Debian has updated libcrypto++ (information disclosure).Debian-LTS has updated cacti(multiple vulnerabilities), libwmf (denialof service), and t1utils (code execution).Fedora has updated kernel (F22: denial of service).openSUSE has updated roundcubemail (13.2: two vulnerabilities).Scientific Linux has updated kvm(SL5: code execution).SUSE has updated java-1_7_0-ibm(SLE11SP3: multiple vulnerabilities) and Xen (SLES11SP2; SLES11SP1: multiple vulnerabilities).
Valve has announced the first preview release of its forthcomingSteamOS update. The new release is based on Debian 8.1 with long-termsupport kernel 3.18; there aredownloadable builds linked to in the announcement for both UEFI andlegacy BIOS systems. There appear to be few user-visible differencesbetween the new release and the current SteamOS so far,though; the announcement notes: "Although there are a lot ofchanges under the covers, the overall functionality and experience ofbrewmaster is the same as alchemist."
Version 4.1 of the Ardour digital audio workstation software has been released. There are some new features in the release including input gain control, support for capture-only and playback-only devices, a real "Save As" option (with the old option being renamed to "Snapshot (& switch to new version)"), and allowing plugins to be reordered and meter positions to change without adding a click into the audio. There are also lots of user interface changes, including better High-DPI support. "This release contains several new features, both internally and in the user interface, and a slew of bug fixes worthy of your attention. Encouragingly, we also have one of our longest ever contributor lists for this release.We had hoped to be on a roughly monthly release cycle after the release of 4.0, but collaborations with other organizations delayed 4.1 by nearly a month."
The Ubuntu Community Council (UCC) and Kubuntu Council (KC) have issueda joint statement regarding the conflict between Jonathan Riddell andthe UCC. "We have mutually agreed that KDE is important to Ubuntu, and the Kubuntu Council believes that Ubuntu is important to the KDE community as well. Therefore we have a basis to work together on putting out a lovely Wily release. We recognize that there are honest and strong feelings about both the things that led up to the current controversy and the way that resolution of it was handled. Despite that, we would all like to move forward as best we can for the betterment of the Ubuntu project, including Kubuntu." LWN covered thecontroversy in late May.
PGCon 2015, the PostgreSQLinternational developer conference, took place in Ottawa, Canada from June16 to 20. This PGCon involved a change in format from prior editions, witha "developer unconference" in the two days before the main conferenceprogram. Both the conference and the unconference covered a wide range oftopics, many of them related to horizontal or vertical scaling, or to newPostgreSQL features.Subscribers can click below for a report from the conference from guest author Josh Berkus.
Red Hat has announcedthe winners of its Women in Open Source Awards. The AcademicAward goes to Kesha Shah, a student at Dhirubhai Ambani Institute ofInformation and Communication Technology, and the Community Award goes to SarahSharp, embedded software architect at Intel. Opensource.com has interviewswith both women.KeshaShah: "Last year, I was a mentor in Season of KDE and GCI again, with BRLCAD and KDE. Now, I am currently working on testing automation of Ushahidi with Systers, an Anita Borg community, as a part of GSoC. During my journey, I had seen several of my peers enter the domain, succeed, and fail in equal measure. So, I took up the challenge of mentoring newbies.One of my biggest achievements is that I have personally guided about 20-22newbies into the world of open source through mentoring programs like GCI,SoK, Learn IT girls, and through conducting hands-on workshops andenlightening talks on open source. Those efforts converted them to regularcontributors."SarahSharp: "My second proudest moment is the very first round whenthe Linux kernel participated in the Outreach Program for Women (now called Outreachy). A lot of kernel maintainers complained about how newcomers would send them mangled patches, and grump about how the newcomers should really just RTFM and look at our patch submission guidelines. Of course, it turned out the manual was lacking or out of date, and there were a lot of steps to set up tools for Linux kernel development, so I spent a week and created a step-by-step tutorial.It was really gratifying to see those first applicants go through my tutorial and send well-formed patches. I've loved watching those interns move onto bigger projects, and even get hired to work on the Linux kernel, and I'm really proud I was able to help people get involved in Linux kernel development."
The Open Container Projecthas announced itsexistence. "Housed under the Linux Foundation, the OCP’s missionis to enable users and companies to continue to innovate and developcontainer-based solutions, with confidence that their pre-existingdevelopment efforts will be protected and without industryfragmentation. As part of this initiative, Docker will donate the code forits software container format and its runtime, as well as the associatedspecifications. The leadership of the Application Container spec (“appcâ€)initiative, including founding member CoreOS, will also be bringing theirtechnical leadership and support to OCP."
In a post on the Red Hat Blog, the company has announced a version of Red Hat Enterprise Linux (RHEL) for ARM development. "Today, we are making the Red Hat Enterprise Linux Server for ARM Development Preview 7.1 available to all current and future members of the Red Hat ARM Partner Early Access Program as well as their end users as an unsupported development platform, providing a common standards-based operating system for existing 64-bit ARM hardware. Beyond this release, we plan to continue collaborating with our partner ISVs and OEMs, end users, and the broader open source community to enhance and refine the platform to ultimately work with the next generation of ARM-based designs." Jon Masters, who is the technical lead for the project, has a lengthy Google+ post about the project and its history over the last 4+ years.
The Linux Foundation's Critical Infrastructure Initiative has announcedthe funding of three projects to the tune of "nearly$500,000." "CII's funds will support a new open sourceautomated testing project, the Reproducible Builds initiative from Debian,and IT security researcher Hanno Boeck's Fuzzing Project. Additionally, TheLinux Foundation is announcing Emily Ratliff is joining The LinuxFoundation as senior director of infrastructure security for CII. Ratliffis a Linux, system and cloud security expert with more than 20 years'experience. Most recently she worked as a security engineer for AMD andlogged nearly 15 years at IBM."
Mark Shuttleworth announces "theFan", a new mechanism for directing communications between containers."We recognised that container networking is unusual, and quite unliketrue software-defined networking, in that the number of containers you wanton each host is probably roughly the same. You want to run a couple hundredcontainers on each VM. You also don’t (in the docker case) want to livemigrate them around, you just kill them and start them againelsewhere. Essentially, what you need is an address multiplier – anywhereyou have one interface, it would be handy to have 250 of theminstead."See this page fordetails on how it works.
The Mageia5 release is now available. The headline feature in this long-awaiteddistribution release appears to be UEFI BIOS support, but there's more; seethe releasenotes for details.
Linus has releasedthe 4.1 kernel. "It's not like the 4.1release cycle was particularly painful, and let's hope that the extraweek of letting it sit makes for a great release. Which wouldn't be abad thing, considering that 4.1 will also be a LTS release."Headline features in this release includesupport for encrypted ext4 filesystems,the persistent memory block driver,ACPI support for the ARM64 architecture, and more.
The openSUSE project has often struggled with questions of identity: whatis the distribution trying to be, and for who? From the 2010 strategy search through to the 2013 development-model discussions and the 2014 release-management questions, openSUSE'sdevelopers have tried to find a development approach that is bothsustainable and appealing to a wider audience. In 2015, it appears that apartial success has been achieved, but that success is driving a new andcontroversial change.
Lennart Poettering writesabout the sd-bus library with substantial digressions into how D-Busworks in general. "We believe the result of our work delivers our goals quite nicely:the library is fun to use, supports kdbus and sockets as back-end, isrelatively minimal, and the performance is substantially better than bothlibdbus and GDBus."
Code Climate has announcedthe open-source release of its static-analysis platform. "We’rereleasing the static analysis engines that power the new Code ClimatePlatform, and going forward, all of our static analysis code will bepublished under Open Source licenses. Code Climate has always provided freeanalysis to Open Source projects, and this continues to deepen ourcommitment to, and participation in, the OSS community."
At his blog, former Ubuntu Community Manager Jono Bacon speculateson whether or not the Ubuntu Phone project should rebase its softwarestack on Android. Bacon prefaces the post with a note that it is"designed purely for some intellectual fun and discussion. I amnot proposing we actually do this, nor advocating for this."The central argument is that new mobile platforms invariably expendhundreds of thousands of dollars attracting well-known app vendors tothe new stack. Supporting Android apps would let Ubuntu focus effortson the user interface, scopes, and other components. "I knowthere has been a reluctance to support Android apps on Ubuntu as itdevalues the Ubuntu app ecosystem and people would just use Androidapps, but I honestly think some kind of middle-ground is needed to getinto the game, otherwise I worry we won’t even make it to the subsbench no matter how awesome our technology is." Note that,whatever one makes of the idea, Bacon is speaking only about theUbuntu Phone stack; the post does touch on how such a rebase wouldinterfere with Ubuntu's plans for a converged software stack.
Luke Wagner of Mozilla has announcedthe existence of the WebAssembly project. The purpose is to define alow-level language to run in web browsers; it will then serve as acompilation target for higher-level languages. Developers from most of themajor browser engines are working on the project. "For existingEmscripten/asm.js users, targeting WebAssembly will be as easy as flippinga flag. Thus, it is natural to view WebAssembly as the next evolutionarystep of asm.js (a step many have requested and anticipated)."
CentOS has updated cups (C7; C6: three vulnerabilities).Debian has updated kernel (three vulnerabilities).Debian-LTS has updated linux-2.6(multiple vulnerabilities going back to 2011) and openssl (multiple vulnerabilities).Fedora has updated mbedtls (F20:code execution), python-requests (F21:cookie stealing), and python-urllib3 (F21:proper openssl support).openSUSE has updated busybox(13.2, 13.1: code execution) and strongswan(13.2, 13.1: information disclosure).Oracle has updated cups (OL7; OL6:three vulnerabilities).Red Hat has updated cups(RHEL6&7: three vulnerabilities).Scientific Linux has updated cups(SL6&7: three vulnerabilities).
A 2013 Kickstarterproject brought us Micro Python, which is a versionof Python 3 for microcontrollers, along with the pyboard torun it on. Micro Python is a complete rewrite of the interpreter thatavoids some of the CPython (the canonical Python interpreter written in C)implementation details that don't work well on microcontrollers.I recently got my hands on a pyboard and decided to give it—andMicro Python—a try.
Opensource.com takesa look at the upcoming release of Blender 2.75. "One of the biggest features merged into Blender this go-round were from the multiview branch. In short, Blender now fully supports the ability to create stereoscopic 3D images. With the increased pervasiveness of 3D films and televisions—not to mention VR headsets in gaming—a lot of people are interested in generating images that play nice in this format. And now Blender can."
The leap second is an occasional ritual wherein Coordinated Universal Time(UTC) is held back for one second to account for the slowing of the Earth'srotation. The last leap second happened on June 30, 2012; the next isscheduled for June 30 of this year. Leap seconds are thus infrequentevents. One might easily imagine that infrequent events involving timediscontinuities would be likely to expose software problems, and, sureenough, the 2012 leap second hadits share of issues. The 2015 leap second looks to be a calmer affair,but it appears that it will not be entirely problem-free.
Opensource.com has an interviewwith Robyn Bergeron about her current position as Operations Advocateat Elastic, and past roles (such as Fedora Project Leader). "The ELK stack (that's Elasticsearch, Logstash, and Kibana), being incredibly flexible and adaptable to many use cases, appeals to both operations folks and developers—but my love for it really has grown from seeing how fantastically it has allowed folks working in ops to not just start more rapidly identifying that "something broke," but also to be able to visually identify the patterns that lead to those broken things. Getting to a point where you're not just on fire all the time fixing technology, and instead fixing the processes that lead to fires, or implementing ways to proactively avoid fires, is not just redeeming, but frees up time to do other things besides firefighting.People love breaking that loop, and it's fabulous being an advocate for something that is literally making people's work-life balance and general happiness levels better. I've been in those fires. It's not fun. It makes me happy to see users feeling awesome."
As promised, the 4.1-rc8 kernel prepatch isout. "So I'm on vacation, but time doesn't stop for that, and it'sSunday, so time for a hopefully final rc."
The 2015 edition of the TeX Live software distribution, the "easy way to get up and running with the TeX document production system," has been released. DVDs are in production for members of the TeX Users Group (TUG), though many will probably prefer the downloadable release. The changes included in this edition include the merging of several LaTeX fixes from external packages into LaTeX itself, JPEG Exif support in pdfTeX, and image-handling fixes in XeTeX.
Version 1.10 of the MATE Desktop has been released. Perhaps the most notable new feature is that all MATE components can now be built with GTK+2 or GTK+3, although GTK+3 support is still labeled "experimental." Also new in this update are ePub support in the Atril document viewer and a new audio-mixing library named libmatemixer.
Over at the Red Hat Security Blog, Kurt Seifried looks at the costs of security embargoes. Keeping the information about security vulnerabilities quiet until distributions can coordinate their releases of a fix for it seems like it makes a lot of sense, but there are hidden costs to that. "Patch creation with an embargoed issue means only the researcher and upstream participating. The end result of this is often patches that are incomplete and do not fully address the issue. This happened with the Bash Shellshock issue (CVE-2014-6271) where the initial patch, and even subsequent patches, were incomplete resulting in several more CVEs (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169). For a somewhat complete listing of such examples simply search the CVE database for 'because of an incomplete fix for'."
LinkedIn has announcedthe release of its "Pinot" analytics system under the Apache license."We’ve been using it at LinkedIn for more than two years, and in thattime, it has established itself as the de facto online analytics platformto provide valuable insights to our members and customers. At LinkedIn, wehave a large deployment of Pinot storing 100’s of billions of records andingesting over a billion records every day."
Processor architectures are far from trivial; untold millions ofdollars and many thousands of hours have likely gone into the creationand refinement of the x86 and ARM architectures that dominate theCPUs in Linux boxes today. But that does not mean that x86 and ARM are the onlyarchitectures of value, as Jeff Dionne, Rob Landley, and ShumpeiKawasaki illustrated in their LinuxCon Japan session "Turtles all theway down: running Linux on open hardware." The team has been workingon breathing new life into a somewhat older architecture that offerscomparable performance to many common system-on-chip (SoC)designs—and whichcan be produced as open hardware.Click below (subscribers only) for the full report from LinuxCon Japan.
Geoff Huston has written a lengthycolumn on multipath TCP. "For many scenarios there is littlevalue in being able to use multiple addresses. The conventional behavior iswhere each new session is directed to a particular interface, and thesession is given an outbound address as determined by localpolicies. However, when we start to consider applications where the bindingof location and identity is more fluid, and where network connections aretransient, and the cost and capacity of connections differ, as is often thecase in todays mobile cellular radio services and in WiFi roaming services,then having a session that has a certain amount of agility to switch acrossnetworks can be a significant factor." (See also: LWN's look at the Linux multipath TCPimplementation from 2013).
The folks behind the NGINX web server have put up ahighly self-congratulatory article on how the system was designed."NGINX scales very well to support hundreds of thousands ofconnections per worker process. Each new connection creates another filedescriptor and consumes a small amount of additional memory in the workerprocess. There is very little additional overhead per connection. NGINXprocesses can remain pinned to CPUs. Context switches are relativelyinfrequent and occur when there is no work to be done."
Arch Linux has updated cups (two vulnerabilities).Debian has updated cups (two vulnerabilities).Debian-LTS has updated libapache-mod-jk (information disclosure) and libraw (denial of service).Oracle has updated abrt (OL7:multiple vulnerabilities) and kernel (OL6: multiple vulnerabilities).Red Hat has updated abrt (RHEL7:multiple vulnerabilities), flash-plugin(RHEL5,6: multiple vulnerabilities), and kernel (RHEL6; RHEL6.2: multiple vulnerabilities).Scientific Linux has updated kernel (SL6: multiple vulnerabilities).Ubuntu has updated cups (15.04,14.10, 14.04, 12.04: two vulnerabilities) and qemu, qemu-kvm (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).
Tim Bird has worked with embedded Linux for many years; during this time hehas noticed an unhappy pattern: many of the companies that use and modifyopen-source software are not involved with the communities that developthat software. That is, he said, "a shame." In an attempt to determinewhat is keeping companies from contributing to the kernel in particular,the Consumer Electronics LinuxForum (a Linux Foundation workgroup) has runa survey of embedded kernel developers. The resulting picture highlightssome of the forces keeping these developers from engaging with thedevelopment community and offers some ideas for improving the situation.
ITWorld reportsthat Apple will release its Swift programming language under an open sourcelicense. "When Swift becomes open source later this year, programmers will be able to compile Swift programs to run on Linux as well as on OS X and iOS, said Craig Federighi, Apple’s head of software engineering, during the opening keynote of Apple’s Worldwide Developers Conference Monday in San Francisco.The source code will include the Swift compiler and standard library, and community contributions will be “accepted—and encouraged,†Apple said."
LWN.net