date 2018-05-01

Libvirt, PHP, FFmpeg Updates Roll Out on Tumbleweed
The 1.4 version of kdeconnect-kde was updated in the most recent 20200127 snapshot. The version offers a new “KDE Connect” desktop app to control the phone from the PC and an SMS app that can read and write SMS texts. The newer version also offers compatibility with Xfce’s file manager Thunar. The third release candidate for LibreOffice requires Java 1.8 or newer with the libreoffice 6.4.0.3 package. Some core and curl bugs were fixed with php7 7.4.2, which included an Exif fix, and a handful of rubygem packages had minor version bumps. The snapshot is currently trending at a stable rating of 99, according to the Tumbleweed snapshot reviewer.
Snapshot 20200125 had a half dozen packages updated. GNU’s Utilities tool package for multi-lingual messaging, gettext-runtime 0.20.1, removed dynamic linker ldconfig and script builder autoreconf. GNU Multiple Precision Arithmetic Library has a new C++ function in the gmp 6.2.0 update and the new version provides better assembly code and greater speed for AMD Ryzen, Power9 and ARM 64-bit CPUs. An update to the authentication-related tool shadow 4.8 synced password field descriptions in man pages and migrated to ITS Tool for translations. The snapshot is currently trending at a stable rating of 99.
There’s a subtle difference between the Python identity operator (is) and the equality operator (==). Your code can run fine when you use the Python is operator to compare numbers, until it suddenly doesn’t. You might have heard somewhere that the Python is operator is faster than the == operator, or you may feel that it looks more Pythonic. However, it’s crucial to keep in mind that these operators don’t behave quite the same.
The == operator compares the value or equality of two objects, whereas the Python is operator checks whether two variables point to the same object in memory. In the vast majority of cases, this means you should use the equality operators == and !=, except when you’re comparing to None.
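The difference described above, as an added example that is not part of the quoted article. It goes one step beyond the excerpt by also showing why `is None` is the safe form; the class and function names are hypothetical, and the integer identity results rely on CPython's small-integer cache, which is an implementation detail.

```python
def compare(text):
    """Parse the same text twice and compare the two resulting ints."""
    # Parsing at run time avoids the compiler merging identical literals.
    a, b = int(text), int(text)
    return a == b, a is b


class AlwaysEqual:
    """Hypothetical object whose __eq__ claims equality with everything."""

    def __eq__(self, other):
        return True


def is_missing_eq(value):
    # Fragile: the answer is delegated to value.__eq__, which may lie.
    return value == None  # noqa: E711


def is_missing_is(value):
    # Robust: identity cannot be overridden by the object being tested.
    return value is None


def results():
    return {
        # CPython caches small ints, so both parses yield the same object.
        "small": compare("100"),
        # Larger values are separate objects: equal, but not identical.
        "large": compare("1000000"),
        "eq_none": is_missing_eq(AlwaysEqual()),
        "is_none": is_missing_is(AlwaysEqual()),
    }


if __name__ == "__main__":
    for name, value in results().items():
        print(name, value)
```

A check such as `user_id is admin_id` therefore passes in tests with small ids and fails in production with large ones, which is the "until it suddenly doesn't" case.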
Software has security issues, Python is software, so how do Python developers avoid common traps? In this webinar, Anthony Shaw discusses the topic of security vulnerabilities, how code quality tools can help, and demonstrates the PyCharm plugin he wrote to let the IDE help.
The next PyPy sprint will be in Leysin, Switzerland, for the fourteenth time. This is a fully public sprint: newcomers and topics other than those proposed below are welcome.
If you wish to develop your own BPF observability tools, start with bpftrace and only use BCC when needed. My BPF Performance Tools book has plenty of examples. This is the culmination of five years of work: the BPF kernel runtime, C support, LLVM and Clang support, the BCC front-end, and finally the bpftrace language. Starting with other interfaces is like writing your first Java program in JVM bytecode. You can...but if you're looking for an educational exercise, I'd recommend using BPF tools to find performance wins.
I’m very excited to announce a new addition to Anaconda’s product line — Anaconda Team Edition!
For the last few years, Anaconda has offered two products: our free Anaconda Distribution, meant for individual practitioners, and Anaconda Enterprise, our full-featured machine learning platform for the enterprise. This left a gap for many data scientists and developers who use Anaconda professionally, but whose companies either do not yet need a fully-featured machine learning platform, or are building their own solution.
But even for these companies, open-source data science and machine learning tools are largely undermanaged. There are thousands of open-source packages data scientists and developers could bring into an organization, unaware of potential security or licensing implications. Moreover, these packages have complex inter-dependencies and intricate build requirements, which are underserved by traditional IT OSS management solutions.
Many of our enterprise users have been asking for the convenience and security of mirroring Anaconda’s repository onto their own infrastructure, using an official facility rather than relying on our community-facing free services. This is why we are offering Anaconda Team Edition.
When you save a large file to disk or upload a large texture to your graphics card, you probably don't want your CPU to sit there spending an extended period of time copying data between system memory and the relevant peripheral - it could be doing something more useful instead. As a result, most hardware that deals with large quantities of data is capable of Direct Memory Access (or DMA). DMA-capable devices are able to access system memory directly without the aid of the CPU - the CPU simply tells the device which region of memory to copy and then leaves it to get on with things. However, we also need to get data back to system memory, so DMA is bidirectional. This means that DMA-capable devices are able to read and write directly to system memory.
As long as devices are entirely under the control of the OS, this seems fine. However, this isn't always true - there may be bugs, the device may be passed through to a guest VM (and so no longer under the control of the host OS) or the device may be running firmware that makes it actively malicious. The third is an important point here - while we usually think of DMA as something that has to be set up by the OS, at a technical level the transactions are initiated by the device. A device that's running hostile firmware is entirely capable of choosing what and where to DMA.
Most reasonably recent hardware includes an IOMMU to handle this. The CPU's MMU exists to define which regions of memory a process can read or write - the IOMMU does the same but for external IO devices. An operating system that knows how to use the IOMMU can allocate specific regions of memory that a device can DMA to or from, and any attempt to access memory outside those regions will fail. This was originally intended to handle passing devices through to guests (the host can protect itself by restricting any DMA to memory belonging to the guest - if the guest tries to read or write to memory belonging to the host, the attempt will fail), but is just as relevant to preventing malicious devices from extracting secrets from your OS or even modifying the runtime state of the OS.
But setting things up in the OS isn't sufficient. If an attacker is able to trigger arbitrary DMA before the OS has started then they can tamper with the system firmware or your bootloader and modify the kernel before it even starts running. So ideally you want your firmware to set up the IOMMU before it even enables any external devices, and newer firmware should actually do this automatically. It sounds like the problem is solved.
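One way to check the OS-side half of this on a Linux host, as an added example that is not from the quoted post: it reads the sysfs IOMMU group layout and lists PCI devices that sit outside any group. The function names and the sample tree (including its PCI addresses) are constructed for illustration.

```python
import os
import tempfile


def iommu_report(sysfs_root="/sys"):
    """Return which PCI devices the OS has placed in an IOMMU group."""
    groups_dir = os.path.join(sysfs_root, "kernel", "iommu_groups")
    pci_dir = os.path.join(sysfs_root, "bus", "pci", "devices")
    groups = {}
    if os.path.isdir(groups_dir):
        for group in os.listdir(groups_dir):
            dev_dir = os.path.join(groups_dir, group, "devices")
            if os.path.isdir(dev_dir):
                groups[group] = sorted(os.listdir(dev_dir))
    grouped = {dev for devs in groups.values() for dev in devs}
    pci = sorted(os.listdir(pci_dir)) if os.path.isdir(pci_dir) else []
    return {
        "iommu_active": bool(grouped),
        "groups": groups,
        "ungrouped_pci": [d for d in pci if d not in grouped],
    }


def build_sample_tree(root, with_iommu):
    """Constructed sysfs-like tree for offline runs; addresses are made up."""
    devices = ["0000:00:14.0", "0000:01:00.0", "0000:02:00.0"]
    for dev in devices:
        os.makedirs(os.path.join(root, "bus", "pci", "devices", dev))
    os.makedirs(os.path.join(root, "kernel", "iommu_groups"))
    if with_iommu:
        # Two devices share group 1: the IOMMU cannot isolate them from each other.
        layout = {"0": devices[:1], "1": devices[1:]}
        for group, members in layout.items():
            for dev in members:
                os.makedirs(os.path.join(root, "kernel", "iommu_groups", group, "devices", dev))
    return root


def demo():
    """Run the report against a tree with IOMMU groups and one without."""
    with tempfile.TemporaryDirectory() as on, tempfile.TemporaryDirectory() as off:
        return (iommu_report(build_sample_tree(on, True)),
                iommu_report(build_sample_tree(off, False)))


if __name__ == "__main__":
    print(iommu_report())  # inspect the real host
```

This reports only what the running kernel has configured; it says nothing about whether firmware enabled DMA protection before the OS started, which is the gap the paragraph above describes.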
My first interaction with the Ubuntu community was in March of 2005 when I put Ubuntu on an old Dell laptop and signed up for the Ubuntu Forums. This was just a few years into my tech career and I was mostly a Linux hobbyist, with a handful of junior systems administrator jobs on the side to do things like racking servers and installing Debian (with CDs!). Many of you with me on this journey have seen my role grow in the Ubuntu community with Debian packaging, local involvement with events and non-profits, participation in the Ubuntu Developer Summits, membership in the Ubuntu Community Council, and work on several Ubuntu books, from technical consultation to becoming an author on The Official Ubuntu Book.
These days I’ve taken my 15+ years of Linux Systems Administration and open source experience down a slightly different path: Working on Linux on the mainframe (IBM Z). The mainframe wasn’t on my radar a year ago, but as I got familiar with the technical aspects, the modernization efforts to incorporate DevOps principles, and the burgeoning open source efforts, I became fascinated with the platform.
As a result, I joined IBM last year to share my discoveries with the broader systems administration and developer communities. Ubuntu itself got on board with this mainframe journey with official support for the architecture (s390x) in Ubuntu 16.04, and today there’s a whole blog that gets into the technical details of features specific to Ubuntu on the mainframe: Ubuntu on Big Iron
I’m excited to share that I’ll be joining the author of the Ubuntu on Big Iron blog, Frank Heimes, live on February 6th for a webinar titled How to protect your data, applications, cryptography and OS – 100% of the time. I’ll be doing an introduction to the IBM Z architecture (including cool hardware pictures!) and general security topics around Linux on Z and LinuxONE.
Intel last night made public two more data leakage disclosures, which tie back to Zombieload and November's TAA issue.
As of writing no CPU microcode updates have been released for Linux users but as soon as that happens I'll begin with some tests for seeing any new performance overhead.
New Ubuntu 18.04 LTS kernel security update addresses 15 vulnerabilities in the Linux 5.0 kernel packages for various cloud systems.
