Videos from the NetDev 1.1 conference are now availableon YouTube. "It took us a while to edit and to upload these ~100 Gbytes of videos,so thanks for your patience." LWN coveredseveral sessions from this event.
As was discussed at the 2015 Kernel Summit,there are essentially no commercial Android devices running mainlinekernels. At the recently concluded Linaro Connect event, though, JohnStultz demonstrateda Nexus 7 tablet running mainline with just a few patches. Iteven has accelerated graphics via the freedreno driver."This is really great, because we now have a very-close to mainlinetest bed on a actual consumer device. So we can make sure upstream doesn'tintroduce any regressions (just recently, two ABI breaks that affectedandroid were recently caught) and allows us to make sure when we pushAndroid functionality upstream, that any interface changes required bymaintainers can be properly tested to make sure what lands upstream reallyworks."
Linus has released the 4.5 kernel."So this is later on a Sunday than my usual schedule, because I justcouldn't make up my mind whether I should do another rc8 or not, andkept just waffling about it. In the end, I obviously decided not to,but it could have gone either way."Some of the headline features from the development cycle aredm-verity forward errorcorrection,optional mandatory locking,the new copy_file_range() systemcall,the SOCK_DESTROY operation,another set of persistent-memoryimprovements,extended address-space layout randomizationon 32-bit systems,the MADV_FREE option formadvise(),the UBSAN checker tool,some extensions toepoll_wait(),project quotas for the ext4 filesystem,and more.
Michael Catanzaro lamentsthe poor level of security provided by free-software applications,focusing on TLS verification issues in particular."In the case of Shotwell, the issue has been fixed in git, but itmight never be released because nobody works on Shotwell anymore. Iinformed distributors of the Shotwell vulnerability three months ago viathe GNOME distributor list, our official mechanism for communicating withdistributions, and advised them to update to a git snapshot. Mostdistributions ignored it. This is completely typical; to my knowledge, thestable releases of all Linux distributions except Fedora are stillvulnerable."
Ars technica reportsthat TP-Link will block the loading of third-party firmware on itsrouters, citing new US Federal Communications Commission rules."The FCC says it doesn't intend to ban the use of third-partyfirmware such as DD-WRT and OpenWRT; in theory, router makers can stillallow loading of open source firmware as long as they also deploy controlsthat prevent devices from operating outside their allowed frequencies,types of modulation, power levels, and so on. But open source users fearedthat hardware makers would lock third-party firmware out entirely, sincethat would be the easiest way to comply with the FCC requirements."
The Free Software Foundation (FSF) has posted an initialanalysis of the public feedback submitted in response to its callfor suggestions about what software projects deserve to be on the high-priorityprojects list. Several of the existing projects on the list arelikely to be removed, such as a replacement for Google Earth and anautomatic-transcription application. Multiple potential additions tothe list are also described, such as a free-software "Siri"-likepersonal assistant and a free-software implementation of advanced PDFfeatures. Further input is welcome; the page notes that the FSF"will strive to recommend projects that are actionable. Suchprojects document ways for members of the free software community toget involved and make the project succeed, with any kind of concretecontributions, from money donation, to code patches, advocacy, etc."
The White House has announced a draft policy addressing how the U.S. federal government will share and release custom software. "This policy requires that, among other things: (1) new custom code whose development is paid for by the Federal Government be made available for reuse across Federal agencies; and (2) a portion of that new custom code be released to the public as Open Source Software (OSS)."The full policy document is available at sourcecode.cio.gov, where it has been made available for public comment. The relevant passage regarding public source releases begins by outlining a pilot program. "Each covered agency shall release at least 20 percent of its newly-developed custom code each year as OSS. Custom code is defined as code for all custom software projects, modules, and add-ons that are self-contained. [...] Although the minimum requirement for OSS release is 20 percent of custom code, covered agencies are strongly encouraged to publish as much custom-developed code as possible to further the Federal Government’s commitment to transparency, participation, and collaboration."
Last year, guest author Linda Jacobson participated as an intern in theOutreachy program. She shares her experiences along with those of other participants in this project that is targeted at helping to increase diversity in the open-source world.Subscribers can click below for the full article from this week's edition.
Firefox 45.0 has been released. This release features instant browser tabsharing through Hello, Tabs synced via Firefox Accounts from other devicesare now shown in dropdown area of Awesome Bar when searching, Synced Tabsbutton in button bar, introduces a new preference(network.dns.blockDotOnion) to allow blocking .onion at the DNS level, andmore. See the releasenotes for details.
Version 3.8 of the LLVM compiler suite has been released. "This release contains the work of the LLVM community over the past sixmonths: deprecated autoconf build, shrink-wrapping on by default,overhauled MSVC-compatible exception handling, updated Kaleidoscopetutorial, emutls, OpenMP supported by default, as well as improvedoptimizations, many bug fixes, and more." Seethe LLVMrelease notes and theClang release notes for lots of details.
In the first of two parts Opensource.com talkswith Frank Karlitschek about the sale of his network of more than 30community sites to Blue Systems. "Although he doesn't know much about the future plans Blue Systems has for the websites, Karlitschek says the new owner is interested in continuing to run the websites and develop them in a direction that makes sense for the users and the ecosystem."Part 2 looksat the SourceForge and Slashdot communities and how the differentowners have interacted with them. "[Logan] Abbott got off on theright foot with open source developers with his SourceForge post in earlyFebruary, SourceForge Acquisition and Future Plans. "Our first order of business was to terminate the 'DevShare' program," he wrote. " ... We want to restore our reputation as a trusted home for open source software, and this was a clear first step towards that. We're more interested in doing the right thing than making extra short-term profit," he added."
Version 9.0 of ownCloud hasbeen released, with many performance improvements, bug fixes, cleanup,and new features. "[Full Federation] is one of the main goals of ownCloud, since the beginning, to enable everyone to run their own server but still collaborate and share with others. Sharing between different ownCloud servers is possible for a while now. But this is easier than ever with cross-server user name auto complete, trusted servers and more. Once you’ve shared with another ownCloud server, it will be added as a trusted server, exchanging user names. This will enable ownCloud to auto complete names from users of all shared servers. Admins have control over these features, so they can add trusted servers manually and disable the automatic addition."
Mageia has updated botan (multiple vulnerabilities), exempi, exiv2 (denial of service), jasper (multiple vulnerabilities), and perl (ambiguous environment).openSUSE has updated Chromium(13.1: multiple vulnerabilities).Red Hat has updated python-django(RHELOSP7: information disclosure).Slackware has updated php (multiple vulnerabilities).SUSE has updated OpenSSL(SLES10-SP4: multiple vulnerabilities) and postgresql94 (SLE11-SP4: multiplevulnerabilities, one from 2007).Ubuntu has updated bsh (codeexecution), samba (multiplevulnerabilities), thunderbird (multiplevulnerabilities), and python-django(15.10, 14.04: regression in previous update).
William Stein introducesSageMath, a mathematical software system for researchers, teachers,computer programmers, and engineers. "I wanted SageMath to be a powerful tool for my students. It wasn't initially intended to be something hundred of thousands of people used! But as I began building the project, and as more professors and students started contributing to it, I realized these were problems many others were striving to solve as well. SageMath was desperately needed, and that wide interest became the driving force behind getting it up and off the ground. Over 500 contributors have participated and help make SageMath a real solution avaliable to students and teachers around the world."
For all of you who have been wanting SQL Server for Linux, thelong wait is over, or will be around the middle of 2017 (a preview isavailable now). "'SQL Server’s proven enterprise experience andcapabilities offer a valuable asset to enterprise Linux customers aroundthe world,' said Paul Cormier, President, Products and Technologies, RedHat. 'We believe our customers will welcome this news and are happy to seeMicrosoft further increasing its investment in Linux.'"
Linus has released 4.5-rc7 and hasindicated that things seem to be on track for a final release next week. "So things have finally calmed down this past week, and I think we'llend up with a normal release where rc7 is the last rc."
The MAME (Multiple Arcade Machine Emulator) project has announced a license change,moving from the old, unique "MAME License" to the GNU GPLv2-or-laterfor the full codebase, with many individual components available underthe 3-clause BSD License. The announcement notes that a considerableeffort went into the relicensing process: "We have spent thelast 10 months trying to contact all people that contributed to MAMEas developers and external contributors and get information aboutdesired license." The old license[Wayback link] had prohibited commercial sale and use.
The Debian "Stretch" release isn't expected for more than a year, but itjust has been pushed back a couple of months, with the full freeze nowscheduled for February 5 of next year. The reason is to be able toship with the first kernel of the year (expected to be 4.10) that, bycurrent plans, should be a long-term support release."For the avoidance of doubt, this change is a one-off to align withan expected release of Linux only. We aren't in a position to tryand accommodate other projects, however much we'd like to be ableto."
Greg Kroah-Hartman has announced the release of the 4.4.4, 3.14.63, and 3.10.99 stable kernels. As usual, theycontain fixes throughout the tree and users should upgrade.
KDE.news has an announcement of a new program to foster better cooperation between KDE and distributions. "KDE is distro-agnostic. We do not prefer any distributions over others, and want our software to run everywhere. This extends beyond Linux; we want our software to work for our users on Windows, Mac, BSD and Android as well. Our focus is always on our users having the best experience possible.We are aware that the more closely we cooperate, the better the experience for all, including those who package our software, and we think that open and free communication is the best way to cooperate. KDE developers should be able to tell distributions what our software needs from a distribution in order to work best. And in turn, distributions should be able to tell us what makes our software easy to distribute. " A new mailing list has been created to host these conversations.
Over at LinuxGizmos, Eric Brown notes some new "Internet of Things" (IoT) projects from Mozilla that were described in a recent blog post by Ari Jaaksi, Mozilla Senior VP for Connected Devices. "The first projects include a Project Start Home framework for a home automation system, as well as a Project Link personal user agent and Vaani voice interface that would work within such a framework. Finally, there’s a crowdsourced Project SensorWeb for tracking air pollution. Interestingly, the term “Firefox OS†is not used in the latest announcement, despite the reference to Firefox OS Connected Devices in the previous post. Still, all the projects appear to use Firefox OS or Mozilla’s underlying Boot to Gecko (b2g) codebase. Mozilla is seeking testers, developers, and advisers, for all these open source projects."
CentOS has updated postgresql (C7; C6: denial of service).Fedora has updated kernel (F23:denial of service) and pcs (F22: two vulnerabilities).Mageia has updated asterisk(denial of service), drupal (multiple vulnerabilities), openssl (multiple vulnerabilities), perl-FCGI (denial of service from 2012), phpmyadmin (cross-site scripting), postgresql (two vulnerabilities), tomcat (multiple vulnerabilities), wireshark (multiple vulnerabilities), xdelta3 (code execution from 2014), and xerces-c (code execution).openSUSE has updated libopenssl0_9_8 (42.1, 13.2: many vulnerabilities, somefrom 2013 and 2014), libssh2_org (13.2:insecure sessions), and openssl (13.1; 11.4: multiple vulnerabilities).Oracle has updated postgresql (OL7; OL6: denial of service).Red Hat has updated postgresql (RHEL7; RHEL6:denial of service), postgresql92-postgresql(RHSC: denial of service), and rh-postgresql94-postgresql(RHSC: denial of service).Scientific Linux has updated postgresql (SL7; SL6: denial of service).Slackware has updated mailx (dropSSLv2 support), openssl (multiple vulnerabilities), and php (multiple vulnerabilities).SUSE has updated compat-openssl097g (SLE11SP4: multiple vulnerabilities), java-1_7_0-ibm (SLE11SP3: multiple vulnerabilities), and openssl (SLE12, SLE12SP1: multiple vulnerabilities).Ubuntu has updated pixman (14.04,12.04: code execution from 2014).
Five Google developers share the lessons from ten years of containerdevelopment in thisACM Queue article. "To cope with these kinds of requirements, configuration-managementsystems tend to invent a domain-specific configuration language that(eventually) becomes Turing complete, starting from the desire to performcomputation on the data in the configuration (e.g., to adjust the amount ofmemory to give a server as a function of the number of shards in theservice). The result is the kind of inscrutable 'configuration is code'that people were trying to avoid by eliminating hard-coded parameters inthe application's source code. It doesn't reduce operational complexity ormake the configurations easier to debug or change; it just moves thecomputations from a real programming language to a domain-specific one,which typically has weaker development tools (e.g., debuggers, unit testframeworks, etc)."
If your software deals with untrusted user input, it's a good idea to run a fuzzer against the program. For the Linux kernel, the most effective fuzzer of recent years has been Dave Jones's Trinity system call tester. But there's a new system call fuzzer in town, Dmitry Vyukov's syzkaller, and early results from it look promising — over 150 bugs uncovered in the mainline kernel (plus several dozen in Google's internal kernels) in a few months of operation.Click below (subscribers only) for the full article by David Drysdale.
The Raspberry Pi 3 has beenreleased and is on sale now for $35. "For Raspberry Pi 3,Broadcom have supported us with a new SoC, BCM2837. This retains the samebasic architecture as its predecessors BCM2835 and BCM2836, so all thoseprojects and tutorials which rely on the precise details of the RaspberryPi hardware will continue to work. The 900MHz 32-bit quad-core ARMCortex-A7 CPU complex has been replaced by a custom-hardened 1.2GHz 64-bitquad-core ARM Cortex-A53. Combining a 33% increase in clock speed withvarious architectural enhancements, this provides a 50-60% increase inperformance in 32-bit mode versus Raspberry Pi 2, or roughly a factor often over the original Raspberry Pi." (Thanks to Forrest Cook)
The OpenSSL project has disclosed a newhigh-profile vulnerability. This one, known as CVE-2016-800, or "DROWN", affects servers that stillhave the old SSLv2 protocol enabled. Yes, it has its own domain name andlogo. "DROWN allows attackers to break the encryption and read orsteal sensitive communications, including passwords, credit card numbers,trade secrets, or financial data. Our measurements indicate 33% of allHTTPS servers are vulnerable to the attack." The solution is tojust disable SSLv2 completely. Note that there are several othervulnerabilities (with a lower presumed severity) fixed in the OpenSSL1.0.2g and 1.0.1s releases.
David Malcolm takesa look at a new compiler warning in GCC 6,-Wmisleading-indentation. "At a high level, the underlying implementation looks at control statements (if/else, while, for), and if it sees them guard a single statement without braces, it looks at the followup statement. It complains if both have the same indentation.That’s a simplified description – we spent a fair amount of time working on heuristics in the warning, to try to ensure that it warns for all cases that are reasonable to warn for, whilst not complaining unduly for indentation that’s merely bad (rather than being actively misleading). We’ve also tested it with a variety of coding styles: GNU, K&R, Linux kernel, etc."
Harald Welte attended the court hearing in the GPL violation/infringementcase that Christoph Hellwig brought against VMware. This is his report."There was quite some debate about the question whether or not the plaintiff has shown that he actually holds a sufficient amount of copyrighted materials.The question here is not, whether Christoph has sufficient copyrightable contributions on Linux as a whole, but for the matter of this legal case it is relevant which of his copyrighted works end up in the disputed product VMware ESXi.Due to the nature of the development process where lots of developers make intermittent and incremental changes, it is not as straight-forward to demonstrate this, as one would hope. You cannot simply print an entire C file from the source code and mark large portions as being written by Christoph himself. Rather, lines have been edited again and again, were shifted, re-structured, re-factored. For a non-developer like the judges, it is therefore not obvious to decide on this question."(Thanks to Paul Wise)
The 4.5-rc6 kernel prepatch is out fortesting. "I'd like to say that things are on track for the usual release timing,but let's see how things look next week. If rc7 hasn't started toshrink, I may end up deciding that this is one of the releases when wedo an rc8 too. Too early to tell. There's nothing particularly scarygoing on, but I'd have liked it even calmer this week."
The Software Freedom Law Center weighsin on the ZFS controversy with a long and somewhat academic posting.The TL;DR is that it depends on what the kernel developers want."No existing record conclusively or convincingly demonstrates whetherthe only relevant licensing community, the holders of kernel copyright,intends a literal or equitable interpretation of its license terms underpresent circumstances. As so often in the long history of our law, bothliteral and equitable postures of interpretation are completely tenable,and reasonable people in the relevant roles may justifiably disagree. Thematter is smaller than that which divided the Pharisees from the Saducees,but from a legal theory point of view it is of the same fundamentalkind."
Arch Linux has updated lib32-libssh2 (man-in-the-middle).Debian has updated gajim(message interception) and xerces-c(code execution).Debian-LTS has updated xerces-c (code execution).openSUSE has updated libreoffice (13.2: multiple vulnerabilities).SUSE has updated kernel (SLE12: multiple vulnerabilities).
On his blog, Harald Welte has a report on a hearing in Germany regarding VMware's alleged GPL violations. Welte is a former kernel developer as well as the founder of gpl-violations.org, so he has quite an interest in the case, which was brought by Christoph Hellwig and is being funded by the Software Freedom Conservancy. To Welte's eye, it seems that there are two questions at issue: whether vmklinux and vmkernel are considered to be one or separate works (in a copyright sense) and whether Hellwig has the standing to sue: "This situation is used by the VMware defense in claiming that overall, they could only find very few functions that could be attributed to Christoph, and that this may altogether be only 1% of the Linux code they use in VMware ESXi.The court recognized this as difficult, as in German copyright law there is the concept of fading. If the original work by one author has been edited to an extent that it is barely recognizable, his original work has faded and so have his rights. The court did not state whether it believed that this has happened. To the contrary, the indicated that it may very well be that only very few lines of code can actually make a significant impact on the work as a whole. However, it is problematic for them to decide, as they don't understand source code and software development.So if (after further briefs from both sides and deliberation of the court) this is still an open question, it might very well be the case that the court would request a [technical] expert report to clarify this to the court."
Matthew Garrett digs intoa Linux-running light bulb and is not impressed with what he finds."The OS detection reported Linux, which wasn't hugely surprising -there was no GPL notice or source code included with the box, but I'm waypast the point of shock at that. It also reported that there was a telnetdaemon running. I connected and got a login prompt. And then I typed adminas the username and admin as the password and got a root prompt. So,there's that."
The Software Freedom Conservancy (SFC) has put out an analysis of the recently announced plans of Canonical to provide and support ZFS as part of Ubuntu 16.04. There are some license-compatibility questions within the community, but Canonical believes that it is within its rights to distribute the CDDLv1-licensed zfs.ko kernel module with the GPLv2-licensed kernel. SFC, however, disagrees: "We are sympathetic to Canonical's frustration in this desire to easily support more features for their users. However, as set out below, we have concluded that their distribution of zfs.ko violates the GPL. We have written this statement to answer, from the point of view of many key Linux copyright holders, the community questions that we've seen on this matter.Specifically, we provide our detailed analysis of the incompatibility between CDDLv1 and GPLv2 — and its potential impact on the trajectory of free software development — below. However, our conclusion is simple: Conservancy and the Linux copyright holders in the GPL Compliance Project for Linux Developers believe that distribution of ZFS binaries is a GPL violation and infringes Linux's copyright. We are also concerned that it may infringe Oracle's copyrights in ZFS. As such, we again ask Oracle to respect community norms against license proliferation and simply relicense its copyrights in ZFS under a GPLv2-compatible license."
Arch Linux has updated libgcrypt(key leak) and libssh2 (insecure sessions).Debian has updated icedove (multiple vulnerabilities).Debian-LTS has updated libfcgi(denial of service), libfcgi-perl (denial of service), pixman (code execution from 2014), and postgresql-8.4 (denial of service).Fedora has updated hamster-time-tracker (F22: denial of service), postgresql (denial of service), and qemu (three vulnerabilities).Mageia has updated libssh(insecure sessions).openSUSE has updated gummi (42.1,13.2: insecure tmp files), libgcrypt (13.2:key leak),and postgresql94 (42.1: three vulnerabilities, one from 2007).Oracle has updated openssh (OL5:denial of service from 2010).SUSE has updated firefox(SLE11SP4: denial of service).Ubuntu has updated ca-certificates (15.10, 14.04, 12.04: 1024-bitRSA key removal), glib-networking (15.10,14.04, 12.04: update for certificate changes), gnutls (14.04, 12.04: update for certificate changes), and openssl (14.04, 12.04: update for certificate changes).
LWN.net