Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-09-14 12:15
KDE Plasma 5.6 Release
KDE Plasma 5.6 has been released. This version brings many improvements to the task manager, KRunner, activities, and Wayland support. The look and feel has been enhanced with a slicker Plasma theme and smoother widgets. For those that missed having a weather widget, that feature has returned. See the changelog for details.
Andy Grove——dead at 79 (Ars Technica)
Ars Technica reports that former Intel CEO, chairman, and first employee hired Andy Grove has died. "Intel may have been a footnote in history were it not for Grove. The company started its life making DRAM chips. With this business under pressure from dumped Japanese DRAM, Grove changed the company's direction, deciding to build microprocessors instead. After a few early iterations, this work led to the development of the x86 processor line that made Intel a household name and one of the largest companies in the world. Grove was also instrumental in persuading IBM to use Intel's x86 processors for its newly invented Personal Computer."
Security updates for Tuesday
CentOS has updated openssh (C7; C6: two vulnerabilities). Fedora has updated gnome-photos (F23: code execution) and seamonkey (F23: multiple vulnerabilities). openSUSE has updated shotwell (Leap42.1; 13.2: validate TLS certificates). Oracle has updated openssh (OL7; OL6: two vulnerabilities). Red Hat has updated openssh (RHEL7; RHEL6: two vulnerabilities). Scientific Linux has updated openssh (SL7; SL6: two vulnerabilities). Ubuntu has updated git (code execution) and webkitgtk (15.10, 14.04: multiple vulnerabilities).
Library Freedom Project, Werner Koch win 2015 FSF awards
The Free Software Foundation has announced the winners of its 2015 Software Freedom Awards: the Library Freedom Project won the award for projects of social benefit, while GnuPG maintainer Werner Koch received the award for the advancement of free software.
Rust's Redox OS could show Linux a few new tricks (InfoWorld)
InfoWorld takes a look at Redox OS. "Redox uses Rust for its kernel-level code to provide more memory safety considerations than C allows by default. But the project doesn't simply rewrite Linux in a new language. Redox discards as much from Linux's version of the Unix tradition as it keeps. As explained in the project's wiki and design documents, Redox uses a minimal set of syscalls -- a deliberately smaller subset than what Linux supports so as to avoid legacy bloat. The OS also uses a microkernel design to stay slender, in contrast to Linux's monolithic kernel."
Security advisories for Monday
Arch Linux has updated git (code execution) and thunderbird (multiple vulnerabilities). Debian has updated activemq (unsafe deserialization), git (code execution), icedove (multiple vulnerabilities), iceweasel (multiple vulnerabilities), and squid3 (denial of service). Fedora has updated drupal6-emfield (F23; F22: access bypass), firefox (F23: multiple vulnerabilities), git (F23: code execution), libotr (F23; F22: code execution), libvpx (F23: code execution), mod_auth_mellon (F23: denial of service), proftpd (F23; F22: weak key usage), webkitgtk3 (F23: multiple vulnerabilities), websvn (F23; F22: cross-site scripting), and xen (F23; F22: multiple vulnerabilities). Gentoo has updated openssl (multiple vulnerabilities). openSUSE has updated bind (13.2; 13.1; 11.4: two vulnerabilities), bsh2 (13.2: code execution), cgit (13.1; 11.4: code execution), Chromium (13.1: multiple vulnerabilities), git (13.1; 11.4: code execution), and rubygem-actionpack-3_2 (13.2: two vulnerabilities). SUSE has updated bind (SLE11-SP2,3,4: two vulnerabilities), firefox (SLES10-SP4: multiple vulnerabilities), samba (SLE11-SP4: privilege escalation), tomcat (SLES12: multiple vulnerabilities), and tomcat6 (SLES11-SP4: multiple vulnerabilities).
xdg-app 0.5 released
At his blog, Alexander Larsson announces the release of version 0.5 of the GNOME xdg-app application sandboxing framework. The mailing list announcement provides a bit more detail on what is new, such as an API for creating graphical xdg-app front-ends, support for AppData metadata, and a new helper tool for those building app bundles. Larsson notes that his initial goals for the project were "make it possible for 3rd parties to create and distribute applications that work on multiple distributions" and "run applications with as little access as possible to the host. (For example access to the network or the users files.)" With the 0.5 release, he said, he considers the first goal met.
Friday's security updates
Debian has updated xen (multiple vulnerabilities). Fedora has updated jenkins (F23; F22: multiple vulnerabilities), jenkins-remoting (F23; F22: multiple vulnerabilities), python-django (F23; F22: multiple vulnerabilities), rubygem-actionpack (F23; F22: code injection), and rubygem-actionview (F23; F22: code injection). openSUSE has updated Chromium (13.2, Leap 42.1; SLE12 Package Hub: multiple vulnerabilities) and samba (13.2: multiple vulnerabilities). Scientific Linux has updated OpenAFS (SL 5,6,7: multiple vulnerabilities). Slackware has updated mozilla-firefox (multiple vulnerabilities). SUSE has updated samba (SLE12; SLE12-SP1: file permission overwriting). Ubuntu has updated pam (12.04: multiple vulnerabilities).
A Government Error Just Revealed Snowden Was the Target in the Lavabit Case (WIRED)
The information is unsurprising, since it has been strongly suspected for years, but its method of disclosure is rather amusing: Edward Snowden was the target when the US government went after the Lavabit email service. In the response to a request that the government unseal more documents in its case against him, Lavabit owner Ladar Levison got more than he bargained for—the target email address, Ed_Snowden@lavabit.com, was not redacted in one place, as WIRED reports. "WIRED spoke with Levison, prior to his learning that the government had made the redaction error, about his struggle to obtain transparency. 'Three years later, I still cannot tell you who they were after. I keep getting asked the question, and I can't answer.' Now, it appears he doesn't have to. The government has answered for him."
Security updates for Thursday
CentOS has updated bind (C5; C6; C7: two vulnerabilities), bind97 (C5: two vulnerabilities), kernel (C5: two vulnerabilities, one from 2013), and thunderbird (C5; C6; C7: multiple vulnerabilities). Mageia has updated dropbear (information disclosure), nss (code execution), putty (code execution), shotwell (multiple vulnerabilities), and thunderbird (multiple vulnerabilities). openSUSE has updated bsh2 (42.1: code execution), cgit (42.1, 13.2: two code execution flaws), git (42.1, 13.2: two code execution flaws), graphite2 (13.2: multiple vulnerabilities), and rubygem-actionview-4_2 (42.1: code execution). Oracle has updated bind (OL5; OL6; OL7: two vulnerabilities), bind97 (OL5: two vulnerabilities), kernel (OL5: two vulnerabilities, one from 2013), and thunderbird (OL6; OL7: multiple vulnerabilities). Red Hat has updated bind (two vulnerabilities), bind97 (RHEL5: two vulnerabilities), and thunderbird (multiple vulnerabilities). Scientific Linux has updated bind (two vulnerabilities) and thunderbird (multiple vulnerabilities). SUSE has updated git (SLE11SP4; SLE12SP1: two code execution flaws). Ubuntu has updated pam (regression in earlier security update).
[$] LWN.net Weekly Edition for March 17, 2016
The LWN.net Weekly Edition for March 17, 2016 is available.
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.4.6, 3.14.65, and 3.10.101. Each contains the usual set of important fixes.
[$] The Car Hacker's Handbook
No Starch Press recently released a book about working with automotive software systems: The Car Hacker's Handbook: A Guide for the Penetration Tester, written by Craig Smith. The book is an expansion of Smith's popular and widely circulated e-book of the same title. The old version remains available online at no cost, but there is considerably more content in the new revision—enough to make it a tempting purchase not just for automotive-software fans in general, but for those interested in embedded-device security and in reverse engineering other classes of consumer product.
[$] Thread-level control with resource groups
The kernel's control-group mechanism allows processes to be divided into groups for the purposes of tracking and resource control. Both the API and underlying implementation of this mechanism have been going through considerable change in recent years. As part of that change, the newer control-group API has lost the ability to separately manage threads within a process, a loss that is not welcome in some quarters. Current work to replace that functionality is not finding an entirely warm reception either, though.
Security advisories for Wednesday
CentOS has updated samba (C7; C6: arbitrary file access) and samba4 (C6: arbitrary file access). Debian has updated spip (two vulnerabilities). Fedora has updated bind99 (F23: multiple vulnerabilities), firefox (F22: multiple vulnerabilities), and pcre (F22: denial of service). Oracle has updated kernel (OL5: two vulnerabilities), samba (OL7; OL6: arbitrary file access), and samba4 (OL6: arbitrary file access). Red Hat has updated kernel (RHEL5: two vulnerabilities), rh-php56-php (RHSCL: multiple vulnerabilities), rh-ror41-rubygem-actionview (RHSCL: two vulnerabilities), ror40 (RHSCL: multiple vulnerabilities), and ruby193 (RHSCL: multiple vulnerabilities). Scientific Linux has updated kernel (SL5: two vulnerabilities), samba (SL6,7: arbitrary file access), and samba4 (SL6: arbitrary file access). Slackware has updated git (code execution) and seamonkey (multiple vulnerabilities). SUSE has updated bind (SLE12: two vulnerabilities), graphite2 (SLE12-SP1: multiple vulnerabilities), java-1_6_0-ibm (SLES11-SP3; SLES10-SP4: multiple vulnerabilities), firefox, nspr, nss (SLE11-SP4: multiple vulnerabilities), sles11sp4-docker-image (SLEM12: multiple vulnerabilities), sles12-docker-image (SLEM12: multiple vulnerabilities), and kernel (SLE12: multiple vulnerabilities). Ubuntu has updated linux-raspi2 (15.10: multiple vulnerabilities) and pam (multiple vulnerabilities).
The first CyanogenMod 13.0 release
The CyanogenMod Android distribution has finally moved into the "Marshmallow" era with CM13.0 Release 1. "We left the M release builds in the oven longer than we thought, but nothing a little graham cracker and chocolate can’t make that much better. CM13.0 brings Android 6.0.1 (r17) goodies such as the battery saving ‘doze’ functionality and new permissions model, alongside the CM features you’d expect." Other changes include the removal of WhisperPush, the removal of the "quick unlock" feature, a switch to the standard Android messaging app, a new "Snap" camera app, and more.
Security updates for Tuesday
Arch Linux has updated dropbear (information disclosure). openSUSE has updated python-Pillow (Leap42.1, 13.2: denial of service) and webkit2gtk3 (Leap42.1: multiple vulnerabilities). Red Hat has updated samba (RHEL6,7: arbitrary file access) and samba4 (RHEL6: arbitrary file access). SUSE has updated bind (SLE12-SP1: multiple vulnerabilities), sles12sp1-docker-image (SLEM12: multiple vulnerabilities), and tomcat (SLES12-SP1: multiple vulnerabilities). Ubuntu has updated exim4 (two vulnerabilities), kernel (15.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), linux-lts-wily (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: code execution).
NetDev 1.1 videos now available
Videos from the NetDev 1.1 conference are now available on YouTube. "It took us a while to edit and to upload these ~100 Gbytes of videos, so thanks for your patience." LWN covered several sessions from this event.
A (nearly) mainline kernel running on the Nexus 7
As was discussed at the 2015 Kernel Summit, there are essentially no commercial Android devices running mainline kernels. At the recently concluded Linaro Connect event, though, John Stultz demonstrated a Nexus 7 tablet running mainline with just a few patches. It even has accelerated graphics via the freedreno driver. "This is really great, because we now have a very-close to mainline test bed on an actual consumer device. So we can make sure upstream doesn't introduce any regressions (just recently, two ABI breaks that affected android were recently caught) and allows us to make sure when we push Android functionality upstream, that any interface changes required by maintainers can be properly tested to make sure what lands upstream really works."
Graber: LXD 2.0: Introduction to LXD
Stéphane Graber provides an introduction to LXD. "LXD focuses on system containers, also called infrastructure containers. That is, a LXD container runs a full Linux system, exactly as it would be when run on metal or in a VM. Those containers will typically be long running and based on a clean distribution image. Traditional configuration management tools and deployment tools can be used with LXD containers exactly as you would use them for a VM, cloud instance or physical machine."
Monday's security advisories
Arch Linux has updated bind (multiple vulnerabilities), openssh (command injection), pcre (code execution), pidgin-otr (code execution), wireshark-cli (multiple dissector crashes), wireshark-gtk (multiple dissector crashes), and wireshark-qt (multiple dissector crashes). Debian has updated exim4 (privilege escalation), graphite2 (multiple vulnerabilities), samba (two vulnerabilities), and wireshark (multiple dissector crashes). Fedora has updated bind (F23: multiple vulnerabilities), exim (F23; F22: privilege escalation), kernel (F22: denial of service), libssh (F22: insecure ssh sessions), openssh (F23: command injection), openssl (F22: multiple vulnerabilities), perl (F22: ambiguous environment), php (F22: multiple vulnerability), php-htmLawed (F22: unspecified vulnerability), php-udan11-sql-parser (F22: multiple vulnerabilities), phpMyAdmin (F22: multiple vulnerabilities), and samba (F23; F22: incorrect ACL get/set allowed on symlink path). Gentoo has updated chromium (many vulnerabilities), ffmpeg (many vulnerabilities), flash-player (multiple vulnerabilities), flightgear (two vulnerabilities from 2012), icedtea (multiple vulnerabilities), libreswan (denial of service), oracle-jre-bin (multiple vulnerabilities), qtgui (multiple vulnerabilities), and vlc (multiple vulnerabilities). openSUSE has updated Adobe (13.1: multiple vulnerabilities), Chromium (13.2: multiple vulnerabilities), Firefox (13.1: multiple vulnerabilities), libotr, libotr2 (13.1: code execution), and firefox (Leap42.1, 13.2: multiple vulnerabilities). Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities) and openstack-heat (RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: denial of service). SUSE has updated firefox, nss, nspr (SLE12-SP1: multiple vulnerabilities). Ubuntu has updated graphite2 (15.10, 14.04: multiple vulnerabilities).
The 4.5 kernel has been released
Linus has released the 4.5 kernel. "So this is later on a Sunday than my usual schedule, because I just couldn't make up my mind whether I should do another rc8 or not, and kept just waffling about it. In the end, I obviously decided not to, but it could have gone either way." Some of the headline features from the development cycle are dm-verity forward error correction, optional mandatory locking, the new copy_file_range() system call, the SOCK_DESTROY operation, another set of persistent-memory improvements, extended address-space layout randomization on 32-bit systems, the MADV_FREE option for madvise(), the UBSAN checker tool, some extensions to epoll_wait(), project quotas for the ext4 filesystem, and more.
Catanzaro: Do you trust this application?
Michael Catanzaro laments the poor level of security provided by free-software applications, focusing on TLS verification issues in particular. "In the case of Shotwell, the issue has been fixed in git, but it might never be released because nobody works on Shotwell anymore. I informed distributors of the Shotwell vulnerability three months ago via the GNOME distributor list, our official mechanism for communicating with distributions, and advised them to update to a git snapshot. Most distributions ignored it. This is completely typical; to my knowledge, the stable releases of all Linux distributions except Fedora are still vulnerable."
TP-Link blocks open source router firmware to comply with new FCC rule (ars technica)
Ars Technica reports that TP-Link will block the loading of third-party firmware on its routers, citing new US Federal Communications Commission rules. "The FCC says it doesn't intend to ban the use of third-party firmware such as DD-WRT and OpenWRT; in theory, router makers can still allow loading of open source firmware as long as they also deploy controls that prevent devices from operating outside their allowed frequencies, types of modulation, power levels, and so on. But open source users feared that hardware makers would lock third-party firmware out entirely, since that would be the easiest way to comply with the FCC requirements."
FSF: A preliminary analysis of High Priority Projects feedback
The Free Software Foundation (FSF) has posted an initial analysis of the public feedback submitted in response to its call for suggestions about what software projects deserve to be on the high-priority projects list. Several of the existing projects on the list are likely to be removed, such as a replacement for Google Earth and an automatic-transcription application. Multiple potential additions to the list are also described, such as a free-software "Siri"-like personal assistant and a free-software implementation of advanced PDF features. Further input is welcome; the page notes that the FSF "will strive to recommend projects that are actionable. Such projects document ways for members of the free software community to get involved and make the project succeed, with any kind of concrete contributions, from money donation, to code patches, advocacy, etc."
Friday's security updates
Arch Linux has updated flashplugin (multiple vulnerabilities) and lib32-flashplugin (multiple vulnerabilities). CentOS has updated libssh2 (C6; C7: insecure ssh sessions) and xerces-c (C7: code execution). Fedora has updated firefox (F23: multiple vulnerabilities), kernel (F23: denial of service), and php-htmLawed (F23: unspecified vulnerability). Mageia has updated bind (M5: multiple vulnerabilities), flash-player-plugin (M5: multiple vulnerabilities), openssh (M5: command injection), php/timezone/php-timezonedb (M5: multiple vulnerabilities), and samba (M5: ACL ownership overwrite). openSUSE has updated Adobe Flash Player (13.2: multiple vulnerabilities), exim (13.2, Leap 42.1: privilege escalation), libssh (Leap 42.1: insecure ssh sessions), and openssl (Leap 42.1: multiple vulnerabilities). Oracle has updated libssh2 (O6: insecure ssh sessions) and xerces-c (O7: code execution). Red Hat has updated xerces-c (RHEL7: code execution). Scientific Linux has updated libssh2 (SL 6,7: insecure ssh sessions) and xerces-c (SL7: code execution). Slackware has updated openssh (command injection). SUSE has updated flash-player (SLE12; SLE11: multiple vulnerabilities). Ubuntu has updated libotr (12.04: denial of service).
A policy statement on open-source software from the White House
The White House has announced a draft policy addressing how the U.S. federal government will share and release custom software. "This policy requires that, among other things: (1) new custom code whose development is paid for by the Federal Government be made available for reuse across Federal agencies; and (2) a portion of that new custom code be released to the public as Open Source Software (OSS)." The full policy document is available at sourcecode.cio.gov, where it has been made available for public comment. The relevant passage regarding public source releases begins by outlining a pilot program. "Each covered agency shall release at least 20 percent of its newly-developed custom code each year as OSS. Custom code is defined as code for all custom software projects, modules, and add-ons that are self-contained. [...] Although the minimum requirement for OSS release is 20 percent of custom code, covered agencies are strongly encouraged to publish as much custom-developed code as possible to further the Federal Government’s commitment to transparency, participation, and collaboration."
Thursday's security updates
Arch Linux has updated bind (denial of service), chromium (multiple vulnerabilities), exim (privilege escalation), firefox (multiple vulnerabilities), libotr (code execution), and perl (ambiguous environment). Debian has updated bind9 (multiple vulnerabilities), chromium-browser (multiple vulnerabilities), iceweasel (multiple vulnerabilities), libotr (code execution), and rails (multiple vulnerabilities). Fedora has updated 389-ds-base (F22; F23: denial of service), community-mysql (F22; F23: multiple vulnerabilities), drupal7 (F22; F23: multiple vulnerabilities), gummi (F22; F23: predictable filenames in /tmp), libmodbus (F22; F23: buffer overflow), libssh2 (F22: insecure ssh sessions), php-udan11-sql-parser (F23: multiple vulnerabilities), phpMyAdmin (F23: multiple vulnerabilities), and qpid-cpp (F23: multiple vulnerabilities). Gentoo has updated fuse (privilege escalation) and libreoffice (multiple vulnerabilities). Mageia has updated firefox (M5: multiple vulnerabilities), libvirt (M5: privilege escalation), and pigz (M5: directory traversal). openSUSE has updated libotr, libotr2 (13.2, Leap 42.1: code execution), OpenVPN (13.2: multiple vulnerabilities), and php5 (13.2: stack overflow). Oracle has updated firefox (O5; O7; O6: multiple vulnerabilities), libssh2 (O7: insecure ssh sessions), nss-util (O6: code execution), and openssl098e (O6: multiple vulnerabilities). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and libssh2 (RHEL 6,7: insecure ssh sessions). Slackware has updated bind (multiple vulnerabilities) and mozilla (14.0, 14.1, current: ). Ubuntu has updated bind9 (12.04, 14.04, 15.10: denial of service) and nss (12.04, 14.04, 15.10: denial of service).
Another set of stable kernel updates
The 4.4.5, 3.14.64, and 3.10.100 stable kernel updates have been released; each contains the usual set of important fixes.
[$] LWN.net Weekly Edition for March 10, 2016
The LWN.net Weekly Edition for March 10, 2016 is available.
[$] Outreachy: an intern's perspective
Last year, guest author Linda Jacobson participated as an intern in the Outreachy program. She shares her experiences along with those of other participants in this project that is targeted at helping to increase diversity in the open-source world. Subscribers can click below for the full article from this week's edition.
Firefox 45.0 released
Firefox 45.0 has been released. This release features instant browser tab sharing through Hello, Tabs synced via Firefox Accounts from other devices are now shown in dropdown area of Awesome Bar when searching, Synced Tabs button in button bar, introduces a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level, and more. See the release notes for details.
Security advisories for Wednesday
CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities), nss (C5: code execution), nss-util (C7; C6: code execution), and openssl098e (C7; C6: multiple vulnerabilities). Gentoo has updated roundcube (two vulnerabilities). Oracle has updated nss (OL5: code execution), nss-util (OL7: code execution), and openssl098e (OL7: two vulnerabilities). Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities), nss (RHEL5: code execution), nss-util (RHEL6,7: code execution), openssl098e (RHEL6,7: multiple vulnerabilities), openstack-nova (RHELOSP7 for RHEL7; RHELOSP6 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: information exposure), and rabbitmq-server (RHELOSP7 for RHEL7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: two vulnerabilities). Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities), nss (SL5: code execution), nss-util (SL6,7: code execution), and openssl098e (SL6,7: multiple vulnerabilities). Slackware has updated firefox (multiple vulnerabilities) and samba (two vulnerabilities). SUSE has updated bsh2 (SLESDK12-SP1; SLESDK11-SP4: code execution). Ubuntu has updated firefox (multiple vulnerabilities).
LLVM 3.8 released
Version 3.8 of the LLVM compiler suite has been released. "This release contains the work of the LLVM community over the past six months: deprecated autoconf build, shrink-wrapping on by default, overhauled MSVC-compatible exception handling, updated Kaleidoscope tutorial, emutls, OpenMP supported by default, as well as improved optimizations, many bug fixes, and more." See the LLVM release notes and the Clang release notes for lots of details.
When selling a site means selling a community (Opensource.com)
In the first of two parts Opensource.com talks with Frank Karlitschek about the sale of his network of more than 30 community sites to Blue Systems. "Although he doesn't know much about the future plans Blue Systems has for the websites, Karlitschek says the new owner is interested in continuing to run the websites and develop them in a direction that makes sense for the users and the ecosystem." Part 2 looks at the SourceForge and Slashdot communities and how the different owners have interacted with them. "[Logan] Abbott got off on the right foot with open source developers with his SourceForge post in early February, SourceForge Acquisition and Future Plans. "Our first order of business was to terminate the 'DevShare' program," he wrote. " ... We want to restore our reputation as a trusted home for open source software, and this was a clear first step towards that. We're more interested in doing the right thing than making extra short-term profit," he added."
ownCloud 9.0 released
Version 9.0 of ownCloud has been released, with many performance improvements, bug fixes, cleanup, and new features. "[Full Federation] is one of the main goals of ownCloud, since the beginning, to enable everyone to run their own server but still collaborate and share with others. Sharing between different ownCloud servers is possible for a while now. But this is easier than ever with cross-server user name auto complete, trusted servers and more. Once you’ve shared with another ownCloud server, it will be added as a trusted server, exchanging user names. This will enable ownCloud to auto complete names from users of all shared servers. Admins have control over these features, so they can add trusted servers manually and disable the automatic addition."
Tuesday's security updates
Mageia has updated botan (multiple vulnerabilities), exempi, exiv2 (denial of service), jasper (multiple vulnerabilities), and perl (ambiguous environment). openSUSE has updated Chromium (13.1: multiple vulnerabilities). Red Hat has updated python-django (RHELOSP7: information disclosure). Slackware has updated php (multiple vulnerabilities). SUSE has updated OpenSSL (SLES10-SP4: multiple vulnerabilities) and postgresql94 (SLE11-SP4: multiple vulnerabilities, one from 2007). Ubuntu has updated bsh (code execution), samba (multiple vulnerabilities), thunderbird (multiple vulnerabilities), and python-django (15.10, 14.04: regression in previous update).
Open source math software competes in the classroom (Opensource.com)
William Stein introduces SageMath, a mathematical software system for researchers, teachers, computer programmers, and engineers. "I wanted SageMath to be a powerful tool for my students. It wasn't initially intended to be something hundred of thousands of people used! But as I began building the project, and as more professors and students started contributing to it, I realized these were problems many others were striving to solve as well. SageMath was desperately needed, and that wide interest became the driving force behind getting it up and off the ground. Over 500 contributors have participated and help make SageMath a real solution available to students and teachers around the world."
Microsoft announces SQL Server for Linux
For all of you who have been wanting SQL Server for Linux, the long wait is over, or will be around the middle of 2017 (a preview is available now). "'SQL Server’s proven enterprise experience and capabilities offer a valuable asset to enterprise Linux customers around the world,' said Paul Cormier, President, Products and Technologies, Red Hat. 'We believe our customers will welcome this news and are happy to see Microsoft further increasing its investment in Linux.'"
Security advisories for Monday
Arch Linux has updated lib32-openssl (multiple vulnerabilities) and openssl (multiple vulnerabilities). Debian has updated chromium-browser (multiple vulnerabilities), jasper (multiple vulnerabilities), libav (multiple vulnerabilities), and wireshark (multiple vulnerabilities). Fedora has updated drupal6 (F23; F22: multiple vulnerabilities), exiv2 (F22: denial of service), kernel (F22: multiple vulnerabilities), mariadb (F22: multiple vulnerabilities), php (F23: multiple vulnerabilities), and xen (F22: denial of service). Gentoo has updated gimp (command execution) and osc (command injection). Mageia has updated graphite2 (unspecified vulnerabilities), python-django (two vulnerabilities), squid (denial of service), and xen (multiple vulnerabilities). openSUSE has updated Chromium (Leap42.1: multiple vulnerabilities), nghttp2 (Leap42.1: denial of service), phpMyAdmin (Leap42.1, 13.2; 13.1: cross-site scripting), pigz (13.1: directory traversal), and wireshark (Leap42.1, 13.2; 13.1: multiple dissector crashes). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and openstack-glance (RHELOSP5 for RHEL6: authorization bypass). SUSE has updated Chromium (SPH for SLE12: multiple vulnerabilities) and Xen (SLES10-SP4: multiple vulnerabilities). Ubuntu has updated squid3 (two vulnerabilities) and python-django (15.10, 14.04: regression in previous update).
Kernel prepatch 4.5-rc7
Linus has released 4.5-rc7 and has indicated that things seem to be on track for a final release next week. "So things have finally calmed down this past week, and I think we'll end up with a normal release where rc7 is the last rc."
MAME is now Free and Open Source Software
The MAME (Multiple Arcade Machine Emulator) project has announced a license change, moving from the old, unique "MAME License" to the GNU GPLv2-or-later for the full codebase, with many individual components available under the 3-clause BSD License. The announcement notes that a considerable effort went into the relicensing process: "We have spent the last 10 months trying to contact all people that contributed to MAME as developers and external contributors and get information about desired license." The old license [Wayback link] had prohibited commercial sale and use.
Friday's security updates
Arch Linux has updated chromium (multiple vulnerabilities). Debian has updated bsh (command execution), ctdb (denial of service), kernel (multiple vulnerabilities), and roundup (information leak). Debian-LTS has updated squid3 (denial of service; reversion fix). Fedora has updated exiv2 (F23: denial of service), openssl (F23: multiple vulnerabilities), pcs (F23: multiple vulnerabilities), and perl (F23: ambiguous environment). Mageia has updated samba (multiple vulnerabilities). openSUSE has updated eog (13.2, Leap 42.1: code execution) and pigz (13.2: directory traversal). Red Hat has updated kubernetes (RHOSE 3: multiple vulnerabilities) and openstack-glance (RHEL7 OSP5; RHEL7 OSP7: authorization bypass). Ubuntu has updated jasper (12.04, 14.04, 15.10: multiple vulnerabilities).
Debian "Stretch" release delayed slightly
The Debian "Stretch" release isn't expected for more than a year, but it just has been pushed back a couple of months, with the full freeze now scheduled for February 5 of next year. The reason is to be able to ship with the first kernel of the year (expected to be 4.10) that, by current plans, should be a long-term support release. "For the avoidance of doubt, this change is a one-off to align with an expected release of Linux only. We aren't in a position to try and accommodate other projects, however much we'd like to be able to."
Stable kernels 4.4.4, 3.14.63, and 3.10.99
Greg Kroah-Hartman has announced the release of the 4.4.4, 3.14.63, and 3.10.99 stable kernels. As usual, they contain fixes throughout the tree and users should upgrade.
Announcing the KDE community's Distribution Outreach Program (KDE.news)
KDE.news has an announcement of a new program to foster better cooperation between KDE and distributions. "KDE is distro-agnostic. We do not prefer any distributions over others, and want our software to run everywhere. This extends beyond Linux; we want our software to work for our users on Windows, Mac, BSD and Android as well. Our focus is always on our users having the best experience possible. We are aware that the more closely we cooperate, the better the experience for all, including those who package our software, and we think that open and free communication is the best way to cooperate. KDE developers should be able to tell distributions what our software needs from a distribution in order to work best. And in turn, distributions should be able to tell us what makes our software easy to distribute." A new mailing list has been created to host these conversations.
Mozilla unveils Firefox OS based IoT projects (LinuxGizmos.com)
Over at LinuxGizmos, Eric Brown notes some new "Internet of Things" (IoT) projects from Mozilla that were described in a recent blog post by Ari Jaaksi, Mozilla Senior VP for Connected Devices. "The first projects include a Project Start Home framework for a home automation system, as well as a Project Link personal user agent and Vaani voice interface that would work within such a framework. Finally, there’s a crowdsourced Project SensorWeb for tracking air pollution. Interestingly, the term “Firefox OS” is not used in the latest announcement, despite the reference to Firefox OS Connected Devices in the previous post. Still, all the projects appear to use Firefox OS or Mozilla’s underlying Boot to Gecko (b2g) codebase. Mozilla is seeking testers, developers, and advisers, for all these open source projects."
Security advisories for Thursday
CentOS has updated postgresql (C7; C6: denial of service). Fedora has updated kernel (F23: denial of service) and pcs (F22: two vulnerabilities). Mageia has updated asterisk (denial of service), drupal (multiple vulnerabilities), openssl (multiple vulnerabilities), perl-FCGI (denial of service from 2012), phpmyadmin (cross-site scripting), postgresql (two vulnerabilities), tomcat (multiple vulnerabilities), wireshark (multiple vulnerabilities), xdelta3 (code execution from 2014), and xerces-c (code execution). openSUSE has updated libopenssl0_9_8 (42.1, 13.2: many vulnerabilities, some from 2013 and 2014), libssh2_org (13.2: insecure sessions), and openssl (13.1; 11.4: multiple vulnerabilities). Oracle has updated postgresql (OL7; OL6: denial of service). Red Hat has updated postgresql (RHEL7; RHEL6: denial of service), postgresql92-postgresql (RHSC: denial of service), and rh-postgresql94-postgresql (RHSC: denial of service). Scientific Linux has updated postgresql (SL7; SL6: denial of service). Slackware has updated mailx (drop SSLv2 support), openssl (multiple vulnerabilities), and php (multiple vulnerabilities). SUSE has updated compat-openssl097g (SLE11SP4: multiple vulnerabilities), java-1_7_0-ibm (SLE11SP3: multiple vulnerabilities), and openssl (SLE12, SLE12SP1: multiple vulnerabilities). Ubuntu has updated pixman (14.04, 12.04: code execution from 2014).
Borg, Omega, and Kubernetes (ACM Queue)
Five Google developers share the lessons from ten years of container development in this ACM Queue article. "To cope with these kinds of requirements, configuration-management systems tend to invent a domain-specific configuration language that (eventually) becomes Turing complete, starting from the desire to perform computation on the data in the configuration (e.g., to adjust the amount of memory to give a server as a function of the number of shards in the service). The result is the kind of inscrutable 'configuration is code' that people were trying to avoid by eliminating hard-coded parameters in the application's source code. It doesn't reduce operational complexity or make the configurations easier to debug or change; it just moves the computations from a real programming language to a domain-specific one, which typically has weaker development tools (e.g., debuggers, unit test frameworks, etc)."
[$] LWN.net Weekly Edition for March 3, 2016
The LWN.net Weekly Edition for March 3, 2016 is available.