
LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Garrett: Microsoft aren't forcing Lenovo to block free operating systems

Thursday 22nd of September 2016 08:03:35 PM
Matthew Garrett looks at the real problem behind the inability of some Lenovo laptops to run Linux. "The real problem here is that Intel do very little to ensure that free operating systems work well on their consumer hardware - we still have no information from Intel on how to configure systems to ensure good power management, we have no support for storage devices in "RAID" mode and we have no indication that this is going to get better in future. If Intel had provided that support, this issue would never have occurred."

A pile of security updates for Thursday

Thursday 22nd of September 2016 07:17:15 PM
Arch Linux has updated firefox (multiple vulnerabilities), irssi (code execution), and tomcat7 (proxy injection).

CentOS has updated firefox (C5, C6, C7: multiple vulnerabilities).

Debian has updated wireshark (LTS: dissector vulnerabilities), irssi (denial of service), and openssl (multiple vulnerabilities).

Fedora has updated drupal7-google_analytics (F23, F24: cross-site scripting), drupal7-panels (F23, F24: multiple vulnerabilities), jasper (F23: multiple code-execution vulnerabilities), mod_cluster (F24: "remote exploits"), nodejs-string-dot-prototype-dot-repeat (F23: "update for security reasons"), php-horde-Horde-Mime-Viewer (F23, F24: cross-site scripting), php-horde-Horde-Text-Filter (F23, F24: cross-site scripting), and xen (F23: multiple vulnerabilities).

Mageia has updated chromium-browser-stable (29 CVEs), curl (code execution), file-roller (file deletion), flash-player-plugin (26 CVEs), icu (code execution), jsch (path traversal vulnerability), libksba (denial of service), nodejs (remote code execution), slock (lock bypass), and tomcat (traffic redirection).

openSUSE has updated opera (multiple vulnerabilities).

Oracle has updated firefox (OL5, OL6, OL7: multiple vulnerabilities).

Scientific Linux has updated firefox (SL5-7: multiple vulnerabilities).

Slackware has updated irssi (denial of service), pidgin (17 CVE numbers), and firefox (multiple vulnerabilities).

SUSE has updated java-1_7_1-ibm (SLES12: three CVEs described as "Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Deployment"), and java-1_6-0-ibm (SLES11: one unspecified vulnerability).

Ubuntu has updated firefox (multiple vulnerabilities), gdk-pixbuf (code execution), irssi (denial of service), and thunderbird (code execution).

Note that there appear to be differences of opinion as to whether the irssi vulnerability can be exploited for code execution.

[$] LWN.net Weekly Edition for September 22, 2016

Thursday 22nd of September 2016 01:18:35 AM
The LWN.net Weekly Edition for September 22, 2016 is available.

GNOME 3.22 released

Wednesday 21st of September 2016 06:36:39 PM
The GNOME Project has announced the release of GNOME 3.22, "Karlsruhe". "This release brings comprehensive Flatpak support. GNOME Software can install and update Flatpaks, GNOME Builder can create them, and the desktop provides portal implementations to enable sandboxed applications. Improvements to core GNOME applications include support for batch renaming in Files, sharing support in GNOME Photos, an updated look for GNOME Software, a redesigned keyboard settings panel, and many more."

[$] BBR congestion control

Wednesday 21st of September 2016 04:39:57 PM
Congestion-control algorithms are unglamorous bits of code that allow network protocols (usually TCP) to maximize the throughput of any given connection while simultaneously sharing the available bandwidth equitably with other users. New algorithms tend not to generate a great deal of excitement; the addition of TCP New Vegas during the 4.8 merge window drew little fanfare, for example. The BBR (Bottleneck Bandwidth and RTT) algorithm just released by Google, though, is attracting rather more attention; it moves away from the mechanisms traditionally used by these algorithms in an attempt to get better results in a network characterized by wireless links, meddling middleboxes, and bufferbloat.

Security advisories for Wednesday

Wednesday 21st of September 2016 03:36:21 PM

Arch Linux has updated curl (code execution), lib32-curl (code execution), and lib32-jansson (denial of service).

Debian has updated wireshark (multiple vulnerabilities).

Debian-LTS has updated unadf (two vulnerabilities).

Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities).

SUSE has updated mysql (SLE11-SP3,4: multiple unspecified vulnerabilities).

CouchDB 2.0 released

Wednesday 21st of September 2016 02:52:59 PM
The Apache CouchDB database project has announced its 2.0 release. New features include clustering support, a new query language, a new administrative interface, and more. "CouchDB 2.0 is 99% API compatible with the 1.x series and most applications should continue to just work."

The curious case of the switch statement (fuzzy notepad)

Wednesday 21st of September 2016 02:49:37 PM
The fuzzy notepad blog is carrying a post about the switch statement with just about everything one might want to know about its past, present, and possible future. "As we’ve seen, the switch statement has had basically the same form for 49 years. The special case labels are based on syntax derived directly from fixed-layout FORTRAN on punchcards in 1957, several months before my father was born. I hate it."

Catanzaro: GNOME 3.22 core apps

Wednesday 21st of September 2016 02:33:05 PM
Michael Catanzaro lays down the rules for which GNOME applications distributions should package if they want to claim to provide a "pure GNOME experience." "Selecting the right set of default applications is critical to achieving a quality user experience. Installing redundant or overly technical applications by default can leave users confused and frustrated with the distribution. Historically, distributions have selected wildly different sets of default applications. There’s nothing inherently wrong with this, but it’s clear that some distributions have done a much better job of this than others."

[$] The NTP pool system

Wednesday 21st of September 2016 01:59:37 AM
NTP, the Network Time Protocol, quietly and without much fuss performs the critical internet function of knowing the correct time. Using it, a computer with imperfect communications links may join a distributed community of servers, each of which is either directly attached to a reliable clock, or is trying to best synchronize its clock to one or more better-synchronized members of the community. The NTP pool system has arisen as a method of providing such a community to the internet; it works well, but is not without its challenges.

Garcia: WebKitGTK+ 2.14

Tuesday 20th of September 2016 07:05:47 PM
Carlos Garcia Campos takes a look at the latest stable release of WebKitGTK+. "[The threaded compositor] is the most important change introduced in WebKitGTK+ 2.14 and what kept us busy for most of this release cycle. The idea is simple, we still render everything in the web process, but the accelerated compositing (all the OpenGL calls) has been moved to a secondary thread, leaving the main thread free to run all other heavy tasks like layout, JavaScript, etc. The result is a smoother experience in general, since the main thread is no longer busy rendering frames, it can process the JavaScript faster improving the responsiveness significantly." This release is also considered feature complete in Wayland.

Security updates for Tuesday

Tuesday 20th of September 2016 04:09:57 PM

CentOS has updated kernel (C7: three vulnerabilities).

openSUSE has updated file-roller (Leap42.1, 13.2: file deletion), openssh (Leap42.1: two vulnerabilities), and php5 (13.2: multiple vulnerabilities).

Ubuntu has updated kernel (16.04: three vulnerabilities), kernel (14.04: two vulnerabilities), kernel (12.04: code execution), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-xenial (14.04: three vulnerabilities), linux-raspi2 (16.04: three vulnerabilities), linux-snapdragon (16.04: three vulnerabilities), linux-ti-omap4 (12.04: code execution), and tomcat6, tomcat7, tomcat8 (privilege escalation).

LLVM contemplates relicensing

Monday 19th of September 2016 04:38:46 PM
The LLVM project is currently distributed under the BSD-like NCSA license, but the project is considering a change in the interest of better patent protection. "After extensive discussion involving many lawyers with different affiliations, we recommend taking the approach of using the Apache 2.0 license, with the binary attribution exception (discussed before), and add an additional exception to handle the situation of GPL2 compatibility if it ever arises."

Security advisories for Monday

Monday 19th of September 2016 04:04:25 PM

Arch Linux has updated chromium (multiple vulnerabilities), jansson (denial of service), lib32-libgcrypt (flawed random number generation), and php (multiple vulnerabilities).

Debian-LTS has updated curl (code execution), jackrabbit (cross-site request forgery), pdns (multiple denial of service flaws), php5 (multiple vulnerabilities), phpmyadmin (multiple vulnerabilities), and zookeeper (buffer overflow).

Fedora has updated chromium (F24: multiple vulnerabilities), distribution-gpg-keys (F24: privilege escalation), GraphicsMagick (F23: multiple vulnerabilities), jasper (F24: denial of service), mingw-openjpeg2 (F24; F23: out-of-bounds write), mock (F24: privilege escalation), moin (F24: unspecified vulnerability from 2014), openjpeg2 (F23: out-of-bounds write), and php-adodb (F24; F23: cross-site scripting).

SUSE has updated php53 (SLES11-SP2: multiple vulnerabilities).

Emacs 25.1 released

Monday 19th of September 2016 01:56:43 PM
Version 25.1 of the Emacs editor is available. New features include a dynamic module loader, experimental Cairo drawing, better TLS certificate validation, better Unicode input, a mechanism for embedding widgets within buffers, and more.

Kernel prepatch 4.8-rc7

Monday 19th of September 2016 01:57:49 AM
The 4.8-rc7 kernel prepatch is out. "Normally rc7 is the last in the series before the final release, but by now I'm pretty sure that this is going to be one of those releases that come with an rc8. Things didn't calm down as much as I would have liked, there are still a few discussions going on, and it's just unlikely that I will feel like it's all good and ready for a final 4.8 next Sunday."

Coghlan: The Python packaging ecosystem

Saturday 17th of September 2016 12:55:34 PM
Here's a lengthy piece from Nick Coghlan on how Python software gets to users. "There have been a few recent articles reflecting on the current status of the Python packaging ecosystem from an end user perspective, so it seems worthwhile for me to write-up my perspective as one of the lead architects for that ecosystem on how I characterise the overall problem space of software publication and distribution, where I think we are at the moment, and where I'd like to see us go in the future."

Bash 4.4 and Readline 7.0 released

Friday 16th of September 2016 10:22:03 PM
The GNU Bourne Again SHell (Bash) project has released version 4.4 of the tool. It comes with a large number of bug fixes as well as new features: "The most notable new features are mapfile's ability to use an arbitrary record delimiter; a --help option available for nearly all builtins; a new family of ${parameter@spec} expansions that transform the value of `parameter'; the `local' builtin's ability to save and restore the state of the single-letter shell option flags around function calls; a new EXECIGNORE variable, which adds the ability to specify names that should be ignored when searching for commands; and the beginning of an SDK for loadable builtins, which consists of a set of headers and a Makefile fragment that can be included in projects wishing to build their own loadable builtins, augmented by support for a BASH_LOADABLES_PATH variable that defines a search path for builtins loaded with `enable -f'. The existing loadable builtin examples are now installed by default with `make install'." In addition, the related Readline command-line editing library project has released Readline 7.0.

Friday's security advisories

Friday 16th of September 2016 05:15:09 PM

CentOS has updated libarchive (C7; C6: multiple vulnerabilities, some from 2015).

Debian has updated tomcat7 (privilege escalation) and tomcat8 (privilege escalation).

Debian-LTS has updated mysql-5.5 (privilege escalation).

Fedora has updated curl (F24: code execution).

Mageia has updated cracklib (code execution), dropbear (three code execution flaws), jasper (two vulnerabilities from 2015), krb5 (denial of service), lcms2 (information leak), mediawiki (multiple vulnerabilities), openvpn (information leak), perl-DBD-mysql (two code execution flaws from 2014 and 2015), and perl-XSLoader (code execution).

openSUSE has updated opera (42.1: multiple vulnerabilities) and tiff (42.1: multiple vulnerabilities, three from 2015).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

Scientific Linux has updated kernel (SL7: three vulnerabilities).

Slackware has updated curl (code execution).

Hutterer: Synaptics pointer acceleration

Friday 16th of September 2016 12:57:42 PM
For this week's development horror story, it would be hard to do better than Peter Hutterer's quest to figure out how pointer acceleration works in the Synaptics driver. "Also a disclaimer: the last time some serious work was done on acceleration was in 2008/2009. A lot of things have changed since and since the server is effectively un-testable, we ended up with the mess below that seems to make little sense. It probably made sense 8 years ago and given that most or all of the patches have my signed-off-by it must've made sense to me back then. But now we live in the glorious future and holy cow it's awful and confusing."
