Debian Leftovers

• Debian LTS work, December 2017

• Markus Koschany: My Free Software Activities in December 2017

• TeX Live VCS History and Statistics – Perforce, Subversion, Git

  TeX Live is a project of long history, starting somewhen back in the 90ies with CDs distributed within user groups till the most recent net-based distribution and updates. Discussion about using a VCS started very early, in 1999. This blog recalls a bit of history of the VCS for TeX Live, and reports on the current status of the Subversion and Git (svn mirror) repositories.

• Meltdown and Spectre in Debian

  I'll assume everyone's already heard repeatedly about the Meltdown and Spectre security issues that affect many CPUs. If not, see meltdownattack.com. These primarily affect systems that run untrusted code - such as multi-tenant virtual hosting systems. Spectre is also a problem for web browsers with Javascript enabled.

• Are you a DD or DM doing source-only uploads to Debian out of a git repository?

  If you are a Debian Maintainer (DM) or Debian Developer (DD) doing source-only uploads to Debian for packages maintained in git, you are probably using some variation of the following...

OSS Leftovers

• Why isn't open source hot among computer science students?

  The technical savvy and inventive energy of young programmers is alive and well. This was clear from the diligent work that I witnessed while participating in this year’s PennApps, the nation’s largest college hackathon. Over the course of 48 hours, my high school- and college-age peers created projects ranging from a blink-based communication device for shut-in patients to a burrito maker with IoT connectivity. The spirit of open source was tangible throughout the event, as diverse groups bonded over a mutual desire to build, the free flow of ideas and tech know-how, fearless experimentation and rapid prototyping, and an overwhelming eagerness to participate. Why then, I wondered, wasn’t open source a hot topic among my tech geek peers? To learn more about what college students think when they hear "open source," I surveyed several college students who are members of the same professional computer science organization I belong to. All members of this community must apply during high school or college and are selected based on their computer science-specific achievements and leadership—whether that means leading a school robotics team, founding a nonprofit to bring coding into insufficiently funded classrooms, or some other worthy endeavor. Given these individuals’ accomplishments in computer science, I thought that their perspectives would help in understanding what young programmers find appealing (or unappealing) about open source projects.

• Blue Brain Nexus: An open-source knowledge graph for data-driven science

  EPFL's Blue Brain Project today announces the release of its open source software project 'Blue Brain Nexus', designed to enable the FAIR (Findable, Accessible, Interoperable, and Reusable) data management principles for the Neuroscience and broader scientific community. It is part of EPFL's open-science initiative, which seeks to maximize the reach and impact of research conducted at the school. The aim of the Blue Brain Project is to build accurate, biologically detailed, digital reconstructions and simulations of the rodent brain and, ultimately the human brain. Blue Brain Nexus is instrumental in supporting all stages of Blue Brain's data-driven modelling cycle including, but not limited to experimental data, single cell models, circuits, simulations and validations. The brain is a complex multi-level system and is one of the biggest 'Big Data' problems we have today. Therefore, Blue Brain Nexus has been built to organize, store and process exceptionally large volumes of data and support usage by a broad number of users.

• Devery.io – a Blockchain Powered, Open-Source, Product Verification Protocol

  Devery.io are developing the Devery Protocol, aiming to provide a decentralized verification platform enabling the marking and tracking of items over the Ethereum blockchain.

• What the Haven app shows us about the value of Open Source

  Christmas may have come a few days early this past December for security advocates with the introduction of the Haven app, bringing with it a fair amount of excitement, criticism, and an excellent opportunity to explore some of the less often discussed aspects of working with open source. For those who have been off of Twitter since the coverage started since Friday, the Haven app has been proposed as a solution for protecting your physical space from surveillance (or worse). Built for Android by the good folks over at the Guardian Project, the makers of great anonymity apps that help protect their users from surveillance, the app makes use of the phone’s sensors to detect intruders that might attempt to creep on your personal space.

• Jet Villegas: Turning a Corner in the New Year

  2017 was quite a year beyond the socio-economic, geo-political, and bizarre. I, and many of my colleagues did what we could: find solace in work. I’ve often found that in uncertain times, making forward progress on difficult technical projects provides just enough incentive to continue for a bit longer. With the successful release of Firefox 57, I’m again optimistic about the future for the technical work. The Firefox Layout Engine team has a lot to be proud of in the 57 version. The winning combination was shipping big-ticket investments, and grinding down on many very difficult bugs. Plan “A” all the way!

• Facebook has open-sourced encrypted group chat

  Facebook has responded to governments' criticism of cryptography by giving the world an open source encrypted group chat tool. It's hardly likely to endear the ad-farm to people like FBI Director Christopher Wray, who yesterday told an international infosec conference it was “ridiculous” that the Feds have seized nearly 8,000 phones they can't access. UK prime minister Theresa May has also called for backdoors in messaging services and for social networks to stop offering "safe spaces" for extremists.

• Open source code recycling: Know your software supply chain

  GNU/Linux was able to fill this gap, truly reshaping software design and development. Rather than writing and updating proprietary, foundational code, various developers working at varying companies or on their own could use and enhance the basic software building blocks, thereby focusing the majority of their resources on higher stack-level innovations. And, it worked.

Security: Updates, Apple, Microsoft, Intel, IBM and Linux

• Security updates for Wednesday

• Security Flaw in macOS 10.13 Lets App Store Preferences Access with Any Password

  Another major security flaw was discovered in Apple's macOS High Sierra 10.13 operating system, which lets anyone accessing the App Store preferences panel with any password if it's locked. First spotted by MacRumors, there's a bug report about an issue, discovered a couple of days ago by someone and reported on Open Radar, which lets anyone access the App Store panel in System Preferences with literally any password, if the padlock at the bottom left corner is closed and your Mac is unlocked. Usually, that padlock isn't locked, but its label says "Click the lock to prevent further changes" in the current version of macOS, a.k.a. High Sierra 10.13.2. Locking those settings should prevent someone from disabling automatic updates, as well as installing of new macOS versions, system data files, and security update.

• Microsoft: Be Ready For Significant Slowdown Of Your Old PC After Spectre Security Patches

• Intel Posts Updated Microcode Files For Linux

  In the wake of Meltdown and Spectre, Intel yesterday released new microcode binaries for Linux systems.

• Intel Releases Processor Microcode Patch for Linux OSes, Here's How to Update

• Updated Intel Microcode Not Causing Any Significant Performance Impact On Linux

• DragonFlyBSD Posts Initial Kernel Fix For Spectre

• Meltdown Fixes Will Slow Intel Computers -- Here's All The Proof You Need

• It’s not just Windows – Linux Ubuntu systems being bricked by Meltdown/Spectre patches, too

• Canonical Fixes Ubuntu 16.04 LTS Regression Causing Boot Failure on Some PCs

  Canonical has released on Wednesday a new Linux kernel update for Ubuntu 16.04 LTS (Xenial Xerus) operating system series to address a regression introduced with yesterday's security patch against the Meltdown vulnerability. On Tuesday, Canonical published multiple security notices to inform users of the Ubuntu 17.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 ESM operating systems that they can now patch their computers against the Meltdown security vulnerability affecting billions of devices.

• Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers

  Ubuntu Xenial 16.04 users who updated to receive the Meltdown and Spectre patches are reporting they are unable to boot their systems and have been forced to roll back to an earlier Linux kernel image. The issues were reported by a large number of users on the Ubuntu forums, Ubuntu's Launchpad bug tracker, and Reddit thread. Only Ubuntu users running the Xenial 16.04 series appear to be affected.

• First malicious Android app built with open source Kotlin language found wild

  For the first time, a malicious Android application built with Kotlin has been discovered in the Google Play store. First noted by Trend Micro researchers in a Tuesday blog post, it's possible that the app has already been downloaded thousands of times. In late November 2017, it was reported that 17% of the projects in Android Studio were using Kotlin. Because it's becoming easier to convert Java code to Kotlin, and the new language features a null-safety feature that can improve app quality, we'll likely see even more apps developed with the language. However, this also means we could see more malicious apps developed with Kotlin as well.

• Debian Stretch and Jessie Get Kernel Patches to Mitigate Meltdown Security Flaw

  The Debian Project released updated Linux kernels for Debian GNU/Linux 9 "Stretch" and Debian GNU/Linux 8 "Jessie" operating system series to patch the Meltdown security vulnerability and other issues. Last week, Debian GNU/Linux 9 "Stretch" users received the Linux kernel patch to mitigate the Meltdown security vulnerability (CVE-2017-5754) that affects billions of devices by allowing attackers to control unprivileged processes and read the memory from random addresses, including the kernel, as well as other processes running on the unpatched machine. To patch the issue, users had to update the kernel to version 4.9.65-3+deb9u2.

• Linux Systems with Exposed SSH Ports, Targeted by Python-Based Botnets

  Cybersecurity experts believe that a band of experience cybercriminals have created a botnet made of Linux-based systems and is using them to mine Monero, a cryptocurrency.

• Meltdown-Spectre: IBM preps firmware and OS fixes for vulnerable Power CPUs

  IBM has outlined a month-long plan to fix datacenter equipment running on its Power CPUs, which the company has now confirmed are vulnerable to the Meltdown and Spectre CPU attacks. The company today released firmware updates for the Power7+ and Power8 CPUs, with Power9 fixes coming on January 15. Until now, IBM hadn't fully confirmed its Power systems are affected by the two CPU attacks, though Red Hat said in its January 3 advisory that exploits existed for IBM System Z, Power8, and Power9 systems.

• How to install/update Intel microcode firmware on Linux

Kubuntu 17.10 upgrade - Should you?

I am not joking. I seriously believe that software regressions should be punished. They destroy people's mood and will and desire to use programs, and the users start developing almost PTSD-like effects, not knowing when something is going to crash because no one bothered checking their fresh code. Jail time seems appropriate. Failing that, strict and rigorous validation procedures that currently DO NOT EXIST in the wider Linux world. Zesty remains the perfect distro and the best Plasma release ever. It's so much ahead, I feel like shedding a tear every time I use it. In comparison, Awful Anteater is a pale shadow of what Kubuntu can do. So yes it works. But it brings crashes and unnecessary nonsense that just spoils everything. It's such a shame, and such a wasted opportunity. The upgrade itself was flawless. But it's not an upgrade. It's a version increase and a definite downgrade. Wait for the LTS. Or something. Oh, the humanity!