Author Archive

LWN.net: [$] LWN.net Weekly Edition for October 9, 2014

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The LWN.net Weekly Edition for October 9, 2014 is available.

LWN.net: Schaller: Fedora Workstation Progress Report (Wayland and more)

Christian Schaller has a lengthy update on the progress of Fedora 21. He looks at a number of different features, including Wayland, GNOME 3.14, software installation (dnf and “Software”), and more. “This also highlights one of the advantages of the new Fedora product model where we have one clear desktop product we are targeting, that we can define operating system standards for things like application metadata and apply them to the system as a whole. So for Fedora 22 we expect to make appdata metadata a mandatory part of the application packaging for Fedora, ensuring that any desktop application packaged for Fedora is easily discoverable by our users. In the old ‘bucket of parts’ model these things would in practice not happen as there was no clear target that everyone was expected to aim for.”

LWN.net: Karlitschek: A possible future for PHP

On his blog, ownCloud founder Frank Karlitschek ponders the future of PHP. He doesn’t regret choosing PHP for ownCloud, but does note that the language suffers from its mid-1990s roots, which he would like to see cleaned up and fixed at some point—in a fully compatible way. “I wish PHP would do something that makes it possible to evolve and improve the language significantly but still provides a smooth migration experience not like Perl and Python did with introducing completely new backward incompatible releases.

So a good solution would be if PHP 6 or 7 [would] introduce a new tag to start a php file. For example <?PHPNEXT instead of <?PHP. Both modes are fully supported by the new PHP version and can be used in parallel in the same application or even in the same file. In the NEXT section the new and improved syntax is used.” He goes on to list the changes he would like to see in the language.

LWN.net: Security updates for Thursday

Oracle has updated libvirt (OL7: two vulnerabilities).

Red Hat has updated libvirt (RHEL7: two vulnerabilities).

LWN.net: [$] Bash gets shellshocked

It’s been a crazy week for the Bash shell, its maintainer, and many Linux distributions that use the shell. A remote code-execution vulnerability that was reported on September 24 has now morphed into multiple related vulnerabilities, which have now mostly been fixed and updates released by distributions. The vulnerabilities have been dubbed “Shellshock” and the technical (and mainstream) press has had a field day reporting on the incident. It all revolves around a somewhat dubious Bash feature, but the widespread use of Bash in places where it may not really make sense contributed to the severity of the bug.

LWN.net: Mahinovs: Distributing third party applications via Docker?

On his blog, Aigars Mahinovs considers an alternative to Lennart Poettering’s recent thoughts about how Linux systems should be constructed. Mahinovs advocates a Docker-based approach.

Third party application developer writes a new game for Linux. As his target he chooses one of the “application runtime” Docker images on Docker Hub. Let’s say he chooses the latest Debian stable release. In that case he writes a simple Dockerfile that installs his build-dependencies and compiles his game in “debian-app-dev:wheezy” container. The output of that is a new folder containing all the compiled game resources and another Dockerfile – this one describes the runtime dependencies of the game. Now when a docker image is built from this compiled folder, it is based on “debian-app:wheezy” container that no longer has any development tools and is optimized for speed and size. After this build is complete the developer exports the Docker image into a file. This file can contain either the full system needed to run the new game or (after #8214 is implemented) just the filesystem layers with the actual game files and enough meta-data to reconstruct the full environment from public Docker repos. The developer can then distribute this file to the end user in the way that is comfortable for them.

LWN.net: Bugging out: How rampant online piracy squashed one insect photographer (Ars Technica)

As many in the free-software world know, copyright is, at best, a double-edged sword. Copyright law is what allows the various free and open-source licenses, but enforcing that copyright (i.e. adherence to the license) is expensive and time-consuming. Ars Technica has the tale of a bug photographer who details his woes in trying to protect his photographs. “While the stereotypical copyright story pits private users against large corporate rights-holders, real-world cases are often more complex. After all, most content creators are private, and many content users—as well as content infringers—are corporate. The corporate infringements are the most frustrating, as I live off photo licenses issued to corporations in the same sectors.

Licensing only works in a world where commercial content users like these must obtain permission from content creators. As long as I have the right to dispense permission, I am in a position to earn back the roughly $50 I spend to create each photograph. Money is time; I use my time to invest in more images, and the cycle continues. This is how copyright is supposed to work, and most of my photographs could not exist without it.”

LWN.net: Thursday’s security updates

Debian has updated iceweasel (signature forgery) and nss (signature forgery).

Fedora has updated bash (F20; F19: code injection), moodle (F20: multiple vulnerabilities), not-yet-commons-ssl (F20; F19: hostname verification botch), phpMyAdmin (F20; F19: privilege escalation), procmail (F19: code execution), wireshark (F20: yet another pile of dissector flaws), and xerces-j2 (F20; F19: denial of service from 2013).

Gentoo has updated bash (code injection) and bash (fix to the previous update for the code injection vulnerability).

Mageia has updated bash (code injection), curl (M4; M3: cookie handling), php-pear-CAS (privilege escalation), and wireshark (yet another pile of dissector flaws).

Mandriva has updated bash (code injection), curl (two cookie-handling vulnerabilities), nss (signature forgery), and wireshark (yet another pile of dissector flaws).

Oracle has updated bash (OL7; OL6; OL5; OL4: code injection).

Scientific Linux has updated bash (code injection).

Slackware has updated bash (code injection) and mozilla (signature forgery).

SUSE has updated bash (SLE11SP3, SLE10SP4; SLE11SP1: code injection) and bash (SLE10SP3: two vulnerabilities, one from 2012).

Ubuntu has updated bash (14.04, 12.04, 10.04: code injection), firefox (14.04, 12.04: signature forgery), nss (14.04, 12.04, 10.04: signature forgery), and thunderbird (14.04, 12.04: signature forgery).

LWN.net: [$] Schneier on incident response

Bruce Schneier is a cryptographer and security specialist who is well-known in computer circles even though he has often branched into more general security areas in recent years. His blog is a great source of security news (and of “quotes of the week” for the Security page, as readers know). Beyond all that, he travels to many security conferences to give talks, which is just what he did at AppSec USA in Denver on September 18. The keynote topic was “incident response” (IR), which is an area that is finally getting more attention in the security-product space, he said.

LWN.net: Friday’s security advisories

Debian has updated apt (regression in previous security update).

Fedora has updated apache-poi (F20: two XML handling flaws), asterisk (F20; F19: denial of service), haproxy (F20: unspecified vulnerabilities), kernel (F20: three vulnerabilities), pdns-recursor (F20; F19: denial of service), polkit-qt (F20; F19: authorization bypass), and ReviewBoard (F19: two vulnerabilities).

openSUSE has updated lua (code execution) and squid (denial of service).

LWN.net: Simply Secure announces itself

A new organization to “make security easy and fun” has announced itself in a blog post entitled “Why Hello, World!”. Simply Secure is targeting the usability of security solutions: “If privacy and security aren’t easy and intuitive, they don’t work. Usability is key.”
The organization was started by Google and Dropbox; it also has the Open Technology Fund as one of its partners.
“To build trust and ensure quality outcomes, one core component of our work will be public audits of interfaces and code. This will help validate the security and usability claims of the efforts we support.

More generally, we aim to take a page from the open-source community and make as much of our work transparent and widely-accessible as possible. This means that as we get into the nitty-gritty of learning how to build collaborations around usably secure software, we will share our developing methodologies and expertise publicly. Over time, this will build a body of community resources that will allow all projects in this space to become more usable and more secure.”

LWN.net: Thursday’s security advisories

Debian has updated icedove (two vulnerabilities) and libav (multiple unspecified vulnerabilities).

openSUSE has updated curl (13.1, 12.3: two cookie-handling vulnerabilities).

Oracle has updated automake (OL5: code execution from 2012), bind97 (OL5: three vulnerabilities, two from 2013), conga (OL5: multiple vulnerabilities, some going back to 2012), krb5 (OL5: code execution), krb5 (OL5: multiple vulnerabilities, two from 2013), and nss, nspr (multiple vulnerabilities, one from 2013).

SUSE has updated squid3 (SLE11SP3: denial of service).

LWN.net: [$] X and SteamOS

In a talk entitled “SteamOS Magic”, longtime X developer Keith Packard looked at the new Linux “distribution” and the effort to turn the Linux desktop into a gaming console. It turns out that, with a fairly small amount of code, Steam and SteamOS creator Valve was able to take the existing X-based desktop and turn it into a “living-room experience”.

Click below (subscribers only) for the full report from LinuxCon North America.

LWN.net: Hertzog: Freexian’s first report about Debian Long Term Support

On his blog, Raphaël Hertzog reports on the first few months of work on Debian Long Term Support (LTS). Official support for Debian 6.0 (Squeeze) ended in May and the LTS is an effort to continue the support until February 2016 (five years after the original release). Hertzog’s company, Freexian, is collecting subscriptions to pay Debian developers to work on the LTS. Reports from the two developers sponsored, Thorsten Alteholz and Holger Levsen, are also linked from the report.
“It’s worth noting that Freexian sponsored Holger’s work to fix the security tracker to support squeeze-lts. It’s my belief that using the money of our sponsors to make it easier for everybody to contribute to Debian LTS is money well spent.

As evidenced by the progress bar on Freexian’s offer page, we have not yet reached our minimal goal of funding the equivalent of a half-time position. And it shows in the results: the dla-needed.txt still shows around 30 open issues. This is slightly better than the state two months ago but we can improve a lot on the average time to push out a security update…”

(Thanks to Paul Wise.)

LWN.net: Yao: The State of ZFS on Linux

At the ClusterHQ blog, Richard Yao looks at the current status of the ZFSOnLinux (ZoL) project. He argues that ZoL is ready for production use for a number of different reasons, all of which boil down to the belief that the ZFS filesystem port to Linux has achieved the same level of data integrity, runtime stability, and features as have the other platforms where ZFS runs. “Sharing a common code base with other Open ZFS platforms has given ZFS on Linux the opportunity to rapidly implement features available on other Open ZFS platforms. At present, Illumos is the reference platform in the Open ZFS community and despite its ZFS driver having hundreds of features, ZoL is only behind on about 18 of them.”

LWN.net: Thursday’s security advisories

Debian has updated curl (two cookie-handling vulnerabilities) and file (regression in previous security update).

Fedora has updated qemu (F20: information leak).

openSUSE has updated glibc (13.1, 12.3: three vulnerabilities) and procmail (13.1, 12.3: code execution).

Oracle has updated kernel 2.6.39 (OL6; OL5: denial of service), kernel 2.6.32 (OL6; OL5: two vulnerabilities), kernel 3.8.13 (OL7; OL6: denial of service), and procmail (OL5: code execution).

SUSE has updated firefox (SLE11SP2: two vulnerabilities) and LibreOffice (SLE11SP3: two vulnerabilities, one from 2013).

LWN.net: Stable kernels 3.16.2, 3.14.18, and 3.10.54

Greg Kroah-Hartman has announced the latest batch of stable kernels: 3.16.2, 3.14.18, and 3.10.54. As usual, these new kernels contain fixes throughout the tree; users of these series should upgrade.

LWN.net: Thursday’s security advisories

CentOS has updated xulrunner (C7: two vulnerabilities), firefox (C7; C6; C5: two vulnerabilities), httpcomponents-client (C7: SSL server spoofing), kernel (C5: denial of service), squid (C6; C5: two denial of service flaws, one from 2013), squid (C7: denial of service), and thunderbird (C6; C5: two vulnerabilities).

Gentoo has updated dhcpcd (denial of service) and mysql (many vulnerabilities, mostly unspecified, some from 2013).

Oracle has updated firefox (OL6: two vulnerabilities), httpcomponents-client (OL7: SSL server spoofing), squid (OL6; OL5: two denial of service flaws, one from 2013), squid (OL7: denial of service), and thunderbird (OL6: two vulnerabilities).

Red Hat has updated firefox (two vulnerabilities), httpcomponents-client (RHEL7: SSL server spoofing), kernel (RHEL5: denial of service), squid (RHEL5&6: two denial of service flaws, one from 2013), squid (RHEL7: denial of service), and thunderbird (RHEL5&6: two vulnerabilities).

Ubuntu has updated gnupg (12.04, 10.04: key disclosure) and libgcrypt11 (14.04, 12.04, 10.04: key disclosure).

LWN.net: Linux Foundation creates a new storage and filesystems conference: Vault

The Linux Foundation has announced a new conference called “Vault” that will focus on storage and filesystems for Linux. It will be co-located with the annual invitation-only Linux Storage, Filesystem and Memory Management Summit and will be held March 11-12, 2015 at the Revere Hotel in Boston. “‘90% of the world’s data has been created in the last few years and most of that data is being stored and accessed via a Linux-based system,’ said Linux Foundation Chief Marketing Officer Amanda McPherson. ‘Now is the ideal time to bring the open source community together in this new forum, Vault, to collaborate on new methods of improving capacity, efficiency and security to manage the huge data volumes envisioned in the coming years. By bringing together the leading minds of Linux file systems and storage and our members who are pushing the limits of what is possible, Vault should expand the state of the art in Linux.’”

