
Brief items

Security

Security quotes of the week

Larry [Cashdollar] was also super helpful in identifying the underlying issue and very polite in his emails.

Would definitely write another security vulnerability into my code again if I knew that Larry would report it. ;)

Sebastian Tschan, also known as "blueimp" (Thanks to Paul Wise.)

The government still has regular meetings on supply chain risk management, but there are no easy answers to this problem. The technical ability to detect something wrong has been outpaced by the ability to do something about it.

Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency

Here's what that means: obeying the GDPR is hard and expensive; if you use an ad service that screws up its GDPR systems, you can end up on the hook financially for very large damages.

These twin factors -- expensive compliance and liability for publishers with out-of-compliance ad-brokers -- have enhanced Google's business at the expense of its smaller competitors. The massively profitable, dominant Google can easily afford best-of-breed compliance, while the little competitors (including the scrappy Made-in-Europe competitors to Google) don't have the same kind of resources. Some of these little guys just go out of business (or exit the EU market), and the remainder struggle to drum up business as publishers ask themselves whether they're willing to risk costly penalties if their little-guy ad-broker turns out to be out-of-compliance.

Cory Doctorow


Kernel development

Kernel release status

The 4.19 kernel is out, released on October 22. Headline features in this release include the new AIO-based polling interface, L1TF vulnerability mitigations, the block I/O latency controller, time-based packet transmission, the CAKE queuing discipline, and much more. "And with that, Linus, I'm handing the kernel tree back to you. You can have the joy of dealing with the merge window".

Stable updates: 4.18.15, 4.14.77, and 4.9.134 were released on October 18, followed by 4.18.16, 4.14.78, 4.9.135, and 4.4.162 on October 20.


Some kernel code-of-conduct refinements

Greg Kroah-Hartman has posted a series of patches making some changes around the newly adopted code of conduct. In particular, it adds a new document describing how the code is to be interpreted in the kernel community. "I originally sent the first two patches in this series to a lot of kernel developers privately, to get their review and comments and see if they wanted to ack them. This is the traditional way we have always done for policy documents or other 'contentious' issues like the GPLv3 statement or the 'closed kernel modules are bad' statement. Due to the very unexpected way that the original Code of Conduct file was added to the tree, a number of developers asked if this series could also be posted publicly before they were merged, and so, here they are."


Linux Foundation Technical Advisory Board election call for nominations

The Linux Foundation's Technical Advisory Board is chosen by a vote at the Kernel Summit each year; this year, that will happen during the Linux Plumbers Conference in November. The call for nominations to the board has gone out; it remains open until the voting happens. "The TAB advises the Foundation on kernel-related matters, helps member companies learn to work with the community, and works to resolve community-related problems before they get out of hand. We're also working with kernel maintainers to help refine the new code of conduct, and serving as the initial point of contact for code of conduct issues."


Distributions

OpenBSD 6.4

OpenBSD 6.4 has been released. This release features improved hardware support, adding a number of new drivers. Notable security improvements include the new unveil() system call to restrict file system access.


Ubuntu 18.10 (Cosmic Cuttlefish) released

Ubuntu has announced the release of its latest version, 18.10 (or "Cosmic Cuttlefish"). It has lots of updated packages and such, and is available in both a desktop and server version; there are also multiple flavors that were released as well. More information can be found in the release notes. "The Ubuntu kernel has been updated to the 4.18 based Linux kernel, our default toolchain has moved to gcc 8.2 with glibc 2.28, and we've also updated to openssl 1.1.1 and gnutls 3.6.4 with TLS1.3 support. Ubuntu Desktop 18.04 LTS brings a fresh look with the community-driven Yaru theme replacing our long-serving Ambiance and Radiance themes. We are shipping the latest GNOME 3.30, Firefox 63, LibreOffice 6.1.2, and many others. Ubuntu Server 18.10 includes the Rocky release of OpenStack including the clustering enabled LXD 3.0, new network configuration via netplan.io, and iteration on the next-generation fast server installer. Ubuntu Server brings major updates to industry standard packages available on private clouds, public clouds, containers or bare metal in your datacentre."


Distribution quotes of the week

Minimal installation size is *not* the only goal here. Ease of use and lack of surprise is important [too]. Personally, I'd much rather have numerous unused packages installed than to have something break in an opaque way when I try to use it, even if I'm unlikely to need to use it. This is particularly the case when the additional packages don't do things like run services or (much) increase the attack surface.

Personally, I think people in this thread are too worried about trying to remove as many packages from their system as possible and not worried enough about a straightforward user experience.

Russ Allbery

If you're happy with sysvinit, that's fine. But if sysvinit no longer suits your use case, or you're afraid it will no longer work with systemd apps and daemons, then don't try to massively bring up to date the 30 year old jalopy from the days of Devo and Pat [Benatar] and distributors and carburetors, instead switch to something that already accommodates your needs: Runit (or s6).

Steve Litt

I really like runit from what I have read so far and would like to see it supported. For now I think it is important to have sysvinit be maintained in Debian again and enjoy the first signs of cooperation between Devuan and Debian, on sysvinit but also in the elogind package. Maybe the start of a long-overdue healing process.

How would it be to let the past be in the past… how would it to be let go of all the hurting each other and the blaming each other? The past is gone. Now both sysvinit and Systemd are there. That is just how it is. So instead of convincing those who use Systemd that it is bad, evil, and what else not, how about spending time to work on the alternatives like having sysvinit maintained again *and* supporting runit in Devuan?

Martin Steigerwald

Yeah, I saw this astronomical body and associated satellites passing by, accelerated by the gravitational pull of the buildds, leaving a tail of successful builds...

May they have many happy returns to the buildds in their future galactic trajectories!

Manuel A. Fernandez Montecelo (Thanks to Paul Wise)


Development

cairo release 1.16.0 now available

After four years of development since 1.14.0, version 1.16.0 of the cairo 2D graphics library has been released. "Of particular note is a wealth of work by Adrian Johnson to enhance PDF functionality, including restoring support for MacOSX 10.4, metadata, hyperlinks, and more. Much attention also went into fonts, including new colored emoji glyph support, variable fonts, and fixes for various font idiosyncrasies. Other noteworthy changes include GLESv3 support for the cairo_gl backend, tracking of SVG units in generated SVG documents, and cleanups for numerous test failures and related issues in the PDF and Postscript backends." More information can be found in the change log.


Firefox 63 blocks tracking cookies, offers a VPN when you need one (Ars Technica)

Ars Technica takes a look at the Enhanced Tracking Protection (ETP) feature in Firefox 63. "Firefox has long had the ability to block all third-party cookies, but this is a crude solution, and many sites will break if all third-party cookies are prohibited. The new ETP option works as a more selective block on tracking cookies; third-party cookies still work in general, but those that are known to belong to tracking companies are blocked. For the most part, sites will retain their full functionality, just without undermining privacy at the same time. At least for now, however, Mozilla is defaulting this feature to off, so the company can get a better idea of the impact it has on the Web. In testing, the company has found the occasional site that breaks when tracking cookies are blocked. Over the next few months, Firefox developers will get a better picture of just how much breaks, and, if it's not too severe, the plan is to block trackers by default starting in early 2019." The article also mentions a second privacy-related feature: the offer of a subscription to the ProtonVPN service.

The Firefox 63 release notes contain other details.


Announcing the GNU Kind Communication Guidelines

Richard Stallman has released an initial version of the GNU Kind Communications Guidelines, and asks all GNU contributors to make their best efforts to follow these guidelines in GNU Project discussions. "The idea of the GNU Kind Communication Guidelines is to start guiding people towards kinder communication at a point well before one would even think of saying, 'You are breaking the rules.' The way we do this, rather than ordering people to be kind or else, is to try to help people learn to make their communication more kind. I hope that kind communication guidelines will provide a kinder and less strict way of leading a project's discussions to be calmer, more welcoming to all participants of good will, and more effective."


OpenSSH 7.9 released

The OpenSSH 7.9 release is out. It (finally) allows the use of symbolic service names rather than port numbers, adds support for sending signals over the SSH protocol, bans the use of DSA keys for certificate authorities, and more.


PostgreSQL 11 released

The PostgreSQL 11 release is out. "PostgreSQL 11 provides users with improvements to overall performance of the database system, with specific enhancements associated with very large databases and high computational workloads. Further, PostgreSQL 11 makes significant improvements to the table partitioning system, adds support for stored procedures capable of transaction management, improves query parallelism and adds parallelized data definition capabilities, and introduces just-in-time (JIT) compilation for accelerating the execution of expressions in queries." See this article for a detailed overview of what is in this release.


How to do Samba: Nicely

The Samba team has announced a set of guidelines for the project. "Please note this is not a 'Code of Conduct' as such, but a set of advisory guidelines we'd like people to follow, with a way for people (privately if they prefer) to raise issues if they see them. I hope everyone will find this document acceptable as a way for us to agree on how we want our community to be a welcoming one for all members."


Development quotes of the week

To be fair, those rules did have a significant impact on the world back in AD 500, and continue to form the foundation for Benedictines' behavior to this day, but it is a little unusual to find software developers being urged to "prefer nothing more than the love of Christ" and "be not addicted to wine" (there is no mention of coffee or pizza, however).

Kieren McCarthy on SQLite's code of conduct

glmark is comprehensive and can do just about anything I need while developing graphics drivers, except for making me a peanut butter and jellyfish sandwich. Er, never mind, it looks like they just added an OpenGL sandwich scene. Bonus!

Alyssa Rosenzweig (Thanks to Paul Wise)

As for thumb detection: libinput now assumes that you only have one thumb per hand, which is a statistically well-supported approximation.

Peter Hutterer (Thanks to Jan Engelhardt)


Page editor: Jake Edge


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds