
Brief items

Security

GitHub's report on open-source security

GitHub has released its "2020 State of the Octoverse" report; one piece of that is a report on security [PDF]. There are a number of interesting conclusions there, including that a surprising number of security vulnerabilities are planted deliberately. "Analysis on a random sample of 521 advisories from across our six ecosystems finds that 17% of the advisories are related to explicitly malicious behavior such as backdoor attempts. Of those 17%, the vast majority come from the npm ecosystem. While 17% of malicious attacks will steal the spotlight in security circles, vulnerabilities introduced by mistake can be just as disruptive and are much more likely to impact popular projects. Out of all the alerts GitHub sent developers notifying them of vulnerabilities in their dependencies, only 0.2% were related to explicitly malicious activity. That is, most vulnerabilities were simply those caused by mistakes."

Comments (4 posted)

Security quotes of the week

In the current location data marketplace, if your phone and apps know where you are, then the government could, too. But the Supreme Court has decided that our detailed location data is so revealing about our activities and associations that law enforcement must get a warrant in order to acquire it. Government purchase of location data also threatens to chill people’s willingness to participate in protests in public places, associate with who they want, or practice their religion. History and legal precedent teach us that when the government indiscriminately collects records of First Amendment activities, it can lead to retaliation or further surveillance.
Matthew Guariglia on the EFF Deeplinks blog

Open source means that the code is available for security evaluation, not that it necessarily has been evaluated by anyone. This is an important distinction.
Bruce Schneier

Comments (4 posted)

Kernel development

Kernel release status

The current development kernel is 5.10-rc7, released on December 6. "So unless something odd and bad happens next week, we'll have a final 5.10 release next weekend, and then we'll get the bulk of the merge window for 5.11 over and done with before the holiday season starts."

Stable updates: 5.9.13, 5.4.82, 4.19.162, and 4.14.211 were released on December 8.

Comments (none posted)

Distributions

CentOS is dead, long live CentOS Stream

Red Hat has announced an end to the CentOS distribution as we know it. CentOS will be replaced by "CentOS Stream", which looks like a sort of beta test for changes going into Red Hat Enterprise Linux. Support for CentOS 7 will continue as scheduled, but support for CentOS 8 will go away at the end of 2021. "When CentOS Linux 8 (the rebuild of RHEL8) ends, your best option will be to migrate to CentOS Stream 8, which is a small delta from CentOS Linux 8, and has regular updates like traditional CentOS Linux releases. If you are using CentOS Linux 8 in a production environment, and are concerned that CentOS Stream will not meet your needs, we encourage you to contact Red Hat about options."

More information can be found in this FAQ. "CentOS Stream will be getting fixes and features ahead of RHEL. Generally speaking, we expect CentOS Stream to have fewer bugs and more runtime features than RHEL until those packages make it into the RHEL release."

Update: see also this blog post from Chris Wright.

Comments (170 posted)

t2 Linux 20.10 released

The 20.10 release of the t2 Linux distribution is available. "After a decade of development we are proud to announce the availability of the new T2 Linux Source and Embedded Linux distribution build kit stable release 20.10." More information about this distribution can be found at t2sde.org: "T2 SDE is not just a regular Linux distribution - it is a flexible Open Source System Development Environment or Distribution Build Kit (others might even name it Meta Distribution). T2 allows the creation of custom distributions with state of the art technology, up-to-date packages and integrated support for cross compilation. Currently the Linux kernel is normally used - but the T2 SDE is being expanded to Minix, Hurd, OpenDarwin, Haiku and OpenBSD - more to come."

Full Story (comments: 17)

Distribution quotes of the week

It's not that I'm less interested in Debian. I've just been busy recently packaging up more software I use or want to use in designing high power model rockets and the solid propellant motors I fly in them, and would rather spend the time I have available for Debian maintaining those packages and all their various build dependencies than continuing to be responsible for core packages in the distribution that "work fine for me" but could use attention.
Bdale Garbee

Almost immediately after the release, all the attention is now directed towards filling the space that CentOS will leave behind. Undoubtedly, Ubuntu and SUSE would try to assert their presence with their open source alternatives. Debian, the largest behemoth of them all, hopefully will receive funding and participation like never before. A silver lining of this event would perhaps be the buzzing excitement of what will be and can be. It is time to be excited about Linux again.
Clement Chiew

I have been doing this for 17 years and CentOS is basically my life's work. This was (for me personally) a heart-wrenching decision. However, I see no other decision as a possibility. If there was, it would have been made.
Johnny Hughes

Comments (none posted)

Development

GNU Autoconf 2.70 released

GNU Autoconf 2.70 is out. "Noteworthy changes include support for the 2011 revisions of the C and C++ standards, support for reproducible builds, improved support for cross-compilation, improved compatibility with current compilers and shell utilities, more efficient generated shell code, and many bug fixes." See this article for more information on what has been happening with Autoconf.

Full Story (comments: 13)

Bash 5.1 and Readline 8.1 released

Bash 5.1 is out. "This release fixes several outstanding bugs in bash-5.0 and introduces several new features. The most significant change is a return to the bash-4.4 behavior of not performing pathname expansion on a word that contains backslashes but does not contain any unquoted globbing special characters. This comes after a long POSIX discussion that resulted in a change to the standard. There are several changes regarding trap handling while reading from the terminal (e.g., for `read' and `select'). There are a number of bug fixes, including several bugs that caused the shell to crash."

The readline library used in bash 5.1 has also been updated to version 8.1. "There are more improvements in the programming interface and new user-visible variables and bindable commands. There are several new public API functions, but there should be no incompatible changes to existing APIs."

Full Story (comments: 3)

Qt 6.0 released

Version 6.0 of the Qt interface framework is available. "Qt 6.0 is a starting point for the next generation of Qt. It is not yet as feature-complete as 5.15, but we will fill the gaps within the months to come. We've done a lot of important work in laying out the foundations of the next version of Qt. Many of those changes might not be immediately visible, but I firmly believe they will help keep Qt competitive in the years to come." Changes include moving to C++17, the completion of the Unicode transition, a move away from OpenGL to a new internal rendering interface, additional 3D capabilities, and more.

Comments (12 posted)

Miscellaneous

Linux Foundation 2020 annual report

The Linux Foundation has published a glossy report of its activities for 2020. "2020 has been a year of challenges for the Linux Foundation ('LF') and our hosted communities. During this pandemic, we’ve all seen our daily lives and those of many of our colleagues, friends, and family around the world completely changed. Too many in our community also grieved over the loss of family and friends. It was uplifting to see LF members join the fight against COVID-19. Our members worldwide contributed technical resources for scientific researchers, offered assistance to struggling families and individuals, contributed to national and international efforts, and some even came together to create open source projects under LF Public Health to help countries deal with the pandemic."

Comments (10 posted)

2019-2020 State of Mozilla

Mozilla has released its annual report: "Every year in the spirit of openness upon which Mozilla was founded, we share publicly the ways we have protected, fought for and helped advance the internet in service of the people who rely on it every day. We outline how our organization is meeting the challenges of online life through an annual report: the State of Mozilla. This year we’ve changed the format of our report to focus on how we are using our organization’s strength and resources on two fronts: Fighting for People and Building for the Future. This report highlights the impact of our work in 2020 and is accompanied by our most recently filed financials which cover 2019. As the State of Mozilla outlines, Mozilla works to make the promise of a better internet a reality. We can’t and we don’t do it alone. There are myriad ways anyone can join this effort through actions big and small, starting with getting better educated on what’s at stake; pushing companies to operate more transparently and in the interest of communities and people, not just profits; testing new products; and choosing technology made by companies who share your vision for a healthier internet."

Comments (32 posted)

Page editor: Jake Edge


Copyright © 2020, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds