LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
The LWN.net Weekly Edition for March 3, 2016 is available.
The MAME (Multiple Arcade Machine Emulator) project has announced a license change, moving from the old, unique "MAME License" to the GNU GPLv2-or-later for the full codebase, with many individual components available under the 3-clause BSD License. The announcement notes that a considerable effort went into the relicensing process: "We have spent the last 10 months trying to contact all people that contributed to MAME as developers and external contributors and get information about desired license." The old license [Wayback link] had prohibited commercial sale and use.
If your software deals with untrusted user input, it's a good idea to run a fuzzer against the program. For the Linux kernel, the most effective fuzzer of recent years has been Dave Jones's Trinity system call tester. But there's a new system call fuzzer in town, Dmitry Vyukov's syzkaller, and early results from it look promising — over 150 bugs uncovered in the mainline kernel (plus several dozen in Google's internal kernels) in a few months of operation.
The full article, by David Drysdale, is available to subscribers.
Arch Linux has updated chromium (multiple vulnerabilities).
Debian has updated bsh (command execution), ctdb (denial of service), kernel (multiple vulnerabilities), and roundup (information leak).
Debian-LTS has updated squid3 (denial of service; reversion fix).
Fedora has updated exiv2 (F23: denial of service), openssl (F23: multiple vulnerabilities), pcs (F23: multiple vulnerabilities), and perl (F23: ambiguous environment).
Mageia has updated samba (multiple vulnerabilities).
openSUSE has updated eog (13.2, Leap 42.1: code execution) and pigz (13.2: directory traversal).
Red Hat has updated kubernetes (RHOSE 3: multiple vulnerabilities) and openstack-glance (RHEL7 OSP5; RHEL7 OSP7: authorization bypass).
Ubuntu has updated jasper (12.04, 14.04, 15.10: multiple vulnerabilities).
The LWN.net Weekly Edition for February 25, 2016 is available.
The Debian "Stretch" release isn't expected for more than a year, but it has just been pushed back a couple of months, with the full freeze now scheduled for February 5 of next year. The reason is to be able to ship with the first kernel of the year (expected to be 4.10) that, by current plans, should be a long-term support release. "For the avoidance of doubt, this change is a one-off to align with an expected release of Linux only. We aren't in a position to try and accommodate other projects, however much we'd like to be able to."
One of the more entertaining presentations at this year's DevConf.cz was by Dan Walsh, Red Hat's head of container engineering. He presented on one of the core conflicts in the Linux container world: systemd versus the Docker daemon. This is far from a new issue; it has been brewing since Ubuntu adopted systemd, and CoreOS introduced Rocket, a container system built around systemd.
A look at the talk, by guest author Josh Berkus, is available to subscribers.
The LWN.net Weekly Edition for February 18, 2016 is available.
KDE.news has an announcement of a new program to foster better cooperation between KDE and distributions. "KDE is distro-agnostic. We do not prefer any distributions over others, and want our software to run everywhere. This extends beyond Linux; we want our software to work for our users on Windows, Mac, BSD and Android as well. Our focus is always on our users having the best experience possible. We are aware that the more closely we cooperate, the better the experience for all, including those who package our software, and we think that open and free communication is the best way to cooperate. KDE developers should be able to tell distributions what our software needs from a distribution in order to work best. And in turn, distributions should be able to tell us what makes our software easy to distribute." A new mailing list has been created to host these conversations.
Bradley Kuhn started off his linux.conf.au 2016 talk by stating a goal that, he hoped, he shared with the audience: a world where more (or most) software is free software. The community has one key strategy toward that goal: copyleft licensing. He was there to talk about whether that strategy is working, and what can be done to make it more effective; the picture he painted was not entirely rosy, but there is hope if software developers are willing to make some changes.
Over at LinuxGizmos, Eric Brown notes some new "Internet of Things" (IoT) projects from Mozilla that were described in a recent blog post by Ari Jaaksi, Mozilla Senior VP for Connected Devices. "The first projects include a Project Start Home framework for a home automation system, as well as a Project Link personal user agent and Vaani voice interface that would work within such a framework. Finally, there’s a crowdsourced Project SensorWeb for tracking air pollution. Interestingly, the term “Firefox OS” is not used in the latest announcement, despite the reference to Firefox OS Connected Devices in the previous post. Still, all the projects appear to use Firefox OS or Mozilla’s underlying Boot to Gecko (b2g) codebase. Mozilla is seeking testers, developers, and advisers, for all these open source projects."
The LWN.net Weekly Edition for February 11, 2016 is available.
CentOS has updated postgresql (C7; C6: denial of service).
Fedora has updated kernel (F23: denial of service) and pcs (F22: two vulnerabilities).
Mageia has updated asterisk (denial of service), drupal (multiple vulnerabilities), openssl (multiple vulnerabilities), perl-FCGI (denial of service from 2012), phpmyadmin (cross-site scripting), postgresql (two vulnerabilities), tomcat (multiple vulnerabilities), wireshark (multiple vulnerabilities), xdelta3 (code execution from 2014), and xerces-c (code execution).
openSUSE has updated libopenssl0_9_8 (42.1, 13.2: many vulnerabilities, some from 2013 and 2014), libssh2_org (13.2: insecure sessions), and openssl (13.1; 11.4: multiple vulnerabilities).
Oracle has updated postgresql (OL7; OL6: denial of service).
Red Hat has updated postgresql (RHEL7; RHEL6: denial of service), postgresql92-postgresql (RHSC: denial of service), and rh-postgresql94-postgresql (RHSC: denial of service).
Scientific Linux has updated postgresql (SL7; SL6: denial of service).
Slackware has updated mailx (drop SSLv2 support), openssl (multiple vulnerabilities), and php (multiple vulnerabilities).
SUSE has updated compat-openssl097g (SLE11SP4: multiple vulnerabilities), java-1_7_0-ibm (SLE11SP3: multiple vulnerabilities), and openssl (SLE12, SLE12SP1: multiple vulnerabilities).
Ubuntu has updated pixman (14.04, 12.04: code execution from 2014).
Scratching an itch is a recurring theme in presentations at linux.conf.au. As the open-hardware movement gains strength, more and more of these itches relate to the physical world, not just the digital. David Tulloh used his presentation [WebM] on the “Linux Driven Microwave” to discuss how annoying microwave ovens can be and to describe his project to build something less irritating.
The full report, by Neil Brown, is available to subscribers.
Five Google developers share the lessons from ten years of container development in this ACM Queue article. "To cope with these kinds of requirements, configuration-management systems tend to invent a domain-specific configuration language that (eventually) becomes Turing complete, starting from the desire to perform computation on the data in the configuration (e.g., to adjust the amount of memory to give a server as a function of the number of shards in the service). The result is the kind of inscrutable 'configuration is code' that people were trying to avoid by eliminating hard-coded parameters in the application's source code. It doesn't reduce operational complexity or make the configurations easier to debug or change; it just moves the computations from a real programming language to a domain-specific one, which typically has weaker development tools (e.g., debuggers, unit test frameworks, etc)."
"TPM," said Matthew Garrett in his linux.conf.au 2016 talk, stands for "trusted platform module"; it is a tool that is meant to allow a system's owner to decide which software to trust. Some years ago, there was a lot of fear that the TPM would be used, instead, to take that decision away, to allow others to decide which software would be trusted to run on our systems; for that reason, some called "trusted computing" by the rather less complimentary name "treacherous computing." That scenario didn't come about, though, for a number of reasons, both technical and social. But we can still use the TPM for its original purpose; Matthew was there to talk about his work to bring about computing that we can trust.
The full report from LCA 2016 is available to subscribers.
CentOS has updated openssl (C7; C5: multiple vulnerabilities).
Fedora has updated graphite2 (F23: unspecified vulnerabilities) and pcre (F23: denial of service).
openSUSE has updated openssl (Leap42.1; 13.2: multiple vulnerabilities).
Oracle has updated openssl (OL7; OL6; OL5: multiple vulnerabilities).
Red Hat has updated openssl (RHEL6, 7; RHEL5; RHEL6.2, 6.4, 6.5; RHEL5.6, 5.9; RHEL6.6, 7.1; RHEL4: multiple vulnerabilities).
Scientific Linux has updated openssl (SL6, 7; SL5: multiple vulnerabilities).
SUSE has updated openssl (SLE12-SP1; SLE12; SLE11-SP2,3,4; SLES11: multiple vulnerabilities).
Ubuntu has updated perl (multiple vulnerabilities) and python-django (two vulnerabilities).
The LWN.net Weekly Edition for February 4, 2016 is available.
The Raspberry Pi 3 has been released and is on sale now for $35. "For Raspberry Pi 3, Broadcom have supported us with a new SoC, BCM2837. This retains the same basic architecture as its predecessors BCM2835 and BCM2836, so all those projects and tutorials which rely on the precise details of the Raspberry Pi hardware will continue to work. The 900MHz 32-bit quad-core ARM Cortex-A7 CPU complex has been replaced by a custom-hardened 1.2GHz 64-bit quad-core ARM Cortex-A53. Combining a 33% increase in clock speed with various architectural enhancements, this provides a 50-60% increase in performance in 32-bit mode versus Raspberry Pi 2, or roughly a factor of ten over the original Raspberry Pi." (Thanks to Forrest Cook)
Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds