Brief items

Security

Security quote of the week

As I've mentioned before, diversity of cryptographic primitives is expensive. It contributes to the exponential number of combinations that need to be tested and hardened; it draws on limited developer resources as multiple platforms typically need separate, optimised code; and it contributes to code-size, which is a worry again in the mobile age. SHA-3 is also slow, and is even slower than SHA-2 which is already a comparative laggard amongst crypto primitives.

[...]

Thus I believe that SHA-3 should probably not be used. It offers no compelling advantage over SHA-2 and brings many costs. The only argument that I can credit is that it's nice to have a backup hash function, but both SHA-256 and SHA-512 are commonly supported and have different cores. So we already have two secure hash functions deployed and I don't think we need another.

Adam Langley

Kernel development

Kernel release status

The current development kernel is 4.12-rc3, released on May 28. Quoth Linus: "Hey, things continue to look good, and rc3 isn't even very big. I'm hoping there's not another shoe about to drop, but so far this really feels like a nice calm release cycle, despite the size of the merge window."

Stable updates: 4.11.3, 4.9.30, 4.4.70, and 3.18.55 were released on May 25.

A mechanism for intercepting kernel upcalls

Last week, Containers as kernel objects looked at an attempt to add a formal "container" concept to the kernel, partly as a way of ensuring that kernel upcalls (calls to a user-space program from inside the kernel) would run inside the correct namespaces. This week, David Howells is back with a different approach: a way for a daemon process to intercept and handle specific key-related upcalls.

In particular, the keyctl() system call is enhanced with a KEYCTL_SERVICE_CREATE command, which returns a special file descriptor. Subsequent calls can add "filters" describing the upcalls that should be intercepted; they are described by name and a set of flags indicating a set of relevant namespaces. If the calling program's namespaces match those of a process creating an upcall, that program will be allowed to handle the call. See the patch posting for a more detailed description of how it works.

Quotes of the week

Being a special snowflake in a large community like the kernel is sometimes necessary, since if everyone always does it the same, then the overall community doesn't learn anymore.
Daniel Vetter

In practice whitelists are built by starting with everything and deleting items until things stop working, then putting them back. Whitelists are theoretically great, but very difficult to build and maintain in the real world.
Casey Schaufler

I agree that it is an unusual scenario. But, user-space programmers outnumber kernel developers 10000 to 1, and over time they will find every possible way to creatively use an API if it "works for them".
Michael Kerrisk (thanks to Dmitry Safonov)

Distributions

Alpine Linux 3.6.0 Released

Alpine Linux 3.6.0 has been released. Alpine is an independent, minimalist distribution that is built around musl libc and busybox to keep it small and resource efficient. This version adds support for 64-bit little-endian POWER machines (ppc64le) and 64-bit IBM z Systems (s390x).

Devuan Jessie 1.0.0 stable LTS

The Devuan project set out to create a systemd-less Debian, and now Devuan Jessie 1.0.0 Stable has been released. "There have been no significant bug reports since Devuan Jessie RC2 was announced only three weeks ago and the list of release critical bugs is now empty. So finally Devuan Jessie Stable is ready for release! As promised, this will also be a Long-Term-Support (LTS) release. Our team will participate in providing patches, security updates, and release upgrades beyond the planned lifespan of Debian Jessie."

Debian stretch expected on June 17

The Debian release team has announced that the Debian 9.0 ("stretch") release is planned for June 17. Time is running out for packages with release-critical bugs; those that are not fixed will be removed on June 3. Any remaining package changes should be in place before June 9.

Distribution quotes of the week

So much for the theory. Practically I can show you a sophisticated chroot/build/flash tool called pmbootstrap which should allow fast and clean development progress, both in porting to new phones and in implementing hardware support for the existing ports (more on pmbootstrap below). That is also where most of the time went during development so far, so don't expect too much of postmarketOS. Most drivers don't work so you can't make phone calls or use the WiFi.
Oliver Smith introduces postmarketOS

On Fri, May 26, 2017 at 03:33:17PM +0100, Ian Jackson wrote:
> Probably we should recommend --no-install-recommends.

I would recommend not to recommend it because apt follows the general recommendation of not recommending the installation of recommendations of build-dependencies by default for all recommended Debian releases.

Recommended summary: Already the default since 2011.

Recommending everyone to have a wonderful day,

David Kalnischkies (Thanks to Paul Wise)

Development

Poyarekar: The story of tunables

On his blog, Siddhesh Poyarekar looks at tunables in the GNU C library (glibc). The idea for centralizing the handling of tunable parameters in the library started back in 2013, but the feature was not added to glibc until version 2.25, which was released in February. "Tunables is an internal implementation detail in glibc. It is a way to manage ways in which we allow behaviour in glibc to be modified. As of now the only way to manage glibc is via environment variables and the way to do that was strewn all over the place in the source code. Tunables provide one place to add the tunable parameter with all of the characteristics it would have and then the framework will handle everything from there. The user of that tunable (e.g. malloc for MALLOC_MMAP_THRESHOLD_ or malloc.mmap.threshold in tunables parlance) would then simply access the tunable from the list and do what it wants to do, without bothering about where it came from."

Mailman 3.1.0 released

The 3.1.0 release of the Mailman mailing list manager is out. "Two years after the original release of Mailman 3.0, this version contains a huge number of improvements across the entire stack. Many bugs have been fixed and new features added in the Core, Postorius (web u/i), and HyperKitty (archiver). Upgrading from Mailman 2.1 should be better too. We are seeing more production sites adopt Mailman 3, and we've been getting great feedback as these have rolled out. Important: mailman-bundler, our previous recommended way of deploying Mailman 3, has been deprecated. Abhilash Raj is putting the finishing touches on Docker images to deploy everything, and he'll have a further announcement in a week or two." New features include support for Python 3.5 and 3.6, MySQL support, new REST resources and methods, user interface and user experience improvements, and more.

Perl 5.26.0 released

The Perl 5.26.0 release is out. "Perl 5.26.0 represents approximately 13 months of development since Perl 5.24.0 and contains approximately 360,000 lines of changes across 2,600 files from 86 authors". See this page for a list of changes in this release; new features include indented here-documents, the ability to declare references to variables, Unicode 9.0 support, and the removal of the current directory (".") from @INC by default.

Plasma 5.10.0 released

KDE has released Plasma 5.10. There are a number of new features in this release, including media controls on the lock screen, pausing music on suspend, Software Centre suggestions in Plasma Search (KRunner) for installing apps that are not yet installed, a context menu on previews in file-copying notifications, a 'desktop edit mode' that reveals applet handles when the toolbox is opened, performance optimizations in Pager and Task Manager, 'Often used' docs and apps in app launchers in addition to 'Recently used', and much more.

Qt 5.9 released

Lars Knoll takes a look at the Qt 5.9 LTS release. "With Qt 5.9, we have had a strong focus on performance and stability. We’ve fixed a large number of bugs all across Qt, and we have done a lot of work to improve our continuous integration system. This will make it a lot easier for us to create new releases (both patch level and minor releases) from 5.9 onward. We’ve also added automated performance regression testing to our testing infrastructure, something that will allow us to continuously monitor our work on improving the performance of Qt." Qt 5.9 will be supported for three years.

6th RISC-V Workshop Proceedings

The proceedings of the RISC-V workshop, held May 8-11 in Shanghai, China, are available with links to slides and videos.

This workshop was a four day event broken down as follows:
  • Monday May 8, 2017 – Introduction to RISC-V – this day long session was held for those who were new to RISC-V and have yet to be exposed to the RISC-V ISA. The session consisted of presentations from the RISC-V Foundation, some of the original creators of the RISC-V ISA and product presentations from vendors within the RISC-V community.
  • Tuesday and Wednesday May 9-10, 2017 – These two days followed our traditional two day format with presentations covering various RISC-V projects underway within the RISC-V community and included a poster / demo reception on Tuesday evening.
  • Thursday May 11, 2017 – The workshop week concluded with RISC-V Foundation meetings with attendance restricted to members of the RISC-V Foundation. The day consisted of Technical and Marketing Committee face to face meetings to progress the work currently underway within our various Task Groups.

Development quotes of the week

It’s very strange to the modern eye just to see a simulation like ADVENT written with no analogue even of C structures, let alone objects. But the FORTRAN Crowther wrote in didn’t have such things; game state was all global variables, a “feature” preserved in the mechanically translated C of 2.5. (Which, alas, is extremely ugly code full of gotos.)

It also looks odd, 40 years after the fact, to see the amount of code complexity devoted to space/time optimization so that (for example) you don’t have to re-parse the text master of the dungeon-defining database on every startup. That’s what you had to do then, when a room-filling minicomputer cranked many fewer instructions per second than the controller in your microwave oven.

Eric Raymond (Thanks to Paul Wise)

With snaps vs docker/OCI and snaps vs FlatPak vs AppImage emerging as new variations of the longstanding "deb vs RPM vs something else" arguments, "Here's a source tarball, y'all have fun now" remains the most sensible publication approach for relatively low level operating system components like CPython.
Nick Coghlan

It's not a sleek, smooth, finished tool. It's clunky, weird, and probably not what you want. But it's what I want.
Lars Wirzenius introduces Distix.

Miscellaneous

The Licensing and Compliance Lab interviews AJ Jordon of gplenforced.org (FSF Blog)

The Free Software Foundation's blog is carrying an interview with AJ Jordon, who runs the gplenforced.org site to support GPL enforcement efforts and to help other projects indicate their support. "gplenforced.org is a small site I made that has exactly two purposes: host a badge suitable for embedding into a README file on GitLab or something, and provide some text with an easy and friendly explanation of GPL enforcement for that badge to link to. Putting badges in READMEs has been pretty trendy for a while now — people add badges to indicate whether their test suite is passing, their dependencies are up-to-date, and what version is published in language package managers. gplenforced.org capitalizes on that trend to add the maintainer's beliefs about license enforcement, too."

Page editor: Jake Edge

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds