LWN.net

The Creative Commons has announced that a"detailedanalysis" has determined that materials licensed under BY-SA 4.0license may be distributed under the terms of GPLv3. "But if youruse case calls for or requires (in the case of remixing CC BY-SA 4.0 andGPLv3 material to make a single adaptation) releasing a CC BY-SA 4.0adaptation under GPLv3, now you can: copyright in the guise of incompatiblecopyleft licenses is no longer a barrier to growing the part of the commonsyou’re working in. We hope that this new compatibility not only removes abarrier, but helps inspire new and creative combinations of software andculture, design, education, and science, and the adoption of software bestpractices such as source control (e.g., through “git”) in thesefields."

On his blog, Martin Gräßlin has posted an update on porting KDE's Plasma desktop to Wayland. There has been progress in various areas, including transient window positioning (which makes menus appear at the right location), Plasma/KWin specific extensions, support for multiple X servers, and support for "KWin in the cloud":"So on Friday I decided to dedicate my development time on a virtual framebuffer backend. This backend (to start use kwin_wayland --xwayland --virtual) doesn’t render to any device, but only “simulates” rendering by using a QImage which then isn’t used at all. Well not completely true: there is an environment variable to force the backend to store each rendered frame into a temporary directory.Why is such a virtual backend so exiting? Well it means we can run KWin anywhere. We are not bound to any hardware restrictions like screen attached or screen resolution. With other words we can run it on servers – in the cloud. The first such instance runs on our CI [continuous integration] servers in the form of an automated integration test. And in future there will be much more such tests."

Arch Linux has updated bugzilla(privilege escalation).openSUSE has updated IPython,(cross-site scripting).SUSE has updated php5 (SLE11SP2:three vulnerabilities).

SCSI subsystem maintainer James Bottomley has posted adifferent view on the issue of civility on the kernel's mailing lists."So, by and large, I’m proud of the achievements we’ve made incivility and the way we have improved over the years. Are we perfect? byno means (but then perfection in such a large community isn’t a realisticgoal). However, we have passed our stress test: that an individual withbad patches to several mailing lists was met with courtesy and helpfuladvice, in spite of serially repeating the behaviour."

The LWN.net Weekly Edition for October 8, 2015 is available.

Drivers for graphics hardware are an important part of the graphics stack,so it was not unexpected that the 2015 X.Org DevelopersConference had several status updates for free graphics drivers. Threeprojects had talks: theNouveau driver forNVIDIA devices, the amdgpu driver for AMDhardware, and the Etnaviv driver forVivante GPUs. Each presented an update on its progress and plans.

Debian has updated freetype(denial of service) and zendframework (two vulnerabilities).Fedora has updated openhpi (F22:world writable /var/lib/openhpi directory) and wireshark (F22: multiple vulnerabilities).Ubuntu has updated spice (15.04,14.04: multiple vulnerabilities).

Back in the distant past (May 2015), LWN lookedat a couple of efforts to provide improved string-handling primitivesto the kernel. One of those two was recently merged, while the other hasrun into trouble; both cases highlight a fundamental concern Linus hasabout this type of kernel patch. The end result is that it is possible toevolve the kernel toward safer interfaces, but attempts to do so as a seriesof mass changes will probably not end well.

Open Invention Network (OIN) marks its ten year anniversary. "Since its founding in 2005, Open Invention Network has grown its community to over 1,700 participants – from sizable multinational companies to key open source projects to emerging businesses. OIN has expanded its strategic patent portfolio to more than 1,000 worldwide patents and applications. In parallel, the zone of patent non-aggression that is defined by OIN’s Linux System definition has evolved to include more than 2,300 software packages, which ensures freedom of action in core functionality for global open source projects and technology platforms such as Linux, Red Hat, SUSE, Android, Open Stack and Apache."

Arch Linux has updated nodejs (denial of service).Fedora has updated libvpx (F21:denial of service), openjpeg2 (F22: codeexecution), pixman (F22: buffer overflow),unzip (F21: two vulnerabilities), webkitgtk (F22; F21: denial of service), and webkitgtk3 (F22; F21: denial of service).openSUSE has updated apache2(13.2, 13.1: multiple vulnerabilities), conntrack-tools (13.2, 13.1: denial ofservice), froxlor (13.2, 13.1: privilegeescalation), redis (13.2, 13.1: codeexecution), seamonkey (13.2, 13.1: multiplevulnerabilities), thunderbird (13.2, 13.1:multiple vulnerabilities), and vorbis-tools(13.2, 13.1: code execution).SUSE has updated firefox, nspr(SLE12: multiple vulnerabilities).Ubuntu has updated kernel (15.04; 14.04:multiple vulnerabilities), linux-lts-trusty(12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiplevulnerabilities), linux-lts-vivid (14.04:multiple vulnerabilities), and lxc (14.04:regression in previous update).

The nomination process has begun for the 2015 election of the TechnicalAdvisory Board for the Linux Foundation. That election will happen onOctober 26 at the Kernel Summit in Seoul, South Korea. There are fivepositions to be filled; terms are for two years.

Ars Technica presentsa lengthy review of Android 6.0 "Marshmallow". "While this is a review of the final build of "Android 6.0," we're going to cover many of Google's apps along with some other bits that aren't technically exclusive to Marshmallow. Indeed, big chunks of "Android" don't actually live in the operating system anymore. Google offloads as much of Android as possible to Google Play Services and to the Play Store for easier updating and backporting to older versions, and this structure allows the company to retain control over its open source platform. As such, consider this a look at the shipping Google Android software package rather than just the base operating system. "Review: New Android stuff Google has released recently" would be a more accurate title, though not as catchy."

Arch Linux has updated hostapd(multiple vulnerabilities) and libunwind (denial of service).Fedora has updated activemq (F22:information disclosure), bind (F21: denialof service), jenkins-script-security-plugin(F22: unspecified vulnerability), kernel (F22; F21:denial of service), libwmf (F22: twovulnerabilities), scap-security-guide (F22; F21:unspecified vulnerability), seamonkey (F22; F21:multiple vulnerabilities), thunderbird(F22: multiple vulnerabilities), and xen (F22; F21:multiple vulnerabilities).Mageia has updated chromium-browser (MG5: information disclosure)and gdk-pixbuf2.0 (MG5: two vulnerabilities).openSUSE has updated phpMyAdmin(13.2, 13.1: guessable user credentials).Ubuntu has updated oxide-qt(15.04, 14.04: information disclosure), thunderbird (15.04, 14.04, 12.04: multiplevulnerabilities), and firefox (15.04,14.04, 12.04: regression in previous update).

Sarah Sharp has madeofficial her departure from the kernel development community. "Ididn’t take the decision to step down lightly. I felt guilty, for a longtime, for stepping down. However, I finally realized that I could no longercontribute to a community where I was technically respected, but I couldnot ask for personal respect. I could not work with people who helpfullyencouraged newcomers to send patches, and then argued that maintainersshould be allowed to spew whatever vile words they needed to in order tomaintain radical emotional honesty. I did not want to work professionallywith people who were allowed to get away with subtle sexist or homophobicjokes. I feel powerless in a community that had a 'Code of Conflict'without a specific list of behaviors to avoid and a community with no teethto enforce it."

The Linux Foundation has announcedthe formation of a collaborative project to support the ongoing developmentof the realtime kernel patch set. "The RTL Collaborative Projectwill focus on pushing critical code upstream to be reviewed and eventuallymerged into the mainline Linux kernel where it will receive ongoingsupport. This will save the industry millions of dollars in research anddevelopment. It will also improve quality of the code through robustupstream kernel test infrastructure, since anything maintained in themainline kernel is collectively supported by thousands of developers andhundreds of companies around the world." As part of the project,the Foundation has appointed Thomas Gleixner into a Fellow position.

The 4.3-rc4 kernel prepatch is out. "You all know the drill by now. It's Sunday, and there is a new releasecandidate out there."

Greg Kroah-Hartman has released the 4.2.3and 4.1.10 stable kernels. The fix for thedeadlocks reported for 4.1.9 did not makeit into 4.1.10. As usual, these stable kernels contain fixes throughoutthe tree.

Many online media outlets are reporting the news that ownership ofthe popular ad-blocking browser extension AdBlock hasbeen sold to a new owner. Not to be confused with similarly namedprojects AdBlock Plus and AdBlock Edge, this AdBlock announced thenews of the sale to its users in a pop-up window. TheNextWeb reportsthat AdBlock employees refused to identify the buyer. In relatednews, the new owner has decided to join the "Acceptable Ads"whitelisting program run by rival AdBlock Plus. An announcementon the AdBlock Plus site confirms the move, and notes that an"independent review board" will now decide whichadvertisements are included the Acceptable Ads whitelist. Publicnominations for the board are said to be open.

CentOS has updated thunderbird (C6; C5; C7: multiple vulnerabilities).Debian-LTS has updated binutils (multiple vulnerabilities).Fedora has updated freeimage (F22; F21:integer overflow),golang (F22; F21: multiple vulnerabilities), jakarta-commons-httpclient(F22; F21: denial of service), and openjpeg2 (F22; F21: use-after-free vulnerability).Mageia has updated thunderbird (M5: multiple vulnerabilities).openSUSE has updated bind(11.4: denial of service).Oracle has updated thunderbird (O6; O7: multiple vulnerabilities).Red Hat has updated mod_proxy_fcgi (RHEL6: denial of service).Scientific Linux has updated thunderbird (SL5, 6, 7: multiple vulnerabilities).Slackware has updated mozilla-thunderbird (14.0, 14.1, current: multiple vulnerabilities), php (14.0, 14.1, current: multiple vulnerabilities), and seamonkey (14.0, 14.1, current: multiple vulnerabilities).Ubuntu has updated kernel(12.04: multiple vulnerabilities) and linux-ti-omap4 (12.04: multiple vulnerabilities).

The GNOME Foundation has announced the release of its Annual Report [PDF] for the 2014 fiscal year, which ran from October 1, 2013 through September 30, 2014. The report covers topics like finances, the Groupon trademark battle, conferences, outreach, accessibility, and lots more. "Jean-François Fortin Tam, president of the GNOME Foundation for 2014-2015, states in the introduction letter: '2014 is on record as one of the most challenging years in the Foundation's history. It is also the year that has given us the most demonstrative and passionate display of support—from our members, our contributors, and the Free Software community—that we have ever experienced.'"

Joanna Rutkowska has announced the release of Qubes OS 3.0, which has a new hypervisor abstraction layer (HAL) as one of its "killer features". Qubes OS uses a hypervisor as part of its "security by compartmentalization" strategy for creating a more secure operating system. The HAL "will allow us to easily switch the underlying hypervisors in the near future, perhaps even during the installation time, depending on the user needs (think tradeoffs between hardware compatibility and performance vs. security properties desired, such as e.g. reduction of covert channels between VMs, which might be of importance to some users). More philosophically-wise, this is a nice manifestation of how Qubes OS is really "not yet another virtualization system", but rather: a user of a virtualization system (such as Xen)."We looked at Qubes OS 3.0 back in May.

Greg Kroah-Hartman has announced the release of the 3.14.54 and 3.10.90 stable kernels. As usual, theycontain important fixes throughout the tree and users should upgrade.

The Free Software Foundation (FSF) has announced a collaboration with Software Freedom Conservancy (SFC) on "The Principles of Community-Oriented GPL Enforcement", which describes what it means to do GPL enforcement in a way that is oriented toward gaining compliance (also: SFC announcement). "'GPL enforcement is mostly an educational process working with people who have made honest mistakes, but it must be undertaken with care and thoughtfulness. Our goal is not to punish or censure violators, but to help them come into compliance. Abiding by these principles aids our work in bringing about that outcome,' said FSF's licensing and compliance manager, Joshua Gay.

Debian-LTS has updated commons-httpclient (denial of service) and fuseiso (two vulnerabilities).Mageia has updated kernel (multiple vulnerabilities).openSUSE has updated firefox (multiple vulnerabilities) and python-PyJWT (13.2: privilege escalation).Red Hat has updated openshift(RHOSE2.2: multiple vulnerabilities) and thunderbird (RHEL5,6,7: multiple vulnerabilities).SUSE has updated haproxy (SOSCC5,SLE12: two vulnerabilities).Ubuntu has updated cyrus-sasl2(15.04: denial of service from 2013), php5 (multiple vulnerabilities), rpcbind (denial of service), and lxc (14.04: regression inprevious fix).

The LWN.net Weekly Edition for October 1, 2015 is available.

The Linux Foundation has announcedthe release of its first ever report that attempts to measure theestimated value of development costs in its Collaborative Projects. Thereport is titled “A $5 Billion Value: Estimating the Total Development Costof Linux Foundation’s Collaborative Projects.” "Linux Foundation Collaborative Projects are independently funded software projects that harness the power of collaborative development to fuel innovation across industries and ecosystems. More than 500 companies and thousands of developers from around the world contribute to these open source software projects that are changing the world in which we live."

An occasionally heard horror story about the kernel development communityconcerns developers who are told that, in order to get their code upstream,they must first invest considerable effort into fixing a relatedsubsystem. As with many such stories, this is not an experience manykernel developers have had, but there is also agrain of truth behind it. The ongoing live-patching effort, and the extrawork that has been required to push that work forward, is a case in point.

CentOS has updated openldap (C7: denial of service).Debian-LTS has updated flightgear(inadequate filesystem validation checks), freetype (denial of service), libemail-address-perl (denial of service), openssh (regression in previous update), and wordpress (multiple vulnerabilities).Oracle has updated openldap (OL7; OL6; OL5: denial of service).Ubuntu has updated lxc (15.04,14.04: apparmor policy bypass).

Greg Kroah-Hartman has released stable kernels 4.2.2 and 4.1.9. Both contain numerous fixes throughoutthe tree.

Many developers, users, and entire industries rely on virtualization, asprovided by software like Xen,QEMU/KVM, orkvmtool.While QEMU can run a software-based virtual machine, and Xen can runcooperating paravirtualized OSes without hardware support, most current usesand deployments of virtualization rely on hardware-accelerated virtualization,as provided on many modern hardware platforms. Linux supports hardwarevirtualization via the Kernel Virtual Machine (KVM) API. In this article,we'll take a closer look at the KVM API, using it to directly set up a virtualmachine without using any existing virtual machine implementation.Subscribers can click below for guest author Josh Triplett's look at the API from this week's Kernel page.

CentOS has updated openldap (C6; C5: denial of service).Debian-LTS has updated virtualbox-ose (multiple vulnerabilities, onefrom 2013) and vorbis-tools (multiple vulnerabilities).Red Hat has updated chromium-browser (RHEL6: informationdisclosure) and openldap (RHEL5,6,7: denial of service).Scientific Linux has updated openldap (SL5,6,7: denial of service).Ubuntu has updated kernel (15.04; 14.04:two vulnerabilities), linux-lts-trusty(12.04: two vulnerabilities), linux-lts-utopic (14.04: privilegeescalation), and linux-lts-vivid (14.04:two vulnerabilities).

The Document Foundation celebratesthe fifth birthday of LibreOffice, which was launched as a fork of OpenOffice.org on September 28, 2010. "LibreOffice 5.0, launched in early August, has been the most successful major release ever, triggering an unprecedented 8,000 donations in 30 days. Of course, the success has been reflected in the number of adoptions, which has soared. The icing on the cake has been the announcement of the Italian Defence Organization, which will be migrating some 150,000 PCs to LibreOffice starting from October 2015."

The Electronic Frontier Foundation (EFF) has launchedthe Offline project, "a campaign devoted to digital heroes—coders, bloggers, and technologists—who have been imprisoned, tortured, and even sentenced to death for raising their voices online or building tools that enable and protect free expression on the Internet."

The Apache OpenOffice blog promisesthat the 4.1.2 release is coming soon. "Most of the code changesfor OpenOffice 4.1.2 have already been integrated. Dozens of old and newdevelopers contributed in recent weeks. For users, improvements areexpected in stability (fixes in all modules: Writer, Calc, Impress, Draw,Base), Microsoft interoperability (Sharepoint) and documentsimport." If "recent weeks" is taken to mean "sinceJuly 1", then six developers (0.5 dozens)13 developers (1.08 dozens) have contributed 135patches toward this release.

Arch Linux has updated chromium (information disclosure).Debian has updated cyrus-sasl2(denial of service from 2013).Debian-LTS has updated eglibc(multiple vulnerabilities) and nss (two vulnerabilities).Fedora has updated firefox (F22:multiple vulnerabilities), pdns (F22; F21:denial of service), rolekit (F22: information leak), xen (F22; F21: two vulnerabilities), and xpra (F22; F21: information disclosure).Mageia has updated pixman (MG5:buffer overflow), rpcbind (MG5: denial ofservice), and unzip (MG5: two vulnerabilities).SUSE has updated Xen (SLES10SP4: multiple vulnerabilities).Ubuntu has updated NVIDIA graphicsdrivers (15.04, 14.04, 12.04: privilege escalation) and simplestreams (15.04, 14.04: regression inprevious update).

The 4.3-rc3 prepatch is out."So as usual, rc3 is actually bigger than rc2 (fixes are starting totrickle in), but nothing particularly alarming stands out.Everything looks normal: the bulk is drivers (all over, but gpu andnetworking are the biggest parts) and architecture updates. There'salso networking and filesystem updates, along with documentation."

Earlier this week, pump.io creator Evan Prodromou announcedthat, due to budget and time pressures, he was looking to move pump.iointo a community-governed project structure. "Ideally, what I'dlike to do is transfer the copyrights, domains and data to anon-profit that could collect donations to keep the serversrunning. Budget-wise, it's about $5K/year, including servers, domainregistration, and SSL certs. It'd also be great if some of the peoplewho have been sending in pull requests could start working on thesoftware directly. There are a lot of PRs backed up."Subsequently, interested community members met to hash out a plan, andhave now reportedtheir plans. Pump.io will apply to be a member project of theSoftware Freedom Conservancy, and Prodromou has started grantingadministrative and commit privileges to several other developers. Itis not yet clear how maintenance for Prodromou's current crop ofpump.io servers will be handled, but the community does appear to becoalescing into a more active project.

Arch Linux has updated rpcbind (denial of service).Debian has updated wireshark(multiple vulnerabilities).Debian-LTS has updated cups(code execution).Fedora has updated php-ZendFramework2 (F22; F21:code execution)and wordpress (F22; F21: multiple vulnerabilities).Gentoo has updated adobe-flash (multiple vulnerabilities), cacti (multiple vulnerabilities), curl (multiple vulnerabilities), git (code execution), libtasn1 (multiple vulnerabilities), networkmanager (denial of service), and ntp (multiple vulnerabilities).openSUSE has updated mysql-community-server (13.1, 13.2: multiple vulnerabilities) and php5 (13.1, 13.2: multiple vulnerabilities).Red Hat has updated firefox(RHEL 5, 6, 7: multiple vulnerabilities).SUSE has updated php5(SLE12: multiple vulnerabilities).Ubuntu has updated qemu,qemu-kvm (12.04, 14.04, 15.04: multiple vulnerabilities), simplestreams (14.04, 15.04: denial of service),and unity-firefox-extension,webapps-greasemonkey, webaccounts-browser-extension (12.04, 14.04, 15.04: denial of service).

The Electronic Frontier Foundation (EFF) Deeplinks blog has an almost amusing account of a patent holder trying to define "integer" as a whole number greater than one. It seems that this strategy is likely to fail, but there is, of course, a cost associated with refuting such a ridiculous definition. "To be clear: the law allows patent applicants to redefine words if they want. But the law also says they have to be clear that they are doing that (and in any event, they shouldn't be able to do it years after the patent issues, in the middle of litigation). In Core Wireless' patent, there is no indication that it used the word "integer" to mean anything other than what we all learn in high school. (Importantly, the word "integer" doesn’t appear in the patent anywhere other than in the claims.)It appears that Core Wireless is attempting to redefine a word—a word the patent applicant freely chose—because presumably otherwise its lawsuit will fail."

Debian has updated iceweasel (multiple vulnerabilities)and rpcbind (denial of service).Fedora has updated bind99 (F22:two denial of service flaws), groovy (F22:code execution), libvdpau (F22: threevulnerabilities), and libvpx (F22: denialof service).Mageia has updated firefox (M5:multiple vulnerabilities), moodle (M5: multiple vulnerabilities), and shutter (M5: code execution).openSUSE has updated cyrus-imapd (13.1; 13.2:largely unspecified).Ubuntu has updated apport(privilege escalation).

The LWN.net Weekly Edition for September 24, 2015 is available.

The GNOME Project has announced the release of GNOME 3.18. "Thisrelease brings significant improvements to many of our core applications, from better Google Drive integration in Files to a listview in Boxes to firmware updates in Software, and several entirelynew applications: Calendar, Characters, Todo.Improvements to our platform include automatic screen brightnesshandling and improved typography." See the release notesfor details.

Arch Linux has updated firefox (multiple vulnerabilities).CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities) and qemu-kvm (C6: information leak).Fedora has updated kernel (F21:privilege escalation) and unzip (F22: two vulnerabilities).openSUSE has updated flash-player(13.2, 13.1: multiple vulnerabilities).Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities) and qemu-kvm (OL6: information leak).Red Hat has updated firefox(RHEL5,6,7: multiple vulnerabilities) and qemu-kvm (RHEL6: information leak).Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities)and qemu-kvm (SL6: information leak).Slackware has updated firefox (multiple vulnerabilities).SUSE has updated flash-player (SLE12; SLED11SP3,4: multiple vulnerabilities) and kernel (SLE11SP3: multiple vulnerabilities).Ubuntu has updated firefox(15.04, 14.04, 12.04: multiple vulnerabilities) and ubufox (15.04, 14.04, 12.04: multiple vulnerabilities).

The release of Firefox 41 has been announced."This release includes minor updates to personalize your FirefoxAccount and adds a new functionality to Firefox Hello Beta." The releasenotes contain more information.

In September 2014 a serious securityvulnerability that became known as Shellshock was found in Bash, whichis the default shell in most Linux distributions. But it quickly turned outthat the initial fix for Shellshock was incomplete. Various other relatedbugs were found only days after the publication, amongst them twosevere vulnerabilities discovered by Michał Zalewski from the Googlesecurity team. In the blog post, Zalewski mentioned that he had found thesebugs with a fuzzing tool that he wrote, which almost nobody knew back then: american fuzzy lop (afl).Subscribers can click below for the full article by guest author Hanno Böck.

Fedora 23 beta has been released. "Fedora 23 includes a number ofchanges that will improve all of the editions. For example, Fedora 23 makes use of compiler flags toimprove security by "hardening" the binaries against memorycorruption vulnerabilities, buffer overflows, and so on. This is a"behind the scenes" change that most users won't notice throughnormal use of a Fedora edition, but will help provide additionalsystem security." The final release is scheduled for late October.Fedora 23 beta is also available forAARCH64 and POWER architectures.

Arch Linux has updated flashplugin (multiple vulnerabilities).Debian has updated kernel (multiple vulnerabilities).Debian-LTS has updated linux-2.6 (multiple vulnerabilities).Fedora has updated icedtea-web(F21: applet execution).Mageia has updated flash-player-plugin (MG5: multiple vulnerabilities).openSUSE has updated bind (13.2,13.1: denial of service), criu (13.2: twovulnerabilities), icedtea-web (13.2, 13.1:multiple vulnerabilities), libgcrypt (13.2,13.1: information disclosure), and python-django (13.1: multiple vulnerabilities).Red Hat has updated flash-plugin(RHEL5,6: multiple vulnerabilities).SUSE has updated kernel(SLE11SP3: multiple vulnerabilities).

The4.2.1,4.1.8,3.14.53, and3.10.89stable kernel updates have been release. Each contains a relatively largeset of important fixes.

As the introduction to Tom Herbert's kernelconnection multiplexer (KCM) patch set notes, TCP is often used formessage-oriented communication protocols even though, as a streamingtransport, it has no native support for message-oriented communications.KCM is an effort to make it easier to send and receive messages over TCPwhich adds a couple of other interesting features as well.Click below (subscribers only) for the full story from this week's KernelPage.

The Free Software Foundation Europe and Open Invention Network, with theparticipation of the Legal Network and the Asian Legal Network, arepresentingtwo round table events with presentations and panel discussion ofindustry and community speakers, titled "Open Source and Software PatentNon-Aggression, European Context". The events will be held in Berlin,Germany on October 21 and in Warsaw, Poland on October 22.