Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 2 hours 14 min ago

Security updates for Friday

3 hours 31 min ago
Security updates have been issued by Debian (php-horde-image), openSUSE (kernel), Scientific Linux (git), SUSE (bluez, kernel, mariadb, and mariadb, mariadb-connector-c, xtrabackup), and Ubuntu (openjdk-7).

Bottomley: Containers and Cloud Security

Thursday 21st of June 2018 06:49:57 PM
On his blog, James Bottomley looks at the value proposition for various types of cloud deployments. In particular, he compares the vertical and horizontal attack profile (VAP and HAP) of four different models: separate servers, separate logins on a single server, virtual machines, and containers. He finds the container story to be compelling: "The total VAP here is identical to that of physical infrastructure. However, the Tenant component is much smaller (the kernel accounting for around 50% of all vulnerabilities). It is this reduction in the Tenant VAP that makes containers so appealing: the CSP [cloud service provider] is now responsible for monitoring and remediating about half of the physical system VAP which is a great improvement for the Tenant. Plus when the CSP remediates on the host, every container benefits at once, which is much better than having to crack open every virtual machine image to do it. Best of all, the Tenant images don’t have to be modified to benefit from these fixes, simply running on an updated CSP host is enough. However, the cost for this is that the HAP is the entire linux kernel syscall interface meaning the HAP is much larger than then hypervisor virtual infrastructure case because the latter benefits from interface narrowing to only the hypercalls (qualitatively, assuming the hypercall interface is ~30 calls and the syscall interface is ~300 calls, then the HAP is 10x larger in the container case than the hypervisor case); however, thanks to protections from the kernel namespace code, the HAP is less than the shared login server case. Best of all, from the Tenant point of view, this entire HAP cost is borne by the CSP, which makes this an incredible deal: not only does the Tenant get a significant reduction in their VAP but the CSP is hugely motivated to keep on top of all vulnerabilities in their part of the VAP and remediate very fast because of the business implications of a successful horizontal attack."

Security updates for Thursday

Thursday 21st of June 2018 02:15:12 PM
Security updates have been issued by openSUSE (cobbler and matrix-synapse), Oracle (git), Red Hat (git), SUSE (java-1_7_1-ibm, nagios-nrpe, and ntp), and Ubuntu (AMD microcode).

[$] LWN.net Weekly Edition for June 21, 2018

Thursday 21st of June 2018 12:09:34 AM
The LWN.net Weekly Edition for June 21, 2018 is available.

Two stable kernel updates

Wednesday 20th of June 2018 09:41:53 PM
Stable kernels 4.16.17 and 4.14.51 have been released with lots of fixes throughout the tree. Users should upgrade.

[$] Mentoring and diversity for Python

Wednesday 20th of June 2018 09:38:38 PM

A two-part session at the 2018 Python Language Summit tackled the core developer diversity problem from two different angles. Victor Stinner outlined some work he has been doing to mentor new developers on their path toward joining the core development ranks; he has also been trying to document that path. Mariatta Wijaya gave a very personal talk that described the diversity problem while also providing some concrete action items that the project and individuals could take to help make Python more welcoming to minorities.

[$] Getting along in the Python community

Wednesday 20th of June 2018 07:04:32 PM

In a session with a title that used a common misquote of Rodney King ("can't we all just get along?"), several Python developers wanted to discuss an incident that had recently occurred on the python-dev mailing list. A rude posting to the list led to a thread that got somewhat out of control. Some short tempers among the members of the Python developer community likely escalated things unnecessarily. The incident in question was brought up as something of an object lesson; people should take some time to simmer down before firing off that quick, but perhaps needlessly confrontational, reply.

[$] PEP 572 and decision-making in Python

Wednesday 20th of June 2018 04:41:42 PM

The "PEP 572 mess" was the topic of a 2018 Python Language Summit session led by benevolent dictator for life (BDFL) Guido van Rossum. PEP 572 seeks to add assignment expressions (or "inline assignments") to the language, but it has seen a prolonged discussion over multiple huge threads on the python-dev mailing list—even after multiple rounds on python-ideas. Those threads were often contentious and were clearly voluminous to the point where many probably just tuned them out. At the summit, Van Rossum gave an overview of the feature proposal, which he seems inclined toward accepting, but he also wanted to discuss how to avoid this kind of thread explosion in the future.

Welcome to Fedora CoreOS

Wednesday 20th of June 2018 04:29:20 PM
Matthew Miller looks at how Red Hat's acquisition of CoreOS will affect the Fedora project. "This isn’t the place for technical details — see “what next?” at the bottom of this message for more. I expect that over the next year or so, Fedora Atomic Host will be replaced by a new thing combining the best from Container Linux and Project Atomic. This new thing will be “Fedora CoreOS” and serve as the upstream to Red Hat CoreOS."

Security updates for Wednesday

Wednesday 20th of June 2018 03:16:56 PM
Security updates have been issued by Arch Linux (pass), Debian (xen), Fedora (chromium, cobbler, gnupg, kernel, LibRaw, mariadb, mingw-libtiff, nikto, and timidity++), Gentoo (chromium, curl, and transmission), Mageia (gnupg, gnupg2, librsvg, poppler, roundcubemail, and xdg-utils), Red Hat (ansible and glusterfs), Slackware (gnupg), SUSE (cobbler, dwr, java-1_8_0-ibm, kernel, microcode_ctl, pam-modules, salt, slf4j, and SMS3.1), and Ubuntu (libgcrypt11, libgcrypt11, libgcrypt20, and mozjs52).

Security updates for Tuesday

Tuesday 19th of June 2018 02:33:31 PM
Security updates have been issued by Arch Linux (libgcrypt), Fedora (bouncycastle, nodejs, and perl-Archive-Tar), openSUSE (aubio), and Red Hat (chromium-browser, glibc, kernel, kernel-rt, libvirt, pcs, samba, samba4, sssd and ding-libs, and zsh).

[$] TCP small queues and WiFi aggregation — a war story

Monday 18th of June 2018 11:28:40 PM

This article describes our findings that connected TCP small queues (TSQ) with the behavior of advanced WiFi protocols and, in the process, solved a throughput regression. The resulting patch is already in the mainline tree, so before continuing, please make sure your kernel is updated. Beyond the fix, it is delightful to travel through history to see how we discovered the problem, how it was tackled, and how it was patched.

Subscribers can read on for the full story by guest authors Carlo Grazia and Natale Patriciello.

Security updates for Monday

Monday 18th of June 2018 03:04:00 PM
Security updates have been issued by CentOS (kernel), Debian (libgcrypt20, redis, and strongswan), Fedora (epiphany, freedink-dfarc, gnupg, LibRaw, nodejs-JSV, nodejs-uri-js, singularity, strongswan, and webkit2gtk3), Mageia (flash-player-plugin, freedink-dfarc, and imagemagick), openSUSE (enigmail, gpg2, java-1_7_0-openjdk, java-1_8_0-openjdk, poppler, postgresql96, python-python-gnupg, and samba), Oracle (kernel), SUSE (gpg2 and xen), and Ubuntu (gnupg and webkit2gtk).

[$] 4.18 Merge window, part 2

Sunday 17th of June 2018 08:23:07 PM
By the time that Linus Torvalds released 4.18-rc1 and closed the merge window for this development cycle, 11,594 non-merge changesets had found their way into the mainline kernel repository. Nearly 4,500 of those were pulled after last week's summary was written. Thus, in terms of commit traffic, 4.18 looks to be quite similar to its predecessors. As usual, the entry of significant new features has slowed toward the end of the merge window, but there are still some important changes on the list.

A set of weekend stable kernel updates

Sunday 17th of June 2018 02:25:12 AM
The stable update machine continues to crank out releases: 4.17.2, 4.16.16, 4.14.50, 4.9.109, and 4.4.138 are all available with another set of important fixes.

Kernel prepatch 4.18-rc1

Sunday 17th of June 2018 02:14:04 AM
The first 4.18 prepatch is out, and the merge window has closed for this development cycle. "You may think it's still Saturday for me, and that I should give you one more day of merge window to send in some last-minute pull requests, but I know better. I'm in Japan, and it's Sunday here."

[$] Toward a fully reproducible Debian

Friday 15th of June 2018 02:55:52 PM
It's been a little over one year since we last covered Debian's reproducible builds project. The effort has not stopped in the interim; progress continues to be made, the message has sharpened up, and word is spreading. Chris Lamb, speaking about this at FLOSS UK in a talk called "You may think you're not a target: a tale of three developers", hinted that the end may be starting to come into sight.

Security updates for Friday

Friday 15th of June 2018 02:49:06 PM
Security updates have been issued by CentOS (plexus-archiver), Fedora (chromium, kernel, and plexus-archiver), Mageia (firefox, gifsicle, jasper, leptonica, patch, perl-DBD-mysql, qt3, and scummvm), openSUSE (opencv), Oracle (kernel), Red Hat (kernel), Scientific Linux (kernel), SUSE (gpg2, nautilus, and postgresql96), and Ubuntu (gnupg2 and linux-raspi2).

Cook: security things in Linux v4.17

Friday 15th of June 2018 11:29:57 AM
Kees Cook describes the security-oriented changes included in the 4.17 kernel release. "It was possible that old memory contents would live in a new process’s kernel stack. While normally not visible, “uninitialized” memory read flaws or read overflows could expose these contents (especially stuff “deeper” in the stack that may never get overwritten for the life of the process). To avoid this, I made sure that new stacks were always zeroed. Oddly, this “priming” of the cache appeared to actually improve performance, though it was mostly in the noise."

Backdoored images downloaded 5 million times finally removed from Docker Hub (ars technica)

Friday 15th of June 2018 11:26:12 AM
Ars technica has the story of a set of Docker images containing cryptocurrency miners that persisted on Docker Hub for the better part of a year — after being discovered. "Neither the Docker Hub account nor the malicious images it submitted were taken down. Over the coming months, the account went on to submit 14 more malicious images. The submissions were publicly called out two more times, once in January by security firm Sysdig and again in May by security company Fortinet. Eight days after last month's report, Docker Hub finally removed the images."

More in Tux Machines

today's howtos

KDE/Qt: Qt Contributor Summit 2018, Integrating Cloud Solutions with Qt, FreeBSD, and Konsole

  • Qt Contributor Summit 2018
    One bit especially interesting is the graphics stack. Back in Qt 5.0, Qt took the liberty of limiting the graphics stack to OpenGL, but the world has changed since: On Windows the only proper stack is Direct3D 12, Apple introduced Metal and recently deprecated OpenGL and Vulkan is coming rather strong. It looks like embracing these systems transparently will be one of the most exciting tasks to achieve. From a KDE & Plasma perspective I don’t think this is scary, OpenGL is here to stay on Linux. We will get a Framework based on a more flexible base and we can continue pushing Plasma, Wayland, Plasma Mobile with confidence that the world won’t be crumbling. And with a bit of luck, if we want some parts to use Vulkan, we’ll have it properly abstracted already.
  • Integrating Cloud Solutions with Qt
    These days, using the cloud for predictive maintenance, analytics or feature updates is a de facto standard in the automation space. Basically, any newly designed product has some server communication at its core. However, the majority of solutions in the field were designed and productized when communication technology was not at today’s level. Still, attempts are being made to attach connectivity to such solutions. The mission statement is to “cloudify” an existing solution, which uses some internal protocol or infrastructure.
  • KDE on FreeBSD – June 2018
    It’s been a while since I wrote about KDE on FreeBSD, what with Calamares and third-party software happening as well. We’re better at keeping the IRC topic up-to-date than a lot of other sources of information (e.g. the FreeBSD quarterly reports, or the f.k.o website, which I’ll just dash off and update after writing this).
  • Konsole’s search tool
    Following my konsole’s experiments from the past week I came here to show something that I’m working on with the VDG, This is the current Konsole’s Search Bar. [...] I started to fix all of those bugs and discovered that most of them happened because we had *one* search bar that was shared between every terminal view, and whenever a terminal was activated we would reposition, reparent, repaint, disconnect, reconnect the search bar. Easiest solution: Each Terminal has it’s own search bar. Setuped only once. The one bug I did not fix was the Opening / Closing one as the searchbar is inside of a layout and layouts would reposition things anyway. All of the above bugs got squashed by just moving it to TerminalDisplay, and the code got also much cleaner as there’s no need to manual intervention in many cases. On the review Kurt – the Konsole maintainer – asked me if I could try to make the Search prettier and as an overlay on top of the Terminal so it would not reposition things when being displayed.

LibreOffice 6.0 Is Now Ready for Mainstream Users and Enterprise Deployments

LibreOffice 6.0.5 is here one and a half months after the LibreOffice 6.0.4 point release to mark the open-source office suite as ready for mainstream users and enterprise deployments. The Document Foundation considers that LibreOffice 6.0 has been tested thoroughly and that it's now ready for use in production, enterprise environments. Until now, The Document Foundation only recommended the LibreOffice 6.0 office suite to bleeding-edge users while urging enterprises and mainstream users to use the well-tested LibreOffice LibreOffice 5.4 series, which reached end of life on June 11, 2018, with the last point release, LibreOffice 5.4.7. Read more

LibreOffice 6.0 Is Now Ready for Mainstream Users and Enterprise Deployments

The Document Foundation informed Softpedia today about the general availability of the fifth point release of the LibreOffice 6.0 open-source and cross-platform office suite for all supported operating systems. LibreOffice 6.0.5 is here one and a half months after the LibreOffice 6.0.4 point release to mark the open-source office suite as ready for mainstream users and enterprise deployments. The Document Foundation considers that LibreOffice 6.0 has been tested thoroughly and that it's now ready for use in production, enterprise environments. Read more Direct: The Document Foundation announces LibreOffice 6.0.5