Author Archive

LWN.net: [$] Django Girls one year later

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Though it got a bit of a late start due to some registration woes, the
first day of EuroPython 2015
began with an engaging and well-received keynote. It recounted the history
of a project that got its start just a year ago when the first Django Girls workshop was held at
EuroPython 2014 in Berlin. The two women who started the
project, Ola Sitarska and Ola Sendecka, spoke about how the workshop
to teach women about Python and the Django web framework all came
together—and the amazing progress that has been made by the organization in
its first year.

LWN.net: Calculating the “truck factor” for GitHub projects

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The idea of a truck or bus factor (or number) has been—morbidly, perhaps—bandied about in development projects for many years. It is a rough measure of how many developers would have to be lost (e.g. hit by a bus) to effectively halt the project. A new paper [PDF] outlines a method to try to calculate this number for various GitHub projects. Naturally, it has its own GitHub project with a description of the methodology used and some of the results. It was found that 46% of the projects looked at had a truck factor of 1, while 28% were at 2. Linux scored the second highest at 90, while the Mac OS X Homebrew package manager had the highest truck factor at 159.

LWN.net: Security updates for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

CentOS has updated java-1.7.0-openjdk (C7; C6; C5: many vulnerabilities),
java-1.8.0-openjdk (C7; C6: many vulnerabilities), and kernel (C6: multiple vulnerabilities, one from
2011).

Debian-LTS has updated python-django (three vulnerabilities).

Fedora has updated cryptopp (F22; F21:
information disclosure), drupal7-feeds (F22; F21:
three vulnerabilities), rsyslog (F22:
denial of service), and springframework (F22; F21:
denial of service).

openSUSE has updated bind (13.2; 13.1:
three vulnerabilities, one from 2014).

Oracle has updated java-1.7.0-openjdk (OL7; OL6: unspecified),
java-1.8.0-openjdk (OL7; OL6: unspecified), kernel 3.8.13 (OL7; OL6: two vulnerabilities),
kernel 2.6.39 (OL6; OL5: two vulnerabilities),
and kernel 2.6.32 (OL6; OL5: denial of service).

Scientific Linux has updated java-1.7.0-openjdk (SL5; SL6&7: many vulnerabilities), java-1.8.0-openjdk (SL6&7: many
vulnerabilities), and kernel (SL6: multiple
vulnerabilities, one from 2011).

LWN.net: [$] Python 3.5 is on its way

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

It has been nearly a year and a half since the last major Python release,
which was 3.4 in March 2014—that means it is about time for
Python 3.5. We looked at some of the new
features in 3.4 at the time of its first release candidate, so the announcement of the penultimate beta release
for 3.5 seems like a good time to see what will be coming in the new release.

LWN.net: FSF and SFC work with Canonical on an “intellectual property” policy update

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The Free Software Foundation (FSF) and Software Freedom Conservancy (SFC) have both put out statements about a change to the Canonical, Ltd. “intellectual property” policy that was negotiated over the last two years (FSF statement and SFC statement). Effectively, Canonical has added a “trump clause” that clarifies that the licenses of the individual packages override the Canonical policy when there is a conflict. Though, as SFC points out: “While a trump clause is a reasonable way to comply with the GPL in a secondary licensing document, the solution is far from ideal. Redistributors of Ubuntu have little choice but to become expert analysts of Canonical, Ltd.’s policy. They must identify on their own every place where the policy contradicts the GPL. If a dispute arises on a subtle issue, Canonical, Ltd. could take legal action, arguing that the redistributor’s interpretation of GPL was incorrect. Even if the redistributor was correct that the GPL trumped some specific clause in Canonical, Ltd.’s policy, it may be costly to adjudicate the issue.” While backing the change made, both FSF and SFC recommend further changes to make the situation even more clear.

LWN.net: Microservices 101: The good, the bad and the ugly (ZDNet)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

ZDNet has an interview about “microservices” with Red Hat VP engineering for middleware, Dr. Mark Little. Microservices are a relatively recent software architecture that relies on small, easily replaced components and is an alternative to the well-established service-oriented architecture (SOA)—but it is not a panacea:
“‘Just because you adopt microservices doesn’t suddenly mean your badly architected ball of mud is suddenly really well architected and no longer a ball of mud. It could just be lots of distributed balls of mud,’ Little said.

