Author Archive

Interview with Nathan Willis, GUADEC Keynote Speaker (GNOME News)

This post was syndicated from: and was written by: jake. Original post: at

LWN editor Nathan Willis is giving a keynote talk at the upcoming GUADEC (GNOME Users and Developers European Conference) and was interviewed by GNOME News. Willis’s talk is titled “Should We Teach The Robot To Kill” and will look at free software and the automotive industry. “And, finally, my ultimate goal would be to persuade some people that the free-software community can — and should — take up the challenge and view the car as a first-rate environment where free software belongs. Because there will naturally be lots of little gaps where the different corporate projects don’t quite have every angle covered. But we don’t have to wait for other giant companies to come along and finish the job. We can get involved now, and if we do, then the next generation of automotive software will be stronger for it, both in terms of features and in terms of free-software ideals.” GUADEC is being held in Strasbourg, France July 26–August 1.

Kügler: Plasma’s Road to Wayland

On his blog, Sebastian Kügler looks at what’s left to be done for KDE’s Plasma desktop to support Wayland. He discusses why the project cares about Wayland, what it means to support Wayland, the current status, the strategy for further work, and how interested folks can get involved.
“One of the important topics which we have (kind of) excluded from Plasma’s recent 5.0 release is support for Wayland. The reason is that much of the work that has gone into renovating our graphics stack was also needed in preparation for Wayland support in Plasma. In order to support Wayland systems properly, we needed to lift the software stack to Qt5, make X11 dependencies in our underlying libraries, Frameworks 5, optional. This part is pretty much done. We now need to ready support for non-X11 systems in our workspace components, the window manager and compositor, and the workspace shell.”

Security updates for Friday

CentOS has updated kernel (C7; C6; C5: two vulnerabilities) and qemu-kvm (C7: many vulnerabilities).

Debian has updated apache2 (three vulnerabilities) and transmission (code execution).

Fedora has updated httpd (F20: multiple vulnerabilities), ipython (F20; F19: code execution), java-1.7.0-openjdk (F19: multiple vulnerabilities), java-1.8.0-openjdk (F20; F19: multiple vulnerabilities), and kernel (F19: multiple vulnerabilities).

Oracle has updated enterprise (OL7: three vulnerabilities) and kernel (OL5: two vulnerabilities).

Red Hat has updated openstack-nova (OSP5.0: information disclosure), openstack-swift (OSP5.0: cross-site scripting), python-django-horizon (OSP5.0: three vulnerabilities), and qemu-kvm-rhev (OSP4.0, OSP3.0: multiple vulnerabilities).

Fedora 21 delayed three weeks

At yesterday’s Fedora Engineering Steering Committee (FESCo) meeting, the release of Fedora 21 was delayed by three weeks (FESCo ticket), with the final release now scheduled for November 4. There are some problems with “test composes” of the release (creating test ISO images) that mean the deadline for the alpha release would be missed. The original plan was to delay for two weeks, but that put the freeze just before the Flock conference, so it was decided to push out an additional week.

An Interview with Karen Sandler (Model View Culture)

Over at Model View Culture, Adam Saunders interviews Karen Sandler, executive director of the Software Freedom Conservancy (SFC) and formerly the executive director of the GNOME Foundation. Sandler talks about SFC, the Outreach Program for Women, as well as being a cyborg: “I was diagnosed with a heart condition and needed a pacemaker/defibrillator, and none of the device manufacturers would let me see the source code that was to be literally sewn into my body and connected to my heart. My life relies on the proper functioning of software every day, and I have no confidence that it will. The FDA generally doesn’t review the source code of medical devices nor can the public. But multiple researchers have shown that these devices can be maliciously hacked, with fatal consequences.

Once you start considering medical devices, you quickly start to realize that it’s all kinds of software that is life and society-critical – cars, voting machines, stock markets… It’s essential that our software be safe, and the only way we can realistically expect that to be the case over time is by ensuring that our software is free and open. If there’s catastrophic failure at Medtronic (the makers of my defibrillator), for example, I wouldn’t be able to fix a bug in my own medical device.”

Security updates for Thursday

CentOS has updated httpd (C7; C6; C5: multiple vulnerabilities).

Debian has updated iceweasel (multiple vulnerabilities) and openjdk-7 (multiple vulnerabilities).

Fedora has updated firefox (F20: multiple vulnerabilities).

Oracle has updated dovecot (OL7: denial of service), firefox (OL7; OL7; OL5: multiple vulnerabilities), gnutls (OL7: two vulnerabilities), httpd (OL7; OL6; OL5: multiple vulnerabilities), java-1.6.0-openjdk (OL7; OL7: multiple vulnerabilities), java-1.7.0-openjdk (OL7; OL7: multiple vulnerabilities), json-c (OL7: two denial of service flaws), kernel (OL7; OL6: two privilege escalations), kernel (OL7: multiple vulnerabilities), kernel (OL7: privilege escalation), libtasn1 (OL7: three vulnerabilities), libvirt (OL7: information disclosure/denial of service), lzo (OL7: denial of service/possible code execution), mariadb (OL7: multiple unspecified vulnerabilities), nss, nspr (OL7: code execution), openssl (OL7: multiple vulnerabilities), openssl098e (OL7: man-in-the-middle attack), qemu-kvm (OL7: many vulnerabilities), qemu-kvm (OL7: code execution), samba (?:), and tomcat (OL7: three vulnerabilities).

Red Hat has updated kernel (RHEL7; RHEL6.4; RHEL6; RHEL5: two privilege escalations) and qemu-kvm (RHEL7: many vulnerabilities).

Scientific Linux has updated kernel (SL6; SL5: two privilege escalations).

Slackware has updated httpd (multiple vulnerabilities), thunderbird (multiple vulnerabilities), and firefox (multiple vulnerabilities).

SUSE has updated libtasn1 (SLE11SP3: three vulnerabilities) and ppc64-diag (SLE11SP3: two vulnerabilities).

Ubuntu has updated apache2 (14.04, 12.04, 10.04: multiple vulnerabilities), jinja2 (12.04: code execution), lzo2 (14.04, 12.04: denial of service/possible code execution), and oxide-qt (14.04: multiple vulnerabilities).

Oracle Linux 7 released

Another of the Red Hat Enterprise Linux (RHEL) rebuilds has released its version of RHEL 7: Oracle Linux 7 for x86_64 is now available. It does add some features, including DTrace, Ksplice, and Xen. More information can be found in the release notes.

Faults in Linux 2.6

Six researchers (including Julia Lawall of the Coccinelle project) have just released a paper [PDF] (abstract) that looks at the faults in the 2.6 kernel. “In August 2011, Linux entered its third decade. Ten years before, Chou et al. published a study of faults found by applying a static analyzer to Linux versions 1.0 through 2.4.1. A major result of their work was that the drivers directory contained up to 7 times more of certain kinds of faults than other directories. This result inspired numerous efforts on improving the reliability of driver code. Today, Linux is used in a wider range of environments, provides a wider range of services, and has adopted a new development and release model. What has been the impact of these changes on code quality? To answer this question, we have transported Chou et al.’s experiments to all versions of Linux 2.6, released between 2003 and 2011. We find that Linux has more than doubled in size during this period, but the number of faults per line of code has been decreasing. Moreover, the fault rate of drivers is now below that of other directories, such as arch. These results can guide further development and research efforts for the decade to come. To allow updating these results as Linux evolves, we define our experimental protocol and make our checkers available.”
(Thanks to Asger Alstrup Palm.)

The state of accessibility in Linux and open source software (

Rikki Endsley interviews Spencer Hunley, who will be giving a talk on accessibility at LinuxCon NA in August. Hunley also spoke at last year’s LinuxCon NA and, shortly after that, helped form the Universal Tux Google+ community to work on accessibility in Linux. “Built-in, easy to use and understand accessibility support is hard to find in many distributions. Can you tell me the key combination to activate that support in Ubuntu? How about any other distro? The fact is that although it’s there, it may not be easy to locate and/or use. When addressing this, focusing on independence is vital. No one wants to have to call upon someone else to help them install a new OS, or to utilize an application. This is especially true for people with disabilities; the learning curve can be nearly impossible, which leaves little in the way of choice in the FOSS world, depending on your abilities.”

X.Org server 1.16.0 released

Keith Packard has announced the release of the 1.16.0 X.Org server with many new features, including Glamor (GL-based 2D X acceleration) integration, XWayland, systemd integration, Glamor for the Xephyr nested X server, and support for non-PCI devices. In addition, “thousands of compiler warnings were eliminated from the code base.” “For the first time in several releases, we’ve added substantial amounts of code to the server, only 2/3 of which was the glamor code base:

604 files changed, 34449 insertions(+), 7024 deletions(-)”

Security advisories for Thursday

Debian has updated davfs2 (privilege escalation).

Fedora has updated lz4 (F20; F19: denial of service/possible code execution), python (F19: information leak), and python3 (F19: information leak).

Gentoo has updated gnupg (denial of service) and xen (many vulnerabilities).

openSUSE has updated flash-player (11.4: multiple vulnerabilities).

Oracle has updated java-1.7.0-openjdk (OL6; OL5: multiple vulnerabilities).

Red Hat has updated openstack-neutron (OSP4.0: two vulnerabilities).

SUSE has updated firefox (SLE10SP4, SLE10SP3: multiple vulnerabilities), kernel (SLE11SP3; SLE11SP3; SLE11SP3; SLERTE11SP3; SLERTE11SP3: many vulnerabilities, including one from 2012), and lzo (SLE11SP3: denial of service/possible code execution).

Ubuntu has updated EC2 kernel (10.04: three vulnerabilities), kernel (14.04; 13.10; 12.04; 10.04: multiple vulnerabilities), linux-lts-quantal (12.04: multiple vulnerabilities), linux-lts-raring (12.04: multiple vulnerabilities), linux-lts-saucy (12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-ti-omap4 (12.04: multiple vulnerabilities), and mysql-5.5 (14.04, 12.04: unidentified vulnerabilities).

2014 Linux Security Summit schedule published

James Morris has a blog post announcing that the schedule for this year’s Linux Security Summit (LSS) is now available. It starts with a keynote from James Bottomley of Parallels, then there are seven refereed talks, as well as other sessions: “Discussion session topics include Trusted Kernel Lock-down Patch Series, led by Kees Cook; and EXT4 Encryption, led by Michael Halcrow & Ted Ts’o. There’ll be kernel security subsystem updates from the SELinux, AppArmor, Smack, and Integrity maintainers. The break-out sessions are open format and a good opportunity to collaborate face-to-face on outstanding or emerging issues.” LSS will be held August 18-19 in Chicago, overlapping the first two days of the Kernel Summit, and is followed by LinuxCon North America; all are being held in the same location.

[$] Filesystem notification, part 2: A deeper investigation of inotify

In the first article in this series, we briefly looked at the original Linux filesystem notification API, dnotify, and noted a number of its limitations. We then turned our attention to its successor, inotify, and saw how the design of the newer API addressed various problems with the dnotify API while providing a number of other benefits as well. At first glance, inotify seems to provide a complete solution for the task of creating an application that reliably monitors the state of a filesystem. However, we are about to see that this isn’t quite the case.

Subscribers can check out the next article in guest author Michael Kerrisk’s series by clicking below.

Day: Sandboxed applications for GNOME

In the first of a two-part series, GNOME contributor Allan Day looks at sandboxed applications for the GNOME desktop. In this installment, he looks at the benefits of application sandboxes from a couple of different angles. “Security and privacy, I think, are core beliefs for Free Software. Users should be able to trust us to have their interests at heart, and should be able to have more faith in our products than proprietary alternatives. Ironically, though, the Free Software desktop world hasn’t done a great job at security. It is actually pretty scary what a malicious desktop application could do if it wants to. We rely on transparency and good faith to ensure that applications do not infringe on user privacy, rather than robust technical architecture.”

Boyer: At the playground

Fedora kernel team member Josh Boyer writes about a Fedora kernel-playground Copr (Cool Other Project Repository) on his blog. The idea is to provide an unsupported kernel that has some new features for those who want to help develop and test them.
“OK, now that we have that out of the way, let’s talk about what is actually in kernel-playground. At the moment there are two additions on top of the standard rawhide kernel; overlayfs (v22) and kdbus.

Overlayfs is one of the top competing “union” filesystems out there, and has actually been posted for review for the past few releases. It has the best chance of landing upstream sometime this decade, and there has been interest in it for quite a while. I believe things like Docker would also be able to make use of it as a backend. I’ll track upstream submissions and update accordingly.

kdbus is of course the thing that Lennart Poettering and Kay Sievers have been talking about at various conferences for a while now. It is the in-kernel d-bus replacement. It has not been submitted for upstream review yet, but systemd already has support for it and things seem to be progressing well there.”

Security updates for Thursday

CentOS has updated lzo (C7: denial of service/possible code execution), samba (C7: three vulnerabilities), samba (C6; C5: two vulnerabilities), and tomcat6 (C6: multiple vulnerabilities).

Debian has updated phpmyadmin (multiple vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

Mandriva has updated gd (BS1.0: denial of service), liblzo (BS1.0: denial of service/possible code execution), and python (BS1.0: information leak).

Oracle has updated samba, samba3x (OL6; OL5: two vulnerabilities) and tomcat6 (OL6: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL5&6: multiple vulnerabilities), lzo (RHEL6&7: denial of service/possible code execution), samba (RHEL7: three vulnerabilities), samba, samba3x (RHEL5&6: two vulnerabilities), and tomcat6 (RHEL6: multiple vulnerabilities).

Scientific Linux has updated lzo (SL6: denial of service/possible code execution), samba and samba3x (SL5&6: two vulnerabilities), and tomcat6 (SL6: multiple vulnerabilities).

Ubuntu has updated php5 (multiple vulnerabilities).

[$] Filesystem notification, part 1: An overview of dnotify and inotify

Filesystem notification APIs provide a mechanism by which applications can be informed when events happen within a filesystem—for example, when a file is opened, modified, deleted, or renamed. Over time, Linux has acquired three different filesystem notification APIs, and it is instructive to look at them to understand what the differences between the APIs are. It’s also worthwhile to consider what lessons have been learned during the design of the APIs—and what lessons remain to be

The first part of guest author Michael Kerrisk’s series on filesystem notification in Linux is now available for subscribers.

The future of realtime Linux in doubt

In a message about the release of the 3.14.10-rt7 realtime Linux kernel, Thomas Gleixner reiterated that the funding problems that have plagued realtime Linux (which he raised, again, at last year’s Real Time Linux Workshop) have only gotten worse. Efforts were made to find funding for the project, but “nothing has materialized”. Assuming that doesn’t change, Gleixner plans to cut back on development and on plans to get the code upstream. “After my last talk about the state of preempt-RT at LinuxCon Japan, Linus told me: ‘That was far more depressing than I feared’.

The mainline kernel has seen a lot of benefit from the preempt-RT efforts in the past 10 years and there is a lot more stuff which needs to be done upstream in order to get preempt-RT fully integrated, which certainly would improve the general state of the Linux kernel again.”

Gräßlin: Next Generation Klipper

On his blog, Martin Gräßlin examines Klipper, the KDE clipboard manager, with an eye toward how it should work for Plasma 5.1. “A clipboard history is of course an important part of a desktop shell and thus should be a first class citizen. The user interface needs to be integrated and this means the interface needs to be provided by a Plasmoid which needs to be added to the notification area. The interface would still show a list and this is best done by providing the data in the form of a QAbstractItemModel.

As there should only be one clipboard history manager, but at the same time perhaps several user interfaces for it (e.g. one panel per screen), the QAbstractItemModel holding the data needs to be provided by a DataEngine. So overall we need to separate the user interface (Plasmoid) from the data storage (DataEngine) and turn the existing Klipper into just being the data storage.”

