The Linux Foundation has announced a new conference called “Vault” that will focus on storage and filesystems for Linux. It will be co-located with the annual invitation-only Linux Storage, Filesystem and Memory Management Summit and will be held March 11-12, 2015 at the Revere Hotel in Boston. “‘90% of the world’s data has been created in the last few years and most of that data is being stored and accessed via a Linux-based system,’ said Linux Foundation Chief Marketing Officer Amanda McPherson. ‘Now is the ideal time to bring the open source community together in this new forum, Vault, to collaborate on new methods of improving capacity, efficiency and security to manage the huge data volumes envisioned in the coming years. By bringing together the leading minds of Linux file systems and storage and our members who are pushing the limits of what is possible, Vault should expand the state of the art in Linux.’”
Russell Pavlicek looks at the rivalry between containers and hypervisors over at Linux.com. He outlines the arguments for and against each, and follows it up with a description of a new contender for a “cloud operating system”: unikernels.
“Unikernel systems create tiny VMs. Mirage OS from the Xen Project incubator, for example, has created several network devices that run kilobytes in size (yes, that’s “kilobytes” – when was the last time you heard of any VM under a megabyte?). They can get that small because the VM itself does not contain a general-purpose operating system per se, but rather a specially built piece of code that exposes only those operating system functions required by the application.
There is no multi-user operating environment, no shell scripts, and no massive library of utilities to take up room – or to subvert in some nefarious exploit. There is just enough code to make the application run, and precious little for a malefactor to leverage. And in unikernels like Mirage OS, all the code that is present is statically type-safe, from the applications stack all the way down to the device drivers themselves. It’s not the “end-all be-all” of security, but it is certainly heading in the right direction.”
On Red Hat’s developer blog, Máirín Duffy has tips for developers on improving their application’s user experience (UX). “Speaking of speeding things up for your users – one way you can do this is to limit the amount of choices users have to make while using your application. It’s you, my application developer friend, that users are relying on as an expert in the ways of whatever it is that your application does. Users trust you to set sane defaults based on your domain expertise; when you set defaults, you are also alleviating users from having to make a choice that – depending on their level of expertise – may be quite hard for them to understand.
This isn’t to say you should eliminate all choices and configuration options from your application! Let users ease into it, though. Give them a good default so that your application requires less of them to start, and as they gain expertise and confidence in using your app over time, they can explore the preferences and change those settings based on their needs when they are ready.”
Debian has updated s3ql (code execution).
Mageia has updated x11vnc (code
Ubuntu has updated squid3 (14.04, 12.04: denial of service).
Kubuntu developer Jonathan Riddell looks at packaging all of the pieces of KDE on his blog. His perspective is, of course, Kubuntu-focused, but the comments contain lengthy responses from Fedora and openSUSE KDE packagers, which makes for a good look at the work distributions put into packaging a huge code base like KDE. “Much of what we package are libraries and if one small bit changes in the library, any applications which use that library will crash. This is ABI and the rules for binary [compatibility] in C++ are nuts. Not infrequently someone in KDE will alter a library ABI without realising. So we maintain symbol files to list all the symbols, these can often feel like more trouble than they’re worth because they need updated when a new version of GCC produces different symbols or when symbols disappear and on investigation they turn out to be marked private and nobody will be using them anyway, but if you miss a change and apps start crashing as nearly happened in KDE PIM last week then people get grumpy.” (Thanks to Robie Basak.)
Greg Kroah-Hartman has announced the release of five new stable kernels: 3.16.1, 3.15.10, 3.14.17, 3.10.53, and 3.4.103. As usual, each has important fixes and users should upgrade. In addition, this is the last 3.15.x release, so users should be switching to the 3.16 series.
Debian has updated gpgme1.0 (code
openSUSE has updated flash-player (13.1, 12.3: multiple vulnerabilities).
The Software Freedom Conservancy (SFC) and Open Source Initiative (OSI) have announced (and here) that they are both founding members of a working group “focused on tax exemption issues for organizations in the United States“. The working group will be open to participation by any concerned groups or individuals and will be looking for legal experts to join in. Aaron Williamson, formerly of the Software Freedom Law Center, will be chairing the group.
“Recent activity by the Internal Revenue Service in response to applications for tax exempt status have sparked a lot of interest and discussion amongst free and open source software communities.
OSI and Conservancy recognize that the IRS’s understanding and evaluation of free and open source software can impact both new organizations created to promote the public good as charities (known as 501(c)(3) organizations after the corresponding tax code provision), as well as new organizations formed to forward a common business interest (known as 501(c)(6) organizations).” We looked at the issue in July after the Yorba Foundation’s unsuccessful attempt to become a US tax-exempt organization.
The Linux Plumbers Conference (LPC) has a new blog post looking at the live kernel patching microconference. “There has been a great deal of interest in live kernel patching (see this LWN.net article) over the past few months, with several different approaches proposed, including CRIU+kexec, kGraft, and kpatch, all in addition to ksplice. This microconference will host discussions on required infrastructure (including tracing, checkpoint/restart, kexec, and live patching), along with expositions and comparisons of the various approaches. The purpose, believe it or not, is to work towards a common implementation that everyone can live with.” LPC will be held in Düsseldorf, Germany, October 15–17, co-located with LinuxCon Europe; the front-page blog for LPC has looks at many of the other microconferences along with other interesting information about the conference.
CentOS has updated tomcat6 (C6: two vulnerabilities, one from 2013).
Debian has updated acpi-support (regression in earlier security fix).
Gentoo has updated libssh (key disclosure via bad randomness).
Oracle has updated kernel-2.6.32 (OL6; OL5: denial of service), kernel-2.6.39 (OL6; OL5: denial of service), kernel-3.8.13 (two vulnerabilities), and tomcat6 (OL6: two vulnerabilities, one from 2013).
Scientific Linux has updated tomcat6 (SL6: two vulnerabilities, one from 2013).
Ubuntu has updated python-pycadf (14.04: information leak).
On the Montréal-Python blog, Mathieu Leduc-Hamel announces that the 2015 PyCon Call for Proposals (CFP) is now open. The conference will be held in Montréal April 8–16, 2015; CFPs will be accepted until September 15. “There are likely 95 talk slots to fill, assuming we keep the usual balance of 30/45 minute slots the same, and we’ll have room for 32 tutorials. This makes for some steep competition given the potential to reach over 600 talk proposals, while seeing three to four times as many tutorial proposals as available slots. While proposals will be accepted through September 15, we encourage submissions as early as possible, allowing reviewers more time to assess and provide feedback which may prove beneficial as the various rounds of review begin.”
Debian has updated drupal7 (denial of service), kde4libs (privilege escalation), krb5 (multiple vulnerabilities), libav (multiple vulnerabilities, most from 2011 and 2013), wireshark (multiple vulnerabilities), and wordpress (multiple
Fedora has updated drupal7-views (F20; F19: access control bypass), openssl (F20; F19: multiple vulnerabilities), thunderbird (F19: multiple vulnerabilities), and xulrunner (F20: multiple vulnerabilities).
Gentoo has updated freetype (code
Mandriva has updated wireshark
openSUSE has updated chromium (13.1, 12.3: multiple vulnerabilities), elfutils (13.1, 12.3: code execution), exim (13.1, 12.3; 11.4: multiple vulnerabilities going back to 2011), jbigkit (13.1, 12.3: code execution from 2013), kdelibs4 (13.1: privilege escalation), kdirstat (13.1: code execution), kernel (13.1: multiple vulnerabilities), krb5 (13.1, 12.3: multiple vulnerabilities), thunderbird (13.1, 12.3: multiple vulnerabilities), tor (13.1, 12.3: traffic confirmation), and transmission (13.1: code execution).
Slackware has updated openssl
LWN editor Nathan Willis is giving a keynote talk at the upcoming GUADEC (GNOME Users and Developers European Conference) and was interviewed by GNOME News. Willis’s talk is titled “Should We Teach The Robot To Kill” and will look at free software and the automotive industry. “And, finally, my ultimate goal would be to persuade some people that the free-software community can — and should — take up the challenge and view the car as a first-rate environment where free software belongs. Because there will naturally be lots of little gaps where the different corporate projects don’t quite have every angle covered. But we don’t have to wait for other giant companies to come along and finish the job. We can get involved now, and if we do, then the next generation of automotive software will be stronger for it, both in terms of features and in terms of free-software ideals.” GUADEC is being held in Strasbourg, France July 26–August 1.
On his blog, Sebastian Kügler looks at what’s left to be done for KDE’s Plasma desktop to support Wayland. He discusses why the project cares about Wayland, what it means to support Wayland, the current status, the strategy for further work, and how interested folks can get involved.
“One of the important topics which we have (kind of) excluded from Plasma’s recent 5.0 release is support for Wayland. The reason is that much of the work that has gone into renovating our graphics stack was also needed in preparation for Wayland support in Plasma. In order to support Wayland systems properly, we needed to lift the software stack to Qt5, make X11 dependencies in our underlying libraries, Frameworks 5 optional. This part is pretty much done. We now need to ready support for non-X11 systems in our workspace components, the window manager and compositor, and the workspace shell.”
Fedora has updated httpd (F20: multiple vulnerabilities), ipython (F20; F19: code execution), java-1.7.0-openjdk (F19: multiple vulnerabilities), java-1.8.0-openjdk (F20; F19: multiple vulnerabilities), and kernel (F19:
Red Hat has updated openstack-nova (OSP5.0: information disclosure), openstack-swift (OSP5.0: cross-site scripting), python-django-horizon (OSP5.0: three vulnerabilities), and qemu-kvm-rhev (OSP4.0, OSP3.0: multiple vulnerabilities).
At yesterday’s Fedora Engineering Steering Committee (FESCo) meeting, the release of Fedora 21 was delayed by three weeks (FESCo ticket), with the final release now scheduled for November 4. There are some problems with “test composes” of the release (creating test ISO images) that mean the deadline for the alpha release would be missed. The original plan was to delay for two weeks, but that put the freeze just before the Flock conference, so it was decided to push out an additional week.
Over at Model View Culture, Adam Saunders interviews Karen Sandler, executive director of the Software Freedom Conservancy (SFC) and formerly the executive director of the GNOME Foundation. Sandler talks about SFC, the Outreach Program for Women, as well as being a cyborg: “I was diagnosed with a heart condition and needed a pacemaker/defibrillator, and none of the device manufacturers would let me see the source code that was to be literally sewn into my body and connected to my heart. My life relies on the proper functioning of software every day, and I have no confidence that it will. The FDA generally doesn’t review the source code of medical devices nor can the public. But multiple researchers have shown that these devices can be maliciously hacked, with fatal consequences.
Once you start considering medical devices, you quickly start to realize that it’s all kinds of software that is life and society-critical – cars, voting machines, stock markets… It’s essential that our software be safe, and the only way we can realistically expect that to be the case over time is by ensuring that our software is free and open. If there’s catastrophic failure at Medtronic (the makers of my defibrillator), for example, I wouldn’t be able to fix a bug in my own medical device.”
Fedora has updated firefox (F20: multiple vulnerabilities).
Oracle has updated dovecot (OL7: denial of service), firefox (OL7; OL7; OL5: multiple vulnerabilities), gnutls (OL7: two vulnerabilities), httpd (OL7; OL6; OL5: multiple vulnerabilities), java-1.6.0-openjdk (OL7; OL7: multiple vulnerabilities), java-1.7.0-openjdk (OL7; OL7: multiple vulnerabilities), json-c (OL7: two denial of service flaws), kernel (OL7; OL6: two privilege escalations), kernel (OL7: multiple vulnerabilities), kernel (OL7: privilege escalation), libtasn1 (OL7: three vulnerabilities), libvirt (OL7: information disclosure/denial of service), lzo (OL7: denial of service/possible code execution), mariadb (OL7: multiple unspecified vulnerabilities), nss, nspr (OL7: code execution), openssl (OL7: multiple vulnerabilities), openssl098e (OL7: man-in-the-middle attack), qemu-kvm (OL7: many vulnerabilities), qemu-kvm (OL7: code execution), samba (?:), tomcat (OL7: three vulnerabilities), and tomcat (OL7: three vulnerabilities).
Ubuntu has updated apache2 (14.04, 12.04, 10.04: multiple vulnerabilities), jinja2 (12.04: code execution), lzo2 (14.04, 12.04: denial of service/possible code execution), and oxide-qt (14.04:
Another of the Red Hat Enterprise Linux (RHEL) rebuilds has released its version of RHEL 7: Oracle Linux 7 for x86_64 is now available. It does add some features, including DTrace, Ksplice, and Xen. More information can be found in the release notes.
Six researchers (including Julia Lawall of the Coccinelle project) have just released a paper [PDF] (abstract) that looks at the faults in the 2.6 kernel. “In August 2011, Linux entered its third decade. Ten years before, Chou et al. published a study of faults found by applying a static analyzer to Linux versions 1.0 through 2.4.1. A major result of their work was that the drivers directory contained up to 7 times more of certain kinds of faults than other directories. This result inspired numerous efforts on improving the reliability of driver code. Today, Linux is used in a wider range of environments, provides a wider range of services, and has adopted a new development and release model. What has been the impact of these changes on code quality? To answer this question, we have transported Chou et al.’s experiments to all versions of Linux 2.6, released between 2003 and 2011. We find that Linux has more than doubled in size during this period, but the number of faults per line of code has been decreasing. Moreover, the fault rate of drivers is now below that of other directories, such as arch. These results can guide further development and research efforts for the decade to come. To allow updating these results as Linux evolves, we define our experimental protocol and make our checkers available.”
(Thanks to Asger Alstrup Palm.)
Over at Opensource.com, Rikki Endsley interviews Spencer Hunley, who will be giving a talk on accessibility at LinuxCon NA in August. Hunley also spoke at last year’s LinuxCon NA and, shortly after that, helped form the Universal Tux Google+ community to work on accessibility in Linux. “Built-in, easy to use and understand accessibility support is hard to find in many distributions. Can you tell me the key combination to activate that support in Ubuntu? How about any other distro? The fact is that although it’s there, it may not be easy to locate and/or use. When addressing this, focusing on independence is vital. No one wants to have to call upon someone else to help them install a new OS, or to utilize an application. This is especially true for people with disabilities; the learning curve can be nearly impossible, which leaves little in the way of choice in the FOSS world, depending on your abilities.”
Keith Packard has announced the release of the 1.16.0 X.Org server with many new features, including Glamor (GL-based 2D X acceleration) integration, XWayland, systemd integration, Glamor for the Xephyr nested X server, and support for non-PCI devices. In addition, “thousands of compiler warnings were eliminated from the code base.” “For the first time in several releases, we’ve added substantial amounts of code to the server, only 2/3 of which was the glamor code base: 604 files changed, 34449 insertions(+), 7024 deletions(-)”
Debian has updated davfs2
openSUSE has updated flash-player (11.4: multiple vulnerabilities).
Red Hat has updated openstack-neutron (OSP4.0: two vulnerabilities).
SUSE has updated firefox (SLE10SP4, SLE10SP3: multiple vulnerabilities), kernel (SLE11SP3; SLE11SP3; SLE11SP3; SLERTE11SP3; SLERTE11SP3: many vulnerabilities, including one from 2012), and lzo (SLE11SP3: denial of service/possible code execution).
Ubuntu has updated EC2 kernel (10.04: three vulnerabilities), kernel (14.04; 13.10; 12.04; 10.04: multiple vulnerabilities), linux-lts-quantal (12.04: multiple vulnerabilities), linux-lts-raring (12.04: multiple vulnerabilities), linux-lts-saucy (12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-ti-omap4 (12.04: multiple vulnerabilities), and mysql-5.5 (14.04, 12.04: unidentified vulnerabilities).
James Morris has a blog post announcing that the schedule for this year’s Linux Security Summit (LSS) is now available. It starts with a keynote from James Bottomley of Parallels, then there are seven refereed talks, as well as other sessions: “Discussion session topics include Trusted Kernel Lock-down Patch Series, led by Kees Cook; and EXT4 Encryption, led by Michael Halcrow & Ted Ts’o. There’ll be kernel security subsystem updates from the SELinux, AppArmor, Smack, and Integrity maintainers. The break-out sessions are open format and a good opportunity to collaborate face-to-face on outstanding or emerging issues.” LSS will be held August 18-19 in Chicago, overlapping the first two days of the Kernel Summit and it is followed by LinuxCon North America; all are being held in the same location.
In the first article in this series, we briefly looked at the original Linux filesystem notification API, dnotify, and noted a number of its limitations. We then turned our attention to its successor, inotify, and saw how the design of the newer API addressed various problems with the dnotify API while providing a number of other benefits as well. At first glance, inotify seems to provide a complete solution for the task of creating an application that reliably monitors the state of a filesystem. However, we are about to see that this isn’t quite the case.
Subscribers can check out the next article in guest author Michael Kerrisk’s series by clicking below.
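Added example, not code from Kerrisk's article or from any project: a C program showing one of the gaps that a monitor built naively on inotify runs into. As documented in inotify(7), watches are not recursive, the kernel reports IN_Q_OVERFLOW when its event queue fills, and a file created inside a new subdirectory in the window between the mkdir() and the inotify_add_watch() on that subdirectory generates no event at all. The program builds a constructed temporary tree under /tmp (the names a.txt, sub and b.txt are invented for the demo), races a file into the new subdirectory before a watch on it exists, and shows that the file is only accounted for by rescanning the subdirectory once the watch is in place. Path joining assumes a single level of watched directories; a real monitor keeps a table from watch descriptor to path.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdalign.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* Counters filled in while draining the inotify queue. */
struct watch_stats {
    int created;    /* IN_CREATE events delivered by the kernel          */
    int caught_up;  /* entries found only by rescanning a new subdir     */
    int overflow;   /* IN_Q_OVERFLOW events: the kernel dropped events   */
};

/* Count directory entries other than "." and "..". */
static int scan_dir(const char *path)
{
    DIR *d = opendir(path);
    if (!d)
        return 0;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") && strcmp(e->d_name, ".."))
            n++;
    closedir(d);
    return n;
}

/* Read every queued event from a non-blocking inotify descriptor. */
static void drain(int fd, int wd_root, const char *root, struct watch_stats *st)
{
    _Alignas(struct inotify_event) char buf[4096];
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0)                 /* EAGAIN: queue is empty */
            break;
        for (char *p = buf; p < buf + n;) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->mask & IN_Q_OVERFLOW)
                st->overflow++;
            if (ev->mask & IN_CREATE) {
                st->created++;
                /* Watches are not recursive: watch the new directory, then
                 * rescan it, because anything created between its mkdir()
                 * and our inotify_add_watch() produced no event. Only the
                 * root's children are handled here (single-level demo). */
                if ((ev->mask & IN_ISDIR) && ev->wd == wd_root) {
                    char path[PATH_MAX];
                    snprintf(path, sizeof path, "%s/%s", root, ev->name);
                    inotify_add_watch(fd, path, IN_CREATE);
                    st->caught_up += scan_dir(path);
                }
            }
            p += sizeof *ev + ev->len;
        }
    }
}

static void touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0)
        close(fd);
}

/* Set up a watch, race it against a new subdirectory, report what was seen.
 * On setup failure, created is -1. */
struct watch_stats run_race_demo(void)
{
    struct watch_stats st = { 0, 0, 0 };
    char root[] = "/tmp/inotify-demo-XXXXXX";   /* constructed test tree */
    char a[PATH_MAX], sub[PATH_MAX], b[PATH_MAX];

    if (!mkdtemp(root)) { st.created = -1; return st; }
    int fd = inotify_init1(IN_NONBLOCK);
    int wd = fd < 0 ? -1 : inotify_add_watch(fd, root, IN_CREATE);
    if (wd < 0) { st.created = -1; rmdir(root); return st; }

    snprintf(a, sizeof a, "%s/a.txt", root);
    snprintf(sub, sizeof sub, "%s/sub", root);
    snprintf(b, sizeof b, "%s/b.txt", sub);

    touch(a);           /* seen: root is watched                        */
    mkdir(sub, 0700);   /* seen as IN_CREATE|IN_ISDIR                   */
    touch(b);           /* NOT seen: sub has no watch yet               */

    drain(fd, wd, root, &st);

    unlink(b); unlink(a); rmdir(sub); rmdir(root); close(fd);
    return st;
}
```

With the race above, the kernel delivers exactly two IN_CREATE events (a.txt and sub); b.txt is found only by the rescan, which is why the rescan is not optional. Dropping the rescan, or using a blocking read without checking IN_Q_OVERFLOW, gives a monitor that silently misses files.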