Bradley Kuhn started off his linux.conf.au 2016 talk by stating a goal that, he hoped, he shared with the audience: a world where more (or most) software is free software. The community has one key strategy toward that goal: copyleft licensing. He was there to talk about whether that strategy is working, and what can be done to make it more effective; the picture he painted was not entirely rosy, but there is hope if software developers are willing to make some changes.
Chris Hermansen looks at an early open music format—vinyl LP records—over at Opensource.com. He goes into some of the details of the format and how it is read, as well as a bit about ripping records using Linux. "Ok, so we just figured out that our stylus puts 136 times as much pressure on our records as our car puts on the pavement? That's crazy!!! Why doesn't the stylus completely destroy the record? Those alternate-Earth physicists and engineers are rolling on the floor now, clutching their bellies and gasping for breath... but here is the final straw. Despite the seemingly ridiculous or even impossible nature of the whole ensemble of components, a well-recorded vinyl LP played back with a decent turntable, tonearm, and cartridge sounds wonderful."
Debian has updated libgcrypt20 (key leak) and nginx (three vulnerabilities). Debian-LTS has updated eglibc (regression in previous security update). Fedora has updated nodejs-is-my-json-valid (F22: denial of service) and python-pymongo (F23; F22: two vulnerabilities). openSUSE has updated cacti (42.1; 13.2; 13.1: multiple vulnerabilities), cacti-spine (13.1: unspecified), and openssl (13.1: cipher downgrade). Slackware has updated mozilla (14.1: unspecified). Ubuntu has updated firefox (15.10, 14.04, 12.04: same-origin restriction bypass) and postgresql-9.1, postgresql-9.3, postgresql-9.4 (15.10, 14.04, 12.04: two vulnerabilities).
Scratching an itch is a recurring theme in presentations at linux.conf.au. As the open-hardware movement gains strength, more and more of these itches relate to the physical world, not just the digital. David Tulloh used his presentation [WebM] on the “Linux Driven Microwave” to discuss how annoying microwave ovens can be and to describe his project to build something less irritating. Click below (subscribers only) for the full report from Neil Brown.
Arch Linux has updated kscreenlocker (restriction bypass). CentOS has updated sos (C6: information leak). Fedora has updated claws-mail (F22: stack-based buffer overflow), imlib2 (F22: denial of service), python-pillow (F23: denial of service), and webkitgtk4 (F22: multiple vulnerabilities). Mageia has updated ffmpeg (multiple vulnerabilities), flash-player-plugin (multiple vulnerabilities), jasper (denial of service), and nettle (improper cryptographic calculations). openSUSE has updated jasper (13.2: denial of service), krb5 (13.2: three vulnerabilities), and tiff (13.2: three vulnerabilities). Oracle has updated sos (OL6: information leak). Red Hat has updated openstack-swift (RHELOSP7: denial of service) and python-django (RHELOSP7; RHELOSP5 for RHEL7; RHELOSP5 for RHEL6: information disclosure). Scientific Linux has updated sos (SL6: information leak). SUSE has updated flash-player (SLE12-SP1; SLE11-SP4: multiple vulnerabilities) and java-1_7_1-ibm (SLE12-SP1; SLE11-SP4: multiple vulnerabilities). Ubuntu has updated nginx (15.10, 14.04: denial of service).
The SourceForge hosting site has announced that it has a new owner (BIZX, LLC, along with Slashdot) and that it will be getting rid of the controversial DevShare program, which was covered here in 2013. "As of last week, the DevShare program was completely eliminated. The DevShare program delivered installer bundles as part of the download for participating projects. We want to restore our reputation as a trusted home for open source software, and this was a clear first step towards that. We’re more interested in doing the right thing than making extra short-term profit."
The LibreOffice 5.1 release is available. "LibreOffice 5.1's user interface has been completely reorganized, to provide faster and more convenient access to its most used features. A new menu has been added to each of the applications: Style (Writer), Sheet (Calc) and Slide (Impress and Draw). In addition, several icons and menu commands have been repositioned based on user preferences." See this page for (a little) more information and some videos.
The Obama administration has put out a plan for how it would like to make the net a safer place. There are a lot of topics covered here; toward the end it also mentions that "the Government will work with organizations such as the Linux Foundation’s Core Infrastructure Initiative to fund and secure commonly used internet 'utilities' such as open-source software, protocols, and standards. Just as our roads and bridges need regular repair and upkeep, so do the technical linkages that allow the information superhighway to flow."
"TPM," said Matthew Garrett in his linux.conf.au 2016 talk, stands for "trusted platform module"; it is a tool that is meant to allow a system's owner to decide which software to trust. Some years ago, there was a lot of fear that the TPM would be used, instead, to take that decision away, to allow others to decide which software would be trusted to run on our systems; for that reason, some called "trusted computing" by the rather less complimentary name "treacherous computing." That scenario didn't come about, though, for a number of reasons, both technical and social. But we can still use the TPM for its original purpose; Matthew was there to talk about his work to bring about computing that we can trust. Click below (subscribers only) for the full report from LCA 2016.
Debian has updated qemu (multiple vulnerabilities), qemu (more vulnerabilities), qemu-kvm (multiple vulnerabilities), and wordpress (two vulnerabilities). Debian-LTS has updated gajim (man-in-the-middle). Mageia has updated mbedtls/hiawatha/belle-sip/linphone/pdns (code execution), openssl (man-in-the-middle), php (multiple vulnerabilities), privoxy (denial of service), and radicale (authentication bypass). Red Hat has updated sos (RHEL6: information leak). Slackware has updated curl (authentication bypass) and flac (multiple vulnerabilities). SUSE has updated java-1_8_0-ibm (SLE12-SP1: multiple vulnerabilities) and rubygem-rails-html-sanitizer (SES2.1: multiple vulnerabilities). Ubuntu has updated firefox (regression in previous update).
Wired talks with John Perry Barlow on the 20th anniversary of his Declaration of Independence of Cyberspace. "In the modern era of global NSA surveillance, China’s Great Firewall, and FBI agents trawling the dark Web, it’s easy to write off Barlow’s declaration as early dotcom-era hubris. But on his document’s 20th anniversary, Barlow himself wants to be clear: He stands by his words just as much today as he did when he clicked “send” in 1996."
The 4.5-rc3 kernel prepatch is out. "It's slightly bigger than I'd like, but not excessively so (and not unusually so). Most of the patches are pretty small, although the diff is utterly dominated by the (big) removal of a couple of staging rdma drivers that just weren't going anywhere. Those removal patches are 90% of the bulk of the diff."
The CoreOS project has announced version 1.0 of its rkt container manager. As part of the release, rkt's command-line interface and on-disk format have been declared stable. The announcement also highlights a number of new security features, including "KVM-based container isolation, SELinux support, TPM integration, image signature validation, and privilege separation" and notes that rkt will run Docker images.
Arch Linux has updated libbsd (denial of service). Debian has updated krb5 (multiple vulnerabilities). Fedora has updated nettle (F23: improper cryptographic calculations), salt (F22: information leak), and webkitgtk4 (F23: multiple vulnerabilities). SUSE has updated MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss (SLE12: multiple vulnerabilities) and MozillaFirefox, MozillaFirefox-branding-SLED, mozilla-nss (SLE11: multiple vulnerabilities).
Over at Linux.com, Eric Brown looks at the newly announced Ubuntu Touch tablet. The hardware: "The Aquaris M10 is equipped with a 64-bit, quad-core, Cortex-A53 MediaTek MT8163A system-on-chip clocked to 1.5GHz, along with a high-powered ARM Mali-T720 MP2 GPU. The tablet ships with 2GB of RAM, 16GB flash, and a microSD slot." It is said to have 1920x1200 resolution and an 8 megapixel camera capable of HD recording. The interface will change to take advantage of larger displays and additional input devices (e.g. keyboard, mouse). "It appears that the upcoming Ubuntu 16.04 “Xenial Xerus” LTS release due in April will be the first true convergence release. According to PC World, it will still be optional, however, with a traditional Unity 7 build with X.org available alongside the newly converged Unity 8 with the new Mir display server. The new tablet, and Unity 8, will feature Ubuntu Touch’s Scopes interface, which presents frequently used content and services as an alternative to traditional apps. In addition to automatically changing the interface in response to new screens and input devices, Ubuntu is also providing convergence on the application development level. Developers are already developing single apps that can automatically morph into desktop, phone, and tablet formats."
Arch Linux has updated lib32-nettle (improper cryptographic calculations) and nettle (improper cryptographic calculations). Debian has updated openjdk-6 (multiple vulnerabilities). Fedora has updated openstack-heat (F23: denial of service) and openstack-swift (F23: denial of service). openSUSE has updated kernel (13.2: multiple vulnerabilities). Red Hat has updated kernel (RHEL7.1: multiple vulnerabilities). Ubuntu has updated qemu, qemu-kvm (15.10, 14.04, 12.04: multiple vulnerabilities).
Michael Catanzaro describes the sad state of WebKit security on Linux distributions and the challenges of security support for such a complex package in general. "We regularly receive bug reports from users with very old versions of WebKit, who trust their distributors to handle security for them and might not even realize they are running ancient, unsafe versions of WebKit. I strongly recommend using a distribution that releases WebKitGTK+ updates shortly after they’re released upstream. That is currently only Arch and Fedora. (You can also safely use WebKitGTK+ in Debian testing — except during its long freeze periods — and Debian unstable, and maybe also in openSUSE Tumbleweed. Just be aware that the stable releases of these distributions are currently not receiving our security updates.)" Lots of information here, worth a read for anybody interested in the topic.
The Black Forest fire destroyed over 500 Colorado houses in June 2013; one of those belonged to longtime Debian developer Bdale Garbee. As he reported during his talk at the 2016 linux.conf.au Multimedia and Music miniconf, the house has been redesigned and rebuilt and life is generally better now. Part of the rebuilding process included the incorporation of a whole-house audio system; naturally, Bdale took a unique approach to that task. His talk showed what can be done when one starts from scratch — and doesn't mind designing a circuit board along the way.
This Red Hat blog post celebrates the fifteenth anniversary of the first SELinux release. "With the question of open source security long behind us, we are now focused on providing an even more flexible security model through SELinux. With the rise of composite, distributed applications that can span hundreds of physical and virtual machines as well as disparate cloud instances and Linux container deployments, one-off usage of SELinux is not enough. Instead, we are focused on providing “defense in depth” for modern computing scenarios, effectively building and deploying SELinux policies at each level of the datacenter."
The 4.5-rc2 kernel prepatch is out. Linus says things aren't going so slowly anymore: "As late as Friday, I was planning on talking about how nice it is to see this new trend of tiny rc2 releases, because there really hadn't been very many pull requests at all. But it turns out the pull requests were just heavily skewed to the end of the week, and 4.5-rc2 isn't particularly small after all. It pretty much doubled over the weekend." Still, he seems to think that things are working well enough.
The 4.4.1, 4.3.5, and 4.1.17 stable kernel updates are out. These contain a relatively large number of changes as Greg Kroah-Hartman continues to work through the patch backlog.
The KDE neon project — which arguably could be seen as a replacement for the Kubuntu distribution — has been announced at FOSDEM. "More than ever people expect a stable desktop with cutting-edge features, all in a package which is easy to use and ready to make their own. KDE Neon is the intersection of these needs using a stable Ubuntu long-term release as its core, packaging the hottest software fresh from the KDE Community ovens. Compute knowing you have a solid foundation and enjoy the features you experience in the world's most customisable desktop."
Wired reports on a talk at the USENIX Enigma conference by Rob Joyce of the US National Security Agency (NSA). Joyce is the head of the NSA's Tailored Access Operations, which is tasked with breaking into the systems of adversaries and sometimes allies. He spoke about ways to thwart the NSA and other nation-state-level attackers. "'We put the time in … to know [that network] better than the people who designed it and the people who are securing it,' he said. 'You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network. Subtle difference. You'd be surprised about the things that are running on a network vs. the things that you think are supposed to be there.'"
Arch Linux has updated nginx (three denial of service flaws). Debian has updated iceweasel (three vulnerabilities) and openjdk-7 (multiple vulnerabilities). openSUSE has updated chromium (13.1: multiple vulnerabilities), java-1_7_0-openjdk (13.2: multiple vulnerabilities), java-1_8_0-openjdk (42.1; 13.2: multiple vulnerabilities), java7 (13.1: multiple vulnerabilities), and openldap2 (42.1: two vulnerabilities). Oracle has updated bind (OL7; OL6; OL5: denial of service), bind97 (OL5: denial of service), and firefox (OL7; OL6; OL5: two code execution flaws). Red Hat has updated bind (RHEL6.4, 6.5: four denial of service flaws, including one from 2014) and bind (RHEL6.6: three denial of service flaws). Scientific Linux has updated bind (denial of service), bind97 (SL5: denial of service), and firefox (two code execution flaws). SUSE has updated java-1_7_0-openjdk (SLE12; SLE11: multiple vulnerabilities) and openldap2 (Studio Onsite 1.3: two vulnerabilities). Ubuntu has updated curl (authentication bypass) and oxide-qt (15.10, 15.04, 14.04: multiple vulnerabilities).
The Linux Foundation's board of directors is not usually a hotbed of controversy; for the most part it does its work in the background, quietly going about the business of directing the non-profit organization. In mid-January that all changed. The bylaws that governed how some at-large board seats were allocated were changed, which caused quite an uproar within the Linux world. While there is speculation about the motive for the change—as well as an official statement of sorts—it certainly seems like the whole thing could have been handled a lot better. Subscribers can click below for the full story from this week's edition.
Firefox 44.0 has been released. With this version Firefox can get push notifications from your favorite sites. This release also features improved warning pages for certificate errors and untrusted connections; H.264 is enabled if the system decoder is available, and WebM/VP9 video support is enabled if MP4/H.264 are not supported; the brotli compression format via HTTPS content-encoding is supported; and more. See the release notes for details.
The Linux Test Project test suite stable release for January 2016 is available. There were 191 patches by 29 authors merged since the previous release. Some notable changes include rewritten and new cgroup tests for cpuacct and pids controllers, rewritten basic cgroup functional and stress tests, new userns07 test for user namespaces, new syscall tests, and more.
AMD has launched "gpuopen.com" to support open graphics development (on AMD GPUs, naturally). "The second is a commitment to open source software. The game and graphics development community is an active hub of enthusiastic individuals who believe in the value of sharing knowledge. Full and flexible access to the source of tools, libraries and effects is a key pillar of the GPUOpen philosophy. Only through open source access are developers able to modify, optimize, fix, port and learn from software. The goal? Encouraging innovation and the development of amazing graphics techniques and optimizations in PC games."
As expected, Linus released the 4.5-rc1 development kernel and closed the merge window for this cycle on January 24. Less than 2,000 changes were pulled since last week's summary, but there were some significant changes to be found among them. Click below (subscribers only) for the final part of LWN's 4.5 merge window coverage.
Arch Linux has updated ecryptfs-utils (privilege escalation), linux-lts (privilege escalation), privoxy (two denial of service flaws), python-rsa (signature forgery), and python2-rsa (signature forgery). CentOS has updated ntp (C7; C6: missing check for zero originate timestamp). Debian has updated claws-mail (code execution). Debian-LTS has updated foomatic-filters (buffer overflows), imlib2 (denial of service), pound (multiple vulnerabilities, one from 2009), and privoxy (two denial of service flaws). Fedora has updated bind (F23: two denial of service flaws), bind99 (F23: denial of service), chrony (F23: packet modification), dhcp (F22: denial of service), java-1.8.0-openjdk (F23: unspecified), mod_nss (F22: enables insecure ciphersuites), owncloud (F23; F22: multiple vulnerabilities), python-rsa (F22: signature forgery), and qemu (F23: multiple vulnerabilities). Mageia has updated virtualbox (unspecified vulnerabilities). openSUSE has updated bind (13.1: denial of service), cgit (13.1: three vulnerabilities), giflib (13.1: heap-based buffer overflow), jasper (13.2; 13.1: denial of service), libvirt (Leap42.1, 13.2; 13.1: path traversal), openldap2 (13.2: two vulnerabilities), roundcubemail (Leap42.1; 13.2; 13.1: code execution), and tiff (13.2; 13.1: denial of service). Oracle has updated ntp (OL7: missing check for zero originate timestamp). Red Hat has updated ntp (RHEL6,7: missing check for zero originate timestamp). Scientific Linux has updated ntp (SL6,7: missing check for zero originate timestamp). SUSE has updated bind (SLES10-SP4: four denial of service vulnerabilities), openldap2 (SLE12-SP1: two vulnerabilities), and kernel (SLE12: privilege escalation).
Matt Mackall, the creator of the Mercurial source-code management system, has announced that he is ready to move on to a new project. "So over the course of this year, I'm going to gradually remove myself from daily involvement in the project. As lots of people and companies have a lot invested in Mercurial, I'm doing this over a long period of time to make sure it goes smoothly."
Linus has released the 4.5-rc1 prepatch and closed the merge window for this development cycle. "It's a fairly normal release - neither unusually big nor unusually small. The statistics look fairly normal too, with drivers being a bit over 70% of the bulk (the big driver areas being gpu, networking, sound, staging, fbdev, but it's all over)."
The 4.3.4, 4.1.16, 3.14.59, and 3.10.95 stable kernel updates have been released. They are the first in just over one month, and they contain a fair number of important fixes.
On his blog, Peter Hutterer answers the perennial "is Wayland ready yet?" question by pointing out that it really is not the right question. "The protocol is stable and has been for a while. But not every compositor and/or toolkit/application speak Wayland yet, so it may not be sufficient for your use-case. So rather than asking 'Is Wayland ready yet', you should be asking: 'Can I run GNOME/KDE/Enlightenment/etc. under Wayland?' That is the right question to ask, and the answer is generally 'It depends what you expect to work flawlessly.' This also means 'people working on Wayland' is often better stated as 'people working on Wayland support in ....'."
Just a quick note to point out that the very first LWN Weekly Edition came out on January 22, 1998. So we have now been at it for eighteen years. To say we would have been surprised by that idea in 1998 is a serious understatement. Many thanks to LWN's reader community for keeping us going for all this time!
Linux Foundation leader Jim Zemlin explains the recent changes in the organization's by-laws. "First, The Linux Foundation Board structure has not changed. The same individuals remain as directors, and the same ratio of corporate to community directors continues as well. What we did do was to act on a long-discussed perception that the value we provide to individual supporters could be improved, for the first time in a decade. And that the process for recruiting community directors should be changed to be in line with other leading organizations in our community and industry." He also speaks out against the personal attacks that have appeared in conversations about this change.