Matthew Garrett has posted an introduction to the trusted platform module (TPM) chip and what can be done with it. "I've been working on TPMs lately. It turns out that they're moderately awful, but what's significantly more awful is basically all the existing documentation. So here's some of what I've learned, presented in the hope that it saves someone else some amount of misery."

Red Hat has updated subscription-manager (man-in-the-middle attack).

Ubuntu has updated libxml2 (13.04: code execution) and mesa (12.04 LTS: code execution).

The Linux Foundation Collaboration Summit (LFCS) seems to be a likely venue for an update on the status of building the kernel with Clang/LLVM. Both in 2011 and 2012, we covered those updates. LFCS 2013 continued the trend as LLVMLinux project lead Behan Webster presented the status and plans for the project at LFCS. The gathering lived up to its name as well, since two problems faced by the project were solved through collaboration at the summit.

The PyPy project has announced an alpha release of its Python interpreter for the ARM architecture. "This is the first release that supports a range of ARM devices - anything with ARMv6 (like the Raspberry Pi) or ARMv7 (like Beagleboard, Chromebook, Cubieboard, etc.) that supports VFPv3 should work." Benchmark results are included in the announcement; it seems that, in many cases, PyPy speeds things up on ARM even more than on the x86 architecture, even in its current, unpolished state.

The nginx web server suffers from a remotely exploitable buffer overflow that can lead to the execution of arbitrary code. Versions 1.4.1 and 1.5.0 contain the fix; there is also a workaround in the announcement. This seems like a good one to apply quickly.

The WebM Project looks at a draft of a VP8 patent agreement. "Google is in the process of preparing an agreement that will assist companies and developers with the adoption of VP8 technology by making available a royalty-free license to certain patents that are necessary for the implementation of VP8 and which are owned by Google and a number of other major technology companies." (Thanks to Mark Wielaard)

Richard Stallman covers a proposal to specify standards for HTML extensions to implement Digital Restrictions Management (DRM). "Of course, the W3C cannot prevent companies from grafting DRM onto HTML. They do this through nonfree plug-ins such as Flash, and with nonfree Javascript code, thus showing that we need control over the Javascript code we run and over the C code we run. However, where the W3C stands is tremendously important for the battle to eliminate DRM. On a practical level, standardizing DRM would make it more convenient, in a very shallow sense. This could influence people who think only of short-term convenience to think of DRM as acceptable, which could in turn encourage more sites to use DRM." (Thanks to Paul Wise)

The Mozilla blog has some advice for developers trying to draw attention to their projects. "Before we get started, there’s a stumbling block we need to kick away. Terms like ‘marketing’ and ‘advertising’ are dirty words for many developers and it’s not uncommon for developers to be reluctant to do much promotion. ‘Build it and they will come’ used to work when exciting open source projects were few and far between but now everyone seems to be working on something and making a noise about it. Few of the successes you see come through pure luck but because developers are actively promoting their work or, at least, making it discoverable."

Fedora has updated xen (F18; F17: multiple vulnerabilities), python-pip (F18; F17: insecure tempdir usage), curl (F18: cookie information disclosure), gogoc (F18: violation of packaging guidelines), and kernel (F17: multiple vulnerabilities).

Mandriva has updated java-1.7.0-openjdk (multiple vulnerabilities).

Ubuntu has updated clamav (multiple vulnerabilities).

Debian has announced the release of Debian 7.0 ("Wheezy"). "Multiarch support, one of the main release goals for "Wheezy", will allow Debian users to install packages from multiple architectures on the same machine. This means that you can now, for the first time, install both 32- and 64-bit software on the same machine and have all the relevant dependencies correctly resolved, automatically. [...] The installation process has been greatly improved: Debian can now be installed using software speech, above all by visually impaired people who do not use a Braille device. Thanks to the combined efforts of a huge number of translators, the installation system is available in 73 languages, and more than a dozen of them are available for speech synthesis too." More details can be found in the release notes.

At the Yorba blog, Jim Nelson has written up an examination of the recent Geary development fundraising campaign, in particular a response to the theories circulating about why the drive came up short. "First, it’s important to understand that the Geary campaign was a kind of experiment. We wanted to know if crowdfunding was a potential route for sustaining open-source development. We weren’t campaigining to create a new application; Geary exists today and has been under development for two years now. Unlike OpenShot and VLC, we weren’t porting Geary to Windows or the Mac, we wanted to improve the Linux experience. And we had no plans on using the raised money as capital to later sell a product or service, which is the usual route for most crowdfunded projects. Our pitch was simply this: donate money so we can make Geary on Linux even better than it is today." Nelson analyzes several of the publicly debated issues, such as the amount, the competition, and the fundraising platform used.

Open Source Initiative (OSI) president Simon Phipps has posted a brief announcement on the OSI blog describing upcoming changes to the OSI governance process and the makeup of the board. "One of the ways we're turning OSI into a member organisation is to gradually replace the Board with member-selected directors. This process started last year when OSI's Affiliate members -- non-profit organizations themselves -- selected candidates for the Board." Two new vacancies on the board will be filled by election, and the OSI board is meeting in Washington DC next week to discuss further changes. Phipps notes: "If you would like to meet them, please come to OSI's DC Metro Open Source Community Summit on May 10."

Debian has updated stunnel4 (code execution).

Fedora has updated telepathy-idle (F17, F18; certificate validation error).

Mageia has updated apache-mod_security (information disclosure), clamav (multiple vulnerabilities), drupal (denial of service), java-1.7.0-openjdek (multiple vulnerabilities), krb5 (denial of service), phpmyadmin (multiple vulnerabilities), qemu (information disclosure), roundcubemail (information disclosure), subversion (multiple vulnerabilities), util-linux (information disclosure), and webmin (multiple vulnerabilities).

Mandriva has updated phpmyadmin (multiple vulnerabilities).

openSUSE has updated java-1_7_0-openjdk (multiple vulnerabilities) and krb5 (denial of service).

Ubuntu has updated kernel (multiple vulnerabilities).

This year's edition of the Linux Plumbers Conference (LPC) will be held September 18-20 in New Orleans, Louisiana, overlapping the last day of LinuxCon North America. Early registration for LPC ends on May 12 and the deadline for refereed paper proposals is June 17. The program committee has started approving microconference tracks, but it is not too late propose additional microconference topics.

openSUSE has updated icedtea-web (12.1: two vulnerabilities).

Ubuntu has updated kernel (12.04: multiple vulnerabilities), OMAP4 kernel (12.04: multiple vulnerabilities), Quantal HWE kernel (12.04: multiple vulnerabilities), kernel (12.10: multiple vulnerabilities), and OMAP4 kernel (12.10: multiple vulnerabilities).

The Google Open Source Blog announces the contribution of Adobe's Compact Font Format rasterizer to the FreeType project. "CFF fonts are capable of very high quality display but the technology places the burden for this display quality on the text rasterizer instead of on the font as is done in TrueType. The new Adobe CFF engine brings that high quality rasterizer support to FreeType." More information can also be found in Adobe's announcement.

The LWN.net Weekly Edition for May 2, 2013 is available.

OpenBSD 5.3 has been released. The release announcement (click below) contains a lengthy list of new features and improvements.

The Software Freedom Conservancy has announced a campaign to raise money and hire a developer to produce a useful, free-software accounting system aimed at the needs of non-profit organizations. "Indeed, Conservancy reached out into the broader fiscal sponsorship community beyond the FLOSS NPO community and discovered that many larger fiscal sponsors — even those willing to use proprietary components — have cobbled together their own unique systems, idiosyncratically tailored to their specific environments. Thus, good, well-designed, and reusable accounting software for non-profit fiscal sponsorship is not just missing in the software freedom community; it's missing altogether." The goal is to raise $75,000 for the first year's worth of work.

Greg KH has released a new set of stable kernels; 3.8.11, 3.4.43, and 3.0.76. As usual, these releases contain many important fixes.