Linux Journal


Why Smart Cards Are Smart

Wednesday 12th of June 2019 11:30:00 AM
by Kyle Rankin

If you use GPG keys, learn about the benefits to storing them on a smart card.

GPG has been around for a long time and is used to secure everything from your email to your software. If you want to send an email to someone and be sure that no one else can read or modify it, GPG signing and encryption are the main methods you'd use. Distributions use GPG to sign their packages, so you can feel confident that the ones you download and install from a package mirror have not been modified from their original state. Developers in many organizations follow the best practice of GPG-signing any code they commit to a repository. When developers sign their commits, other people can confirm that the changes that claim to come from a particular developer truly did. Web-based Git front ends like GitHub and GitLab let users upload their GPG public keys, so when they do commit signed code, the interface can display to everyone else that it has been verified.

Yet, all of the security ultimately comes down to the security of your private key. Once others have access to your private key, they can perform all of the same GPG tasks as though they were you. This is why you are prompted to enter a passphrase when you first set up a GPG key. The idea is that if attackers are able to copy your key, they still would need to guess your password before they could use the key. For all of the importance of GPG key security, many people still just leave their keys in ~/.gnupg directories on their filesystem and copy that directory over to any systems where they need to use GPG.

There is a better way. With OpenPGP smart cards, you can store your keys on a secure device that's protected with a PIN and not only store your keys more securely, but also use them more conveniently. Although some laptops come with integrated smart card readers, most don't. Thankfully, these devices are available as part of multi-function USB security token devices from a number of different vendors, and Linux Journal has published reviews of such products in the past. In this article, I discuss all the reasons OpenPGP smart cards are a better choice for storing your keys than your local filesystem.

Reason 1: Tamper-proof Key Storage

One of the main benefits of a smart card is that it stores your GPG keys securely. When you store your keys on a filesystem, anyone who can access that filesystem can copy off the keys. On a smart card, once keys go in, they never leave, neither accidentally nor from tampering. The smart card chips themselves are designed to be tamper-proof and resist attempts to extract key data even when someone has physical access. By putting keys on a smart card, you can have a reasonable assurance that your keys are safe, even from a determined attacker.


MariaDB Enterprise Server 10.4 Now Available, Pulumi Announces Pulumi Crosswalk for AWS, KDE Launches Plasma 5.16, IBM Announces Its List of Women Pioneers for AI in Business and Microway Provides Clemson University with an NVIDIA DGX-2 Supercomputer

Tuesday 11th of June 2019 01:18:43 PM

News briefs for June 10, 2019.

MariaDB today announces the release of MariaDB Enterprise Server 10.4, "code-named 'Restful Nights' for the peace of mind it brings enterprise customers". The press release notes that this version "is a new, hardened and secured Server (different from MariaDB Community Server aka MariaDB Server) and has never been available before. MariaDB Enterprise Server 10.4 includes features not available in the community version that are focused on solving enterprise customer needs, providing them with greater reliability, stability and long-term support in production environments."

Pulumi today announces the availability of Pulumi Crosswalk for Amazon Web Services, "an open source framework that streamlines defining and deploying modern AWS applications and infrastructure with built-in AWS Best Practices. Using Pulumi Crosswalk, cloud engineers -- including developers, operators and teams -- are able to use familiar programming languages and tools to take ideas to production more productively and safely while bypassing many of the traditional barriers to modern cloud engineering." Go here to learn more about Pulumi Crosswalk and try it for free.

KDE today launches the latest version of its desktop environment, Plasma 5.16. This release features many changes: a completely rewritten notification system including a Do Not Disturb Mode, greatly improved themes, modernized widgets, and an icon that now appears in the system tray to warn you when any app accesses your microphone. In addition, "Plasma 5.16 is also spectacular to look at, with our new wallpaper called Ice Cold. Designed by Santiago Cézar, it is the winner of a contest with more than 150 entries." See the Release Announcement and Complete Changelog for all the details.

IBM today announces the first recipients and list of global women leaders and pioneers in AI for business. From the press release: "The list recognizes and celebrates women across a variety of industries and geographies for pioneering the use of AI to advance their companies in areas such as innovation, growth, and transformation." Go here to learn more about the pioneering women in AI.

Microway announces it has provided an NVIDIA DGX-2 supercomputer to Clemson University. From the press release: "The system deploys with NVIDIA's Deep Learning software—and was ready to train models immediately after installation. DGX-2's NGC software stack was installed by Microway experts and supports all major AI frameworks as well as offers containers for a variety of HPC applications." At Clemson, the DGX-2 will "empower researchers in disciplines such as computational math, statistics, operations research, and mechanical and industrial engineering to analyze vast datasets with exceptional ease. Initial projects include research on medical imaging, drone control, autonomous driving, and ocean dynamics. The resource will be available to all faculty, staff, and students." For more information, see this post on Newsstand.


Securing the Kernel Stack

Tuesday 11th of June 2019 12:00:00 PM
by Zack Brown

The Linux kernel stack is a tempting target for attack. This is because the kernel needs to keep track of where it is. If a function gets called, which then calls another, which then calls another, the kernel needs to remember the order they were all called, so that each function can return to the function that called it. To do that, the kernel keeps a "stack" of values representing the history of its current context.

If an attacker manages to trick the kernel into thinking it should transfer execution to the wrong location, it's possible the attacker could run arbitrary code with root-level privileges. Once that happens, the attacker has won, and the computer is fully compromised. And, one way to trick the kernel this way is to modify the stack somehow, or make predictions about the stack, or take over programs that are located where the stack is pointing.

Protecting the kernel stack is crucial, and it's the subject of a lot of ongoing work. There are many approaches to making it difficult for attackers to do this or that little thing that would expose the kernel to being compromised.

Elena Reshetova is working on one such approach. She wants to randomize the kernel stack offset after every system call. Essentially, she wants to obscure the trail left by the stack, so attackers can't follow it or predict it. And, she recently posted some patches to accomplish this.

At the time of her post, no specific attacks were known to take advantage of the lack of randomness in the stack. So Elena was not trying to fix any particular security hole. Rather, she said, she wanted to eliminate any possible vector of attack that depended on knowing the order and locations of stack elements.

This is often how it goes—it's fine to cover up holes as they appear, but even better is to cover a whole region so that no further holes can be dug.

There was a lot of interest in Elena's patch, and various developers made suggestions about how much randomness she would need, and where she should find entropy for that randomness, and so on.

In general, Linus Torvalds prefers security patches to fix specific security problems. He's less enthusiastic about adding security to an area where there are no exploits. But in this case, he may feel that Elena's patch adds a level of security that wasn't there before.

Security is always such a nightmare. Often, a perfectly desirable feature may have to be abandoned, not because it's not useful, but because it creates an inherent insecurity. Microsoft's operating system and applications often have suffered from making the wrong decisions in those cases—choosing to implement a cool feature in spite of the fact that it could not be done securely. Linux, on the other hand, and the other open-source systems like FreeBSD, never make that mistake.


IPFire 2.23 - Core Update 132 Released with Important Security Fixes, Kernel 5.2-rc4 Is Out, Akraino Edge Stack Release 1.0 Is Now Available, KDE Announces Its Google Summer of Code Students and Google Assistant Now Works with Waze

Monday 10th of June 2019 02:02:01 PM

News briefs for June 10, 2019.

IPFire 2.23 - Core Update 132 was released recently. This update includes security fixes and improvements to help secure systems vulnerable to some recent problems with Intel processors, specifically RIDL, Fallout and ZombieLoad. From the release announcement: "Two new types of vulnerabilities have been found in Intel processors. They cannot be fixed unless the hardware is changed, but can be somewhat mitigated through some changes in the Linux kernel (4.14.120) and an update microcode (version 20190514). Both is shipped in this release. Additionally, to mitigate this bug which cannot be fixed at all, SMT is disabled by default on all affected processors which has significant performance impacts." In addition, this release includes a new GUI that shows you which attacks your hardware may be vulnerable to and whether mitigations are in place. Go here to download.

Linux kernel 5.2-rc4 was released on Saturday. Linus Torvalds writes, "We've had a fairly calm release so far, and on the whole that seems to hold. rc4 isn't smaller than rc3 was (it's a bit bigger), but rc3 was fairly small, so the size increase isn't all that worrisome. I do hope that we'll start actually shrinking now, though. The SPDX conversions do continue to stand out, and make the diffstat a bit noisy. They don't affect actual code, so it's not like we should have any issues with them, but it makes the patch statistics look a bit odd." See the LKML post for more information.

Akraino Edge Stack Release 1.0 is now available. Light Reading reports that "Akraino's premiere release unlocks the power of intelligent edge with deployable, self-certified blueprints for a diverse set of edge use cases." In addition, "Akraino R1 delivers the first iteration towards new levels of flexibility to scale edge cloud services quickly, maximize efficiency, and deliver high availability for deployed services. It delivers a deployable and fully functional edge stack for edge use cases ranging from Industrial IoT, Telco 5G Core & vRAN, uCPE, SDWAN, edge media processing, and carrier edge media processing. As the premiere release, it opens doors to further enhancements and development to support edge infrastructure." For more information, go to

KDE announces its Google Summer of Code students for 2019. There are too many to list here, so see the announcement for the list of students and projects they are working on.

Google Assistant now can offer navigation suggestions in Waze for Android users, so you can report on traffic without needing to touch your screen. According to Engadget, this feature is available only in the US for English at the moment.


Data in a Flash, Part III: NVMe over Fabrics Using TCP

Monday 10th of June 2019 11:00:00 AM
by Petros Koutoupis

A remote NVMe block device exported via an NVMe over Fabrics network using TCP.

Version 5.0 of the Linux kernel brought with it many wonderful features, one of which was the introduction of NVMe over Fabrics (NVMeoF) across native TCP. If you recall, in the previous part of this series ("Data in a Flash, Part II: Using NVMe Drives and Creating an NVMe over Fabrics Network"), I explained how to enable your NVMe network across RDMA (an Infiniband protocol) through a little method referred to as RDMA over Converged Ethernet (RoCE). As the name implies, it allows for the transfer of RDMA across a traditional Ethernet network. And although this works well, it introduces a bit of overhead (along with latencies). So when the 5.0 kernel introduced native TCP support for NVMe targets, it simplified the procedure one needs to follow to configure the same network, as shown in my last article, and it also made accessing the remote NVMe drive faster.

Software Requirements

To continue with this tutorial, you'll need to have a 5.0 Linux kernel or later installed, with the following modules built and inserted into the operating systems of both your initiator (the server importing the remote NVMe volume) and the target (the server exporting its local NVMe volume):


More specifically, you need the module to import the remote NVMe volume:


And the module to export a local NVMe volume:


Before continuing, make sure your physical (or virtual) machine is up to date. And once you verify that to be the case, make sure you are able to see all locally connected NVMe devices (which you'll export across your network):

$ cat /proc/partitions |grep -e nvme -e major
major minor  #blocks  name
 259        0 3907018584 nvme2n1
 259        1 3907018584 nvme3n1
 259        2 3907018584 nvme0n1
 259        3 3907018584 nvme1n1

If you don't see any connected NVMe devices, make sure the kernel module is loaded:

petros@ubu-nvme1:~$ lsmod|grep nvme
nvme                   32768  0
nvme_core              61440  1 nvme

The following modules need to be loaded on the initiator:

$ sudo modprobe nvme
$ sudo modprobe nvme-tcp

And, the following modules need to be loaded on the target:


Episode 20: Advertising is Broken, but Linux Isn't.

Friday 7th of June 2019 03:51:33 PM
Reality 2.0 - Episode 20: Advertising is Broken, but Linux Isn't.

Katherine Druckman and Doc Searls talk to Don Marti, of Mozilla and formerly of Linux Journal, about ad technology, privacy, and the Linux community.


RHEL 7.7 Beta Is Now Available, Kdenlive 19.04.2 Is Out, Vampire: The Masquerade - Coteries of New York to Support Linux, IceWM 1.5.5 Released and the Document Foundation Announces New "What Can I Do for LibreOffice" Website

Friday 7th of June 2019 02:08:23 PM

News briefs for June 7, 2019.

Red Hat Enterprise Linux 7.7 beta is now available. This version is the final release in the Full Support Phase of RHEL 7 and includes many enhancements and bug fixes. Updates include support for the latest generation of enterprise hardware and remediation for the Microarchitectural Data Sampling (MDS)/ZombieLoad vulnerabilities. See the release notes for more details.

Kdenlive version 19.04.2 is out. Highlights of this release include 77 bug fixes as well as "fixes for compositing issues, misbehaving guides/markers and grouping inconsistencies". You can get the AppImage here.

Vampire: The Masquerade - Coteries of New York will support Linux. GamingOnLinux quotes developer Draw Distance who says the game will be a "unique, atmospheric, single-player narrative experience, set in a rich, fully licensed, globally recognized universe of Vampire: The Masquerade 5th Edition". It's scheduled to be released on Steam in Q4 2019.

IceWM 1.5.5 has been released. This version of the window manager contains many bug fixes and portability fixes. Other improvements include updated translations, new manual pages and updated documentation, new quickswitch, new hotkeys, new focus behavior and much more. See the GitHub page for more details.

The Document Foundation announces a new website, "What can I do for LibreOffice". From the announcement: "In 'What can I do for LibreOffice', visitors are asked what they're interested in, and pointed to resources to get started. So instead of large web pages with walls of text, visitors can click around and find something that catches their eyes. The website source is on Gerrit if anyone has suggestions for updates or additions, and the site can be translated too."


Digital Will, Part I: Requirements

Friday 7th of June 2019 12:30:00 PM
by Kyle Rankin

Digital assets are becoming as important as physical assets, so how do you manage them after you die?

When you lose a member of your family, you may find yourself at some point thinking about your own mortality, which then may lead you to think through preparations for your own death. I lost my father recently, but years before his death, he set up a will that described how to manage his estate, but he also made sure to share with me login details for his important financial accounts so I would have access when the time came. When the time did come to put his plans into practice, those details were invaluable.

All of this made me realize just how complicated it would be for someone to manage my own accounts in the event of my death, especially considering how much effort I've gone through to secure my computers and accounts. After all, unlike my dad, I don't use the same password for everything. What I realized I needed was the equivalent of a digital will: instructions and credentials so my next of kin had everything they needed to access my accounts and manage my affairs. In this first article of what will be a two-part series, I describe the requirements and plans to create a digital will in a way that would be manageable for my next of kin while also not negatively affecting the security of my accounts. The second part of the article will describe how I implemented these plans.

Defining Terms

This digital will is based on many of the ideas behind a traditional will, and I intend on borrowing a lot of the framework and terms instead of "re-inventing the will". To get started, let me define a few terms, but I should make it clear that I'm not an attorney, so these are just loose definitions to describe how some common terms used in a will might be applied to this digital will:


Zorin OS 15 Released, Canonical Issues Security Updates for All Supported Versions of Ubuntu Linux, New RCE Vulnerability Discovered Affecting Email Servers, Khadas VIM3 Launching Soon and Krita's Digital Atelier on Sale

Thursday 6th of June 2019 01:47:23 PM

News briefs for June 6, 2019.

Zorin OS 15 has been released. From the announcement for this new major version: "Every aspect of the user experience has been re-considered and refined in this new release, from how apps are installed, to how you get work done, to how it interacts with the devices around you. The result is a desktop experience that combines the most powerful desktop technology with the most user-friendly design." Go here to download.

Canonical yesterday released important security updates for all supported versions of Ubuntu Linux. Update immediately if you haven't done so already. According to Softpedia News, "If you're using Ubuntu, you must update the kernel as soon as possible to patch these security issues. The new Linux kernel versions are linux-image 5.0.0-16.17 for Ubuntu 19.04, linux-image 4.18.0-21.22 for Ubuntu 18.10, linux-image 4.15.0-51.55 for Ubuntu 18.04 LTS, linux-image 4.4.0-150.176 for Ubuntu 16.04 LTS, linux-image 4.18.0-21.22~18.04.1 for Ubuntu 18.04.2 LTS, and linux-image 4.15.0-51.55~16.04.1 for Ubuntu 16.04.6 LTS."

A new RCE (remote command execution) vulnerability is affecting almost half of the internet's email servers. ZDNet reports that the Qualys security firm "found a very dangerous vulnerability in Exim installations running versions 4.87 to 4.91. The vulnerability is described as a remote command execution—different, but just as dangerous as a remote code execution flaw—that lets a local or remote attacker run commands on the Exim server as root."

The Khadas VIM3, an Amlogic S922X-powered Raspberry Pi-competitor, is launching on June 24. According to Notebook Check, the Khadas VIM3 will run Android 9.0 Pie, LibreELEC or Ubuntu. The company will initially launch two boards, the Basic and Pro, for $69.99 and $99.99, respectively. In addition, "Khadas has also integrated a neural processing unit (NPU), which it claims can process up to 2.5 tera operations per second (TOPS). The company has revealed the back of the board too, which houses the microSD card slot, MIPI CSI camera connector, along with the MIPI DSI and TP connectors for linking the VIM3 with an external monitor."

To celebrate its new release, Krita is offering "a 50% off sale of Digital Atelier, Ramon Miranda's painterly brushes and tutorials pack for the rest of this month!" Digital Atelier includes more than 50 new brush presets, more than 30 new brush tips, new patterns and surfaces, and almost two hours of video tutorial. You can get Digital Atelier in the Krita shop.


Linux's Broadening Foundation

Thursday 6th of June 2019 11:30:00 AM
by Doc Searls

It's time to embrace 5G, starting with the Edge in our homes and hands.

In June 1997, David Isenberg, then of AT&T Labs Research, wrote a landmark paper titled "Rise of the Stupid Network". You can still find it here. The paper argued against phone companies' intent to make their own systems smarter. He said the internet, which already was subsuming all the world's phone and cable TV company networks, was succeeding not by being smart, but by being stupid. By that, he meant the internet "was built for intelligence at the end-user's device, not in the network".

In a stupid network, he wrote, "the data is boss, bits are essentially free, and there is no assumption that the data is of a single data rate or data type." That approach worked because the internet's base protocol, TCP/IP, was as general-purpose as can be. It supported every possible use by not caring about any particular use or purpose. That meant it didn't care about data rates or types, billing or other selfish concerns of the smaller specialized networks it harnessed. Instead, the internet's only concern was connecting end points for any of those end points' purposes, over any intermediary networks, including all those specialized ones, without prejudice. That lack of prejudice is what we later called neutrality.

The academic term for the internet's content- and purpose-neutral design is end-to-end. That design was informed by "End-to-End Arguments in System Design", a paper by Jerome Saltzer, David P. Reed and David D. Clark, published in 1980. In 2003, David Weinberger and I later cited both papers in "World of Ends: What the Internet Is and How to Stop Mistaking It for Something Else". In it, we explained:

When Craig Burton describes the Net's stupid architecture as a hollow sphere comprised entirely of ends, he's painting a picture that gets at what's most remarkable about the Internet's architecture: Take the value out of the center and you enable an insane flowering of value among the connected end points. Because, of course, when every end is connected, each to each and each to all, the ends aren't endpoints at all.

And what do we ends do? Anything that can be done by anyone who wants to move bits around.


Chrome 75 Released, Website Retiring, LinuxGizmos Publishes Its Spring 2019 SBC Catalog, LibreOffice 6.3 Beta 1 Is Ready for Testing and Happy 15th to Phoronix

Wednesday 5th of June 2019 01:17:59 PM

News briefs for June 5, 2019.

Chrome 75 was released yesterday. ZDNet reports that "The vast majority of the new features and changes in Chrome 75 are centered around adding new internal APIs and updating existing features." The big new feature is "the addition of a hidden Reader Mode, similar to the one included with Firefox". See the changelog for more details.

The website, a stack-exchange-like place for people to report problems and help each other, is being retired. According to the post, the problems were "Nobody seemed to be searching whether their problems had already been discussed and maybe solved, so the same questions were being asked again and again. Nobody seemed to stay around and engage with the people who were trying to help them, and nobody seemed to stay around to help other people." The team is looking for a replacement, but isn't sure quite what that will be yet.

LinuxGizmos published its Spring 2019 catalog of SBCs. This latest catalog includes 125 community-backed Linux and Android SBCs with prices, features and a comparison spreadsheet. From the catalog intro, "Major new products this year include Google's i.MX8M driven Coral Dev Board and Nitrogen8M_Mini, as well as the dirt-cheap, Intel Cherry Trail based Atomic Pi. In the RK3399 world the Rock960 Model C and even cheaper Rock Pi 4 are forcing other RK3399 boards to cut prices. Also of note are the Amlogic S922X driven Odroid-N2 and the Allwinner H6-based Orange Pi 3 and Pine H64 Model B, among others."

LibreOffice 6.3 Beta 1 is out and ready for testing. The Document Foundation notes that since the 6.3 Alpha 1 release in November 2018, 683 commits have been submitted and 141 bugs fixed. See the release notes for details, and download from here. The final release of version 6.3 is scheduled for mid-August.

Phoronix turns 15 today. From Michael Larabel's post: "I started Phoronix for the poor Linux hardware support at the time and it's been an amazing turnaround since that point. No longer is it a battle of getting network devices or input devices working on Linux but now it's all a matter of maximizing the performance out of today's hardware on Linux and watching the amazing growth of Linux on servers, AI / deep learning, Android, Linux gaming, and embedded along with all other sorts of verticals. Each year it becomes more amazing to see what other hardware runs Linux as well as seeing where else the Phoronix Test Suite usage pops up next." Happy Birthday Phoronix!


Line Length Limits in the Kernel

Wednesday 5th of June 2019 12:00:00 PM
by Zack Brown

Periodically, the kernel developers debate something everyone generally takes for granted, such as the length of a line of text. Personally, I like lines of text to reach both sides of my screen—it's just a question of not wasting space.

Alastair D'Silva recently agreed with me. He felt that monitor sizes and screen resolution had gotten so big in recent years, that the kernel should start allowing more data onto a single line of text. It was simple pragmatism—more visible text means more opportunity to spot the bug in a data dump.

Alastair posted a patch to allow 64-byte line lengths, instead of the existing options of 16 bytes and 32 bytes. It was met with shock and dismay from Petr Mladek, who said that 64 bytes added up to more than 256 characters per line, which he doubted any human would find easy to read. He pointed out that the resolution needed to fit such long lines on the screen would be greater than standard hi-def. He also pointed out that there were probably many people without high-definition screens who worked on kernel development.

Alastair noted that regular users never would see this data anyway, and he added that putting the choice in the hands of the calling routine couldn't possibly be a bad thing. In fact, instead of 16-, 32- and 64-bytes, Alastair felt the true option should be any multiple of the groupsize variable.

There's very little chance that Alastair's patch will make it into the kernel. Linus Torvalds is very strict about making sure Linux development does not favor wealthy people. He wants developers working on ancient hardware to have the same benefits and capabilities as those working with the benefit of the latest gadgets.

Linus commented about seven years ago on the possibility of changing the maximum patch line length from 80 to 100 characters. At that time he said:

I think we should still keep it at 80 columns.

The problem is not the 80 columns, it's that damn patch-check script that warns about people *occasionally* going over 80 columns.

But usually it's better to have the *occasional* 80+ column line, than try to split it up. So we do have lines that are longer than 80 columns, but that's not because 100 columns is ok - it's because 80+ columns is better than the alternative.

So it's a trade-off. Thinking that there is a hard limit is the problem. And extending that hard limit (and thinking that it's 'ok' to be over 80 columns) is *also* a problem.

So no, 100-char columns are not ok.

Note: if you're mentioned above and want to post a response above the comment section, send a message with your response text to


Firefox Now Will Have Enhanced Tracking Protection On by Default, 5.0 Kernel Reaches End of Life, Apple Replacing Bash with zsh as Default Shell, IBM Announces Major Upgrade to Db2 and Oracle's Unbreakable Enterprise Kernel R5 Update 2 Is Now Available

Tuesday 4th of June 2019 02:01:05 PM

News briefs for June 4, 2019.

Mozilla today announces that the Firefox browser will now have Enhanced Tracking Protection on by default. From Chris Beard's blog post: "These protections work in the background, blocking third-parties from tracking your online activity while increasing the speed of the browser. We're offering privacy protections by default as you navigate the web because the business model of the web is broken, with more and more intrusive personal surveillance becoming the norm. While we hope that people's digital rights and freedoms will ultimately be guaranteed, we're here to help in the interim."

Greg Kroah-Hartman today announced the last maintenance update of kernel 5.0. From his LKML message: "I'm announcing the release of the 5.0.21 kernel. All users of the 5.0 kernel series must upgrade. Note, this is the LAST 5.0.y kernel to be released. It is now end-of-life. Please move to the 5.1.y kernel tree at this point in time."

Apple is replacing bash with zsh as the default shell in macOS Catalina. According to The Verge, "Starting with macOS Catalina, Macs will now use zsh as the default login shell and interactive shell across the operating system. All newly created user accounts in macOS Catalina will use zsh by default. Bash will still be available, but Apple is signaling that developers should start moving to zsh on macOS Mojave or earlier in anticipation of bash eventually going away in macOS."

IBM today announced a major upgrade to its Db2 database. According to the press release, among the many new features of Db2 version 11.5 "is built-in support for data science development. Through a series of newly-available drivers for multiple open source programming languages and frameworks, it will now be easier for developers to analyze and build machine learning models into applications using Db2. The enhancements are designed to help Db2 developers more easily write applications that require less management, are more resilient to outages, and help improve productivity." The press release also notes that "The supported languages include Go, Ruby, Python, PHP, Java, Node.js, Sequelize. In addition there is support for popular frameworks such as Visual Studio Code and Jupyter notebook. The latest drivers and code samples for each are available now at GitHub." Go here for more information on data and AI.

Oracle announces that the Unbreakable Enterprise Kernel Release 5 Update 2 is now available. UEK R5 Update 2 is based on the mainline kernel version 4.14.35 and has many new features and bug fixes. Highlights include filesystem and storage fixes, virtualization updates, driver updates and much more.

Facebook, Not Microsoft, Is the Main Threat to Open Source

Tuesday 4th of June 2019 01:24:19 PM
by Glyn Moody

In the future, Facebook won't be a social-media site.

Facebook is under a lot of scrutiny and pressure at the moment. It's accused of helping foreign actors to subvert elections by using ads and fake accounts to spread lies—in the US, for example—and of acting as a conduit for terrorism in New Zealand and elsewhere. There are calls to break up the company or at least to rein it in.

In an evident attempt to head off those moves, and to limit the damage that recent events have caused to Facebook's reputation, Mark Zuckerberg has been publishing some long, philosophical posts that attempt to address some of the main criticisms. In his most recent one, he calls for new regulation of the online world in four areas: harmful content, election integrity, privacy and data portability. The call for data portability mentions Facebook's support for the Data Transfer Project. That's clearly an attempt to counter accusations that Facebook is monopolistic and closed, and to burnish Facebook's reputation for supporting openness. Facebook does indeed use and support a large number of open-source programs, so to that extent, it's a fair claim.

Zuckerberg's previous post, from the beginning of March 2019, is much longer, and it outlines an important shift in how Facebook will work to what he calls "A Privacy-Focused Vision for Social Networking". Greater protection for privacy is certainly welcome. But, it would be naïve to think that Zuckerberg's post is simply about that. Once more, it is an attempt to head off a growing chorus of criticism—in this case, that Facebook undermines data protection. This is the key idea:

I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won't stick around forever.

The "From Mac to Linux" Issue

Monday 3rd of June 2019 03:00:00 PM
by Bryan Lunduke

What you are reading right now is a Linux magazine—with a focus on Apple computers running macOS. (Or MacOS. Or however Apple is doing the capitalization nowadays.)

I know, it's weird. It's extremely weird—like cats and dogs living together weird.

But we're not here to bash on Apple. Neither are we here to sing praises to those down in Cupertino.

The reality is, many within the Open Source and Free Software worlds do use Macintoshes—at least a portion of the time—and there are some unique challenges that pop up when you need to use both macOS and Linux on a regular basis. Likewise, many people have moved from Mac to Linux as part of their computing journey, and we'd like to offer some tips and ideas to help them out.

(And if we help a few Mac users feel a bit more confident in making the switch over to Linux? Well, that's just gravy on top.)

Never used a Macintosh before? There's some interesting technical tidbits held within these pages that might come in handy when interacting with co-workers that utilize a number of Mac-specific file types and programs. Or, at the very least, the various distinct differences between the platforms are sure to provide a bit of amusement. Who doesn't want to know how Mac filesystems work? You'll be the life of the party!

We kick everything off with a delightful tale we call "Hello Again, Linux" by a gentleman named Richard Mavis who recounts his own story of how he switched from Windows to Mac, then from Mac to Linux. He describes what hardware and software he used, what prompted his change, and how the entire experience went.

Then we get into the meat and potatoes of some of the more "Macintosh-y" things you can do from your Linux desktop.

We begin with "Accessing Those Old MacOS Volumes" by Linux Journal Editor at Large, Petros Koutoupis. In it, Petros walks through the process of how to mount (and read/write) Macintosh volumes (hard drives and so on) that were formatted with "Hierarchical File System Plus" (usually called "HFS+"). This process can be a royal pain in the posterior, so having it written down with step-by-step instructions is simply too handy for words.

Then I cover the various software and packages that allow Linux (and, to a lesser extent, some UNIX variants) to read and write some of the Mac-specific file types out there: DMG files, SIT files, ClarisWorks files and so on. I cover how to open them all, right on your Linux computer. No Mac required.

But let's say you're a Mac software developer. You've got a small mountain of code written in Objective-C using the Cocoa framework. Don't want to lose that massive investment in time and knowledge when you make the move to Linux? Petros Koutoupis provides an introduction to the free software re-implementation of Apple's closed-source frameworks in "Porting Mac OS Applications to Linux with GNUstep".

System76 Launching Reborn Gazelle Laptops, Red Hat Has Joined the Business Coalition for the Equality Act, Fedora Accepting Submissions for Fedora 31 Supplemental Wallpapers, Linux 5.2-rc3 Is Out and Creative Commons Introduces Its Summer of Code Students

Monday 3rd of June 2019 01:54:09 PM

News briefs for June 3, 2019.

System76 announces the rebirth of its Gazelle laptop line, offering the choice of Pop!_OS or Ubuntu as the OS. Beta News reports, "It comes with a 9th Gen Intel Core i7 by default, and you can choose between an NVIDIA GeForce GTX 1650 or 1660 Ti for graphics. There are two screen sizes available -- 15.3-inch and 17.3-inch. Regardless of the display you opt for, the resolution will be 1080p." See the full specs and sign up to be notified when the laptops are available (which should be sometime this month) here.

Red Hat today announced it has joined the Business Coalition for the Equality Act, "a group of leading U.S. employers supporting U.S. federal legislation that would provide the same basic protections to LGBTQ people as are provided to other protected groups under federal law." The Equality Act "creates clear, consistent protections to prohibit discrimination on the basis of sexual orientation and gender identity in employment. In addition, the bill provides protections from discrimination for LGBTQ people in a number of areas, including housing, credit, jury service, and public spaces and services."

Fedora is now accepting submissions for the Fedora 31 supplemental wallpapers. The design team will work with the community on 16 wallpapers that users can install along with the standard wallpapers. The post asks: "Please stay away to submit pictures of pets, especially cats." The deadline for submissions is July 26, 2019 at 23:59 UTC. The voting will begin August 1, 2019 and will run through August 16, 2019 at 23:59 UTC. See the post for instructions and past wallpaper images.

Linux 5.2-rc3 is out. Of this release, Linus Torvalds writes: "Hmm. Fairly calm week, and rc3 is almost exactly the same size as rc2 was. Which is a bit unusual - usually rc2 is calm, and then rc3 is when people have started finding problems and we get a more active week. But far be it for me to complain about a calm rc week, so I won't."

Creative Commons introduces its 2019 Summer of Code Students. See the Creative Commons blog post to learn more about the "five phenomenal students (representing three continents) who will be working on CC tech projects full-time over the summer".

Debian Announces Interns for Outreachy and Summer of Code, Unity Editor for Linux Now Available, DistroWatch Turns 18 Today, Google Announces New Privacy Protections for Chrome Extensions and KStars v3.2.3 Released

Friday 31st of May 2019 01:49:04 PM

News briefs for May 31, 2019.

Debian announces it has chosen seven interns—two people for Outreachy and five people for the Summer of Code. See the post for the list of interns and the projects they'll be working on.

Unity announces its Unity Editor for Linux, after years of offering an experimental Unity Editor for Linux. It's currently available as a preview for Ubuntu and CentOS, and it's expected to be fully supported by Unity 2019.3. You can get the latest builds from the Unity Hub, and feedback is welcome at the Unity for Linux Editor Forum.

DistroWatch is 18 today. It started as "a single page comparing a dozen Linux distributions in a table format, with major features and package versions". Today the database contains "a total of 899 operating systems of which nearly 300 are considered active". Happy Birthday DistroWatch!

Google yesterday announced new privacy protections for Chrome extensions as well as new rules for the Google Drive API and Drive third-party apps. According to ZDNet, "The new rules are part of what Google calls Project Strobe, an initiative to improve the privacy and security of users' data, which the company set in motion after discovering a serious bug in Google+ that exposed the personal details of over 500,000 users. Project Strobe's main mission is to limit the amount of data third-parties can access about Google users via the company's many services, APIs, and tools."

KStars v3.2.3 has been released. This is likely the last release of the v3.2.x series, with development beginning on 3.3.0 now. The release contains a few minor bug fixes and also some convenience fixes that users had requested. Go here to download KDE's KStars.

Hello Again, Linux

Friday 31st of May 2019 01:26:34 PM
by Richard Mavis

My first MacBook was the first computer I really loved, but I wasn't happy about the idea of buying a new one. I decided it's important to live your values and to support groups that value the things you do.

After ten years of faithful service, last year the time finally came to retire my MacBook. Not many laptops last ten years—not many companies produce a machine as durable and beautiful as Apple does—but, if one was available, I was willing to invest in a machine that might last me through the next ten years. A lot has changed in ten years—for Apple, for Linux and for myself—so I started looking around.

The Situation

Prior to 2006, I had used only Windows. Around that time, there was a lot of anxiety about its upcoming successor to Windows XP, which at the time was code-named Project Longhorn. My colleagues and I all were dreading it. So, rather than go through all that trouble, I switched to Linux.

However, my first experience with Linux was not great. Although 2006 was The Year of the Linux Desktop (I saw headlines on Digg proclaiming it almost every day), I quickly learned, right after wiping my brand-new laptop's hard drive to make way for Fedora, that maybe it wasn't quite The Year of the Linux Laptop. After a desperate and miserable weekend, I finally got my wireless card working, but that initial trauma left me leery. So, about a year later, when I decided to quit my job and try the digital nomad freelance thing, I bought a MacBook. A day spent hunting down driver files or recompiling my kernel was a day not making money. I needed the assurance and convenience Apple was selling. And it proved a great investment.

During the next decade, I dabbled with Linux. Every year seemed to be The Year of the Linux Desktop—the real one, at last—so on my desktop at work (freelancing wasn't fun for long), I installed Ubuntu, then Debian, then FreeBSD. An article in this journal introduced me to tiling window managers in general and DWM in particular. The first time I felt something like disappointment with my MacBook was after using DWM on Debian for the first time.

Through the years, as my MacBook's hardware failures became increasingly inconvenient, and as my personal preference in software shifted from big beautiful graphical applications to small command-line programs, Linux started to look much more appealing. And, Linux's hardware compatibility had expanded—companies had even started selling laptops with Linux already installed—so I felt reasonably sure I wouldn't need to waste another weekend struggling with a broken wireless connection or risk frying my monitor with a misconfigured Xorg.conf.

Dell Announces More Ubuntu-Based Precision Developer Edition Laptops, Mozilla's Alan Davidson Testifies on Internet Privacy, Canonical Announces the Release of Multipass 0.7.0 Beta, GParted Reaches 1.0 Milestone and New HiddenWasp Malware

Thursday 30th of May 2019 01:30:24 PM

News briefs for May 30, 2019.

Dell announces its Precision 5540, Precision 7540 and Precision 7740 developer edition laptops, the next in the line of Dell's Ubuntu-based Precision mobile workstations. From the announcement: "What started 5+ years ago as a blog post explaining how to get Ubuntu up and running on the Precision M3800 soon became a line of mobile workstations. With today's announcement, project Sputnik's Ubuntu-based mobile workstation line is now in its 4th generation. What's next for project Sputnik? Stay tuned..." See the announcement for specs and further details.

Mozilla's Alan Davidson, Vice President of Global Policy, Trust and Security, testified yesterday before the International Grand Committee on Big Data, Privacy and Democracy. Alan's testimony focused "on the need for better product design to protect privacy; getting privacy policy and regulation right; and the complexities of content policy issues. Against the backdrop of tech's numerous missteps over the last year, our mission-driven work is a clear alternative to much of what is wrong with the web today." See the Mozilla blog for more details, or read Alan's statement here.

Canonical yesterday announced the release of Multipass 0.7.0 beta. The announcement notes that "the big part is that we added a preview of VirtualBox support for Windows and macOS!" Highlights include improved concurrency, a new primary instance feature and more, along with several bug fixes. See the announcement for download links and how to provide feedback.

GParted (GNOME Partition Editor) has reached the 1.0 milestone after 15 years of development, now requiring gtkmm3 instead of gtkmm2. Softpedia News reports that this version features "support for the F2FS file system to read disk usage, grow, and check, the ability to enable online resizing of extended partitions, better refreshing of NTFS file systems, and port to Gtkmm 3 (GTK+3) and GNOME 3 yelp-tools." See the release notes for all the details.

Researchers have discovered a new strain of malware targeting Linux machines. According to ZDNet, it "appears to have been created by Chinese hackers and has been used as a means to remotely control infected systems. Named HiddenWasp, this malware is composed of a user-mode rootkit, a trojan, and an initial deployment script." The ZDNet article quotes Nacho Sanmillan, a security researcher at Intezer Labs: "Unfortunately, I don't know what is the initial infection vector. Based on our research, it seems most likely that this malware was used in compromised systems already controlled by the attacker."

KUnit and Assertions

Thursday 30th of May 2019 11:30:00 AM
by Zack Brown

KUnit has been seeing a lot of use and development recently. It's the kernel's new unit test system, introduced late last year by Brendan Higgins. Its goal is to enable maintainers and other developers to test discrete portions of kernel code in a reliable and reproducible way. This is distinct from various forms of testing that rely on the behavior of the system as a whole and, thus, do not necessarily always produce identical results.

Lately, Brendan has submitted patches to make KUnit work conveniently with "assertions". Assertions are like conditionals, but they're used in situations where only one possible condition should be true. It shouldn't be possible for an assertion to be false. And so if it is, the assertion triggers some kind of handler that the developer then uses to help debug the reasons behind the failure.

Unit tests and assertions are to some extent in opposition to each other—a unit test could trigger an assertion when the intention was to exercise the code being tested. Likewise, if a unit test does trigger an assertion, it could mean that the underlying assumptions made by the unit test can't be relied on, and so the test itself may not be valid.

In light of this, Brendan submitted code for KUnit to be able to break out of a given test, if it triggered an assertion. The idea behind this was that the assertion rendered the test invalid, and KUnit should waste no time, but proceed to the next test in the queue.

There was nothing particularly controversial in this plan. The controversial part came when Frank Rowand noticed that Brendan had included a call to BUG(), in the event that the unit test failed to abort when instructed to do so. That particular situation never should happen, so Brendan figured it didn't make much difference whether there was a call to BUG() in there or not.

But Frank said, "You will just annoy Linus if you submit this." He pointed out that the BUG() was a means to produce a kernel panic and hang the entire system. In Linux, this was virtually never an acceptable solution to any problem.

At first, Brendan just shrugged, since as he saw it, KUnit was part of the kernel's testing infrastructure and, thus, never would be used on a production system. It was strictly for developers only. And in that case, he reasoned, what difference would it make to have a BUG() here and there between friends? Not to mention the fact that, as he put it, the condition producing the call to BUG() never should arise.

More in Tux Machines

Raccoon – APK Downloader for Linux, MacOS, and Windows

We’ve covered APK stories before in articles like the one about F-Droid and Google Play Downloader, but never have we covered an app as cool as this one with a name inspired by the North American mammal, Raccoon. Raccoon is a free and modern open-source APK downloader application that enables you to safely download any Android app available on Google Play Store to your Linux, Windows, or Mac desktop. The incentive of Raccoon is to enable users to install Android apps without sending any kind of information to Google. It also works to store APK files locally, use a “Split APK” format, bypass application region restrictions, and aims to improve your phone’s battery life.

Games: MMO Path of Titans, Steam Play Milestone, Rocket Pass, Stay Safe: Labyrinth, OBS Studio

  • Try the first demo of the dino MMO Path of Titans, we have some testing keys to give away

    After Alderon Games' successful crowdfunding campaign on IndieGoGo for their dino-themed survival MMO Path of Titans, the developer reached out to gather more Linux testers. They've released a first demo and it's currently quite limited with the character creation ability the only thing possible. However, once a month they will be deploying a big new feature for it like the ability to run around, AI, quests and so on.

  • Steam Play passes six thousand Windows games playable on Linux, according to ProtonDB

    On the day of Steam Play hitting the big one year anniversary (August 21st), it seems another milestone has been reached in terms of compatibility. According to ProtonDB, the handy (but unofficial) tracking website, over six thousand games are now working. At time of writing, exactly 6,023 "games work" against the 9,134 total of games that currently have user reports to see if they run or not. That's quite an impressive number! It's worth noting though, that with little over nine thousand games currently reported, Steam does host well over thirty thousand so there's a huge amount that hasn't yet been tested. How about a question for you to answer in the comments: What does Steam Play mean to you? I'll start.

  • Rocket Pass 4 is coming to Rocket League on August 28th, with a new rally-inspired Battle-Car

    The fourth Rocket Pass is due to arrive in Rocket League soon, along with the start of Competitive Season 12. For those of you wanting to rank up and ensure you get the best rewards possible, Season 11 is ending really soon on August 27th. A day later, Rocket Pass 4 is going to be released.

  • Roguelike Stay Safe: Labyrinth of the Mad now has a Linux beta, sounds quite unique

    Stay Safe: Labyrinth of the Mad from Yellowcake Games is a roguelike with plenty of random generation, including an interesting way of generating the world. When starting a new game, the developer said you can use files on your PC or a combination of keyboard/gamepad button presses to generate the dungeon, items and gems. That's not all that makes it somewhat unique, there's also another feature where you will come across a copy of other players. It's a single-player game, so you're not directly facing other people only a shadow of what they had. Although that feature is entirely optional.

  • OBS Studio has a fresh release candidate available for a major new version

    OBS Studio, the free and open source video livestreaming and recording software is my one and only stop for video capturing and it continues to mature. The upcoming 24.0 release has a first release candidate now available and it has some fun new features. For starters, you can now actually pause recordings to easily cut away parts you know you don't need. I've tested that and it works perfectly. It does need you to have separated encoders for streaming and recording though, so you can't have the recording encoder set to "same as stream".

LWN: Spectre, Linux and Debian Development

  • Grand Schemozzle: Spectre continues to haunt

    The Spectre v1 hardware vulnerability is often characterized as allowing array bounds checks to be bypassed via speculative execution. While that is true, it is not the full extent of the shenanigans allowed by this particular class of vulnerabilities. For a demonstration of that fact, one need look no further than the "SWAPGS vulnerability" known as CVE-2019-1125 to the wider world or as "Grand Schemozzle" to the select group of developers who addressed it in the Linux kernel. Segments are mostly an architectural relic from the earliest days of x86; to a great extent, they did not survive into the 64-bit era. That said, a few segments still exist for specific tasks; these include FS and GS. The most common use for GS in current Linux systems is for thread-local or CPU-local storage; in the kernel, the GS segment points into the per-CPU data area. User space is allowed to make its own use of GS; the arch_prctl() system call can be used to change its value. As one might expect, the kernel needs to take care to use its own GS pointer rather than something that user space came up with. The x86 architecture obligingly provides an instruction, SWAPGS, to make that relatively easy. On entry into the kernel, a SWAPGS instruction will exchange the current GS segment pointer with a known value (which is kept in a model-specific register); executing SWAPGS again before returning to user space will restore the user-space value. Some carefully placed SWAPGS instructions will thus prevent the kernel from ever running with anything other than its own GS pointer. Or so one would think.

  • Long-term get_user_pages() and truncate(): solved at last?

    Technologies like RDMA benefit from the ability to map file-backed pages into memory. This benefit extends to persistent-memory devices, where the backing store for the file can be mapped directly without the need to go through the kernel's page cache. There is a fundamental conflict, though, between mapping a file's backing store directly and letting the filesystem code modify that file's on-disk layout, especially when the mapping is held in place for a long time (as RDMA is wont to do). The problem seems intractable, but there may yet be a solution in the form of this patch set (marked "V1,000,002") from Ira Weiny. The problems raised by the intersection of mapping a file (via get_user_pages()), persistent memory, and layout changes by the filesystem were the topic of a contentious session at the 2019 Linux Storage, Filesystem, and Memory-Management Summit. The core question can be reduced to this: what should happen if one process calls truncate() while another has an active get_user_pages() mapping that pins some or all of that file's pages? If the filesystem actually truncates the file while leaving the pages mapped, data corruption will certainly ensue. The options discussed in the session were to either fail the truncate() call or to revoke the mapping, causing the process that mapped the pages to receive a SIGBUS signal if it tries to access them afterward. There were passionate proponents for both options, and no conclusion was reached. Weiny's new patch set resolves the question by causing an operation like truncate() to fail if long-term mappings exist on the file in question. But it also requires user space to jump through some hoops before such mappings can be created in the first place. This approach comes from the conclusion that, in the real world, there is no rational use case where somebody might want to truncate a file that has been pinned into place for use with RDMA, so there is no reason to make that operation work. 
    There is ample reason, though, for preventing filesystem corruption and for informing an application that gets into such a situation that it has done something wrong.

  • Hardening the "file" utility for Debian

    In addition, he had already encountered problems with file running in environments with non-standard libraries that were loaded using the LD_PRELOAD environment variable. Those libraries can (and do) make system calls that the regular file binary does not make; the system calls were disallowed by the seccomp() filter. Building a Debian package often uses FakeRoot (or fakeroot) to run commands in a way that appears that they have root privileges for filesystem operations—without actually granting any extra privileges. That is done so that tarballs and the like can be created containing files with owners other than the user ID running the Debian packaging tools, for example. Fakeroot maintains a mapping of the "changes" made to owners, groups, and permissions for files so that it can report those to other tools that access them. It does so by interposing a library ahead of the GNU C library (glibc) to intercept file operations. In order to do its job, fakeroot spawns a daemon (faked) that is used to maintain the state of the changes that programs make inside of the fakeroot. The libfakeroot library that is loaded with LD_PRELOAD will then communicate to the daemon via either System V (sysv) interprocess communication (IPC) calls or by using TCP/IP. Biedl referred to a bug report in his message, where Helmut Grohne had reported a problem with running file inside a fakeroot.

Flameshot is a brilliant screenshot tool for Linux

The default screenshot tool in Ubuntu is alright for basic snips but if you want a really good one you need to install a third-party screenshot app. Shutter is probably my favorite, but I decided to give Flameshot a try. Packages are available for various distributions including Ubuntu, Arch, openSuse and Debian. You find installation instructions on the official project website.