Brief items
Security
CVE-2019-5736: runc container breakout
Anybody running containerized workloads with runc (used by Docker, cri-o, containerd, and Kubernetes, among others) will want to make note of a newly disclosed vulnerability known as CVE-2019-5736. "The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host." LXC is also evidently vulnerable to a variant of the exploit.
Google releases ClusterFuzz
Google has announced the release of its ClusterFuzz fuzz-testing system as free software. "ClusterFuzz has found more than 16,000 bugs in Chrome and more than 11,000 bugs in over 160 open source projects integrated with OSS-Fuzz. It is an integral part of the development process of Chrome and many other open source projects. ClusterFuzz is often able to detect bugs hours after they are introduced and verify the fix within a day."
Security quotes of the week
HP doesn’t spell out any consequences in their terms of service for failure
to send the ink back, so we checked with a support agent. They helpfully
explained that nothing happens if you fail to send them back, but the
cartridges would stop working. You’ll have to buy more ink on your own if
you want to keep printing. HP ships specially marked ink as part of this
process, and your printer recognizes that it is intended for Instant Ink
subscribers only. It’s essentially DRM, but instead of locking down a
digital movie or book, this locks down a physical product: the ink in your
printer.
— Josh
Hendrickson at How-To Geek
Instant Ink requires an internet connection for your printer. HP explains that they monitor your ink levels, so they know when to send you more, but as described in their Terms of Service the other reason for this is to remotely disable your ink cartridges if you cancel, or if there are any issues with your payment.
Ultimately, I suspect the best solution is to move most of our
discussions to dedicated fora like GitLab issues, or something like
Discourse. Fundamentally, the thing we're trying to do (send email to
thousands of people at a time using a fake From address) is ... kind
of the opposite of what the 2019 Internet wants us to do. Every few
months the major providers drop more of our mail as they become more
aggressive with spam, and every few months their userbase increases by
a non-trivial amount.
— Daniel Stone (Thanks to Jani Nikula)
We've done a lot of work on our email infrastructure, and are doing our best to be a responsible citizen within the constraint of having to launder mail and forge identity on an industrial scale, but it's coming to the point where it just may not be possible to run such a service at such a scale anymore. [...]
Of course we do not have any plans to stop providing email any time soon, but it might be worth thinking about what you can do to reduce your dependency on email lists. At the current rate of degradation, it might be non-viable quicker than you'd think. Maybe this is unduly gloomy, but the entire internet's direction of travel has been away from services like Mailman, and its velocity is only increasing.
Kernel development
Kernel release status
The current development kernel is 5.0-rc6, released on February 10. Linus said: "So while I would have wished for less at this point, nothing in there looks all that odd or scary. I think we're still solidly on track for a normal release."
Stable updates: 4.4.174 was released
on February 8. The patches went out
for review on February 7; this release contains a backport of a fix
for the FragmentSmack denial-of-service vulnerability. "Many
thanks to Ben Hutchings for this release, it's pretty much just his work
here in doing the backporting of networking fixes to help resolve
"FragmentSmack" (i.e. CVE-2018-5391).
"
The (huge) 4.20.8, 4.19.21, 4.14.99, and 4.9.156 updates were released on February 12.
Distributions
Distribution quotes of the week
OpenSUSE is certainly not one of the largest distributions, measured by
number of users. But I dare to say that we might have achieved an
interesting ratio of skilled users and users willing to contribute,
whether it's bugfixing, packaging or testing and meaningful reporting.
There is a long running joke that the reason why openSUSE has no
community is that whenever someone becomes really active in openSUSE
community, he sooner or later ends up as a SUSE employee. Sure, it's
just a joke but as with many others, there is some deep truth hidden in
it. Do we want to risk these users just to attract a lot of passive ones
or even pure consuments of resources? I don't.
— Michal Kubecek
For me, the email that I received last month is an indication that the openSUSE community can do more to retain its users. And that the openSUSE community should have a better ‘Marketing strategy’ (for the lack of a better term) to make the Contributor Journey a smoother experience. To try to get the roadblocks out of the way for the people that want to be informed or be involved. It is an area where I could see myself contributing to in the future.
— Martin de Boer
Development
GTK+ renamed to GTK
The GTK+ toolkit project has, after extensive deliberation, decided to remove the "+" from its name. "Over the years, we had discussions about removing the '+' from the project name. The 'plus' was added to 'GTK' once it was moved out of the GIMP sources tree and the project gained utilities like GLib and the GTK type system, in order to distinguish it from the previous, in-tree version. Very few people are aware of this history, and it's kind of confusing from the perspective of both newcomers and even expert users; people join the wrong IRC channel, the URLs on wikis are fairly ugly, etc."
LibreOffice 6.2 released
The LibreOffice 6.2 release is out. The headline feature this time around appears to be "NotebookBar": "a radical new approach to the user interface - based on the MUFFIN concept". Other changes include a reworking of the context menus, better change-tracking performance, better interoperability with proprietary file formats, and more.
Plasma 5.15 released
KDE has announced the release of Plasma 5.15. "Plasma 5.15 brings a number of changes to the configuration interfaces, including more options for complex network configurations. Many icons have been added or redesigned to make them clearer. Integration with third-party technologies like GTK and Firefox has been improved substantially." This release also features improvements to the Discover software manager. Many other tweaks and improvements are covered in the changelog.
PyPy 7.0.0 released
Version 7.0.0 of the PyPy Python interpreter is out. This release supports no less than three upstream Python versions: 2.7, 3.5, and 3.6 (as an alpha release). "All the interpreters are based on much the same codebase, thus the triple release".
Development quotes of the week
However, little about Wayland is inherently network opaque. Things like sending
pixel buffers to the compositor are already abstracted on Wayland and a
network-backed implementation could be easily made. The problem is that no
one seems to really care: all of the people who want network transparency
drank the anti-Wayland kool-aid instead of showing up to put the work
in. If you want to implement this, though, we’re here and ready to support
you! Drop by the wlroots
IRC channel and we’re prepared to help you implement this.
— Drew
DeVault
I want to add one comment: someone on the thread said: "we are a small
niche market". No.. we're a growing niche market. I can assure you
of that. This market is supporting several companies who market
pre-installed machines with Linux based desktop and are thriving. It
might be slow, but conversions are happening.
— Sriram Ramkrishna
Miscellaneous
The CNCF 2018 annual report
For those wondering what the Cloud Native Computing Foundation is up to, its 2018 annual report [PDF] is now out. "KubeCon + CloudNativeCon has expanded from its start with 500 attendees in 2015 to become one of the largest and most successful open source conferences ever. The KubeCon + CloudNativeCon North America event in Seattle, held December 10-13, 2018, was our biggest yet and was sold out several weeks ahead of time with 8,000 attendees."
FSF Annual Report now available
The Free Software Foundation has announced that its annual report for fiscal year 2017 is available. "The Annual Report reviews the FSF's activities, accomplishments, and financial picture from October 1, 2016 to September 30, 2017. It is the result of a full external financial audit, along with a focused study of program results. It examines the impact of the FSF's events, programs, and activities, including the annual LibrePlanet conference, the Respects Your Freedom (RYF) hardware certification program, and the fight against Digital Restrictions Management (DRM)."
The OpenStack Foundation's 2018 annual report
The OpenStack Foundation has issued its 2018 annual report. "2018 was a productive year for the OpenStack community. A total of 1,972 contributors approved more than 65,000 changes and published two major releases of all components, code named Queens and Rocky. The component project teams completed work on themes related to integrating with other OpenStack components, other OpenStack Foundation Open Infrastructure Projects, and projects from adjacent communities. They also worked on stability, performance, and usability improvements. In addition to that component-specific work, the community continued to expand our OpenStack-wide goals process, using a few smaller topics to refine the goal selection process and understand how best to complete initiatives on such a large scale."
Page editor: Jake Edge
Next page:
Announcements>>