‘That worries me a bit. I’ve been around service-oriented architecture for a long time and know the plus points and the negative points. I like microservices because it allows us to focus on the positive points but it does worry me that people see it as the answer to a lot of problems that it’s never going to be the answer for.’”

LWN.net: A new crop of stable kernels

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Greg Kroah-Hartman has announced the release of the 4.1.2, 4.0.8,
3.14.48, and 3.10.84 stable kernels. All contain important
fixes and users should upgrade. In addition, this is the second to last
4.0.x release (i.e. there will be a 4.0.9, but that’s the last), so users
should be making plans to move to 4.1.x.

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Arch Linux has updated openssl
(certificate verification botch).

CentOS has updated php (C6: many
vulnerabilities, some from 2014).

Debian has updated pdns (full fix
for denial of service) and pdns-recursor
(full fix for denial of service).

Gentoo has updated adobe-flash
(multiple vulnerabilities, one from 2014), chromium (multiple vulnerabilities), mysql (multiple vulnerabilities), net-snmp (denial of service from 2014), openssl (certificate verification botch), oracle-jre-bin (multiple vulnerabilities, some
from 2014), perl (denial of service from
2013), portage (certificate verification
botch from 2013), pypam (code execution
from 2012), and t1utils (multiple vulnerabilities).

Mageia has updated openssl
(certificate verification botch).

openSUSE has updated MariaDB
(13.2, 13.1: many vulnerabilities, some from 2014).

Oracle has updated php (OL6: many
vulnerabilities, some from 2014).

Red Hat has updated php (RHEL6:
many vulnerabilities, some from 2014) and php54-php (RHSC2: multiple vulnerabilities).

Scientific Linux has updated php
(SL6: many vulnerabilities, some from 2014).

Slackware has updated openssl
(certificate verification botch).

Ubuntu has updated firefox
(15.04, 14.10, 14.04: multiple vulnerabilities) and nss (two vulnerabilities).

LWN.net: Security advisories for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Debian has updated python-django
(two vulnerabilities).

Mageia has updated bind (denial
of service), cups-filters (two code
execution vulnerabilities), flash-player-plugin (many vulnerabilities), openssh (access restriction bypass), and virtuoso-opensource (multiple unspecified vulnerabilities).

openSUSE has updated flash-player
(11.4: unspecified vulnerabilities), libwmf
(13.2, 13.1: multiple vulnerabilities), mysql-community-server (13.2, 13.1: cipher
downgrade), tiff (13.2, 13.1: multiple
vulnerabilities), and wireshark (13.2: two
denial of service vulnerabilities).

Red Hat has updated flash-plugin
(RHEL5&6: many vulnerabilities).

SUSE has updated flash-player
(SLE12: many vulnerabilities).

Ubuntu has updated python-django
(two vulnerabilities).

LWN.net: [$] A preview of PostgreSQL 9.5

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The PostgreSQL 9.5
alpha release
is now available for testing. In this feature article,
PostgreSQL core team member Josh Berkus discusses the need for an alpha
release and introduces a number of the new features that will show up in
9.5.

LWN.net: Security advisories for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

CentOS has updated openssl (C5:
three vulnerabilities).

Debian-LTS has updated unattended-upgrades (improper package authentication).

LWN.net: [$] News and updates from DockerCon 2015

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

DockerCon on June 22 and 23 was
a much bigger affair than CoreOSFest or ContainerCamp was. DockerCon rented out
the San Francisco Marriott for the event; the keynote ballroom seats 2000.
That’s a pretty dramatic change from the first
DockerCon
last year, with roughly 500 attendees; it shows the huge
growth of interest in Linux containers. Or maybe, given that it’s Silicon
Valley, what you’re seeing is the magnetic power of $95 million in round-C
funding.

Subscribers can click below for a report from DockerCon by guest author
Josh Berkus.

LWN.net: Ardour 4.1 released

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Version 4.1 of the Ardour digital audio workstation software has been released. There are some new features in the release including input gain control, support for capture-only and playback-only devices, a real “Save As” option (with the old option being renamed to “Snapshot (& switch to new version)”), and allowing plugins to be reordered and meter positions to change without adding a click into the audio. There are also lots of user interface changes, including better High-DPI support. “This release contains several new features, both internally and in the user interface, and a slew of bug fixes worthy of your attention. Encouragingly, we also have one of our longest ever contributor lists for this release.

We had hoped to be on a roughly monthly release cycle after the release of 4.0, but collaborations with other organizations delayed 4.1 by nearly a month.”

LWN.net: Thursday’s security updates

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

CentOS has updated nss (C7;
C6: cipher downgrade) and nss-util (C7; C6: cipher downgrade).

Debian has updated cacti (three vulnerabilities).

Fedora has updated xen (F20: multiple vulnerabilities).

Oracle has updated kernel 2.6.39 (OL6; OL5: two
vulnerabilities), kernel 3.8.13 (OL7; OL6: two
vulnerabilities), and kernel 2.6.32 (OL6; OL5: two
vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), flash-plugin (RHEL5&6: code execution), nss (RHEL6&7: cipher downgrade), php55-php (RHSC2: multiple vulnerabilities), and rh-php56-php (RHSC2: multiple vulnerabilities).

Scientific Linux has updated libreswan (SL7: denial of service) and php (SL7: multiple vulnerabilities).

SUSE has updated IBM Java
(SLE10SP4: multiple vulnerabilities) and Java (SLE11SP2: multiple vulnerabilities).

Ubuntu has updated python2.7,
python3.2, python3.4
(14.10, 14.04, 12.04: multiple vulnerabilities, some from 2013), tomcat6 (12.04: three vulnerabilities), and tomcat7 (15.04, 14.10, 14.04: multiple vulnerabilities).

LWN.net: [$] A report from PGCon 2015

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

PGCon 2015, the PostgreSQL
international developer conference, took place in Ottawa, Canada from June
16 to 20. This PGCon involved a change in format from prior editions, with
a “developer unconference” in the two days before the main conference
program. Both the conference and the unconference covered a wide range of
topics, many of them related to horizontal or vertical scaling, or to new
PostgreSQL features.

Subscribers can click below for a report from the conference from guest author Josh Berkus.

LWN.net: The long ARM of Linux: Red Hat Enterprise Linux Server for ARM Development Preview (Red Hat Blog)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

In a post on the Red Hat Blog, the company has announced a version of Red Hat Enterprise Linux (RHEL) for ARM development. “Today, we are making the Red Hat Enterprise Linux Server for ARM Development Preview 7.1 available to all current and future members of the Red Hat ARM Partner Early Access Program as well as their end users as an unsupported development platform, providing a common standards-based operating system for existing 64-bit ARM hardware. Beyond this release, we plan to continue collaborating with our partner ISVs and OEMs, end users, and the broader open source community to enhance and refine the platform to ultimately work with the next generation of ARM-based designs.” Jon Masters, who is the technical lead for the project, has a lengthy Google+ post about the project and its history over the last 4+ years.

LWN.net: Security updates for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

CentOS has updated cups (C7; C6: three vulnerabilities).

Debian has updated kernel (three vulnerabilities).

Debian-LTS has updated linux-2.6
(multiple vulnerabilities going back to 2011) and openssl (multiple vulnerabilities).

Fedora has updated mbedtls (F20:
code execution), python-requests (F21:
cookie stealing), and python-urllib3 (F21:
proper openssl support).

openSUSE has updated busybox
(13.2, 13.1: code execution) and strongswan
(13.2, 13.1: information disclosure).

Oracle has updated cups (OL7; OL6:
three vulnerabilities).

Red Hat has updated cups
(RHEL6&7: three vulnerabilities).

Scientific Linux has updated cups
(SL6&7: three vulnerabilities).

LWN.net: [$] LWN.net Weekly Edition for June 18, 2015

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The LWN.net Weekly Edition for June 18, 2015 is available.