LWN.net: Containers vs Hypervisors: The Battle Has Just Begun (Linux.com)

Russell Pavlicek looks at the rivalry between containers and hypervisors over at Linux.com. He outlines the arguments for and against each, and follows it up with a description of a new contender for a “cloud operating system”: unikernels.
“Unikernel systems create tiny VMs. Mirage OS from the Xen Project incubator, for example, has created several network devices that run kilobytes in size (yes, that’s “kilobytes” – when was the last time you heard of any VM under a megabyte?). They can get that small because the VM itself does not contain a general-purpose operating system per se, but rather a specially built piece of code that exposes only those operating system functions required by the application.

There is no multi-user operating environment, no shell scripts, and no massive library of utilities to take up room – or to subvert in some nefarious exploit. There is just enough code to make the application run, and precious little for a malefactor to leverage. And in unikernels like Mirage OS, all the code that is present is statically type-safe, from the applications stack all the way down to the device drivers themselves. It’s not the “end-all be-all” of security, but it is certainly heading in the right direction.”

LWN.net: 5 UX Tips for Developers (Red Hat developer blog)

On Red Hat’s developer blog, Máirín Duffy has tips for developers on improving their application’s user experience (UX). “Speaking of speeding things up for your users – one way you can do this is to limit the amount of choices users have to make while using your application. It’s you, my application developer friend, that users are relying on as an expert in the ways of whatever it is that your application does. Users trust you to set sane defaults based on your domain expertise; when you set defaults, you are also alleviating users from having to make a choice that – depending on their level of expertise – may be quite hard for them to understand.

This isn’t to say you should eliminate all choices and configuration options from your application! Let users ease into it, though. Give them a good default so that your application requires less of them to start, and as they gain expertise and confidence in using your app over time, they can explore the preferences and change those settings based on their needs when they are ready.”

LWN.net: Security updates for Thursday

Debian has updated s3ql (code execution).

Mageia has updated x11vnc (code execution).

openSUSE has updated phpMyAdmin (13.1, 12.3: multiple vulnerabilities) and python3 (12.3: two vulnerabilities).

Ubuntu has updated squid3 (14.04, 12.04: denial of service).

LWN.net: Riddell: Upstream and Downstream: why packaging takes time

Kubuntu developer Jonathan Riddell looks at packaging all of the pieces of KDE on his blog. His perspective is, of course, Kubuntu-focused, but the comments contain lengthy responses from Fedora and openSUSE KDE packagers, which makes for a good look at the work distributions put into packaging a huge code base like KDE. “Much of what we package are libraries and if one small bit changes in the library, any applications which use that library will crash. This is ABI and the rules for binary [compatibility] in C++ are nuts. Not infrequently someone in KDE will alter a library ABI without realising. So we maintain symbol files to list all the symbols, these can often feel like more trouble than they’re worth because they need updated when a new version of GCC produces different symbols or when symbols disappear and on investigation they turn out to be marked private and nobody will be using them anyway, but if you miss a change and apps start crashing as nearly happened in KDE PIM last week then people get grumpy.” (Thanks to Robie Basak.)

LWN.net: Five new stable kernels

Greg Kroah-Hartman has announced the release of five new stable kernels: 3.16.1, 3.15.10, 3.14.17, 3.10.53, and 3.4.103. As usual, each has important fixes and users should upgrade. In addition, this is the last 3.15.x release, so users should be switching to the 3.16 series.

LWN.net: Security advisories for Thursday

CentOS has updated openssl (C7; C6; C5: multiple vulnerabilities).

Debian has updated gpgme1.0 (code execution).

Gentoo has updated adobe-flash (multiple vulnerabilities), catfish (multiple privilege escalations), and libpng (three vulnerabilities, two from 2013).

openSUSE has updated flash-player (13.1, 12.3: multiple vulnerabilities).

Oracle has updated openssl (OL7; OL6; OL5: multiple vulnerabilities).

Red Hat has updated openssl (RHEL6&7; RHEL5: multiple vulnerabilities).

Scientific Linux has updated openssl (SL6; SL5: multiple vulnerabilities).