
Brief items

Security

Numerous vulnerabilities in AMD processors

A company called CTS has disclosed a long series of vulnerabilities in AMD processors. "The chipset is a central component on Ryzen and Ryzen Pro workstations: it links the processor with hardware devices such as WiFi and network cards, making it an ideal target for malicious actors. The Ryzen chipset is currently being shipped with exploitable backdoors that could let attackers inject malicious code into the chip, providing them with a safe haven to operate from." See the associated white paper [PDF] for more details.

Update: there are a lot of questions circulating about the actual severity of these vulnerabilities and the motivations of the people reporting them. It may not be time to panic quite yet.

Comments (20 posted)

An important Samba 4 security release

Anybody running Samba 4 servers probably wants to take a look at this alert and upgrade their systems. "CVE-2018-1057: On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users."

Comments (none posted)

Security quote of the week

The report collapses the question of whether the government should mandate "exceptional access" to the contents of encrypted communications with how the government could accomplish this mandate. We wish the report gave as much weight to the benefits of encryption and risks that exceptional access poses to everyone’s civil liberties as it does to the needs—real and professed—of law enforcement and the intelligence community.
Andrew Crocker and Nate Cardozo of the EFF on a US National Academy of Sciences report on the encryption debate

Comments (none posted)

Kernel development

Kernel release status

The current development kernel is 4.16-rc5, released on March 11. Linus said: "This continues to be pretty normal - this rc is slightly larger than rc4 was, but that looks like one of the normal fluctuations due to timing of pull requests, not due to anything distressing."

The current 4.16 regression report shows nine known problems.

Stable updates: 4.15.8 and 4.14.25 were released on March 9, followed by 4.15.9, 4.14.26, 4.9.87, 4.4.121, and 3.18.99 on March 11.

The 4.15.10 and 4.14.27 stable updates are in the review process as of this writing; they are due on March 15.

Comments (none posted)

An update on the architecture purge

LWN recently covered a discussion on deleting some old, unloved architectures from the kernel. Since that time, this work has proceeded. On March 14, Arnd Bergmann posted a set of patches removing no fewer than eight architectures (blackfin, cris, frv, metag, m32r, mn10300, tile, and score); this series appears to be destined for the 4.17 merge window. The unicore32 architecture, which had been on the chopping block for a while, has been saved since a maintainer has stepped forward to continue work on it.

Bergmann pointed out a pattern in the architectures that are on their way out:

In the end, it seems that while the eight architectures are extremely different, they all suffered the same fate: There was one company in charge of an SoC line, a CPU microarchitecture and a software ecosystem, which was more costly than licensing newer off-the-shelf CPU cores from a third party (typically ARM, MIPS, or RISC-V).

When the removal of associated device drivers is taken into account, the net effect is to remove over 450,000 lines of code from the kernel. That suggests that 4.17 could well be smaller, in terms of lines of code, than 4.16 — that would be the third time in the entire history of the kernel that a release has been smaller than its predecessor. Of course, achieving that milestone could still be thwarted by the arrival of a patch adding another 100,000 GPU register definitions or some such, but one can always hope.

Comments (7 posted)

Distributions

Debian 9.4 released

The Debian Project has released the fourth update to Debian 9 "stretch". As usual, this update mainly adds corrections for security issues, along with a few adjustments for serious problems. "Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release."

Full Story (comments: none)

Robinson: Fedora IoT Edition is go!

On his blog, Peter Robinson announced the acceptance of a new edition of Fedora for the Internet of Things (IoT). He had proposed it as a Fedora "spin", but the Fedora Council decided to make it a full-fledged edition with its own working group. "So what will be happening over the coming weeks (and months)? We’ll be getting the working group in place, getting an initial monthly release process in place so that people can start to have something to kick the tires with and provide feedback and drive discussion. With those two big pieces in place we can start to grow the Fedora IoT community and work out the bits that work and bits that don’t work."

Comments (6 posted)

Distribution quotes of the week

Everybody I know has these sorts of complaints about language-based PMs, whether they prefer Ubuntu, or Debian, or CentOS, or whatever. Nobody wants random programs downloading random stuff and dropping orphan files all over their filesystem with no way to identify these or clean them up. They're usually written by the same sorts of people who tell you to pipe curl into sudo bash...
Rich Freeman

I'm happy that the ftp masters are doing their job in the best way they can. This includes any re-reviews of packages already in the archive, at whatever points they choose, be that when there's a new binary package from an old source package, randomly chosen packages, or targeting packages whose SHA3 ends in 42.
Lars Wirzenius

If you are surrounded by other distributions then you will always hear the latest and greatest about their projects. At the end of the day it’s a bit sad to see that after almost 10 years (the first big attempt to join efforts between RPM based distributions was made during LinuxTag in 2009) we are still spending time to solve the same problems independently. I would really like to see that one day OpenSuSE, Mageia and Fedora are using the workflow for building packages and not need to maintain their own SPEC files.
Fabian Affolter

Comments (none posted)

Development

Firefox 59 released

Mozilla has released Firefox 59, the next iteration of Firefox Quantum. From the release notes: "On Firefox for desktop, we’ve improved page load times, added tools to annotate and crop your Firefox Screenshots, and made it easier to arrange your Top Sites on the Firefox Home page. On Firefox for Android, we’ve added support for sites that stream video using the HLS protocol."

Comments (4 posted)

GNOME 3.28 released

GNOME 3.28 has been released. "This release brings a more beautiful font, an improved on-screen keyboard and a new 'Usage' application. Improvements to core GNOME applications include support for favorites in Files and the file chooser, a better month view in the Calendar, support for importing pictures from devices in Photos, and many more." See the release notes for details.

Full Story (comments: 13)

LLVM 6.0.0 released

Version 6.0.0 of the LLVM compiler suite is out. "This release is the result of the community's work over the past six months, including: retpoline Spectre variant 2 mitigation, significantly improved CodeView debug info for Windows, GlobalISel by default for AArch64 at -O0, improved scheduling on several x86 micro-architectures, Clang defaults to -std=gnu++14 instead of -std=gnu++98, support for some upcoming C++2a features, improved optimizations, new compiler warnings, many bug fixes, and more."

Full Story (comments: 2)

The Rust 2018 roadmap

Here is the Rust community's plan for the rest of this year. "This year, we will deliver Rust 2018, marking the first major new edition of Rust since 1.0 (aka Rust 2015). We will continue to publish releases every six weeks as usual. But we will designate a release in the latter third of the year (Rust 1.29 - 1.31) as Rust 2018. This new 'edition' of Rust will be the culmination of feature stabilization throughout the year, and will ship with polished documentation, tooling, and libraries that tie in to those features."

Comments (1 posted)

Development quotes of the week

It turned out that the problem was my monitor this whole time. I went with a full power cycle to my computer probably dozens of times in the course of debugging this issue. But I didn’t power cycle my monitor once… doing so fixed my issue fully.

I guess I’ve been thinking that monitors are still “dumb”, that they just show pixels coming in over the wire. But that is no longer the case, hasn’t been for years, and so if you’re having issues that you think are GPU issues, don’t forget to do the “turn it off and then back on again” routine with your monitor as well!

Michael Pyne

This is exactly what I'm trying to do here: advertise Monocypher with an article that should be interesting in its own right. While I expect most of you will walk away with some idea of how much ancillary support open source projects require, let's be honest: my real hope is that some of you notice my crypto library.

I do mean to take over the world, after all.

Loup Vaillant

Comments (3 posted)

Miscellaneous

ACME v2 and Wildcard Certificate Support is Live

Let's Encrypt has announced that ACMEv2 (Automated Certificate Management Environment) and wildcard certificate support is live. ACMEv2 is an updated version of the ACME protocol that has gone through the IETF standards process. Wildcard certificates allow you to secure all subdomains of a domain with a single certificate. (Thanks to Alphonse Ogulla)
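"All subdomains" is narrower than it sounds: a wildcard name in a certificate stands for exactly one DNS label. The following Python matcher, an added example that is not Let's Encrypt's or any ACME client's code, applies the RFC 6125 wildcard rules that TLS clients use; the domain names in its docstrings are constructed for illustration.

```python
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Normalize a DNS name: lowercase, drop a trailing dot, split on '.'."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.

    Rules (RFC 6125 section 6.4.3, as tightened by current TLS clients):
      * literal names match exactly, case-insensitively
      * '*' is honoured only as the entire leftmost label, and only when
        at least two labels follow it ('*.com' never matches); partial
        wildcards such as 'f*.example.com' never match
      * the wildcard stands for exactly one label: '*.example.com' covers
        'www.example.com' but neither 'example.com' nor 'a.b.example.com'
    """
    p_labels = _labels(pattern)
    h_labels = _labels(hostname)
    if not p_labels or not h_labels:
        return False
    # A hostname is a name, not a pattern: a '*' in it never matches.
    if any("*" in lbl for lbl in h_labels):
        return False
    if p_labels[0] != "*":
        # No leading wildcard: plain comparison. Because the hostname
        # contains no '*', a partial wildcard in the pattern cannot match.
        return p_labels == h_labels
    # Wildcard form: '*' must be followed by at least two literal labels.
    if len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_covers(san_names: list[str], hostname: str) -> bool:
    """True if any subjectAltName entry in the certificate matches hostname.

    A wildcard-only certificate does not cover the apex domain, so a
    typical deployment lists both 'example.com' and '*.example.com'.
    """
    return any(wildcard_matches(n, hostname) for n in san_names)
```

The apex case is the one that bites in practice: a certificate carrying only `*.example.com` leaves `https://example.com/` itself uncovered.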

Comments (4 posted)

Page editor: Jake Edge


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds