
LWN's Latest: An OpenSUSE 'Foundation', Security, Programming and Kernel (Linux)

Filed under: Development, Linux, SUSE
  • An openSUSE foundation proposal

    The idea of spinning openSUSE out into a foundation is not new; it has come up multiple times along the way. The most recent push started back in April at two separate board meetings where it was discussed. It picked up steam during a board meeting at the openSUSE Conference 2019 in late May. While waiting for the outcome from that meeting (though there was a panel session with the board [YouTube] at the conference where some of the thinking was discussed), the community discussed ideas for a name for the foundation (and, possibly, the project itself). Now, board member Simon Lees has posted a draft of the foundation proposal for review.

    The proposal outlines the current thinking of the board. It notes that the move to a foundation is not meant to pull away from SUSE, "but to add more capabilities to the openSUSE Project". In particular, having a separate entity will allow the project to "receive and provide sponsorships (in terms of money, hardware, or contracted services)". Currently, any kind of agreement between the project and some other organization has to be done via SUSE, which can complicate those efforts. The new foundation would be able to partner with others, receive donations, spend money, and sign contracts with venues, service providers, and the like, all on behalf of the openSUSE project.

    SUSE would clearly have a role in the new foundation; the board is requesting some funding to set up the organization as well as one or two people to help with the administrative side. The new foundation's board would take the place of the existing project board, with the same election rules as there are today (which results in a board of six, five elected from the members of the project and the chair appointed by SUSE).

    The board is looking at setting up a German Stiftung (foundation) as the legal entity for the new organization, though that was not clearly specified in the draft proposal. An eingetragener Verein (e. V.) was considered, but the structure of that type of entity is inflexible; in addition, the purpose of an e. V. could be changed if there were a "hostile takeover" at some point. Umbrella organizations (e.g. the Linux Foundation) and simply keeping things the same were also looked at, but were deemed unworkable for various reasons.

    There is also a handful of open questions, including logistical issues such as whether SUSE or the new foundation would own the IT infrastructure, trademarks, and so on, and who would be responsible (in a GDPR sense) for the project's data collection and storage. The biggest open issue is to create a charter for the foundation, which requires legal advice. The Document Foundation (TDF) is something of a model for what openSUSE is trying to achieve; it is also a Stiftung and shares some attributes with the proposed structure.

  • CVE-less vulnerabilities

    More bugs in free software are being found these days, which is good for many reasons, but there are some possible downsides to that as well. In addition, projects like OSS-Fuzz are finding lots of bugs in an automated fashion—many of which may be security relevant. The sheer number of bugs being reported is overwhelming many (most?) free-software projects, which simply do not have enough eyeballs to fix, or even triage, many of the reports they receive. A discussion about that is currently playing out on the oss-security mailing list.

  • C, Fortran, and single-character strings

    The calling interfaces between programming languages are, by their nature, ripe for misunderstandings; different languages can have subtly different ideas of how data should be passed around. Such misunderstandings often have the effect of making things break right away; these are quickly fixed. Others can persist for years or even decades before jumping out of the shadows and making things fail. A problem of the latter variety recently turned up in how some C programs are passing strings to Fortran subroutines, with unpleasant effects on widely used packages like LAPACK.

    The C language famously does not worry much about the length of strings, which simply extend until the null byte at the end. Fortran, though, likes to know the sizes of the strings it is dealing with. When strings are passed as arguments to functions or subroutines, the GCC Fortran argument-passing conventions state that the length of each string is to be appended to the list of arguments. 
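    As an added illustration of the convention described above (example code written for this page, not from LWN or from LAPACK; COPYUP is a hypothetical routine, and the callee is a C stand-in rather than real Fortran): a gfortran-style subroutine with its hidden trailing length arguments, and a C caller that supplies them correctly.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Stand-in (written in C for this example, not real Fortran) for a
 * gfortran-compiled subroutine declared as
 *     SUBROUTINE COPYUP(SIDE, TRANS, OUT)
 *     CHARACTER SIDE, TRANS
 *     CHARACTER*(*) OUT
 * Following the GCC Fortran convention the text describes, one hidden
 * length argument per CHARACTER dummy is appended, in declaration order,
 * after all visible arguments. The callee trusts those lengths and never
 * looks for a C NUL terminator. */
void copyup_(const char *side, const char *trans, char *out,
             size_t side_len, size_t trans_len, size_t out_len)
{
    size_t n = 0;
    for (size_t i = 0; i < side_len && n < out_len; i++)
        out[n++] = (char)toupper((unsigned char)side[i]);
    for (size_t i = 0; i < trans_len && n < out_len; i++)
        out[n++] = (char)toupper((unsigned char)trans[i]);
    while (n < out_len)          /* Fortran blank-pads; no terminator */
        out[n++] = ' ';
}

/* Correct C caller: each single-character actual argument is passed as
 * a pointer to one byte, and its length (1) is passed explicitly in the
 * hidden trailing positions. Returns 1 if the callee produced `expected`
 * (a constructed, blank-padded result string of the desired length). */
int copyup_matches(char side, char trans, const char *expected)
{
    char out[8];
    size_t out_len = strlen(expected);
    if (out_len > sizeof out)
        return 0;
    copyup_(&side, &trans, out, 1, 1, out_len);
    return memcmp(out, expected, out_len) == 0;
}

/* Shows why the hidden length matters: the actual argument is the
 * two-byte string "lx", but a declared length of 1 makes the callee
 * read only 'l'. Returns 1 when exactly one byte of SIDE was used. */
int length_limits_read(void)
{
    const char side[] = "lx";
    const char trans[] = "n";
    char out[3];
    copyup_(side, trans, out, 1, 1, sizeof out);
    return out[0] == 'L' && out[1] == 'N' && out[2] == ' ';
}
```

    A C caller that omits the trailing lengths leaves the callee reading whatever happens to be in those argument slots, which is the class of mismatch the article goes on to describe.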

  • Statistics from the 5.2 kernel — and before

    As of this writing, just over 13,600 non-merge changesets have been pulled into the mainline repository for the 5.2 development cycle. The time has come, once again, for a look at where that work came from and who supported it. There are some unique aspects to 5.2 that have thrown off some of the usual numbers.

    1,716 developers contributed changes for the 5.2 kernel, 245 of whom made their first contribution during this cycle. Those 1,716 developers removed nearly 490,000 lines of code, which is a lot, but the addition of 596,000 new lines of code means that the kernel still grew by 106,000 lines.

  • Lockdown as a security module

    Technologies like UEFI secure boot are intended to guarantee that a locked-down system is running the software intended by its owner (for a definition of "owner" as "whoever holds the signing key recognized by the firmware"). That guarantee is hard to uphold, though, if a program run on the system in question is able to modify the running kernel somehow. Thus, proponents of secure-boot technologies have been trying for years to provide the ability to lock down many types of kernel functionality on secure systems. The latest attempt posted by Matthew Garrett, at an eyebrow-raising version 34, tries to address previous concerns by putting lockdown under the control of a Linux security module (LSM).

    The lockdown patches have a long and controversial history; LWN first wrote about them in 2012. Opposition has come at all kinds of levels; some developers see lockdown as a way of taking control of systems away from their owners, while others see it as ultimately useless security theater. There does appear to be some value, though, in making a system as resistant to compromise as possible, so these patches have persisted and are often shipped by distributors. Disagreement over more recent versions of the lockdown patch set was focused on details like whether lockdown should be tied to the presence of secure boot or integrated with the integrity-measurement infrastructure.

    One outcome from the most recent discussion was a concern that the lockdown patches were wiring too much policy into the kernel itself. The kernel has long had a mechanism for pushing security-policy decisions out to user space — the security-module mechanism. So it arguably makes sense to move lockdown decision-making into an LSM; that is indeed what the more recent versions of the patch set do.

    First, though, there is the problem of initialization. LSMs exist to apply policies to actions taken by user space, so as long as the LSM infrastructure is running by the time user space starts, everything is fine. Lockdown, though, must act earlier: it needs to be able to block the action of certain types of command-line parameters and must be functional even before a security policy can be loaded. So the patch set starts by creating a new type of "early security module" that is initialized toward the beginning of the boot process. At this point, the module can't do much — even basic amenities like kmalloc() are not available — but it's enough to register its hooks and take control.

More in Tux Machines

Video and Audio: Neptune OS 6.0, Test and Code, GNU World Order, Coder Radio and This Week in Linux

  • Neptune OS 6.0 Run Through

    In this video, we are looking at Neptune OS 6.0. Enjoy!

  • Test and Code: 84: CircuitPython - Scott Shawcroft

    The combination of Python's ease of use and Adafruit's super cool hardware and a focus on a successful beginner experience makes learning to write code that controls hardware super fun. In this episode, Scott Shawcroft, the project lead, talks about the past, present, and future of CircuitPython, and discusses the focus on the beginner. We also discuss contributing to the project, testing CircuitPython, and many of the cool projects and hardware boards that can use CircuitPython, and Blinka, a library to allow you to use "CircuitPython APIs for non-CircuitPython versions of Python such as CPython on Linux and MicroPython," including Raspberry Pi.

  • GNU World Order 13x34
  • Absurd Abstractions | Coder Radio 371

    It’s a Coder Radio special all about abstraction: what it is, why we need it, and what to do when it leaks. Plus your feedback, Mike’s next language challenge, and a functional Ruby pick.

  • KDE Apps 19.08, KNOPPIX, System76, Slackware, Huawei, EndeavourOS, Dreamcast | This Week in Linux 79

    On this episode of This Week in Linux, KDE announced their latest big release of their Application Suite with dozens of new app updates. We got some Distro news to talk about with KNOPPIX, Slackware, EndeavourOS and Neptune Linux. System76 announced some really cool news with their new Graphical Firmware Manager tool.

Games: Underworld Ascendant, Dark Envoy and Elite Dangerous

  • Underworld Ascendant's Linux port has now been released

    Get ready to dungeon crawl! After many delays, the sequel to the classic Ultima Underworld games has finally seen a Linux release.

  • Event Horizon (Tower of Time) show off the first gameplay from their next RPG Dark Envoy

    Ah, Gamescom has arrived, which means tons of games will be shown off over the next week. Event Horizon (the Tower of Time developer) are getting in on the action, showing off footage from their brand new RPG called Dark Envoy. For those who missed the previous article, it is already confirmed to be coming to Linux. To save you a click, when asked they said "We spent a considerable effort to make Tower of Time run well on Linux - so now, being more experienced with it, we also plan to release on Linux at the same time as PC launch."

  • Going where no Steam Play has gone before with Elite Dangerous

    What’s the one game keeping you a dual booter? Maybe it’s PUBG, or Rainbow Six: Siege? Maybe it used to be Overwatch? For me, that game was Elite Dangerous, and one year on from Proton’s release, I have a story to tell. There’s a certain “je ne sais quoi” about Elite Dangerous that I’ve never been able to put my finger on. It’s a game set in a scientifically modelled, full-scale replica of the whole Milky Way galaxy, and as with that setting, the game is truly vast, remarkably cold, and frequently incomprehensible. Yet, when playing Elite, I get the same feeling as when looking up at the stars on a dark and moonless night — my hungry soul is fed. Or it could just be space madness. Regardless, it’s a feeling that I like to dip into every once in a while, immerse myself in, and try not to drown.

Red Hat and Fedora: HPC, Ansible and More Flock Reports

  • HPC workloads in containers: Comparison of container run-times

    Recently, I worked on an interesting project to evaluate different container run-times for high-performance computing (HPC) clusters. HPC clusters are what we once knew as supercomputers. Today, instead of giant mainframes, they are hundreds, thousands, or tens of thousands of massively parallel systems. Since performance is critical, virtualization with tools like virtual machines or Docker containers was not realistic. The overhead was too much compared to bare metal.

  • A project manager's guide to Ansible

    For project managers, it's important to know that deploying Ansible will improve the effectiveness of a company's IT. Employees will spend less time trying to troubleshoot their own configuration, deployment, and provisioning. Ansible is designed to be a straightforward, reliable way to automate a network's IT tasks. Further, development teams can use the Ansible Tower to track applications from development to production. Ansible Tower includes everything from role-based access to graphical inventory management and enables teams to remain on the same page even with complex tasks. Ansible has a number of fantastic use cases and provides substantial productivity gains for both internal teams and the IT infrastructure as a whole. It's free, easy to use, and robust. By automating IT with Ansible, project managers will find that their teams can work more effectively without the burden of having to manage their own IT—and that IT works more smoothly overall.

  • Flock to Fedora '19

    I had a wonderful opportunity to go to Fedora’s annual contributor summit, Flock to Fedora in Budapest, Hungary. This is me penning down my takeaway from a week full of learning! [...] Apart from the talks, the conference outshone when it came to meeting mind-blowing developers. I got to know the most about Fedora and Red Hat through those interactions and it was a really pleasant experience. It was also super amazing to finally meet all the people I had been interacting with over the course of the internship in real life. My advice for any future Flock attendee would be to always make time to talk to people at Flock. Even I have a hard time interacting but the people are extremely nice and you get to learn a lot through those small interactions and end up making friends for a life time. Definitely taking back a tonne of memories, loads of pictures, and plethora of learning from this one week of experience.

  • Paul W. Frields: Flock 2019 in Budapest, Hungary.

    Last week I attended the Flock 2019 conference in Budapest, like many Fedora community members. There was a good mix of paid and volunteer community members at the event. That was nice to see, because I often worry about the overall aging of the community. Many people I know in Fedora have been with the project a long time. Over time, people’s lives change. Their jobs, family, or other circumstances move them in different directions. Sometimes this means they have less time for volunteer work, and they might not be active in a community like Fedora. So being able to refresh my view of who’s around and interested in an event like Flock was helpful. Also, at last year’s Flock in Dresden, after the first night of the conference, something I ate got the better of me — or I might have picked up a norovirus. I was out of commission for most of the remaining time, confined to my room to ride out whatever was ailing my gut. (It wasn’t pretty.) So I was glad this year also to be perfectly well, and able to attend the whole event. That was despite trying this terrible, terrible libation called ArchieMite, provided by my buddy Dennis Gilmore... [...] I also attended several sessions on Modularity. One of them was Merlin Mathesius’ presentation on tools for building modules. Merlin is on my team at Red Hat and I happened to know he hadn’t done a lot of public speaking. But you wouldn’t have guessed from his talk! It was well organized and logically presented. He gave a nice overview of how maintainers can use the available tools to build modules for community use. The Modularity group also held a discussion to hear about friction points with modularity. Much of the feedback lined up well with other inputs the group has received. We could solve some with better documentation and awareness. In some cases the tools could benefit from ease of use enhancements. In others, people were unaware of the difficult design decisions or choices that had to be made to produce a workable system. Fortunately there are some fixes on the way for tooling like the replacement for the so-called “Ursa Major” in Fedora. It allows normal packages to build against capabilities provided by modules.

Programming Leftovers

  • Excellent Free Books to Learn Groovy

    Apache Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities, for the Java platform aimed at improving developer productivity thanks to a concise, familiar and easy to learn syntax. It integrates seamlessly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming. It’s both a static and dynamic language with features similar to those of Python, Ruby, Perl, and Smalltalk. It can be used as both a programming language and a scripting language for the Java Platform.

  • Top 9 Django Concepts - Part 2 : 5 Mins

    I will be covering 3 Django concepts. For those who missed the first part of the 3-part series, you can head down to Top 9 Django Concepts - Part 1. The first concept is the essential Django commands that you will be using when developing in Django. The second is the choice between using a front-end web framework like Vue, React or Angular and using Django's existing template system to build the UI.

  • Get Current Date & Time in Python

    In this article, you will learn how the datetime module supplies classes for manipulating dates and times in both simple and complex ways.

  • RcppQuantuccia 0.0.3

    RcppQuantuccia brings the Quantuccia header-only subset / variant of QuantLib to R. At the current stage, it mostly offers date and calendaring functions. This release was triggered by some work CRAN is doing on updating C++ standards for code in the repository. Notably, under C++11 some constructs such as ptr_fun, bind1st, bind2nd, … are now deprecated, and CRAN prefers the code base to not issue such warnings (as e.g. now seen under clang++-9). So we updated the corresponding code in a good dozen or so places to the (more current and compliant) code from QuantLib itself.