Brief items

Security

Tor exit node operator arrested in Russia (TorServers.net blog)

On April 12 Dmitry Bogatov, a mathematician and Debian maintainer, was arrested in Russia for "incitation to terrorism" because of some messages that went through his Tor exit node. "Though, the very nature of Bogatov case is a controversial one, as it mixes technical and legal arguments, and makes necessary both strong legal and technical expertise involved. Indeed, as a Tor exit node operator, Dmitry does not have control and responsibility on the content and traffic that passes through his node: it would be the same as accusing someone who has a knife stolen from her house for the murder committed with this knife by a stranger." The Debian Project made a brief statement.

Security quotes of the week

In a damning report, the FDA said that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or by replacing those devices. The government found that St. Jude Medical, time and again, failed to adhere to internal security and product quality guidelines, a lapse that resulted in at least one patient death.
Paul at The Security Ledger (Thanks to Paul Wise.)

Of course, technology isn't static. With time, things become cheaper and easier. What was once a secret NSA interception program or a secret FBI investigative tool becomes usable by less-capable governments and cybercriminals.

Man-in-the-middle attacks against Internet connections are a common criminal tool to steal credentials from users and hack their accounts.

IMSI-catchers are used by criminals, too. Right now, you can go onto Alibaba.com and buy your own IMSI catcher for under $2,000.

Despite their uses by democratic governments for legitimate purposes, our security would be much better served by fixing these vulnerabilities in our infrastructures.

These systems are not only used by dissidents in totalitarian countries, they're also used by legislators, corporate executives, critical infrastructure providers, and many others in the US and elsewhere.

That we allow people to remain insecure and vulnerable is both wrongheaded and dangerous.

Bruce Schneier

Kernel development

Kernel release status

The current development kernel is 4.11-rc7, released on April 16. Linus said: "We're in the late rc phase, and this may be the last rc if nothing surprising happens."

Stable updates: 4.10.11, 4.9.23, 4.4.62, and 3.18.49 were released on April 18.

For those who are surprised to see a 3.18 update after that series was declared end-of-life, Greg Kroah-Hartman explains it this way:

3.18? Wasn't that kernel dead and forgotten and left to rot on the side of the road? Yes, it was, but unfortunately, there's a few million or so devices out there in the wild that still rely on this kernel. Now, some of their manufacturers and SoC vendors might not be keeping their kernels up to date very well, but some do actually care about security and their users, so this release is for them. If you happen to have a vendor that does not care about their users, go complain, as odds are, your device is very insecure right now...

The 4.10.12, 4.9.24, and 4.4.63 updates are in the review process as of this writing; they can be expected on or after April 21.

Quotes of the week

But there are more people running with lockdep enabled than there are people writing code, of which there are more than people reading relevant comments while writing code. Therefore having the lockdep annotation is two orders better than a comment.
Peter Zijlstra

One would have expected, with all their market power and plenty of Linux-based devices in the telecom sphere, why did none of those large telecom suppliers invest in improving the mainline Linux SCTP code? I mean, they all use UDP and TCP of the kernel, so it works for most of the other network protocols in the kernel, but why not for SCTP? I guess it comes back to the fundamental lack of understanding how open source development works.
Harald Welte (thanks to Paul Wise)

Distributions

Chris Lamb elected as Debian project leader

The 2017 Debian project leader (DPL) election has completed; Chris Lamb won, over incumbent DPL Mehdi Dogguy. Details of the voting can be found on the election web page. Dogguy posted his last "bits from the DPL" congratulating Lamb, filling the project in on what he has been up to over the last month plus, and more: "Serving as DPL for the past year has been a real honour and a fantastic experience for me. It also helped me to have a different perspective on the project and my future involvement. Last but not least, I wanted to confirm to other fellow Debian Developers that serving as DPL is not a traumatic experience and I am still as sane as I was one year ago :-) If you have ideas on how to make Debian a better place, project, OS, community, FOSS citizen, … please nominate yourself for DPL elections next year! Worst case scenario, you would contribute to the debate about Debian's future."

The new Fedora Project mission statement

The Fedora Project has come up with a new mission statement: "Fedora creates an innovative platform that lights up hardware, clouds, and containers for software developers and community members to build tailored solutions for their users." See the full text for a description of what it means and how they arrived at it.

Halium is an Open Source Project Working Towards a Common Base for Non-Android Mobile Operating Systems

The xda-developers blog looks at Project Halium. "This open-source project is trying to pool developers from Ubuntu Touch ports, Sailfish OS community developers, the open webOS Lune OS project, and KDE Plasma Mobile contributors, among other developers (Jolla, we suspect) to put an end to the fragmentation seen in their respective project’s lower-level base. Currently, Ubuntu Touch, Sailfish OS/Mer, Plasma Mobile, and others use different Android source trees and methods for differently-built stacks. This leads to a lot of fragmentation among the most popular non-Android, GNU/Linux-based mobile OS projects in their use of the Android source tree, how the Android init is started, and how images are flashed to the device. Many of these projects essentially do the same job, but in a different way." The goal of Halium is to work towards a common Linux base, which can be used by all of these different projects.

Scientific Linux 6.9 now Released

Scientific Linux 6.9 has been released for i386/x86_64 architectures. See the release notes and the upstream release notes for details.

Ubuntu 17.04 (Zesty Zapus) released

The most recent version of the Ubuntu Linux distribution, 17.04 or Zesty Zapus, has been released with multiple flavors (Kubuntu, Lubuntu, Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, Xubuntu, and the most recent addition, Ubuntu Budgie) and several editions (server, desktop, cloud). "Under the hood, there have been updates to many core packages, including a new 4.10-based kernel, and much more. Ubuntu Desktop has seen incremental improvements, with newer versions of GTK and Qt, updates to major packages like Firefox and LibreOffice, and stability improvements to Unity. Ubuntu Server 17.04 includes the Ocata release of OpenStack, alongside deployment and management tools that save devops teams time when deploying distributed applications - whether on private clouds, public clouds, x86, ARM, or POWER servers, z System mainframes, or on developer laptops. Several key server technologies, from MAAS to juju, have been updated to new upstream versions with a variety of new features." See the release notes for more information.

Distribution quotes of the week

I think openSUSE remains the best distribution from which to get KDE from. But it's clear KDE upstream have their own preference of premier KDE distribution now (Neon), so I think openSUSE's efforts are best spent on being a premier distribution, rather than a premier KDE distribution.
Richard Brown

Anticipating abundant anonymous aardvarks in the Ubuntu archive.

Currently, however, we are, by decree of our sabdfl (who might be having too much fun reading the dictionary's entire A section), taking a much-needed and well-deserved long weekend.

Adam Conrad

And I apologize for how this thread has almost completely changed the original proposal. OTOH, this is the main bikeshed, and all the other cool decisions and ideas you came to on your recent FAD can now slip through uncontested. :-D
Karsten Wade

Development

Firefox 53.0 released

Mozilla has released Firefox 53.0. From the release notes: "Today's Firefox release makes Firefox faster and more stable with a separate process for graphics compositing (the Quantum Compositor). Compact themes and tabs save screen real estate, and the redesigned permissions notification improves usability. Learn more on the Mozilla Blog."

Introducing Moby Project: a new open-source project to advance the software containerization movement (Docker blog)

The Docker blog introduces the Moby Project, which aims to advance the software containerization movement. "It provides a “Lego set” of dozens of components, a framework for assembling them into custom container-based systems, and a place for all container enthusiasts to experiment and exchange ideas. Think of Moby as the “Lego Club” of container systems."

Development quotes of the week

The cURL project consists of roughly 100 thousand lines of C code according to Ohloh. If we assume that converting it to some other language is just as easy as converting simple Perl to Python (which seems unlikely), the conversion would take 1000 person hours. At 8 hours per day that comes to around 5 months of full time work. Once that is done you get to port all the changes made in trunk since starting the conversion. Halting the entire project while converting it from one language to another is not an option.

This gives us a clear answer on why people don't just convert their projects from one language to another:

There is no such thing as "just rewrite it in X".

Jussi Pakkanen

Just as the way people join an open source project sets the tone of its future involvement, the way people leave a project sets the tone of the project for those that continue with it.
Gareth J. Greenaway

Page editor: Jake Edge


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds