LWN Weekly Edition
Leading itemsSecurity
Kernel development
Distributions
Development
Announcements
->Multipage format
This page
Previous weekFollowing week
Recent Features
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for June 7, 2012LinuxCon Japan: Making kernel developers less grumpyGreg Kroah-Hartman is on something of a mission: reducing the grumpiness factor among kernel developers, and maintainers in particular. His keynote at LinuxCon Japan was meant to help the audience understand what the maintainers do, and how contributors' actions can sometimes result in grumpy maintainers. But, if contributors can follow the rules and make things easier on him, there are a number of things that he will promise to do on their behalf.
Developers typically send their changes to the maintainer of the file that is being changed. Those maintainers, who number around 700, feed those changes up to the 130 subsystem maintainers. From there, the patches make their way into linux-next, then to Linus Torvalds, and, eventually the mainline—if they get accepted at each step along the way. So, in order to see why some patches might not get accepted, he looked at those that he received in the last two weeks, which coincided with the 3.5 merge window. The merge window is a time when he really shouldn't be getting many patches. He should have received them all earlier in the cycle so that he could potentially pass them on to Torvalds during the merge window. But, he said, he got 487 patches in that two-week period, many with a wide variety of problems, and some of those from core kernel developers who should know better. Broken patchesWith that, he launched into a description of some of the broken patches he got. One patch was labeled "patch 48/48" (i.e. the last patch in a set of 48) but all of the other pieces were missing. He also got a patch series with no order specified, which means that he would have to guess at the order and undoubtedly get it wrong. The alternative is to ignore the patch entirely. He also got a ten-patch set that was missing patch two in the series. Another patch came in an email with a signature claiming that it was confidential. He actually sees that one a lot, he said, and there is nothing he can do with those kinds of patches. Linux development is done in the open and you can't send a confidential email to mailing lists or get a confidential patch merged. Obviously, it is boilerplate that gets added somewhere in the email process, but it has to be removed before the patch can be used. There are also malformed patches that end up in his inbox, including those with tabs converted to spaces. Microsoft Exchange does that, he said, so if that's a problem in your environment, do what IBM, Microsoft, and others do: put a Linux box in the corner for the developers to use to send their mail. Sometimes the leading spaces have been stripped off the diff or the diff is not in unified format. Linux developers have gotten good at raw editing diff format, he said, which is scary in itself, but they shouldn't have to do that. Patches are also created in the wrong directory, like down in a driver directory for example. He got a patch created in /usr/src/linux-2.6.32 and noted that there were multiple things wrong with that, including the age of the source tree and that it implied it was being built by root. The latter is very dangerous as there was a bug in the Linux build process at one point that would delete the entire root filesystem if it was run as root. None of the core developers noticed because they don't build as root. Suggestions that the bug be left in as a deterrent were ignored, but things like that can happen. In addition, patches came in that were made against a different tree than any he would expect. He got a patch made against the SCSI development tree, for reasons unknown because it had nothing to do with SCSI. Then there are those that don't have the right coding style. In one case, the coding style was wrong and the developer acknowledged that but wanted him to take the patch anyway. That gives the impression of "we don't care, take our code anyway", he said. There are tools to help find and fix those kinds of problems, so there is no excuse: "send it in the right coding style". Something he sees much more than he should are patches that don't even compile. The submitter clearly hasn't even built the patch, he said. Or there are patch sets that break the build in 3/6 but then fix it in 6/6. He even got a patch that broke the build in 5/8 but contained a note that sometime in the future the submitter would send changes to fix it. Another patch had obviously wrong kernel-doc in it that would cause failures building the documentation, so it was clear that the contributor had never even tried to run the kernel-doc extraction tool. One of the patches he got "had nothing to do with me". It was an x86 core kernel patch, which is not an area of the kernel he has ever dealt with. But the patch was sent only to him. "I get odd patches" a lot, he said. The last patch he mentioned was 450K in size, with 4500 lines added. Somebody suggested that it be broken up, but in the meantime several maintainers actually reviewed it, so the submitter didn't really learn from that mistake. All of this occurred during a "calm two weeks", he said. These are examples of what maintainers deal with on a weekly basis and explains why they can be grumpy. That said, he did note that this is the "best job I've ever had", but that's not to say it couldn't be improved. If someone sends him a patch and he accepts it, that means he may have to maintain it and fix bugs in it down the road. So it's in his self interest to ignore the patch, which is an interesting dynamic, he said. The way around that is to "give me no excuse to reject your patch"; it is as simple as that, really. RulesKroah-Hartman then laid out the rules that contributors need to follow in order to avoid the kinds of problems he described. Use checkpatch.pl, he said, because he will run it on your patch and it is a waste of his time to have to forward the results back when it fails. Send the patch to the right people and there is even a script available (get_maintainer.pl) to list the proper people and mailing lists where a patch should be sent. Send the patch with a proper subject that is "short, sweet, and descriptive" because it is going to be in the kernel changelog. It should not be something like "fix bugs in driver 1/10". In addition, the changelog comment should clearly say what the patch does, but also why it is needed. Make small changes in patches. You don't replace the scheduler in one patch, he said, you do it over five years. Small patches make it easier for reviewers and easier for maintainers to accept. In a ten-patch series, he might accept the first three, which means that the submitter just needs to continue working on the last seven. The best thing to do is to make the patch "obviously correct", which makes it easy for a maintainer to accept it. Echoing the problems he listed earlier, he said that patches should say what tree they are based on. In addition, the order of the patches is important, as is not breaking the build. The latter "seems like it would be obvious" but he has seen too many patches that fail that test. To the extent that you can, make sure that the patch works. It is fine to submit patches for hardware that you don't have access to, but you should test on any hardware that you do have. Review comments should not be ignored, he said. It is simply common courtesy if he takes time to review the code that those comments should be acted upon or responded to. It's fine to disagree with review comments, but submitters need to say why they disagree. If a patch gets resent, it should be accompanied with a reason for doing so. When reviewer's comments are ignored, they are unlikely to review code the next time. Maintainer's roleWhen you follow those rules there are certain things you can expect from him, Kroah-Hartman said, and that you should expect from the other maintainers as well. That statement may make other maintainers mad, he joked, but it is reasonable to expect certain things. For his part, he will review patches within one or two weeks. Other maintainers do an even better job than that, he said, specifically pointing to David Miller as one who often reviews code within 48 hours of its submission. If you don't get a response to a patch within a week, it is fine to ask him what the status is. He can't promise that he will always give constructive criticism, but he will always give "semi-constructive criticism". Sometimes he is tired or grumpy, so he can't quite get to the full "constructive" level. He will also keep submitters informed of the status of their patch. He has scripts that will help him do so, and let the submitter know when the patch gets merged into his tree or accepted into the mainline. That is unlike some other maintainers, he said, where he has submitted patches that just drop into a "big black hole" before eventually popping up in the mainline three months later. He ended by putting up a quote from Torvalds ("Publicly making fun of people is half the fun of open source programming. ...") that was made as a comment on one of Kroah-Hartman's Google+ postings. The post was a rant about a driver that had been submitted, which even contained comments suggesting that it should not be submitted upstream. He felt bad about publicly posting that at first, but Torvalds's comment made him rethink that. Because kernel development is done in the open, we are taking "personal pride in the work we do". As the code comment indicated, the driver developer didn't think it should be submitted because they realized the code was not in the proper shape to do so. It is that pride in the work that "makes Linux the best engineering project ever", he said. Sometimes public mocking is part of the process and can actually help instill that pride more widely. [ The author would like to thank the Linux Foundation for assistance with his travel to Yokohama. ]
Backing up in trees with Obnam 1.0Lars Wirzenius's new backup tool Obnam was just declared 1.0. There is no shortage of backup options these days, and in some way Wirzenius's decision to scratch his own itch with the project is par for the course. But the program does offer a different feature set than many of its competitors. For starters, Obnam makes only "snapshot" backups — that is, every backup looks like a complete snapshot of the system: there are not separate "full" and "incremental" backup options. That obviates the need to separately configure full and incremental backups on different schedules, and it similarly simplifies the restoration process. Any snapshot can be restored, without "walking" a chain of deltas from a full backup starting position. In his 1.0 release announcement, Wirzenius argues that full-plus-incremental backups make sense for tape drives, where sequential access favors adding deltas with incremental changes after an initial full backup, but that hard-disk backups make the incremental delta approach pointless. But the sneaky part is that under the hood, Obnam's snapshots are all incremental, at least in the sense that each snapshot only records changes since the last. The difference is that they are stored in copy-on-write (COW) b-trees like those Btrfs uses for filesystems. Any snapshot can be reconstructed from the b-tree, and individual snapshots can be removed by deleting their node and re-attaching the sub-trees. To make the COW b-tree approach space-efficient, it uses pervasive automatic data de-duplication. The same chunk of data on disk is re-used — both across multiple files and over multiple snapshot generations. In addition to saving space by not duplicating files that have not changed between snapshots, moving or renaming large files does not result in duplicate copies of the bits. By default, Obnam uses one-megabyte chunks, although this setting is adjustable in Obnam's configuration file. Obnam sports other features of practical value, such as built-in GnuPG encryption, which Wirzenius cited as a weakness in most rsync-based backup tools. It also works with local disks or over the network, including NFS, SMB, and SFTP. Wirzenius admits that the latter protocol is slow, but that SCP (which should be faster) lacks support for tracking information like file removals, which Obnam depends on. In network backup setups, Obnam supports both push (client-initiated) and pull (server-initiated) backup sessions. Storing and retrievingInstallation requires several of Wirzenius's other code projects, including his B-tree library larch and terminal status-update library ttystatus, plus paramiko a third-party SSH2 library. Most are packaged for Debian (Wirzenius packages his own projects for Debian), but not all of them are available in downstream derivatives like Ubuntu. He provides an Apt repository for the necessary packages; instructions and a link to the repository's signing key are provided on his Obnam tutorial page. The tutorial goes into further detail about Obnam's data de-duplication with practical examples. You can create a new backup with
obnam backup ~/projectfoo
and subsequently back up a parent directory with
obnam backup ~
Rather than re-save the files from projectfoo, the new
backup will point to the copy already on disk. Each backup created
with Obnam is specific to a directory; you can exclude specific
subdirectories with the --exclude= flag, but you cannot
backup several directories in a single command.
The tutorial also explains that Obnam automatically saves checkpoints every 100MB while creating a new backup. This is valuable because the initial snapshot is always akin to a full backup in other tools, and can be large enough to introduce failures. Checkpoints are not guaranteed to preserve the entire data set as are regular snapshots; they only allow an interrupted backup to resume without starting over from scratch. Obnam's basic usage is straightforward; the same
You can restore a directory from a snapshot with
obnam restore --to=/mnt/recovery-volume ~
(which will restore the most recent snapshot of your home directory to
/mnt/recovery-volume). You can optionally restore just a
file or a subdirectory from the snapshot with
obnam restore ~/importantfiles --to=/mnt/recovery-volume ~
You can also specify a specific intermediate snapshot by
appending a --generation=N flag to the restore command; you
can get a list of the available snapshots by running obnam generations. The obnam verify command checks
snapshot data against the files on disk, and obnam fsck
checks the internal consistency of the b-tree.
ForgetfulnessThe only real confusing part of working with Obnam is the snapshot retention process. You can tell the program to immediately delete older snapshots by running
obnam forget --keep=7d
(which will keep the most recent seven days' worth of snapshots), or
some variation. The wrinkle is that the 7d attribute will
keep only one backup per day for those seven days, even if
you run Obnam hourly. To keep seven days' worth of hourly snapshots,
you would need to specify --keep=168h.
You can set a snapshot retention policy in your configuration file that uses these rules in combination. You can retain hourly, daily, weekly, monthly, and yearly snapshots by providing a comma-separated list. For example, 12h,7d,3m will keep the last 12 hourly snapshots, the last seven daily snapshots, and the last three monthly snapshots. When the numbers start to converge (such as the last 48 hourly snapshots and last two daily snapshots) is when the potential for miscounting sets in; Wirzenius recommends that you try your retention policy on the command line with the --pretend option to simulate results before deploying them in the real world. In an email, Wirzenius elaborated a bit on those tricky multi-factor retention policies. Each retention rule (e.g., hour, day, or month) is examined separately by Obnam, he said, and a snapshot is kept if it matches any of the rules. So a 48h,2d policy would match 48 hourly snapshots, then match two additional daily snapshots, for 50 total. As of the 1.0 release, there are a few areas that need improvement, such as managing multiple clients storing snapshots on one repository; Wirzenius says that further thought is required before implementing a real "server mode." For example, two or more machines can run Obnam and push their backups to the same remote repository, and they will be tagged with the hostname of origin. However, Obnam can also be run from the repository machine and "pull" backups from the two remote sources, but in that case each one needs to specify a client name with the --client-name= flag in order for Obnam to keep their metadata separate. In practice, my interest in backup utilities stems largely from how rarely I make good backups on a regular basis (i.e., paranoia). I may be atypical in that way, but the primary reasons I have abandoned most of the backup utilities I have test driven in the past are the overhead in keeping track of full and incremental backup schedules and the lack of good tools for rotating old backups out without manual intervention. Obnam scores on both of those metrics. If you have a complicated setup with multiple machines, you may find quirks (such as the client name issue or the speed of SFTP) working against you, but Wirzenius is still at work on the code — and he seems quite happy to take bug reports and questions.
Fedora, secure boot, and an insecure futureThe UEFI secure boot mechanism has been the source of a great deal of concern in the free software community, and for good reason: it could easily be a mechanism by which we lose control over our own systems. Recently, Red Hat's Matthew Garrett described how the Fedora distribution planned to handle secure boot in the Fedora 18 release. That posting has inspired a great deal of concern and criticism, though, arguably, about the wrong things.On a system with secure boot enabled, the hardware will refuse to run any system that has not been signed by a key it recognizes. Secure boot is meant to be a way to thwart boot-time malware by ensuring that only trusted (and unmodified) software gains control of the system. It is not effective as a digital rights management (DRM) mechanism; if you can gain control of the system, it is relatively easy to fool an operating system into thinking that secure boot is in effect when it is not. Providing the degree of control needed for effective DRM requires a trusted platform module (or similar) and associated software. Secure boot does offer some hope of preventing a system from booting if its bootloader or kernel have been compromised by malware, though, as the "Flame" malware shows, there are limits to how much one can rely on signatures to keep systems secure. Secure boot could also, unfortunately, be effective in preventing booting if the user has tried to install an operating system of his or her choice. The Windows 8 logo requirements specify that secure boot must be enabled. After some pushback, the requirements have been amended to also say that it should be possible for the owner of a system to disable secure boot or install new keys. It does not say that these actions need to be easy to carry out, though. Given that changing secure boot is a firmware-level operation, users wanting to make changes will be subjecting themselves to the very best sort of user experience that can be created by BIOS developers. It would be entirely unsurprising, for example, if users were forced to hand-enter new keys as long hex strings. For this to be an unpleasant and error-prone process would not be surprising.
Fedora's planDevelopers in the Fedora camp have evidently come to the conclusion that they do not want to force their users to endure such an experience to be able to install Fedora on their systems. So Fedora has chosen to take a different approach. Availing themselves of the Microsoft developer program, they will purchase a Microsoft-signed key for $99, then use that key to sign a minimal bootloader. UEFI-enabled hardware will then consent to boot that bootloader, which will immediately turn around and boot a special version of the GRUB2 bootloader which, in turn, will boot the Fedora kernel. A Fedora system set up in this mode should boot on a system with secure boot enabled with no changes required. The appeal of this solution is clear: Fedora will "just work" on UEFI systems without forcing (possibly highly non-technical) users to make scary firmware-level changes. But there is a down side as well. The signed bootloader must ensure that it only runs GRUB2 if the GRUB2 binary has been signed by Fedora (using its own key at this point), and GRUB2 will only boot kernels that have been signed by Fedora. GRUB2 will need to be locked down, and the kernel too; the kernel will, for example, only be able to load modules that bear Fedora's signature. Given that, Red Hat's persistent attempts to get signed module enforcement into the kernel despite some interesting resistance make more sense. Much of the coverage of this plan in the mainstream media bore headlines like "Red Hat to pay Microsoft for the right to run Linux." Such headlines are not strictly true; the payment ($99 total) evidently goes to Verisign, and what is really being paid for is the ability to boot Linux with a minimum of UEFI-caused user inconvenience. The payment for a Microsoft-signed key raises eyebrows, but it is evidently seen as the best response to a bad situation. And perhaps that is just what it is. But it also raises a number of interesting questions.
A good idea?For example: what guarantees exist that a Microsoft-signed key will continue to be available in the future for a reasonable price? If secure boot takes over, and the only universally-recognized keys are those signed by Microsoft, then Microsoft will have a monopoly on the right to boot an operating system on future hardware. Corporations are, in general, not known for a principled refusal to exploit that kind of position, and this corporation, in particular, is well known indeed for the opposite sort of behavior. One can only assume that the price of such keys would increase in this situation. Microsoft will also have the right to revoke keys if they can be said to be a threat to the promises given by the secure boot mechanism. That is why Fedora must be careful to limit anything that enables direct access to the hardware; should somebody be able to get such access, the signed Fedora system could be used to attack Windows systems that have secure boot enabled. In theory, all it would take is a kernel security hole to enable this sort of attack; that could then cause the Fedora key to be revoked. A quick check shows about 20 kernel security updates issued by Fedora since the beginning of this year, with multiple vulnerabilities fixed in most. That could lead to a lot of key churn, especially if, as Alan Cox suggests, every kernel hole will require that its certificate be revoked. Depending on what software is run on a specific system (if it dual-boots Windows and Linux, for example), a revoked key could find itself into the system's "forbidden signatures" database. That would immediately disable the booting of the signed Fedora image, essentially crippling the machine. The amount of joy resulting from such an outcome can be expected to be small. Some developers have argued that Fedora's plan is a violation of the GNU General Public License, or, at least, of the Fedora project's own guidelines, despite Fedora's efforts to ensure that users retain as much freedom as possible. GPL enforcement actions in this case seem unlikely; there's no shortage of much more severely locked-down Linux systems out there, and they have not been the target of such actions thus far. But there is a definite risk of damage to the Fedora project's image as users discover that they cannot easily install their own kernels, add third-party modules, or run tools like SystemTap. Finally, there is the risk that Fedora's plan will legitimize the UEFI secure boot mechanism. For now secure boot can be disabled on x86 systems; what if Microsoft, in the future, points to Fedora 18 as an example of how everybody is able to work within the secure boot system and tries to make secure boot mandatory? Thus, some argue, Fedora is giving aid and comfort to those who would most like to take control of our systems away from us.
Why bother?Given all of this, one might well wonder why Fedora is pursuing this path. Fedora users are not generally known to clamor for locked-down systems that they cannot easily tweak. Without any inside information whatsoever, your editor suggests that there are two entirely plausible reasons for Fedora's attempt to work with secure boot:
So Fedora's decision to take this approach is not all that surprising. The project has concluded that it is better to restrict user freedom in certain settings to make their life easier in other ways; as Matthew Garrett put it:
[T]here's no way to rationally say that the loss of
freedom in terms of users not being able to produce their own
signed bootloader or kernel for free is more or less significant
than the benefit of having an operating system that users can
install without firmware reconfiguration.
For those who do think that the loss of freedom inherent in the Fedora scheme is unacceptable, the time between the present and when Windows 8 hardware starts shipping would be an ideal opportunity to demonstrate better alternatives. But it's not clear what those would be.
Alternatives?One could simply ignore secure boot, requiring users to disable it before they can install Linux on their machines. That imposes a potentially scary or difficult task on those users; by the specification, secure boot cannot be disabled by the software directly. There may also be resistance from users who see a switch saying "turn off security" and don't want to flip it. This approach will work fine for hard-core Linux users and developers, but seems certain to lose other kinds of users. An alternative would be to attempt to gain more control of the situation at the hardware level. An example can be seen in Google, which has made a point of ensuring that unlockable Android handsets exist and are available at a reasonable price. Hardware designed to run ChromeOS also, by design, comes with an easily-toggled physical switch that turns off the boot-time checks for users wanting to install their own software. The level of interest in "jailbreaks" for locked-down handsets shows that a lot of users do see value in having full control over the hardware they own. Open (and "open source") hardware has a following; it may be that the only real way to remain in control is to work to ensure that this kind of hardware continues to exist and has a growing market share. There should be a business opportunity here; projects like the Vivaldi tablet show that some people see that opportunity and are trying to pursue it. In the absence of open hardware, we will continue to be at the mercy of others whose interests are unlikely to be the same as ours (for just about any value of "ours"). That will leave us in a position where attempts to cope like what we're seeing with Fedora seem like the best options available. That does not seem like the path to freedom; it is not why we have spent decades developing free operating systems. Fedora's secure boot plan may be an effective workaround, but leaves the real bug unfixed.
Security Responsible disclosure in open source: The crypt() vulnerabilityAt the end of May, five separate open source projects released patches to close the same security hole in their software. This coordinated release and vulnerability handling is a demonstration that "responsible disclosure" can work, especially in open source. Responsible disclosure is the practice of security researchers discovering a vulnerability and contacting the software vendor to give them a reasonable time to fix it before the vulnerability is published. It contrasts with the policy of "full disclosure" in which security people publish the full details of any vulnerability immediately, in order to get information to the public as quickly as possible. Mostly, these two terms have shown up in the media as part of controversies, or even legal battles, which pit security researchers against software companies and each other. While the inflammatory confrontations gain most of the news headlines, it doesn't have to be that way. In fact, among open source projects, it isn't that way most of the time. The recent multi-product Crypt-DES vulnerability patch shows that responsible disclosure can and does work well in the open source world. The Crypt-DES vulnerabilityRobin Xu and Joseph Bonneau at Cambridge University had been investigating how non-ASCII passwords were handled by various systems for more than a year. Bonneau started on this research because of the massive Gawker security breach in 2010. In the course of investigating that, his team uncovered several issues with non-ASCII passwords in commonly used software. While the one at Gawker was quickly addressed — to some degree — he and Xu began a research project on the insecurities introduced by applying algorithms designed for ASCII to Unicode text. The version of crypt() using the DES algorithm (hereafter crypt-DES) is a simple irreversible hash designed to prevent storing passwords in plain text. Introduced in old Unix days, it had the advantages of easy implementation, portability between systems and programming languages, computational speed, and is hard enough to crack that dictionary attacks and social engineering were generally easier ways to grab passwords. Given the age and limited computational "strength" of crypt-DES, however, this is no longer true; brute-force computation of crypt() passwords is easily done. Programmers are encouraged to use more modern hashing and encryption algorithms, such as SHA1 and Blowfish. The "extended" DES version was introduced in BSDi in the early 1990's, improving the algorithm to have a larger "salt", more rounds of encryption, and also to support passwords longer than eight characters by "folding" them down to eight 7-bit characters using a first round of DES hashing. The last improvement is the problem which causes the crypt() vulnerability. Crypt-DES was designed for ASCII characters, and programmers who upgraded systems to support Unicode didn't really check to see how crypt-DES would work with Unicode passwords, since by that point crypt-DES was no longer mainstream. As it turns out, the folding is broken; the algorithm regards characters containing the byte 0x80 as a "stop" character and disregards any parts of the password after that byte. In many Unicode encodings, characters — such as the common character À — can contain a 0x80 byte, causing all characters after that one to be disregarded. This means if your password was Àlbanez60, then crypt-DES would match it with any password beginning with À. This is also a good illustration of how security is a process and not an end result. Crypt-DES was an adequately secure password hashing approach well into the mid 1990's, which is why people stopped testing it. It was the introduction of popular Unicode-compliant versions of programming languages and databases which has made it less secure than anyone realized. Contacting projectsHaving found this issue, Xu, Bonneau, and other Cambridge graduate students spent several weeks examining some common software and found that the defective version of Crypt-DES was still shipping with several open source software packages, among them PostgreSQL and FreeBSD. Having found the vulnerability, they emailed the private security mailing lists for the affected projects. The PostgreSQL security team received this email on April 24th:
My name is Rubin Xu, a PhD student at University of Cambridge. While my colleague and I were investigating how websites handle non-ASCII passwords, we noticed a glitch in one of the standard DES crypt() implementation which causes certain Unicode passwords to be truncated before being DES digested. Unfortunately PostgreSQL seems to be shipping with the offending code as well.
The Cambridge team had previously contacted a few other projects, including FreeBSD. The FreeBSD and PostgreSQL projects had to decide what to do about patching the vulnerability. For anyone affected by it, an updated version of crypt-DES would require that all affected passwords (ones containing the 0x80 byte) be regenerated. While neither PostgreSQL nor FreeBSD used crypt-DES for system authentication, both supply functions which are used to hash application passwords. Because of this disruption to some users' applications, it couldn't be done casually. The FreeBSD security team contacted the OpenBSD, NetBSD and DragonflyBSD projects. Rubin Xu's research indicated that PHP's crypt() also had the faulty algorithm, and had attempted to contact the PHP security team without success. Members of FreeBSD contacted them and brought them into the discussion. NetBSD turned out not to be vulnerable. Coordinating a releaseAmong the affected projects, this vulnerability was considered moderate in severity, since it only affected a minority of users of each project. Not only did users need to build applications using crypt() with DES, despite other, more modern hashing options being available, but the password vulnerability only affects passwords with Unicode characters including the 0x80 byte. Specifically, the vulnerability was limited to:
On the other hand, the vulnerability affects passwords, which means it's specifically a hole in code people have written to secure their systems. That raised this vulnerability from obscure to moderately serious. So FreeBSD filed for a Common Vulnerability and Exposure number (CVE), and the projects began trying to coordinate a release. From the perspective of the projects, once one project announced a release and CVE-2012-2143 became public, it wouldn't take much cleverness for a even a newbie black hat to figure out the vulnerability in other products. That meant coordinating a release date among five different projects. In surprisingly short order, they reached a compromise date of May 30th, which was the earliest reasonable release date. On that date:
The entire timeline from the discovery of the vulnerability to deploying fixes for multiple projects took about three months. The majority of this time (about seven weeks) was taken up by the researchers finding and contacting affected projects. If there's room for improvement in the process of responsible discovery, it's that finding affected projects or products and contacting their security teams is slow and time-consuming. The remaining five weeks is only two weeks longer than the minimum time for most packaged projects to do a release at all, due to packaging, scheduling, testing, and coordination requirements. One could easily argue that immediate disclosure would have gotten the news about the vulnerability out much sooner, but it's not clear how that would have benefited affected users until fixes for their software were available. In relatively short order, five major open source projects were updated to close it. Nobody was threatened, no single project's users or developers were singled out, the security researchers were thanked for their work, and nobody needed to spend more than a few hours of their time getting the fixes made and released. At least from the perspective of software maintainers and regular users, this episode looks like a success. Why it worked this timeThis whole episode had two important factors to make it a relative success: the security researchers were university staff unmotivated by fame or profit, and the open source projects are community non-profits lacking incentives to defer or deny patching security holes. This meant that everyone involved was motivated to fix the vulnerability in the fastest, most responsible way possible. This is by no means exceptional in the open source world. On the PostgreSQL project today, as with many other open source projects, companies and academic researchers regularly practice responsible disclosure, letting the developers know about a security issue in a reasonable time to fix it. If anything, this is the rule in the non-profit open source world. So why does disclosure cause friction, user exposure, blog wars, and legal threats in the for-profit world? Well, when you look at failures of security disclosure, the overwhelming trend is bad faith. Software companies don't want to do expensive releases and get bad press for security issues, so they put off security researchers forever, or even threaten them. Security people or their employers want fame and attention so they publicize security holes as widely as possible without verification, or giving the vendor a chance to patch issues. Or worse, researchers, companies and agencies participate in a marketplace of secret security exploits. So, while responsible disclosure can and does work in the non-profit open source world, it's not clear how to transfer these practices to the for-profit world, or even if it's possible to do so. Maybe the answer is simply to use more open source software. [ Note that MITRE has not updated their CVE database. As such, the CVE link for the exploit will still show as "pending". ]
Brief items Security quotes of the week
One of the nastier effects of this (and it didn't start
with EFI and 'secure' boot but with Android) is that people are now
hoarding kernel security holes rather than reporting them. Previously bad
guys hoard them, good ones fixed them. Now everyone is hoarding them so
end user security will suffer drastically.
-- Alan Cox
Why not just avoid the entire Secure Boot problem by using Coreboot? Because the reason we have the Secure Boot problem is because Microsoft's Windows 8 certification requirements mean vendors have to ship a UEFI implementation with Secure Boot. You could satisfy that by using Coreboot with a Tiano payload, but it'll still have Secure Boot enabled so you still have the same set of problems. But maybe you could just reflash your system with Coreboot? No, because another part of the requirements states that all firmware updates have to be cryptographically signed now. The only way to reflash will be to attach a flash programmer directly to your motherboard.
-- Matthew Garrett
So why not just use Coreboot? Because it doesn't help solve this problem in any way.
Deleting intermediate certificates is pointless. You can only rely on revocation (which is known to be very unreliable), _or_ (preferably) you should import the same certificate in the _revocation_ branch of the SYSTEM certificate store. Only in that case you can be certain that the particular certificate will be untrusted (regardless of whether it is present in one of the _trusted_ stores or not).
-- Erik van Straten
As the article makes clear, the 6.5 million hashes are likely just those the hackers couldn't crack. The take-away from this is: It means nothing that you don't find your password in the list. Out of an abundance of caution, readers should presume the entire list has been obtained and change their password no matter what.
-- Dan Goodin
Critical vulnerability derails Ruby on Rails (The H)The H reports on a newly-discovered SQL injection vulnerability in Ruby on Rails, affecting the 3.0.x, 3.1.x, and 3.2.x versions. "The vulnerability exists in versions 3.0 and later of Active Record, Rail's database layer, and is exposed when using nested query parameters. Code that directly passes parameters to a where method, is affected. For example, using the common idiom params[:id] can be tricked into returning a crafted hash which causes the generated SQL statement to query an arbitrary table." The Rails team pushed out a fix, but shortly thereafter had to follow it up with another.
New vulnerabilities apache-commons-compress: denial of service
arpwatch: privilege escalation
bind: multiple vulnerabilities
drupal7: full path disclosure
firefox: multiple vulnerabilities
globus-gridftp-server: privilege escalation
kernel: multiple vulnerabilities
moodle: multiple vulnerabilities
nut: application crash
openoffice.org: code execution
php: integer overflow
postgresql: multiple vulnerabilities
python-crypto: insecure key generation
rubygem-rack-cache: information leak
socat: buffer overflow
Page editor: Nathan Willis Kernel development Brief items Kernel release statusThe current development kernel is 3.5-rc1, announced on June 3. "It's a pretty normal release - roughly 60% drivers, 20% arch updates, and 20% "all over" - filesystems, documentation, tools, you name it. [...] Depending on what your interest is, you might be excited about the CoDel packet scheduler, or about the GPU driver updates, or the new scsi targets. There is something in here for pretty much anybody."Stable updates: the 3.0.33, 3.2.19, 3.3.8, and 3.4.1 stable kernels were all released on June 4; each contains a long list of fixes. 3.3.8 is the final update for the 3.3 series.
Quotes of the week
I might be misreading and missing details, though - that code is
really as pleasant to read as using warm stale beer to deal with
industrial-strength hangover. The kind when you end up spitting
out a fly or two, if not a cigarette butt.
— Al Viro
You wouldn't want me to say that I think you're right,
— Hugh Dickins
it would impudently suggest that I might conceive of you being wrong. I sigh for your heavy burden.
Complexity is my Sun, and I am the planet that orbits around it.
— Steven Rostedt
Thing is, first thing on Monday morning my brain don't work too
fast. If I then get to basically reverse engineer a patch because
people forgot to mention all the important bits, I get annoyed.
— Peter Zijlstra doesn't accept
poorly-described patches before Tuesday
Kernel development news The conclusion of the 3.5 merge windowLinus closed the 3.5 merge window on June 2; the announcement for the 3.5 prepatch came one day later. Just under 1,000 patches were pulled into the mainline after the writing of last week's merge window summary, for a total of 9,534 for the merge window as a whole. Some of the more significant changes pulled at the end of the merge window include:
Changes visible to kernel developers include:
At this point, the addition of features for the 3.5 development cycle should be at an end unless something sneaks in before -rc2. If the usual pattern holds, the final 3.5 release can be expected right around the beginning of August.
Generic red-black treesRed-black trees (or "rbtrees") are used throughout the kernel to maintain a sorted list of related items. For example, the block I/O subsystem uses an rbtree to maintain a list of outstanding requests sorted by sector number, and the scheduler has an rbtree of runnable tasks sorted by a quantity known as "virtual runtime." The rbtree interface was described in this 2006 article; it has since been extended, but the core features of the API remain the same. In particular, users must provide their own functions for inserting nodes into the tree and performing searches; that allows the creation of highly-optimized rbtrees containing arbitrary types of structures.There is some appeal to being able to hand-code the search and insertion functions, but there would also be value in generic implementations. The amount of code in the kernel would shrink slightly and the task of debugging those functions would, hopefully, only have to be done once. So it is arguably surprising that nobody has proposed a generic rbtree implementation for all these years. Just as surprising is the fact that two independent generic implementations surfaced at about the same time. The simpler of the two can be found in this patch set from Kent Overstreet. In this version, rbtree users are required to provide a function to compare two rbtree nodes with this prototype:
typedef int (rb_cmp_t) (struct rb_node *l, struct rb_node *r);
With that in place, the following new functions become available:
int rb_insert(struct rb_root *root, struct rb_node *new, rb_cmp_t cmp);
void rb_insert_allow_dup(struct rb_root *root, struct rb_node *new,
rb_cmp_t cmp);
struct rb_node *rb_search(struct rb_root *root, struct rb_node *search,
rb_cmp_t cmp);
struct rb_node *rb_greater(struct rb_root *root, struct rb_node *search,
rb_cmp_t cmp);
As can be seen from the prototypes, all of these functions deal directly with rb_node structures. Only the comparison function needs to know about what sort of structure the rb_node is embedded within. There is no compile-time mechanism to ensure that the comparison function expects the actual structures found in the tree, but one assumes any errors along those lines will show themselves quickly at run time. One potential problem is that rb_search() and rb_greater() need to know what is being searched for; that, in turn, requires creating and passing in one of the structures stored in the tree. In some situations, that structure may need to be created on the stack, which is a clear problem if the structure is large. Unfortunately, in the block subsystem example mentioned above, that structure (struct request) is large indeed. Kent has tried to work around this problem by providing inlined versions (called _rb_search() and _rb_greater()) that, with luck, will cause the stack allocation to be optimized away. That depends on all supported versions of the compiler doing the right thing on all architectures, though, which may make some people nervous. The alternative patch set, posted by Daniel Santos, is significantly more complicated. It can be thought of as a set of tricky preprocessor macros and inline functions that serve as a template for the creation of type-specific rbtree implementations. Here, too, one starts with the creation of a comparison function:
typedef long (*rb_compare_f)(const void *a, const void *b);
In this case, the comparison function will be passed pointers to the actual key value stored in the rbtree node. One then defines an "rbtree interface" with this daunting macro:
RB_DEFINE_INTERFACE(prefix, container_type, root_member,
left_pointer, right_pointer,
object_type, rbnode_member, key_member,
flags, comparison_function, augment_func);
Eleven arguments are a lot to keep track of, so it makes sense to discuss them in the context of an example (taken from Daniel's patch). The CPU scheduler defines a type (struct cfs_rq in kernel/sched/sched.h) to represent a run queue; each run queue contains a red-black tree called tasks_timeline. To optimize the location of the highest-priority task to run, the scheduler keeps a pointer to the leftmost tree node in rb_leftmost. The entries in the red-black tree are of type struct sched_entity (defined in <linux/sched.h>); the embedded rb_node structure is called run_node, and the key used to sort the tree is the u64 value vruntime. To create the scheduler's tree using the generic mechanism, Daniel adds this declaration:
RB_DEFINE_INTERFACE(
fair_tree,
struct cfs_rq, tasks_timeline, rb_leftmost, /* no rightmost */,
struct sched_entity, run_node, vruntime,
0, compare_vruntime, 0)
Here, fair_tree is the "prefix" value used to generate the names of the tree functions—see below. The next line describes the structure containing the tree (struct cfs_rq), the name of the tree, and the name of the leftmost pointer used by the scheduler; there is no rightmost pointer (nobody cares about the lowest-priority task), so that parameter is simply left blank. The line after that describes the structure contained within the tree (struct sched_entity), the name of its embedded rb_node structure, and the name of the key value. Finally, no flags are given, compare_vruntime() is the comparison function, and, since this is not an augmented tree, there is no augmented callback function. Yes, it lacks a semicolon—the macro supplies that itself. The result is a new set of functions like:
struct sched_entity *fair_tree_insert(struct cfs_rq runqueue,
struct sched_entity *entity);
void fair_tree_remove(struct cfs_rq runqueue, struct sched_entity *entity);
struct sched_entity *fair_tree_find(struct cfs_rq runqueue, u64 *key);
/* ... */
These functions are all defined with the proper type, so the compiler will ensure that they are always called with the proper argument types. Everything is defined as __always_inline, so the implementations will be inlined at the place where they are called. That should eliminate any performance penalty caused by out-of-line implementations (as seen in Kent's patch), but, so far, nobody seems to have tried to measure that penalty. There has been little in the way of review of these patches in general. They represent different approaches to the task of creating a generic red-black implementation, one emphasizing simplicity while the other emphasizes explicitness and type safety. Which version might be inserted into the mainline kernel—if either goes in—is entirely unclear at this point.
Volatile ranges with fallocate()Last November LWN looked at the volatile ranges patch set from John Stultz. This patch is intended to bring an Android feature into the mainline, but it is a reimplemented feature that is more deeply tied into the memory management subsystem. That patch has now returned, but the API has changed so another look is warranted.A "volatile range" is a set of pages in memory containing data that might be useful to an application at some point in the future; a key point is that, if the need arises, the application is able to reacquire (or regenerate) that data from another source. A web browser's in-RAM image cache is a classic example. Keeping the images around can reduce net traffic and improve page rendering times, but, should the cached images vanish, the browser can request a new copy from the source. Thus, while it makes sense to keep this data around, it also makes sense to get rid of it if a more pressing need for memory arises. If the kernel knew about this sort of cached data, it could dump that data during times of memory stress and quickly reclaim the underlying memory. In such a situation, applications could cache more data than they otherwise would, knowing that there are limits to how much that caching can affect the system as a whole. The result would be better utilization of memory and a system that performs better overall. Google's Robert Love implemented such a mechanism for Android as "ashmem." There is a desire to get the ashmem functionality into the mainline kernel, but the implementation and API were not to everybody's taste. To get around that problem, John took the core ashmem code, reworked the virtual memory integration, and hooked it into the posix_fadvise() system call; that is the version of the patch that was described last November. Dave Chinner subsequently pointed out that this functionality might be better suited to the fallocate() system call. That call looks like this:
int fallocate(int fd, int mode, off_t offset, off_t len);
This system call is meant to operate on ranges of data within a file. Of particular interest, perhaps, is the FALLOCATE_FL_PUNCH_HOLE operation, which removes a block of data from an arbitrary location within a file. Declaring a volatile range can be thought of as a form of hole punching, but with a kernel-determined delay. If memory is tight, the hole could be punched immediately; otherwise the operation could complete at some later time, or not at all. Given the similarity between these two operations, it made sense to implement them within the same system call; John duly reworked the patch along those lines. With the new patch set, to declare that a range of a file's contents is volatile, an application would call:
fallocate(fd, FALLOCATE_FL_MARK_VOLATILE, offset, len);
Where offset and len describe the actual range to be marked. After the call completes, the kernel is not obligated to keep that range in memory, and is not obligated to write that range to backing store before reclaiming it. The application should not attempt to access that portion of the file while it has been marked volatile, since the contents could disappear at any time. Instead, if and when the data turns out to be useful, a call should be made to:
fallocate(fd, FALLOCATE_FL_UNMARK_VOLATILE, offset, len);
If the indicated range is still present in memory, the call will return zero and the application can proceed to work with the data. If, instead, any part of the range has been purged by the kernel since it was marked volatile, a non-zero return value will inform the application that it needs to find that data somewhere else. Any filesystem could conceivably implement this functionality, but, in practice, it only makes sense for a RAM-based filesystem like tmpfs, so it is only implemented there. The patch is in its third revision as of this writing, having gotten a number of comments in its first two iterations. The number of complaints has fallen off considerably, though, suggesting that most reviewers are happy now. So this feature may just find its way into the 3.6 kernel.
Patches and updates Kernel trees
Core kernel code
Development tools
Device drivers
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Virtualization and containers
Page editor: Jonathan Corbet Distributions Looking forward to Fedora 18With Fedora 17 freshly released, the project has turned its attention to deciding on a feature set for Fedora 18. Among the approved changes so far are mounting /tmp in RAM, a better "hotspot" mode for WiFi connection sharing, a rewritten graphical installer, and a reorganization of the package categorization system. The basicsNew Fedora features must be approved by the distribution's Engineering Steering Committee (FESCo), which discusses them during its weekly IRC meetings. The approved list resides on the Fedora wiki. At the moment, it lists 14 items — but there are a few more recent additions, plus some proposals still in limbo. Proponents will have until July to make their cases for additional features. Several of the items are mundane, such as bumping a major package to the newest upstream version. Individual packages rarely merit a hearing by FESCo, but the group weighs in where it concerns major projects (such as desktop environments) or packages that affect a large number of dependencies (such as programming languages, compilers, or packaging). Among those key package updates for Fedora 18 are Xfce 4.10, the Glasgow Haskell Compiler (GHC) 7.4, Boost 1.50.0, RPM 4.10, and the Perl-Compatible Regular Expression (PCRE) library 8.30. Other system infrastructure pieces receiving a change in Fedora 18 are Kerberos and Red Hat's GlusterFS filesystem. The Kerberos package will move its cached credentials from /tmp/ to under /run/user/, while GlusterFS will be incremented to version 3.3. GlusterFS is designed to work with Red Hat's OpenShift cloud computing platform, which will also be added to Fedora 18. The package added will be OpenShift Origin, which is the community version of the OpenShift product. The distribution also wants to make Fedora machines work with Microsoft Active Directory domains out-of-the-box, a project that involves configuration and bug fixes in a variety of packages. Kerberos configuration is among them, but the fixes target SSH, NTP, and an array of other tools. User-visible desktop featuresFedora's installer is called Anaconda, and a visual and architectural overhaul has been in the works since 2011. According to the wiki, the user interface has not been updated in six to seven years, which makes it badly in need of a new coat of paint, but there are also architectural limitations to the design that make it difficult to add new features (both for Fedora itself and for downstream distributions). The plan is to rework the installer according to a "hub and spoke" design, in which only a few configuration screens are mandatory and demand user input, with optional configuration screens accessible for those who need them. GUI mock-ups and other design documents are on the wiki. A side-effect of the overhaul is that the text-mode version of the installer will be dropped for Fedora 18, and slated to reappear for 19. A related change is the refactoring of the distribution's package groups. These are the metadata-defined blocks of related packages that users can use to install sets of applications and libraries that serve a related need. Years ago, installing packages in such blocks was the norm in most distributions, but Fedora's group definitions have drifted out of alignment with the components that actually serve as the "building blocks" for Fedora itself and its "spin" derivatives. Refactoring the groups should ease maintenance in the long run, but implementing the change involves a lot of package metadata editing. A practical change on the feature list is a new, easy-to-use WiFi hotspot mode in NetworkManager. This is a feature used for turning the computer into a WiFi access point to be shared with other devices. The existing version of the hotspot-sharing mode uses WiFi Independent Basic Service Set (IBSS) ad-hoc mode, but in practice ad-hoc mode is not reliable (particularly if WPA or WPA2 is activated). As a result, many consumer devices refuse to connect to ad-hoc networks. The new hotspot mode will in essence let the Fedora box function as a standard WiFi access point (AP). Allowing Fedora to present itself as an AP will make connection sharing work with these devices. System component updates and migrationFedora 18 will also move /tmp to a tmpfs filesystem in RAM by default. As we covered last week, there are pros and cons to this approach, but FESCo decided that tmpfs-backed /tmp offered more benefits in the common case than downsides. The option to store /tmp on disk will still be provided. Interestingly, one of the main reasons cited for the Kerberos cache move mentioned earlier was that /run/ is a tmpfs filesystem and will vanish when the machine is rebooted, offering better security — but if /tmp moves to tmpfs, too, users will get the same added security they would from moving Kerberos's cache to /run. There are other system components being refreshed in the new release. One is migrating access control to privileged operations entirely to PolicyKit. The usermode package, which includes userhelper, userinfo, usermount, and userpasswd, is one of the last holdouts. These tools are setuid root shims around existing system tools, and will be replaced with PolicyKit-managed access to the underlying programs. The procps tools are also marked for replacement, in this case by the rewritten procps-ng suite. Procps is the suite of utility programs that report on and manage process information: ps, top, kill, free, and so forth. Fedora's "legacy" version of these utilities long ago diverged from upstream with a series of distribution-specific patches, to the point where they can no longer be re-merged. The procps-ng utilities are a rewrite designed to provide better message and error printing, exit codes, and cleaner behavior all around. Finally, as we discussed in greater depth elsewhere, Red Hat's Matthew Garrett is implementing support for UEFI's secure boot for Fedora 18. The plan involves purchasing a secure boot signing key for the project and making changes to the bootloader and kernel module-loading process to permit only signed binaries to boot on secure boot hardware. More to comeFESCo recently ratified the release schedule for Fedora 18, which gives contributors until the first week of July to propose new features for inclusion, aiming for a final release at the end of October. There are a few still under consideration that may make the cut before the deadline, including adding ARM as a first-class architecture and a new first-run tool. Promoting ARM support to the first tier would mean treating ARM equally alongside i686 and x64_64 in the project's build system. Proponents of the feature argue that although ARM devices vary in their capabilities, including many low-power devices without floating-point support, there are enough general-purpose desktop and laptop machines capable of serving as everyday PCs to warrant ensuring that Fedora runs on them. They also point out that ARM-based servers will come to market in the not too distant future. The promotion is a major undertaking, though, including hardware changes in Red Hat's build facility, plus extensive QA work on everything from the kernel to Anaconda. The idea has its supporters, but it could prove too ambitious for this cycle. The new first-run tool is documented as the Fedora Initial Experience. It encompasses post-installation setup, from license notices and networking setup to online account configuration and a tour of the GNOME 3 desktop. The specification is for some of these Initial Experience steps to replace the normal GDM login after installation. However, there remain issues to be sorted out, including how to make setup tasks optional and how to smoothly transition between the Initial Experience and a regular login session. With around one month to go, there is still plenty of time to add to the feature list; there may be new surprises or the reanimation long-delayed efforts like Btrfs-by-default or LXC containers. Thus far, Fedora 18 is taking on a smaller set of changes than those tackled in Fedora 17 — though some of them are of greater significance than a single bullet-point on a list suggests. The OpenShift features and ARM support would even the distribution with Ubuntu's offerings in those areas, which is clearly of interest to both the community and Red Hat. On the other hand, the UEFI secure boot feature has already spawned considerable debate, as has the /tmp move to a lesser degree. How those debates shake out will be interesting to watch over the coming six months.
Brief items Distribution quote of the week
We seem to have a problem with being willing to trade off simple
solutions that will greatly benefit users, for doing things "right",
even when doing things "right" benefits users *less*.
-- Joey Hess
A Gentoo x32 release candidateThe x32 ABI enables the running of processes in 64-bit mode while using 32-bit pointers, hopefully getting the best of both the 32-bit and 64-bit worlds. Users of most distributions will have to wait some time for an x32 version, but Gentoo, as is often the case, is ahead of the curve: there is an x32 release candidate available now. "I call this a release candidate as it is using glibc-2.15 with backported patches. the ABI however should be the same as glibc-2.16, so hopefully the upgrade will go smooth. but i don't want to make an official release on the chance that things aren't smooth, so this is a release candidate."
Debian Diversity statement acceptedThe Debian project has accepted a diversity statement which reads:
The Debian Project welcomes and encourages participation by everyone.
No matter how you identify yourself or how others perceive you: we welcome you. We welcome contributions from everyone as long as they interact constructively with our community. While much of the work for our project is technical in nature, we value and encourage contributions from those with expertise in other areas, and welcome them into our community. The Debian Project has a press release available.
Distribution News Debian GNU/Linux Bits from the Ruby team: switching to Ruby 1.9 and trasition to new policyThe Debian Ruby team has announced that Ruby 1.9 will be the default Ruby interpreter. Ruby 1.8 will be available in Wheezy, but will be dropped for Wheezy+1. Click below for a look at what that means for Ruby users and package maintainers.
Gentoo Linux Gentoo Council 2012/2013 electionNominations for the Gentoo Council 2012/2013 are open until June 17, 2012. Anyone can nominate a candidate, but voting is only open to those who were active Gentoo developers as of June 3.
Newsletters and articles of interest Distribution newsletters
Page editor: Rebecca Sobol Development Geary: simple email, for nowYorba released the first usable version of its desktop email client Geary on May 4. Geary is heavily GNOME-based, but is focused on working well with popular web-based email providers out of the box. The initial release boasts considerable UI polish, but only a basic feature set. Yorba is a relatively young non-profit software project that is developing several GNOME-centric desktop applications. Arguably the most well-known of the bunch is the lightweight photo organizer Shotwell. Geary is the newest offering, and like its sibling projects it is developed in the Vala language and uses SQLite for storage (in Geary's case, that includes offline email cached to enable full-text searching). It also comes with desktop notifications to integrate into the GNOME 3 environment. On the one hand, a skeptic might asked why yet another desktop email client is necessary for GNOME, when there are so many well-established options — including the "official" client, Evolution. But that might be a question fairly leveled at the other Yorba projects, too, and they have gained popularity among users due to their simplicity. There is considerable bloat and feature-creep in Evolution, Thunderbird, and similar email clients. Geary seems designed to do away with as much of it as possible, starting over with recent GNOME platform components, and targeting GNOME desktop integration. In the 0.1 release, Geary offers support for IMAP accounts only, and the application is limited to one account. The account data is stored in its own subdirectory under ~/.local/geary/, though, and multiple accounts are on the roadmap. The account setup window also comes pre-configured for GMail and Yahoo Mail accounts, which should suit the needs of a large portion of the user community. It does support SSL/TLS, but without much control over the settings — I was unable to get it to connect to TLS-equipped private mail server, for example. Read Me![[Geary main window]](/images/2012/06-geary-read-sm.jpg)
But supporting multiple server features is clearly not the emphasis in this release; a lot of work has gone into the presentation of messages and message conversations themselves. The application window is split into three columns: one for folders, one for the selected folder's message threads, and one for the open thread. Geary mimics GMail's "conversation" view, in which each thread is treated as a unit; Geary opens the entire thread as one item, with each message rendered in order in one long, scrollable pane. This is rapidly becoming the most popular way to render email threads, and it has its advantages. First, when reading long discussions, you can quickly scroll through the entire thread without clicking to load every message. Second, you see more of your inbox in the folder-contents column, by virtue of having each thread occupy only one list element. On the other hand, it is easier to get lost in a long thread, and it is more difficult to leap right to a specific message. Geary makes this message threading model the only option, and the three-pane view the only window arrangement. More subtle, but equally important, is the work that has gone into displaying the messages themselves. Each email is rendered onto the message canvas like a sheet of paper, with headers and metadata (such as sender's avatar images) set off only by font attributes and spacing. The look is cleaner, and nicer than what Evolution and Thunderbird use, both of which employ separate GTK+ panes for message content and headers. ![[Geary composition window]](/images/2012/06-geary-write-sm.jpg)
There are not a lot of other features to explore in this first release; you can read, reply to, and forward email. Message composition is not as smooth as message display — the editor looks like any other email client's composition window, which is not something that would be noteworthy except that it breaks with the slick presentation used for message display. Only HTML email is supported, and the editor sports an uneven set of editing tools. For example, your only font size choices are the vague "Small," "Medium", and "Large," but you have the full RGB / HSV color selector wheel to play with. I doubt I have often needed precise control over my font sizes in outgoing mail, but I have definitely needed it more often than I have needed multicolor text. There is a basic spell-checker built-in, which functions only in as-you-type mode. Missing miscellanyWhat you do not get in this release is support for daily email tasks beyond message reading: no attachments, no searching, no filters, and so on. There is also no address book functionality, junk mail filtering, or encryption. It is clear that at least some of these tasks are already on the Yorba project's to-do list (hence the advertisement of SQLite, despite the fact that message searching is not implemented in 0.1). Thus, it is not a criticism of the project to point out that these features are absent, it is merely a warning that the client is not ready for industrial usage. But I can't help but wonder how much of the "clean and simple" shine that Geary 0.1 enjoys will rub off as the project is forced to add more features to the mix (and to the window). For example, right now the three-pane window is slick, putting message reading front and center with each thread represented by a minimalist "card" showing a short message preview and an unread count. But there are not any columns in that view; it does not take long to realize that there is no way to sort the messages any way other than date, newest messages on top. A lot of users will want to sort and re-sort their mail folders, and it will be challenging to implement without adding considerable complexity to the clean and simple UI design. That hurdle gets drastically higher when you start talking about address book management, or, worst of all, the pinnacle of usability nightmares that is public key encryption. In short, it is pretty easy to make a clean and simple user interface when you only implement a handful of features. What few projects can do is maintain the high standard of UI design as the feature set expands outward. That is not simply a theoretical challenge; as Shotwell has added more and more features, its menus and sidebar have started to fill up, making the application look more and more like every other photo organizer. Of course, part of the reason for Yorba's projects is presumably to develop new code-bases built on top of Vala, GObject, and other modern GNOME frameworks, so in the long run feature creep is probably not anathema. At the moment, however, Geary offers a smooth and lightweight email reading experience. You could adapt Thunderbird to mimic many of the new application's UI features (via extensions or optional settings), but of course you do so with a higher memory footprint and more complexity. So perhaps it is a good idea to enjoy the simplicity of Geary while it lasts.
Brief items Quotes of the week
I think it's better to give users the rope they want than to try
and prevent them from hanging themselves, since otherwise they'll
just use the power cords as ropes and electrocute themselves.
— Guido van Rossum
Now I’ll say it publicly: I formally object to any attempt by OSI
to pretend that the current list of “recommended licenses” has any
value or validity, and I request that you NOT patch it by putting
useless explanations around it. Please start a meaningful community
process to develop license selection guidelines and explanations of
the differences among licenses, and leave the politics and biases
on the cutting room floor.
— Lawrence Rosen
Firefox 13 releasedThe Firefox 13 release is out. New features include improved 'new tab' behavior and better access to utilities (bookmarks, history, etc.) from the default home page. There are plenty of bug fixes, some security related. See the release notes for details.Update: Thunderbird 13 has also been released. The Thunderbird release notes have the details.
KDE Announces 4.9 Beta1 and Testing InitiativeKDE has released the first beta for its renewed Workspaces, Applications, and Development Platform. Some highlights of 4.9 include Qt Quick in Plasma Workspaces, improvements in the Dolphin file manager, deeper integration of Activities, plus performance improvements and bug fixes. KDE's Beta Testing Team could always use help finding bugs before the final released. "The Beta Testing Team is a group of people who will do a 'Testapalooza' on the beta releases, catching as many bugs as possible. This is organized in a structured process so that developers know clearly what to fix before the final release. Anyone can help, even people without programming skills."
Obnam 1.0 releasedLars Wirzenius has announced the stable, 1.0 release of his backup tool Obnam. "It's been a long project, much longer than I expected, and much longer than was really sensible. However, it's ready now. It's not bug free, and it's not as fast as I would like, but it's time to declare it ready for general use. If nothing else, this will get more people to use it, and they'll find the remaining problems faster than I can do on my own." Among other features, Obnam makes btrfs-style "snapshot" backups and uses data de-duplication to save space.
Samba 4.0 beta1 releasedSamba 4.0 is getting closer: the first beta release is now available for testing. "We are making this beta release to gain real-world use of the 's3fs' file server combination we will use for the Samba 4.0 release. Users should expect some rough edges."
Twisted 12.1.0 releasedVersion 12.1.0 of the Twisted "networking engine" has been released. There's lots of new reactors for BSD kqueue support, GTK3 and GObject introspection, better file descriptor passing, systemd support, and more; see the NEWS file for details.
Newsletters and articles Development newsletters from the last week
Page editor: Jonathan Corbet Announcements Brief items Samsung becomes a Linux Foundation platinum memberThe Linux Foundation has announced that it has signed up Samsung at its highest membership level. "With today’s announcement, Samsung Electronics is reiterating its commitment to Linux and investing its resources in a platform it believes will help sustain its global leadership position. The company will work with The Linux Foundation on streamlining its participation with the kernel community and adopting open source best practices."
Red Hat launches CloudForms platformRed Hat has announced the availability of Red Hat CloudForms. "CloudForms is an open hybrid cloud management platform built to enable enterprises to create and manage Infrastructure-as-a-Service (IaaS) hybrid clouds with the ability to make self-service computing resources available to users in a managed, governed and secure way."
"Linux Tycoon" and "2299" now FreeBryan Lunduke has released his software under the GPL. "I put a challenge to the community last week: Help me raise enough funds to support me working full time, and I will Open Source (under the GPL) all of my games and software. The community stepped up and we hit that goal in just 8 short days -- helping to prove the viability of supporting Open Source development via Donations." "Linux Tycoon", the Linux-distro-simulation game, and "2299 : THE GAME" are the first of his games to be released under the GPL.
Articles of interest Free Software Supporter -- Issue 50, May 2012The May issue of the Free Software Supporter covers an FSF statement on Oracle v Google, DRM, a call on the new French president to "Stop software patents", and several other topics.
FSFE Newsletter - June 2012The Free Software Foundation Europe Newsletter for June covers the usage of terms like FOSS, Libre Software, FLOSS; enforcing web standards; French elections and non-free software; and several other topics.
Ah! The Morning After... (Groklaw)In a follow-up to yesterday's coverage of the Oracle v. Google ruling on the copyrightability of APIs, Groklaw has a summary of the reactions from various parties in and around the lawsuit, including interpretations on the case's broader impact. "The ruling totally wipes away the earlier partial ruling by the jury on the API question. Or as lawyers would say, it's now moot. There is no question of fair use for code that can't be copyrighted. You can't infringe something that isn't covered by copyright law, and so you don't need a defense like fair use."
8 million leaked passwords connected to LinkedIn, dating website (ars technica)Ars technica reports that a cracker has posted 8 million cryptographic hashes to the Internet that appear to belong to users of LinkedIn and also a popular dating website. "The massive dumps over the past three days came in postings to user forums dedicated to password cracking at insidepro.com. The bigger of the two lists contains almost 6.46 million passwords that have been converted into hashes using the SHA-1 cryptographic function. They use no cryptographic "salt," making the job of cracking them considerably faster. Rick Redman, a security consultant who specializes in password cracking, said the list almost certainly belongs to LinkedIn because he found a password in it that was unique to the professional social networking site. Robert Graham, CEO of Errata Security said much the same thing, as did researchers from Sophos. Several Twitter users reported similar findings." If you have an account on LinkedIn you should probably change your password.
Education and Certification LPI Announces Online Resource for Linux EducationThe Linux Professional Institute (LPI) has announced an online "one-stop-shopping" solution for learning resources for their Linux Professional Institute Certification (LPIC) program: the LPI Marketplace. "The LPI Marketplace was created for LPI by mindhub(TM) of Pearson VUE and is an online resource center offering a wide variety of learning products designed to help individuals prepare for LPI's industry-recognized certification, enhance their existing skills set and achieve their professional goals. Products in the LPI Marketplace will include a full range of expert reference materials including books, flash cards, practice exams, and video training modules. Content providers presently participating in the LPI Marketplace include such widely-recognized companies as Axzo Press, Element K, ExamForce, MeasureUp, McGraw-Hill, Sybex, Transcender and uCertify."
Linup Front GMBH Publishes Free Training ManualLinup Front GmbH has announced the availability of a free training manual, in German and English, for the new "Linux Essentials" certification published by the Linux Professional Institute (LPI). "The 250-page manual can be downloaded as a PDF file from http://shop.linupfront.com/ and is being published under a Creative Commons license allowing unmodified redistribution. The same content is also being issued as an Android app for tablets and smartphones, which can be obtained free of charge from the Google Play Store."
Calls for Presentations LCA2013 opens call for presentationsLinux.conf.au 2013 returns to the Australian National University in Canberra starting January 28. The call for presentations is now open. "This year, they are focusing on deep technical content, and the things that you think are going to really matter in the future. Do you have something to say about freedom and privacy, open source cloud systems, or energy efficient server farms of the future? Or something else that you are passionate about?" Submission deadline is July 6; see this page for more information.
Upcoming Events MeetBSD California 2012MeetBSD California 2012 will take place November 3-4, 2012 in Sunnyvale, CA. "It will feature one day of scheduled talks on Saturday followed by one day of unConference-style community-scheduled emergent activities on Sunday. We’re looking forward to another engaging and interesting conference! By combining scheduled talks and community-driven events like lightning talks and hacking sessions, we hope that everyone will get the most out of this year’s activities."
Events: June 7, 2012 to August 6, 2012The following event listing is taken from the LWN.net Calendar.
If your event does not appear here, please tell us about it.
Page editor: Rebecca Sobol
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[Greg KH]](/images/conf/2012/lc-japan/lcj-gregkh-sm.jpg)