LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 4 hours 27 min ago

[$] The sidechannel LSM

4 hours 55 min ago

Side-channel attacks are a reasonably well-known technique to exfiltrate information across security boundaries. Until relatively recently, concerns about these types of attacks were mostly confined to cryptographic operations, where the target was to extract secrets by observing some side channel. But with the advent of Spectre, speculative execution provides a new way to exploit side channels. A new Linux Security Module (LSM) is meant to help determine where a side channel might provide secrets to an attacker, so that a speculative-execution barrier operation can be performed.

Security updates for Tuesday

13 hours 22 min ago
Security updates have been issued by CentOS (mariadb, mutt, and qemu-kvm), Debian (clamav and libcgroup), Fedora (libldb, samba, and soundtouch), Oracle (mutt), Red Hat (mutt), SUSE (ImageMagick), and Ubuntu (apt, linux-lts-trusty, openjdk-lts, and wpa).

[$] Batch processing of network packets

14 hours 29 min ago
It has been understood for years that kernel performance can be improved by doing things in batches. Whether the task is freeing memory pages, initializing data structures, or performing I/O, things go faster if the work is done on many objects at once; many kernel subsystems have been reworked to take advantage of the efficiency of batching. It turns out, though, that there was a piece of relatively low-hanging fruit at the core of the kernel's network stack. The 4.19 kernel will feature some work increasing the batching of packet processing, resulting in some impressive performance improvements.

[$] 3D printing with Atelier

Monday 20th of August 2018 09:14:41 PM
During this year's Akademy conference, Lays Rodrigues introduced Atelier, a cross-platform, open-source system that allows users to control their 3D printers. As she stated in her talk abstract, it is "a project with a goal to make the 3D printing world a better place". Read on for an overview of what the Atelier team is up to and what it has accomplished so far.

Security updates for Monday

Monday 20th of August 2018 01:55:01 PM
Security updates have been issued by Debian (confuse, jetty9, kamailio, kernel, libxcursor, and mutt), Fedora (blktrace, docker-latest, libgit2, and yubico-piv-tool), Mageia (chromium-browser-stable, flash-player-plugin, kernel, kernel-linus, kernel-tmb, microcode, openslp, and wpa_supplicant), openSUSE (apache2, curl, GraphicsMagick, perl-Archive-Zip, and xen), Oracle (kernel and mariadb), Red Hat (rh-postgresql95-postgresql), Slackware (ntp and samba), SUSE (apache2, curl, kernel, kernel-livepatch-tools, libgcrypt, mysql, openssl, perl, procps, rsyslog, shadow, wireshark, and xen), and Ubuntu (kernel).

Flatpak 1.0 released

Monday 20th of August 2018 12:58:50 PM
The 1.0 release of the Flatpak application distribution system is out. There are a number of performance improvements, the ability to mark applications as being at end-of-life, up-front confirmation of requested permissions, and more. "Apps can now request access the host SSH agent to securely access remote servers or Git repositories."

Two rounds of stable kernels released

Saturday 18th of August 2018 03:30:53 PM
Greg Kroah-Hartman has released two batches of stable kernels. The first set has fixes in various parts of the tree, while the second batch has a single fix for a problem with the page-table-entry inversion that is done as a mitigation for the L1TF speculative-execution vulnerability. The first batch includes: 4.18.2, 4.17.16, 4.14.64, 4.9.121, 4.4.149, and 3.18.119. The second batch is: 4.18.3, 4.17.17, 4.14.65, 4.9.122, and 4.4.150. Users should upgrade, presumably to something in the second batch unless they are running the 3.18 series.

Security updates for Friday

Friday 17th of August 2018 02:12:44 PM
Security updates have been issued by Debian (intel-microcode, keystone, php-horde-image, and xen), Fedora (rsyslog), openSUSE (apache2, clamav, kernel, php7, qemu, samba, and Security), Oracle (mariadb and qemu-kvm), Red Hat (docker, mariadb, and qemu-kvm), Scientific Linux (mariadb and qemu-kvm), SUSE (GraphicsMagick, kernel, kgraft, mutt, perl-Archive-Zip, python, and xen), and Ubuntu (postgresql-10, postgresql-9.3, postgresql-9.5, procps, and webkit2gtk).

[$] The first half of the 4.19 merge window

Friday 17th of August 2018 01:41:40 AM
As of this writing, Linus Torvalds has pulled just over 7,600 non-merge changesets into the mainline repository for the 4.19 development cycle. 4.19 thus seems to be off to a faster-than-usual start, perhaps because the one-week delay in the opening of the merge window gave subsystem maintainers a bit more time to get ready. There is, as usual, a lot of interesting new code finding its way into the kernel, along with the usual stream of fixes and cleanups.

The Problems and Promise of WebAssembly (Project Zero)

Thursday 16th of August 2018 10:36:40 PM
Over at Google's Project Zero blog, Natalie Silvanovich looks at some of the bugs the project has found in WebAssembly, which is a binary format to run code in the browser for web applications. She also looks to the future: "There are two emerging features of WebAssembly that are likely to have a security impact. One is threading. Currently, WebAssembly only supports concurrency via JavaScript workers, but this is likely to change. Since JavaScript is designed assuming that this is the only concurrency model, WebAssembly threading has the potential to require a lot of code to be thread safe that did not previously need to be, and this could lead to security problems. WebAssembly GC [garbage collection] is another potential feature of WebAssembly that could lead to security problems. Currently, some uses of WebAssembly have performance problems due to the lack of higher-level memory management in WebAssembly. For example, it is difficult to implement a performant Java Virtual Machine in WebAssembly. If WebAssembly GC is implemented, it will increase the number of applications that WebAssembly can be used for, but it will also make it more likely that vulnerabilities related to memory management will occur in both WebAssembly engines and applications written in WebAssembly."

Debian: 25 years and counting

Thursday 16th of August 2018 10:27:04 PM
The Debian project is celebrating the 25th anniversary of its founding by Ian Murdock on August 16, 1993. The "Bits from Debian" blog had this to say: "Today, the Debian project is a large and thriving organization with countless self-organized teams comprised of volunteers. While it often looks chaotic from the outside, the project is sustained by its two main organizational documents: the Debian Social Contract, which provides a vision of improving society, and the Debian Free Software Guidelines, which provide an indication of what software is considered usable. They are supplemented by the project's Constitution which lays down the project structure, and the Code of Conduct, which sets the tone for interactions within the project. Every day over the last 25 years, people have sent bug reports and patches, uploaded packages, updated translations, created artwork, organized events about Debian, updated the website, taught others how to use Debian, and created hundreds of derivatives." Happy birthday to the project from all of us here at LWN.

New stable kernels

Thursday 16th of August 2018 01:52:17 PM
Greg Kroah-Hartman has released a new batch of stable kernels: 4.18.1, 4.17.15, 4.14.63, 4.9.120, and 4.4.148. These include the fixes for the L1 terminal fault vulnerability and a few other fixes here and there. Users should upgrade.

Security updates for Thursday

Thursday 16th of August 2018 01:27:35 PM
Security updates have been issued by Debian (fuse), Fedora (cri-o, gdm, kernel-headers, postgresql, units, and wpa_supplicant), Mageia (iceaepe, kernel-linus, kernel-tmb, and libtomcrypt), openSUSE (aubio, libheimdal, nemo-extensions, and python-Django1), Red Hat (flash-plugin), SUSE (apache2, kernel, php7, qemu, samba, and ucode-intel), and Ubuntu (gnupg).

[$] LWN.net Weekly Edition for August 16, 2018

Thursday 16th of August 2018 01:18:00 AM
The LWN.net Weekly Edition for August 16, 2018 is available.

[$] The Data Transfer Project

Wednesday 15th of August 2018 08:24:46 PM

Social networks are typically walled gardens; users of a service can interact with other users and their content, but cannot see or interact with data stored in competing services. Beyond that, though, these walled gardens have generally made it difficult or impossible to decide to switch to a competitor—all of the user's data is locked into a particular site. Over time, that has been changing to some extent, but a new project has the potential to make it straightforward to switch to a new service without losing everything. The Data Transfer Project (DTP) is a collaborative project between several internet heavyweights that wants to "create an open-source, service-to-service data portability platform".

Security updates for Wednesday

Wednesday 15th of August 2018 02:55:47 PM
Security updates have been issued by CentOS (kernel), Debian (kernel, linux-4.9, postgresql-9.4, and ruby-zip), Fedora (cgit, firefox, knot-resolver, mingw-LibRaw, php-symfony, php-symfony3, php-symfony4, php-zendframework-zend-diactoros, php-zendframework-zend-feed, php-zendframework-zend-http, python2-django1.11, quazip, sox, and thunderbird-enigmail), openSUSE (python-Django and seamonkey), Oracle (kernel), Red Hat (kernel, kernel-rt, and redhat-virtualization-host), Scientific Linux (kernel), Slackware (openssl), SUSE (clamav, firefox, kernel, and samba), and Ubuntu (kernel, libxml2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-azure, linux-gcp, linux-lts-trusty, linux-lts-xenial, linux-aws, linux-raspi2, and samba).

[$] CVE-2018-5390 and "embargoes"

Tuesday 14th of August 2018 08:35:30 PM

A kernel bug that allows a remote denial of service via crafted packets was fixed recently and the resulting patch was merged on July 23. But an announcement of the flaw (which is CVE-2018-5390) was not released until August 6—a two-week window where users were left in the dark. It was not just the patch that might have alerted attackers; the flaw was publicized in other ways, as well, before the announcement, which has led to some discussion of embargo policies on the oss-security mailing list. Within free-software circles, embargoes are generally seen as a necessary evil, but delaying the disclosure of an already-public bug does not sit well.

[$] Meltdown strikes back: the L1 terminal fault vulnerability

Tuesday 14th of August 2018 05:59:13 PM
The Meltdown CPU vulnerability, first disclosed in early January, was frightening because it allowed unprivileged attackers to easily read arbitrary memory in the system. Spectre, disclosed at the same time, was harder to exploit but made it possible for guests running in virtual machines to attack the host system and other guests. Both vulnerabilities have been mitigated to some extent (though it will take a long time to even find all of the Spectre vulnerabilities, much less protect against them). But now the newly disclosed "L1 terminal fault" (L1TF) vulnerability (also going by the name Foreshadow) brings back both threats: relatively easy attacks against host memory from inside a guest. Mitigations are available (and have been merged into the mainline kernel), but they will be expensive for some users.

Security updates for Tuesday

Tuesday 14th of August 2018 02:56:39 PM
Security updates have been issued by Arch Linux (thunderbird), Debian (gdm3 and samba), openSUSE (cgit and lxc), SUSE (grafana, kafka, logstash, openstack-monasca-installer and samba), and Ubuntu (gdm3 and libarchive).

[$] The importance of being noisy

Monday 13th of August 2018 10:12:27 PM
Hundreds (at least) of kernel bugs are fixed every month. Given the kernel's privileged position within the system, a relatively large portion of those bugs have security implications. Many bugs are relatively easily noticed once they are triggered; that leads to them being fixed. Some bugs, though, can be hard to detect, a result that can be worsened by the design of in-kernel APIs. A proposed change to how user-space accessors work will, hopefully, help to shine a light on one class of stealthy bugs.

More in Tux Machines

4 Neat New GTK Themes for Your Linux Desktop

The new Yaru/Communitheme theme might be the talk of the Ubuntu town right now, but it’s not the only decent desktop theme out there. If you want to give your Linux desktop a striking new look ahead of the autumn then the following quad-pack of quality GTK themes might help you out. Don’t be put off by the fact you will need to manually install these skins; it’s pretty easy to install GTK themes on Ubuntu 18.04 LTS and above, providing you set hidden folders to show (Ctrl + H) in Nautilus first.

Python wriggles onward without its head

At the third annual PyBay Conference in San Francisco over the weekend, Python aficionados gathered to learn new tricks and touch base with old friends. Only a month earlier, Python creator Guido van Rossum said he would step down as BDFL – benevolent dictator for life – following a draining debate over the addition of a new way to assign variables within an expression (PEP 572). But if any bitterness about the proposal politics lingered, it wasn't evident among attendees. Raymond Hettinger, a Python core developer, consultant and speaker, told The Register that the retirement of Python creator Guido van Rossum hasn't really changed things. "It has not changed the tenor of development yet," he said. "Essentially, [Guido] presented us with a challenge for self-government. And at this point we don't have any active challenges or something controversial to resolve."

Today in Techrights

today's leftovers

  • How to Install R on Ubuntu 18.04
  • How to Install HTTP Git Server with Nginx on Ubuntu 18.04 LTS
  • Everything You Need to Know about Linux Containers, Part I: Linux Control Groups and Process Isolation
  • Robert Roth: Five or More GSoC
  • Adventures with NVMe, part 2
    A few days ago I asked people to upload their NVMe “cns” data to the LVFS. So far, 643 people did that, and I appreciate each and every submission. I promised I’d share my results, and this is what I’ve found:
  • The Next Challenge For Fwupd / LVFS Is Supporting NVMe SSD Firmware Updates
    With UEFI BIOS updating now working well with the Fwupd firmware updating utility and Linux Vendor Firmware Service (LVFS) for distributing these UEFI update capsules, Richard Hughes at Red Hat is next focusing on NVMe solid-state drives for being able to ship firmware updates under Linux. Hughes is in the early stages at looking to support NVMe firmware updates via LVFS/fwupd. Currently he is hoping for Linux users with NVMe drives to send in the id-ctrl identification data on your drives to him. This data will be useful so he knows what drives/models are most popular but also for how the firmware revision string is advertised across drives and vendors.
  • [Older] Language, Networking Packages Get Updates in Tumbleweed
    There were two openSUSE Tumbleweed snapshots this past week that mostly focused on language and network packages. The Linux Kernel also received an update a couple days ago to version 4.17.13. The packages in the 20180812 Tumbleweed snapshot brought fixes in NetworkManager-applet 1.8.16, which also modernized the package for GTK 3 use in preparations for GTK 4. The free remote desktop protocol client had its third release candidate for freerdp 2.0.0 where it improved automatic reconnects, added Wave2 support and fixed automount issues. More network device card IDs for the Intel 9000 series were added in kernel 4.17.13. A jump from libstorage-ng 4.1.0 to version 4.1.10 brought several translations and added unit test for probing xen xvd devices. Two Common Vulnerabilities and Exposures fixes were made with the update in postgresql 10.5. Several rubygem packages were updated to versions 5.2.1 including rubygem-rails 5.2.1, which makes the master.key file read-only for the owner upon generation on POSIX-compliant systems. Processing XML and HTML with python-lxml 4.2.4 should have fewer crashes thanks to a fix of sporadic crashes during garbage collection when parse-time schema validation is used and the parser participates in a reference cycle. Several YaST packages receive updates including a new ServiceWidget to manage the service status with yast2-ftp-server 4.1.3 as well with yast2-http-server, yast2-slp-server and yast2-squid 4.1.0 versions.
  • Red Hat Inc Risk Points versus Technology
  • 10 Efficient Raspberry Add-ons To Enhance Performance - Part 8
    Sometimes you may find yourself in great need to improve the functionality of your Raspberry Pi. There is a good chance your Raspberry does not support the functionality you want. There is also a chance that it supports your dream functionality but with the help of an external tool. An add-on in other words. It is pretty obvious that your dream add-on exists in the market or someone somewhere is cracking an algorithm to build. Never mind, here we compile a list of the best add-ons to get for your Raspberry in 2018.
  • Secure Email Service Tutanota sees F-Droid Release
    Back in February, I reviewed an email provider called Tutanota. If you read the article, you will remember that I thought very highly of the service. In my eyes, there were very few downsides to using the encrypted mail service, one of them being that you couldn’t use third-party email clients like Thunderbird for desktop computers or K-9 Mail for mobile devices.
  • Motorola Announces Android Pie Updates for 8 smartphones excluding Moto E5 & G5
  • How To Unsend Emails On Gmail For Android?
  • Nerd Knobs and Open Source in Network Software
    Tech is commoditizing. I've talked about this before; I think networking is commoditizing at the device level, and the days of appliance-based networking are behind us. But are networks themselves a commodity? Not any more than any other system. We are running out of useful features, so vendors are losing feature differentiation. This one is going to take a little longer… When I first started in network engineering, the world was multiprotocol, and we had a lot of different transports. For instance, we took cases on IPX, VIP, Appletalk, NetBios, and many other protocols. These all ran on top of Ethernet, T1, Frame, ATM, FDDI, RPR, Token Ring, ARCnet, various sorts of serial links ... The list always felt a little too long, to me. Today we have IPv4, IPv6, and MPLS on top of Ethernet, pretty much. All transports are framed as Ethernet, and all upper-layer protocols use some form of IP. MPLS sits in the middle as the most common "transport enhancer." The first thing to note is that the space across which useful features can be created is considerably smaller than it used to be.
  • Meetings that make people happy: Myth or magic?
    People tend to focus on the technical elements of meeting prep: setting the objective(s), making the agenda, choosing a place and duration, selecting stakeholders, articulating a timeline, and so on. But if you want people to come to a meeting ready to fully engage, building trust is mission-critical, too. If you need people to engage in your meetings, then you're likely expecting people to come ready to share their creativity, problem-solving, and innovation ideas.
  • Building microprocessor architectures on open-source hardware and software
    "The real freedom you get from open source projects is much more, and more important than the fact that you don't have to pay for it," Frank Gürkaynak, Director of ETHZ's Microelectronics Design Center, writes in an article posted on All About Circuits. "Researchers can take what we provide and freely change it for their experiments. Startup companies can build on what we provide as a starting point and concentrate their time and energy on the actual innovations they want to provide. And people who are disturbed by various attacks on their systems [1, 2] have the chance to look inside and know what exactly is in their system."
  • Create DIY music box cards with Punchbox
    That first time almost brought tears to my eyes. Mozart, sweetly, gently playing on the most perfect little music box. Perfectly! No errors in timing or pitch. Thank you, open source—without Mido, Svgwrite, PyYAML, and Click, this project wouldn't have been possible.
  • Fund Meant to Protect Elections May Be Too Little, Too Late
    The Election Assistance Commission, the government agency charged with distributing federal funds to support elections, released a report Tuesday detailing how each state plans to spend a total of $380 million in grants allocated to improve and secure their election systems. But even as intelligence officials warn of foreign interference in the midterm election, much of the money is not expected to be spent before Election Day. The EAC expects states to spend their allotted money within two to three years and gives them until 2023 to finish spending it. Election experts have expressed skepticism that the money will be enough to modernize election equipment and secure it against state-sponsored cyber threats.