execution), git (M5: code execution), iceape (M5: multiple vulnerabilities), krb5 (M5: null pointer dereference), libotr (M5: code execution), moodle (M5: multiple vulnerabilities), openafs (M5: multiple vulnerabilities), pidgin-otr (M5: code execution), webkit (M5: multiple vulnerabilities), and webkit2 (M5: multiple vulnerabilities).
openSUSE has updated quagga (Leap 42.1: code execution).
Oracle has updated java-1.7.0-openjdk (O7; O6; O5: sandbox bypass) and java-1.8.0-openjdk (O7; O6: sandbox bypass).
Red Hat has updated java-1.7.0-openjdk (RHEL6; RHEL7: sandbox bypass), java-1.7.0-oracle (RHEL7: sandbox bypass), java-1.8.0-openjdk (RHEL6, RHEL7: sandbox bypass), and java-1.8.0-oracle (RHEL7: sandbox bypass).
Scientific Linux has updated java-1.7.0-openjdk (SL6; SL7: sandbox bypass) and java-1.8.0-openjdk (SL6; SL7: sandbox bypass).
Ubuntu has updated openjdk-7 (14.04, 15.10: sandbox bypass).
[$] Blurred boundaries in the storage stack
It has been said that an important part of a maintainer's role is to say "no". Just how this "no" is said can define the style and effectiveness of a maintainer. Linus Torvalds recently displayed just how effective his style can be when saying "no" to a pair of fairly innocuous patches to add a new ioctl() command for block devices — patches in their fifth revision that had already received "Reviewed-by" tags from Christoph Hellwig. Subscribers can click below to see Neil Brown's look at how this all played out.
Hype Around the Mysterious ‘Badlock’ Bug Raises Criticism (WIRED)
The security circus continues to get sillier, it seems. WIRED is reporting on the "Badlock" bug that is being "reported" by SerNet—with the requisite catchy name, logo, and web site—but without any details for three weeks. "But another bug is on the horizon that is setting a new bar for brand-name bug disclosures. It’s called Badlock and it’s already receiving a lot of controversial attention, even though the exact nature of the bug—and most importantly, the patches to fix it—won’t be disclosed for another three weeks. The bug affects unknown versions of the Windows operating system and Samba, free open-source software that integrates Linux or Unix servers and Windows computers across a network." Josh Bressers's blog post also has some thoughts on the "disclosure": "The thing everyone always should remember in a situation like this is there are a lot of really smart people on the planet. If you think of something clever or discover something new, there are huge odds someone else did too. 3 weeks almost guarantees someone else can figure out whatever it is you found. It's especially interesting in this case since we have a name "Badlock" so we know it probably involves locking. We know it affects Samba and Windows. And we know who it was found by so we can look at which bits of Samba they've been working on lately. That's a lot of information for a clever person."
Thursday's security updates
CentOS has updated foomatic (C6: three vulnerabilities, one from 2010), git (C7; C6: two code execution flaws), kernel (C6: two vulnerabilities), krb5 (C6: two vulnerabilities), and tomcat6 (C6: SecurityManager bypass from 2014).
Debian has updated inspircd (denial of service), pidgin-otr (?:), and redmine (multiple unspecified information disclosure flaws).
Fedora has updated dropbear (F23; F22: information disclosure), kernel (F22; F23: three vulnerabilities), putty (F23; F22: code execution), and qemu (F23: multiple vulnerabilities).
openSUSE has updated dropbear (42.1, 13.2: information disclosure), graphite2 (42.1: three vulnerabilities), libssh (13.2: insecure sessions), perl (13.2: two vulnerabilities), pidgin-otr (42.1, 13.2: code execution), quagga (13.2: code execution), samba (42.1: ACL bypass), thunderbird (42.1, 13.2: multiple vulnerabilities), and tomcat (42.1: multiple vulnerabilities).
Oracle has updated git (OL7; OL6: two code execution flaws) and kernel 3.8.13 (OL7; OL6: two vulnerabilities).
Red Hat has updated python-django (RHOSP7OT for RHEL7; RHOSP7 for RHEL7; RHOSP6 for RHEL7; RHOSP5 for RHEL7; RHOSP5 for RHEL6: two vulnerabilities).
SUSE has updated rubygem-actionview-4_2 (OSC6, ES2.1: code execution) and xen (SLE12SP1: many vulnerabilities, some from 2014 and 2013).
Ubuntu has updated quagga (two vulnerabilities, one from 2013) and tiff (multiple vulnerabilities).
CitusDB open-sourced
Citus Data has announced that its CitusDB distributed database has been released, under an open-source license (AGPLv3), as a PostgreSQL extension. "First, Citus 5.0 now fully uses the PostgreSQL extension APIs. In other words, Citus becomes the first distributed database in the world that doesn't fork the underlying database. This means Citus users can immediately benefit from new features in PostgreSQL, such as semi-structured data types (json, jsonb), UPSERT, or when 9.6 arrives no more full table vacuums. Also, users can keep working with their existing Postgres drivers and tools."
[$] LWN.net Weekly Edition for March 24, 2016
The LWN.net Weekly Edition for March 24, 2016 is available.
GNOME 3.20
GNOME 3.20 has been released. "This release brings significant improvements to many of our core applications, such as system upgrades and reviews in Software, simple photo editing in Photos and improved search in Files. Improvements to our platform include shortcut help windows which are now available in many applications, a refined font and better control of location services." See the release notes for details.
Security advisories for Wednesday
Debian has updated libmatroska (information leak) and pixman (code execution).
Fedora has updated krb5 (F23: null pointer dereference), webkitgtk (F23: multiple vulnerabilities), and webkitgtk4 (F23: denial of service).
openSUSE has updated bind (Leap 42.1: two vulnerabilities).
Oracle has updated foomatic (OL6: two vulnerabilities), kernel (OL6: memory leak), krb5 (OL6: two vulnerabilities), and tomcat6 (OL6: Security Manager bypass).
Red Hat has updated foomatic (RHEL6: three vulnerabilities), git (RHEL6,7: code execution), git19-git (RHSCL: code execution), kernel (RHEL6: memory leak), krb5 (RHEL6: two vulnerabilities), nss-util (RHEL6.2, 6.4, 6.5, 6.6, 7.1: code execution), RHOSE (multiple vulnerabilities), and tomcat6 (RHEL6: Security Manager bypass).
Scientific Linux has updated foomatic (SL6: three vulnerabilities), git (SL6,7: code execution), kernel (SL6: memory leak), krb5 (SL6: two vulnerabilities), and tomcat6 (SL6: Security Manager bypass).
SUSE has updated rubygem-actionview-4_1 (SOSC5: two vulnerabilities).
[$] KubeCon EU 2016, part 1: Kubernetes 1.2
KubeCon EU, held in London March 10th, was the second conference dedicated to the Kubernetes container orchestration system. The sold-out attendance of 500 showed how popular the project has become since the release of version 1.0 by Google in July 2015. One week after the conference, version 1.2 was released, which included many long-awaited features. Subscribers can click below for part 1 of our coverage—two talks about new 1.2 features—by guest author Josh Berkus.
KDE Plasma 5.6 Release
KDE Plasma 5.6 has been released. This version brings many improvements to the task manager, KRunner, activities, and Wayland support. The look and feel has been enhanced with a slicker Plasma theme and smoother widgets. For those that missed having a weather widget, that feature has returned. See the changelog for details.
Andy Grove—dead at 79 (Ars Technica)
Ars Technica reports that former Intel CEO, chairman, and first hired employee Andy Grove has died. "Intel may have been a footnote in history were it not for Grove. The company started its life making DRAM chips. With this business under pressure from dumped Japanese DRAM, Grove changed the company's direction, deciding to build microprocessors instead. After a few early iterations, this work led to the development of the x86 processor line that made Intel a household name and one of the largest companies in the world. Grove was also instrumental in persuading IBM to use Intel's x86 processors for its newly invented Personal Computer."
Security updates for Tuesday
CentOS has updated openssh (C7; C6: two vulnerabilities).
Fedora has updated gnome-photos (F23: code execution) and seamonkey (F23: multiple vulnerabilities).
openSUSE has updated shotwell (Leap 42.1; 13.2: validate TLS certificates).
Oracle has updated openssh (OL7; OL6: two vulnerabilities).
Red Hat has updated openssh (RHEL7; RHEL6: two vulnerabilities).
Scientific Linux has updated openssh (SL7; SL6: two vulnerabilities).
Ubuntu has updated git (code execution) and webkitgtk (15.10, 14.04: multiple vulnerabilities).
Library Freedom Project, Werner Koch win 2015 FSF awards
The Free Software Foundation has announced the winners of its 2015 Software Freedom Awards: the Library Freedom Project won the award for projects of social benefit, while GnuPG maintainer Werner Koch received the award for the advancement of free software.
Rust's Redox OS could show Linux a few new tricks (InfoWorld)
InfoWorld takes a look at Redox OS. "Redox uses Rust for its kernel-level code to provide more memory safety considerations than C allows by default. But the project doesn't simply rewrite Linux in a new language. Redox discards as much from Linux's version of the Unix tradition as it keeps. As explained in the project's wiki and design documents, Redox uses a minimal set of syscalls -- a deliberately smaller subset than what Linux supports so as to avoid legacy bloat. The OS also uses a microkernel design to stay slender, in contrast to Linux's monolithic kernel."
Security advisories for Monday
Arch Linux has updated git (code execution) and thunderbird (multiple vulnerabilities).
Debian has updated activemq (unsafe deserialization), git (code execution), icedove (multiple vulnerabilities), iceweasel (multiple vulnerabilities), and squid3 (denial of service).
Fedora has updated drupal6-emfield (F23; F22: access bypass), firefox (F23: multiple vulnerabilities), git (F23: code execution), libotr (F23; F22: code execution), libvpx (F23: code execution), mod_auth_mellon (F23: denial of service), proftpd (F23; F22: weak key usage), webkitgtk3 (F23: multiple vulnerabilities), websvn (F23; F22: cross-site scripting), and xen (F23; F22: multiple vulnerabilities).
Gentoo has updated openssl (multiple vulnerabilities).
openSUSE has updated bind (13.2; 13.1; 11.4: two vulnerabilities), bsh2 (13.2: code execution), cgit (13.1; 11.4: code execution), Chromium (13.1: multiple vulnerabilities), git (13.1; 11.4: code execution), and rubygem-actionpack-3_2 (13.2: two vulnerabilities).
SUSE has updated bind (SLE11-SP2,3,4: two vulnerabilities), firefox (SLES10-SP4: multiple vulnerabilities), samba (SLE11-SP4: privilege escalation), tomcat (SLES12: multiple vulnerabilities), and tomcat6 (SLES11-SP4: multiple vulnerabilities).
xdg-app 0.5 released
At his blog, Alexander Larsson announces the release of version 0.5 of the GNOME xdg-app application sandboxing framework. The mailing list announcement provides a bit more detail on what is new, such as an API for creating graphical xdg-app front-ends, support for AppData metadata, and a new helper tool for those building app bundles. Larsson notes that his initial goals for the project were "make it possible for 3rd parties to create and distribute applications that work on multiple distributions" and "run applications with as little access as possible to the host. (For example access to the network or the users files.)" With the 0.5 release, he said, he considers the first goal met.
Friday's security updates
Debian has updated xen (multiple vulnerabilities).
Fedora has updated jenkins (F23; F22: multiple vulnerabilities), jenkins-remoting (F23; F22: multiple vulnerabilities), python-django (F23; F22: multiple vulnerabilities), rubygem-actionpack (F23; F22: code injection), and rubygem-actionview (F23; F22: code injection).
openSUSE has updated Chromium (13.2, Leap 42.1; SLE12 Package Hub: multiple vulnerabilities) and samba (13.2: multiple vulnerabilities).
Scientific Linux has updated OpenAFS (SL 5,6,7: multiple vulnerabilities).
Slackware has updated mozilla-firefox (multiple vulnerabilities).
SUSE has updated samba (SLE12; SLE12-SP1: file permission overwriting).
Ubuntu has updated pam (12.04: multiple vulnerabilities).
A Government Error Just Revealed Snowden Was the Target in the Lavabit Case (WIRED)
The information is unsurprising, since it has been strongly suspected for years, but its method of disclosure is rather amusing: Edward Snowden was the target when the US government went after the Lavabit email service. In its response to a request that the government unseal more documents in its case against him, Lavabit owner Ladar Levison got more than he bargained for—the target email address, Ed_Snowden@lavabit.com, was not redacted in one place, as WIRED reports. "WIRED spoke with Levison, prior to his learning that the government had made the redaction error, about his struggle to obtain transparency. 'Three years later, I still cannot tell you who they were after. I keep getting asked the question, and I can't answer.' Now, it appears he doesn't have to. The government has answered for him."
Security updates for Thursday
CentOS has updated bind (C5; C6; C7: two vulnerabilities), bind97 (C5: two vulnerabilities), kernel (C5: two vulnerabilities, one from 2013), and thunderbird (C5; C6; C7: multiple vulnerabilities).
Mageia has updated dropbear (information disclosure), nss (code execution), putty (code execution), shotwell (multiple vulnerabilities), and thunderbird (multiple vulnerabilities).
openSUSE has updated bsh2 (42.1: code execution), cgit (42.1, 13.2: two code execution flaws), git (42.1, 13.2: two code execution flaws), graphite2 (13.2: multiple vulnerabilities), and rubygem-actionview-4_2 (42.1: code execution).
Oracle has updated bind (OL5; OL6; OL7: two vulnerabilities), bind97 (OL5: two vulnerabilities), kernel (OL5: two vulnerabilities, one from 2013), and thunderbird (OL6; OL7: multiple vulnerabilities).
Red Hat has updated bind (two vulnerabilities), bind97 (RHEL5: two vulnerabilities), and thunderbird (multiple vulnerabilities).
Scientific Linux has updated bind (two vulnerabilities) and thunderbird (multiple vulnerabilities).
SUSE has updated git (SLE11SP4; SLE12SP1: two code execution flaws).
Ubuntu has updated pam (regression in earlier security update).
[$] LWN.net Weekly Edition for March 17, 2016
The LWN.net Weekly Edition for March 17, 2016 is available.
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.4.6, 3.14.65, and 3.10.101. Each contains the usual set of important fixes.
[$] The Car Hacker's Handbook
No Starch Press recently released a book about working with automotive software systems: The Car Hacker's Handbook: A Guide for the Penetration Tester, written by Craig Smith. The book is an expansion of Smith's popular and widely circulated e-book of the same title. The old version remains available online at no cost, but there is considerably more content in the new revision—enough to make it a tempting purchase not just for automotive-software fans in general, but for those interested in embedded-device security and in reverse engineering other classes of consumer product.
[$] Thread-level control with resource groups
The kernel's control-group mechanism allows processes to be divided into groups for the purposes of tracking and resource control. Both the API and underlying implementation of this mechanism have been going through considerable change in recent years. As part of that change, the newer control-group API has lost the ability to separately manage threads within a process, a loss that is not welcome in some quarters. Current work to replace that functionality is not finding an entirely warm reception either, though.
Security advisories for Wednesday
CentOS has updated samba (C7; C6: arbitrary file access) and samba4 (C6: arbitrary file access).
Debian has updated spip (two vulnerabilities).
Fedora has updated bind99 (F23: multiple vulnerabilities), firefox (F22: multiple vulnerabilities), and pcre (F22: denial of service).
Oracle has updated kernel (OL5: two vulnerabilities), samba (OL7; OL6: arbitrary file access), and samba4 (OL6: arbitrary file access).
Red Hat has updated kernel (RHEL5: two vulnerabilities), rh-php56-php (RHSCL: multiple vulnerabilities), rh-ror41-rubygem-actionview (RHSCL: two vulnerabilities), ror40 (RHSCL: multiple vulnerabilities), and ruby193 (RHSCL: multiple vulnerabilities).
Scientific Linux has updated kernel (SL5: two vulnerabilities), samba (SL6,7: arbitrary file access), and samba4 (SL6: arbitrary file access).
Slackware has updated git (code execution) and seamonkey (multiple vulnerabilities).
SUSE has updated bind (SLE12: two vulnerabilities), graphite2 (SLE12-SP1: multiple vulnerabilities), java-1_6_0-ibm (SLES11-SP3; SLES10-SP4: multiple vulnerabilities), firefox, nspr, nss (SLE11-SP4: multiple vulnerabilities), sles11sp4-docker-image (SLEM12: multiple vulnerabilities), sles12-docker-image (SLEM12: multiple vulnerabilities), and kernel (SLE12: multiple vulnerabilities).
Ubuntu has updated linux-raspi2 (15.10: multiple vulnerabilities) and pam (multiple vulnerabilities).
The first CyanogenMod 13.0 release
The CyanogenMod Android distribution has finally moved into the "Marshmallow" era with CM13.0 Release 1. "We left the M release builds in the oven longer than we thought, but nothing a little graham cracker and chocolate can’t make that much better. CM13.0 brings Android 6.0.1 (r17) goodies such as the battery saving ‘doze’ functionality and new permissions model, alongside the CM features you’d expect." Other changes include the removal of WhisperPush, the removal of the "quick unlock" feature, a switch to the standard Android messaging app, a new "Snap" camera app, and more.