LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-20 06:00
An interview with Larry Wall (LinuxVoice)
LinuxVoice has an interview with Perl creator Larry Wall. "So I was the language designer, but I was almost explicitly told: 'Stay out of the implementation! We saw what you did made out of Perl 5, and we don’t like it!' It was really funny because the innards of the new implementation started looking a whole lot like Perl 5 inside, and maybe that’s why some of the early implementations didn’t work well."
How to win the copyleft fight—without litigation (Opensource.com)
Opensource.com has an interview with Bradley Kuhn. "I continued on in my professional career, which included developing and supporting proprietary software, but I found that the lack of source code and/or the ability to rebuild it myself constantly hampered my ability to do my job. Proprietary software companies today are more careful to give "some open source"; thus, many technology professionals don't realize until it's too late how crippling proprietary software can be when you rely on it every day. In the mid 1990s, hardly any business software license gave us software freedom, so denying our rights to practice our profession (i.e., fix software) made many of us hate our jobs. I considered leaving the field of software entirely because I disliked working with proprietary software so much. Those experiences made me a software freedom zealot. I made a vow that I never wanted any developer or sysadmin to feel the constraints of proprietary software licensing, which limits technologists by what legal agreements their company's lawyers can negotiate rather than their technical skill."
NSA releases Linux-based open source infosec tool (ITNews)
ITNews reports that the US National Security Agency is in the process of releasing its systems integrity management platform - SIMP. "SIMP helps to keep networked systems compliant with security standards, the NSA said, and should form part of a layered, "defence-in-depth" approach to information security. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies." Currently only RHEL and CentOS versions 6.6 and 7.1 are supported.
Tuesday's security advisories
Fedora has updated cups-filters (F22: code execution), firefox (F22; F21: multiple vulnerabilities), libssh (F22: denial of service), openssl (F22; F21: certificate verification botch), openvas-cli (F22: sql injection), openvas-libraries (F22: sql injection), openvas-manager (F22: sql injection), openvas-scanner (F22: sql injection), pcre (F22: two vulnerabilities), polkit (F22: multiple vulnerabilities), rubygem-moped (F22; F21: denial of service), and wesnoth (F22; F21: information leak). openSUSE has updated roundcubemail (13.1: multiple vulnerabilities). Red Hat has updated kernel (RHEL6: multiple vulnerabilities).
[$] Why Debian returned to FFmpeg
Slightly less than one year ago, the Debian community had an extended discussion on whether the FFmpeg multimedia library should return to the distribution. Debian had followed the contentious libav fork when it happened in 2011, but some community members were starting to have second thoughts about that move. At the time, the discussion died out without any changes being made, but the seeds had evidently been planted; on July 8, the project's multimedia developers announced that not only was FFmpeg returning to Debian, but it would be replacing libav. Click below (subscribers only) for a look at how this decision was made.
Security advisories for Monday
Arch Linux has updated krb5 (two vulnerabilities), lib32-krb5 (two vulnerabilities), lib32-openssl (certificate verification botch), and thunderbird (multiple vulnerabilities). Debian-LTS has updated bind9 (denial of service) and libunwind (buffer overflow). Fedora has updated cups-x2go (F21: multiple vulnerabilities), libwmf (F22: multiple vulnerabilities), mariadb (F21: man-in-the-middle attack), openssh (F22; F21: restriction bypass), and s3ql (F22; F21: code execution). Gentoo has updated libcapsinetwork (denial of service). openSUSE has updated Firefox, nss (13.2, 13.1: multiple vulnerabilities). Slackware has updated thunderbird (multiple vulnerabilities). SUSE has updated MySQL (SLES11SP2, SP1: cipher-downgrade attacks) and kernel (SLES11SP3: multiple vulnerabilities).
Kernel prepatch 4.2-rc2
The second 4.2 prepatch is available for testing. "This is not a particularly big rc, and things have been fairly calm. We definitely did have some problems in -rc1 that bit people, but they all seemed to be pretty small, and let's hope that -rc2 ends up having fewer annoying issues."
Jones: Future development of Trinity
Here's a discouraging blog post from Dave Jones on why he will no longer be developing the Trinity fuzz tester. "It’s no coincidence that the number of bugs reported found with Trinity have dropped off sharply since the beginning of the year, and I don’t think it’s because the Linux kernel suddenly got lots better. Rather, it’s due to the lack of real ongoing development to 'try something else' when some approaches dry up. Sadly we now live in a world where it’s easier to get paid to run someone else’s fuzzer these days than it is to develop one."
Microservices 101: The good, the bad and the ugly (ZDNet)
ZDNet has an interview about "microservices" with Red Hat VP of engineering for middleware, Dr. Mark Little. Microservices are a relatively recent software architecture that relies on small, easily replaced components and is an alternative to the well-established service-oriented architecture (SOA)—but it is not a panacea: "'Just because you adopt microservices doesn't suddenly mean your badly architected ball of mud is suddenly really well architected and no longer a ball of mud. It could just be lots of distributed balls of mud,' Little said. 'That worries me a bit. I've been around service-oriented architecture for a long time and know the plus points and the negative points. I like microservices because it allows us to focus on the positive points but it does worry me that people see it as the answer to a lot of problems that it's never going to be the answer for.'"
A new crop of stable kernels
Greg Kroah-Hartman has announced the release of the 4.1.2, 4.0.8, 3.14.48, and 3.10.84 stable kernels. All contain important fixes and users should upgrade. In addition, this is the second to last 4.0.x release (i.e. there will be a 4.0.9, but that's the last), so users should be making plans to move to 4.1.x.
Friday's security updates
Arch Linux has updated openssl (certificate verification botch). CentOS has updated php (C6: many vulnerabilities, some from 2014). Debian has updated pdns (full fix for denial of service) and pdns-recursor (full fix for denial of service). Gentoo has updated adobe-flash (multiple vulnerabilities, one from 2014), chromium (multiple vulnerabilities), mysql (multiple vulnerabilities), net-snmp (denial of service from 2014), openssl (certificate verification botch), oracle-jre-bin (multiple vulnerabilities, some from 2014), perl (denial of service from 2013), portage (certificate verification botch from 2013), pypam (code execution from 2012), and t1utils (multiple vulnerabilities). Mageia has updated openssl (certificate verification botch). openSUSE has updated MariaDB (13.2, 13.1: many vulnerabilities, some from 2014). Oracle has updated php (OL6: many vulnerabilities, some from 2014). Red Hat has updated php (RHEL6: many vulnerabilities, some from 2014) and php54-php (RHSC2: multiple vulnerabilities). Scientific Linux has updated php (SL6: many vulnerabilities, some from 2014). Slackware has updated openssl (certificate verification botch). Ubuntu has updated firefox (15.04, 14.10, 14.04: multiple vulnerabilities) and nss (two vulnerabilities).
Security advisories for Thursday
Debian has updated python-django (two vulnerabilities). Mageia has updated bind (denial of service), cups-filters (two code execution vulnerabilities), flash-player-plugin (many vulnerabilities), openssh (access restriction bypass), and virtuoso-opensource (multiple unspecified vulnerabilities). openSUSE has updated flash-player (11.4: unspecified vulnerabilities), libwmf (13.2, 13.1: multiple vulnerabilities), mysql-community-server (13.2, 13.1: cipher downgrade), tiff (13.2, 13.1: multiple vulnerabilities), and wireshark (13.2: two denial of service vulnerabilities). Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities). SUSE has updated flash-player (SLE12: many vulnerabilities). Ubuntu has updated python-django (two vulnerabilities).
A new OpenSSL vulnerability
The OpenSSL project has disclosed a new certificate validation vulnerability. "During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and 'issue' an invalid certificate." This is thus a client-side, man-in-the-middle vulnerability. Note that the affected versions of OpenSSL were released in mid-June; anybody with an older release should not be vulnerable.
The Core Infrastructure Initiative census project
The Core Infrastructure Initiative (a Linux Foundation effort to direct resources to critical projects in need of help) has announced a census project to identify the development projects most in need of assistance. "Unlike the Fed’s stress tests, which are opaque, all of the census data and analysis is open source. We are eager for community involvement. We encourage developers to fork the project and experiment with different data sources, different parameters, and different algorithms to test out the concept of an automated risk assessment census. We are also eager for input to help sanitize and complete the data that was used in this first iteration of the census."
[$] LWN.net Weekly Edition for July 9, 2015
The LWN.net Weekly Edition for July 9, 2015 is available.
[$] A preview of PostgreSQL 9.5
The PostgreSQL 9.5 alpha release is now available for testing. In this feature article, PostgreSQL core team member Josh Berkus discusses the need for an alpha release and introduces a number of the new features that will show up in 9.5. Click below (subscribers only) for the full article.
Security advisories for Wednesday
Arch Linux has updated bind (denial of service) and flashplugin (code execution). Debian has updated bind9 (denial of service). Debian-LTS has updated linux-ftpd-ssl (segmentation fault). openSUSE has updated flash-player (13.2, 13.1: code execution). Oracle has updated abrt (OL6: multiple vulnerabilities). Scientific Linux has updated abrt (SL6: multiple vulnerabilities). Slackware has updated bind (denial of service), cups (code execution), firefox (multiple vulnerabilities), and ntp (denial of service). SUSE has updated bind (SLE11SP3: denial of service) and Xen (SLES10SP4: two vulnerabilities). Ubuntu has updated bind9 (15.04, 14.10, 14.04, 12.04: denial of service) and libwmf (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
Debian to switch back to ffmpeg
After nearly a year of consideration, the Debian project has decided to switch back to the ffmpeg multimedia library at the expense of its fork libav. See this wiki page for a summary of the current reasoning behind the switch.
[$] Self-hosting projects with Gogs
In May, we noted the problems that GIMP and other free-software projects have encountered of late with the SourceForge project-hosting service. While there are plenty of alternative hosting providers to choose from, some developers will likely always prefer to self-host their projects—precisely because an outside service provider can make just such an abrupt or surprising about-face. Gogs is one option for those taking the self-hosting approach: it provides a web-based front-end to a GitHub-like hosting service. Gogs offers quite a few features, but its choice of GitHub-like qualities may not be to everyone's tastes.
ownCloud 8.1 released
The ownCloud 8.1 release is out. "This release marks significant under the hood improvements, such as increasing scalability and performance of syncing and file operations while making ownCloud a better platform for developers to build upon. Security enhancements, integrated documentation links, more control in the admin panel over external storage, LDAP and encryption make ownCloud more secure and easier to use." See the release notes for details.
Security updates for Tuesday
Arch Linux has updated ntp (denial of service). CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities). Debian has updated cups-filters (code execution) and libwmf (code execution). Gentoo has updated exiv2 (denial of service), icu (code execution), libvncserver (multiple vulnerabilities), libxml2 (denial of service), sqlite (three vulnerabilities), tor (denial of service), and unrtf (code execution). Red Hat has updated abrt (RHEL6: multiple vulnerabilities) and kernel (RHEL6.4: privilege escalation). Ubuntu has updated haproxy (15.04, 14.10: information leak), kernel (15.04; 14.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-lts-vivid (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: privilege escalation).
Stable kernel updates
Greg KH has released two new stable kernels: 3.14.47 and 3.10.83. Both contain important fixes.
Security advisories for Monday
Arch Linux has updated haproxy (information leak) and openssh (restriction bypass). Debian has updated haproxy (information leak) and iceweasel (multiple vulnerabilities). Debian-LTS has updated aptdaemon (information leak) and virtualbox-ose (multiple vulnerabilities). Fedora has updated ansible (F22; F21: two vulnerabilities), mariadb (F22: man-in-the-middle attack), pam (F21: denial of service), and trafficserver (F22; F21: several vulnerabilities). Gentoo has updated chrony (multiple vulnerabilities). Mageia has updated chromium-browser (MG4,5: multiple vulnerabilities), coreutils (MG4: memory handling error), curl (MG5: information disclosure), filezilla (MG4,5: cipher-downgrade attacks), firefox (MG4,5: multiple vulnerabilities), libwmf (MG4,5: multiple vulnerabilities), mysql-connector-java (MG4: information disclosure), owncloud-client (MG4,5: man-in-the-middle attack), pam (MG4,5: denial of service), pcre (MG5: information leak), php (MG4: multiple vulnerabilities), polkit (MG4,5: multiple vulnerabilities), tidy (MG4: buffer overflow), and wireshark (MG5: denial of service). openSUSE has updated php5 (13.2, 13.1: multiple vulnerabilities) and phpMyAdmin (13.2, 13.1: three vulnerabilities). Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities). SUSE has updated OpenSSL (SLE11SP3; SLED11SP3, SLES10SP4; SLES11SP2; SLES10SP4: multiple vulnerabilities). Ubuntu has updated cups-filters (15.04, 14.10, 14.04, 12.04: code execution) and php5 (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
Kernel Summit 2015: Call for Proposals
The 2015 Kernel Summit will be held October 26-28 in Seoul, South Korea; the call for discussion proposals is out now. Now would be a good time for those who would like to attend the Summit to come up with a good topic and get the discussion going. Proposals are due by July 31.
Kernel prepatch 4.2-rc1
Linus has released 4.2-rc1 and closed the merge window for this development cycle. As Linus explains, 4.2 may, in the end, not end up being the development cycle with the most commits ever, but there is still a lot going on. "However, if you count the size in pure number of lines changed, this really seems to be the biggest rc we've ever had, with over a million lines added (and about a quarter million removed). That beats the previous champion (3.11-rc1) that was huge mainly due to Lustre being added to the staging tree." The source of the biggest chunk of those new lines is the new amdgpu graphics driver.
Firefox 39 released
Firefox 39 has been released for both desktop and mobile systems. The new features include a social sharing tool for the Firefox Hello video chat subsystem. It is designed to make it easier to share Firefox Hello chat invitations over third-party social networks. In addition, Firefox's existing phishing-and-malware detection tool has been extended to cover downloads, support has been added for Unicode 8.0's multi-ethnic emoji characters, and there is improved support for the Accessible Rich Internet Applications (ARIA) standard.
Friday's security updates
Arch Linux has updated firefox (multiple vulnerabilities) and wesnoth (information leak). Debian has updated stunnel4 (authentication bypass). Debian-LTS has updated libxml2 (multiple vulnerabilities) and pykerberos (insecure authentication). Fedora has updated drupal6 (F21; F22: account hijacking) and drupal7 (F21; F22: multiple vulnerabilities). openSUSE has updated flash-player (11.4). Oracle has updated firefox (O5; O6; O7: multiple vulnerabilities). Red Hat has updated firefox (RHEL: multiple vulnerabilities) and openstack-cinder (RHEL OSP: file disclosure). SUSE has updated MySQL (SLE11 SP3: cipher downgrade attack), ntp (SLE11 SP3: multiple vulnerabilities), and OpenSSL (SLE 10 Client Tools; SUSE Manager 11 SP2, Studio Onsite; SLE 11 SAP; SLE 11 SP1; SLE SM 11 SP3: multiple vulnerabilities).
Security advisories for Thursday
CentOS has updated openssl (C5: three vulnerabilities). Debian-LTS has updated unattended-upgrades (improper package authentication).
[$] LWN.net Weekly Edition for July 2, 2015
The LWN.net Weekly Edition for July 2, 2015 is available.
Supreme Court won’t weigh in on Oracle-Google API copyright battle (Ars Technica)
Ars Technica reports that the US Supreme Court rejected Google's appeal of the Google-Oracle API copyright dispute. "Despite the high court's inaction on the case, the Google-Oracle legal flap is far from resolved. That's because the appeals court sent the case back to the lower courts to determine whether Google's use of the code in Android—which it no longer uses—constitutes a "fair use." Oracle is seeking $1 billion in damages. "This is not the end of the road for this case—the Federal Circuit decision explicitly left open the possibility that the kinds of uses Google made were permissible under copyright's fair use doctrine," said Charles Duan, the director of Public Knowledge's patent reform project." (Thanks to Martin Michlmayr)
[$] News and updates from DockerCon 2015
DockerCon on June 22 and 23 was a much bigger affair than CoreOS Fest or ContainerCamp. DockerCon rented out the San Francisco Marriott for the event; the keynote ballroom seats 2000. That's a pretty dramatic change from the first DockerCon last year, with roughly 500 attendees; it shows the huge growth of interest in Linux containers. Or maybe, given that it's Silicon Valley, what you're seeing is the magnetic power of $95 million in round-C funding. Subscribers can click below for a report from DockerCon by guest author Josh Berkus.
Security advisories for Wednesday
Debian has updated jackrabbit (information leak). Debian-LTS has updated libcrypto++ (information disclosure), libmodule-signature-perl (multiple vulnerabilities), and ruby1.9.1 (denial of service). Fedora has updated abrt (F21: multiple vulnerabilities), cups-x2go (F22: multiple vulnerabilities), elfutils (F22: hardening fixes), gnome-abrt (F21: multiple vulnerabilities), kernel (F21: denial of service), libreport (F21: multiple vulnerabilities), pam (F22: denial of service), and rubygem-activesupport (F22; F21: two vulnerabilities). Mageia has updated apache-mod_jk (MG4: information disclosure), drupal (MG4,5: multiple vulnerabilities), libvpx (MG4,5: denial of service), p7zip (MG4,5: directory traversal), postgresql (MG4: multiple vulnerabilities), and python-tornado (MG4: side-channel attack). openSUSE has updated p7zip (13.2, 13.1: directory traversal). Oracle has updated openssl (OL5: multiple vulnerabilities). Scientific Linux has updated openssl (SL5: multiple vulnerabilities).
Linux Foundation Announces R Consortium
The Linux Foundation has announced the R Consortium. "The R language is used by statisticians, analysts and data scientists to unlock value from data. It is a free and open source programming language for statistical computing and provides an interactive environment for data analysis, modeling and visualization. The R Consortium will complement the work of the R Foundation, a nonprofit organization based in Austria that maintains the language. The R Consortium will focus on user outreach and other projects designed to assist the R user and developer communities. Founding companies and organizations of the R Consortium include The R Foundation, Platinum members Microsoft and RStudio; Gold member TIBCO Software Inc.; and Silver members Alteryx, Google, HP, Mango Solutions, Ketchum Trading and Oracle."
Tuesday's security advisories
CentOS has updated postgresql (C7; C6: multiple vulnerabilities) and xerces-c (C7: denial of service). Debian has updated unattended-upgrades (authentication bypass). Debian-LTS has updated aptdaemon (information leak), hostapd (denial of service), jqueryui (cross-site scripting), and shibboleth-sp2 (denial of service). Fedora has updated chicken (F22; F21: out-of-bounds read), openvas-cli (F21: sql injection), openvas-libraries (F21: sql injection), openvas-manager (F21: sql injection), openvas-scanner (F21: sql injection), php-htmLawed (F22; F21: multiple vulnerabilities), postgresql (F21: multiple vulnerabilities), python-jwt (F22; F21: token verification bypass), rubygem-jquery-rails (F22; F21: CSRF vulnerability), and rubygem-web-console (F22: code execution). Oracle has updated postgresql (OL7; OL6: multiple vulnerabilities) and xerces-c (OL7: denial of service). Red Hat has updated kernel (RHEL6.5: two vulnerabilities), openssl (RHEL5: multiple vulnerabilities), postgresql (RHEL6,7: multiple vulnerabilities), postgresql92-postgresql (RHSCL2: multiple vulnerabilities), rh-postgresql94-postgresql (RHSCL2: multiple vulnerabilities), and xerces-c (RHEL7: denial of service). Scientific Linux has updated nss (SL6,7: cipher-downgrade attacks), postgresql (SL6,7: multiple vulnerabilities), and xerces-c (SL7: denial of service). SUSE has updated java-1_6_0-ibm (SLEM12: multiple vulnerabilities). Ubuntu has updated oxide-qt (15.04, 14.10, 14.04: multiple vulnerabilities) and unattended-upgrades (15.04, 14.10, 14.04, 12.04: authentication bypass).
Amazon's new TLS implementation
Amazon has announced the release of a new TLS library called "s2n" under the Apache license. "s2n is a library that has been designed to be small, fast, with simplicity as a priority. s2n avoids implementing rarely used options and extensions, and today is just more than 6,000 lines of code. As a result of this, we’ve found that it is easier to review s2n; we have already completed three external security evaluations and penetration tests on s2n, a practice we will be continuing."
Stable kernel updates
Four new stable kernels are available: 4.1.1, 4.0.7, 3.14.46, and 3.10.82. All contain important fixes.
Security updates for Monday
Debian has updated libcrypto++ (information disclosure). Debian-LTS has updated cacti (multiple vulnerabilities), libwmf (denial of service), and t1utils (code execution). Fedora has updated kernel (F22: denial of service). openSUSE has updated roundcubemail (13.2: two vulnerabilities). Scientific Linux has updated kvm (SL5: code execution). SUSE has updated java-1_7_0-ibm (SLE11SP3: multiple vulnerabilities) and Xen (SLES11SP2; SLES11SP1: multiple vulnerabilities).
Valve: Introducing SteamOS "brewmaster"
Valve has announced the first preview release of its forthcoming SteamOS update. The new release is based on Debian 8.1 with long-term support kernel 3.18; there are downloadable builds linked to in the announcement for both UEFI and legacy BIOS systems. There appear to be few user-visible differences between the new release and the current SteamOS so far, though; the announcement notes: "Although there are a lot of changes under the covers, the overall functionality and experience of brewmaster is the same as alchemist."
Friday's security updates
CentOS has updated kvm (C5: code execution). Debian-LTS has updated librack-ruby (denial of service) and libwmf (multiple vulnerabilities). openSUSE has updated flash-player (13.1, 13.2: code execution), chromium (13.1, 13.2: multiple vulnerabilities), and openssl (13.1, 13.2: multiple vulnerabilities). Oracle has updated kvm (O5: code execution) and nss (O6; O7: cipher-downgrade attacks). Red Hat has updated kernel (RHEL5: privilege escalation) and kvm (RHEL5: code execution). Scientific Linux has updated kernel (SL7: multiple vulnerabilities) and mailman (SL7: code execution). SUSE has updated compat-openssl098 (SLE12: multiple vulnerabilities), KVM (SLE11 SP3: multiple vulnerabilities), and openssl (SLE12: multiple vulnerabilities).
Ardour 4.1 released
Version 4.1 of the Ardour digital audio workstation software has been released. There are some new features in the release including input gain control, support for capture-only and playback-only devices, a real "Save As" option (with the old option being renamed to "Snapshot (& switch to new version)"), and allowing plugins to be reordered and meter positions to change without adding a click into the audio. There are also lots of user interface changes, including better High-DPI support. "This release contains several new features, both internally and in the user interface, and a slew of bug fixes worthy of your attention. Encouragingly, we also have one of our longest ever contributor lists for this release. We had hoped to be on a roughly monthly release cycle after the release of 4.0, but collaborations with other organizations delayed 4.1 by nearly a month."
Joint Statement from the UCC and KC
The Ubuntu Community Council (UCC) and Kubuntu Council (KC) have issued a joint statement regarding the conflict between Jonathan Riddell and the UCC. "We have mutually agreed that KDE is important to Ubuntu, and the Kubuntu Council believes that Ubuntu is important to the KDE community as well. Therefore we have a basis to work together on putting out a lovely Wily release. We recognize that there are honest and strong feelings about both the things that led up to the current controversy and the way that resolution of it was handled. Despite that, we would all like to move forward as best we can for the betterment of the Ubuntu project, including Kubuntu." LWN covered the controversy in late May.
Thursday's security updates
CentOS has updated nss (C7; C6: cipher downgrade) and nss-util (C7; C6: cipher downgrade). Debian has updated cacti (three vulnerabilities). Fedora has updated xen (F20: multiple vulnerabilities). Oracle has updated kernel 2.6.39 (OL6; OL5: two vulnerabilities), kernel 3.8.13 (OL7; OL6: two vulnerabilities), and kernel 2.6.32 (OL6; OL5: two vulnerabilities). Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), flash-plugin (RHEL5&6: code execution), nss (RHEL6&7: cipher downgrade), php55-php (RHSC2: multiple vulnerabilities), and rh-php56-php (RHSC2: multiple vulnerabilities). Scientific Linux has updated libreswan (SL7: denial of service) and php (SL7: multiple vulnerabilities). SUSE has updated IBM Java (SLE10SP4: multiple vulnerabilities) and Java (SLE11SP2: multiple vulnerabilities). Ubuntu has updated python2.7, python3.2, python3.4 (14.10, 14.04, 12.04: multiple vulnerabilities, some from 2013), tomcat6 (12.04: three vulnerabilities), and tomcat7 (15.04, 14.10, 14.04: multiple vulnerabilities).
[$] LWN.net Weekly Edition for June 25, 2015
The LWN.net Weekly Edition for June 25, 2015 is available.
[$] A report from PGCon 2015
PGCon 2015, the PostgreSQL international developer conference, took place in Ottawa, Canada from June 16 to 20. This PGCon involved a change in format from prior editions, with a "developer unconference" in the two days before the main conference program. Both the conference and the unconference covered a wide range of topics, many of them related to horizontal or vertical scaling, or to new PostgreSQL features. Subscribers can click below for a report from the conference from guest author Josh Berkus.
Security updates for Wednesday
Arch Linux has updated flashplugin (code execution). CentOS has updated kernel (C7: multiple vulnerabilities), libreswan (C7: denial of service), mailman (C7: path traversal attack), and php (C7: multiple vulnerabilities). Debian has updated wireshark (denial of service). Debian-LTS has updated zendframework (regression in previous update). Fedora has updated curl (F22: information disclosure), libwmf (F21: code execution), openssl (F21: multiple vulnerabilities), and xen (F22; F21: multiple vulnerabilities). Mageia has updated flash-player-plugin (multiple vulnerabilities). openSUSE has updated cacti (13.2, 13.1: SQL injection), curl (13.2, 13.1: information disclosure), and libwmf (13.2; 13.1: code execution). Oracle has updated kernel (OL7: multiple vulnerabilities), libreswan (OL7: denial of service), mailman (OL7: path traversal attack), and php (OL7: multiple vulnerabilities). SUSE has updated flash-player (SLED12: code execution).
Red Hat Announces Winners of Women in Open Source Awards
Red Hat has announced the winners of its Women in Open Source Awards. The Academic Award goes to Kesha Shah, a student at Dhirubhai Ambani Institute of Information and Communication Technology, and the Community Award goes to Sarah Sharp, embedded software architect at Intel. Opensource.com has interviews with both women. Kesha Shah: "Last year, I was a mentor in Season of KDE and GCI again, with BRLCAD and KDE. Now, I am currently working on testing automation of Ushahidi with Systers, an Anita Borg community, as a part of GSoC. During my journey, I had seen several of my peers enter the domain, succeed, and fail in equal measure. So, I took up the challenge of mentoring newbies. One of my biggest achievements is that I have personally guided about 20-22 newbies into the world of open source through mentoring programs like GCI, SoK, Learn IT girls, and through conducting hands-on workshops and enlightening talks on open source. Those efforts converted them to regular contributors." Sarah Sharp: "My second proudest moment is the very first round when the Linux kernel participated in the Outreach Program for Women (now called Outreachy). A lot of kernel maintainers complained about how newcomers would send them mangled patches, and grump about how the newcomers should really just RTFM and look at our patch submission guidelines. Of course, it turned out the manual was lacking or out of date, and there were a lot of steps to set up tools for Linux kernel development, so I spent a week and created a step-by-step tutorial. It was really gratifying to see those first applicants go through my tutorial and send well-formed patches. I've loved watching those interns move onto bigger projects, and even get hired to work on the Linux kernel, and I'm really proud I was able to help people get involved in Linux kernel development."
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.0.6, 3.14.45, and 3.10.81. All of them contain important fixes throughout the tree.
Tuesday's security advisories
Arch Linux has updated curl (information disclosure). Debian-LTS has updated postgresql-8.4 (denial of service). Fedora has updated xorg-x11-server (F22: permission bypass). Gentoo has updated chromium (multiple vulnerabilities) and gnutls (denial of service). Red Hat has updated kernel (RHEL7: multiple vulnerabilities), kernel-rt (RHEL7; RHEMRG2.5: multiple vulnerabilities), libreswan (RHEL7: denial of service), mailman (RHEL7: path traversal attack), and php (RHEL7: multiple vulnerabilities). SUSE has updated e2fsprogs (SLE11SP4: code execution). Ubuntu has updated kernel (14.10; 14.04; 12.04: regression in previous update), linux-ti-omap4 (12.04: regression in previous update), linux-lts-trusty (12.04: regression in previous update), linux-lts-utopic (14.04: regression in previous update), and patch (14.10, 14.04, 12.04: multiple vulnerabilities).
The Open Container Project
The Open Container Project has announced its existence. "Housed under the Linux Foundation, the OCP’s mission is to enable users and companies to continue to innovate and develop container-based solutions, with confidence that their pre-existing development efforts will be protected and without industry fragmentation. As part of this initiative, Docker will donate the code for its software container format and its runtime, as well as the associated specifications. The leadership of the Application Container spec (“appc”) initiative, including founding member CoreOS, will also be bringing their technical leadership and support to OCP."
Security advisories for Monday
Debian has updated pyjwt (accepts arbitrary tokens). Debian-LTS has updated libclamunrar (double-free error), qemu (code execution), qemu-kvm (code execution), and zendframework (multiple vulnerabilities). Fedora has updated abrt (F22: multiple vulnerabilities), cups (F22; F21: two vulnerabilities), drupal7-views (F22; F21; F20: access bypass), gnome-abrt (F22: multiple vulnerabilities), kernel (F22; F21: privilege escalation), krb5 (F21: two vulnerabilities), libreport (F22: multiple vulnerabilities), openssl (F22: multiple vulnerabilities), postgresql (F22: multiple vulnerabilities), qemu (F21: denial of service), qpid-cpp (F21: two vulnerabilities), and satyr (F22: multiple vulnerabilities). Gentoo has updated adobe-flash (multiple vulnerabilities) and openssl (multiple vulnerabilities). openSUSE has updated cgit (13.2, 13.1: code execution), xen (13.2; 13.1: multiple vulnerabilities), and XWayland (13.2: permission bypass). SUSE has updated IBM Java (SLE11SP3: multiple vulnerabilities).