LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 3 hours 28 min ago

Yahoo to stop development on YUI library

Friday 29th of August 2014 09:31:09 PM

Yahoo has announced its decision to halt the development of the Yahoo User Interface library (YUI), its open-source JavaScript library for writing HTML application interfaces. In the announcement, the company cites the rise in popularity of Node.js, which has changed how developers build HTML applications, as have recent changes in package management and web application frameworks. "The consequence of this evolution in web technologies is that large JavaScript libraries, such as YUI, have been receiving less attention from the community. Many developers today look at large JavaScript libraries as walled gardens they don’t want to be locked into. As a result, the number of YUI issues and pull requests we’ve received in the past couple of years has slowly reduced to a trickle. Most core YUI modules do not have active maintainers, relying instead on a slow stream of occasional patches from external contributors. Few reviewers still have the time to ensure that the patches submitted are reviewed quickly and thoroughly." Nevertheless, it seems, YUI will be maintained for the foreseeable future, receiving critical fixes as they arise.

Friday's security updates

Friday 29th of August 2014 03:25:07 PM

Debian has updated squid3 (denial of service).

Fedora has updated glibc (F20: multiple vulnerabilities), GraphicsMagick (F20: code execution), gtk3 (F20: screen lock bypass), perl-Plack (F19; F20: information disclosure), phpMyAdmin (F19: multiple vulnerabilities), and subversion (F19; F20: credentials leak).

Gentoo has updated apache (multiple vulnerabilities), file (denial of service), libgcrypt (key extraction), libtasn1 (multiple vulnerabilities), and php (multiple vulnerabilities).

SUSE has updated MySQL (SLES/SLED 11: multiple vulnerabilities).

Ubuntu has updated eglibc (10.04, 12.04, 14.04: denial of service).

Linux Foundation creates a new storage and filesystems conference: Vault

Thursday 28th of August 2014 09:57:11 PM
The Linux Foundation has announced a new conference called "Vault" that will focus on storage and filesystems for Linux. It will be co-located with the annual invitation-only Linux Storage, Filesystem and Memory Management Summit and will be held March 11-12, 2015 at the Revere Hotel in Boston. "'90% of the world's data has been created in the last few years and most of that data is being stored and accessed via a Linux-based system,' said Linux Foundation Chief Marketing Officer Amanda McPherson. 'Now is the ideal time to bring the open source community together in this new forum, Vault, to collaborate on new methods of improving capacity, efficiency and security to manage the huge data volumes envisioned in the coming years. By bringing together the leading minds of Linux file systems and storage and our members who are pushing the limits of what is possible, Vault should expand the state of the art in Linux.'"

Containers vs Hypervisors: The Battle Has Just Begun (Linux.com)

Thursday 28th of August 2014 09:10:18 PM
Russell Pavlicek looks at the rivalry between containers and hypervisors over at Linux.com. He outlines the arguments for and against each, and follows it up with a description of a new contender for a "cloud operating system": unikernels. "Unikernel systems create tiny VMs. Mirage OS from the Xen Project incubator, for example, has created several network devices that run kilobytes in size (yes, that's “kilobytes” – when was the last time you heard of any VM under a megabyte?). They can get that small because the VM itself does not contain a general-purpose operating system per se, but rather a specially built piece of code that exposes only those operating system functions required by the application. There is no multi-user operating environment, no shell scripts, and no massive library of utilities to take up room – or to subvert in some nefarious exploit. There is just enough code to make the application run, and precious little for a malefactor to leverage. And in unikernels like Mirage OS, all the code that is present is statically type-safe, from the applications stack all the way down to the device drivers themselves. It's not the “end-all be-all” of security, but it is certainly heading in the right direction."

5 UX Tips for Developers (Red Hat developer blog)

Thursday 28th of August 2014 08:58:33 PM
On Red Hat's developer blog, Máirín Duffy has tips for developers on improving their application's user experience (UX). "Speaking of speeding things up for your users – one way you can do this is to limit the amount of choices users have to make while using your application. It’s you, my application developer friend, that users are relying on as an expert in the ways of whatever it is that your application does. Users trust you to make set sane defaults based on your domain expertise; when you set defaults, you are also alleviating users from having to make a choice that – depending on their level of expertise – may be quite hard for them to understand. This isn’t to say you should eliminate all choices and configuration options from your application! Let users ease into it, though. Give them a good default so that your application requires less of them to start, and as they gain expertise and confidence in using your app over time, they can explore the preferences and change those settings based on their needs when they are ready."

Security updates for Thursday

Thursday 28th of August 2014 02:38:30 PM

Debian has updated s3ql (code execution).

Mageia has updated x11vnc (code execution).

openSUSE has updated phpMyAdmin (13.1, 12.3: multiple vulnerabilities) and python3 (12.3: two vulnerabilities).

Ubuntu has updated squid3 (14.04, 12.04: denial of service).

2014 Kernel OPW internship report

Thursday 28th of August 2014 12:59:44 PM
Sarah Sharp has posted an update on the kernel internships managed through the Outreach Program for Women, with an emphasis on what past participants are doing now. "Many people may be disappointed that those three OPW alumni aren’t working on open source, but I’m overjoyed that these women have found jobs in the technology sector. This fact is heartening to me because many of the women that participate in OPW were working in retail before their internship. To be able to move into the technology sector is a giant step in the right direction, and I’m happy that the OPW program could be a part of that."

PHP 5.6.0 released

Thursday 28th of August 2014 12:35:38 PM
The PHP 5.6.0 release is available. There are a number of new features, including constant scalar expressions, a new "..." operator for both variadic functions and sequence unpacking, an exponentiation operator, an integrated interactive debugger, and more. See the PHP 5.6.0 migration guide for more information.

[$] LWN.net Weekly Edition for August 28, 2014

Thursday 28th of August 2014 12:46:43 AM
The LWN.net Weekly Edition for August 28, 2014 is available.

[$] Visual legerdemain abounds in G'MIC 1.6.0

Wednesday 27th of August 2014 09:59:35 PM
A new stable release of the G'MIC image-processing framework was recently released. Version 1.6.0 adds a number of new commands and filters useful for manipulating image data, as well as changes to the codebase that will hopefully make G'MIC easier to integrate into other applications.

Click below (subscribers only) for a look at the G'MIC 1.6.0 release and associated GIMP plugin.

Security advisories for Wednesday

Wednesday 27th of August 2014 04:33:20 PM

Debian has updated eglibc (code execution).

Fedora has updated jakarta-commons-httpclient (F20; F19: SSL server spoofing), krb5 (F19: code execution), mediawiki (F20; F19: multiple vulnerabilities), python-pillow (F20; F19: denial of service), and sks (F20; F19: cross-site scripting).

Mageia has updated file (denial of service), grub2 (denial of service/possible code execution), harbour (denial of service/possible code execution), icecream (denial of service/possible code execution), italc (denial of service/possible code execution), kdenetwork4 (MG3: denial of service/possible code execution), libvncserver (denial of service/possible code execution), and serf (information leak).

Red Hat has updated devtoolset-2-httpcomponents-client (RHDT2: SSL server spoofing), kernel (RHEL6.4 EUS: multiple vulnerabilities), and ror40-rubygem-activerecord (RHSCL1: strong parameter protection bypass).

MediaGoblin 0.7.0 released

Wednesday 27th of August 2014 12:16:46 PM
Version 0.7.0 of the MediaGoblin media publishing platform is available. New features include initial federation support, a switch to a responsive CSS system, a "featured media" option, bulk uploading via the command line, and more. "Well we’re excited to announce that the first piece towards MediaGoblin federation has landed! We don’t have server-to-server federation working yet, but we do have the first parts of the Pump API in place: you can now use the Pump API as a media upload API!"

Cluetrain at Fifteen (Linux Journal)

Tuesday 26th of August 2014 11:13:55 PM
Doc Searls looks back over the fifteen years that have passed since he (along with Chris Locke, David Weinberger and Rick Levine) wrote "The Cluetrain Manifesto". "What we had in mind was much fresher to me in the Summer of 2000, when I worked with Jason Schumaker, another Linux Journal editor, on an interview about Cluetrain and its relevance to Linux. What we ended up with was too long for both the magazine and our website at the time, so the project got sidelined and eventually buried in archival directories, where it stayed until this morning, when I found it during a search for something else. Reading it, I realized that I had come across a kind of time capsule."

Tuesday's security advisory

Tuesday 26th of August 2014 03:54:47 PM
Today we have only one security advisory. Ubuntu has updated openjdk-7 (14.04: fixes a regression in a previous update).

The poisoned NUL byte, 2014 edition (Project Zero)

Tuesday 26th of August 2014 01:15:17 PM
For those interested in the gory details of a complex exploit, Google's Project Zero page describes the process of getting arbitrary code execution from a single NUL byte written to the heap by glibc in an off-by-one error. "The main point of going to all this effort is to steer industry narrative away from quibbling about whether a given bug might be exploitable or not. In this specific instance, we took a very subtle memory corruption with poor levels of attacker control over the overflow, poor levels of attacker control over the heap state, poor levels of attacker control over important heap content and poor levels of attacker control over program flow. Yet still we were able to produce a decently reliable exploit! And there’s a long history of this over the evolution of exploitation: proclamations of non-exploitability that end up being neither advisable nor correct."

Kernel prepatch 3.17-rc2

Tuesday 26th of August 2014 12:28:26 PM
Linus has released 3.17-rc2 a little later than might have been expected. "So I deviated from my normal Sunday schedule partly because there wasn't much there (I blame the KS and LinuxCon), but partly due to sentimental reasons: Aug 25 is the anniversary of the original Linux announcement ('Hello everybody out there using minix'), so it's just a good day for release announcements."

LinuxCon and CloudOpen 2014 Keynote Videos Available

Monday 25th of August 2014 08:52:38 PM
Videos of the keynotes for LinuxCon NA and CloudOpen are available. "The event started Wednesday, Aug. 20, with Executive Director Jim Zemlin's “State of Linux” keynote at 9 a.m. Central, followed by a panel discussion of Linux kernel developers that included Linux Creator Linus Torvalds."

Security advisories for Monday

Monday 25th of August 2014 05:04:34 PM

CentOS has updated mod_wsgi (C7: privilege escalation).

Debian has updated mediawiki (two vulnerabilities) and python-django (multiple vulnerabilities).

Fedora has updated file (F20: denial of service), fish (F20; F19: multiple vulnerabilities), libserf (F20: information leak), pen (F20: unspecified vulnerability), php-htmlpurifier-htmlpurifier (F20; F19: "Hash Length Extension" attack), phpMyAdmin (F20: multiple vulnerabilities), ppp (F20: privilege escalation), rubygem-activerecord (F20; F19: SQL injection), struts (F20: code execution), wordpress (F19: multiple vulnerabilities), and xen (F20; F19: denial of service).

Mageia has updated ansible (MG4: multiple vulnerabilities), bugzilla (cross-site request forgery), busybox (denial of service/possible code execution), jakarta-commons-httpclient (MG4; MG3: SSL server spoofing), and mednafen (denial of service/possible code execution).

openSUSE has updated IPython (13.1, 12.3: code execution), libgcrypt (13.1, 12.3: side-channel attack), and libserf, subversion (13.1, 12.3: multiple vulnerabilities).

Oracle has updated mod_wsgi (OL7: privilege escalation).

Red Hat has updated mod_wsgi (RHEL7: privilege escalation).

[$] Kernel.org news: two-factor authentication and more

Monday 25th of August 2014 04:33:38 PM
Kernel developers depend heavily on kernel.org for the hosting of Git repositories and the management of patch flow in general, so it is not surprising that the annual Kernel Summit sets aside a slot to discuss what is happening with this site. In recent years, there has been a lot of change to discuss, mostly relating to the reorganization of kernel.org management resulting from the compromise of the site in 2011. The 2014 kernel.org discussion, run by Konstantin Ryabitsev, shows that, in a lot of ways, the pace of change is slowing, but the kernel.org maintainers are still working to improve their support and make it more secure.

Day: New Human Interface Guidelines for GNOME and GTK+

Friday 22nd of August 2014 09:25:59 PM

At his blog, Allan Day announces the preliminary availability of a brand-new edition of the GNOME Human Interface Guidelines (HIG). Prepared for the upcoming GNOME 3.14 release, this is the first major overhaul of the GNOME HIG in some time. Day notes: "There is a downside to all the experimentation that has been happening in software design in recent years, of course – it can often be a bewildering space to navigate. This is where the HIG comes in. Its goal is to help developers and designers take advantage of the new abilities at their disposal, without losing their way in the process. This is reflected in the structure of the new HIG: the guidelines don’t enforce a single template on which applications have to be based, but presents a series of patterns and elements which can be drawn upon." He also emphasizes that the new HIG, despite its name, is not a GNOME-only document, but is designed to aid interface design in other GTK+ applications, too.

More in Tux Machines

Simplenote wants developers to make a GNU/Linux implementation

Matt Mullenweg, founder and CEO of Automattic, which is responsible for WordPress.com, has reached out to people who develop software on the GNU/Linux platform to find someone who will bring the Simplenote application to GNU/Linux.

How to set up Raspberry Pi, the little computer you can cook into DIY tech projects

You don't need an electrical engineering degree to build a robot army. With the $35 Raspberry Pi B+, you can create robots and connected devices on the cheap, with little more than an Internet connection and a bunch of spare time. The Raspberry Pi is a computer about the size of a credit card. The darling of the do-it-yourself electronics crowd, the Pi was originally designed to teach kids computer and programming skills without the need for expensive computer labs. People have used Raspberry Pis for everything from robots to cheap home media centers. The Pi sports USB ports, HDMI video, and a host of other peripherals. The latest version, the B+, sports 512MB of RAM and uses a MicroSD card instead of a full-size card.

LibreOffice Ported To 64-bit ARM (AArch64)

As more and more open-source programs get brought up for 64-bit ARM, LibreOffice is the latest to receive such AArch64 enablement. As of today, initial AArch64 support is in LibreOffice Git. Over one thousand new lines of code were added to LibreOffice by Red Hat's Stephan Bergmann to allow the open-source office suite to build on the ARMv8 64-bit architecture. LibreOffice already runs on many CPU architectures, from x86 to Alpha and SPARC, with ARM64 just being the latest.

SUSE's Flavio Castelli on Docker's Rise Among Linux Distros

Docker has only gained traction since its launch a little over a year ago as more companies join the community's efforts on a regular basis. On July 30, the first official Docker build for openSUSE was released, making this distribution the latest among many to join the fray. I connected with Flavio Castelli, a senior software engineer at SUSE, who works extensively on SUSE Linux Enterprise and has played a major role in bringing official Docker support to openSUSE. In this interview, he discusses the importance of bringing Docker to each Linux distribution, the future of Docker on SUSE Linux Enterprise, and other interesting developments in the Docker ecosystem.