LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Hutterer: The difference between uinput and evdev

Friday 6th of May 2016 12:05:00 AM
On his blog, Peter Hutterer answers an oft-asked question: "A recurring question I encounter is the question whether uinput or evdev should be the approach [to] implement some feature the user cares about. This question is unfortunately wrongly framed as uinput and evdev have no real overlap and work independent of each other. This post outlines what the differences are. Note that "evdev" here refers to the kernel API, not to the X.Org evdev driver. First, the easy flowchart: do you have to create a new virtual device that has a set of specific capabilities? Use uinput. Do you have to read and handle events from an existing device? Use evdev. Do you have to create a device and read events from that device? You (probably) need two processes, one doing the uinput bit, one doing the evdev bit."

Pennington: Professional corner-cutting

Thursday 5th of May 2016 11:36:36 PM
In a blog post that likens software development to cabinetmaking, Havoc Pennington makes the case for cutting corners—but only the right corners: "Software remains a craft rather than a science, relying on the experience of the craftsperson. Like cabinetmakers, we proceed one step at a time, making judgments about what’s important and what isn’t at each step. A professional developer does thorough work when it matters, and cuts irrelevant corners that aren’t worth wasting time on. Extremely productive developers don’t have supernatural coding skills; their secret is to write only the code that matters. How can we do a better job cutting corners? I think we can learn a lot from people building tables and dressers."

Boehm: How to campaign for the cause of software freedom

Thursday 5th of May 2016 11:29:30 PM
On his blog, Mirko Boehm reports on a multi-day workshop where the Free Software Foundation Europe (FSFE) and the Peng! Collective teamed up to look at new and innovative ways to get out the message about free software. "These campaigns translate abstract, distant risks or worries into concrete, tangible calls to action. By being provocative, they break the mold and reach a wide audience online and through traditional media. They are “cat content for social change”, as our tutors put it. Campaigners are being urged to stop preaching or complaining, and to start using positive communication combined with subversive PR work instead. Such messaging needs punchlines, which requires some kind of hyperbole – dadaism, hijacking attention, or provocation." (Thanks to Paul Wise.)

Security updates for Thursday

Thursday 5th of May 2016 02:15:53 PM

Debian has updated libpam-sshauth (privilege escalation) and libtasn1-6 (denial of service).

Debian-LTS has updated mplayer (code execution).

Fedora has updated dhcp (F23: denial of service), obs-signd (F23: improper user ID matching), and openssl (F23: multiple vulnerabilities).

Mageia has updated subversion (two vulnerabilities).

openSUSE has updated java-1_7_0-openjdk (13.1: multiple vulnerabilities), libopenssl0_9_8 (13.1; 11.4: multiple vulnerabilities), and openssl (13.2; 13.1; 11.4: multiple vulnerabilities).

SUSE has updated compat-openssl097g (SLE11: multiple vulnerabilities) and openssl (SLE12: multiple vulnerabilities).

Ubuntu has updated lcms2 (14.04: denial of service from 2013), openjdk-7 (15.10, 14.04: multiple vulnerabilities), openjdk-8 (16.04: multiple vulnerabilities), and samba (regression in previous security fix).

[$] LWN.net Weekly Edition for May 5, 2016

Thursday 5th of May 2016 12:11:32 AM
The LWN.net Weekly Edition for May 5, 2016 is available.

New stable kernels

Wednesday 4th of May 2016 10:29:05 PM
Greg Kroah-Hartman has released stable kernels 4.5.3, 4.4.9, and 3.14.68. All contain important fixes throughout the tree.

[$] Caravel data visualization

Wednesday 4th of May 2016 08:51:16 PM

One aspect of the heavily hyped Internet of Things (IoT) that can easily get overlooked is that each of the Things one hooks up to the Internet invariably spews out a near non-stop stream of data. While commercial IoT users—such as utility companies—generally have a well-established grasp of what data interests them and how to process it, the DIY crowd is better served by flexible tools that make exploring and transforming data easy. Airbnb maintains an open-source Python utility called Caravel that provides such tools. There are many alternatives, of course, but Caravel does a good job at ingesting data and smoothly molding it into nice-looking interactive graphs—with a few exceptions.

Security advisories for Wednesday

Wednesday 4th of May 2016 04:49:36 PM

Arch Linux has updated imlib2 (multiple vulnerabilities), jasper (multiple vulnerabilities), lib32-openssl (multiple vulnerabilities), and openssl (multiple vulnerabilities).

CentOS has updated kernel (C6: two vulnerabilities).

Debian has updated openssl (multiple vulnerabilities).

Debian-LTS has updated asterisk (multiple vulnerabilities), extplorer (cross-site scripting), minissdpd (denial of service), and openssl (multiple vulnerabilities).

Fedora has updated cacti (F23; F22: three vulnerabilities).

openSUSE has updated Chromium (SPH for SLE12; Leap42.1; 13.2: multiple vulnerabilities), giflib (Leap42.1: denial of service), java-1_7_0-openjdk (13.2: multiple vulnerabilities), java-1_8_0-openjdk (13.2: multiple vulnerabilities), jq (Leap42.1; 13.2: heap buffer overflow), libgcrypt (Leap42.1: key leak), firefox, nss (Leap42.1, 13.2: multiple vulnerabilities), wireshark (Leap42.1, 13.2: multiple vulnerabilities), xerces-j2 (13.2: denial of service), and yast2-users (Leap42.1: empty password fields in /etc/shadow).

Oracle has updated kernel (OL6: two vulnerabilities).

Red Hat has updated java-1.8.0-ibm (RHEL7: multiple vulnerabilities), jenkins (RHOSE3.1: multiple vulnerabilities), and kernel (RHEL6: two vulnerabilities).

Scientific Linux has updated kernel (SL6: two vulnerabilities).

Slackware has updated openssl (multiple vulnerabilities).

SUSE has updated openssl (SLE12: multiple vulnerabilities), openssl1 (SLES11: multiple vulnerabilities), and kernel (SLE11-SP3, SOSC5, SMP2.1: multiple vulnerabilities).

[$] task_diag and statx()

Wednesday 4th of May 2016 09:24:36 AM
The interfaces supported by Linux to provide access to information about processes and files have literally been around for decades. One might think that, by this time, they would have reached a state of relative perfection. But things are not so perfect that developers are deterred from working on alternatives; the motivating factor in the two cases studied here is the same: reducing the cost of getting information out of the kernel while increasing the range of information that is available.

Click below (subscribers only) for the full article from this week's Kernel Page.

De Maré: Mercurial 3.7 and 3.8

Wednesday 4th of May 2016 09:12:07 AM
Mercurial revision-control system developer Mathias De Maré summarizes the changes in the 3.7 and 3.8 releases. "Mercurial 3.7 had a major focus on performance. This is — to a large degree — due to large users like Facebook and Mozilla working on both performance and scalability."

The Linux Embedded Development Environment launches

Wednesday 4th of May 2016 08:30:44 AM
The Linux Embedded Development Environment (or LEDE) project, a fork (or "spinoff") of OpenWrt, has announced its existence. "We are building an embedded Linux distribution that makes it easy for developers, system administrators or other Linux enthusiasts to build and customize software for embedded devices, especially wireless routers. [...] Members of the project already include a significant share of the most active members of the OpenWrt community. We intend to bring new life to Embedded Linux development by creating a community with a strong focus on transparency, collaboration and decentralisation." The new project lives at lede-project.org. (Thanks to Mattias Mattsson).

Linux Kernel BPF JIT Spraying (grsecurity forums)

Tuesday 3rd of May 2016 05:33:02 PM
Over at the grsecurity forums, Brad Spengler writes about a recently released proof of concept attack on the kernel using JIT spraying. "What happened next was the hardening of the BPF interpreter in grsecurity to prevent such future abuse: the previously-abused arbitrary read/write from the interpreter was now restricted only to the interpreter buffer itself, and the previous warn on invalid BPF instructions was turned into a BUG() to terminate execution of the exploit. I also then developed GRKERNSEC_KSTACKOVERFLOW which killed off the stack overflow class of vulns on x64. A short time later, there was work being done upstream to extend the use of BPF in the kernel. This new version was called eBPF and it came with a vastly expanded JIT. I immediately saw problems with this new version and noticed that it would be much more difficult to protect -- verification was being done against a writable buffer and then translated into another writable buffer in the extended BPF language. This new language allowed not just arbitrary read and write, but arbitrary function calling." The protections in the grsecurity kernel will thus prevent this attack. In addition, the newly released RAP feature for grsecurity, which targets the elimination of return-oriented programming (ROP) vulnerabilities in the kernel, will also ensure that "the fear of JIT spraying goes away completely", he said.

Security advisories for Tuesday

Tuesday 3rd of May 2016 04:08:42 PM

Debian-LTS has updated openjdk-7 (multiple vulnerabilities) and smarty3 (code execution).

Fedora has updated php (F23: multiple vulnerabilities).

Gentoo has updated git (multiple vulnerabilities).

Oracle has updated mercurial (OL7: two vulnerabilities).

Scientific Linux has updated mercurial (SL7: two vulnerabilities).

Slackware has updated mercurial (code execution).

Ubuntu has updated libtasn1-3, libtasn1-6 (15.10, 14.04, 12.04: denial of service), libtasn1-6 (16.04: denial of service), openssl (multiple vulnerabilities), poppler (15.10, 14.04, 12.04: multiple vulnerabilities), and firefox (12.04: denial of service).

May Android security bulletin

Tuesday 3rd of May 2016 06:44:41 AM
The Android security bulletin for May is available. It lists 40 different CVE numbers addressed by the May over-the-air update; the bulk of those are at a severity level of "high" or above. "Partners were notified about the issues described in the bulletin on April 04, 2016 or earlier. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours. We will revise this bulletin with the AOSP links when they are available. The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."

Intl. Day Against DRM is Tuesday

Monday 2nd of May 2016 09:36:27 PM
The International Day Against DRM is May 3. "Participate in person at one of the planned events, or join us Tuesday on dayagainstdrm.org for ways to take action against DRM. There will also be a list of discounted ebook offerings from stores participating in the Day."

Security updates for Monday

Monday 2nd of May 2016 06:03:30 PM

Arch Linux has updated firefox (multiple vulnerabilities).

CentOS has updated mercurial (C7: two vulnerabilities).

Debian has updated botan1.10 (multiple vulnerabilities), chromium-browser (multiple vulnerabilities), poppler (code execution), and tardiff (two vulnerabilities).

Debian-LTS has updated botan1.10 (multiple vulnerabilities), gdk-pixbuf (two vulnerabilities), mysql-5.5 (multiple vulnerabilities), poppler (code execution), and subversion (two vulnerabilities).

Fedora has updated ansible (F23; F22: code execution), firefox (F23: multiple vulnerabilities), gd (F23: code execution), openvas-cli (F23: cross-site scripting), openvas-gsa (F23: cross-site scripting), openvas-libraries (F23: cross-site scripting), openvas-manager (F23: cross-site scripting), openvas-scanner (F23: cross-site scripting), roundcubemail (F23; F22: multiple vulnerabilities), and xen (F23; F22: multiple vulnerabilities).

Mageia has updated chromium-browser-stable (multiple vulnerabilities), firefox (multiple vulnerabilities), pgpdump (denial of service), php (multiple vulnerabilities), php-ZendFramework (multiple vulnerabilities), and roundcubemail (three vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), java-1.7.1-ibm (RHEL7: multiple vulnerabilities), mercurial (RHEL7: two vulnerabilities), and rh-mysql56-mysql (RHSCL: multiple vulnerabilities).

Slackware has updated ntp (multiple vulnerabilities), php (multiple vulnerabilities), and subversion (two vulnerabilities).

Ubuntu has updated ubuntu-core-launcher (16.04: code execution).

A guide to inline assembly code in GCC

Monday 2nd of May 2016 07:59:38 AM
The "linux-insides" series of articles has gained an overview of inline assembly in GCC. "I've decided to write this to consolidate my knowledge related to inline assembly here. As inline assembly statements are quite common in the Linux kernel and we may see them in linux-insides parts sometimes, I thought that it would be useful if we would have a special part which contains descriptions of the more important aspects of inline assembly. Of course you may find comprehensive information about inline assembly in the official documentation, but I like the rules all in one place."

Kernel prepatch 4.6-rc6

Monday 2nd of May 2016 07:41:40 AM
The 4.6-rc6 kernel prepatch is out. Linus says: "Things continue to be fairly calm, although I'm pretty sure I'll still do an rc7 in this series." As of this prepatch the code name has been changed to "Charred Weasel."

Devuan Jessie beta released

Saturday 30th of April 2016 01:45:10 PM
The Devuan community has finally gotten a beta release out for testing. "Debian GNU+Linux [sic] is a fork of Debian without systemd, on its way to become much more than that. This Beta release marks an important milestone towards the sustainability and the continuation of Devuan as an universal base distribution."

WebExtensions in Firefox 48

Friday 29th of April 2016 10:45:38 PM

At the Mozilla blog, Andy McKay announces that the browser maker has officially declared WebExtensions ready to use for add-on development. "With the release of Firefox 48, we feel WebExtensions are in a stable state. We recommend developers start to use the WebExtensions API for their add-on development." The WebExtensions support released for Firefox 48 includes improvements to the "alarms, bookmarks, downloads, notifications, webNavigation, webRequest, windows and tabs" APIs, support for a new Content Security Policy that limits where resources can be loaded from, and support in Firefox for Android. LWN looked at the WebExtensions API in December.

More in Tux Machines

Linux and FOSS Events

  • Tracing Microconference Accepted into 2016 Linux Plumbers Conference
    After taking a break in 2015, Tracing is back at Plumbers this year! Tracing is heavily used throughout the Linux ecosystem, and provides an essential method for extracting information about the underlying code that is running on the system. Although tracing is simple in concept, effective usage and implementation can be quite involved.
  • Ubuntu Online Summit
    There's a fundamental difference between conferences for community-driven projects and closed-source commercial software. While Microsoft, Apple and other large companies hold regular meetings to keep developers updated, the information almost always flows in one direction. They (the software owners) tell us (the software users) what they are working on and what they are about to release. These releases almost always come out of the blue and often leave the developer community scrabbling to catch up.
  • Libocon 2016: accommodation
    We’re progressing with the organization of LibreOffice Conference 2016 in Brno. Italo Vignoli of The Document Foundation visited Brno last month, we showed him the venue and also places where we could hold a party, have a hacknight etc.

How to campaign for the cause of software freedom

Free Software communities produce tons of great software. This software drives innovation and enables everybody to access and use computers, whether or not they can afford new hardware or commercial software. So that’s that, the benefit to society is obvious. Everybody should just get behind it and support it. Right? Well, it is not that easy. Especially when it comes to principles of individual freedom or trade-offs between self-determination and convenience, it is difficult to communicate the message in a way that it reaches and activates a wider audience. How can we explain the difference between Free Software and services available at no cost (except them spying at you) best? Campaigning for software freedom is not easy. However, it is part of the Free Software Foundation Europe’s mission. The FSFE teamed up with Peng! Collective to learn how to run influential campaigns to promote the cause of Free Software. The Peng Collective is a Berlin based group of activists who are known for their successful and quite subversive campaigns for political causes. And Endocode? Endocode is a sponsor of the Free Software Foundation Europe. We are a sponsor because free software is essential to us, both as a company and as members of society. And so here we are.

Samsung debuts an Artik IoT cloud platform and IDE

At the Samsung Developer Conference in San Francisco last week, Samsung was all about the Internet of Things, and its Artik IoT modules got lots of love. Surprisingly, much of Samsung’s focus at its developer conference did not revolve around Tizen or SmartThings. Instead, the main focus was on its newly shipping Artik embedded modules, which ship with Fedora. There was some Tizen related news, however, including a new “Smart View” SDK for improving mobile connectivity with Tizen-based Smart TVs, as well as a promise to bring Knox security support to Tizen. There were also more details on the upcoming, 64-bit capable Tizen 3.0.

GNOME 3.20.2 stable tarballs due (responsible: fredp)

Hello all, Tarballs are due on 2016-05-09 before 23:59 UTC for the GNOME 3.20.2 stable release, which will be delivered on Wednesday. Modules which were proposed for inclusion should try to follow the unstable schedule so everyone can test them. Please make sure that your tarballs will be uploaded before Monday 23:59 UTC: tarballs uploaded later than that will probably be too late to get in 3.20.2. If you are not able to make a tarball before this deadline or if you think you'll be late, please send a mail to the release team and we'll find someone to roll the tarball for you!