
Brief items

Security

Hardening the Kernel in Android Oreo (Android Developers Blog)

The Android Developers Blog has an overview of the security features added to the kernel in the Android "Oreo" release. "Usercopy functions are used by the kernel to transfer data from user space to kernel space memory and back again. Since 2014, missing or invalid bounds checking has caused about 45% of Android's kernel vulnerabilities. Hardened usercopy adds bounds checking to usercopy functions, which helps developers spot misuse and fix bugs in their code. Also, if obscure driver bugs slip through, hardening these functions prevents the exploitation of such bugs."
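The check that hardened usercopy adds is easiest to see in miniature. The following is an added example, not code from the Android post or from the Linux kernel: a user-space model of the heap-object half of the check (the kernel does the real thing in `check_object_size()` and `__check_heap_object()` against slab metadata, and aborts with a BUG() rather than returning an error). The toy slab, the `check_heap_object()`, `copy_from_user_hardened()` and `ioctl_set_name()` names, and the "driver" that trusts a user-supplied length are all constructed for illustration.

```c
/* Added example: a user-space model of CONFIG_HARDENED_USERCOPY's heap
 * object check. Not Android or Linux kernel code; the "slab", the copy
 * routines and the driver ioctl handler below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* A toy slab cache: NOBJ objects of OBJSIZE bytes packed back to back,
 * standing in for kmalloc-64. The kernel's __check_heap_object() uses
 * the real slab metadata to answer the same question: does
 * [ptr, ptr+n) lie entirely inside one object? */
#define OBJSIZE 64
#define NOBJ    4
static unsigned char slab[OBJSIZE * NOBJ];

/* Return 0 if [ptr, ptr+n) lies within a single slab object, else -1.
 * The copy may neither straddle an object boundary nor run past the
 * end of the object it starts in. */
static int check_heap_object(const void *ptr, size_t n)
{
    uintptr_t p = (uintptr_t)ptr;
    uintptr_t base = (uintptr_t)slab;
    uintptr_t end = base + sizeof(slab);
    if (p < base || p >= end)
        return -1;                          /* not a slab object at all */
    size_t off = (size_t)(p - base) % OBJSIZE;  /* offset inside its object */
    if (n > OBJSIZE - off)
        return -1;                          /* would run off the object */
    return 0;
}

/* Model of copy_from_user() with hardened usercopy: refuse the copy when
 * the kernel-side object cannot hold n bytes. Like the real function it
 * returns the number of bytes NOT copied; the kernel would BUG() here. */
static size_t copy_from_user_hardened(void *to, const void *from, size_t n)
{
    if (check_heap_object(to, n) != 0)
        return n;
    memcpy(to, from, n);
    return 0;
}

/* Unhardened variant: trusts whatever length the caller passes. */
static size_t copy_from_user_plain(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

/* A buggy "driver" ioctl: it owns a 64-byte object but copies a
 * user-controlled length into it without a bounds check of its own
 * (the missing-check bug class the post attributes ~45% of Android
 * kernel vulnerabilities to). `hardened` selects the copy routine. */
static int ioctl_set_name(const unsigned char *ubuf, size_t ulen, bool hardened)
{
    unsigned char *obj = slab + OBJSIZE;    /* "kmalloc" object #1 */
    size_t left = hardened ? copy_from_user_hardened(obj, ubuf, ulen)
                           : copy_from_user_plain(obj, ubuf, ulen);
    return left ? -14 /* -EFAULT */ : 0;
}

/* True if the neighbouring object #2 was overwritten by the copy. */
static bool neighbour_clobbered(void)
{
    const unsigned char *next = slab + 2 * OBJSIZE;
    for (size_t i = 0; i < OBJSIZE; i++)
        if (next[i] != 0)
            return true;
    return false;
}

/* Drive one variant with an oversized (constructed) user buffer. */
static int run_demo(bool hardened)
{
    unsigned char ubuf[100];                /* 100 bytes > 64-byte object */
    memset(ubuf, 'A', sizeof(ubuf));
    memset(slab, 0, sizeof(slab));
    return ioctl_set_name(ubuf, sizeof(ubuf), hardened);
}

int main(void)
{
    int rc = run_demo(false);
    printf("plain:    rc=%d neighbour clobbered=%d\n", rc, neighbour_clobbered());
    rc = run_demo(true);
    printf("hardened: rc=%d neighbour clobbered=%d\n", rc, neighbour_clobbered());
    return 0;
}
```

With the plain copy the ioctl "succeeds" and the adjacent object is overwritten; with the hardened copy the same driver bug is turned into a refused copy and the neighbour stays intact, which is exactly the "prevents the exploitation of such bugs" effect the post describes. The real kernel also checks stack frames, refuses copies that span pages, and treats a failed check as fatal rather than as an error return.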

Comments (18 posted)

Kernel development

Kernel release status

The 4.13 kernel is out, released on September 3. Headline features in this release include kernel hardening via structure layout randomization, native TLS protocol support, better huge-page swapping, improved handling of writeback errors, better asynchronous I/O support, better power management via next-interrupt prediction, the elimination of the DocBook toolchain for formatted documentation, and more. There is one other change that is called out explicitly in the announcement: "The change in question is simply changing the default cifs behavior: instead of defaulting to SMB 1.0 (which you really should not use: just google for 'stop using SMB1' or similar), the default cifs mount now defaults to a rather more modern SMB 3.0."

The 4.14 merge window is open; just over 6,200 changesets have been merged as of this writing. Our first merge-window summary will appear around September 11.

Stable updates: 4.9.47, 4.4.86, and 3.18.69 were released on September 2, followed by 4.12.11, 4.9.48, 4.4.87, and 3.18.70 on September 7.

Greg Kroah-Hartman has reiterated that 4.14 will (probably) be the next kernel release to receive long-term stable maintenance.

Comments (none posted)

Cook: Security things in Linux v4.13

Kees Cook highlights the security-related changes in the 4.13 kernel. "Daniel Micay created a version of glibc’s FORTIFY_SOURCE compile-time and run-time protection for finding overflows in the common string (e.g. strcpy, strcmp) and memory (e.g. memcpy, memcmp) functions. The idea is that since the compiler already knows the size of many of the buffer arguments used by these functions, it can already build in checks for buffer overflows. When all the sizes are known at compile time, this can actually allow the compiler to fail the build instead of continuing with a proven overflow. When only some of the sizes are known (e.g. destination size is known at compile-time, but source size is only known at run-time) run-time checks are added to catch any cases where an overflow might happen. Adding this found several places where minor leaks were happening, and Daniel and I chased down fixes for them."
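The mechanism Cook describes rests on the compiler's `__builtin_object_size()`: at a call site where the destination or source is a visible array, the compiler folds its size into the call, and a wrapper can compare that size with the requested length. The following is an added example, not kernel code: a user-space model of the run-time half of the kernel's FORTIFY memcpy() check. The `fortified_memcpy` macro, `fortified_memcpy_impl()`, the `fortify_violations` counter and the two caller functions are constructed names; the kernel's own version lives in include/linux/string.h and calls `fortify_panic()` instead of counting. The compile-time path (a build failure when every size is constant) relies on the optimizer eliminating a call to a function carrying a compile-time-error attribute and is left out here. It needs GCC or Clang for the builtin.

```c
/* Added example: user-space model of CONFIG_FORTIFY_SOURCE's memcpy()
 * check. Not Linux kernel code; names and data below are constructed.
 * Requires GCC or Clang for __builtin_object_size(). */
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Bumped when a fortified call refuses a copy. The kernel would call
 * fortify_panic() at that point instead. */
static int fortify_violations;

/* Run-time half of the check. dst_size/src_size are supplied by the
 * call-site macro; (size_t)-1 means the compiler could not tell, in
 * which case that side is not checked (same convention as the kernel). */
static void *fortified_memcpy_impl(void *dst, const void *src, size_t n,
                                   size_t dst_size, size_t src_size)
{
    if ((dst_size != (size_t)-1 && n > dst_size) ||   /* write overflow */
        (src_size != (size_t)-1 && n > src_size)) {   /* read overflow, i.e. a leak */
        fortify_violations++;
        return dst;
    }
    return memcpy(dst, src, n);
}

/* Call-site macro: __builtin_object_size() is evaluated where the real
 * arrays are visible, so known sizes are folded into the call while
 * unknown ones become (size_t)-1. */
#define fortified_memcpy(dst, src, n)                                   \
    fortified_memcpy_impl((dst), (src), (n),                             \
                          __builtin_object_size((dst), 0),               \
                          __builtin_object_size((src), 0))

/* Constructed "user-supplied" data, longer than any record below. */
static const char user_input[64] = "constructed input that is longer than the record";

/* Destination size known at compile time, length only at run time: the
 * "partially known" case in the post. name_len plays the role of an
 * attacker-controlled value. Returns true if the copy went through. */
static bool copy_name_into_record(const char *name, size_t name_len)
{
    char record[16];
    int before = fortify_violations;
    fortified_memcpy(record, name, name_len);   /* dst 16, src unknown */
    return fortify_violations == before;
}

/* Source size known too: copying more than `secret` holds would leak the
 * adjacent stack bytes, the "minor leak" class the post mentions. */
static bool copy_out_of_small_source(size_t n)
{
    char secret[16] = "constructed key";
    char out[64];
    int before = fortify_violations;
    fortified_memcpy(out, secret, n);           /* dst 64, src 16 */
    return fortify_violations == before;
}

/* Shows that the macro sees the real destination size, not "unknown". */
static size_t record_size_seen_by_fortify(void)
{
    char record[16];
    return __builtin_object_size(record, 0);
}

int main(void)
{
    printf("8 into 16:   ok=%d\n", copy_name_into_record(user_input, 8));
    printf("40 into 16:  ok=%d\n", copy_name_into_record(user_input, 40));
    printf("32 out of 16: ok=%d\n", copy_out_of_small_source(32));
    printf("violations=%d\n", fortify_violations);
    return 0;
}
```

The value of the approach is that the driver author writes an ordinary `memcpy()` and gets the check for free wherever the compiler can see the buffer; the price, visible above, is that a size hidden behind a pointer parameter is "unknown" and goes unchecked on that side, which is why the kernel's version pairs this with the compile-time path and why hardened usercopy is still needed for data crossing the user/kernel boundary.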

Comments (11 posted)

Quote of the week

Lguest is an adventure, with you, the reader, as Hero. I can't think of many 5000-line projects which offer both such capability and glimpses of future potential; it is an exciting time to be delving into the source! But be warned; this is an arduous journey of several hours or more! And as we know, all true Heroes are driven by a Noble Goal. Thus I offer a Beer (or equivalent) to anyone I meet who has completed this documentation.
We'll miss lguest

Comments (3 posted)

Distributions

Summary of the DebConf 2038 BoF

Steve McIntyre reports from a BoF session on the year-2038 problem at DebConf 17. "It's important that we work on fixing issues *now* to stop people building broken things that will bite us. We all expect that our own computer systems will be fine by 2038; Debian systems will be fixed and working! We'll have rebuilt the world with new interfaces and found the issues. The issues are going to be in the IoT, with systems that we won't be able to simply rebuild/verify/test - they'll fail. We need to get the underlying systems right ASAP for those systems."

Full Story (comments: 6)

100 days of postmarketOS

The postmarketOS distribution looks back at its first 100 days. "One of our previously stated goals is using the mainline Linux kernel on as many mobile devices as possible. This is not as easy as it might sound, since many Linux-based smartphones (Android) require binary drivers which depend on very specific kernel versions. It's a tremendous task to rewrite these drivers to work with the current kernel APIs. Nevertheless, some people have been doing that since long before postmarketOS existed. In the case of the Nokia N900 this has been going on for some number of years and almost all components are now supported in the mainline kernel. This has allowed us to use the mainline kernel as the default kernel for the N900, jumping from Maemo's 2.6.x to mainline 4.12!"

Comments (12 posted)

Distribution quote of the week

However, if there is another distro out there with better hppa/sparc support then it is actually a good thing if those users dump Gentoo and switch to the other distro. These are extremely niche arches at this point, so having 10 people on the planet on one distro is going to work better than having them all on different distros.

However, you can't really expect the ubuntu experience if you're running one of these architectures.

Rich Freeman

Comments (5 posted)

Development

Day: Status Icons and GNOME

Allan Day shares some welcome news about the GNOME status icon tray. "GNOME 3 currently shows status icons in the bottom-left corner of the screen, in a tray that slides in and out. We know that this isn’t a good solution. The tray gets in the way and it generally feels quite awkward. There’s a general consensus that we don’t want to continue with this UI for the upcoming version of GNOME 3."

Comments (113 posted)

GnuCOBOL 2.2 released

Version 2.2 of the GNU COBOL compiler is out. Changes include a relicensing to GPLv3, a set of new intrinsic functions, a direct call interface for C functions, and more.

Full Story (comments: 8)

LLVM 5.0.0 released

Version 5.0.0 of the LLVM compiler infrastructure is out. "This release is the result of the community's work over the past six months, including: C++17 support, co-routines, improved optimizations, new compiler warnings, many bug fixes, and more". See the release notes (and release notes for Clang, Clang tools, lld, and polly) for details.

Full Story (comments: none)

PulseAudio 11.0 released

Version 11.0 of the PulseAudio sound system has been released. New features include more hardware support, a priority change so that external sound devices are preferred over internal devices, support for operating as a Bluetooth headset device, and the long awaited GNU Hurd port. See the release notes for details.

Full Story (comments: 9)

Python 3.3.7rc1 now available prior to Python 3.3 end-of-life

Ned Deily has announced the availability of Python 3.3.7rc1, which is a release candidate for the final 3.3.x release. "It is a security-fix source-only release. Python 3.3.0 was released 5 years ago on 2012-09-29 and has been in security-fix-only mode since 2014-03-08. Per project policy, all support for the 3.3 series of releases ends on 2017-09-29, five years after the initial release. Therefore, Python 3.3.7 is expected to be the final release of any kind for the 3.3 series. After 2017-09-29, **we will no longer accept bug reports nor provide fixes of any kind for Python 3.3.x**; of course, third-party distributors of Python 3.3.x may choose to offer their own extended support. Because 3.3.x has long been in security-fix mode, 3.3.7 may no longer build correctly on all current operating system releases and some tests may fail. If you are still using Python 3.3.x, we **strongly** encourage you to upgrade to a more recent, fully supported version of Python 3; see https://www.python.org/downloads/. If you are still using your own build of Python 3.3.x, please report any critical issues with 3.3.7rc1 to the Python bug tracker prior to 2017-09-18, the expected release date for Python 3.3.7 final. Even better, use the time to upgrade to Python 3.6.x!"

Full Story (comments: none)

Development quote of the week

First of all, Twitter is so far behind in their attempts to do surveillance marketing that they’re more funny and heartening than ominous. If getting targeted by one of the big players is like getting tracked down by a pack of hunting dogs, then Twitter targeting is like watching a puppy chew on your sock.
Don Marti

Comments (none posted)

Page editor: Jake Edge


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds