In a thought-provoking—and characteristically amusing—talk at the Vault conference,Dave Chinner looked at the history of XFS, its current status, and where the filesystem may be heading.In keeping with the title of the talk (shared by this article), he sees parallels in what drove the original development of XFS and what will bedriving new filesystems.Chinner's vision of the future for today's filesystems, and not justof XFS, may be a bit surprising or controversial—possibly both.
Firefox 37.0 has been released. This release features improved protectionagainst site impersonation via OneCRL centralized certificate revocation,Bing search now uses HTTPS for secure searching, opportunistic encryptingof HTTP traffic where the server supports HTTP/2 AltSvc, and more. See thereleasenotes for details.
Arch Linux has updated musl (code execution).Debian has updated openldap(multiple vulnerabilities).Mandriva has updated dokuwiki(MBS1.0: multiple vulnerabilities) and phpmyadmin (MBS1.0: information leak).openSUSE has updated gd (13.2,13.1: denial of service) and seamonkey(13.2, 13.1: two vulnerabilities).Oracle has updated libxml2 (OL7:denial of service) and postgresql (OL7; OL6:multiple vulnerabilities).SUSE has updated firefox (SLE12:two vulnerabilities).Ubuntu has updated jakarta-taglibs-standard (14.10, 14.04: code execution).
Linus has released 4.0-rc6 right onschedule. "Things are calming down nicely, and there are fixes allover. The NUMA balancing performance regression is fixed, and things arelooking up again in general. There were a number of i915 issues and a KVMdouble-fault thing that meant that for a while there I was pretty sure thatthis would be a release that will go to rc8, but that may beunnecessary."
More than a decade after its last major rewrite, the GNU Mailman mailinglist manager project aimsto release its 3.0 suite in April, during the sprints following PyConNorth America. Mailman 3 is a major rewrite that includes a new usermembership system, a REST API, an archiver replacement for Pipermail, and abetter web interface for subscriptions and settings — but it carries withit a few new dependencies as well. Brave system administrators can try outthefifthbeta version now.Subscribers can click below for the full story from next week's edition.
The LibreOffice project was announced withgreat fanfare in September 2010. Nearly one year later, the OpenOffice.orgproject (from which LibreOffice was forked) wascut loose from Oracle andfound a new home as an Apache project. It is fair to say that the rivalrybetween the two projects in the time since then has been strong.Predictions that one project or the other would fail have not been borneout, but that does not mean that the two projects are equally successful.A look at the two projects' development communities reveals someinteresting differences.Click below (subscribers only) for the full article.
Debian has updated openssl(regression in previous update) and python-django (cross-site scripting).Debian-LTS has updated gnutls26(multiple vulnerabilities).openSUSE has updated less (13.2,13.1: information leak) and tor (13.2,13.1: denial of service).Oracle has updated firefox (OL7; OL6: multiple vulnerabilities).SUSE has updated firefox(SLE11 SP3: multiple vulnerabilities).Ubuntu has updated batik (14.10,14.04, 12.04: information leak) and libarchive (14.10, 14.04, 12.04: directory traversal).
The GNOME 3.16 release is out. "This is another exciting release for GNOME, and brings many new featuresand improvements, including redesigned notifications, a new shelltheme, new scrollbars, and a refresh for the file manager. 3.16 alsoincludes improvements to the Image Viewer, Music, Photos and Videos.We are also including three new preview apps for the first time: Books,Calendar and Characters." See the releasenotes for more information.
The LibreOffice project has announced the accelerated development of a newonline offering. "Development of LibreOffice Online started back in 2011, with theavailability of a proof of concept of the client front end, based on HTML5technology. That proof of concept will be developed into a state of the artcloud application, which will become the free alternative to proprietarysolutions such as Google Docs and Office 365, and the first to nativelysupport the Open Document Format (ODF) standard." The currenteffort is supported by IceWarp and Collabora; see thisFAQ and MichaelMeeks's posting for more information. For those wanting to downloadit, though, note the "the availability of LibreOffice Online will be communicated at a laterstage."
The ACM has announcedthat the 2014 A. M. Turing award has gone to MichaelStonebraker. Among many other things, he was the original creator of thedatabase management system now known as PostgreSQL.
The Free Software Foundation Europe has a reminder that Document FreedomDay is happening from March 24 12:00 UTC until March 26 12:00 UTC."Document Freedom Day is the global campaign for document liberation by local groups throughout the world.So far more than 50 groups registered their events in over 25 countriesranging from Asia, Europa, Africa, to South and North America."
The 2015 Linux Plumbers Conference (LPC) has announced that two microconferences have been accepted for the event, which will be held August 19-21 in Seattle. The Checkpoint/Restart and Energy-aware scheduling and CPU power management microconferences will be held at LPC. Registration for the conference will open on March 27 and it will be co-located with LinuxCon North America, which will be held August 17-19.
Forbes takesa look at Cyanogen, and its prospects in the phone market."Cyanogen has a chance to snag as many as 1 billion handsets, morethan the total number of iPhones sold to date, according to someanalysts. Fifty million people already run Cyanogen on their phones, thecompany says. Most went through the hours-long process of erasing anAndroid phone and rebooting it with Cyanogen. [Kirt] McMaster is now persuading a growing list of phone manufacturers to make devices with Cyanogen built in, rather than Google’s Android. Their phones are selling out in record time. Analysts say each phone could bring Cyanogen a minimum of $10 in revenue and perhaps much more."
Worth a read: this postfrom Arjan van de Ven on the difficulty of removing old, insecurecryptographic algorithms from a Linux distribution. "But more, andthis is a call to action: If you're working on an open source project thatuses crypto, please please don't opencode crypto algorithm usage. Thealgorithm may be outdated at any time and might have to go away in ahurry."
It seems it was about time for another certificate authority horror story;the Google Online Security Blog duly delivers."CNNIC responded on the 22nd to explain that they had contracted withMCS Holdings on the basis that MCS would only issue certificates fordomains that they had registered. However, rather than keep the private keyin a suitable HSM, MCS installed it in a man-in-the-middle proxy. Thesedevices intercept secure connections by masquerading as the intendeddestination and are sometimes used by companies to intercept theiremployees’ secure traffic for monitoring or legal reasons. The employees’computers normally have to be configured to trust a proxy for it to be ableto do this. However, in this case, the presumed proxy was given the fullauthority of a public CA, which is a serious breach of the CAsystem."
Ars Technica is one of several news outlets to report on a change announced in Microsoft's Windows 10 plans. Though the headlines (including Ars Technica's) paint a rather bleak scenario, the details are not as clear-cut. The UEFI "Secure Boot" mechanism was introduced with Windows 8, at which time Microsoft's OEM-certification rules mandated that hardware must include a means for the local user to disable Secure Boot. The Windows 10 certification rules does not include the mandated disable switch. Writes Peter Bright: "Should this stand, we can envisage OEMs building machines that will offer no easy way to boot self-built operating systems, or indeed, any operating system that doesn't have appropriate digital signatures. This doesn't cut out Linux entirely—there have been some collaborations to provide Linux boot software with the 'right' set of signatures, and these should continue to work—but it will make it a lot less easy." Note, also, that the only source for this story appears to be a presentation from a Microsoft event in Shenzhen, China. Bright adds that he has contacted Microsoft seeking clarification, but has so far received no reply.
Firefox 36.0.4 has been released. This update includes security and bugfixes, support for the full HTTP/2 protocol, and more. The releasenotes contain the details.
Linus has released the 4.0-rc5 prepatch,saying "There's nothing particularly worrisome going on, although I'm stilltrying to think about the NUMA balancing performance regression. Itmay not be a show-stopper, but it's annoying, and I want it fixed.We'll get it, I'm sure."
Juho Snellman has an interesting treatise on the oft-overlooked challenges that face developers attempting to release an existing, proprietary codebase under open-source terms. "As soon as you get outside of the "one self-contained file or directory" level of complexity, the threshold for releasing code becomes much higher. And likewise every change to a program that was made in order to open source it will make it less likely that the two versions can really be kept in sync in the long term. In this case the core code is maybe 2k-3k lines and won't require much work. It's all the support infrastructure that's going to be an issue." Snellman also reflects on possible strategies for writing internal code that may some day be released to the public.
Over at Opensource.com, Daniel Walsh writes about applying various Linux security technologies to Docker containers. In the article, he looks at using user namespaces and seccomp filters to provide better security for Docker. "One of the problems with all of the container separation modes described here and elsewhere is that they all rely on the kernel for separation. Unlike air gapped computers, or even virtual machines, the processes within the container can talk directly to the host kernel. If the host kernel has a kernel vulnerability that a container can access, they might be able to disable all of the security and break out of the container.The x86_64 Linux kernel has over 600 system calls, a bug in any one of which could lead to a privilege escalation. Some of the system calls are seldom called, and should be eliminated from access within the container."
OpenSSL has updates released today, with two vulnerabilities of"High" severity, as described in its advisory. One ofthe High vulnerabilities is a reclassification of the FREAK vulnerability due to the prevalence ofservers with RSA export ciphers available, the other is a denial of servicein OpenSSL 1.0.2.CentOS has updated freetype (C6:multiple vulnerabilities) and unzip (C6:multiple vulnerabilities).Debian has updated file (denialof service).Debian-LTS has updated mono(three SSL/TLS vulnerabilities).Gentoo has updated python(multiple vulnerabilities, two from 2013).Mageia has updated moodle(multiple vulnerabilities).openSUSE has updated gdm (13.2:screen lock bypass), glusterfs (13.2:denial of service), and libssh2_org (13.2,13.1: information leak).Oracle has updated unzip (OL7; OL6:multiple vulnerabilities).Red Hat has updated postgresql92-postgresql (RHSC1: multiplevulnerabilities) and unzip (RHEL6&7:multiple vulnerabilities).SUSE has updated kernel (SLE12:multiple vulnerabilities).
The Fedora project is looking for somebody to become its diversityadvisor. "The Fedora Diversity Advisor will lead initiatives to assess andpromote equality and inclusion within the Fedora contributor and usercommunities, and will develop project strategy on diversity issues. TheDiversity Advisor will also be the point of contact for Fedora’sparticipation in third-party outreach programs and events." Youhave to get to the bottom of the announcement to read that this is avolunteer position, though they hope to change that someday.
The OpenSSH6.8 release is available. New features include host-key rotationsupport (to allow graceful changes to host keys), an option to require twopublic keys for authentication, and quite a few more.
Debian has updated php5 (multiple vulnerabilities).Fedora has updated freexl (F21; F20:denial of service) and libgcrypt (F21: two vulnerabilities).openSUSE has updated vorbis-tools(13.2, 13.1: denial of service).Oracle has updated freetype (OL7; OL6:multiple vulnerabilities).Red Hat has updated flash-plugin(RHEL5,6: multiple vulnerabilities) and freetype (RHEL6,7: multiple vulnerabilities).Ubuntu has updated libxfont (privilege escalation) and php5 (multiple vulnerabilities).
The Salt Lake Tribune reportsthat the SCO Group's lawsuit against IBM is once again alive and moving inFederal court. "In addition to its claims of IBM misappropriation ofcode, SCO alleges that IBM executives and lawyers directed the company'sLinux programmers to destroy source code on their computers after SCO madeits allegations. The company's other remaining claims are that IBM'sactions amounted to unfair competition and interference with its contractsand business relations with other companies."
Qt 5.5 alpha has been released."With Qt 5.5, Canvas 3D is fully supported and a technology previewof long awaited Qt 3D is included. Qt 5.5 also introduces mapping supportwith a Qt Location technology preview. Qt 5.5 Alpha is the first steptowards Qt 5.5 final release planned to be available in May." Checkout the New Features inQt 5.5 page for more details.
When the schedulefor the 2015 Linux Storage, Filesystem, and Memory Management Summit waslaid out, its authors optimistically set aside 30 minutes on the first dayfor the thorny issue of memory-allocation problems in low-memorysituations. That session (covered here)didn't get past the issue of whether small allocations should be allowed tofail, so the remainder of the discussion, focused on finding bettersolutions for the problem of allocations that simply cannot fail, waspushed into a plenary session on the second day.With this article, LWN's coverage of the memory-management track at LSFMM2015 is complete; sessions from the filesystems track are being added aswell. It all can be found at the LWN LSFMM2015 page.
Debian has updated checkpw (denial of service), libxfont (privilege escalation), and tcpdump (multiple vulnerabilities).Debian-LTS has updated gnupg (multiple vulnerabilities) and tcpdump (multiple vulnerabilities).Gentoo has updated adobe-flash(multiple vulnerabilities) and file(multiple vulnerabilities).Red Hat has updated kernel(RHEL6.2: multiple vulnerabilities) and kernel-rt (RHE MRG2.5: multiple vulnerabilities).Ubuntu has updated libav (12.04: multiple vulnerabilities).
The New Yorker notesthe 30th anniversary of the GNU Manifesto. "Stallman was one of the first to grasp that, if commercial entitieswere going to own the methods and technologies that controlled computers,then computer users would inevitably become beholden to thoseentities. This has come to pass, and in spades. Most computer users havebecome dependent on proprietary code provided by companies like Apple,Facebook, and Google, the use of which comes with conditions we may notcondone or even know about, and can’t control; we have forfeited thefreedom to adapt such code according to our needs, preferences, andpersonal ethics."
The fourth 4.0 prepatch is out for testing.Linus says: "Nothing particularly stands out here. Shortlog appended,I think we're doing fine for where in the release cycle we are."
Libre Graphics World has a lookat the new release of OpenSCAD, the 3D solid-modeling tool often usedin conjunction with 3D printers. The new features include support forcomplex text layout, offset functions for manipulating polygons, andthe ability to generate height maps from PNG images. "The user interface got a few improvements as well: new startup dialog to quickly open recent files or examples from a library, new QScintilla-based code editor with folding support, SVG and AMF exporting, and more."
InformationWeek has alengthy look at the maintenance of the network time protocol (NTP)code. "Not all is well within the NTP open source project. Thenumber of volunteer contributors -- those who submit code for periodicupdates, examine bug reports, and write fixes -- has shrunk over its longlifespan, even as its importance has increased. Its ongoing development andmaintenance now rest mostly on the shoulders of [Harlan] Stenn, and that'swhy NTP faces a turning point. Stenn, who also works sporadically on his ownconsulting business, has given himself a deadline: Garner more financialsupport by April, 'or look for regular work.'"
Google has announcedthat the Google Code repository is shutting down. "As developersmigrated away from Google Code, a growing share of the remaining projectswere spam or abuse. Lately, the administrative load has consisted almostexclusively of abuse management. After profiling non-abusive activity onGoogle Code, it has become clear to us that the service simply isn’t neededanymore." New project creation has been stopped already; the finalpulling of the plug will be in January 2016.
openSUSE has updated cacti (13.2,13.1: multiple vulnerabilities).Oracle has updated kernel (OL6: multiple vulnerabilities).Red Hat has updated kernel(RHEL6: multiple vulnerabilities).Scientific Linux has updated bind(SL6,7: denial of service) and kernel (SL6:multiple vulnerabilities).SUSE has updated bind(SLES11 SP1: denial of service) and kernel (SLES11 SP2: multiple vulnerabilities).Ubuntu has updated kernel (14.10; 14.04;12.04; 10.04: privilege escalation), linux-lts-trusty (12.04: privilegeescalation), and linux-lts-utopic (14.04: privilege escalation).
LWN.net