Brief items
Security
Security quotes of the week
On the other hand, increasingly difficult CAPTCHA practices can drive
humans crazy. "Which pictures do NOT contain traffic signs?" "Confirm this
statement, 'there are no images or partial images of automobiles in this
set of pictures.'"
— Vinton G. Cerf
Humans may justifiably want to throw their computers through the nearest window when poorly executed CAPTCHAs prevent them from legitimately accessing online services.
With a $300 Proxmark RFID card reading and writing tool, any expired
keycard pulled from the trash of a target hotel, and a set of cryptographic
tricks developed over close to 15 years of on-and-off analysis of the codes
Vingcard electronically writes to its keycards, they found a method to
vastly narrow down a hotel's possible master key code. They can use that
handheld Proxmark device to cycle through all the remaining possible codes
on any lock at the hotel, identify the correct one in about 20 tries, and
then write that master code to a card that gives the hacker free reign to
roam any room in the building. The whole process takes about a minute.
— Andy
Greenberg in Wired
Samsung Smart TV. During the first minute after power-on, the TV
talks to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS,
MSNBC, NFL, Deezer, and Facebook—even though we did not sign in or create
accounts with any of them.
— The
Center for Information Technology Policy at Princeton announces its IoT Inspector project
Kernel development
Kernel release status
The current development kernel is 4.17-rc3, released on April 29. Linus said: "And by now, I think we've fixed all the nastiest fall-out from the merge window. In particular, the PTI large-page fallout that hit some people with particular configurations should all be good."
Stable updates: 4.16.5 and 4.14.37 were released on April 26. 4.16.6, 4.14.38, 4.9.97, 4.4.130, and 3.18.107 came out on April 30, and 4.16.7, 4.14.39, 4.9.98, 4.4.131, and 3.18.108 followed on May 2.
Quotes of the week
-rc releases suck. seriously suck. The quality of commits that went in -rc
cycles was much worse than merge window commits:
— Sasha Levin
- All commits had the same chance of introducing a bug whether they came in a merge window or an -rc cycle. This means that -rc commits mostly end up replacing obvious bugs with less obvious ones.
- While the average merge window commit changes, on average, 3x more lines than an -rc commit, the chances of a bug introduced per patch is the same, which means that bugs-per-line metric of code is much higher with -rc patches.
- A merge window commit spent 50% more days, on average, in -next than a -rc commit.
- The number of -rc commits that never saw any mailing list or has never been replied to on a mailing list was **way** higher than merge window commits.
- For some reason, the odds of a -rc commit to be targeted for -stable is over 20%, while for merge window commits it's about 3%. I can't quite explain why that happens, but this would suggest that -rc commits end up hurting -stable pretty badly.
Please don't edit patches by hand. It's a skill nobody should
have.
— Linus Torvalds
Distributions
Schaller: Warming up for Fedora Workstation 28
Christian Schaller looks forward to the Fedora 28 release (which will evidently be the first on-time Fedora release ever). "The Spectre/Meltdown situation did hammer home to a lot of people the need to have firmware updates easily available and easy to update. We created the Linux Vendor Firmware service for Fedora Workstation users with that in mind and it was great to see the service paying off for many Linux users, not only on Fedora, but also on other distributions who started using the service we provided. I would like to call out to Dell who was a critical partner for the Linux Vendor Firmware effort from day 1 and thus their users got the most benefit from it when Spectre and Meltdown hit. Spectre and Meltdown also helped get a lot of other vendors off the fence or to accelerate their efforts to support LVFS and Richard Hughes and Peter Jones have been working closely with a lot of new vendors during this cycle to get support for their hardware and devices into LVFS."
Fedora 28 released
The Fedora 28 release has been announced. "The headline feature for Fedora 28 Server is the inclusion of the new Modular repository. This lets you select between different versions of software like NodeJS or Django, so you can chose the stack you need for your software." Some users will also appreciate that proprietary blobs (such as the NVIDIA drivers) are now easier to obtain and install.
Fedora Atomic Workstation becomes Team Silverblue
There is a new initiative in the Fedora community based on what used to be called "Fedora Atomic Workstation". From this whitepaper [PDF]: "The descriptive name for this product is image-mode container-based Fedora Workstation based on rpm-ostree, which is clear but terrible for branding. Therefore, we call it Team Silverblue. The long-term goal for this effort is to transform Fedora Workstation into an image-based system where applications are separate from the OS and updates are atomic."
Pitt: De-Googling my phone
Martin Pitt describes his experience running a fully free-software Android phone. "I previously used Opera as a web browser, because it is relatively lightweight (important on my previous phone) and the really good builtin ad blocker. But these days Firefox is really fast and good enough, so I replaced it with Fennec, which is more or less Firefox with some non-free bits removed. After installing uBlock Origin I’ve never looked back."
Google launches the gVisor container runtime
Google has announced the open-sourcing of gVisor, a sandboxed container runtime. "gVisor is more lightweight than a VM while maintaining a similar level of isolation. The core of gVisor is a kernel that runs as a normal, unprivileged process that supports most Linux system calls. This kernel is written in Go, which was chosen for its memory- and type-safety. Just like within a VM, an application running in a gVisor sandbox gets its own kernel and set of virtualized devices, distinct from the host and other sandboxes."
Ubuntu 18.04 LTS (Bionic Beaver) released
Ubuntu 18.04, a long-term-support release, is out. "Codenamed 'Bionic Beaver', 18.04 LTS continues Ubuntu's proud tradition of integrating the latest and greatest open source technologies into a high-quality, easy-to-use Linux distribution. The team has been hard at work through this cycle, introducing new features and fixing bugs." It features a 4.15 kernel, a new GNOME-based desktop environment, and more. See the release notes and this overview for details.
Distribution quotes of the week
Charles Babbage wasn’t lying when he said “The only thing that would make
my Difference Engine any better would be a modern customisable desktop
environment that didn’t deviate from traditional desktop paradigms (unless
I wanted it to.)” In a long lost diary entry Ada Lovelace scribbled “If
only my code could be matched to an OS that had a perfect blend of
usability and style accompanied by a handpicked selection of quality
software packages.” ENIAC, moments before being unplugged in 1956, spat out a final message: “Give us a reboot when Ubuntu MATE 18.04 LTS is out will ya?”
— Martin Wimpress
An advantage of code that is dead upstream is that everyone ships the
same sources.
— Adrian Bunk
This makes porting fixes from one distribution to another trivial.
It's important that the openSUSE Project is a free and open Project
for anyone to contribute to.
...
— Richard Brown
...
I greatly appreciate the fact that we have contributors who feel able to be part of this project entirely under an identity of their choosing, perhaps one which is significantly different from the identity they hold when interacting with other communities or legal entities.
I strongly feel that such an approach is the true way to fostering diversity within openSUSE, which is a worthwhile goal, long held as part of our projects Guiding Principles.
Not speaking to this case specifically, but in general I would try
to convince maintainers with some combination of irrefutable
argument and well-tested patches (combined with a friendly demeanour
and a rhethorical flourish) rather than try and summon the "mob" from
debian-devel if I didn't immediately get my way. ;)
— Chris Lamb
Development
GCC 8.1 Released
Version 8.1 of the GCC compiler suite is out. "Are you tired of your existing compilers? Want fresh new language features and better optimizations? Make your day with the new GCC 8.1!" See this page for a complete list of changes in this release.
Development quotes of the week
Here are some examples of long-running bug reports where you can see this dynamic in action. It’s quite sad to observe, because everybody involved is doing what makes perfect sense from their perspective (except for a few people behaving badly), yet the result is a mess.
— Philip
Chimento (Thanks to Paul Wise)
I hope this illustrates why it’s important to assume that people are acting in good faith.
fwiw, libinput has a setting where it can automatically disable the touchpad
for external mice but it's not integrated into GNOME (afaik). It's a bit
problematic in that it provides little feedback once set. Ideally you want a
OSD to signal your touchpad's disabled now. Otherwise it's hard to guess why
nothing works after the bluetooth mouse in the sock drawer randomly decided
to connect to your host.
— Peter Hutterer
So while the libinput feature is there, I'm not sure I can fully recommend it as a user-friendly solution for GNOME.
PS: do not keep mice in a sock drawer. That's not their natural habitat.
Page editor: Jake Edge
Next page:
Announcements>>