LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Announcements
->One big page
This page
Previous weekFollowing week
| |||||||||||||
DistributionsUDS security discussionsThe Ubuntu Developer Summit (UDS) is an interesting event. It has a much different format than traditional technical conference because its focus is on making decisions for the upcoming Ubuntu release. I spent much of the conference's second day attending meetings in the security track, where the Ubuntu security team and members of the Ubuntu community discussed various topics of interest, with an eye toward what would end up in Oneiric Ocelot (11.10). Those meetings provided a look into the workings of the distribution and its security team. ![[UDS group photo]](/images/2011/uds-group1-sm.jpg)
All of the UDS meetings are set up the same, with a "fishbowl" of half-a-dozen chairs in the center where the microphone is placed so that audio from the meeting can be streamed live. There are two projector screens in each room, one showing the IRC channel so that external participants can comment and ask questions; the other is generally "tuned" to the Etherpad notes for the session, though it can be showing the Launchpad blueprint or some other document of interest. The team that is running the meeting sits in the fishbowl, while the other attendees are seated just outside of it; sometimes all over the floor and spilling out into the hallway. "Audience" participation is clearly an important part of UDS sessions. Involving the communityThe session on improving the community's relationship with the security team was rescheduled at the last minute—something that occurs with some frequency at UDS—but that didn't deter the folks who showed up from discussing the issue. The discussions at UDS "require" the presence of certain individuals or representatives of teams, and when they are not available, meetings get rescheduled. In this case, a community team representative was unavailable, but the discussion rolled on anyway. One attendee was interested in the opportunities available for those who are interested in helping out with Ubuntu security. Team members responded that one of the main areas where the security team needs help is in handling updates for the "universe" packages. Those packages are community maintained, which in practice means that some are well maintained and some are not. That stands in contrast to the packages in "main" which are maintained by the security team so security updates are issued in a timely fashion. Organizations or individuals could adopt packages in universe and ensure that they get timely updates as well. It is an excellent opportunity for anyone who does some programming to learn about Debian packaging, security practices, using the repositories, and more. For folks that are looking to become Ubuntu developers, doing updates for a package or packages would be good experience as well as looking good in the application process. Interested users don't have to be security experts to help out, it's a matter of following any upstream security updates, applying them, and then testing. The testing needs to minimally determine that it fixes the problem in question, and doesn't break the application. For people interested in security but who don't know where to start, adopting a universe package for security updates is an excellent starting point. Another audience member was interested in what protections there were for the process of creating and signing packages, as well as how the security team would handle a situation where a sensitive account was compromised. Without getting into specifics, the team explained that there are tools, logging, and procedures in place to detect and handle these kinds of problems. Should an event like that occur, emergency plans have been devised to handle it. For updates, the security team acts as a buffer between the packagers and the signing process. There is a process that updates go through, which includes looking at the updated code and some automated testing to look for things like permission problems and setuid programs. There is a lot more testing that could be done automatically, which is something that the team would like to add and that could be done in collaboration with others. A Google employee who attended noted that the company was interested in using those kinds of tools, so that might be one opportunity for collaboration. Security roundtableDaily "roundtable" sessions are held in the morning for several of the tracks at UDS. Security was no exception. The sessions are kind of "catch-alls" that allow discussion of smaller topics that don't require a full hour, as well as allowing people to bring up topics that might need a full session scheduled later in the week. The two main topics discussed in Tuesday's roundtable were the dissemination of Ubuntu security notices (USNs) and the idea of putting together a whitepaper that looked at the statistics of security updates for various releases. The team was trying to decide if there was value in continuing to put the USNs on the Bugtraq and Full-disclosure mailing lists given that there is a dedicated Ubuntu-security-announce list as well as a web page that tracks the USNs (the LWN security updates were also noted as a good source). The general feeling was that anyone truly interested in following Ubuntu security updates would use one of the other methods, rather than try to extract them from the rest of the traffic on Bugtraq or Full-disclosure. One team member noted that the usefulness of Bugtraq dropped significantly when vendors started overwhelming the list with security updates. The current practice of sending to those lists is something that came into Ubuntu from Debian's practices. In the end, it was decided that an announcement would be made to those lists that Ubuntu would no longer post USNs there and pointing to the other sources of the update information. A whitepaper that looked at the types and severities of vulnerabilities fixed for a particular Ubuntu release was also discussed. It would be a fair amount of work to pull together and there were questions about the purpose a study like that would serve. There are some technical hurdles in that many of the CVEs in the Ubuntu system are classified as "medium" because those values represent the priority of getting a fix out rather than the severity of the vulnerability. There was some concern that such a study would not be worth the time that was invested in it. There were also worries that the whitepaper might be interpreted to be a comparison to the reports periodically issued by Red Hat. On the other hand, there may be lessons for the team in a report of that sort, including finding classes of vulnerabilities that could be short-circuited via kernel or other changes. Some of the data is already collected as part of the self-analysis that the team does monthly, so the general feeling seemed to be that at least gathering the rest of the data would be a useful exercise. Whether it results in a whitepaper probably depends on how much time the team can find to pull one together. Ubuntu security noticesUSNs came up in another discussion to look at the format of those announcements. While it may be something of a boring subject for some, it is important to communicate the important information about a security vulnerability in security announcements. In addition, some of the elements that make up the announcement end up in other places, like the Update Manager's description of an update. The team had recently tweaked the format of USNs and wanted to discuss formalizing some of the language and formatting in the various elements. The first order of business was the "Issue Summary", which is a one-line description of the update. That is what appears in Update Manager so it needs to be written so that it is readable by anyone. That, of course, is difficult to do without either getting into security jargon or going on at length. Some standardization of the terminology and descriptions was deemed desirable, so the plan is to try to create templates for ten or so common application types (e.g. kernel, apache, firefox, ...) that would be vetted by the documentation and user experience teams for readability. Other tweaks to the format were also discussed such as cleaning up the "Software Description" section that sometimes has multiple entries for the same package, which can be confusing. Creating a wiki page that described how to update the system (i.e. run Update Manager) which could be linked from announcements was also planned. A look inside the sausage factory![[UDS group photo]](/images/2011/uds-group2-sm.jpg)
While some of these sessions may seem a little bland, I found them interesting for a number of reasons. In a week's time I was able to get a glimpse into what goes into the decision-making process for an Ubuntu release. It is a very community-oriented process that tries to be as inclusive as it can be, while still being focused on the task at hand. Rather than just having Canonical employees make decisions about the smaller details, hearing and acting on the community's concerns is clearly an important part of the process. There were two or three hundred such sessions throughout the week, some looking into fairly emotional topics (like default web browser and email client) or others about adding support for an out-of-tree kernel feature to the distribution. I also sat through a review of the kernel configuration parameters to determine which would be enabled or disabled for the Oneiric kernel. It was somewhat tedious, as would probably be expected, but an interesting exercise that is done, in public, for each Ubuntu release. And that is the essence of UDS: public review and discussion of the features that will appear in five-and-a-half months or so. There are also meals, parties, and lots of talks outside of the sessions—much like any conference—but the focus is clearly on getting things done. [ I would like to thank Canonical for sponsoring my travel to Budapest for UDS. ]
Brief items Distribution quotes of the week
What we can apply from the puzzle in Free Software, is that just like
building a [jigsaw] puzzle, solving problems or troubleshooting should also
be documented.
-- Juan
Rodriguez
So I'm using this as an excuse to remind everyone that if you "yum remove gnome* -y" from your Fedora 15 computer, and don't have KDE or any other graphical user interface to fall back to, the next time you reboot, it won't actually finish booting unless you set it to boot as Run Level 3.
The ugly memories of watching White Box shrivel up and die after failing to
deliver a RHEL5 distribution have been coming back lately. RHEL6 was
released in November of 2010, tomorrow it will be exactly six months old.
There is no sign of a CentOS6 yet.
-- Greg Smith
Fedora 15 is on trackFedora 15 is on track for its scheduled release on May 24. In the meantime, there is a release candidate available for testing.
Fedora 13 ARM betaThe third beta of the Fedora 13 ARM release is available for testing. "his release includes additional software not found in Beta2, most notably Abiword for your word processing needs. Unfortunately at this time we are not able to offer OpenOffice due to some issues with java packages ( java experts we could use your help! )."
Mageia 1 RC is availableThe Mageia project has announced the availability or Mageia 1 RC.
Time is short now but still you should have enough time for some final tests! Important things to check in the few days left before the official release:
LTTng in the Ubuntu kernelThe Linux Trace Toolkit next generation (LTTng) is a high-performance out-of-tree kernel tracer that has been integrated into several embedded distributions. It is currently being used in the Linaro kernel, which is based on Ubuntu's, but because of the size of the patch set, that is not seen as sustainable into the future. As it turns out, the LTTng team has been working on a way to reduce or eliminate the need for patches to the core kernel by turning LTTng into a kernel module. Julien Desfossez attended the recent Ubuntu Developer Summit (UDS) to propose adding LTTng to Ubuntu, both for the upcoming 11.10 ("Oneiric Ocelot") as well as the 12.04 LTS release coming next year. Because of its integration with user space, as well as its use in Linaro, LTTng is seen as a desirable feature for Ubuntu. The question came down to how to get there. There are two versions of LTTng 2.0, one of which requires a substantial, rather intrusive set of patches, while the other, 2.0-distro, only requires a small handful of changes that look to be fairly minor cleanups in the kernel. The ring buffer and the rest of LTTng have been moved to modules for 2.0-distro. Most of the functionality of LTTng is preserved, though there are a few missing pieces. The trace clock has been removed from 2.0-distro, so tracing in NMI contexts is no longer possible. In addition, there is no support for NO_HZ kernels. Since it was not clear that the changes needed for 2.0-distro would make it upstream before the 11.10 kernel freeze, it was determined that the kernel team would help Desfossez create a personal package archive (PPA) for this release, with an eye toward enabling the feature in the 12.04 release. The LTTng team is still working to try to get the full 2.0 code upstream (beginning with the generic ring buffer that could be shared with Ftrace and perf), but the modularized version will be useful in the meantime. Later in the week, Desfossez said that Mathieu Desnoyers had found a way to not require any core kernel changes for 2.0-distro in the day or two after the meeting. Whether that will result in Ubuntu building and shipping the LTTng modules as a dkms package for 11.10 is not yet known. In any case, it would seem that LTTng will be available, in one form or another, for Ubuntu kernels going forward.
Distribution News Debian GNU/Linux DebConf "Newbies" Funding InitiativeThis year the Debian Project invites "Newbies" and non-regular attendees to join DebConf11, which will take place in late July in Banja Luka, Bosnia. "As a special incentive, an extra travel fund has been set up, which is only available to new or returning DebConf attendees."
DebConf10 Final Report releasedThe DebConf team has released the DebConf10 Final Report. "It's a 46-page document which gives the reader an idea about the conference as a whole. It includes descriptions of talks, DebCamp and Debian Day activities, personal impressions, attendee and budgeting numbers, the work of various teams, social events, funny pictures and so on."
DNS security extensions now available for Debian's zone entriesThe Debian Project has announced that its domains debian.org and debian.net are now secured by the DNS Security Extension (DNSSEC). The corresponding DNS records have recently been added in the .net and .org zones.
Removal of alpha/hppa from ftp-master.debian.orgThe Debian ports for alpha and hppa have moved into the Debian Ports archive. "If you are a user of one of those two architectures please ensure that your sources.list entries point to the new location." Support for alpha and hppa in the Lenny release will continue.
Bits from the perl maintainersThe Debian perl maintainers have completed the perl 5.12 transition in the unstable repository. "As you'll probably have noticed by now, around 12 months after the first upstream 5.12 release, perl 5.12.3 was uploaded to unstable and has now, thanks to the superb work of the release team, has migrated to testing. This marks the first major new version of perl in Debian for three years."
Fedora Fedora project switching to new contributor agreementThe word has gone out that Fedora is switching to its new, improved contributor agreement. Anybody wanting to contribute to Fedora (with a few exceptions) will need to accept the new agreement by June 17. The full text of the agreement (preceded by a FAQ) is available for the curious.
Change in requirements for Board, FESCo, and FAmSCo candidatesThe Fedora Project has amended the requirements for candidates to elected and appointed roles in the Fedora Community. "Unfortunately, the laws in the United States which Fedora and Red Hat are subject to place very tight restrictions on the involvement of citizens of certain countries."
openSUSE openSUSE 11.2 has reached end of SUSE supportSupport for openSUSE 11.2 is officially over. The openSUSE Evergreen community effort will continue to provide some support for 11.2. From the Evergreen project page: "As this is the first trial it's not fully outlined which scope of the full distribution can be supported. The plan is to provide updates for as many components as possible. The same holds true for the time period of the support."
openSUSE announces location of 2011 conferenceThe 2011 openSUSE Conference will take place in Nuremberg, Germany, September 11-14. The conference will be co-located with the SUSE Labs conference. Additional information on the call for proposals can be found on this week's Announcements page.
Newsletters and articles of interest Distribution newsletters
Riding the Narwhal: Ars reviews Unity in Ubuntu 11.04 (ars technica)Ryan Paul reviews the Unity shell in Ubuntu 11.04. "Ubuntu 11.04 pulls together years of Ubuntu usability enhancement efforts—including Unity and the much-improved panel system that has gradually emerged from the Ayatana project—and ties them together to deliver a rich and highly cohesive desktop experience. Although the result is compelling, there are still a lot of rough spots and limitations that chafe along the environment's edges. Some parts—such as the application lens—seem awkward, poorly designed, and incomplete."
New tasty delights in Android's Ice Cream Sandwich (CNet)Marguerite Reardon answers questions about the Android "Ice Cream Sandwich" release. "The real purpose of Ice Cream Sandwich is to become the unifying version of Android for all mobile products that use the operating system. Though Honeycomb was designed for tablets, Ice Cream Sandwich will be a cross-platform OS. It will be the one OS that runs everywhere. This means it will allow developers to create apps once and then those apps will be able to operate on different devices with different screen sizes and different capabilities. The OS will essentially be smart enough to figure out which type of device the app is running on and then adjust parameters."
Puppy Linux: Top Dog of the Lightweight Distros (OSNews)Howard Fosdick takes a look at Puppy Linux. "Flexibility is essential when working with low-end computers. You need software that runs on the system you have, rather than requiring you to upgrade, change, or fix hardware. Puppy doesn't impose hardware requirements. For example, Puppy installs and boots from any bootable device and saves your work to any writeable device. No hard disk, optical drive, or USB? No problem. Want to use your old SCSI drive, floppy, Zip drive, LS-120/240 Superdisk, or compact flash memory? Puppy does it. It's great to see a distro that leverages whatever odd old devices your system has."
Slack World interviewsThe Slack World has interviews with Robby Workman and Eric Hameleers on the Slackware 13.37 release. Hameleers: "As you are well aware, a primary objective for Slackware (and essentially that of its creator Pat Volkerding) is to release "when it is ready". I think that the first time I mentioned to Pat that he should be thinking about finalizing what would become Slackware-13.2, was as far back as November or December. But Pat held out, waiting for a kernel version that he was satisfied with. That took a while! And the situation of driver stability in X.Org is a permanent source of frustration. It seems that we can never make everybody happy at the same time using any combination of X.Org, mesa and dri versions. That is the reason why you find alternative versions of mesa and the nouveau driver in the /testing directory of Slackware 13.37."
Page editor: Rebecca Sobol |
|||||||||||||