
LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 3 hours 16 min ago

SPI board election results are available

4 hours 50 min ago

Software in the Public Interest (SPI) has completed its 2016 board elections. There were two open seats on the board in addition to four board members whose terms were expiring. The six newly elected members of the board are Luca Filipozzi, Joerg Jaspert, Jimmy Kaplowitz, Andrew Tridgell, Valerie Young, and Martin Zobel-Helas. The full results, including voter statistics, are also available.

Friday's security updates

13 hours 47 min ago

Debian-LTS has updated cakephp (denial of service) and perl (multiple vulnerabilities).

Fedora has updated drupal7-views (F24; F23: access bypass), golang (F24; F23: denial of service), java-1.8.0-openjdk (F24; F23: multiple vulnerabilities), php-guzzlehttp-guzzle (F24; F23: proxy injection), and php-guzzlehttp-guzzle6 (F24; F23: proxy injection).

Slackware has updated libidn (3.0, 13.1, 13.37, 14.0, 14.1, 14.2: multiple vulnerabilities).

SUSE has updated libarchive (SLE 12: multiple vulnerabilities).

Ingebrigtsen: The End of Gmane?

Thursday 28th of July 2016 03:54:00 PM
On his blog, Gmane creator and maintainer Lars Magne Ingebrigtsen warns that the email-to-news (and web) gateway may be disappearing soon. The site, which is hosted by his employer, has been under a distributed denial of service (DDoS) attack for the last few weeks, but there are other problems as well. "And now the DDoS stuff, which I have no idea why is happening, but I can only assume that somebody is angry about something. Probably me being a wise ass. So… it’s been 14 years… I’m old now. I almost threw up earlier tonight because I’m so stressed about the situation. I should retire and read comic books and watch films. Oh, and the day job. Work, work, work. Oh, and Gnus. I’m thinking about ending Gmane, at least as a web site. Perhaps continue running the SMTP-to-NNTP bridge? Perhaps not? I don’t want to make 20-30K mailing lists start having bouncing addresses, but I could just funnel all incoming mail to /dev/null, I guess…" The site, which has been relied on by many (including LWN) since it started in 2002, is down now and it appears to be unclear when (or if) it will be back.

Security advisories for Thursday

Thursday 28th of July 2016 03:45:21 PM

Debian has updated xen (multiple vulnerabilities, one from 2015).

Debian-LTS has updated tardiff (two vulnerabilities from 2015).

Fedora has updated httpd (F23: HTTP redirect), libarchive (F24: code execution), and libvirt (F23: authentication bypass).

openSUSE has updated dropbear (42.1, 13.2: multiple vulnerabilities), go (13.2: HTTP request smuggling flaws from 2015), karchive (42.1, 13.2: code execution), mbedtls (42.1: three vulnerabilities), python (42.1, 13.2: three vulnerabilities), and tiff (13.2: multiple vulnerabilities).

Oracle has updated java-1.7.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities).

Scientific Linux has updated java-1.7.0-openjdk (multiple vulnerabilities).

[$] LWN.net Weekly Edition for July 28, 2016

Thursday 28th of July 2016 12:26:20 AM
The LWN.net Weekly Edition for July 28, 2016 is available.

[$] One-time passwords and GnuPG with Nitrokey

Wednesday 27th of July 2016 09:24:36 PM

A few years ago, the hardware vendor Yubico made a bit of a splash when it introduced its YubiKey line of inexpensive hardware security tokens powered by open-source software. With its most recent product release, however, Yubico has dropped open source and started deploying only proprietary software in its devices. Consequently, many community members have started looking for a viable replacement that will adhere to open-source principles. At present, one of the leading contenders for Yubico's departed customers is Nitrokey, which manufactures a line of hardware tokens capable of generating one-time passwords (OTPs), storing and using OpenPGP keys, and several other features. The devices made by Nitrokey run open-source software and are open hardware as well.

Stable kernel updates

Wednesday 27th of July 2016 08:18:41 PM
Greg Kroah-Hartman has released stable kernels 4.6.5, 4.4.16, and 3.14.74. All of them contain important fixes.

A statement from the Tor project

Wednesday 27th of July 2016 05:10:16 PM
Shari Steele has posted a statement from the Tor project on the results of an investigation into the allegations of harassment (and worse) within Tor and how the project will respond. "I am pleased, therefore, to announce that both the Tor Project and the Tor community are taking active steps to strengthen our ability to handle problems of unprofessional behavior. Specifically, the Tor Project has created an anti-harassment policy, a conflicts of interest policy, procedures for submitting complaints, and an internal complaint review process. They were recently approved by Tor’s board of directors, and they will be rolled out internally this week."

Security advisories for Wednesday

Wednesday 27th of July 2016 04:14:50 PM

CentOS has updated java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities), samba (C7: crypto downgrade), and samba4 (C6: crypto downgrade).

Debian has updated libgd2 (denial of service), mariadb-10.0 (multiple vulnerabilities), and php5 (multiple vulnerabilities).

Debian-LTS has updated libgd2 (denial of service).

Mageia has updated apache (HTTP redirect), harfbuzz (multiple vulnerabilities), libgd (three vulnerabilities), libidn (multiple vulnerabilities), libupnp (unauthenticated access), libxml2 (multiple vulnerabilities), mariadb (multiple vulnerabilities), mupdf (denial of service), php/xmlrpc-epi/timezone (multiple vulnerabilities), sudo (race condition), tomcat/apache-commons-fileupload (denial of service), and virtualbox (allows local users to affect availability).

Red Hat has updated java-1.7.0-openjdk (RHEL5,6,7: multiple vulnerabilities) and kernel (RHEL6.7: privilege escalation).

Scientific Linux has updated samba (SL7: crypto downgrade) and samba4 (SL6: crypto downgrade).

Ubuntu has updated kde4libs (15.10, 14.04, 16.04: command execution) and openjdk-8 (16.04: multiple vulnerabilities).

Sitter: Snappy sprint reporty musing

Tuesday 26th of July 2016 06:18:44 PM
Harald Sitter reports on a discussion at a recent sprint focused on making Snap packaging useful for KDE. "Shipping things users can use on Linux has been a pain in the rear since forever and these bundles are meant to change that. As such we as KDE should have a strong interest and presence in this field in the hopes of shaping a future that is useful to us. After all, we are one of the biggest source distributors, and the primary reason we don't also offer generic binary packages of our applications is because this never scaled and was altogether terrible to pull off from a KDE point of view." He and Scarlett Clark are working on some high-level mass automation of snap building on top of KDE Neon's existing deb binaries. (Thanks to Jos van den Oever)

Tuesday's security updates

Tuesday 26th of July 2016 04:39:50 PM

Debian has updated ntp (multiple vulnerabilities).

Debian-LTS has updated cacti (three vulnerabilities), dietlibc (insecure default PATH), gosa (code injection), ntp (multiple vulnerabilities), squid (cache poisoning), and uclibc (three vulnerabilities).

Oracle has updated samba (OL7: crypto downgrade) and samba4 (OL6: crypto downgrade).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), samba (RHEL7: crypto downgrade), and samba4 (RHEL6: crypto downgrade).

OpenVZ 7.0 released

Monday 25th of July 2016 10:38:37 PM
OpenVZ 7.0 has been released. The new release focuses on merging the OpenVZ and Virtuozzo source codebases and replacing its hypervisor with KVM. There are many other improvements and new features in container management and more.

The newest version of OpenBSD closes potential security loopholes (InfoWorld)

Monday 25th of July 2016 08:11:14 PM
InfoWorld takes a look at the upcoming OpenBSD 6.0 release. "Most significant among the latest security-related changes for OpenBSD is the removal of Linux emulation support. Prior versions of OpenBSD made it possible to run Linux applications by way of a compatibility layer, but the release notes for OpenBSD 6.0 indicate the Linux subsystem was removed as a 'security improvement.'"

Security advisories for Monday

Monday 25th of July 2016 04:43:00 PM

Arch Linux has updated chromium (multiple vulnerabilities), python-django (cross-site scripting), and python2-django (cross-site scripting).

Debian has updated openssh (user enumeration via timing side-channel), perl (two vulnerabilities), and phpmyadmin (multiple vulnerabilities).

Debian-LTS has updated squid3 (denial of service).

Fedora has updated ca-certificates (F24: certificate update), gd (F24: multiple vulnerabilities), httpd (F24: HTTP redirect), kf5-karchive (F24; F23: command execution, over a hundred related KDE Frameworks packages were included in this update), libgcrypt (F24: key leak), libidn (F24: multiple vulnerabilities), libvirt (F24: authentication bypass), and mingw-gnutls (F24: certificate verification vulnerability).

openSUSE has updated Chromium (SPH for SLE12; Leap42.1; 13.2: multiple vulnerabilities) and gnugk (Leap42.1, 13.2: denial of service).

Red Hat has updated mariadb55-mariadb (RHSCL: many vulnerabilities) and mysql55-mysql (RHSCL: many vulnerabilities).

Slackware has updated bind (denial of service).

The 4.7 kernel is out

Sunday 24th of July 2016 10:12:46 PM
Linus has returned from his travels and released the 4.7 kernel. The most significant changes in this release include the tracing histograms feature, in-kernel tracing analysis via the ability to attach BPF programs to tracepoints, the LoadPin security module, better out-of-memory detection, faster filesystem operations with parallel pathname lookups, the schedutil CPU frequency governor, and more. See the KernelNewbies 4.7 page for lots of details.

Clasen: Using modern gettext

Friday 22nd of July 2016 10:33:52 PM

At his blog, Matthias Clasen explores the recent enhancements to the classic GNU gettext utility. Thanks in large part to new maintainer Daiki Ueno, gettext now understands many more file formats—thus enabling developers to easily extract strings from a wide variety of source files for translation. In addition to programming languages, Clasen notes, gettext understands .desktop files, GSettings schemas, GtkBuilder ui files, and Appdata files. "If you don’t want to wait for your favorite format to come with built-in its support, you can also include its files with your application; gettext will look for such files in $XDG_DATA_DIRS/gettext/its/."

Friday's security updates

Friday 22nd of July 2016 03:23:13 PM

Arch Linux has updated drupal (proxy injection).

Debian has updated mysql-5.5 (multiple vulnerabilities) and squid3 (multiple vulnerabilities).

Debian-LTS has updated python-django (cross-site scripting).

openSUSE has updated p7zip (13.1: code execution).

Slackware has updated gimp (14.0, 14.1, 14.2: code execution) and php (14.0, 14.1, 14.2: multiple vulnerabilities).

Ubuntu has updated mysql-5.5, mysql-5.6, mysql-5.7 (12.04, 14.04, 15.10, 16.04: multiple vulnerabilities).

EFF Lawsuit Takes on DMCA Section 1201: Research and Technology Restrictions Violate the First Amendment

Thursday 21st of July 2016 07:37:03 PM
The Electronic Frontier Foundation (EFF) has announced that it is suing the US government over provisions in the Digital Millennium Copyright Act (DMCA). The suit has been filed on behalf of Andrew "bunnie" Huang, who has a blog post describing the reasons behind the suit. The EFF also explained why these DMCA provisions should be ruled unconstitutional: "These provisions—contained in Section 1201 of the DMCA—make it unlawful for people to get around the software that restricts access to lawfully-purchased copyrighted material, such as films, songs, and the computer code that controls vehicles, devices, and appliances. This ban applies even where people want to make noninfringing fair uses of the materials they are accessing. Ostensibly enacted to fight music and movie piracy, Section 1201 has long served to restrict people’s ability to access, use, and even speak out about copyrighted materials—including the software that is increasingly embedded in everyday things. The law imposes a legal cloud over our rights to tinker with or repair the devices we own, to convert videos so that they can play on multiple platforms, remix a video, or conduct independent security research that would reveal dangerous security flaws in our computers, cars, and medical devices. It criminalizes the creation of tools to let people access and use those materials."

Security updates for Thursday

Thursday 21st of July 2016 02:02:30 PM

Arch Linux has updated bind (denial of service).

CentOS has updated java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).

Debian-LTS has updated libarchive (multiple vulnerabilities, most from 2015).

Fedora has updated openssh (F24: user enumeration via timing side-channel) and p7zip (F24: two code execution flaws).

openSUSE has updated dhcp (42.1: denial of service).

Oracle has updated java-1.8.0-openjdk (OL7; OL6: multiple vulnerabilities).

Red Hat has updated java-1.6.0-sun (multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), java-1.8.0-oracle (RHEL6&7: multiple vulnerabilities), and openstack-neutron (RHOSP8; RHOSP7: three vulnerabilities, one from 2015).

Scientific Linux has updated java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).

SUSE has updated obs-service-source_validator (SLE12: code execution).

[$] LWN.net Weekly Edition for July 21, 2016

Thursday 21st of July 2016 12:02:59 AM
The LWN.net Weekly Edition for July 21, 2016 is available.
