Brief items

Security

OSS-Fuzz: Five months later, and rewarding projects

Google Open Source Blog takes a look at the progress made by the OSS-Fuzz project. "OSS-Fuzz has found numerous security vulnerabilities in several critical open source projects: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark, etc. We’ve also had at least one bug collision with another independent security researcher (CVE-2017-2801). (Some of the bugs are still view restricted so links may show smaller numbers.)" LWN covered OSS-Fuzz last January.

Security quote of the week

The applications for recorded-voice forgeries are obvious, but I think the larger security risk will be real-time forgery. Imagine the social engineering implications of an attacker on the telephone being able to impersonate someone the victim knows.

I don't think we're ready for this. We use people's voices to authenticate them all the time, in all sorts of different ways.

Bruce Schneier on LyreBird

Kernel development

Kernel release status

The 4.12 merge window is still open, with nearly 12,000 changes merged as of this writing.

Stable updates: 4.10.15, 4.9.27, 4.4.67, and 3.18.52 were all released on May 8.

Gregg: CPU Utilization is Wrong

Brendan Gregg asserts that CPU utilization is the wrong metric to be looking at when tuning a system. Much of the time when the CPU appears to be busy, it's actually just waiting for memory. "The key metric here is instructions per cycle (insns per cycle: IPC), which shows on average how many instructions were completed for each CPU clock cycle. The higher, the better (a simplification). The above example of 0.78 sounds not bad (78% busy?) until you realize that this processor's top speed is an IPC of 4.0. This is also known as 4-wide, referring to the instruction fetch/decode path. Which means, the CPU can retire (complete) four instructions with every clock cycle. So an IPC of 0.78 on a 4-wide system means the CPUs are running at 19.5% of their top speed. The new Intel Skylake processors are 5-wide."

Exploiting the Linux kernel via packet sockets (Project Zero)

The Project Zero site has a detailed exploration of how to exploit CVE-2017-7308, a vulnerability in the kernel's packet socket implementation. "Let’s see how we can exploit this vulnerability. I’m going to be targeting x86-64 Ubuntu 16.04.2 with 4.8.0-41-generic kernel version with KASLR, SMEP and SMAP enabled. Ubuntu kernel has user namespaces available to unprivileged users (CONFIG_USER_NS=y and no restrictions on [its] usage), so the bug can be exploited to gain root privileges by an unprivileged user. All of the exploitation steps below are performed from within a user namespace."

Quotes of the week

A long time ago I laughed when I saw that Microsoft had to do lots of "hardening" of their kernel to protect themselves from crappy drivers, as I knew we didn't have to do that because we had the source for them and could fix the root issues. But that has changed and now we don't all have that option.
Greg Kroah-Hartman

I think the merge window is basically some kind of ultimate curse.
Jon Masters

Distributions

Debian 8.8 released

The Debian Project has announced the release of Debian 8.8, the eighth update to its stable release Debian 8 "jessie". "This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available."

A proposal to remerge OpenWrt and LEDE

It appears that the OpenWrt and LEDE communities are about to vote on a proposal covering many of the details behind merging the two projects (which forked one year ago) back together. The plan appears to be to go forward with the OpenWrt name, but with the LEDE repository; domain names would be transferred to SPI.

Announcing the Tails Social Contract

The Amnesic Incognito Live System (Tails) has adopted a Social Contract, based on the Debian Social Contract and the Tor Social Contract. "We believe that privacy, the free exchange of ideas, and equal access to information are essential to free and open societies. Through our community standards and the tools we create, we provide means that empower all people to protect and advance these ideals."

Development

Cinnamon 3.4 released

Cinnamon 3.4 has been released. This version includes support for mozjs38, support for additional Wacom devices, a multi-process Settings Daemon, a cleaner session EXIT phase, separate processes for Nemo and desktop handling, and more. "On the spices side of things, the maintenance was moved to Github and the Cinnamon team is now actively involved in the debugging of applets, desklets, extensions and themes. Support for Cinnamon 3.4 changes is added by the team itself."

CockroachDB 1.0 released

CockroachDB 1.0 has been released. "CockroachDB is a cloud-native SQL database for building global, scalable cloud services that survive disasters. But what does “cloud-native” actually mean? We believe the term implies horizontal scalability, no single points of failure, survivability, automatable operations, and no platform-specific encumbrances. To realize these product goals, development over the past year has focused on three critical areas: distributed SQL to support small and large use cases alike and scale seamlessly between them; multi-active availability for always-consistent high availability; and flexible deployment for automatable operations in virtually any environment."

Git v2.13.0

The latest feature release Git v2.13.0 is now available. "It is comprised of 729 non-merge commits since v2.12.0, contributed by 65 people, 15 of which are new faces. This release also contains the security patch in v2.12.3 and others to fix CVE-2017-8386." The release notes are in the announcement.

Maintenance releases Git 2.4.12, 2.5.6, 2.6.7, 2.7.5, 2.8.5, 2.9.4, 2.10.3, 2.11.2, and 2.12.3 are also available.

GNU Artanis 0.2 released

GNU Artanis is a web application framework (WAF) written in Guile Scheme and v0.2 is its first stable release. "It is designed to support the development of dynamic websites, web applications, web services and web resources. Artanis provides several tools for web development: database access, templating frameworks, session management, URL-remapping for RESTful, page caching, and so on."

GStreamer 1.12 released

The 1.12 release of the GStreamer multimedia framework is out. It contains many new features and bug fixes. New features include support for Intel's Media SDK for hardware-accelerated video encoding and decoding, multi-threaded video scaling and conversion, transparent encoding of multiple bit depths with x264, support for multiple new video formats, and so on. "More than 635 bugs have been fixed during the development of 1.12. This list does not include issues that have been cherry-picked into the stable 1.10 branch and fixed there as well, all fixes that ended up in the 1.10 branch are also included in 1.12. This list also does not include issues that have been fixed without a bug report in bugzilla, so the actual number of fixes is much higher."

KDE e.V. Community 2016 Report (KDE.News)

KDE e.V., the non-profit organization that represents the KDE community, has put out its report for 2016, which was announced on KDE.News. "The KDE e.V. community report for 2016 is now available. After the introductory statement from the Board, you can read a featured article about the 20th anniversary of KDE, and an overview of all developer sprints and conferences supported by KDE e.V. The report includes statements from our Working Groups, development highlights for 2016, and some information about the current structure of KDE e.V."

Thunderbird to stay with Mozilla — sort of

The Thunderbird email client project has announced the results of its long deliberation on its future. The project will remain with Mozilla administratively, but will move to its own infrastructure. "Thus, much has changed since 2015 – we were able to establish a financial home at the Mozilla Foundation, we are successfully collecting donations from our users, and the first steps of migrating infrastructure have been taken. We started questioning the usefulness of moving elsewhere, organizationally. While Mozilla wants to be laser-focused on the success of Firefox, in recent discussions it was clear that they continue to have a strong desire to see Thunderbird succeed. In many ways, there is more need for independent and secure email than ever. As long as Thunderbird doesn’t slow down the progress of Firefox, there seems to be no significant obstacles for continued co-existence."

Development quote of the week

Stepping back a bit: It is indeed important that our code is easy to understand and modify, expresses its intent clearly, and helps future programmers avoid writing bugs. But it is also important that contributors feel valued, and feel a sense of ownership.

The amount of emotional discouragement to a contributor does not scale linearly with the size and apparent importance of the disagreement. Indeed, turning a tiny issue into a blocker or a big argument can be especially demotivating.

Ian Jackson (Thanks to George Dunlap)

Page editor: Jake Edge


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds