
LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Announcing the KDE Advisory Board

Monday 26th of September 2016 09:21:30 PM
KDE e.V. introduces the KDE Advisory Board. "One of the core goals of the Advisory Board is to provide KDE with insights into the needs of the various organizations that surround us. We are very aware that we need the ability to combine our efforts for greater impact and the only way we can do that is by adopting a more diverse view from outside of our organization on topics that are relevant to us. This will allow all of us to benefit from one another's experience."

Security advisories for Monday

Monday 26th of September 2016 04:23:59 PM

Debian has updated imagemagick (code execution), libarchive (three vulnerabilities), openssl (regression in previous update), and unadf (two vulnerabilities).

Debian-LTS has updated dropbear (two vulnerabilities), dwarfutils (two vulnerabilities), mactelnet (code execution), openssl (multiple vulnerabilities), and policycoreutils (sandbox escape).

Fedora has updated bash (F24; F23: code execution) and firefox (F24; F23: multiple vulnerabilities).

Gentoo has updated bundler (installs malicious gem files) and qemu (multiple vulnerabilities).

Mageia has updated gdk-pixbuf2.0 (denial of service), golang (denial of service), libarchive (file overwrite), libtorrent-rasterbar (denial of service), php (multiple vulnerabilities), and wireshark (multiple vulnerabilities).

openSUSE has updated curl (Leap42.1: multiple vulnerabilities), flash-player (13.1: multiple vulnerabilities), gd (Leap42.1: multiple vulnerabilities), gtk2 (Leap42.1; 13.2: code execution), firefox, nss (Leap42.1, 13.2: multiple vulnerabilities), samba (Leap42.1: crypto downgrade), thunderbird (13.1: multiple vulnerabilities), tiff (13.1: multiple vulnerabilities), and wpa_supplicant (Leap42.1: multiple vulnerabilities).

Slackware has updated php (multiple vulnerabilities).

Ubuntu has updated openssl (regression in previous update).

OpenSSL security advisory for September 26

Monday 26th of September 2016 01:12:27 PM
This OpenSSL security advisory is notable in that it's the second one in four days; sites that updated after the first one may need to do so again. "This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016. Given the Critical severity of one of these flaws we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification."

Kernel prepatch 4.8-rc8

Monday 26th of September 2016 01:04:15 PM
The 4.8-rc8 kernel prepatch is out. "Things actually did start to calm down this week, but I didn't get the feeling that there was no point in doing one final rc, so here we are. I expect the final 4.8 release next weekend, unless something really unexpected comes up."

Prodromou: Adopt a pump.io server

Monday 26th of September 2016 08:27:59 AM

Evan Prodromou, creator of identi.ca and pump.io, has put a call out for interested parties to adopt the administration of public pump.io microblogging servers, which he is currently funding out of his own pocket. "Almost all of them are on $5/month Digital Ocean droplets, which makes them relatively cheap for a single person to support. If you decide you want to adopt a server, E14N will sell you the domain and all the software and data for $1. But you'll be obligated to keep the server running pump.io for at least a year, and if you decide you don't want to run it, you have to sell it back to me." There are currently around 25 servers in the federated network initially started by Prodromou, which does not count other pump.io instances. He notes that one important exception is the identi.ca site, which is significantly larger than the rest, and which he would like to find a trusted non-profit organization to maintain.

Stable kernel updates 4.7.5 and 4.4.22

Saturday 24th of September 2016 02:02:46 PM
The 4.7.5 and 4.4.22 stable kernel updates are available. These are relatively large updates containing the usual important fixes.

Mitchell: The MIT License, Line by Line

Friday 23rd of September 2016 04:11:19 PM

At his blog, Kyle E. Mitchell ("who is not your attorney") takes a close, line-by-line reading of the popular MIT software license. The details he points out begin on line one with the license's title: "'The MIT License' is not a single license, but a family of license forms derived from language prepared for releases from the Massachusetts Institute of Technology. It has seen a lot of changes over the years, both for the original projects that used it, and also as a model for other projects. The Fedora Project maintains a kind of cabinet of MIT license curiosities, with insipid variations preserved in plain text like anatomical specimens in formaldehyde, tracing a wayward kind of evolution."

Despite the license being only 171 words, Mitchell finds quite a bit to expand on, such as the ambiguities of the phrase "to deal in the Software without restriction": "As a result of this mishmash of legal, industry, general-intellectual-property, and general-use terms, it isn’t clear whether The MIT License includes a patent license. The general language 'deal in' and some of the example verbs, especially 'use', point toward a patent license, albeit a very unclear one. The fact that the license comes from the copyright holder, who may or may not have patent rights in inventions in the software, as well as most of the example verbs and the definition of 'the Software' itself, all point strongly toward a copyright license." Nevertheless, Mitchell notes, "despite some crusty verbiage and lawyerly affectation, one hundred and seventy one little words can get a hell of a lot of legal work done."

Friday's security updates

Friday 23rd of September 2016 01:55:01 PM

Debian has updated firefox-esr (multiple vulnerabilities).

Debian-LTS has updated wordpress (multiple vulnerabilities).

Fedora has updated distribution-gpg-keys (F23: privilege escalation), mock (F23: privilege escalation), openvas-libraries (F24; F23: multiple vulnerabilities), openvas-scanner (F24; F23: denial of service), and shiro (F24: access control bypass).

openSUSE has updated pdns (13.2, Leap 42.1: multiple vulnerabilities).

Oracle has updated kernel (4.1.12 O6; O7: multiple vulnerabilities; 3.8.13 O7; O6: multiple vulnerabilities; 2.6.39 O6; O5: multiple vulnerabilities).

Slackware has updated openssl (14.0, 14.1, 14.2, -current: multiple vulnerabilities) and pidgin (13.0, 13.1, 13.137, 14.0, 14.1: mysterious vulnerabilities).

Ubuntu has updated openssl (12.04, 14.04, 16.04: multiple vulnerabilities).

Garrett: Microsoft aren't forcing Lenovo to block free operating systems

Thursday 22nd of September 2016 08:03:35 PM
Matthew Garrett looks at the real problem behind the inability of some Lenovo laptops to run Linux. "The real problem here is that Intel do very little to ensure that free operating systems work well on their consumer hardware - we still have no information from Intel on how to configure systems to ensure good power management, we have no support for storage devices in 'RAID' mode and we have no indication that this is going to get better in future. If Intel had provided that support, this issue would never have occurred."

A pile of security updates for Thursday

Thursday 22nd of September 2016 07:17:15 PM
Arch Linux has updated firefox (multiple vulnerabilities), irssi (code execution), and tomcat7 (proxy injection).

CentOS has updated firefox (C5, C6, C7: multiple vulnerabilities).

Debian has updated wireshark (LTS: dissector vulnerabilities), irssi (denial of service), and openssl (multiple vulnerabilities).

Fedora has updated drupal7-google_analytics (F23, F24: cross-site scripting), drupal7-panels (F23, F24: multiple vulnerabilities), jasper (F23: multiple code-execution vulnerabilities), mod_cluster (F24: "remote exploits"), nodejs-string-dot-prototype-dot-repeat (F23: "update for security reasons"), php-horde-Horde-Mime-Viewer (F23, F24: cross-site scripting), php-horde-Horde-Text-Filter (F23, F24: cross-site scripting), and xen (F23: multiple vulnerabilities).

Mageia has updated chromium-browser-stable (29 CVEs), curl (code execution), file-roller (file deletion), flash-player-plugin (26 CVEs), icu (code execution), jsch (path traversal vulnerability), libksba (denial of service), nodejs (remote code execution), slock (lock bypass), and tomcat (traffic redirection).

openSUSE has updated opera (multiple vulnerabilities).

Oracle has updated firefox (OL5, OL6, OL7: multiple vulnerabilities).

Scientific Linux has updated firefox (SL5-7: multiple vulnerabilities).

Slackware has updated irssi (denial of service), pidgin (17 CVE numbers), and firefox (multiple vulnerabilities).

SUSE has updated java-1_7_1-ibm (SLES12: three CVEs described as "Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Deployment"), and java-1_6-0-ibm (SLES11: one unspecified vulnerability).

Ubuntu has updated firefox (multiple vulnerabilities), gdk-pixbuf (code execution), irssi (denial of service), and thunderbird (code execution).

Note that there appear to be differences of opinion as to whether the irssi vulnerability can be exploited for code execution.

[$] LWN.net Weekly Edition for September 22, 2016

Thursday 22nd of September 2016 01:18:35 AM
The LWN.net Weekly Edition for September 22, 2016 is available.

GNOME 3.22 released

Wednesday 21st of September 2016 06:36:39 PM
The GNOME Project has announced the release of GNOME 3.22, "Karlsruhe". "This release brings comprehensive Flatpak support. GNOME Software can install and update Flatpaks, GNOME Builder can create them, and the desktop provides portal implementations to enable sandboxed applications. Improvements to core GNOME applications include support for batch renaming in Files, sharing support in GNOME Photos, an updated look for GNOME Software, a redesigned keyboard settings panel, and many more."

[$] BBR congestion control

Wednesday 21st of September 2016 04:39:57 PM
Congestion-control algorithms are unglamorous bits of code that allow network protocols (usually TCP) to maximize the throughput of any given connection while simultaneously sharing the available bandwidth equitably with other users. New algorithms tend not to generate a great deal of excitement; the addition of TCP New Vegas during the 4.8 merge window drew little fanfare, for example. The BBR (Bottleneck Bandwidth and RTT) algorithm just released by Google, though, is attracting rather more attention; it moves away from the mechanisms traditionally used by these algorithms in an attempt to get better results in a network characterized by wireless links, meddling middleboxes, and bufferbloat.

Security advisories for Wednesday

Wednesday 21st of September 2016 03:36:21 PM

Arch Linux has updated curl (code execution), lib32-curl (code execution), and lib32-jansson (denial of service).

Debian has updated wireshark (multiple vulnerabilities).

Debian-LTS has updated unadf (two vulnerabilities).

Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities).

SUSE has updated mysql (SLE11-SP3,4: multiple unspecified vulnerabilities).

CouchDB 2.0 released

Wednesday 21st of September 2016 02:52:59 PM
The Apache CouchDB database project has announced its 2.0 release. New features include clustering support, a new query language, a new administrative interface, and more. "CouchDB 2.0 is 99% API compatible with the 1.x series and most applications should continue to just work."

The curious case of the switch statement (fuzzy notepad)

Wednesday 21st of September 2016 02:49:37 PM
The fuzzy notepad blog is carrying a post about the switch statement with just about everything one might want to know about its past, present, and possible future. "As we’ve seen, the switch statement has had basically the same form for 49 years. The special case labels are based on syntax derived directly from fixed-layout FORTRAN on punchcards in 1957, several months before my father was born. I hate it."

Catanzaro: GNOME 3.22 core apps

Wednesday 21st of September 2016 02:33:05 PM
Michael Catanzaro lays down the rules for which GNOME applications distributions should package if they want to claim to provide a "pure GNOME experience." "Selecting the right set of default applications is critical to achieving a quality user experience. Installing redundant or overly technical applications by default can leave users confused and frustrated with the distribution. Historically, distributions have selected wildly different sets of default applications. There’s nothing inherently wrong with this, but it’s clear that some distributions have done a much better job of this than others."

[$] The NTP pool system

Wednesday 21st of September 2016 01:59:37 AM
NTP, the Network Time Protocol, quietly and without much fuss performs the critical internet function of knowing the correct time. Using it, a computer with imperfect communications links may join a distributed community of servers, each of which is either directly attached to a reliable clock, or is trying to best synchronize its clock to one or more better-synchronized members of the community. The NTP pool system has arisen as a method of providing such a community to the internet; it works well, but is not without its challenges.

Garcia: WebKitGTK+ 2.14

Tuesday 20th of September 2016 07:05:47 PM
Carlos Garcia Campos takes a look at the latest stable release of WebKitGTK+. "[The threaded compositor] is the most important change introduced in WebKitGTK+ 2.14 and what kept us busy for most of this release cycle. The idea is simple, we still render everything in the web process, but the accelerated compositing (all the OpenGL calls) has been moved to a secondary thread, leaving the main thread free to run all other heavy tasks like layout, JavaScript, etc. The result is a smoother experience in general, since the main thread is no longer busy rendering frames, it can process the JavaScript faster improving the responsiveness significantly." This release is also considered feature complete in Wayland.

Security updates for Tuesday

Tuesday 20th of September 2016 04:09:57 PM

CentOS has updated kernel (C7: three vulnerabilities).

openSUSE has updated file-roller (Leap42.1, 13.2: file deletion), openssh (Leap42.1: two vulnerabilities), and php5 (13.2: multiple vulnerabilities).

Ubuntu has updated kernel (16.04: three vulnerabilities), kernel (14.04: two vulnerabilities), kernel (12.04: code execution), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-xenial (14.04: three vulnerabilities), linux-raspi2 (16.04: three vulnerabilities), linux-snapdragon (16.04: three vulnerabilities), linux-ti-omap4 (12.04: code execution), and tomcat6, tomcat7, tomcat8 (privilege escalation).

More in Tux Machines

OpenSUSE Leap 42.2 Beta2

Leap 42.2 Beta2 is looking pretty good, except for the problems with Plasma 5 and the nouveau driver. That’s really an upstream issue (a “kde.org” issue). I hope that is fixed in time for the final release. Otherwise, I may have to give up on KDE for that box.

Unimpressive Yakkety Yak, Plasma 5 Issues in Leap

Today was a rough day in Linux distro news. Scott Gilbertson reviewed the beta of the upcoming Ubuntu 16.10, saying there's not a whole lot to recommend in this update. Neil Rickert test drove openSUSE's latest beta and had issues with his NVIDIA. Jesse Smith couldn't tell what was added to Uruk over base Trisquel, and Gary Newell didn't see much point to portable Porteus since most stuff didn't work.

Also: Indicator Sound Switcher Makes Switching Audio Devices on Ubuntu a Snap

BeagleBone Black Wireless SBC taps Octavo SiP, has open design

BeagleBoard.org’s “BeagleBone Black Wireless” SBC uses Octavo’s OSD335x SiP module and replaces the standard BeagleBone Black’s Ethernet with 2.4GHz WiFi and BT 4.1 BLE. BeagleBone Black Wireless is the first SBC to incorporate the Octavo Systems OSD335x SiP (system-in-package) module, “which integrates BeagleBone functionality into one easy-to-use BGA package,” according to BeagleBoard.org. Announced on Sep. 26, the OSD3358 SiP integrates a TI Sitara AM3358 SoC along with a TI TPS65217C PMIC, TI TL5209 LDO (low-drop-out) regulator, up to 1GB of DDR3 RAM, and over 140 passive devices including resistors, capacitors, and inductors, within a single BGA package. The Linux-driven hacker SBC also adds a TI WiLink 8 WL1835MOD wireless module with 2.2 MIMO.

Also: Epiq Solutions' Sidekiq M.2 NAS-targeted Skylake Mini-ITX loads up on SATA, GbE, PCIe

Android Leftovers

  • 6 open source fitness apps for Android
    A key part of developing a good fitness routine is creating a solid workout plan and tracking your progress. Mobile apps can help by providing readily accessible programs specifically designed to support the user's fitness goals. In a world of fitness wearable devices like FitBit, there are plenty of proprietary apps designed to work with those specific devices. These apps certainly provide a lot of detailed tracking information, but they are not open source, and as such, do not necessarily respect the user's privacy and freedom to use their own data as they wish. The alternative is to use open source fitness apps. Below, I take a look at six open source fitness apps for Android. Most of them do not provide super detailed collection of health data, but they do provide a focused user experience, giving the user the tools to support their workouts or develop a plan and track their progress. All these apps are available from the F-Droid repository and are all licensed under the GPLv3, providing an experience that respects the user's freedom.
  • Roku Express, Roku Premiere, and Roku Ultra announced, starting at $29.99
    Roku Inc, maker of the popular Roku line of home media players, has just refreshed their entire product lineup at once. The existing lineup of flagship Roku boxes (but not the Roku Streaming Stick) has been replaced by three new products (with upgraded models for each): the Roku Express, the Roku Premiere, and the Roku Ultra.
  • This is what the Chromecast Ultra will look like
    Google is ramping up for their major October 4th event. In addition to seeing the Pixel and the Pixel XL formally unveiled, we’re also expecting a new Chromebook and the Chromecast Ultra. Until today, we had no idea what to really expect from the new Chromecast device in terms of design, but now we’re finally getting a sneak peek.
  • Android + Chrome = Andromeda; merged OS reportedly coming to the Pixel 3
    It has been almost a year since The Wall Street Journal dropped a bomb of a scoop on the Android community, saying Chrome OS would be "folded into" Android. The resulting product would reportedly bring Android to laptops and desktops. According to the paper, the internal effort to merge these two OSes had been underway for "roughly two years" (now three years) with a release planned for 2017 and an "early version" to show things off in 2016. It seems like we're still on that schedule, and now Android Police claims to have details on the new operating system—and its first launch device—coming Q3 2017.