Christian Schaller has a lengthy update on the progress of Fedora 21. He looks at a number of different features, including Wayland, GNOME 3.14, software installation (dnf and “Software”), and more. “This also highlights one of the advantages of the new Fedora product model where we have one clear desktop product we are targeting, that we can define operating system standards for things like application metadata and apply them to the system as a whole. So for Fedora 22 we expect to make appdata metadata a mandatory part of the application packaging for Fedora, ensuring that any desktop application packaged for Fedora is easily discoverable by our users. In the old ‘bucket of parts’ model these things would in practice not happen as there was no clear target that everyone was expected to aim for.”
On his blog, ownCloud founder Frank Karlitschek ponders the future of PHP. He doesn’t regret choosing PHP for ownCloud, but does note that the language suffers from its mid-1990s roots, which he would like to see cleaned up and fixed at some point—in a fully compatible way. “I wish PHP would do something that makes it possible to evolve and improve the language significantly but still provides a smooth migration experience not like Perl and Python did with introducing completely new backward incompatible releases.
So a good solution would be if PHP 6 or 7 [would] introduce a new tag to start a php file. For example <?PHPNEXT instead of <?PHP. Both modes are fully supported by the new PHP version and can be used in parallel in the same application or even in the same file. In the NEXT section the new and improved syntax is used.” He goes on to list the changes he would like to see in the language.
It’s been a crazy week for the Bash shell, its maintainer, and many Linux distributions that use the shell. A remote code-execution vulnerability that was reported on September 24 has now morphed into multiple related vulnerabilities, which have now mostly been fixed and updates released by distributions. The vulnerabilities have been dubbed “Shellshock” and the technical (and mainstream) press has had a field day reporting on the incident. It all revolves around a somewhat dubious Bash feature, but the widespread use of Bash in places where it may not really make sense contributed to the severity of
“Third party application developer writes a new game for Linux. As his target he chooses one of the “application runtime” Docker images on Docker Hub. Let’s say he chooses the latest Debian stable release. In that case he writes a simple Dockerfile that installs his build-dependencies and compiles his game in “debian-app-dev:wheezy” container. The output of that is a new folder containing all the compiled game resources and another Dockerfile – this one describes the runtime dependencies of the game. Now when a docker image is built from this compiled folder, it is based on “debian-app:wheezy” container that no longer has any development tools and is optimized for speed and size. After this build is complete the developer exports the Docker image into a file. This file can contain either the full system needed to run the new game or (after #8214 is implemented) just the filesystem layers with the actual game files and enough meta-data to reconstruct the full environment from public Docker repos. The developer can then distribute this file to the end user in the way that is comfortable for them.”
As many in the free-software world know, copyright is, at best, a double-edged sword. Copyright law is what allows the various free and open-source licenses, but enforcing that copyright (i.e. adherence to the license) is expensive and time-consuming. Ars Technica has the tale of a bug photographer who details his woes in trying to protect his photographs. “While the stereotypical copyright story pits private users against large corporate rights-holders, real-world cases are often more complex. After all, most content creators are private, and many content users—as well as content infringers—are corporate. The corporate infringements are the most frustrating, as I live off photo licenses issued to corporations in the same sectors.
Licensing only works in a world where commercial content users like these must obtain permission from content creators. As long as I have the right to dispense permission, I am in a position to earn back the roughly $50 I spend to create each photograph. Money is time; I use my time to invest in more images, and the cycle continues. This is how copyright is supposed to work, and most of my photographs could not exist without it.”
Fedora has updated bash (F20; F19: code injection), moodle (F20: multiple vulnerabilities), not-yet-commons-ssl (F20; F19: hostname verification botch), phpMyAdmin (F20; F19: privilege escalation), procmail (F19: code execution), wireshark (F20: yet another pile of dissector flaws), and xerces-j2 (F20; F19: denial of service from 2013).
Scientific Linux has updated bash
Ubuntu has updated bash (14.04, 12.04, 10.04: code injection), firefox (14.04, 12.04: signature forgery), nss (14.04, 12.04, 10.04: signature forgery), and thunderbird (14.04, 12.04: signature forgery).
Bruce Schneier is a cryptographer and security specialist who is well-known in computer circles even though he has often branched into more general security areas in recent years. His blog is a great source of security news (and of “quotes of the week” for the Security page, as readers know). Beyond all that, he travels to many security conferences to give talks, which is just what he did at AppSec USA in Denver on September 18. The keynote topic was “incident response” (IR), which is an area that is finally getting more attention in the security-product space, he said.
Debian has updated apt (regression in previous security update).
Fedora has updated apache-poi (F20: two XML handling flaws), asterisk (F20; F19: denial of service), haproxy (F20: unspecified vulnerabilities), kernel (F20: three vulnerabilities), pdns-recursor (F20; F19: denial of service), polkit-qt (F20; F19: authorization bypass), and ReviewBoard (F19: two vulnerabilities).
A new organization to “make security easy and fun” has announced itself in a blog post entitled “Why Hello, World!”. Simply Secure is targeting the usability of security solutions: “If privacy and security aren’t easy and intuitive, they don’t work. Usability is key.”
The organization was started by Google and Dropbox; it also has the Open Technology Fund as one of its partners.
“To build trust and ensure quality outcomes, one core component of our work will be public audits of interfaces and code. This will help validate the security and usability claims of the efforts we support.
More generally, we aim to take a page from the open-source community and make as much of our work transparent and widely-accessible as possible. This means that as we get into the nitty-gritty of learning how to build collaborations around usably secure software, we will share our developing methodologies and expertise publicly. Over time, this will build a body of community resources that will allow all projects in this space to become more usable and more secure.”
openSUSE has updated curl (13.1, 12.3: two cookie-handling vulnerabilities).
Oracle has updated automake (OL5: code execution from 2012), bind97 (OL5: three vulnerabilities, two from 2013), conga (OL5: multiple vulnerabilities, some going back to 2012), krb5 (OL5: code execution), krb5 (OL5: multiple vulnerabilities, two from 2013), and nss, nspr (multiple vulnerabilities, one from 2013).
SUSE has updated squid3 (SLE11SP3: denial of service).
In a talk entitled “SteamOS Magic”, longtime X developer Keith Packard looked at the new Linux “distribution” and the effort to turn the Linux desktop into a gaming console. It turns out that, with a fairly small amount of code, Steam and SteamOS creator, Valve, was able to take the existing X-based desktop and turn it into a “living-room experience”.
Click below (subscribers only) for the full report from LinuxCon North
On his blog, Raphaël Hertzog reports on the first few months of work on Debian Long Term Support (LTS). Official support for Debian 6.0 (Squeeze) ended in May and the LTS is an effort to continue the support until February 2016 (five years after the original release). Hertzog’s company, Freexian, is collecting subscriptions to pay Debian developers to work on the LTS. Reports from the two developers sponsored, Thorsten Alteholz and Holger Levsen, are also linked from the report.
“It’s worth noting that Freexian sponsored Holger’s work to fix the security tracker to support squeeze-lts. It’s my belief that using the money of our sponsors to make it easier for everybody to contribute to Debian LTS is money well spent.
As evidenced by the progress bar on Freexian’s offer page, we have not yet reached our minimal goal of funding the equivalent of a half-time position. And it shows in the results, the dla-needed.txt still shows around 30 open issues. This is slightly better than the state two months ago but we can improve a lot on the average time to push out a security update…”
(Thanks to Paul Wise.)
At the ClusterHQ blog, Richard Yao looks at the current status of the ZFSOnLinux (ZoL) project. He argues that ZoL is ready for production use for a number of different reasons, all of which boil down to the belief that the ZFS filesystem port to Linux has achieved the same level of data integrity, runtime stability, and features as have the other platforms where ZFS runs. “Sharing a common code base with other Open ZFS platforms has given ZFS on Linux the opportunity to rapidly implement features available on other Open ZFS platforms. At present, Illumos is the reference platform in the Open ZFS community and despite its ZFS driver having hundreds of features, ZoL is only behind on about 18 of them.”
Fedora has updated qemu (F20:
CentOS has updated xulrunner (C7: two vulnerabilities), firefox (C7; C6; C5: two
(C7: SSL server spoofing), kernel (C5: denial of service), squid (C6; C5: two denial of service flaws, one from 2013), squid (C7: denial of service), and thunderbird (C6; C5: two vulnerabilities).
Oracle has updated firefox (OL6: two vulnerabilities), httpcomponents-client (OL7: SSL server spoofing), squid (OL6; OL5: two denial of service flaws, one from 2013), squid (OL7: denial of service), and thunderbird (OL6: two vulnerabilities).
Red Hat has updated firefox (two
(RHEL7: SSL server spoofing), kernel (RHEL5: denial of service), squid (RHEL5&6: two denial of service flaws, one from 2013), squid (RHEL7: denial of service), and thunderbird (RHEL5&6: two vulnerabilities).
The Linux Foundation has announced a new conference called “Vault” that will focus on storage and filesystems for Linux. It will be co-located with the annual invitation-only Linux Storage, Filesystem and Memory Management Summit and will be held March 11-12, 2015 at the Revere Hotel in Boston. “’90% of the world’s data has been created in the last few years and most of that data is being stored and accessed via a Linux-based system,’ said Linux Foundation Chief Marketing Officer Amanda McPherson. ‘Now is the ideal time to bring the open source community together in this new forum, Vault, to collaborate on new methods of improving capacity, efficiency and security to manage the huge data volumes envisioned in the coming years. By bringing together the leading minds of Linux file systems and storage and our members who are pushing the limits of what is possible, Vault should expand the state of the art in Linux.’”
Russell Pavlicek looks at the rivalry between containers and hypervisors over at Linux.com. He outlines the arguments for and against each, and follows it up with a description of a new contender for a “cloud operating system”: unikernels.
“Unikernel systems create tiny VMs. Mirage OS from the Xen Project incubator, for example, has created several network devices that run kilobytes in size (yes, that’s “kilobytes” – when was the last time you heard of any VM under a megabyte?). They can get that small because the VM itself does not contain a general-purpose operating system per se, but rather a specially built piece of code that exposes only those operating system functions required by the application.
There is no multi-user operating environment, no shell scripts, and no massive library of utilities to take up room – or to subvert in some nefarious exploit. There is just enough code to make the application run, and precious little for a malefactor to leverage. And in unikernels like Mirage OS, all the code that is present is statically type-safe, from the applications stack all the way down to the device drivers themselves. It’s not the “end-all be-all” of security, but it is certainly heading in the right direction.”
On Red Hat’s developer blog, Máirín Duffy has tips for developers on improving their application’s user experience (UX). “Speaking of speeding things up for your users – one way you can do this is to limit the amount of choices users have to make while using your application. It’s you, my application developer friend, that users are relying on as an expert in the ways of whatever it is that your application does. Users trust you to set sane defaults based on your domain expertise; when you set defaults, you are also alleviating users from having to make a choice that – depending on their level of expertise – may be quite hard for them to understand.
This isn’t to say you should eliminate all choices and configuration options from your application! Let users ease into it, though. Give them a good default so that your application requires less of them to start, and as they gain expertise and confidence in using your app over time, they can explore the preferences and change those settings based on their needs when they are ready.”
Debian has updated s3ql (code execution).
Mageia has updated x11vnc (code
Ubuntu has updated squid3 (14.04, 12.04: denial of service).
Kubuntu developer Jonathan Riddell looks at packaging all of the pieces of KDE on his blog. His perspective is, of course, Kubuntu-focused, but the comments contain lengthy responses from Fedora and openSUSE KDE packagers, which makes for a good look at the work distributions put into packaging a huge code base like KDE. “Much of what we package are libraries and if one small bit changes in the library, any applications which use that library will crash. This is ABI and the rules for binary [compatibility] in C++ are nuts. Not infrequently someone in KDE will alter a library ABI without realising. So we maintain symbol files to list all the symbols, these can often feel like more trouble than they’re worth because they need updated when a new version of GCC produces different symbols or when symbols disappear and on investigation they turn out to be marked private and nobody will be using them anyway, but if you miss a change and apps start crashing as nearly happened in KDE PIM last week then people get grumpy.” (Thanks to Robie Basak.)
Greg Kroah-Hartman has announced the release of five new stable kernels: 3.16.1, 3.15.10, 3.14.17, 3.10.53, and 3.4.103. As usual, each has important fixes and users should upgrade. In addition, this is the last 3.15.x release, so users should be switching to the 3.16 series.
Debian has updated gpgme1.0 (code
openSUSE has updated flash-player (13.1, 12.3: multiple vulnerabilities).