
Brief items

Security

Google’s OSS-Fuzz Tool Helps Secure Open Source Projects (Linux.com)

Linux.com takes a look at Google's OSS-Fuzz threat detection tool. "Google also announced that it is expanding its existing Patch Rewards program to include rewards for the integration of fuzz targets into OSS-Fuzz. To qualify for these rewards, a project needs to have a large user base and/or be critical to global IT infrastructure. Eligible projects will receive $1,000 for initial integration, and up to $20,000 for ideal integration (the final amount is at Google’s discretion). Project leaders have the option of donating these rewards to charity instead, and Google will double the amount." LWN covered OSS-Fuzz last January.


Security quotes of the week

In principle, if someone was able to say hack all the autonomous Teslas, they could say – I mean just as a prank – they could say 'send them all to Rhode Island' [laugh] – across the United States ... and that would be the end of Tesla and there would be a lot of angry people in Rhode Island.
Elon Musk (as quoted in Electrek)

The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia.
Australian prime minister Malcolm Turnbull on encryption, from the Sydney Morning Herald

[Zeynep] Tufekci twice quotes historian Melvin Kranzberg from 1985: "Technology is neither good nor bad; nor is it neutral." This foreshadows her central message. For better or worse, the technologies that power the networked public sphere have changed the nature of political protest as well as government reactions to and suppressions of such protest.

I have long characterized our technological future as a battle between the quick and the strong. The quick -- dissidents, hackers, criminals, marginalized groups -- are the first to make use of a new technology to magnify their power. The strong are slower, but have more raw power to magnify. So while protesters are the first to use Facebook to organize, the governments eventually figure out how to use Facebook to track protesters. It's still an open question who will gain the upper hand in the long term, but Tufekci's book helps us understand the dynamics at work.

Bruce Schneier reviews Twitter and Tear Gas


Kernel development

Kernel release status

The current development kernel is 4.13-rc1, released on July 15. Linus said: "Once again, the diffstat is absolutely dominated by some AMD gpu header files, but if you ignore that, things look pretty regular, with about two thirds drivers and one third "rest" (architecture, core kernel, core networking, tooling)."

Stable updates: 4.12.2, 4.11.11, 4.9.38, 4.4.77, and 3.18.61 were released on July 15.

The 4.12.3, 4.11.12, 4.9.39, 4.4.78, and 3.18.62 stable updates are all in the review process as of this writing; they can be expected on or after July 21.


No more ext4 maximal mount count

Those of us who have been at this for a while will have many fond memories of the "/dev/foo has reached maximal mount count" boot-time message, followed by a time-consuming full check of the filesystem in question. The recollection of times when one was standing in front of a room full of people and already late to start a presentation brings a special sort of joy. But it's likely that few of us remember the last time we saw such a message on a newer ext4 filesystem; now the documentation is catching up.

The mount-count check was there to force an occasional fsck run just in case some silent corruption might have found its way into the filesystem. The tune2fs command has had the ability to disable these checks since 1993, but the man page has long admonished against it:

You should strongly consider the consequences of disabling mount-count-dependent checking entirely. Bad disk drives, cables, memory, and kernel bugs could all corrupt a filesystem without marking the filesystem dirty or in error.

The only problem here is that the mount-count-dependent checking was disabled by default in 2011. Or, as Eric Sandeen put it: "We did 'strongly consider the consequences' and disabled it by default". On the theory that there is "no need to scare the user about it now", he has proposed that this text be removed from the man page in favor of gentler text suggesting that some users may want to turn the feature back on. One suspects that most of us, though, are happier without random fsck delays; the more worried among us would probably rather schedule regular checks at predictable times.
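To make the mount-count rule concrete, here is an added example (not from LWN or e2fsprogs) that applies the same test e2fsck uses at boot to the "Mount count" and "Maximum mount count" fields printed by `dumpe2fs -h`: a non-positive maximum disables the check, otherwise a full check is forced once the mount count reaches the maximum. The two superblock summaries embedded below are constructed sample output, not real dumps; the field names are the ones dumpe2fs prints.

```shell
#!/bin/sh
# Added example: decide whether ext4's mount-count-dependent check would
# force a full fsck at the next mount. Input is the header dumpe2fs -h
# prints; the two samples below are constructed, not real filesystems.

# Default since 2011: maximum mount count -1, i.e. the check is disabled.
SAMPLE_DISABLED='Filesystem volume name:   <none>
Mount count:              37
Maximum mount count:      -1
Check interval:           0 (<none>)'

# The same superblock after `tune2fs -c 30 /dev/foo` re-enabled the check.
SAMPLE_ENABLED='Filesystem volume name:   <none>
Mount count:              37
Maximum mount count:      30
Check interval:           0 (<none>)'

# sb_field NAME DUMP -> prints the value after "NAME:" in DUMP
sb_field() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p"
}

# fsck_due DUMP -> exit 0 if the mount-count rule would force a full
# check at the next mount, exit 1 if the check is disabled or not yet due.
# This mirrors e2fsck's rule: max <= 0 disables it, otherwise it fires
# once the mount count has reached the maximum.
fsck_due() {
    max=$(sb_field 'Maximum mount count' "$1")
    cur=$(sb_field 'Mount count' "$1")
    [ "$max" -gt 0 ] && [ "$cur" -ge "$max" ]
}

# describe DUMP -> one-line human summary of the decision
describe() {
    if fsck_due "$1"; then
        echo "full fsck would run at next mount"
    else
        echo "no mount-count forced check"
    fi
}

describe "$SAMPLE_DISABLED"
describe "$SAMPLE_ENABLED"
```

Re-enabling the behaviour on a real filesystem is `tune2fs -c 30 /dev/foo` (with `tune2fs -i 1m /dev/foo` for the time-based variant); the alternative the article prefers, checks at predictable times, amounts to running `e2fsck -f` against the unmounted filesystem from a maintenance window rather than leaving the decision to a counter.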


Quote of the week

Remember, if anyone tells you "we only update our kernels when we have a CVE number assigned to the issue", run away fast, it's obvious they have no idea what they are talking about. And yes, I had the head of a very very large company's security team tell me that a few months ago.
Greg Kroah-Hartman


Distributions

Mageia 6 released

Version 6 of the Mageia distribution is available. "Though Mageia 6’s development was much longer than anticipated, we took the time to polish it and ensure that it will be our greatest release so far." Highlights include KDE Plasma 5, the DNF package manager as an alternative to urpmi, and an experimental ARM port. Details can be found in the release notes.


End of the line for Remix OS

Remix OS was an effort to bring Android to the PC, which included a Kickstarter campaign to build products using Remix OS. Now Jide Technology, makers of Remix OS, has announced a change in focus that leaves Remix OS out of the picture. "We’ll be restructuring our approach to Remix OS and transitioning away from the consumer space. As a result, development on all existing products such as Remix OS for PC as well as products in our pipeline such as Remix IO and IO+ will be discontinued. Full refunds will be issued to ALL BACKERS via Kickstarter for both Remix IO and Remix IO+. In addition, any purchases made via our online store that have remained unfulfilled will also be fully refunded. This requires no action from you as we will begin issuing refunds starting August 15th."


Distribution quotes of the week

Doing live updates with rpm is a bit like doing maintenance on your car engine while driving down the freeway. Most of the time it's fine, and you feel awesome. 0.001% of the time you die in a huge fireball.
Richard Hughes

At the time of writing, more than 10% of the web is powered by Debian. How many web sites would you have missed today without Debian? Debian is the operating system of choice on the international space station and countless universities, companies and public administrations rely on Debian to deliver services to millions of users around the world and beyond. Debian is highly successful and is far more pervasive in our lives than people are aware of, even within the GNU/Linux community.
Chris Lamb


Development

Drupal Association and project lead statement regarding Larry Garfield

The Drupal Association has issued a lengthy statement on why Larry Garfield has been removed from his management roles in the Drupal project. "Larry's subsequent blog posts harmed the community and had a material impact on the Drupal Association, including membership cancellations from those who believed we doxed, bullied, and discriminated against Larry as well as significant staff disruption. Due to the harm caused, the Drupal Association is removing Larry Garfield from leadership roles that we are responsible for, effective today." See this article for background information.


Libgcrypt 1.8.0 released

The GnuPG Project has announced the availability of Libgcrypt 1.8.0. "This is a new stable version of Libgcrypt with full API and ABI compatibility to the 1.7 series. Its main features are support for Blake-2, XTS mode, an improved RNG, and performance improvements for the ARM architecture."


Development quotes of the week

Even though it's been nearly two decades since our early failure with AIX and very successful experiment with Linux, all of these lessons still apply. Sure, Linux did the heavy lifting here, but our overall success was due to bringing people together in the spirit of solving a common problem. And that's a lesson that I think you can apply to pretty much any situation you face.
Jim Hall

I see a lot of people assert that safety issues (leading to exploitable bugs) with C and C++ only afflict "incompetent" or "mediocre" programmers, and one need only hire "skilled" programmers (such as, presumably, the asserters) and the problems go away. I suspect such assertions are examples of the Dunning-Kruger effect, since I have never heard them made by someone I know to be a highly skilled programmer.
Robert O'Callahan

Actually, as a side note, I’ll tell you an interesting principle. Usually, if you’ve done a good job of fixing a bug, you’ve actually caused some part of the system to go away, become simpler, have better design, etc. as part of your fix.
Max Kanat-Alexander

If I were on a desert island, I probably would not need a license, but let's say I did. I'd stuff the MIT license in one pocket, put the GPLv3 in my backpack, and find a place to tuck the Apache license.
Scott K Peterson


Page editor: Jake Edge


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds