Feed: LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-20 06:00
Conservancy Seeks Your Questions on GPL Enforcement
Software Freedom Conservancy has announced a long-term campaign to increase education and understanding about community-driven GPL enforcement processes. "Conservancy invites developers and other Open Source and Free Software contributors to email their questions on GPL enforcement to <enforcement-questions@sfconservancy.org>. Conservancy cannot promise to answer every question; Conservancy will use the collected questions over the coming months to provide more educational and informational materials about GPL enforcement, and in particular about Conservancy's GPL Compliance Project for Linux Developers."
Security advisories for Monday
Debian has updated fusionforge (code execution), postgresql-9.1 (regression in previous update), and symfony (restriction bypass).
Debian-LTS has updated ipsec-tools (denial of service), ruby1.9.1 (multiple vulnerabilities), and wordpress (multiple vulnerabilities).
Fedora has updated gcab (F21: directory traversal), libtiff (F21: two vulnerabilities), netty (F22: HttpOnly cookie bypass), php-ZendFramework (F22: CRLF injection), python-django (F22: incorrect session flushing), suricata (F21: denial of service), torque (F22; F21; F20: denial of service), and zeromq (F22: security bypass).
Gentoo has updated adobe-flash (multiple vulnerabilities) and phpmyadmin (multiple vulnerabilities).
openSUSE has updated Chromium (13.2, 13.1: multiple vulnerabilities), parallel (13.2, 13.1: file overwrite), and mysql-connector-java (13.2, 13.1: information disclosure).
SUSE has updated firefox (SLE11SP3: multiple vulnerabilities).
Kernel prepatch 4.1-rc6
The 4.1-rc6 kernel prepatch is out. Linus says that "things look normal."
Linux support for digital video broadcasting
Mauro Carvalho Chehab, the maintainer of the kernel's media subsystem, has posted the first two in a series of articles on digital video broadcasting support in Linux. Part 1 gives an overview of how the devices and protocols work, while part 2 looks at digital TV network interface use. "Supporting embedded Digital TV hardware is complex, considering that such hardware generally has multiple components that can be rewired in runtime to dynamically change the stream pipelines and provide flexibility for things like recording a video stream, then tuning into another channel to see a different program. This article describes how the DVB pipelines are setup and the needs that should be addressed by the Linux Kernel."
Announcing GitTorrent: A Decentralized GitHub
At his blog, Chris Ball announces "GitTorrent," his new project designed to let developers host Git repositories on BitTorrent. The system takes advantage of Git's ability to run over arbitrary network protocols. "We ask for the commit we want and connect to a node with BitTorrent, but once connected we conduct this Smart Protocol negotiation in an overlay connection on top of the BitTorrent wire protocol, in what’s called a BitTorrent Extension. Then the remote node makes us a packfile and tells us the hash of that packfile, and then we start downloading that packfile from it and any other nodes who are seeding it using Standard BitTorrent. We can authenticate the packfile we receive, because after we uncompress it we know which Git commit our graph is supposed to end up at; if we don’t end up there, the other node lied to us, and we should try talking to someone else instead." The project is, obviously, a new one that still has important ground to cover—such as dealing with comments or pull requests—but there are interesting ideas to consider already.
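The check Ball describes, that a packfile can be authenticated because we already know which commit it must lead to, rests on Git objects being content-addressed. The following is an added example, not code from GitTorrent, Git or LWN: it computes Git object ids the way `git hash-object` does, then walks a small constructed repository (two commits, one tree, one blob) from the requested commit id, checking that every object a peer served exists, has the type its referrer expects and hashes to the id its referrer used. The object contents, author identity and commit messages are made up for the example; nothing here speaks BitTorrent.

```python
"""Added example (not GitTorrent's or LWN's code): checking a received set of
Git objects against nothing but the commit id we asked for.

Git objects are content-addressed, id = SHA-1("<type> <size>" + NUL + body),
so once we know the commit id we want, every object reachable from it can be
checked against the id that references it.  A peer that serves a tampered or
incomplete packfile is caught without trusting the peer at all.  The objects
below are constructed inline; nothing here speaks BitTorrent.
"""
import hashlib


def git_object_id(obj_type: str, body: bytes) -> str:
    """Return the SHA-1 object id exactly as `git hash-object -t <type>` would."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def make_tree(entries) -> bytes:
    """entries: (mode, name, hex_id) tuples; git stores them sorted by name."""
    body = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1]):
        body += f"{mode} {name}\0".encode() + bytes.fromhex(hex_id)
    return body


def make_commit(tree_id: str, parents, message: str) -> bytes:
    lines = [f"tree {tree_id}"] + [f"parent {p}" for p in parents]
    ident = "Example <example@example.invalid> 1432000000 +0000"  # constructed
    lines += [f"author {ident}", f"committer {ident}"]
    return ("\n".join(lines) + "\n\n" + message + "\n").encode()


def parse_tree(body: bytes):
    """Yield (mode, hex_id) for each entry of a raw tree object."""
    pos = 0
    while pos < len(body):
        space = body.index(b" ", pos)
        nul = body.index(b"\0", space)
        yield body[pos:space].decode(), body[nul + 1:nul + 21].hex()
        pos = nul + 21


def parse_commit(body: bytes):
    """Return (tree_id, [parent_ids]) from the header lines of a commit."""
    tree, parents = None, []
    for line in body.split(b"\n"):
        if not line:
            break  # blank line ends the headers
        key, _, value = line.partition(b" ")
        if key == b"tree":
            tree = value.decode()
        elif key == b"parent":
            parents.append(value.decode())
    return tree, parents


def verify_graph(objects, tip_commit_id):
    """objects: {claimed_hex_id: (type, body)} as served by a peer.

    Walks commits -> trees -> blobs from the tip and returns (ok, reason).
    Every object must exist, have the type its referrer expects, and hash
    to the id its referrer used; anything else means the peer lied."""
    seen = set()
    stack = [("commit", tip_commit_id)]
    while stack:
        want_type, oid = stack.pop()
        if oid in seen:
            continue
        seen.add(oid)
        if oid not in objects:
            return False, f"missing object {oid}"
        obj_type, body = objects[oid]
        if obj_type != want_type:
            return False, f"{oid} is a {obj_type}, expected {want_type}"
        if git_object_id(obj_type, body) != oid:
            return False, f"{oid} does not hash to its id"
        if obj_type == "commit":
            tree, parents = parse_commit(body)
            stack.append(("tree", tree))
            stack.extend(("commit", p) for p in parents)
        elif obj_type == "tree":
            for mode, child in parse_tree(body):
                stack.append(("tree" if mode == "40000" else "blob", child))
    return True, "ok"


def build_repo():
    """Constructed two-commit repository; returns (objects, tip_id, blob_id)."""
    blob = b"print('hello')\n"
    blob_id = git_object_id("blob", blob)
    tree = make_tree([("100644", "hello.py", blob_id)])
    tree_id = git_object_id("tree", tree)
    c1 = make_commit(tree_id, [], "initial")
    c1_id = git_object_id("commit", c1)
    c2 = make_commit(tree_id, [c1_id], "second")
    c2_id = git_object_id("commit", c2)
    objects = {blob_id: ("blob", blob), tree_id: ("tree", tree),
               c1_id: ("commit", c1), c2_id: ("commit", c2)}
    return objects, c2_id, blob_id


if __name__ == "__main__":
    objs, tip, blob_id = build_repo()
    print(verify_graph(objs, tip))  # -> (True, 'ok')
    objs[blob_id] = ("blob", b"import os; os.system('id')\n")  # peer swaps the file
    print(verify_graph(objs, tip))  # -> (False, '... does not hash to its id')
```

The same walk is what makes the scheme robust against more than a lying packfile: a peer that serves only part of the graph is caught by the "missing object" branch, and a peer that substitutes a commit for a blob is caught by the type check. What content-addressing cannot tell you is whether the tip id you started from is the right one; that still has to come from a trusted source (the project's announced hash, or a signed tag), and the ids here are SHA-1, whose collision resistance is the limit of the guarantee.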
Friday's security updates
Debian has updated virtualbox (privilege escalation).
Debian-LTS has updated clamav (multiple vulnerabilities), postgresql-8.4 (multiple vulnerabilities), and tomcat6 (multiple vulnerabilities).
[$] LWN.net Weekly Edition for May 29, 2015
The LWN.net Weekly Edition for May 29, 2015 is available.
LibreOffice Viewer for Android released
The Document Foundation has announced the availability of the LibreOffice viewer for Android systems. And it's not just for viewing: "LibreOffice Viewer also offers basic editing capabilities, like modifying words in existing paragraphs and changing font styles such as bold and italics. Editing is still an experimental feature which has to be enabled separately in the settings, and is not stable enough for mission critical tasks."
A security study of Docker images
The folks at Banyan have looked into the security state of the images stored on Docker Hub and published their results. "More than a third of all images have high priority vulnerabilities and close to two-thirds have high or medium priority vulnerabilities. These statistics are especially troublesome because these images are also some of the most downloaded images (several of them have hundreds of thousands of downloads)."
Security updates for Thursday
Arch Linux has updated curl (information leak).
Debian-LTS has updated dulwich (code execution), eglibc (code execution), exactimage (denial of service), and libnokogiri-ruby (information disclosure from 2012).
Fedora has updated ca-certificates (F20: CA update), hostapd (F21; F20: denial of service), java-1.8.0-openjdk (F20: insecure tmp file use), LibRaw (F21: denial of service), mingw-LibRaw (F21: denial of service), openslp (F20: two denial of service flaws, one from 2010, one from 2012), php (F21; F20: multiple vulnerabilities), postgresql (F22: three vulnerabilities), and rawtherapee (F22: denial of service).
Mageia has updated fuse (privilege escalation), kernel-linus (denial of service), and kernel-tmb (denial of service).
openSUSE has updated glibc, glibc-testsuite, glibc-utils, glibc.i686 (13.2, 13.1: two vulnerabilities).
SUSE has updated firefox (SLE12: multiple vulnerabilities).
[$] SourceForge replacing GIMP Windows downloads
In 2013, we reported that SourceForge.net had started to redirect the download links clicked on by some users, providing those users with an installer program that bundled in not just the software the user had requested, but a set of side-loaded "utilities" as well. The practice raised the ire of many in the community, even though it was an optional service that SourceForge offered to project owners. Matters may have changed recently, however, as the GIMP project discovered that "GIMP for Windows" downloads had suddenly become side-loading installers—and that the project could no longer access the SourceForge account that was used to distribute them.
This week's edition will be one day late
LWN staff celebrated the US Memorial Day holiday on Monday this week, so the Weekly Edition will come out on the holiday schedule — one day later than usual. We will return to our normal schedule next week. Thank you all, as always, for supporting LWN.
White House sides with Oracle, tells Supreme Court APIs are copyrightable (ArsTechnica)
Ars Technica reports that the US Justice Department has sided with Oracle in its dispute with Google. "The dispute centers on Google copying names, declarations, and header lines of the Java APIs in Android. Oracle filed suit, and in 2012, a San Francisco federal judge sided with Google. The judge ruled that the code in question could not be copyrighted. Oracle prevailed on appeal, however. A federal appeals court ruled that the "declaring code and the structure, sequence, and organization of the API packages are entitled to copyright protection." Google maintained that the code at issue is not entitled to copyright protection because it constitutes a "method of operation" or "system" that allows programs to communicate with one another." (Thanks to Martin Michlmayr)
Wednesday's security updates
Debian has updated ntfs-3g (incomplete fix in previous update).
Debian-LTS has updated ntfs-3g (incomplete fix in previous update).
Red Hat has updated kernel (RHEL6.4: privilege escalation) and qemu-kvm (RHEL6.5: code execution).
Ubuntu has updated ntfs-3g (15.04: incomplete fix in previous update) and openldap (15.04, 14.10, 14.04, 12.04: denial of service).
Mourning Marco Pesenti Gritti
The GNOME community is mourning the loss of developer Marco Pesenti Gritti, who passed away on May 23. "He was the most passionate and dedicated hacker I knew, and I know he was extremely respected in the GNOME community, for his work on Epiphany, Evince and Sugar among many others, just like he was at litl. Those who knew him personally know he was also an awesome human being."
Jonathan Riddell forced out of Kubuntu
Scott Kitterman has posted a series of emails around the Ubuntu Community Council's decision to remove Jonathan Riddell as the leader of the Kubuntu project. He has also stated his intent to leave the Ubuntu community. "I also wish to extend my personal apology to the Kubuntu community for keeping this private for as long as we did. Generally, I don’t believe such an approach is consistent with our values, but I supported keeping it private in the hope that it would be easier to achieve a mutually beneficial resolution of the situation privately. Now that it’s clear that is not going to happen, I (and others in the KC) could not in good faith keep this private."
Trouble with the May 22 PostgreSQL update
If you run PostgreSQL and have applied one of the updates that were released on May 22, it would be a good idea to read this page about an unfortunate bug in those releases. In some cases, the problem can cause the server to fail to restart after a crash. There is a new release in the works; meanwhile, a workaround is available.
The Moose is loose: Linux-based worm turns routers into social network bots (Ars Technica)
Ars Technica takes a look at the latest malware threat. "A worm that targets cable and DSL modems, home routers, and other embedded computers is turning those devices into a proxy network for launching armies of fraudulent Instagram, Twitter, and Vine accounts as well as fake accounts on other social networks. The new worm can also hijack routers' DNS service to route requests to a malicious server, steal unencrypted social media cookies such as those used by Instagram, and then use those cookies to add "follows" to fraudulent accounts. This allows the worm to spread itself to embedded systems on the local network that use Linux-based operating systems. The malware, dubbed "Linux/Moose" by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device."
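The infection vector described above, a Telnet credential brute force followed by a successful login with a default account, leaves a distinctive trace in any device that logs authentication attempts. The following is an added example, not code from ESET, Ars Technica or LWN: it runs a sliding-window failed-login detector over a constructed router log and reports the sources that crossed the threshold, the usernames they guessed, and any later successful login from such a source, which is the point at which a device should be treated as compromised. The log line format and the addresses (taken from the documentation ranges) are made up for this example; a real device's telnetd or busybox login output will differ, so LINE_RE is the part to adapt.

```python
"""Added example (not ESET's, Ars Technica's or LWN's code): spotting the
Linux/Moose pattern, a Telnet credential brute force followed by a
successful login, in a router's authentication log.

The log format is constructed for this example (ISO timestamp, host, and one
telnetd line per attempt); adapt LINE_RE to whatever your device emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ telnetd\[\d+\]: login (?P<result>failed|ok) "
    r"for '(?P<user>[^']*)' from (?P<ip>[\d.]+)$"
)

# Constructed sample: one default-credential burst that succeeds, one slow
# scanner that never crosses the threshold, one legitimate typo, one unrelated
# line the parser must ignore.
SAMPLE_LOG = """\
2015-05-26T03:14:01 gw telnetd[812]: login failed for 'admin' from 203.0.113.7
2015-05-26T03:14:02 gw telnetd[812]: login failed for 'root' from 203.0.113.7
2015-05-26T03:14:03 gw telnetd[812]: login failed for 'admin' from 203.0.113.7
2015-05-26T03:14:04 gw telnetd[812]: login failed for 'support' from 203.0.113.7
2015-05-26T03:14:05 gw telnetd[812]: login failed for 'user' from 203.0.113.7
2015-05-26T03:14:06 gw telnetd[812]: login failed for 'root' from 203.0.113.7
2015-05-26T03:14:08 gw telnetd[812]: login ok for 'admin' from 203.0.113.7
2015-05-26T04:00:00 gw telnetd[812]: login failed for 'admin' from 198.51.100.4
2015-05-26T04:01:10 gw telnetd[812]: login failed for 'admin' from 198.51.100.4
2015-05-26T04:02:20 gw telnetd[812]: login failed for 'admin' from 198.51.100.4
2015-05-26T04:03:30 gw telnetd[812]: login failed for 'admin' from 198.51.100.4
2015-05-26T04:04:40 gw telnetd[812]: login failed for 'admin' from 198.51.100.4
2015-05-26T09:00:00 gw telnetd[812]: login failed for 'alice' from 192.0.2.10
2015-05-26T09:00:15 gw telnetd[812]: login ok for 'alice' from 192.0.2.10
2015-05-26T09:00:16 gw dnsmasq[415]: using nameserver 192.0.2.53#53
"""


def parse(lines):
    """Return (timestamp, success, user, ip) tuples in time order; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"] == "ok",
                           m["user"], m["ip"]))
    events.sort()
    return events


def analyze(lines, window_seconds=60, threshold=5):
    """Flag sources that reach `threshold` failed logins inside a sliding window
    of `window_seconds`, and any later successful login from a flagged source,
    which is the signature of a default-credential takeover."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    users_tried = defaultdict(set)   # ip -> usernames guessed
    brute_force = {}                 # ip -> time the threshold was first crossed
    compromised = []                 # (ip, user, time) for successes after a burst
    for ts, ok, user, ip in parse(lines):
        if ok:
            if ip in brute_force:
                compromised.append((ip, user, ts.isoformat()))
            continue
        users_tried[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in brute_force:
            brute_force[ip] = ts.isoformat()
    return {
        "brute_force": brute_force,
        "compromised": compromised,
        "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Detection after the fact is the weaker half of the defence: a device that never exposes Telnet to the Internet and does not ship with a guessable administrative password gives the worm nothing to brute-force in the first place. The window and threshold are tuning parameters, not facts about Moose; the sample is built so that five failures inside sixty seconds is the trigger and a scanner pacing its guesses seventy seconds apart slips under it.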
Security advisories for Tuesday
Arch Linux has updated nbd (denial of service), pgbouncer (denial of service), postgresql (multiple vulnerabilities), webkitgtk (information disclosure), and webkitgtk2 (information disclosure).
Debian has updated ipsec-tools (denial of service), nbd (denial of service), postgresql-9.1 (multiple vulnerabilities), postgresql-9.4 (multiple vulnerabilities), tiff (multiple vulnerabilities), and zendframework (multiple vulnerabilities).
Debian-LTS has updated ntfs-3g (privilege escalation).
Fedora has updated firefox (F22: multiple vulnerabilities), hostapd (F22: denial of service), java-1.8.0-openjdk (F22: file overwrites), kernel (F20: two vulnerabilities), libarchive (F21: denial of service), LibRaw (F22; F20: denial of service), mingw-LibRaw (F22; F22; F20: denial of service), openstack-glance (F22: access restriction bypass), php (F22: multiple vulnerabilities), php-ZendFramework2 (F22: CRLF injection), phpMyAdmin (F22: two vulnerabilities), qemu (F22; F20: code execution), quassel (F22: denial of service), suricata (F22: denial of service), thunderbird (F22: multiple vulnerabilities), wordpress (F22: cross-site scripting), and xen (F22; F21; F20: privilege escalation).
Mageia has updated chromium-browser-stable (multiple vulnerabilities) and kernel (memory corruption).
openSUSE has updated coreutils (13.2: multiple vulnerabilities), firefox (13.2, 13.1: multiple vulnerabilities), libraw (13.2, 13.1: denial of service), LibVNCServer (13.2: code execution), quassel (13.2, 13.1: SQL injection), thunderbird (13.2, 13.1: multiple vulnerabilities), and wireshark (13.2; 13.1: multiple vulnerabilities).
Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).
SUSE has updated KVM (SLES11SP2: code execution), MySQL (SLE11SP3: multiple vulnerabilities), and Xen (SLES11SP2; SLES11SP1; SLES10SP4: two vulnerabilities).
Ubuntu has updated kernel (14.04: denial of service), linux-lts-trusty (12.04: denial of service), and postgresql-9.1, postgresql-9.3, postgresql-9.4 (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
Fedora 22 released
The Fedora 22 release is out. "If this release had a human analogue, it'd be Fedora 21 after it'd been to college, landed a good job, and kept its New Year's Resolution to go to the gym on a regular basis. What we're saying is that Fedora 22 has built on the foundation we laid with Fedora 21 and the work to create distinct editions of Fedora focused on the desktop, server, and cloud (respectively). It's not radically different, but there are a fair amount of new features coupled with features we've already introduced but have improved for Fedora 22." LWN's preview of Fedora 22 was published in the May 21 Weekly Edition.
The end for Mandriva
An anonymous reader has pointed out that Mandriva is currently being liquidated (page in French). The company brought in €553,000 in 2013, but that is seemingly not enough to keep it going in 2015. It is a sad end for a company that has been pursuing the desktop Linux dream since 1998.
Kernel prepatch 4.1-rc5
The fifth 4.1 prepatch is out for testing. "So we're on schedule for a normal 4.1 release, if it wasn't for the fact that the timing looks like the next merge window would hit our yearly family vacation. So we'll see how that turns out, I might end up delaying the release just to avoid that (or just delay opening the merge window)."
[$] A tale of two data-corruption bugs
There have been two bugs causing filesystem corruption in the news recently. One of them, a bug in ext4, has gotten the bulk of the attention, despite the fact that it is an old bug that is hard to trigger. The other, however, is recent and able to cause data loss on filesystems installed on a RAID 0 array. Both are interesting examples of how things can go wrong, and, thus, merit a closer look.
Nocera: iio-sensor-proxy 1.0 is out!
At his blog, Bastien Nocera announces the 1.0 release of iio-sensor-proxy, a framework for accessing the various environmental sensors (e.g., accelerometer, magnetometer, proximity, or ambient-light sensors) built in to recent laptops. The proxy is a daemon that listens to the Industrial I/O (IIO) subsystem and provides access to the sensor readings over D-Bus. As of right now, support for ambient-light sensors and accelerometers is working; other sensor types are in development. The current API is based on those used by Android and iOS, but may be expanded in the future. "For future versions, we'll want to export the raw accelerometer readings, so that applications, including games, can make use of them, which might bring up security issues. SDL, Firefox, WebKit could all do with being adapted, in the near future."
Friday's security updates
Arch Linux has updated chromium (multiple vulnerabilities).
Debian has updated chromium-browser (multiple vulnerabilities), fuse (privilege escalation), and ntfs-3g (privilege escalation).
SUSE has updated KVM (SLES11SP1: multiple vulnerabilities), SUSE Manager Server 1.7 (SLE11 SP2: multiple vulnerabilities), and Xen (SLE11 SP3: multiple vulnerabilities).
Ubuntu has updated apport (two privilege escalation vulnerabilities), fuse (privilege escalation), ntfs-3g (privilege escalation), oxide-qt (14.04, 14.10, 15.04: multiple vulnerabilities), and python-dbusmock (14.04, 14.10, 15.04: code execution).
Announcing qboot, a minimal x86 firmware for QEMU
The announcement of Clear Containers (which guest author Arjan van de Ven described in an LWN article from this week) seems to have sparked some interesting work on QEMU that resulted in qboot: "a minimal x86 firmware that runs on QEMU and, together with a slimmed-down QEMU configuration, boots a virtual machine in 40 milliseconds on an Ivy Bridge Core i7 processor." Paolo Bonzini announced the project (code is available at git://github.com/bonzini/qboot.git), which is quite new: "The first commit to qboot is more or less 24 hours old, so there is definitely more work to do, in particular to extract ACPI tables from QEMU and present them to the guest. This is probably another day of work or so, and it will enable multiprocessor guests with little or no impact on the boot times. SMBIOS information is also available from QEMU."
Security advisories for Thursday
Debian has updated libmodule-signature-perl (multiple vulnerabilities).
Debian-LTS has updated dnsmasq (information disclosure).
Fedora has updated wordpress (F21; F20: three vulnerabilities).
Oracle has updated docker (OL7; OL6: multiple vulnerabilities).
Red Hat has updated java-1.5.0-ibm (RHEL5&6: multiple vulnerabilities, one from 2005) and java-1.7.1-ibm (RHEL6&7: multiple vulnerabilities, one from 2005).
SUSE has updated gstreamer-0_10-plugins-bad (SLE11SP3: code execution) and xen (SLE12: multiple vulnerabilities).
[$] LWN.net Weekly Edition for May 21, 2015
The LWN.net Weekly Edition for May 21, 2015 is available.
Security advisories for Wednesday
Debian has updated icedove (multiple vulnerabilities), proftpd-dfsg (unauthenticated copying of files), and zendframework (multiple vulnerabilities).
Fedora has updated dovecot (F21; F20: denial of service), firefox (F20: multiple vulnerabilities), libtasn1 (F21: denial of service), php-ZendFramework2 (F21; F20: CRLF injection), and thunderbird (F20: multiple vulnerabilities).
Ubuntu has updated kernel (14.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), and linux-ti-omap4 (12.04: two vulnerabilities).
[$] PostgreSQL: the good, the bad, and the ugly
The PostgreSQL development community is working toward the 9.5 release, currently planned for the third quarter of this year. Development activity is at peak levels as the planned feature freeze for this release approaches. While this activity is resulting in the merging of some interesting functionality, including the long-awaited "upsert" feature, it is also revealing some fault lines within the community. The fact that PostgreSQL lacks the review resources needed to keep up with its natural rate of change has been understood for years; many other projects suffer from the same problem. But the pressures on PostgreSQL seem to be becoming more acute, leading to concerns about fairness in the community and the durability of the project's cherished reputation for high-quality software.
20 years of Qt
Lars Knoll marks the 20th anniversary of the Qt toolkit on the Qt blog. "From the beginning, Qt has been released with both open source and commercial licensing options. Over the years, we have worked on expanding this model, and nowadays, Qt is actually developed as an open source project. In this sense Qt is actually in a rather unique position, having a strong ecosystem with passionate people, as well as a commercial entity behind it, which backs up and funds most of the development."
How to Make Money from Open Source Platforms (Linux.com)
Over at Linux.com, John Mark Walker examineswhy companies aren't making money on pure open source ventures. "It is not that there is no money in selling open source software, but rather that the business models have shifted. Whereas, under the old proprietary world, a larger percentage of money went to pure software vendors, now that money has spread among a larger spectrum of companies and industries; lots of people get paid to work on or with open source software, but an increasing number of them don’t work for software vendors, per se. In addition to looking in all the wrong places, the current investment model is suspicious of an open source approach. The vast majority of venture capitalists, especially in Silicon Valley, are very risk averse and shy away from open source products that, in their view, will not give as large a return on their investment. In order to secure the funding required to scale a company, investors will frequently require that the startup company include proprietary bits as tools to increase revenue and margins. These two factors - diffusion of revenue and risk-averse investors - combine to both give a false impression and, in part due to the false impression, prevent pure open source software vendors from getting funding."
Tuesday's security updates
CentOS has updated thunderbird (C6; C5: multiple vulnerabilities).
Debian has updated kfreebsd-9 (denial of service) and xen (code execution).
Debian-LTS has updated commons-httpclient (multiple vulnerabilities) and ruby1.8 (man-in-the-middle attack).
Mageia has updated avidemux (multiple vulnerabilities), firefox, thunderbird, sqlite3 (multiple vulnerabilities), moodle (multiple vulnerabilities), php (multiple vulnerabilities), phpmyadmin (two vulnerabilities), and xbmc (denial of service).
openSUSE has updated clamav (13.2, 13.1: multiple vulnerabilities), docker (13.2: multiple vulnerabilities), and flash-player (13.2, 13.1: multiple vulnerabilities).
Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).
Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities).
Ubuntu has updated thunderbird (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
Goodbye, Pi. Hello, C.H.I.P. (Linux Journal)
Linux Journal takes a look at the C.H.I.P. mini-computer, an open software and hardware device that comes with a Debian-based OS. "The official public release is scheduled for next year, but crowdfunding backers will be able to land a "Kernel Hacker" package this September. This package is aimed at Linux developers who want to help to contribute to kernel modifications for the C.H.I.P. before its final release."
Kernel prepatch 4.1-rc4
Linus has released the 4.1-rc4 kernel prepatch, saying: "So here it is, last-minute fix and all. The -rc4 patch is a bit bigger than the previous ones, but that seems to be mainly due to normal random timing - just the fluctuation of when submaintainer trees get pushed."
Stable kernel updates
New stable kernels 4.0.4, 3.14.43, and 3.10.79 have been released. All of them contain important fixes throughout the tree.
Security advisories for Monday
Arch Linux has updated thunderbird (multiple vulnerabilities).
CentOS has updated thunderbird (C7: multiple vulnerabilities).
Debian has updated libmodule-signature-perl (multiple vulnerabilities).
Debian-LTS has updated dpkg (integrity-verification bypass), nbd (denial of service), and tiff (multiple vulnerabilities).
Fedora has updated java-1.8.0-openjdk (F21: unspecified vulnerability), NetworkManager (F21: denial of service), phpMyAdmin (F21; F20: two vulnerabilities), qemu (F21: code execution), and t1utils (F21; F20: multiple vulnerabilities).
Mageia has updated ruby-rest-client (two vulnerabilities) and virtualbox (code execution).
openSUSE has updated flash-player (11.4: multiple vulnerabilities), qemu (13.2; 13.1: code execution), and firefox (11.4: multiple vulnerabilities).
Red Hat has updated thunderbird (RHEL5,6,7: multiple vulnerabilities).
Slackware has updated thunderbird (multiple vulnerabilities).
SUSE has updated KVM (SLE11SP3: code execution), qemu (SLE12: two vulnerabilities), and spice (SLE12; SLESDK12: denial of service).
[$] An introduction to Clear Containers
Guest author Arjan van de Ven writes: "Containers are hot. Everyone loves them. Developers love the ease of creating a "bundle" of something that users can consume; DevOps and information-technology departments love the ease of management and deployment." A group at Intel is working on a new approach to containers called "Clear Containers"; click below (subscribers only) for an introduction to how these containers work.
Hardening Hypervisors Against VENOM-Style Attacks (Xen Project Blog)
The Xen Project looks at a mechanism to mitigate vulnerabilities like VENOM that attack emulation layers in QEMU. "The good news is it’s easy to mitigate all present and future QEMU bugs, which the recent Xen Security Advisory emphasized as well. Stubdomains can nip the whole class of vulnerabilities exposed by QEMU in the bud by moving QEMU into a de-privileged domain of its own. Instead of having QEMU run as root in dom0, a stubdomain has access only to the VM it is providing emulation for. Thus, an escape through QEMU will only land an attacker in a stubdomain, without access to critical resources. Furthermore, QEMU in a stubdomain runs on MiniOS, so an attacker would only have a very limited environment to run code in (as in return-to-libc/ROP-style), having exactly the same level of privilege as in the domain where the attack started. Nothing is to be gained for a lot of work, effectively making the system as secure as it would be if only PV drivers were used." The Red Hat Security Blog also noted this kind of mitigation for VENOM-style attacks.
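The privilege difference the post describes is a configuration choice on the toolstack side. The following is an added example, not a fragment from the Xen blog post, LWN or the Xen Project's documentation: two xl domain-config fragments for the same HVM guest, the first with the device model running as a root process in dom0 (the arrangement VENOM-style escapes exploit), the second with QEMU pushed into a stubdomain as the post recommends. The guest name, memory size, disk image path and bridge name are placeholders.

```conf
# Added example, not from the Xen Project post. Placeholder guest, disk and bridge.

# Weak: QEMU serves this guest from dom0, as root. A QEMU escape lands the
# attacker in dom0, next to the disks, network and device models of every
# other guest on the host.
name    = "guest1"
builder = "hvm"
memory  = 1024
vcpus   = 2
disk    = [ "/var/lib/xen/images/guest1.img,raw,xvda,rw" ]
vif     = [ "bridge=xenbr0" ]
device_model_version = "qemu-xen"

# Hardened: the same guest, but its QEMU runs in a separate stubdomain on
# MiniOS that can reach only this guest. An escape through QEMU stays inside
# the stubdomain, with no more privilege than the attacker started with.
name    = "guest1"
builder = "hvm"
memory  = 1024
vcpus   = 2
disk    = [ "/var/lib/xen/images/guest1.img,raw,xvda,rw" ]
vif     = [ "bridge=xenbr0" ]
device_model_version = "qemu-xen-traditional"
device_model_stubdomain_override = 1
```

Two caveats a practitioner will hit. First, in the Xen releases current at the time of the post (4.4 and 4.5) the stubdomain option is only honoured together with the qemu-xen-traditional device model, and the stubdomain image (ioemu-stubdom.gz, built from the tree's stubdom/ directory) has to be installed on the host; check xl.cfg(5) for the version you run, since the upstream-QEMU stubdomain work landed later. Second, verify the result rather than trusting the config: after `xl create`, `xl list` should show an extra small domain named after the guest with a "-dm" suffix, and `ps` in dom0 should no longer show a qemu process for that guest.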
Rust 1.0 released
Version 1.0 of the Rust language has been released. "The 1.0 release marks the end of that churn. This release is the official beginning of our commitment to stability, and as such it offers a firm foundation for building applications and libraries. From this point forward, breaking changes are largely out of scope (some minor caveats apply, such as compiler bugs). That said, releasing 1.0 doesn’t mean that the Rust language is “done”. We have many improvements in store. In fact, the Nightly builds of Rust already demonstrate improvements to compile times (with more to come) and includes work on new APIs and language features, like std::fs and associated constants."
Friday's security updates
Arch Linux has updated wireshark-cli (multiple vulnerabilities), wireshark-gtk (multiple vulnerabilities), and wireshark-qt (multiple vulnerabilities).
SUSE has updated flash-player (SLE12: multiple vulnerabilities).
3 big lessons I learned from running an open source company (Opensource.com)
Over at Opensource.com, Lucidworks co-founder and CTO Grant Ingersoll writes about lessons he has learned from running an open-source company. "You might ask, 'Why not open source it all and just provide support?' It's a fair question and one I think every company that open sources code struggles to answer, unless they are a data company (e.g., LinkedIn, Facebook), a consulting company, or a critical part of everyone's infrastructure (e.g., operating systems) and can live off of support alone. Many companies start by open sourcing to gain adoption and then add commercial features (and get accused of selling out), whereas others start commercial and then open source. Internally, the sales side almost always wants "something extra" that they can hang their quota on, while the engineers often want it all open because they know they can take their work with them."
Thursday's security updates
Arch Linux has updated qemu (code execution).
CentOS has updated firefox (C5: multiple vulnerabilities), kernel (C7: code execution), kvm (C5: code execution), qemu-kvm (C7; C6: code execution), and xen (C5: code execution).
Debian has updated iceweasel (multiple vulnerabilities) and qemu (multiple vulnerabilities).
Debian-LTS has updated icu (multiple vulnerabilities, some from 2013).
Fedora has updated ca-certificates (F21: certificate changes), firefox (F21: multiple vulnerabilities), gnutls (F21: signature algorithm verification botch), libssh (F21: denial of service), and thunderbird (F21: two vulnerabilities).
Mageia has updated darktable (denial of service), kernel-linus (three vulnerabilities), kernel-tmb (multiple vulnerabilities), libraw (denial of service), qemu (code execution), rawtherapee (denial of service), ufraw and dcraw (denial of service), and wireshark (three dissector vulnerabilities).
Oracle has updated firefox (OL6: multiple vulnerabilities), kvm (OL5: denial of service), qemu-kvm (OL7; OL6: code execution), kernel (OL7; OL6; OL6; OL5: multiple vulnerabilities), and xen (OL5: code execution).
Scientific Linux has updated firefox (SL7, SL6, SL5: multiple vulnerabilities), kernel (SL7: code execution), kexec-tools (SL7: arbitrary file overwrite), pcs (SL7; SL6: privilege escalation), qemu-kvm (SL7; SL6: code execution), tomcat (SL7: HTTP request smuggling), and tomcat6 (SL6: HTTP request smuggling).
SUSE has updated kvm (SLE11SP3: denial of service).
Ubuntu has updated firefox (multiple vulnerabilities) and qemu, qemu-kvm (three vulnerabilities).
[$] LWN.net Weekly Edition for May 14, 2015
The LWN.net Weekly Edition for May 14, 2015 is available.
Linux 3.19.y-ckt extended stable support
Kamal Mostafa has announced that Canonical's kernel team will pick up stable maintenance of the 3.19 kernel series, until July 2016.
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.0.3, 3.14.42, and 3.10.78. All of them contain important fixes.
[$] CoreOS Fest and the world of containers, part 1
It's been a Linux container bonanza in San Francisco recently, and that includes a series of events and announcements from multiple startups and cloud hosts. It seems like everyone is fighting for a piece of what they hope will be a new multi-billion-dollar market. This included Container Camp on April 17 and CoreOS Fest on May 5th and 6th, with DockerCon to come near the end of June. While there is a lot of hype, the current container gold rush has yielded more than a few benefits for users — and caused technological development so rapid it is hard to keep up with. Subscribers can click below for a report by guest author Josh Berkus from this week's edition.
Security advisories for Wednesday
Arch Linux has updated firefox (multiple vulnerabilities) and tomcat6 (denial of service).
CentOS has updated firefox (C7; C6: multiple vulnerabilities), kexec-tools (C7: file overwrites), pcs (C7; C6: privilege escalation), tomcat (C7: HTTP request smuggling), and tomcat6 (C6: HTTP request smuggling).
Debian has updated quassel (SQL injection).
Fedora has updated clamav (F20: multiple vulnerabilities), dpkg (F21; F20: two vulnerabilities), kernel (F21: two vulnerabilities), texlive (F21: predictable filenames), and wpa_supplicant (F20: code execution).
Gentoo has updated ettercap (multiple vulnerabilities).
Mageia has updated dnsmasq (information disclosure), flash-player-plugin (multiple vulnerabilities), hostapd (denial of service), netcf (denial of service), pam (two vulnerabilities), and testdisk (multiple vulnerabilities).
Oracle has updated firefox (OL7; OL5: multiple vulnerabilities), kernel (OL7: two vulnerabilities), kexec-tools (OL7: file overwrites), tomcat (OL7: HTTP request smuggling), and tomcat6 (OL6: HTTP request smuggling).
Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities), flash-plugin (RHEL5,6: multiple vulnerabilities), java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), kernel (RHEL7: privilege escalation), kernel-rt (RHEL7; RHEMRG2.5: privilege escalation), kexec-tools (RHEL7: file overwrites), kvm (RHEL5: code execution), pcs (RHEL7; RHEL6: privilege escalation), qemu-kvm (RHEL7; RHEL6: code execution), qemu-kvm-rhev (RHEL7, RHEL6, RHEL OSP4,5,6: code execution), tomcat (RHEL7: HTTP request smuggling), tomcat6 (RHEL6: HTTP request smuggling), and xen (RHEL5: code execution).
Scientific Linux has updated kvm (SL5: code execution) and xen (SL5: code execution).
Slackware has updated mozilla (multiple vulnerabilities).
SUSE has updated php5 (SLE12: multiple vulnerabilities).
[$] Trading off safety and performance in the kernel
The kernel community ordinarily tries to avoid letting users get into a position where the integrity of their data might be compromised. There are exceptions, though; consider, for example, the ability to explicitly flush important data to disk (or more importantly, to avoid flushing at any given time). Buffering I/O in this manner can significantly improve disk write I/O throughput, but if application developers are careless, the result can be data loss should the system go down at an inopportune time. Recently there have been a couple of proposed performance-oriented changes that have tested the community's willingness to let users put themselves into danger. Click below (subscribers only) for the full story from this week's Kernel Page.
Firefox 38.0
Mozilla has released Firefox 38.0. This version features new tab-based preferences and Ruby annotation support. Also, it will be the base for the next ESR release. The release notes contain more information.