LWN.net: [$] Micro Python on the pyboard

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

A 2013 Kickstarter
project
brought us Micro Python, which is a version
of Python 3 for microcontrollers, along with the pyboard to
run it on. Micro Python is a complete rewrite of the interpreter that
avoids some of the CPython (the canonical Python interpreter written in C)
implementation details that don’t work well on microcontrollers.
I recently got my hands on a pyboard and decided to give it—and
Micro Python—a try.

LWN.net: The hidden costs of embargoes (Red Hat Security Blog)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Over at the Red Hat Security Blog, Kurt Seifried looks at the costs of security embargoes. Keeping the information about security vulnerabilities quiet until distributions can coordinate their releases of a fix for it seems like it makes a lot of sense, but there are hidden costs to that. “Patch creation with an embargoed issue means only the researcher and upstream participating. The end result of this is often patches that are incomplete and do not fully address the issue. This happened with the Bash Shellshock issue (CVE-2014-6271) where the initial patch, and even subsequent patches, were incomplete resulting in several more CVEs (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169). For a somewhat complete listing of such examples simply search the CVE database for ‘because of an incomplete fix for’.”

LWN.net: Security advisories for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

CentOS has updated kernel (C6:
multiple vulnerabilities) and qemu-kvm (C6: code execution).

Debian-LTS has updated wireshark
(WCP dissector crash).

Fedora has updated cabal-install
(F22: force digest authentication), freecad
(F22: code execution), fusionforge (F22; F21: code
execution), haskell-platform (F22: force
digest authentication), less (F21:
information leak), libreswan (F22;
F21: denial of service), python-tornado (F21: TLS side-channel attack),
and thermostat (F21: code execution).

openSUSE has updated proftpd
(13.2, 13.1: two vulnerabilities, one from 2013), wpa_supplicant (13.2, 13.1: three
vulnerabilities), and zeromq (13.2, 13.1:
protocol downgrade).

Oracle has updated qemu-kvm (OL6:
code execution) and kernel (OL6; OL5: three vulnerabilities).

Red Hat has updated qemu-kvm
(RHEL6: code execution) and qemu-kvm-rhev
(RHEL6OSP: code execution).

Scientific Linux has updated abrt
(SL7: multiple vulnerabilities) and qemu-kvm (SL6: code execution).

Ubuntu has updated kernel (15.04; 14.10;
14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: two vulnerabilities),
linux-lts-utopic (14.04: two
vulnerabilities), linux-lts-vivid (14.04:
three vulnerabilities), and linux-ti-omap4
(12.04: multiple vulnerabilities).

LWN.net: Let’s Encrypt Root and Intermediate Certificates

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

The Let’s Encrypt project has announced that it has created the root and intermediate keys and certificates it will use to sign certificates. Let’s Encrypt is the no-cost certificate authority announced by the Electronic Frontier Foundation (EFF) back in November. In April, the Linux Foundation announced that it would be hosting the project. “The keys and certificates that will underlie Let’s Encrypt have been generated. This was done during a key ceremony at a secure facility today.” The intermediate certificates will be cross-signed by IdenTrust so that they will be accepted by browsers before the Let’s Encrypt root certificate has been propagated. A bit more news from the blog post: “In the next few weeks, we’ll be saying some more about our plans for going live.”

LWN.net: Security updates for Friday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Arch Linux has updated pcre (code
execution).

CentOS has updated openssl (C7; C6: cipher
downgrade).

Fedora has updated batik (F22; F21; F20: information leak), netty (F21: httpOnly cookie bypass), and
pcs (F22; F21; F20: two vulnerabilities).

openSUSE has updated e2fsprogs (13.2; 13.1:
two vulnerabilities) and fuse (13.1:
privilege escalation).

Oracle has updated openssl (OL7; OL6:
cipher downgrade).

Red Hat has updated openssl
(RHEL6&7: cipher downgrade).

LWN.net: GNU Octave 4.0.0 Released

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

GNU Octave, which is a
high-level programming language for numerical computations that is largely
compatible with MATLAB, has made its 4.0 release. There are lots of new
features in this major release, which are described in the release notes.
Some of those features include defaulting to the graphical user interface
instead of the command-line interface, OpenGL graphics and Qt widgets by
default, a new syntax for object-oriented programming using
classdef, audio functions, better MATLAB compatibility, and more.