GitLab and Gitorious have announcedthat GitLab will acquire Gitorious. "Starting today, Gitorious.org users can import their existing projects into GitLab.com by clicking the “Import projects from Gitorious.org†link when creating a new project. Gitorious.org will stay online until the end of May 2015 to give people time to migrate their repositories."
The 4.0-rc2 kernel prepatch is out. "So rc2 missed the usual Sunday afternoon timing, because I spent mostof the weekend debugging an issue that happened on an old Mac Mini Ihave around, and I hate making even early -rc releases with problemson machines that I have direct access to. Even if it only affected oldmachines that actual developers are unlikely to have or at least use.Today I got the patch from Daniel Vetter to fix it, so instead ofdoing a Sunday evening rc2, it's a Tuesday morning one. Go get it. Itworks better for the delay."
The IPython interactive developmentsystem project has announced its 3.0release. "Support for languages other than Python is greatlyimproved, notebook UI has been significantly redesigned, and a lot ofimprovement has happened in the experimental interactive widgets. Themessage protocol and document format have both been updated, whilemaintaining better compatibility with previous versions than priorupdates. The notebook webapp now enables editing of any text file, and evena web-based terminal (on Unix platforms)." (LWN looked at IPython in 2014).
Version 2.2.0 of the VLC media player has been released. According to the announcement, highlights in the new version include automatic, hardware-accelerated rotation of portrait-orientation videos such as those shot on smartphones, resuming playback at the last point watched in the previous session, in-application download and installation of extensions, support for interactive Blu-Ray menus, and "compatibility with a very large number of unusual codecs." The release is available for Linux, Android, and Android TV, plus various Windows and Apple platforms.
Version 3.6 of the LLVM compiler suite is out. Changes include "manymany bug fixes, optimization improvements, support for more proposed C++1z features in Clang, better native Windowscompatibility, embedding LLVM IR in native object files, Go bindings,and more." Details can be found in the LLVM 3.6release notes and the Clang3.6 release notes.
Ars Technica takes a look at Linux gaming and at what effect SteamOS has had already for gaming on Linux. The article also considers the future and where SteamOS might (or might not) take things. "This all brings up another major question for SteamOS followers: how long is this "beta" going to last, exactly? While Valve has unquestionably built a viable Linux gaming market from practically nothing, the company's lackadaisical development timeline might be holding the market back from growing even more. In the last year, the initial excitement behind the SteamOS beta launch seems to have given way to "Valve Time" malaise in some ways."
CentOS has updated thunderbird (C6; C5:multiple vulnerabilities).Debian has updated cups (codeexecution), iceweasel (multiplevulnerabilities), kfreebsd-9 (denial ofservice), and libgtk2-perl (code execution).Fedora has updated libhtp (F20:denial of service).Gentoo has updated samba(multiple vulnerabilities, some from 2012 and 2013).Mageia has updated apache-poi(denial of service), cabextract (privilegeescalation), e2fsprogs (two code executionflaws), firefox, thunderbird (multiplevulnerabilities), and sympa (information disclosure).openSUSE has updated cups (13.2,13.1: code execution)and snack (13.2, 13.1: code execution from 2012).Oracle has updated firefox (OL5:multiple vulnerabilities) and thunderbird(OL6: multiple vulnerabilities).Red Hat has announced that RHEL5.9 support will end on March 31.Scientific Linux has updated firefox (multiple vulnerabilities) and thunderbird (SL6, SL5: multiple vulnerabilities).Slackware has updated thunderbird(multiple vulnerabilities) and firefox(multiple vulnerabilities).SUSE has updated java-1_5_0-ibm(SLE10SP4: many vulnerabilities) and java-1_6_0-ibm (SLE11SP2: two unspecified vulnerabilities).Ubuntu has updated EC2 kernel(10.04: two vulnerabilities), firefox(14.10, 14.04, 12.04: many vulnerabilities), kernel (14.10; 14.04;12.04; 10.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiplevulnerabilities), linux-lts-utopic (14.04:multiple vulnerabilities), and linux-ti-omap4 (12.04: multiple vulnerabilities).
The newest update to the Krita digitalpainting application has been released.Version 2.9 introduces several new user-interface features, updates to thelayers system, and a variety of tool and rendering improvements. The 2.9development cycle was also the project's first to be centered around acrowdfunding campaign.
CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities).Debian-LTS has updated openjdk-6 (multiple vulnerabilities).Fedora has updated dump (F21; F20: code execution) and samba (F21; F20: root code execution).Gentoo has updated grep (denial of service).Mageia has updated freetype2 (many vulnerabilities) and samba (root code execution).openSUSE has updated samba (13.2,13.1: two vulnerabilities).Oracle has updated firefox (OL7; OL6: multiple vulnerabilities).Red Hat has updated firefox(RHEL5,6,7: multiple vulnerabilities) and thunderbird (RHEL5,6: multiple vulnerabilities).SUSE has updated Samba(SLE11 SP3: root code execution).Ubuntu has updated freetype (many vulnerabilities).
Mozilla has released Firefox 36.0. The releasenotes mention a few new features, including support for the fullHTTP/2 protocol. This version will no longer accept insecure RC4 cipherswhenever possible and certificates with 1024-bit RSA keys will be phasedout. See the release notes for more information.
A traditional feature of the tools track at the Linux Foundation'sCollaborationSummit is an update from the developers of the GNU C Library(glibc); that tradition was upheld in fine form at the 2015 event. Glibcdeveloper Roland McGrath noted that while the project is a criticalcomponent in vast numbers of Linux installations, it does not have a lot ofdevelopers working on it. Still, even with a relatively small developerbase, some real progress has been made over the last year.
The Beautiful Queen Marya Morevna is a Russian folk tale. The MorevnaProject makes anime videos about Morevna, using free software. This progressreport covers the status of their newest episode. "Our mainanimation tool is Synfig Studio and for the past years it was improved alot. I guess it’s needles to say, that the new episode will be producedusing the latest development version of Synfig. For current stage of theproject it is important to ensure that the tool is stable enough forproduction, so last weeks we were concentrated on fixing the criticalbugs. As result of this work, wehave published the first Release Candidate for the new stable versionof Synfig Studio, which is going to be numbered as 1.0 by the way."(Thanks to Paul Wise)
The first beta in the GNOME 3.15 development series has beenreleased. GNOME 3.15.90 features a new GNOME shell theme, redesignednotifications in GNOME shell, codec installation integrated ingnome-software, a login screen on Wayland, and more.
The Samba 4.1.17, 4.0.25 and 3.6.25releases are available; they fix an unpleasant code-executionvulnerability. See thisRed Hat security blog entry for more information. "CVE-2015-0240is a security flaw in the smbd file server daemon. It can be exploited by amalicious Samba client, by sending specially-crafted packets to the Sambaserver. No [authentication] is required to exploit this flaw. It can result inremotely controlled execution of arbitrary code as root."
Linus has closed the merge window for this release and released 4.0-rc1 — meaning, of course, that the currentplan is to call the release "4.0". "But nobody shouldnotice. Because moving to 4.0 does *not* mean that we somehow changed whatpeople see. It's all just more of the same, just with smaller numbers sothat I can do releases without having to take off my socks again."The codename has also changed to "Hurr durr I'ma sheep."
Ubuntu has announced the release of the second point release for its 14.04long-term support (LTS). 14.04.2 comes with an updated kernel and X Windowstack to support more hardware, along with "security updates andcorrections for other high-impact bugs" all on updated installationmedia "so that fewer updates will need tobe downloaded after installation". It is available for all of themembers of the Ubuntu clan: Kubuntu, Edubuntu, Xubuntu,Mythbuntu, Ubuntu GNOME, Lubuntu,Ubuntu Kylin, and Ubuntu Studio.One other note from the Ubuntu world: a featurefreeze is in effect for 15.04 ("Vivid Vervet"), which is due in April.
On his blog, Matthew Green gives an update on the plans to audit the TrueCrypt disk encryption tool. Green led an effort in 2013 to raise money for an audit of the TrueCrypt source code, which sort of ran aground when TrueCrypt abruptly shut down in May 2014. "It took us a while to recover from this and come up with a plan B that works within our budget and makes sense. We're now implementing this. A few weeks ago we signed a contract with the newly formed NCC Group's Cryptography Services practice (which grew out of iSEC, Matasano and Intrepidus Group). The project will evaluate the original Truecrypt 7.1a which serves as a baseline for the newer forks, and it will begin shortly. However to minimize price -- and make your donations stretch farther -- we allowed the start date to be a bit flexible, which is why we don't have results yet."
Version 7.9 of the GDB debugger is out. Changes include enhancements tothe Python scripting API, the ability to compile and inject code into thedebugged program, signal-handling improvements, and more.
Debian has updated libreoffice(denial of service).Fedora has updated cups (F20:code execution), dbus (F20: denial ofservice), and freetype (F21; F20: many vulnerabilities).Mageia has updated cpio(privilege escalation), kernel-linus (manyvulnerabilities, two from 2013), kernel-rt(many vulnerabilities, two from 2013), kernel-tmb (many vulnerabilities, twofrom 2013), kernel-vserver (manyvulnerabilities, two from 2013), ruby-sprockets (information disclosure), sudo (information disclosure), and tomcat (HTTP request smuggling).openSUSE has updated tigervnc(13.2: information leak/denial of service) and xorg-x11-server (13.2, 13.1: informationleak/denial of service).Red Hat has updated openstack-glance (access restriction bypass).SUSE has updated java-1_7_0-openjdk (many vulnerabilities, lotsunspecified).Ubuntu has updated nss(TLS certificate update).
Here is astatement from the Electronic Frontier Foundation on the revelationthat Lenovo has been shipping insecure man-in-the-middle malware on itslaptops. "Lenovo has not just injected ads in a wildly inappropriatemanner, but engineered a massive security catastrophe for its users. Theuse of a single certificate for all of the MITM attacks means that allHTTPS security for at least Internet Explorer, Chrome, and Safari forWindows, on all of these Lenovo laptops, is now broken." Foradditional amusement, see Lenovo'sstatement on the issue.There are a lot of Lenovo users in LWN's audience. Presumably most of themhave long since done away with the original software, but those who mighthave kept it around would be well advised to look into the issue; this site can evidently indicatewhether a machine is vulnerable or not.
Debian has updated bind9 (denialof service).Debian-LTS has updated linux-2.6(multiple vulnerabilities, one from 2013).Fedora has updated drupal7-path_breadcrumbs (F21; F20:access restriction bypass).openSUSE has updated perl-YAML-LibYAML (13.2, 13.1: multiplevulnerabilities, one each from 2013 and 2012) and php5 (13.2, 13.1: multiple vulnerabilities).SUSE has updated xntp (SLE10SP4:multiple vulnerabilities).Ubuntu has updated bind9 (14.10,14.04, 12.04: denial of service).
As several LWN readers have pointed out, John-Mark Gurney posted a message to the freebsd-current mailing list on February 17 noting that the random number generator (RNG) in the FreeBSD "current" kernel has been broken for the last four months. "If you are running a current kernel r273872 or later, please upgradeyour kernel to r278907 or later immediately and regenerate keys. I discovered an issue where the new framework code was not callingrandomdev_init_reader, which means that read_random(9) was not returninggood random data. read_random(9) is used by arc4random(9) which isthe primary method that arc4random(3) is seeded from.This means most/all keys generated may be predictable and must beregenerated. This includes, but not limited to, ssh keys and keysgenerated by openssl. This is purely a kernel issue, and a simplekernel upgrade w/ the patch is sufficient to fix the issue."
Opensource.com has an interviewwith John Sullivan, Executive Director of FSF. "I stay involved because I think it's one of the most important social movements in existence, and it needs help—a lot of help. As more and more of the world's social, cultural, economic, and political interactions are mediated by technology, control over the technology becomes incredibly important for the exercise of any basic individual freedoms. I love the people I meet in this work, and the enormity of the challenge."
Bryce Harrington has announcedthe release of Wayland 1.7.0. "The Wayland protocol may beconsidered "done" but that doesn't mean there's not work to be done. This release focused on major improvementsto Wayland's documentation, minor improvements to the testsuite, andsome scattered bugfixes to the code itself."
The Haskell.org site is currently reporting that its Debian packagerepository, deb.haskell.org, has been compromised."`deb.haskell.org` was already offline and suspended shortly afterthese traffic changes were detected by the host monitoring system, meaningthe window for package compromise was very very small. We're continuing toinvestigate the breach and the extent to which it might havespread."
When one thinks about the PHP language, terms like "strong typing" and"strict checking" do not normally come to mind. But, as the project workstoward its next major release (to be called PHP 7), it has becomeembroiled in a fierce debate over the proposed addition of some simpletyping features to the language. To some, PHP is growing up into a safer,better-defined language, while others see the changes as possiblydestroying the character of a historically freewheeling language.Click below (subscribers only) for the full article.
Do you have an opinion on whether the next kernel release should be called3.20 or 4.0? Linus is currently running apoll on Google+ to get a sense for what people would prefer. "So- continue with v3.20, because bigger numbers are sexy, or just move tov4.0 and reset the numbers to something smaller?"As of this writing, the 4.0 option appears to be winning.
Over at Linux Journal, Joey Bernard looks at Distro Astro, which is a Linux distribution for astronomy. It collects programs of interest to those running telescopes and planetariums, including various image collection and processing applications."After aiming your telescope, you need to collect some images or do some astrophotography. While you can do some of this with software like KStars, you have software specifically designed to do image capture. Some, like wxAstroCapture, are specifically written for use in astronomy. With it, you can set up automatic guiding and batch image collection. You then can go have a nice hot cup of coffee while your telescope collects your data. To help you keep track of all of these observations, you can use the Observation Manager, a logging program to maintain your records."
The free-software community has frequently advocated thedevelopment of new decentralized, federated network services—forexample, promoting XMPP as an alternative to AOL Instant Messenger,StatusNet as an alternative to Twitter, or Diaspora as an alternativeto Facebook. The recently launched Matrix project takes on a different service: IRC-like multi-user chat.
CentOS has updated kernel (C5: denial of service) and subversion (C7; C6: multiple vulnerabilities).Debian has updated ruby1.8 (denial of service).openSUSE has updated krb5 (13.2:multiple vulnerabilities) and xen (13.2: multiple vulnerabilities).Oracle has updated subversion (OL7; OL6: multiple vulnerabilities).Red Hat has updated chromium-browser (RHEL6 Supplementary:multiple vulnerabilities), kernel (RHEL5: denial of service), and subversion (RHEL7; RHEL6: multiple vulnerabilities).Scientific Linux has updated kernel (SL5: denial of service), shim (SL7: multiple vulnerabilities), and subversion (SL6: two vulnerabilities).Ubuntu has updated krb5 (multiplevulnerabilities) and oxide-qt (14.10,14.04: multiple vulnerabilities).
Last week the Red Hat developer blog looked at some changes coming with GCC5.This week's articlecovers how those changes will be handled in Fedora. "One consequence of this decision will be that Fedora 22 and Fedora 23 will both have GCC 5, but they’ll be fundamentally different. The C++ library (libstdc++.so) will becompatible between F22 and F23 (in fact, it will be almost exactly the same,modulo some extra patches from upstream that might be pulled into the later F23 build). The difference will be all the other DSOs that link to it. That’s important for Fedora developers to note.Specifically, FESCo’s decision means the C++ standard library headers installed by thelibstdc++-devel RPM will have a different default value for the _GLIBCXX_USE_CXX11_ABI macro (0 in F22 and 1 in F23) but the libstdc++.so library will be largely the same in F22 and F23, because that library contains all the symbol definitions for both the old ABI and the new ABI, so that the same library works for both cases."
Version8 of the ownCloud server is available. "This new release bringsimproved sharing and collaboration between clouds and introduces fasterways of getting at your files with favorites and improved search."See the feature page for details.
LWN.net