LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

[$] Snowdrift.coop: Funding for free projects

Wednesday 10th of December 2014 08:20:11 PM
Funding projects in the "free and open" world is a perennial problem. "Crowdfunding" using Kickstarter and other platforms has helped to alleviate some funding issues for some projects, but it is a model that targets one-time goals, not sustained development. Snowdrift.coop, which is an organization aimed at providing long-term funding for free and open projects, has—somewhat ironically—announced a crowdfunding campaign to launch itself.

Click below (subscribers only) for the full article.

Security advisories for Wednesday

Wednesday 10th of December 2014 05:58:57 PM

CentOS has updated kernel (C7: multiple vulnerabilities) and rpm (C7; C6; C5: code execution).

Mageia has updated flash-player-plugin (multiple vulnerabilities), graphviz (format string vulnerability), iceape (multiple vulnerabilities), nodejs (multiple vulnerabilities), openafs (multiple vulnerabilities), php-pear-HTML_AJAX (code execution), and util-linux (command injection).

Oracle has updated kernel (OL7: multiple vulnerabilities) and rpm (OL7; OL6; OL5: code execution).

Red Hat has updated httpd24-httpd (RHSCL: two vulnerabilities), kernel (RHEL7: multiple vulnerabilities), and rpm (RHEL7; RHEL5,6; EUS products: code execution).

Scientific Linux has updated rpm (SL7; SL5,6: code execution).

Ubuntu has updated bind9 (denial of service), xorg-server, xorg-server-lts-trusty (14.10, 14.04, 12.04: multiple vulnerabilities), and xorg-server, xorg-server-lts-trusty (14.10, 14.04, 12.04: incomplete fixes in previous update).

Qt 5.4 released

Wednesday 10th of December 2014 01:37:46 PM
Version 5.4 of the Qt toolkit is now available. It provides better interaction with web-based content, improved graphics, Bluetooth Low Energy support, and a lot more, including a licensing change: "As announced earlier, the open-source version for Qt 5.4 is also made available under the LGPLv3 license. The new licensing option allows us at The Qt Company to introduce more value-add components for the whole Qt ecosystem without making compromises on the business side. It also helps to protect 3rd party developers’ freedom from consumer device lock-down and prevents Tivoization as well as other misuse."

An extensive set of X.org vulnerabilities

Tuesday 9th of December 2014 07:12:27 PM
The X.Org developers have released an advisory warning of a large set of vulnerabilities in the server, some of which date back to the X11R1 release in 1987. "How critical these vulnerabilities are to any given installation depends on whether they run an X server with root privileges or reduced privileges; whether they run X servers exposed to network clients or limited to local connections; and whether or not they allow use of the affected protocol extensions, especially the GLX extension."

Linux software nasty slithers out of online watering holes (The Register)

Tuesday 9th of December 2014 06:30:29 PM
The Turla trojan malware has been found to run on Linux, reports The Register. "[Kaspersky researcher Kurt] Baumgartner said the module written in C and C++ was hardened against reverse-engineering through the use of stripped symbol information and hidden network communications, adding it could not be discovered using Netstat. It contained attack capabilities which did not require root privileges including arbitrary remote command execution, incoming packet interception and remote management."

"Ubuntu Core" announced

Tuesday 9th of December 2014 05:14:00 PM
Mark Shuttleworth has announced the availability of "Ubuntu Core," a version of the distribution that takes a different approach to package management. "This is in a sense the biggest break with tradition in 10 years of Ubuntu, because Ubuntu Core doesn’t use debs or apt-get. We call it 'snappy' because that’s the new bullet-proof mechanism for app delivery and system updates; it’s completely different to the traditional package-based Ubuntu server and desktop. The snappy system keeps each part of Ubuntu in a separate, read-only file, and does the same for each application. That way, developers can deliver everything they need to be confident their app will work exactly as they intend, and we can take steps to keep the various apps isolated from one another, and ensure that updates are always perfect. Of course, that means that apt-get won’t work, but that’s OK since developers can reuse debs to make their snappy apps, and the core system is exactly the same as any other Ubuntu system – server or desktop."

Tuesday's security updates

Tuesday 9th of December 2014 04:49:56 PM

Debian has updated bind9 (denial of service) and kernel (multiple vulnerabilities).

Gentoo has updated dovecot (denial of service), libvirt (multiple vulnerabilities), nfs-utils (information disclosure), and qemu (multiple vulnerabilities).

SUSE has updated OpenVPN (SLE11 SP3: denial of service).

Ubuntu has updated graphviz (format string vulnerability).

Fedora 21 released

Tuesday 9th of December 2014 03:30:21 PM
The Fedora 21 distribution release is now available, in three different flavors (cloud, server, and workstation). "Fedora 21 is a game-changer for the Fedora Project, and we think you're going to be very pleased with the results." See the announcement for the highlights found in each of the released spins.

Kocialkowski: A hacker's journey: freeing a phone from the ground up, first part

Monday 8th of December 2014 07:55:35 PM
Paul Kocialkowski shares his experience with porting Replicant to the LG Optimus Black. "Every once in a while, an unexpected combination of circumstances ends up enabling us to do something pretty awesome. This is the story of one of those times. About a year ago, a member of the Replicant community started evaluating a few targets from CyanogenMod and noticed some interesting ones. After some early research, he picked a device: the LG Optimus Black (P970), bought one and started porting Replicant to it. After a few encouraging results, he was left facing issues he couldn't overcome and decided to give up with the port. As the device could still be an interesting target for Replicant, we decided to buy the phone from him so that I could pick up the work where he stalled." (Thanks to Paul Wise)

The SFLC's intervention in Google v. Oracle

Monday 8th of December 2014 07:07:50 PM
The Software Freedom Law Center has filed an interesting brief with the U.S. Supreme Court on whether the Court should review the Federal Circuit court decision stating that Android violates Oracle's copyrights by shipping some Java headers. The SFLC disagrees with the Circuit court decision, but, interestingly, still argues that the Supreme Court should not look at the case. "Given that the parties are agreed that Petitioner has the right to royalty-free use of all the material at issue under GNU GPL, and it is in addition entitled to claim that its use was licensed at all relevant times, there is no public interest in the adjudication of a controversy which remains merely theoretical if not factually moot."

[$] A quick look at the new FontForge release

Monday 8th of December 2014 06:07:46 PM

FontForge is the most feature-rich free-software application for building and editing font files, but that is a niche that, regrettably, attracted relatively few developers over the project's lifespan. The situation has improved considerably in the last two years, however, and the latest release introduces several significant improvements. The new features include some expansion and enhancement to the editing tools, which will appeal to existing FontForge users, but they also include other changes that may be more significant in making FontForge appealing to new users.


Security advisories for Monday

Monday 8th of December 2014 06:02:54 PM

Debian has updated getmail4 (multiple vulnerabilities) and icedove (multiple vulnerabilities).

Fedora has updated arm-none-eabi-binutils-cs (F20; F19: multiple vulnerabilities), avr-binutils (F20; F19: multiple vulnerabilities), firefox (F19: multiple vulnerabilities), flac (F20: multiple vulnerabilities), graphviz (F20; F19: format string vulnerability), hivex (F20; F19: invalid hive files), kwebkitpart (F20; F19: code execution), libksba (F20; F19: denial of service), nrpe (F19: code execution), readline (F19: insecure temporary files), and thunderbird (F19: multiple vulnerabilities).

Mageia has updated apache-mod_wsgi (privilege escalation), jasper (code execution), and openvpn (denial of service).

openSUSE has updated apache2-mod_wsgi (13.1, 12.3: privilege escalation), docker (13.2: privilege escalation), firefox (13.2, 13.1, 12.3: multiple vulnerabilities), flac (13.2, 13.1, 12.3: multiple vulnerabilities), icecast (13.2; 13.1, 12.3: information leak/privilege escalation), openvpn (13.2, 13.1, 12.3: denial of service), and ruby19 (13.1, 12.3: two vulnerabilities).

Oracle has updated docker (OL7; OL6: privilege escalation).

Scientific Linux has updated kernel (SL5: restriction bypass).

SUSE has updated clamav (SLE11 SP3; SLES11 SP1,2: multiple vulnerabilities).

Ubuntu has updated ghostscript (10.04: code execution) and jasper (14.10, 14.04, 12.04: code execution).

The 3.18 kernel has been released

Monday 8th of December 2014 04:17:36 AM
Linus has released the 3.18 kernel. "I'd love to say that we've figured out the problem that plagues 3.17 for a couple of people, but we haven't. At the same time, there's absolutely no point in having everybody else twiddling their thumbs when a couple of people are actively trying to bisect an older issue, so holding up the release just didn't make sense." Highlights in this release include the bpf() system call, some significant networking performance improvements, dozens of new drivers, thousands of fixes, and more.

Some stable kernel updates

Sunday 7th of December 2014 08:27:15 PM
The 3.17.5 stable kernel has been released with a comment saying "No one should use it"; instead, the immediately following 3.17.6, containing an important patch reversion, should be used. Also available are 3.14.26 and 3.10.62.

Software Freedom Conservancy launches supporter program

Friday 5th of December 2014 07:48:39 PM

Software Freedom Conservancy (SFC), the US-based non-profit organization that sponsors around 30 separate FOSS projects, has announced a "Supporter" program. The program allows individuals to make a recurring donation to SFC's general operating fund, akin to the individual membership-style programs also offered by the Free Software Foundation, Software In The Public Interest, and various other non-profits in the community. As always, individuals can also make donations directly to SFC member projects.

Friday's security updates

Friday 5th of December 2014 04:44:24 PM

CentOS has updated kernel (C5: privilege escalation).

Mageia has updated mutt (M4: denial of service), yaml, perl-YAML-LibYAML (M4: denial of service), phpmyadmin (M4: denial of service), and tcpdump (M4: code execution).

openSUSE has updated clamav (12.3, 13.1, 13.2: multiple vulnerabilities), flash-player (code execution), and phpMyAdmin (12.3, 13.1, 13.2: multiple vulnerabilities).

Oracle has updated kernel (O5: privilege escalation; O6; O7: multiple vulnerabilities).

Red Hat has updated kernel (RHEL5: privilege escalation).

Ubuntu has updated MAAS (12.04, 14.04, 14.10: privilege escalation).

Hutterer: pointer acceleration in libinput - building a DPI database for mice

Friday 5th of December 2014 02:54:38 PM
Peter Hutterer describes a new mechanism aimed at providing consistent acceleration behavior across mice. "For us, useless and unpredictable is bad, especially in the use-case of everyday desktops. To work around that, libinput 0.7 now incorporates the physical resolution into pointer acceleration. And to do that we need a database, which will be provided by udev as of systemd 218 (unreleased at the time of writing). This database incorporates the various devices and their physical resolution, together with their sampling rate. udev sets the resolution as the MOUSE_DPI property that we can read in libinput and use as reference point in the pointer accel code." The developers are looking for help to populate this new database.

The first CentOS Linux Rolling media release

Friday 5th of December 2014 02:23:21 PM
The CentOS project has announced the availability of the first in a series of monthly rolling releases. "CentOS Linux rolling builds are point in time snapshot media rebuild from original release time, to include all updates pushed to mirror.centos.org's repositories. This includes all security, bugfix, enhancement and general updates for CentOS Linux. Machines installed from this media will have all these updates pre-included and will look no different when compared with machines installed with older media that have been yum updated to the same point in time."

A new set of Docker tools

Thursday 4th of December 2014 06:24:33 PM
Docker has announced a new set of container management tools: Machine (for system provisioning), Swarm (native clustering for Dockerized applications), and Compose (assembly of multi-container applications). "Finally, Docker Swarm has a pluggable architecture and ships 'batteries included' with a default scheduler. Stay tuned for the public API in the first half of 2015 which will allow swapping-in a scheduler implemented by an ecosystem partner or even your own custom implementation. Nevertheless, regardless of the underlying scheduler implementation, the interface to the app remains consistent, meaning that the app remains 100% portable."

Thursday's security updates

Thursday 4th of December 2014 06:20:23 PM

CentOS has updated firefox (C5; C6; C7: multiple vulnerabilities), nss (C5; C6; C7: protocol downgrade), thunderbird (C5; C6: multiple vulnerabilities), and wpa_supplicant (C7: command execution).

Debian has updated iceweasel (multiple vulnerabilities), jasper (code execution), qemu (privilege escalation), qemu-kvm (privilege escalation), and tcpdump (multiple vulnerabilities).

Fedora has updated firefox (F20: multiple vulnerabilities), tcpdump (F19: multiple vulnerabilities), teeworlds (F19; F20: denial of service), thunderbird (F20: multiple vulnerabilities), util-linux (F20: command injection), and wireshark (F20: multiple vulnerabilities).

Mageia has updated firefox, thunderbird (M4: multiple vulnerabilities), libreoffice (M4: code execution), mediawiki (M4: multiple vulnerabilities), and sddm (M4: multiple vulnerabilities).

Oracle has updated firefox (O5; O6: multiple vulnerabilities) and wpa_supplicant (O7: command execution).

Red Hat has updated wget (RHEL6.5: code execution) and wpa_supplicant (RHEL7: command execution).

Scientific Linux has updated firefox (multiple vulnerabilities), nss, nss-util, nss-softokn (protocol downgrade), thunderbird (SL6: multiple vulnerabilities), and wpa_supplicant (SL7: command execution).

Ubuntu has updated eglibc, glibc (10.04, 12.04, 14.04, 14.10: multiple vulnerabilities), tcpdump (10.04, 12.04, 14.04, 14.10: multiple vulnerabilities), and thunderbird (12.04, 14.04, 14.10: multiple vulnerabilities).
