
LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Security updates for Tuesday

Tuesday 7th of March 2017 04:07:19 PM
Security updates have been issued by Debian (freetype and libzip-ruby), Fedora (cacti, canl-c, and mupdf), and openSUSE (bind, munin, and mysql-community-server).

DRM in HTML5 is a victory for the open Web, not a defeat (Ars Technica)

Monday 6th of March 2017 11:22:00 PM
Ars Technica argues that Encrypted Media Extensions (EME), a framework that will allow the delivery of DRM-protected media through the browser, will be good for the web. "Moreover, a case could be made that EME will make it easier for content distributors to experiment with—and perhaps eventually switch to—DRM-free distribution. Under the current model, whether it be DRM-capable browser plugins or DRM-capable apps, a content distributor such as Netflix has no reason to experiment with unprotected content. Users of the site's services are already using a DRM-capable platform, and they're unlikely to even notice if one or two videos (for example, one of the Netflix-produced broadcasts like House of Cards or the forthcoming Arrested Development episodes) are unprotected. It wouldn't make a difference to them."

The Free Software Foundation has a different take on EME. "We have been fighting EME since 2013, and we will not back off because the W3C presents weak guidance as a fig leaf for DRM-using companies to hide their disrespect for users' rights. Companies can impose DRM without the W3C; but we should make them do it on their own, so it is seen for what it is—a subversion of the Web's principles—rather than normalize it or give it endorsement."

Security updates for Monday

Monday 6th of March 2017 05:16:53 PM
Security updates have been issued by Arch Linux (curl), CentOS (ipa, kernel, and qemu-kvm), Debian (munin, ruby-zip, and zabbix), Fedora (bind99, gtk-vnc, jenkins, jenkins-remoting, kdelibs, kf5-kio, libcacard, libICE, libXdmcp, and vim), openSUSE (php5), Oracle (kernel), Red Hat (ansible and openshift-ansible and rpm-ostree and rpm-ostree-client), and Ubuntu (munin).

Kernel prepatch 4.11-rc1

Monday 6th of March 2017 05:22:42 AM
The first 4.11 kernel prepatch is out, and the merge window is closed for this development cycle. "This looks like a fairly regular release. It's on the smallish side, but mainly just compared to 4.9 and 4.10 - so it's not really _unusually_ small (in recent kernels, 4.1, 4.3, 4.5, 4.7 and now 4.11 all had about the same number of commits in the merge window)." There were 10,960 non-merge commits pulled in the end, so it's definitely not unusually small.

How Threat Modeling Helps Discover Security Vulnerabilities (Red Hat Security Blog)

Friday 3rd of March 2017 08:19:29 PM
Over at the Red Hat Security Blog, Hooman Broujerdi looks at threat modeling as a tool to help create more secure software. "Threat modeling is a systematic approach for developing resilient software. It identifies the security objective of the software, threats to it, and vulnerabilities in the application being developed. It will also provide insight into an attacker's perspective by looking into some of the entry and exit points that attackers are looking for in order to exploit the software. [...] Although threat modeling appears to have proven useful for eliminating security vulnerabilities, it seems to have added a challenge to the overall process due to the gap between security engineers and software developers. Because security engineers are usually not involved in the design and development of the software, it often becomes a time consuming effort to embark on brainstorming sessions with other engineers to understand the specific behavior, and define all system components of the software specifically as the application gets complex. [...] While it is important to model threats to a software application in the project life cycle, it is particularly important to threat model legacy software because there's a high chance that the software was originally developed without threat models and security in mind. This is a real challenge as legacy software tends to lack detailed documentation. This, specifically, is the case with open source projects where a lot of people contribute, adding notes and documents, but they may not be organized; consequently making threat modeling a difficult task."

Francis: The story of Firefox OS

Friday 3rd of March 2017 03:49:25 PM
Ben Francis has posted a detailed history of the Firefox OS project. "For me it was never about Firefox OS being the third mobile platform. It was always about pushing the limits of web technologies to make the web a more competitive platform for app development. I think we certainly achieved that, and I would argue our work contributed considerably to the trends we now see around Progressive Web Apps. I still believe the web will win in the end."

Security updates for Friday

Friday 3rd of March 2017 02:34:09 PM
Security updates have been issued by Debian (munin), Fedora (kernel, libXdmcp, and xrdp), Mageia (ming, quagga, util-linux, and webkit2), Oracle (ipa, kernel, and qemu-kvm), Red Hat (ipa, kernel, kernel-rt, python-oslo-middleware, and qemu-kvm), Scientific Linux (ipa, kernel, and qemu-kvm), and Ubuntu (munin, php7, and w3m).

FSFE: What happened in Munich

Friday 3rd of March 2017 12:30:13 AM
The Free Software Foundation Europe has put out a release providing its view of the decision in Munich to possibly back away from its free-software-based infrastructure. "Since this decision was reached, the majority of media have reported that a final call was made to halt LiMux and switch back to Microsoft software. This is, however, not an accurate representation of the outcome of the city council meeting. We studied the available documentation and our impression is that the last word has not been spoken."

Security updates for Thursday

Thursday 2nd of March 2017 03:01:07 PM
Security updates have been issued by Debian (imagemagick, libquicktime, munin, and qemu), Fedora (cxf, netpbm, and vim), openSUSE (ImageMagick, php7, and util-linux), and Red Hat (kernel and openstack-puppet-modules).

LWN.net Weekly Edition for March 2, 2017

Thursday 2nd of March 2017 02:12:19 AM
The LWN.net Weekly Edition for March 2, 2017 is available.

Security updates for Wednesday

Wednesday 1st of March 2017 04:35:43 PM
Security updates have been issued by CentOS (qemu-kvm), Debian (bind9, libquicktime, mupdf, qemu-kvm, and tnef), Fedora (mupdf, rpm, tomcat, util-linux, and xen), openSUSE (gstreamer and gstreamer-plugins-base), Oracle (qemu-kvm), Red Hat (qemu-kvm), Scientific Linux (qemu-kvm), SUSE (kernel and xen), and Ubuntu (libgd2).

MySQL 8 is coming (Opensource.com)

Tuesday 28th of February 2017 07:42:14 PM
Opensource.com takes a look at changes to MySQL 8.0. "Ever open up a directory of a MySQL schema and see all those files—.frm, .myi, .myd, and the like? Those files hold some of the metadata on the database schemas. Twenty years ago, it was a good way to go, but InnoDB is a crash proof storage engine and can hold all that metadata safely. This means file corruption of a .frm file is not going to stall your work. Developers also removed the file system's maximum number of files as the limiting factor to your number of databases; you can now literally have millions of tables in your database."

[$] The case of the prematurely freed SKB

Tuesday 28th of February 2017 07:41:11 PM
CVE-2017-6074 is the vulnerability identifier for a use-after-free bug in the kernel's network stack. This vulnerability is apparently exploitable in local privilege-escalation attacks. The problem, introduced in 2005, is easily fixed, but it points at a couple of shortcomings in the kernel development process; as a result, it would not be surprising if more bugs of this variety were to turn up in the near future.

Security updates for Tuesday

Tuesday 28th of February 2017 04:58:51 PM
Security updates have been issued by Debian (apache2, libplist, and tnef), Fedora (firebird, kernel, and vim), Red Hat (java-1.6.0-ibm, java-1.7.0-ibm, java-1.7.1-ibm, kernel, and qemu-kvm-rhev), SUSE (php53 and xen), and Ubuntu (tiff).

Subversion SHA1 collision problem statement

Tuesday 28th of February 2017 04:27:23 PM
Users of the Subversion source-code management system may want to take a look at this post from Mark Phippard. He explains how hash collisions can corrupt a repository and a couple of short-term workarounds. "The quick summary if you do not want to read this entire post is that the problem is really not that bad. If you run into it there are solutions to resolve it and you are not going to run into it in normal usage. There will also likely be some future updates to Subversion that avoid it entirely so if you regularly update your server and client when new releases come out you are probably safe not doing anything and just waiting for an update to happen."

More in Tux Machines

Leftovers: OSS

  • Blockchain Startups Venture Beyond Bitcoin
    Bitcoin is the most widely-known example of blockchain-based technology, but many of today's startups are looking past the cryptocurrency and towards other, more business-friendly implementations. European blockchain startup incubator Outlier Ventures and Frost & Sullivan have mapped out the blockchain startup landscape, identifying several key areas of activity. It outlines possible paths to success following a busy year for blockchain investments.
  • Another Sandy Bridge Era Motherboard Now Supported By Coreboot
    The Sapphire Pure Platinum H61 is the latest motherboard to be supported by mainline Coreboot for replacing the board's proprietary BIOS.
  • OSI Welcomes the Journal of Open Source Software as Affiliate Member
    The Open Source Initiative® (OSI), a global non-profit organization formed to educate about and advocate for the benefits of open source software and communities, announced that the Journal Of Open Source Software (JOSS), a peer-reviewed journal for open source research software packages, is now an OSI affiliate member.
  • Open source project uses Docker for serverless computing
    Serverless computing has fast become a staple presence on major clouds, from Amazon to Azure. It’s also inspiring open source projects designed to make the concept of functions as a service useful to individual developers. The latest of these projects, called simply Functions as a Service (FaaS) by developer and Linux User contributor Alex Ellis, uses Docker and its native Swarm cluster management technology to package any process as a function available through a web API.
  • PyCharm 2017.1, MicroStrategy 2017.1, Next.js 2.0, and Ubuntu 17.04 final beta released — SD Times news digest: March 27, 2017
  • Open source JavaScript, Node.js devs get NPM Orgs for free
    The SaaS-based tool, which features capabilities like role-based access control, semantic versioning, and package discovery, now can be used on public code on the NPM registry, NPM Inc. said on Wednesday. Developers can transition between solo projects, public group projects, and commercial projects, and users with private registries can use Orgs to combine code from public and private packages into a single project.
  • Slaying Monoliths at Netflix with Node.js
    The growing number of Netflix subscribers -- nearing 85 million at the time of this Node.js Interactive talk -- has generated a number of scaling challenges for the company. In his talk, Yunong Xiao, Principal Software Engineer at Netflix, describes these challenges and explains how the company went from delivering content to a global audience on an ever-growing number of platforms, to supporting all modern browsers, gaming consoles, smart TVs, and beyond. He also looks at how this led to radically modifying their delivery framework to make it more flexible and resilient.
  • Mudlet, the open source MUD client has a new major stable build available
    I don't know how many of you play MUDs, but Mudlet, an open source cross-platform MUD client has hit version 3.0.

today's howtos

Minimal Linux Live

Minimal Linux Live is, as the name suggests, a very minimal Linux distribution which can be run live from a CD, DVD or USB thumb drive. One of the things which set Minimal Linux Live (MLL) apart from other distributions is that, while the distribution is available through a 7MB ISO file download, the project is designed to be built from source code using a shell script. The idea is that we can download scripts that will build MLL on an existing Linux distribution. Assuming we have the proper compiler tools on our current distribution, simply running a single shell script and waiting a while will produce a bootable ISO featuring the MLL operating system.

Yet another option the MLL project gives us is running the distribution inside a web browser using a JavaScript virtual machine. The browser-based virtual machine running MLL can be found on the project's website, under the Emulator tab. This gives us a chance to try out the operating system in our web browser without installing or building anything.

I decided to try the MLL build process to see if it would work and how long it would take if everything went smoothly. I also wanted to find out just how much functionality such a small distribution could offer. The project's documentation mostly covers building MLL on Ubuntu and Linux Mint and so I decided to build MLL on a copy of Ubuntu 16.04 I had running in a virtual machine. The steps to build MLL are fairly straightforward. On Ubuntu, we first install six packages to make sure we have all the required dependencies. Then we download an archive containing MLL's build scripts. Then we unpack the archive and run the build script. We just need to type four commands in Ubuntu's virtual terminal to kick-start the build process.

GCC Compiler Tests At A Variety Of Optimization Levels Using Clear Linux

For those curious about the impact of GCC compiler optimization levels, a variety of benchmarks were carried out using GCC 6.3 on Intel's Clear Linux platform.

Also: LLVM 4.0.1 Planning, Aiming For Better Stable Releases