Author Archive

LWN.net : Linus Torvalds is a finalist for the Millennium Technology Prize

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Technology Academy Finland has announced that Linus Torvalds is one of two finalists for the Millennium Technology Prize. “Technology Academy Finland has today declared two prominent innovators, Linus Torvalds and Dr Shinya Yamanaka, laureates of the 2012 Millennium Technology Prize, the prominent award for technological innovation. The laureates, who will follow in the footsteps of past victors such as World Wide Web creator Sir Tim Berners-Lee, will be celebrated at a ceremony in Helsinki, Finland, on Wednesday 13 June 2012, when the winner of the Grand Prize will be announced. The prize pool exceeds EUR 1 Million.” The Linux Foundation has also put out a
press release about the prize.

LWN.net : [$] LFCS 2012: The future of GLIBC

The core library that sits between user space and the kernel, the GNU C
library (or GLIBC), has undergone some changes recently in its governance, at least
partly to make it a more inclusive project. On the last day of the Linux
Foundation Collaboration Summit, Carlos O’Donell gave an update on the
project, the way it will be governed moving forward, and its plans for the
future. GLIBC founder Roland McGrath was on hand to contribute his thoughts
as well. Click below (subscribers only) for the full report.

LWN.net : Natterer: Goat Invasion in GIMP

On his blog, Michael Natterer writes about some major progress in making GIMP work with the Generic Graphics Library (GEGL), which will allow GIMP to handle images with more than 8-bits-per-channel among other things. “About 5 weeks ago, I happened to pick up Øyvind Kolås, aka Pippin the Goatkeeper to stay at my place for about a week and do some hacking. After one day, without intending it, we started to do some small GEGL hacking in GIMP, just in order to verify an approach that seemed a good migration [strategy] for the future porting. [...] What was planned as a one week visit turned into 3 weeks of GEGL porting madness. At the time this article is written, about 90% of the GIMP application’s core are ported to GEGL, and the only thing really missing are GeglOperations for all layer modes.”

LWN.net : PHP: a fractal of bad design (fuzzy notepad)

It’s a bit of a rant, but a blogger known as “Eevee” has put together a detailed criticism of PHP as a language. It covers the flaws Eevee sees in the predictability, consistency, reliability, debug-ability, security, and many other attributes of the web application language.
“PHP is the lone exception. Virtually every feature in PHP is broken somehow. The language, the framework, the ecosystem, are all just bad. And I can’t even point out any single damning thing, because the damage is so systemic. Every time I try to compile a list of PHP gripes, I get stuck in this depth-first search discovering more and more appalling trivia. (Hence, fractal.)” (Thanks to Paul Wise.)

LWN.net : Linux Security Summit 2012 – Announcement and CFP

The Linux Security Summit will be held August 30-31 in conjunction with LinuxCon North America in San Diego, CA. The call for participation is open until May 23. The program committee is looking for proposals in the following topic areas: System hardening, Access control, Cryptography, Integrity control, Hardware security, Networking, Storage, Virtualization, Desktop, Tools, Management, Case studies, and Emerging technologies, threats & techniques (though other security-related topics are encouraged as well).

LWN.net : Langley: False Start’s Failure

On his blog, Adam Langley explains why Google is ending its experiment with False Start, which was meant to speed up the establishment of SSL connections. Problems with hardware SSL terminators seem to be the main thing that derailed the scheme. “False Start was known to cause problems with a very small number of servers and the initial announcement outlined the uncommon scheme that we used to deploy it: we scanned the public Internet and built up a list of problematic sites. That list was built into Chrome and we didn’t use False Start for connections to those sites. Over time the list was randomly eroded away and I’d try to address any issues that came up. (Preemptively so in the case of large sites.)
[...]
It did work to some extent. Many sites that had problems were fixed and it’s a deployment scheme that is worth considering in the future. But it didn’t ultimately work well enough for False Start.”

LWN.net : Critical Flaw Found In Security Pros’ Favorite: Backtrack Linux (threatpost)

A local privilege escalation flaw in wicd (wireless interface connection daemon) was found as part of an “ethical hacking” class using the Backtrack security-oriented Linux distribution. While Backtrack is singled out in the threatpost article, the flaw really resides in wicd and is likely present in other distributions:
The security flaw was discovered in a Backtrack component known as the Wireless Interface Connection Daemon (or WICD). The latest version of Backtrack does a poor job “sanitizing” (or filtering) inputs to the WICD DBUS (Desktop Bus) interface – a component that allows different applications to communicate with each other. That means that attackers can push invalid configuration options to DBUS, which are then written to a WICD wireless settings configuration file. The improper settings could include scripts or executables that would be run when certain events occur – such as the user connecting to a wireless network, according to the post, whose author asked to remain anonymous.

LWN.net : Security updates for Thursday

CentOS has updated tomcat5 (C5:
multiple vulnerabilities) and tomcat6 (C6:
multiple vulnerabilities).

Debian has updated sqlalchemy (SQL
injection).

Fedora has updated openssl (F15: multiple vulnerabilities), mingw32-gnutls (F15: denial of service), mingw32-libtasn1 (F15: denial of service),
moodle (F15; F16: multiple vulnerabilities), and raptor (F16: code execution).

Mandriva has updated rpm (multiple
code execution vulnerabilities) and freetype2 (multiple
vulnerabilities).

openSUSE has updated python-pam
(code execution), file (denial of service),
freetype2 (multiple vulnerabilities), taglib (multiple vulnerabilities), libpng (code execution), chromium (multiple vulnerabilities), phppgadmin (cross-site scripting), and phpmyadmin (path disclosure).

Red Hat has updated tomcat5 (RHEL5:
multiple vulnerabilities), tomcat6
(RHEL6: multiple vulnerabilities), and cumin (RHEL5; RHEL6:
cross-site scripting).

Scientific Linux has updated tomcat5
(SL5: multiple vulnerabilities) and tomcat6
(SL6: multiple vulnerabilities).

SUSE has updated freetype2 (SLE10; SLE11:
multiple vulnerabilities).

Ubuntu has updated linux-lts-backport-maverick (10.04: multiple
vulnerabilities).

LWN.net : [$] LFCS 2012: X and Wayland

Keith Packard has been working on the X window system since the early days,
but more recently has been doing lots of work to enable its replacement. X
has long held the position as the way that graphics is done on Linux (and
other Unix) systems, but that is changing. He came to the Linux Foundation
Collaboration Summit, which was held April 3-5 in San Francisco, to talk
about the Wayland protocol and the Weston server, and how they could
interoperate with X. Wayland
looks to be an interesting change for desktop
graphics on Linux.

LWN.net : Medical device hack attacks may kill, researchers warn (BBC News)

GNOME foundation executive director Karen Sandler makes an appearance in a BBC News article about the security risks of medical implants:

That ideological bent meant she [Sandler] was keen to find out about the computer code running on any device that might be inserted in her body.

Unfortunately, she told the BBC, the implant’s maker would not reveal its software. Its reassurances about the code’s integrity did not help.

“Knowing what I know about software I’m sure it’ll have bugs,” she said.

Ms Sandler was also worried about the fact that increasing numbers of implants broadcast information all the time. That wireless link was a step too far for her.

LWN has covered several talks (1, 2) that Sandler has given on this topic as well.

LWN.net : [$] LFCS 2012: The kernel panel

On the first day of this year’s Linux Foundation Collaboration Summit,
several kernel developers sat down with moderator Greg Kroah-Hartman for
another edition of the kernel panel. The developers covered a wide range
of kernel subsystems, from graphics and memory management, to storage and
networking. As is usual, a lively discussion ensued, covering a number of
topical and longtime kernel concerns.

Click below (subscribers only) for LWN’s report from the event.

LWN.net : Russell: Sources of Randomness for Userspace

On his blog, Rusty Russell digs into sources of randomness for user-space programs (other than just reading /dev/urandom). “There are three obvious classes of randomness: things about the particular machine we’re on, things about the particular boot of the machine we’re on, and things which will vary every time we ask.” He goes on to look at examples in each category and give a rough guess of the number of bits of entropy each would produce.

LWN.net : openSUSE Summit website up and CfP started

The call for proposals for the openSUSE Summit, which will be held September 21-23, 2012 in Orlando, Florida, is now open. Submissions will be accepted until June 15 for sessions in three different tracks: “openSUSE Community”, “openSUSE Tech”, or “open World”—there is also a category for “fun” proposals: “The openSUSE Summit, by virtue of being an openSUSE event, has fun high on
the agenda. Therefore, proposals that are “outside the box” of a “regular”
software focused conference are encouraged. Collaboratively Building a Giant
Paper Mache Geeko has already been proposed and rejected due to
environmental concerns.”

LWN.net : Grinberg: Linux on an 8-bit micro?

On his blog, Dmitry Grinberg writes about getting Linux to run on an 8-bit microcontroller. In order to do so, he wrote an ARM emulator for the ATmega1284p. The results: “uARM is certainly no speed demon. It takes about 2 hours to boot to bash prompt (“init=/bin/bash” kernel command line). Then 4 more hours to boot up the entire Ubuntu (“exec init” and then login). Starting X takes a lot longer. The effective emulated CPU speed is about 6.5KHz, which is on par with what you’d expect emulating a 32-bit CPU & MMU on a measly 8-bit micro. Curiously enough, once booted, the system is somewhat usable. You can type a command and get a reply within a minute. That is to say that you can, in fact, use it. I used it today to format an SD card, for example. This is definitely not the fastest, but I think it may be the cheapest, slowest, simplest to hand assemble, lowest part count, and lowest-end Linux PC. The board is hand-soldered using wires, there is not even a requirement for a printed circuit board.”

LWN.net : Security advisories for Thursday

Debian has updated tryton-server
(privilege escalation).

Gentoo has updated libzip (multiple
code execution flaws).

Mandriva has updated nginx
(information disclosure) and cvs (code
execution).

openSUSE has updated php5 (multiple
vulnerabilities), flash-player (code
execution), and libreoffice (code execution).

Oracle has updated libtasn1 (OL6:
denial of service), gnutls (OL5; OL6: denial of service and code execution),
and openssl (OL5; OL6: denial of service and information
disclosure).

Red Hat has updated flash-plugin
(code execution).

SUSE has updated firefox (SLE10; SLE11:
multiple vulnerabilities).

Ubuntu has updated kernel (11.10:
denial of service), python-nova (11.10:
denial of service), and ca-certificates-java (11.10: regression in
previous security fix).

LWN.net : Can Willow Garage’s “Linux for Robots” Spur Internet-Scale Growth? (Xconomy)

Xconomy looks at Willow Garage and its open source software for robots. “Called the Robot Operating System, or ROS, it’s a collection of algorithms that handle standard tasks required of every mobile robot—things like making sense of a visual scene, planning a path around obstacles. Unlike PR2, ROS is completely free, and is already being adapted by hundreds of robotics labs and companies around the world. It’s spreading so fast that [CEO Steve] Cousins says Willow Garage is considering creating a non-profit foundation, similar to the Apache Software Foundation, that could organize the developer community, collect donations, and act as an independent steward and champion for the software.” LWN covered a talk by Willow Garage’s Tully Foote from SCALE 10x in January.

LWN.net : Cook: seccomp filter now in Ubuntu

On his blog, Kees Cook reports that the Ubuntu kernel for 12.04 has added the seccomp filters feature that uses the packet filtering machinery (BPF) to restrict access to system calls. He also notes that the feature will be added to the Chrome OS kernel soon. “One of the questions I’ve been asked by several people while they developed policy for earlier “mode 2” seccomp implementations was “How do I figure out which syscalls my program is going to need?” To help answer this question, and to show a simple use of seccomp filter, I’ve written up a little tutorial that walks through several steps of building a seccomp filter. It includes a header file (“seccomp-bpf.h”) for implementing the filter, and a collection of other files used to assist in syscall discovery. It should be portable, so it can build even on systems that do not have seccomp available yet.
[...]
Read more in the seccomp filter tutorial.”

LWN.net : Prometheus bound: An important precedent for the next software patent case (opensource.com)

Red Hat’s assistant general counsel Rob Tiller writes about the implications of a recent US Supreme Court decision in Mayo Collaborative Services v. Prometheus Laboratories, Inc. [PDF]. He looks at the possible impact on software patent decisions down the road. “It also seems noteworthy that the Mayo Court outlined a balanced view of the patent system that took account of the risks it can pose for innovation. It wrote, ‘Patent protection is, after all, a two-edged sword. On the one hand, the promise of exclusive rights provides monetary incentives that lead to creation, invention, and discovery. On the other hand, that very exclusivity can impede the flow of information that might permit, indeed spur, invention, by, for example, raising the price of using the patented ideas once created, requiring potential users to conduct costly and time-consuming searches of existing patents and pending patent applications, and requiring the negotiation of complex licensing arrangements.’”

LWN.net : Stable kernel 2.6.34.11

Paul Gortmaker has announced the release of the 2.6.34.11 kernel. As usual, it has lots of
fixes throughout the tree and users of 2.6.34 should update.

LWN.net : Security updates for Thursday

Debian has updated icedove (multiple
vulnerabilities) and raptor (information
disclosure).

Fedora has updated kernel (F16:
address-space layout randomization
bypass).

openSUSE has updated osc (code
execution).

Scientific Linux has updated glibc (SL5; SL6: code
execution), libpng (code
execution), thunderbird (multiple
vulnerabilities), firefox (multiple
vulnerabilities), systemtap (denial of
service), xen (SL5: privilege escalation), imagemagick (SL5: code execution), cups (SL5: code execution), xorg-x11-server (SL5: information disclosure),
vixie-cron (SL5: change arbitrary file
modification time from 2010), boost (SL5: code
execution from 2008), krb5 (SL5: access control
bypass), util-linux (SL5: multiple
vulnerabilities), busybox (SL5: two code
execution flaws, one from 2006), sudo (SL5: access control
bypass), nfs-utils (SL5: mtab corruption), sos (SL5: information disclosure), and initscripts (SL5: information disclosure from
2008).

Ubuntu has updated thunderbird
(11.10: multiple vulnerabilities) and libpng (code execution).

LWN.net : Nonprofit open source organizations booming (ITworld)

Over at ITworld, Brian Proffitt looks into revenue and salaries at various open source non-profit organizations. “With a revenue of $1,934,659, the Mozilla Foundation ranked fourth of the eighteen FLOSS-related non-profits researched for this report. But with a net cash flow loss of $1,333,815 for the 2010 fiscal year, the Mozilla Foundation was next to last on money lost for the year.
[...]
All of this information was obtained from the Federal income tax forms all U.S. non-profits are required to file with the IRS. Specifically, Form 990 (or the 990-EZ when applicable). Thirteen of the non-profits have publicly available information for their 2010 fiscal years, with the other five’s information only up to date to their respective 2009 fiscal years.”

LWN.net : Van Rossum: Python is not too slow (InfoWorld)

InfoWorld has a short interview with Guido van Rossum, the creator of Python. In it, he talks about Python 3, Unicode, the Global Interpreter Lock (GIL), and more. “At some point, you end up with one little piece of your system, as a whole, where you end up spending all your time. If you write that just as a sort of simple-minded Python loop, at some point you will see that that is the bottleneck in your system. It is usually much more effective to take that one piece and replace that one function or module with a little bit of code you wrote in C or C++ rather than rewriting your entire system in a faster language, because for most of what you’re doing, the speed of the language is irrelevant.”

LWN.net : Security advisories for Friday

CentOS has updated glibc (C6: code
execution).

Debian has updated iceweasel
(multiple vulnerabilities).

Gentoo has updated openswan (two
denial of service vulnerabilities), audacious-plugins (code execution), gif2png (two vulnerabilities from 2010), libmodplug (code execution), hplip (multiple vulnerabilities), and minitube (insecure tmp file handling).

Mandriva has updated pidgin (two
denial of service vulnerabilities).

openSUSE has updated chromium, v8
(multiple vulnerabilities).

Oracle has updated glibc (OL6: code
execution).

LWN.net : "Anonymous" Linux sparks concerns (The H)

The H is reporting that a Linux distribution, supposedly created by the “Anonymous” activist group, has been taken down by SourceForge due to security concerns. The distribution is based on Ubuntu 11.10 with additional privacy and security tools like Tor. “In a statement released late last night, SourceForge explained that it had taken the distribution off its servers as significant concerns were raised concerning the software bundle’s authenticity and possible maliciousness. SourceForge stated that while it tends to consider projects to be amoral and thus even host software that could be considered controversial, it decided to take Anonymous-OS down as soon as it became clear that it might include malicious software and did not appear to be officially connected with the Anonymous movement. Almost as soon as the release of Anonymous-OS was announced on a new Tumblr page, the activist group stated via its Twitter account that Anonymous-OS is a fake and contains trojans.”

LWN.net : Thursday’s security updates

CentOS has updated firefox (C6:
multiple vulnerabilities) and thunderbird
(C6: multiple vulnerabilities).

Fedora has updated kernel (F15: null
pointer dereference on read-only regsets).

Oracle has updated firefox (OL5; OL6:
multiple vulnerabilities) and thunderbird
(OL6: multiple vulnerabilities).

Red Hat has updated glibc (RHEL6:
code execution).