LWN.net News from the source
LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
The LWN.net Weekly Edition for September 1, 2016 is available.
Inside this week's LWN.net Weekly Edition
The announcement of a project to develop the "Kool Desktop Environment" went out on October 14, 1996. As the 20th anniversary of that announcement approaches, the KDE project is celebrating with a project timeline and a 20 Years of KDE book. "This book presents 37 stories about the technical, social and cultural aspects that shaped the way the KDE community operates today. It has been written as part of the 20th anniversary of KDE. From community founders and veterans to newcomers, with insights from different perspectives and points of view, the book provides you with a thrilling trip through the history of such an amazing geek family."
Some of the most important discussions associated with the annual Kernel Summit do not happen at the event itself; instead, they unfold prior to the summit on the planning mailing list. There is value in learning what developers feel needs to be talked about and, often, important issues can be resolved before the summit itself takes place. That list has just hosted (indeed, is still hosting as of this writing) a voluminous discussion on license enforcement that was described by some participants as being "pointless" or worse. But that discussion has served a valuable purpose: it has brought to the light a debate that has long festered under the surface, and it has clarified where some of the real disagreements lie.
The 4.8-rc5 kernel prepatch is available for testing. "So rc5 is noticeably bigger than rc4 was, and my hope last week that we were starting to calm down and shrink the releases seems to have been premature. [...] Not that any of this looks worrisome per se, but if things don't start calming down from now, this may be one of those releases that will need an rc8. We'll see."
While distribution-hopping is common among newcomers to Linux, longtime users tend to settle into a distribution they like and stay put thereafter. In the end, Linux distributions are more alike than different, and one's time is better spent getting real work done rather than looking for a shinier version of the operating system. Your editor, however, somehow never got that memo; that's what comes from ignoring Twitter, perhaps. So there is a new distribution on the main desktop machine; this time around it's openSUSE Tumbleweed.
The Z-Wave wireless home-automation protocol has been released to the public. In years past, the specification was only available to purchasers of the Z-Wave Alliance's development kit, forcing open-source implementations to reverse-engineer the protocol. The official press release notes that there are several such projects, including OpenZWave; Z-Wave support is also vital to higher-level Internet-of-Things abstraction systems like AllJoyn.
The LWN.net Weekly Edition for August 25, 2016 is available.
Inside this week's LWN.net Weekly Edition
Arch Linux has updated chromium (multiple vulnerabilities) and webkit2gtk (multiple vulnerabilities).
Debian has updated libidn (multiple vulnerabilities).
Debian-LTS has updated mailman (password disclosure).
Fedora has updated canl-c (F24; F23: proxy manipulation), krb5 (F23: denial of service), libksba (F24: denial of service), openvpn (F23: information disclosure), tomcat (F24; F23: denial of service), and webkitgtk4 (F23: multiple vulnerabilities).
openSUSE has updated karchive (SLE12: command execution).
Oracle has updated ipa (O7; O6: denial of service).
On August 25, 1991, an obscure student in Finland named Linus Benedict Torvalds posted a message to the comp.os.minix Usenet newsgroup saying that he was working on a free operating system as a project to learn about the x86 architecture. He cannot possibly have known that he was launching a project that would change the computing industry in fundamental ways. Twenty-five years later, it is fair to say that none of us foresaw where Linux would go — a lesson that should be taken to heart when trying to imagine where it might go from here.
The US Department of Justice has announced that it has arrested a suspect in the 2011 kernel.org breakin. "[Donald Ryan] Austin is charged with causing damage to four servers located in the Bay Area by installing malicious software. Specifically, he is alleged to have gained unauthorized access to the four servers by using the credentials of an individual associated with the Linux Kernel Organization. According to the indictment, Austin used that access to install rootkit and trojan software, as well as to make other changes to the servers."
The LWN.net Weekly Edition for August 18, 2016 is available.
Inside this week's LWN.net Weekly Edition
Outgoing Apache OpenOffice project management committee (PMC) chair Dennis Hamilton has begun the discussion of a possible (note possible at this point) shutdown of the project. "In the case of Apache OpenOffice, needing to disclose security vulnerabilities for which there is no mitigation in an update has become a serious issue. In responses to concerns raised in June, the PMC is currently tasked by the ASF Board to account for this inability and to provide a remedy. An indicator of the seriousness of the Board's concern is the PMC been requested to report to the Board every month, starting in August, rather than quarterly, the normal case. One option for remedy that must be considered is retirement of the project. The request is for the PMC's consideration among other possible options." (Thanks to James Hogarth.)
Also of interest is this note on how the handling of CVE-2016-1513 went.
Anyone who has been paying attention to Linux kernel development in recent years would be aware that IPC — interprocess communication — is not a solved problem. There are certainly many partial solutions, from pipes and signals, through sockets and shared memory, to more special-purpose solutions like Cross Memory Attach and Android's binder. But it seems there are still some use cases that aren't fully addressed by current solutions, leading to new solutions being occasionally proposed to try to meet those needs. The latest proposal is called "bus1".
OpenBSD 6.0 has been released. An EFI bootloader has been added to the armv7 platform along with other improvements for that platform. Also in this release, new and improved hardware support, IEEE 802.11 wireless stack improvements, generic network stack improvements, installer improvements, routing daemons and other userland network improvements, security improvements, and more. The announcement also contains information about OpenSMTPD 6.0.0, OpenSSH 7.3, OpenNTPD 6.0, and LibreSSL 2.4.2.
The LWN.net Weekly Edition for August 11, 2016 is available.
Inside this week's LWN.net Weekly Edition
Debian-LTS has updated cacti (authentication bypass).
Mageia has updated eog (M5: out-of-bounds write), python3/python (M5: HTTPoxy attack), redis (M5: information leak), and webkit2 (M5: multiple vulnerabilities).
openSUSE has updated cracklib (Leap 42.1: code execution), gd (13.2: out-of-bounds read), and libgcrypt (13.2: flawed random number generation).
Red Hat has updated ipa (RHEL 6,7: denial of service).
Slackware has updated mozilla thunderbird (14.1, 14.2: unspecified vulnerabilities).
Side-channel attacks against various kinds of protocols (typically networking or cryptographic) are both dangerous and often hard for developers and reviewers to spot. They are generally passive attacks, which makes them hard to detect as well. A recent paper [PDF] describes in detail one such attack against the kernel's TCP networking stack; the bug (CVE-2016-5696) has existed since Linux 3.6, which was released in 2012. Ironically, the bug was introduced because Linux has implemented a countermeasure against another type of attack.
Here's a lengthy ars technica article on efforts to replace Tor with something more secure. "As a result, these known weaknesses have prompted academic research into how Tor could be strengthened or even replaced by some new anonymity system. The priority for most researchers has been to find better ways to prevent traffic analysis. While a new anonymity system might be equally vulnerable to adversaries running poisoned nodes, better defences against traffic analysis would make those compromised relays much less useful and significantly raise the cost of de-anonymising users."
The LWN.net Weekly Edition for August 4, 2016 is available.
Inside this week's LWN.net Weekly Edition
LWN covered a memory corruption vulnerability (CVE-2016-1513) in Apache OpenOffice that was disclosed before a fix was available. Now a hotfix for the problem has been released. "The official Apache OpenOffice security bulletin was announced on July 21, 2016. Affected is Apache OpenOffice 4.1.2 and older on all platforms and all languages. OpenOffice.org versions are also affected. The Apache OpenOffice project recommends to update to the latest version 4.1.2 and then to download and install the Zip file from the table below. Please follow the installation instructions in the respective Readme file." (Thanks to Cesar Eduardo Barros)
Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds