
Brief items

Security

CVE-2019-5736: runc container breakout

Anybody running containerized workloads with runc (used by Docker, cri-o, containerd, and Kubernetes, among others) will want to make note of a newly disclosed vulnerability known as CVE-2019-5736. "The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host." LXC is also evidently vulnerable to a variant of the exploit.


Google releases ClusterFuzz

Google has announced the release of its ClusterFuzz fuzz-testing system as free software. "ClusterFuzz has found more than 16,000 bugs in Chrome and more than 11,000 bugs in over 160 open source projects integrated with OSS-Fuzz. It is an integral part of the development process of Chrome and many other open source projects. ClusterFuzz is often able to detect bugs hours after they are introduced and verify the fix within a day."


Security quotes of the week

HP doesn’t spell out any consequences in their terms of service for failure to send the ink back, so we checked with a support agent. They helpfully explained that nothing happens if you fail to send them back, but the cartridges would stop working. You’ll have to buy more ink on your own if you want to keep printing. HP ships specially marked ink as part of this process, and your printer recognizes that it is intended for Instant Ink subscribers only. It’s essentially DRM, but instead of locking down a digital movie or book, this locks down a physical product: the ink in your printer.

Instant Ink requires an internet connection for your printer. HP explains that they monitor your ink levels, so they know when to send you more, but as described in their Terms of Service the other reason for this is to remotely disable your ink cartridges if you cancel, or if there are any issues with your payment.

Josh Hendrickson at How-To Geek

Ultimately, I suspect the best solution is to move most of our discussions to dedicated fora like GitLab issues, or something like Discourse. Fundamentally, the thing we're trying to do (send email to thousands of people at a time using a fake From address) is ... kind of the opposite of what the 2019 Internet wants us to do. Every few months the major providers drop more of our mail as they become more aggressive with spam, and every few months their userbase increases by a non-trivial amount.

We've done a lot of work on our email infrastructure, and are doing our best to be a responsible citizen within the constraint of having to launder mail and forge identity on an industrial scale, but it's coming to the point where it just may not be possible to run such a service at such a scale anymore. [...]

Of course we do not have any plans to stop providing email any time soon, but it might be worth thinking about what you can do to reduce your dependency on email lists. At the current rate of degradation, it might be non-viable quicker than you'd think. Maybe this is unduly gloomy, but the entire internet's direction of travel has been away from services like Mailman, and its velocity is only increasing.

Daniel Stone (Thanks to Jani Nikula)


Kernel development

Kernel release status

The current development kernel is 5.0-rc6, released on February 10. Linus said: "So while I would have wished for less at this point, nothing in there looks all that odd or scary. I think we're still solidly on track for a normal release."

Stable updates: 4.4.174 was released on February 8. The patches went out for review on February 7; this release contains a backport of a fix for the FragmentSmack denial-of-service vulnerability. "Many thanks to Ben Hutchings for this release, it's pretty much just his work here in doing the backporting of networking fixes to help resolve 'FragmentSmack' (i.e. CVE-2018-5391)."

The (huge) 4.20.8, 4.19.21, 4.14.99, and 4.9.156 updates were released on February 12.


Distributions

Distribution quotes of the week

OpenSUSE is certainly not one of the largest distributions, measured by number of users. But I dare to say that we might have achieved an interesting ratio of skilled users and users willing to contribute, whether it's bugfixing, packaging or testing and meaningful reporting. There is a long-running joke that the reason why openSUSE has no community is that whenever someone becomes really active in the openSUSE community, he sooner or later ends up as a SUSE employee. Sure, it's just a joke, but as with many others, there is some deep truth hidden in it. Do we want to risk these users just to attract a lot of passive ones or even pure consumers of resources? I don't.
Michal Kubecek

For me, the email that I received last month is an indication that the openSUSE community can do more to retain its users. And that the openSUSE community should have a better ‘Marketing strategy’ (for lack of a better term) to make the Contributor Journey a smoother experience. To try to get the roadblocks out of the way for the people that want to be informed or be involved. It is an area where I could see myself contributing in the future.
Martin de Boer


Development

GTK+ renamed to GTK

The GTK+ toolkit project has, after extensive deliberation, decided to remove the "+" from its name. "Over the years, we had discussions about removing the '+' from the project name. The 'plus' was added to 'GTK' once it was moved out of the GIMP sources tree and the project gained utilities like GLib and the GTK type system, in order to distinguish it from the previous, in-tree version. Very few people are aware of this history, and it's kind of confusing from the perspective of both newcomers and even expert users; people join the wrong IRC channel, the URLs on wikis are fairly ugly, etc."


LibreOffice 6.2 released

The LibreOffice 6.2 release is out. The headline feature this time around appears to be "NotebookBar": "a radical new approach to the user interface - based on the MUFFIN concept". Other changes include a reworking of the context menus, better change-tracking performance, better interoperability with proprietary file formats, and more.


Plasma 5.15 released

KDE has announced the release of Plasma 5.15. "Plasma 5.15 brings a number of changes to the configuration interfaces, including more options for complex network configurations. Many icons have been added or redesigned to make them clearer. Integration with third-party technologies like GTK and Firefox has been improved substantially." This release also features improvements to the Discover software manager. Many other tweaks and improvements are covered in the changelog.


PyPy 7.0.0 released

Version 7.0.0 of the PyPy Python interpreter is out. This release supports no fewer than three upstream Python versions: 2.7, 3.5, and 3.6 (the last as an alpha release). "All the interpreters are based on much the same codebase, thus the triple release".


Development quotes of the week

However, little about Wayland is inherently network opaque. Things like sending pixel buffers to the compositor are already abstracted on Wayland and a network-backed implementation could be easily made. The problem is that no one seems to really care: all of the people who want network transparency drank the anti-Wayland kool-aid instead of showing up to put the work in. If you want to implement this, though, we’re here and ready to support you! Drop by the wlroots IRC channel and we’re prepared to help you implement this.
Drew DeVault

I want to add one comment: someone on the thread said: "we are a small niche market". No... we're a growing niche market. I can assure you of that. This market is supporting several companies who market pre-installed machines with Linux-based desktops and are thriving. It might be slow, but conversions are happening.
Sriram Ramkrishna


Miscellaneous

The CNCF 2018 annual report

For those wondering what the Cloud Native Computing Foundation is up to, its 2018 annual report [PDF] is now out. "KubeCon + CloudNativeCon has expanded from its start with 500 attendees in 2015 to become one of the largest and most successful open source conferences ever. The KubeCon + CloudNativeCon North America event in Seattle, held December 10-13, 2018, was our biggest yet and was sold out several weeks ahead of time with 8,000 attendees."


FSF Annual Report now available

The Free Software Foundation has announced that its annual report for fiscal year 2017 is available. "The Annual Report reviews the FSF's activities, accomplishments, and financial picture from October 1, 2016 to September 30, 2017. It is the result of a full external financial audit, along with a focused study of program results. It examines the impact of the FSF's events, programs, and activities, including the annual LibrePlanet conference, the Respects Your Freedom (RYF) hardware certification program, and the fight against Digital Restrictions Management (DRM)."


The OpenStack Foundation's 2018 annual report

The OpenStack Foundation has issued its 2018 annual report. "2018 was a productive year for the OpenStack community. A total of 1,972 contributors approved more than 65,000 changes and published two major releases of all components, code named Queens and Rocky. The component project teams completed work on themes related to integrating with other OpenStack components, other OpenStack Foundation Open Infrastructure Projects, and projects from adjacent communities. They also worked on stability, performance, and usability improvements. In addition to that component-specific work, the community continued to expand our OpenStack-wide goals process, using a few smaller topics to refine the goal selection process and understand how best to complete initiatives on such a large scale."


Page editor: Jake Edge


Copyright © 2019, Eklektix, Inc.