LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 46 min ago

Stable kernels 4.7.6 and 4.4.23

9 hours 26 min ago
Greg Kroah-Hartman has released the 4.7.6 and 4.4.23 stable kernels with the usual set of important fixes.

Security updates for Thursday

Thursday 29th of September 2016 06:39:57 PM

CentOS has updated bind (C7; C6; C5: denial of service), bind97 (C5: denial of service), kvm (C5: two vulnerabilities), and openssl (C7; C6: multiple vulnerabilities).

Fedora has updated vfrnav (F24: unspecified).

Oracle has updated bind (OL7; OL6; OL5: denial of service) and bind97 (OL5: denial of service).

Scientific Linux has updated bind (denial of service), bind97 (SL5: denial of service), kvm (SL5: two vulnerabilities), and openssl (SL7&6: multiple vulnerabilities).

SUSE has updated postgresql93 (SLE12: two vulnerabilities) and postgresql94 (SLE12: two vulnerabilities).

Ubuntu has updated clamav (16.04, 14.04, 12.04: three code execution flaws), samba (16.04, 14.04: crypto downgrade), and systemd (16.04: denial of service).

Qubes OS 3.2 released

Thursday 29th of September 2016 02:20:53 PM
Version 3.2 of the Qubes OS distribution is available. "This is an incremental improvement over the 3.1 version that we released earlier this year. A lot of work went into making this release more polished, more stable and easier to use than our previous releases." Changes include a new management infrastructure, the ability to assign individual USB devices to virtual machines and a switch to the Xfce4 desktop. See the release notes for details.

PostgreSQL 9.6 released

Thursday 29th of September 2016 02:04:31 PM
The PostgreSQL 9.6 release is available. "This release will allow users to both scale up and scale out high performance database workloads. New features include parallel query, synchronous replication improvements, phrase search, and improvements to performance and usability, as well as many more features." See the announcement text and the release notes for more information.

[$] LWN.net Weekly Edition for September 29, 2016

Thursday 29th of September 2016 01:12:29 AM
The LWN.net Weekly Edition for September 29, 2016 is available.

Debian Project mourns the loss of Kristoffer H. Rose

Wednesday 28th of September 2016 04:27:21 PM
Ana Guerrero Lopez sadly reports that Kristoffer H. Rose died on September 17. "Kristoffer was a Debian contributor from the very early days of the project, and the upstream author of several packages that are still in the Debian archive nowadays, such as the LaTeX package Xy-pic and FlexML. On his return to the project after several years' absence, many of us had the pleasure of meeting Kristoffer during DebConf15 in Heidelberg. The Debian Project honours his good work and strong dedication to Debian and Free Software. Kristoffer's broad technical knowledge and his ability to share that knowledge with others will be missed. The contributions of Kristoffer will not be forgotten, and the high standards of his work will continue to serve as an inspiration to others."

Security advisories for Wednesday

Wednesday 28th of September 2016 04:19:04 PM

Arch Linux has updated bind (denial of service), lib32-openssl (denial of service), and openssl (denial of service).

Debian has updated bind9 (two denial of service flaws).

Fedora has updated jansson (F24; F23: denial of service) and openssl (F24: multiple vulnerabilities).

Mageia has updated autotrace (code execution), firefox/rootcerts/nss (multiple vulnerabilities), gnutls (certificate verification bypass), graphicsmagick (multiple vulnerabilities), pdns (three denial of service flaws), thunderbird (multiple vulnerabilities), wget (two vulnerabilities), and zookeeper (buffer overflow).

openSUSE has updated bind (Leap42.1, 13.2: denial of service), freerdp (Leap42.1; 13.2: two vulnerabilities), and openssl (Leap42.1: multiple vulnerabilities).

Oracle has updated kvm (OL5: two vulnerabilities) and openssl (OL7; OL6: multiple vulnerabilities).

Red Hat has updated bind (RHEL5,6,7: denial of service), bind97 (RHEL5: denial of service), kernel (RHEL6.6: information leak), and kvm (RHEL5: two vulnerabilities).

Slackware has updated bind (denial of service).

SUSE has updated bind (SLE12-SP1; SLES12; SOSC5, SMP2.1, SM2.1, SLE11-SP4: denial of service), mariadb (SLE12-SP1; SLES12: SQL injection/privilege escalation), openssl (SLE12-SP1: multiple vulnerabilities), and php5 (SLESDK12-SP1, SLEM12: multiple vulnerabilities).

Ubuntu has updated bind9 (denial of service) and Pillow (14.04: multiple vulnerabilities).

Firefox OS, B2G OS, and Gecko

Tuesday 27th of September 2016 06:31:07 PM
Ari Jaaksi and David Bryant posted a note to the B2G (Boot to Gecko) OS community looking at the end of Firefox OS development and at what happens to the code base going forward. "In the spring and summer of 2016 the Connected Devices team dug deeper into opportunities for Firefox OS. They concluded that Firefox OS TV was a project to be run by our commercial partner and not a project to be led by Mozilla. Further, Firefox OS was determined to not be sufficiently useful for ongoing Connected Devices work to justify the effort to maintain it. This meant that development of the Firefox OS stack was no longer a part of Connected Devices, or Mozilla at all. Firefox OS 2.6 would be the last release from Mozilla. Today we are announcing the next phase in that evolution. While work at Mozilla on Firefox OS has ceased, we very much need to continue to evolve the underlying code that comprises Gecko, our web platform engine, as part of the ongoing development of Firefox. In order to evolve quickly and enable substantial new architectural changes in Gecko, Mozilla’s Platform Engineering organization needs to remove all B2G-related code from mozilla-central. This certainly has consequences for B2G OS. For the community to continue working on B2G OS they will have to maintain a code base that includes a full version of Gecko, so will need to fork Gecko and proceed with development on their own, separate branch." (Thanks to Paul Wise)

Tuesday's security updates

Tuesday 27th of September 2016 03:31:02 PM

Arch Linux has updated gnutls (certificate verification bypass), lib32-gnutls (certificate verification bypass), lib32-openssl (multiple vulnerabilities), openssl (multiple vulnerabilities), and wireshark-cli (multiple vulnerabilities).

Debian has updated jackrabbit (cross-site request forgery) and python-django (cross-site request forgery).

Debian-LTS has updated firefox-esr (multiple vulnerabilities).

Fedora has updated community-mysql (F24: SQL injection/privilege escalation).

openSUSE has updated firefox, nss (13.1: multiple vulnerabilities) and openssl (13.2: multiple vulnerabilities).

Red Hat has updated openssl (RHEL6,7: multiple vulnerabilities).

Slackware has updated openssl (denial of service).

SUSE has updated openssl (SLES12: multiple vulnerabilities).

Ubuntu has updated python-django (cross-site request forgery).

[$] Systemd programming, 30 months later

Tuesday 27th of September 2016 02:11:24 PM

Some time ago, we published a pair of articles about systemd programming that extolled the value of providing high-quality unit files in upstream packages. The hope was that all distributions would use them and that problems could be fixed centrally rather than each distribution fixing its own problems independently. Now, 30 months later, it seems like a good time to see how well that worked out for nfs-utils, the focus of much of that discussion. Did distributors benefit from upstream unit files, and what sort of problems were encountered?

Announcing the KDE Advisory Board

Monday 26th of September 2016 09:21:30 PM
KDE e.V. introduces the KDE Advisory Board. "One of the core goals of the Advisory Board is to provide KDE with insights into the needs of the various organizations that surround us. We are very aware that we need the ability to combine our efforts for greater impact and the only way we can do that is by adopting a more diverse view from outside of our organization on topics that are relevant to us. This will allow all of us to benefit from one another's experience."

Security advisories for Monday

Monday 26th of September 2016 04:23:59 PM

Debian has updated imagemagick (code execution), libarchive (three vulnerabilities), openssl (regression in previous update), and unadf (two vulnerabilities).

Debian-LTS has updated dropbear (two vulnerabilities), dwarfutils (two vulnerabilities), mactelnet (code execution), openssl (multiple vulnerabilities), and policycoreutils (sandbox escape).

Fedora has updated bash (F24; F23: code execution) and firefox (F24; F23: multiple vulnerabilities).

Gentoo has updated bundler (installs malicious gem files) and qemu (multiple vulnerabilities).

Mageia has updated gdk-pixbuf2.0 (denial of service), golang (denial of service), libarchive (file overwrite), libtorrent-rasterbar (denial of service), php (multiple vulnerabilities), and wireshark (multiple vulnerabilities).

openSUSE has updated curl (Leap42.1: multiple vulnerabilities), flash-player (13.1: multiple vulnerabilities), gd (Leap42.1: multiple vulnerabilities), gtk2 (Leap42.1; 13.2: code execution), firefox, nss (Leap42.1, 13.2: multiple vulnerabilities), samba (Leap42.1: crypto downgrade), thunderbird (13.1: multiple vulnerabilities), tiff (13.1: multiple vulnerabilities), and wpa_supplicant (Leap42.1: multiple vulnerabilities).

Slackware has updated php (multiple vulnerabilities).

Ubuntu has updated openssl (regression in previous update).

OpenSSL security advisory for September 26

Monday 26th of September 2016 01:12:27 PM
This OpenSSL security advisory is notable in that it's the second one in four days; sites that updated after the first one may need to do so again. "This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016. Given the Critical severity of one of these flaws we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification."

Kernel prepatch 4.8-rc8

Monday 26th of September 2016 01:04:15 PM
The 4.8-rc8 kernel prepatch is out. "Things actually did start to calm down this week, but I didn't get the feeling that there was no point in doing one final rc, so here we are. I expect the final 4.8 release next weekend, unless something really unexpected comes up."

Prodromou: Adopt a pump.io server

Monday 26th of September 2016 08:27:59 AM

Evan Prodromou, creator of identi.ca and pump.io, has put a call out for interested parties to adopt the administration of public pump.io microblogging servers, which he is currently funding out of his own pocket. "Almost all of them are on $5/month Digital Ocean droplets, which makes them relatively cheap for a single person to support. If you decide you want to adopt a server, E14N will sell you the domain and all the software and data for $1. But you'll be obligated to keep the server running pump.io for at least a year, and if you decide you don't want to run it, you have to sell it back to me." There are currently around 25 servers in the federated network initially started by Prodromou, which does not count other pump.io instances. He notes that one important exception is the identi.ca site, which is significantly larger than the rest, and which he would like to find a trusted non-profit organization to maintain.

Stable kernel updates 4.7.5 and 4.4.22

Saturday 24th of September 2016 02:02:46 PM
The 4.7.5 and 4.4.22 stable kernel updates are available. These are relatively large updates containing the usual important fixes.

Mitchell: The MIT License, Line by Line

Friday 23rd of September 2016 04:11:19 PM

At his blog, Kyle E. Mitchell ("who is not your attorney") takes a close, line-by-line reading of the popular MIT software license. The details he points out begin on line one with the license's title: "'The MIT License' is not a single license, but a family of license forms derived from language prepared for releases from the Massachusetts Institute of Technology. It has seen a lot of changes over the years, both for the original projects that used it, and also as a model for other projects. The Fedora Project maintains a kind of cabinet of MIT license curiosities, with insipid variations preserved in plain text like anatomical specimens in formaldehyde, tracing a wayward kind of evolution."

Despite the license being only 171 words, Mitchell finds quite a bit to expand on, such as the ambiguities of the phrase "to deal in the Software without restriction": "As a result of this mishmash of legal, industry, general-intellectual-property, and general-use terms, it isn’t clear whether The MIT License includes a patent license. The general language 'deal in' and some of the example verbs, especially 'use', point toward a patent license, albeit a very unclear one. The fact that the license comes from the copyright holder, who may or may not have patent rights in inventions in the software, as well as most of the example verbs and the definition of 'the Software' itself, all point strongly toward a copyright license." Nevertheless, Mitchell notes, "despite some crusty verbiage and lawyerly affectation, one hundred and seventy one little words can get a hell of a lot of legal work done."

Friday's security updates

Friday 23rd of September 2016 01:55:01 PM

Debian has updated firefox-esr (multiple vulnerabilities).

Debian-LTS has updated wordpress (multiple vulnerabilities).

Fedora has updated distribution-gpg-keys (F23: privilege escalation), mock (F23: privilege escalation), openvas-libraries (F24; F23: multiple vulnerabilities), openvas-scanner (F24; F23: denial of service), and shiro (F24: access control bypass).

openSUSE has updated pdns (13.2, Leap 42.1: multiple vulnerabilities).

Oracle has updated kernel (4.1.12 O6; O7: multiple vulnerabilities; 3.8.13 O7; O6: multiple vulnerabilities; 2.6.39 O6; O5: multiple vulnerabilities).

Slackware has updated openssl (14.0, 14.1, 14.2, -current: multiple vulnerabilities) and pidgin (13.0, 13.1, 13.137, 14.0, 14.1: mysterious vulnerabilities).

Ubuntu has updated openssl (12.04, 14.04, 16.04: multiple vulnerabilities).

Garrett: Microsoft aren't forcing Lenovo to block free operating systems

Thursday 22nd of September 2016 08:03:35 PM
Matthew Garrett looks at the real problem behind the inability of some Lenovo laptops to run Linux. "The real problem here is that Intel do very little to ensure that free operating systems work well on their consumer hardware - we still have no information from Intel on how to configure systems to ensure good power management, we have no support for storage devices in "RAID" mode and we have no indication that this is going to get better in future. If Intel had provided that support, this issue would never have occurred."

A pile of security updates for Thursday

Thursday 22nd of September 2016 07:17:15 PM
Arch Linux has updated firefox (multiple vulnerabilities), irssi (code execution), and tomcat7 (proxy injection).

CentOS has updated firefox (C5, C6, C7: multiple vulnerabilities).

Debian has updated wireshark (LTS: dissector vulnerabilities), irssi (denial of service), and openssl (multiple vulnerabilities).

Fedora has updated drupal7-google_analytics (F23, F24: cross-site scripting), drupal7-panels (F23, F24: multiple vulnerabilities), jasper (F23: multiple code-execution vulnerabilities), mod_cluster (F24: "remote exploits"), nodejs-string-dot-prototype-dot-repeat (F23: "update for security reasons"), php-horde-Horde-Mime-Viewer (F23, F24: cross-site scripting), php-horde-Horde-Text-Filter (F23, F24: cross-site scripting), and xen (F23: multiple vulnerabilities).

Mageia has updated chromium-browser-stable (29 CVEs), curl (code execution), file-roller (file deletion), flash-player-plugin (26 CVEs), icu (code execution), jsch (path traversal vulnerability), libksba (denial of service), nodejs (remote code execution), slock (lock bypass), and tomcat (traffic redirection).

openSUSE has updated opera (multiple vulnerabilities).

Oracle has updated firefox (OL5, OL6, OL7: multiple vulnerabilities).

Scientific Linux has updated firefox (SL5-7: multiple vulnerabilities).

Slackware has updated irssi (denial of service), pidgin (17 CVE numbers), and firefox (multiple vulnerabilities).

SUSE has updated java-1_7_1-ibm (SLES12: three CVEs described as "Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Deployment"), and java-1_6-0-ibm (SLES11: one unspecified vulnerability).

Ubuntu has updated firefox (multiple vulnerabilities), gdk-pixbuf (code execution), irssi (denial of service), and thunderbird (code execution).

Note that there appear to be differences of opinion as to whether the irssi vulnerability can be exploited for code execution.

More in Tux Machines

Purism’s next product could be a smartphone that runs Linux/free software

Purism is a company that’s been developing laptops and tablets that run Linux-based, free and open source software for a few years. Now Purism is considering building a smartphone and the company is soliciting feedback from potential customers. The idea would be to release a Librem Phone that runs GNU/Linux rather than Android, and which offers security and privacy features to help set it apart from most other phones on the market.

Cinnamon 3.2 in Linux Mint 18.1 Supports Vertical Panels, Better Accelerometers

After informing the community a few days ago about the Mintbox Mini Pro PC and the upcoming improvements and new features shipping with the XApps software projects in Linux Mint 18.1, Clement Lefebvre just published the monthly Linux Mint newsletter.

Blender 2.78 Open-Source 3D Graphics Software Released with Spherical Stereo VR

Today, September 30, 2016, the Blender Foundation is proud to release Blender 2.78, the latest stable and most advanced version of the popular, open-source, free, and cross-platform Blender 3D modelling software. Blender 2.78 comes six months after the release of Blender 2.77, and it's a major update that adds numerous new features and improvements, among which we can mention rendering of spherical stereo images for VR (Virtual Reality), viewport rendering improvements, as well as brand new freehand curves drawing over surfaces. Moreover, the Grease Pencil received awesome improvements and it now doubles as both an animation and drawing tool, powerful new options have been added for B-Bones, it's now possible to import and export basic operators in the Alembic support, and the Cloth Physics feature received new Simulation Speed option and Dynamic Base Mesh support.

OSS Leftovers

  • Tools for writing the next best seller
    I am using bibisco in conjunction with LibreOffice on my Ubuntu 16.04 Asus laptop that I converted over from Windows 7 to develop my characters, scenes, and plot. I tried Manuskript, but find that I like bibisco better, although the results are similar. For one, it gives helpful prompts.
  • GNOME Calendar App to Feature a New Sidebar, Week View & Attendees in GNOME 3.24
    GNOME developer Georges Stavracas wrote an in-depth blog post the other day to inform the GNOME, Linux, and Open Source communities about the upcoming improvements and new features coming to the GNOME Calendar apps. Now that some of us are already enjoying the recently released GNOME 3.22 desktop environment, the GNOME developers are hard at work to improve the GNOME apps and core components by either adding new exciting features and technologies or improving existing ones.
  • PHP version 5.6.27RC1 and 7.0.12RC1
  • Kubernetes Arrives in New Flavors
    Kubernetes has taken center stage in recent days, and, as we’ve been noting in recent posts, the open source container cluster manager is heading in new directions. Google has just announced the release of Kubernetes 1.4, which makes the tool much easier to install. Meanwhile, Canonical has now launched its own distribution of Kubernetes, with enterprise support, across a range of public clouds and private infrastructure. It's Kubernetes at the core, but features a number of extra bells and whistles.
  • 2016 Women in Open Source Award Winners
    We hope you enjoy and are inspired by this short video celebrating Preeti Murthy and Jessica McKellar, the winners of this year’s Red Hat Women in Open Source Awards.
  • Tech, talent and tools: The secret to monetizing open-source
    “In California during the gold rush, you didn’t make money digging for gold; you made money selling shovels,” said Mehta. A fitting metaphor for the idea that investing in talent and tools, especially tools, is how to turn a profit. The actual data, databases, algorithms and so on would be open source. Money would come from the tools to use that technology to benefit specific areas, such as automation of healthcare. And healthcare is a good place to start. “Big Data is all about making life cheaper, better. … If we forget about how to solve problems for humans, we’ve lost. We want to be known for enriching life,” said Mehta.
  • Changing the way we design for the web
    On the one hand, open source should mean lower cost of entry for people from poorer communities (like me, growing up). But on the other, I feel it is hard to contribute when under- or unemployed. I had a grant to work on the Web Animations API documentation, but I can't do as much as I'd like with other animation features (motion paths, advanced timing functions) because I need to spend a lot of time working on my own business, getting paid. Essentially this leads to an awkward model where the only contributors are employed programmers—and when it comes to open source animation or design APIs, platforms, etc, this lack of user input really starts to show. Or, the only products with thriving open source development teams are those that have financially lucrative futures, turning the open source software (OSS) model into a capitalist one.
  • Leaders in Data Management and Open Source Innovation to Gather for Postgres Vision 2016
  • CloudReady by neverware
    I thought I would put together a quick “installation” review of a product called CloudReady by neverware. What is CloudReady? CloudReady is basically a project to bring Chromium OS to those who would like to convert traditional laptops into Chromebook-like devices. I stumbled on them several months ago and finally decided to see how hard it was to install Chromium OS and how functional it actually was as a Chromebook-like device. I have a few low end (netbook-like) devices and I have been trying to figure out how I could make them functional for my boys, I thought this might be the solution.
  • Mozilla tells Firefox OS devs to fork off if they want to chase open web apps vision
    The Mozilla Foundation's Firefox development team has decided enough is enough and will stop supporting Windows XP and Vista in March 2017 and also bin Firefox OS. The OS first. In this post Mozillans Ari Jaaksi and David Bryant, respectively the head of connected devices and veep for platform engineering, write that “By the end of 2015 Mozilla leadership had come to the conclusion that our then Firefox OS initiative of shipping phones with commercial partners would not bring Mozilla the returns we sought.” That decision means that “as of the end of July 2016 have stopped all commercial development on Firefox OS.”
  • Cloudera Delivers Release Built on Apache Spark 2.0, and Advances Kudu
    Cloudera, focused on Apache Hadoop and other open source technologies, has announced its release built on the Apache Spark 2.0 (Beta), with enhancements to the API experience, performance improvements, and enhanced machine learning capabilities. The company is also working with the community to continue developing Apache Kudu 1.0, recently released by the Apache Software Foundation, which we covered here. Kudu is an open source columnar storage engine built for the Apache Hadoop ecosystem designed to enable flexible, high-performance analytic pipelines. Taken together, Cloudera's new tools are giving it more diverse kinds of presence on the Big Data scene. Cloudera claims it was the first Hadoop big data analytics vendor to deliver a commercially supported version of Spark, and has participated actively in the open source community to enhance Spark for the enterprise through its One Platform Initiative. "With Spark 2.0, organizations are better able to take advantage of streaming data, develop richer machine learning models, and deploy them in real time, enabling more workloads to go into production," the company reports.
  • Cloudera Delivers Enterprise-Grade Real-Time Streaming and Machine Learning with Apache Spark 2.0 and Drives Community Innovation with Apache Kudu 1.0
  • INSIDE Secure and Marvell Deliver Open Source Open Data Plane Security VPN Solution [Ed: “open source Open Data Plane (ODP) security API” sounds like nonsensical openwashing]
    INSIDE Secure (Paris:INSD), at the heart of security solutions for mobile and connected devices and network equipment, today announced the Marvell-INSIDE Secure solution, a collaboration that provides open source Open Data Plane (ODP) security API support on Marvell’s ARMADA® 8K and ARMADA 7K System-on-Chip (SoC) families with embedded INSIDE Secure Security Protocol Accelerator IP technology. The Marvell-INSIDE Secure solution provides customers with an easy and efficient way to secure their high-speed networking applications with access to all of the ARM ecosystem’s software support.
  • GE, Bosch Combine Resources to Bolster IoT
  • OpenBSD 6.0 Limited Edition CD set (signed by developers)
    Five OpenBSD 6.0 CD-ROM copies were signed by 40 developers during the g2k16 Hackathon in Cambridge, UK. Those copies are being auctioned sequentially on ebay. All proceeds will be donated to the OpenBSD Foundation to support and further the development of free software based on the OpenBSD operating system.
  • Friday Working together for Free Software Directory IRC meetup: September 30th
  • Machine Learning with Python
    I first heard the term “machine learning” a few years ago, and to be honest, I basically ignored it that time. I knew that it was a powerful technique, and I knew that it was in vogue, but I didn’t know what it really was— what problems it was designed to solve, how it solved them and how it related to the other sorts of issues I was working on in my professional (consulting) life and in my graduate-school research. But in the past few years, machine learning has become a topic that most will avoid at their professional peril. Despite the scary-sounding name, the ideas behind machine learning aren’t that difficult to understand. Moreover, a great deal of open-source software makes it possible for anyone to use machine learning in their own work or research. I don’t think it’s an overstatement to say that machine learning already is having a huge impact on the computer industry and on our day-to-day lives.