News briefs for July 22, 2019.

Linux kernel 5.3-rc1 has been released. Linus Torvalds writes, "This is a pretty big release, judging by the commit count. Not the biggest ever (that honor still goes to 4.9-rc1, which was exceptionally big), and we've had a couple of comparable ones (4.12, 4.15 and 4.19 were also big merge windows), but it's definitely up there." He also notes that "...there's a lot to like in 5.3."

German cybersecurity watchdog CERT-Bund recently discovered a security flaw in the VLC media player 3.0.7.1. Softpedia News reports that "a successful exploit of the vulnerability allows for unauthorized disclosure of information, unauthorized modification of files, and disruption of service." See CVE-2019-13615 for specifics. A patch is in the works.

Melissa Di Donato has been appointed CEO of SUSE. From the press release: "Accomplished technology executive and former SAP leader, Melissa Di Donato, has been named chief executive officer of SUSE in a move that will herald the next phase of growth and momentum for the world's largest independent open source software company....Di Donato is highly regarded for her forward-thinking leadership style and is a passionate advocate for workplace diversity. This includes her role as Technology Group chair of the 30% Club—an organization with the goal of achieving 30 percent female directors on S&P 100 boards by 2020. She also holds prominent positions in other organizations, including Notion Capital, and is a trustee for charity Founders4Schools."

Dropbox brings back support for ZFS, XFS, Btrfs and eCryptFS. According to Linux Uprising, "it appears that this change has made it into the stable Dropbox client for Linux. This isn't directly mentioned on the Dropbox website, but after a fresh Dropbox installation that I performed on Ubuntu, the reported version is 77.4.131, which is a higher version number than the Dropbox beta version for which it was reported that it now supports ZFS and XFS on 64-bit Linux systems, and eCryptFS and Btrfs on all Linux systems. I also gave it a try on a Btrfs filesystem and folder syncing ran without running into any issues."

YugaByte is now 100% open source. dbta.com reports that "YugaByte, a provider of open source distributed SQL databases, announced that YugaByte DB is now 100% open source under the Apache 2.0 license, bringing previously commercial features into the open source core."

News kernel Security VLC SUSE Dropbox YugaByte open source

by Charles Fisher

Enterprise comes to the micro server.

Oracle Linux 7 has been released for the Raspberry Pi 3. The release packages Btrfs as the root filesystem on the UEK-branded Linux 4.14 Long Term Support (LTS) kernel. A bootable disk image with a minimal install is provided along with a standard ISO installer.

CentOS appears to support only the "Mustang" Applied Micro X-Gene for AArch64, and it provides the older AArch32 environment for all models of the Raspberry Pi. Oracle Linux is a compelling option among RPM distributions in supporting AArch64 for the Pi Model 3.

This is not to say that Oracle AArch64 Linux is without flaw, as Oracle warns that this is "a preview release and for development purposes only; Oracle suggests these not be used in production." The non-functional WiFi device is missing firmware and documentation, which Oracle admits was overlooked. No X11 graphics are included in the image, although you can install them. The eponymous database client (and server) are absent. Oracle has provided a previous example of orphaned software with its Linux for SPARC project, which was abandoned after two minor releases. There's no guarantee that this ARM version will not suffer the same fate, although Oracle has responded that "our eventual target is server class platforms". One possible hardware target is the Fujitsu A64FX, a new server processor that bundles 48 addressable AArch64 cores and 32GB of RAM on one die, asserted to be the "fastest server processor" that exists.

AArch64 on the Pi

You'll need a Raspberry Pi Model 3 to run Oracle Linux. The 3B+ is the best available device, and you should choose that over the predecessor Model 3B and all other previous models. Both Model 3 boards retain the (constraining) 1GB of RAM—a SODIMM socket would be far more practical. The newer board has a CPU that is 200MHz faster and a Gigabit-compatible Ethernet port (that is limited to 300Mbit due to the USB2 linkage that connects it). A Model A also exists, but it lacks many of the ports on the 3B. More important, the Model 3 platform introduces a 64-bit CPU.

Go to Full Article

News briefs for July 19, 2019.

Oracle yesterday announced the release of Oracle Linux 8. New features include Application Streams, a "Dandified Yum", RPM improvements and much more. From the announcement: "With Oracle Linux 8, the core operating environment and associated packages for a typical Oracle Linux 8 server are distributed through a combination of BaseOS and Applications Streams. BaseOS gives you a running user space for the operating environment. Application Streams provides a range of applications that were previously distributed in Software Collections, as well as other products and programs, that can run within the user space."

Microsoft this week announced it was giving away software to help secure American voting machines. According to NBC News, "The company said it was rolling out the free, open-source software product called ElectionGuard, which it said uses encryption to 'enable a new era of secure, verifiable voting.' The company is working with election machine vendors and local governments to deploy the system in a pilot program for the 2020 election. The system uses an encrypted tracking code to allow a voter to verify that his or her vote has been recorded and has not been tampered with, Microsoft said in a blog post."

Linux Mint 19.2 "Tina" Cinnamon beta was released this week. Some highlights in version 19.2 include improved kernel support in the update manager, improved software manager and a new look and layout for system reports. Go here to read about all the new features, and read the release notes here.

The first beta of Latte Dock for v0.9 (v0.8.97) has been released. New features include a new colors mechanism, online indicator, shared layouts and more. v0.9 is scheduled for release at the end of the month. The Psifidotos blog notes that you can help by finding bugs or with translations.

Ubuntu 18.10 (Cosmic Cuttlefish) officially reaches end of life today. Package updates will no longer be accepted to 18.10, and security notices will no longer include information or package updates for 18.10. To upgrade, visit https://help.ubuntu.com/community/DiscoUpgrades.

News Oracle Microsoft Latte Dock Ubuntu Linux Mint

by Petros Koutoupis

I have spent the first three parts of this series describing the evolution and current state of Flash storage. I also described how to configure an NVMe over Fabric (NVMeoF) storage network to export NVMe volumes across RDMA over Converged Ethernet (RoCE) and again over native TCP. [See Petros' "Data in a Flash, Part I: the Evolution of Disk Storage and an Introduction to NVMe", "Data in a Flash, Part II: Using NVMe Drives and Creating an NVMe over Fabrics Network" and "Data in a Flash, Part III: NVMe over Fabrics Using TCP".]

But what does the future of memory technologies look like? With traditional Flash technologies that are enabled via NVMe, you should continue to expect higher capacities. For instance, what comes after QLC or Quad-Level Cells NAND technology? Only time will tell. The next-generation NVMe specification will introduce a protocol standard operating across more PCI Express lanes and at a higher bandwidth. As memory technologies continue to evolve, the method in which you plug that technology into your computers will evolve with it.

Remember, the ultimate goal is to move closer to the CPU and reduce access times (that is, latencies).

Figure 1. The Data Performance Gap as You Move Further Away from the CPU

Storage Class Memory

For years, vendors have been developing a technology in which you are able to plug persistent memory into traditional DIMM slots. Yes, these are the very same slots that volatile DRAM also uses. Storage Class Memory (SCM) is a newer hybrid storage tier. It's not exactly memory, and it's also not exactly storage. It lives closer to the CPU and comes in two forms: 1) traditional DRAM backed by a large capacitor to preserve data to a local NAND chip (for example, NVDIMM-N) and 2) a complete NAND module (NVDIMM-F). In the first case, you retain DRAM speeds, but you don't get the capacity. Typically, a DRAM-based NVDIMM is behind the latest traditional DRAM sizes. Vendors such as Viking Technology and Netlist are the main producers of DRAM-based NVDIMM products.

The second, however, will give you the larger capacity sizes, but it's not nearly as fast as DRAM speeds. Here, you will find your standard NAND—the very same as found in modern Solid State Drives (SSDs) fixed onto your traditional DIMM modules.

Go to Full Article

Please support Linux Journal by subscribing or becoming a patron.

Your browser does not support the audio element. Episode 23: Advertisers: Don't Be Creepy

Katherine Druckman and Doc Searls talk to Linux Journal's Danna Vedder about the current state of advertising.

• Download ogg format

News briefs for July 18, 2019.

New Linux malware has been discovered that masquerades as a GNOME shell extension and spies on users. Bleeping Computer reports that Intezer Labs' researchers made the discovery earlier this month, and they say that "EvilGnome's functionalities include desktop screenshots, file stealing, allowing capturing audio recording from the user's microphone and the ability to download and execute further modules. The implant contains an unfinished keylogger functionality, comments, symbol names and compilation metadata which typically do not appear in production versions." See Intezer's blog for more on EvilGnome.

Fedora recently announced the first preview release of Fedora CoreOS. From the announcement: "Fedora CoreOS is built to be the secure and reliable host for your compute clusters. It's designed specifically for running containerized workloads without regular maintenance, automatically updating itself with the latest OS improvements, bug fixes, and security updates. The initial preview release of Fedora CoreOS runs on bare metal, QEMU, VMware, and AWS, on x86_64 only." Go here to download and get started with Fedora CoreOS.

Germany has banned its schools from using cloud-based productivity suites from Microsoft, Google, and Apple, because the companies weren't meeting the country's privacy requirements. Naked Security reports, that the statement from the Hessische Beauftragte für Datenschutz und Informationsfreiheit (Hesse Commissioner for Data Protection and Freedom of Information, or HBDI) said, "The digital sovereignty of state data processing must be guaranteed. With the use of the Windows 10 operating system, a wealth of telemetry data is transmitted to Microsoft, whose content has not been finally clarified despite repeated inquiries to Microsoft. Such data is also transmitted when using Office 365." The HBDI also stressed that "What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensible set out. Therefore, it is also true that for schools, privacy-compliant use is currently not possible."

VirtualBox 6.0.10 was released this week. According to Linux Uprising, it's a maintenance release with mostly bug fixes, but it does have one main new addition: "support for UEFI secure boot driver signing on Ubuntu and Debian 10+ hosts". See the full Changelog for more details.

Sparky 5.8 "Nibiru" has new live/install media available to download. This is the first release of the stable line based on Debian 10 "Buster". Changes include Linux kernel 4.19.37-5 (i686 and amd64) and 4.19.57-v7 (ARMHF), Calamares installer updated to 3.2.11, old third party repositories have been removed and much more. Go here to download the Sparky stable edition.

News Security GNOME Fedora Germany Microsoft Google Apple VirtualBox UEFI Sparky Linux

by Zack Brown

Often, a kernel developer will try to reduce the size of an attack surface against Linux, even if it can't be closed entirely. It's generally a toss-up whether such a patch makes it into the kernel. Linus Torvalds always prefers security patches that really close a hole, rather than just give attackers a slightly harder time of it.

Matthew Garrett recognized that userspace applications might have secret data that might be sitting in RAM at any given time, and that those applications might want to wipe that data clean so no one could look at it.

There were various ways to do this already in the kernel, as Matthew pointed out. An application could use mlock() to prevent its memory contents from being pushed into swap, where it might be read more easily by attackers. An application also could use atexit() to cause its memory to be thoroughly overwritten when the application exited, thus leaving no secret data in the general pool of available RAM.

The problem, Matthew pointed out, came if an attacker was able to reboot the system at a critical moment—say, before the user's data could be safely overwritten. If attackers then booted into a different OS, they might be able to examine the data still stored in RAM, left over from the previously running Linux system.

As Matthew also noted, the existing way to prevent even that was to tell the UEFI firmware to wipe system memory before booting to another OS, but this would dramatically increase the amount of time it took to reboot. And if the good guys had won out over the attackers, forcing them to wait a long time for a reboot could be considered a denial of service attack—or at least downright annoying.

Ideally, Matthew said, if the attackers were only able to induce a clean shutdown—not simply a cold boot—then there needed to be a way to tell Linux to scrub all data out of RAM, so there would be no further need for UEFI to handle it, and thus no need for a very long delay during reboot.

Matthew explained the reasoning behind his patch. He said:

Unfortunately, if an application exits uncleanly, its secrets may still be present in RAM. This can't be easily fixed in userland (eg, if the OOM killer decides to kill a process holding secrets, we're not going to be able to avoid that), so this patch adds a new flag to madvise() to allow userland to request that the kernel clear the covered pages whenever the page reference count hits zero. Since vm_flags is already full on 32-bit, it will only work on 64-bit systems.

Matthew Wilcox liked this plan and offered some technical suggestions for Matthew G's patch, and Matthew G posted an updated version in response.

Go to Full Article

News briefs for July 17, 2019.

Malicious Python libraries have been found on the official Python Package Index (PyPI), which contain a hidden backdoor that would activate when installed on Linux systems. According to ZDNet, the three packages are named libpeshnx, libpesh and libari, and they "were authored by the same user (named ruri12) and had been available for download from PyPI for almost 20 months, since November 2017, before the packages were discovered earlier this month by security researchers from ReversingLabs. The PyPI team removed the packages on July 9, the same day ReversingLabs notified the PyPI repo maintainers about their findings." In addition, "None of the three packages ever listed a description, so it's impossible to tell what was their purpose. However, PyPI stats showed that the packages were being regularly downloaded, with tens of monthly installations for each."

Offensive Security, the creators of open-source Kali Linux, has launched the Kali NetHunter App Store, "a new one stop shop for security relevant Android applications. Designed as an alternative to the Google Play store for Android devices, the NetHunter store is an installable catalogue of Android apps for pentesting and forensics". The press release also notes that the NetHunter store is a slightly modified version of F-Droid: "While F-Droid installs its clients with telemetry disabled and asks for consent before submitting crash reports, the NetHunter store goes a step further by removing the entire code to ensure that privacy cannot be accidentally compromised". See the Kali.org blog post for more details.

IBM to reunite original Apollo 11 mission technicians today for a live panel discussion celebrating the 50th anniversary of the Apollo 11 moon landing. The panel will be available via livestream starting at 2:30pm EDT. From the press release: "Moderated by Dr. John E. Kelly, IBM Executive Vice President, from the Johnson Space Center in Houston, Texas, the panel will reunite veterans of the Apollo 11 mission to share behind-the-scenes details of what it was like to be right in the middle of the action in the lead-up to and during this historic moment in time. The panelists will also look ahead to how the future of artificial intelligence, quantum computing, and other technologies could help us reach new frontiers." The livestream will be available here.

Azul Systems announces it has created OpenJSSE, an open-source implementation of TLS 1.3 for Java SE 8, which is now included in the latest releases of its Zulu Community and Zulu Enterprise products. You can find source code, example use cases and documentation on GitHub.

Krita 4.2.3 was released this morning. This release is mainly a bug fix release, but it does include one new feature: "it is now possible to rotate the canvas with a two-finger touch gesture. This feature was implemented by Sharaf Zaman for his 2019 Google Summer of Code work of porting Krita to Android. The feature also works on other platforms, of course."

News python Security Kali Linux Kali NetHunter App Store Android IBM Java OpenJSSE Krita

by Vince Calandra

“Linux is Linux is Linux,” is a direct quote I heard in a meeting I had recently with a major multi-national, critical-infrastructure company. Surprisingly and correctly, there was one intelligent and brave engineering executive who replied to this statement, made by one of his team members, with a resounding, “That’s not true.” Let’s be clear, selecting a commercial Linux is not like selecting corn flakes. This is especially true when you are targeting embedded systems. You must be considering key questions regarding the supplier of the distribution, the criticality of the target application, security and life-cycle support for your product.

Choose Wisely

There is a wonderful scene in the movie Indiana Jones and the Last Crusade when our hero, Indiana, must select the true Holy Grail. Set before him is a multitude of cups ranging from opulent, bejeweled challises to simple clay drinking cups. If you have seen the movie, Indiana reasons out the best choice, and it was a life or death selection. The knight who had been guarding the challises for centuries famously says, “You chose… wisely.” Why bring up this iconic scene? When you are selecting a commercial Linux distribution, you have a multitude of choices all bejeweled with wonderful marketing. The bottom line is that you want to save dollars that you would have otherwise spent on a DIY-Linux approach and ensure the commercial Linux selected fits your particular application. Here are some questions that you will need to keep in mind:

• Is this for an IT application?

• Is this for an OT (Operational Technology) application?

• How long will this system be in the field?

• What processes and procedures are used by my supplier to cover security vulnerabilities?

• Can my supplier integrate in other Linux packages that support functionality I need going forward?

This is the short list. Other elements to keep in mind are the specific distribution’s origin and the Open Source community upon which it is based. How important is that specific Linux supplier with regard to the Open Source community upon which the distribution is based? These elements need to be part of the thought process.

I’ll Let My Silicon Choose

Go to Full Article

News briefs for July 16, 2019.

IBM this morning announces three new open-source projects that "make it faster and easier for you to develop and deploy applications for Kubernetes". Kabanero "integrates the runtimes and frameworks that you already know and use (Node.js, Java, Swift) with a Kubernetes-native DevOps toolchain". Appsody "gives you pre-configured stacks and templates for a growing set of popular open source runtimes and frameworks, providing a foundation on which to build applications for Kubernetes and Knative deployments". And Codewind "provides extensions to popular integrated development environments (IDEs) like VS Code, Eclipse, and Eclipse Che (with more planned), so you can use the workflow and IDE you already know to build applications in containers."

IBM also today announces the Data Asset eXchange (DAX), which is "an online hub for developers and data scientists to find carefully curated free and open datasets under open data licenses". The press release notes that whenever possible, "datasets posted on DAX will use the Linux Foundation's Community Data License Agreement (CDLA) open data licensing framework to enable data sharing and collaboration. Furthermore, DAX provides unique access to various IBM and IBM Research datasets. IBM plans to publish new datasets on the Data Asset eXchange regularly. The datasets on DAX will integrate with IBM Cloud and AI services as appropriate."

In honor of Sysadmin Day, the Linux Foundation is offering all IT certification and prep course bundles for $325 each, along with a bonus course valued at $299 and a free Linux Foundation ball cap. The sale runs today until July 26th.

The city of London launches an open-source app for homebuilding. Arch News reports that "The freely-available app, titled PRISM, is aimed at the design and construction of high-quality, factory-built homes to address the current demand of 50,000+ houses per year."

Clonezilla live (2.6.2-15) was released recently. This release include major enhancements and bug fixes. The Linux kernel was updated to 4.19.37-5, the underling OS is based on the Debian Sid repository (as of 2019/Jul/07), the mechanism to update uEFI nvram boot entry was improved, and much more. The Clonezilla live 2.6.2-15 download link is here.

News IBM Kubernetes DevOps Open Data The Linux Foundation Clonezilla

by Matthew Hoskins

Love Arduino but hate the GUI? Try arduino-cli.

In this article, I explore a new tool released by the Arduino team that can free you from the existing Java-based Arduino graphical user interface. This allows developers to use their preferred tools and workflow. And perhaps more important, it'll enable easier and deeper innovation into the Arduino toolchain itself.

The Good-Old Days

When I started building hobby electronics projects with microprocessors in the 1990s, the process entailed a discrete processor, RAM, ROM and masses of glue logic chips connected together using a point-to-point or "wire wrapping" technique. (Look it up kids!) Programs were stored on glass-windowed EPROM chips that needed to be erased under UV light. All the tools were expensive and difficult to use, and development cycles were very slow. Figures 1–3 show some examples of my mid-1990s microprocessor projects with discrete CPU, RAM and ROM. Note: no Flash, no I/O, no DACs, no ADCs, no timers—all that means more chips!

Figure 1. Example Mid-1990s Microprocessor

Figure 2. Example Mid-1990s Microprocessor

Figure 3. Example Mid-1990s Microprocessor

It all changed in 2003 with Arduino.

The word "Arduino" often invokes a wide range of opinions and sometimes emotion. For many, it represents a very low bar to entry into the world of microcontrollers. This world before 2003 often required costly, obscure and closed-source development tools. Arduino has been a great equalizer, blowing the doors off the walled garden. Arduino now represents a huge ecosystem of hardware that speaks a (mostly) common language and eases transition from one hardware platform to another. Today, if you are a company that sells microcontrollers, it's in your best interest to get your dev boards working with Arduino. It offers a low-friction path to getting your products into lots of hands quickly.

It's also important to note that Arduino's simplicity does not inhibit digging deep into the microcontroller. Nothing stops you from directly twiddling registers and using advanced features. It does, however, decrease your portability between boards.

Go to Full Article

News briefs for July 15, 2019.

Q4OS 3.8 stable was released today. This is a long-term support (LTS) release based on Debian Buster 10 with Plasma 5.14 and optionally Trinity 14.0.6 for desktop environments. Its primary aim is stability, and it's code-named Centaurus. It's available for 64bit and 32bit/i686pae computers, and also for older i386 systems without PAE extension. Support for ARM devices is in the works. Go here to download.

Linux kernel 5.2.1 was released yesterday. Greg Kroah-Hartman writes, "All users of the 5.2 kernel series must upgrade. The updated 5.2.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.2.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary."

Cloudera recently announced an new open-source licensing model. The company's Vision blog post states that the new strategy "aligns the licensing models previously used by each of Hortonworks and Cloudera and also introduces some new changes. We take our open source leadership role seriously, and recognize that our need to align our own licenses is also an opportunity to lead and to renew our commitment to open source software." Moving forward all of the company's open-source licenses "will adhere to one of two OSI approved licenses: the Apache License, Version 2, or the GNU Affero General Public License, Version 3 ('AGPL')". The post also notes Cloudera's open-source goals: "freedom from vendor lock-in", "community standards, not Cloudera standards" and "open ecosystem". See the Cloudera Licensing Policy FAQ for more details.

Microsoft's Quantum Development Kit is now available as an open source project on GitHub. According to Windows Central, "The QDK, which launched in preview last year, gives developers access to the Q# programming language, quantum simulators, and the libraries needed to start experimenting with quantum computing before it goes mainstream." See also the Microsoft Quantum blog for more information.

The Bank of England has announced that Alan Turing will be on the new £50 note in the UK. Gizmodo quotes Bank of England Governor Mark Carney: "Why Turing? Turing was an outstanding mathematician whose works had an enormous impact on how we live today. As the father of computer science and artificial intelligence, Alan Turing's contributions were far-ranging and path-breaking. His genius lay in a unique ability to link the philosophical and the abstract with the practical and the concrete. And all around us his legacy continues to build. Turing is a giant on whose shoulders so many now stand."

News Q4OS Distributions Debian kernel Cloudera open source licensing Microsoft Quantum Computing Alan Turing

by Marcel Gagné

A look at using OpenAI's Generative Pretrained Transformer 2 (GPT-2) to generate text.

It's probably fair to say that there's more than one person out there who is worried about some version of artificial intelligence, or AI, possibly in a robot body of some kind, taking people's jobs. Anything that is repetitive or easily described is considered fair game for a robot, so driving a car or working in a factory is fair game.

Until recently, we could tell ourselves that people like yours truly—the writers and those who create things using some form of creativity—were more or less immune to the march of the machines. Then came GPT-2, which stands for Generative Pretrained Transformer 2. I think you'll agree, that isn't the sexiest name imaginable for a civilization-ending text bot. And since it's version 2, I imagine that like Star Trek's M-5 computer, perhaps GPT-1 wasn't entirely successful. That would be the original series episode titled, "The Ultimate Computer", if you want to check it out.

So what does the name "GPT-2" stand for? Well, "generative" means pretty much what it sounds like. The program generates text based on a predictive model, much like your phone suggests the next word as you type. The "pretrained" part is also quite obvious in that the model released by OpenAI has been built and fine-tuned for a specific purpose. The last word, "Transformer", refers to the "transformer architecture", which is a neural network design architecture suited for understanding language. If you want to dig deeper into that last one, I've included a link from a Google AI blog that compares it to other machine learning architecture (see Resources).

On February 14, 2019, Valentine's Day, OpenAI released GPT-2 with a warning:

Our model, called GPT-2 (a successor to GPT), was trained simply to predict the next word in 40GB of Internet text. Due to our concerns about malicious applications of the technology, we are not releasing the trained model. As an experiment in responsible disclosure, we are instead releasing a much smaller model for researchers to experiment with, as well as a technical paper.

I've included a link to the blog in the Resources section at the end of this article. It's worth reading partly because it demonstrates a sample of what this software is capable of using the full model (see Figure 1 for a sample). We already have a problem with human-generated fake news; imagine a tireless machine capable of churning out vast quantities of news and posting it all over the internet, and you start to get a feel for the dangers. For that reason, OpenAI released a much smaller model to demonstrate its capabilities and to engage researchers and developers.

Go to Full Article

News briefs for July 12, 2019.

Google yesterday announced Docsy, a website theme for technical documentation. From the Google blog post: "Docsy builds on existing open source tools, like Hugo, and our experience with open source docs, providing a fast and easy way to stand up an OSS documentation website with features specifically designed to support technical documentation. Special features include everything from site navigation to multi-language support—with easy site deployment options provided by Hugo. We also created guidance on how to add additional pages, structure your documentation, and accept community contributions, all with the goal of letting you focus on creating great content."

Several KDE releases came this week. KDE Applications 19.04.3 was released yesterday. This release contains more than 60 bugfixes and translation updates. See the full changelog for details.

KDE Plasma 5.16.3 also was released. This update comes just two weeks after the 5.16 release and contains several bugfixes and new translations. See the full Changelog for specifics.

And, Kdenlive 19.04.3 was released today. This release contains a ton of fixes, including "fixing compositing and speed effect regressions, thumbnail display issues of clips in the timeline and many Windows fixes. You can get the AppImage from the download page.

Alpine Linux 3.10.1 has been released. See the git log for the full list of changes in this version of the security-oriented lightweight distro.

Valve has launched Steam Labs, which gives users a peek at new experiments in development. According to TechCrunch, "Valve is quick to point out that all of these experiments are just that—there's no promising that any of the stuff that hits the Labs will make it all the way to the official client. They also say that even 'Steam Labs is itself an experiment', which will probably change and evolve a bunch over time." The first three experiments on Steam Labs are Micro Trailers, Interactive Recommender and Automatic Show.

News Google Docsy KDE Plasma Alpine Linux

by Joey Bernard

In this article, I want to look at a GIS option available for Linux—specifically, a program called SAGA (System for Automated Geoscientific Analyses). SAGA was developed at the Department of Physical Geography in Germany. It is built with a plugin module architecture, where various functions are provided by individual modules. A very complete API is available to allow users to extend SAGA's functionality with newly written modules. I take a very cursory look at SAGA here and describe a few things you might want to do with it.

Installing SAGA should be as easy as looking at the software repository for your favourite distribution. For Debian-based distros, you can install it with the command:

sudo apt-get install saga

When you first start it, you get a blank workspace where you can begin your project.

Figure 1. SAGA starts up with a central project window, several tool panes on the left and console messages at the bottom.

Two major categories of data sets are available that you can use within your projects: satellite imagery and terrain data. The tutorial website provides detailed walk-throughs that show how you can get access to these types of data sets for use in your own projects. The tutorial website also has sections on some of the processing tools available for doing more detailed analysis.

SAGA understands several data file formats. The typical ones used in GIS, like SHP files or point clouds, are the default options in the file selector window. You can work with these types of data, or satellite imagery or terrain data.

Let's start by looking at terrain analysis in SAGA. You'll need digital elevation data, in DEM format, which is available from the SRTM Tile Grabber site. You will get a zip file for each region you select, and these zip files contain geotiff files for the selected regions.

Load the geotiff file by clicking File→Open. By default, it will show only the common project file formats. To locate your downloaded geotiff files, you'll need to change the filter at the bottom of the file selector window to be all files. Once it is loaded, it will show up in the list of data sources in the bottom-left window pane.

Figure 2. You can load data sources, such as geotiffs, into your project.

Go to Full Article

News briefs for July 11, 2019.

The Electronic Frontier Foundation is celebrating its 29th birthday "by building a future where tech respects and empowers users". From now until July 24, 2019, the EFF is offering a $20 membership, which includes a set of limited-edition enamel pins. (Note also that the EFF is a US 501(c)(3) nonprofit, so contributions are tax-deductible as allowed by law.)

Linode yesterday launched new GPU-optimized cloud computing instances, specifically for developers and business that need massive parallel computational power. From the press release: "The new instances are built on NVIDIA Quadro RTX 6000 GPU cards with all three major types of processing cores (CUDA, Tensor, and Real-Time Ray Tracing) available to users. Linode is one of the first cloud providers to deploy NVIDIA's latest GPU architecture." For more information, see linode.com.

Syncthing 1.2.0 was released recently. Linux Uprising reports that this version of the open-source peer-to-peer synchronization tool "adds QUIC with NAT traversal as a new transport protocol, fixes some bugs and enables automatic error reporting." The article notes Syncthing's emphasis on privacy: "None of your data is ever store anywhere else other than your own computers (no central server); all communication is secured using TSL and authenticated using a strong cryptographic certificate. Basically, it can replace Dropbox and other similar services with something decentralized, where your data is your data alone." Go here to download.

Kali Linux for Raspberry Pi 4 was released recently, "complete with on-board wifi monitor mode & frame injection support!" You can download it from the Kali Linux ARM Images page. Currently there is support only for 32-bit, but 64-bit is coming soon.

GNOME developers plan to disable the Snap plugin for GNOME Software, as Canonical has started creating its own Snap Store and won't be using GNOME Software in Ubuntu 20.04 LTS. According to Phoronix, "Canonical's in-development Snap Store will obviously be focused just on their own Snap effort and not supporting the likes of Flatpak. Due to the likelihood that the GNOME Software Snap plug-in will quickly suffer from bit-rot and pose a maintenance burden to GNOME developers with little to no return, it's certainly reasonable that they would at least disable this plug-in."

News eff Linode Syncthing Kali Linux Raspberry Pi GNOME Canonical

by Mirza Krak

Introducing the Yocto Project and the benefits of using it in embedded Linux development.

In embedded Linux development, there are two approaches when it comes to what operating system to run on your device. You either build your own distribution (with tools such as Yocto/OpenEmbedded-Core, Buildroot and so on), or you use a binary distribution where Debian and derivatives are common.

It's common to start out with a binary distribution. This is a natural approach, because it's a familiar environment for most people who have used Linux on a PC. All the commodities are in place, and someone else has created the distribution image for you to download. There normally are custom vendor images for specific hardware that contain optimizations to make it easy to get started to utilize your hardware fully.

Any package imaginable is an apt install command away. This, of course, makes it suitable for prototyping and evaluation, giving you a head start in developing your application and your product. In some cases, you even might ship pre-series devices using this setup to evaluate your idea and product further. This is referred to as the "golden image" approach and involves the following steps:

1. Flash the downloaded Debian image to an SD card.
2. Boot the SD card, log in and make any modifications needed (for example, installing custom applications). Once all the modifications are complete, this becomes your golden image.
3. Duplicate the SD card into an image on your workstation (for example, using dd).
4. Flash the "golden image" to a fleet of devices.

And every time you need to make a change, you just repeat steps 2–4, with one change—that is, you boot the already saved "golden image" in step 2 instead of the "vanilla" image.

At a certain point, the approach of downloading a pre-built distribution image and applying changes to it manually will become a problem, as it does not scale well and is error-prone due to the amount of manual labor that can lead to inconsistent output. The optimization would be to find ways to automate this, generating distribution images that contain your applications and your configuration in a reproducible way.

This is a crossroad where you decide either to stick with a binary distribution or move your idea and the result of the evaluation and prototyping phase to a tool that's able to generate custom distributions and images in a reproducible and automated way.

Go to Full Article

News briefs for July 10, 2019.

Samba 4.11.0rc1 was released yesterday. Note that this release is for testing purposes only and not intended for production. New features include default samba process model, authentication logging, LDAP referrals, Bind9 logging, samba-tool improvements and much more. See the full Release Notes for more information, and go here to download the source code.

Mozilla released the latest Firefox update for iOS and Desktop. Highlights of Firefox 68.0esr include blackout shades for Firefox Reader View, Firefox Recommended Extensions (a curated "list of recommended extensions that have been thoroughly reviewed for security, usability and usefulness"), more customization for IT Pros and more. See the Release Notes for more details.

SPI board elections coming soon. The announcement notes there are three seats available for the Software in the Public Interest board, each for a three-year term: President and two General board member seats. Nominations are open now and end July 15th, 2019. Voting begins July 17th and ends July 30th, and the results will be announced on July 31st. From the announcement: "The ideal candidate will have an existing involvement in the Free and Open Source community, though this need not be with a project affiliated with SPI."

Microsoft has been admitted to the closed linux-distro list. ZDNet reports that "Microsoft wanted in because, while Windows sure isn't Linux, the company is, in fact, a Linux distributor. Sasha Levin, a Microsoft Linux kernel developer, pointed out Microsoft has several distro-like builds -- which are not derivative of an existing distribution—that are based on open-source components." The ZDNet article also noted that open-source security expert David A. Wheeler supported the decision as "the purpose of the list is to enable 'everyone to coordinate so that users get fixes.' That includes Linux users on Windows and Azure. So, he supported Microsoft being allowed into the private list."

SoftMaker FreeOffice now includes the Anniversary update. This new version has many new features for the TextMaker word processor and spreadsheets, and improved user-friendliness. See the press release for details on the office suite's update, and go here to download.

News Samba Mozilla Firefox SPI Microsoft Security FreeOffice SoftMaker office suite

by Zack Brown

Mike Rapoport from IBM launched a bid to implement address space isolation in the Linux kernel. Address space isolation emanates from the idea of virtual memory—where the system maps all its hardware devices' memory addresses into a clean virtual space so that they all appear to be one smooth range of available RAM. A system that implements virtual memory also can create isolated address spaces that are available only to part of the system or to certain processes.

The idea, as Mike expressed it, is that if hostile users find themselves in an isolated address space, even if they find bugs in the kernel that might be exploited to gain control of the system, the system they would gain control over would be just that tiny area of RAM to which they had access. So they might be able to mess up their own local user, but not any other users on the system, nor would they be able to gain access to root level infrastructure.

In fact, Mike posted patches to implement an element of this idea, called System Call Isolation (SCI). This would cause system calls to each run in their own isolated address space. So if, somehow, an attacker were able to modify the return values stored in the stack, there would be no useful location to which to return.

His approach was relatively straightforward. The kernel already maintains a "symbol table" with the addresses of all its functions. Mike's patches would make sure that any return addresses that popped off the stack corresponded to entries in the symbol table. And since "attacks are all about jumping to gadget code which is effectively in the middle of real functions, the jumps they induce are to code that doesn't have an external symbol, so it should mostly detect when they happen."

The problem, he acknowledged, was that implementing this would have a speed hit. He saw no way to perform and enforce these checks without slowing down the kernel. For that reason, Mike said, "it should only be activated for processes or containers we know should be untrusted."

There was not much enthusiasm for this patch. As Jiri Kosina pointed out, Mike's code was incompatible with other security projects like retpolines, which tries to prevent certain types of data leaks falling into an attacker's hands.

There was no real discussion and no interest was expressed in the patch. The combination of the speed hit, the conflict with existing security projects, and the fact that it tried to secure against only hypothetical security holes and not actual flaws in the system, probably combined to make this patch set less interesting to kernel developers.

Go to Full Article