Interview: Damian Conway (Linux Voice)

Linux Voice magazine has an interview with Damian Conway, one of the chief architects of Perl 6. In it, he talks about Perl 6 a bit (of course), but also about Perl, in general, as well as about teaching and learning programming. “Anyone who believes you can teach programming in an hour has no idea about what programming is. I think that I finally thought that I was a confident programmer maybe about four or five years ago, so after about a quarter of a century of coding. I felt that I was an ordinary good programmer by that stage. I don’t think you can even teach HTML in an hour, to be brutally honest.”

Friday’s security advisories

Fedora has updated apt-cacher-ng (F20: cross-site scripting) and xen (F20; F19: information leak).

SUSE has updated php5 (SLE11SP2: two vulnerabilities) and php53 (SLE11SP2, SLE11SP3: multiple vulnerabilities).

The CHERI capability model: Revisiting RISC in an age of risk (Light Blue Touchpaper)

Over at the Light Blue Touchpaper blog, there is a summary of a paper [PDF] presented in late June at the 2014 International Symposium on Computer Architecture about Capability Hardware Enhanced RISC Instructions (CHERI).
“CHERI is an instruction-set extension, prototyped via an FPGA-based soft processor core named BERI, that integrates a capability-system model with a conventional memory-management unit (MMU)-based pipeline. Unlike conventional OS-facing MMU-based protection, the CHERI protection and security models are aimed at compilers and applications. CHERI provides efficient, robust, compiler-driven, hardware-supported, and fine-grained memory protection and software compartmentalisation (sandboxing) within, rather than between, address spaces. We run a version of FreeBSD that has been adapted to support the hardware capability model (CheriBSD) compiled with a CHERI-aware Clang/LLVM that supports C pointer integrity, bounds checking, and capability-based protection and delegation. CheriBSD also supports a higher-level hardware-software security model permitting sandboxing of application components within an address space based on capabilities and a Call/Return mechanism supporting mutual distrust.”

Python Foundation uncoils as membership opens up (

There is an interview with Nick Coghlan, who is a newly elected Python Software Foundation (PSF) board member. In the interview, Coghlan discusses the new open membership model for the PSF, what makes Python special, how the huge investment in OpenStack is having an impact on CPython core development, and a look at the future for both Python and the PSF. “For me, the most fascinating thing about Python is the sheer breadth of the domains it competes in. In the projects I worked on at Boeing, Python became our “go to” glue language for getting different parts of a complex system to play nicely together, as well as for writing simulation tools for testing environments. Linux distributions tend to use it in a similar fashion. In the scientific space it goes head to head with the likes of MATLAB for numeric computing, and R for statistical analysis. It was the original implementation language for YouTube, and the language of choice for OpenStack components, yet still simple enough to be chosen as the preferred programming language for the Raspberry Pi and One Laptop Per Child educational programs. With the likes of Maya and Blender using it as their embedded scripting engine, animation studios love it because animators can learn to handle tasks that previously had to be handled by the studios’ development teams.

That diversity of use cases can make things fraught at times, especially in core development where the competing interests can often collide, but it’s also a tremendous strength.”

3.14 to be the next longterm stable kernel

Greg Kroah-Hartman has announced that 3.14 will be the next longterm stable kernel that he will be maintaining. It should continue to receive updates until August 2016.

Schneier: NSA Targets Privacy Conscious for Surveillance

Bruce Schneier has a good summary of recently reported information about the US National Security Agency (NSA) targeting of users searching for or reading information about Tor and The Amnesic Incognito Live System (Tails), which certainly could include readers of this site. “Jake Appelbaum et al. are reporting on XKEYSCORE selection rules that target users — and people who just visit the websites of — Tor, Tails, and other sites. This isn’t just metadata; this is “full take” content that’s stored forever. [...] It’s hard to tell how extensive this is. It’s possible that anyone who clicked on this link — with the embedded URL above — is currently being monitored by the NSA. It’s possible that this only will happen to people who receive the link in e-mail, which will mean every Crypto-Gram subscriber in a couple of weeks. And I don’t know what else the NSA harvests about people who it selects in this manner.

Whatever the case, this is very disturbing.” Also see reports in Linux Journal (which was specifically noted in the XKeyscore rules) and Boing Boing.