Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 1 hour 13 min ago

[$] LWN.net Weekly Edition for February 22, 2018

Thursday 22nd of February 2018 03:12:41 AM
The LWN.net Weekly Edition for February 22, 2018 is available.

[$] New tricks for XFS

Wednesday 21st of February 2018 11:48:35 PM

The XFS filesystem has been in the kernel for fifteen years and was used in production on IRIX systems for five years before that. But it might just be time to teach that "old dog" of a filesystem some new tricks, Dave Chinner said, at the beginning of his linux.conf.au 2018 presentation. There are a number of features that XFS lacks when compared to more modern filesystems, such as snapshots and subvolumes; but he has been thinking—and writing code—on a path to get them into XFS.

[$] An overview of Project Atomic

Wednesday 21st of February 2018 10:38:50 PM

Terms like "cloud-native" and "web scale" are often used and understood as pointless buzzwords. Under the layers of marketing, though, cloud systems do work best with a new and different way of thinking about system administration. Much of the tool set used for cloud operations is free software, and Linux is the platform of choice for almost all cloud applications. While just about any distribution can be made to work, there are several projects working to create a ground-up system specifically for cloud hosts. One of the best known of these is Project Atomic from Red Hat and the Fedora Project.

[$] Licenses and contracts

Wednesday 21st of February 2018 06:36:02 PM

Some days it seems that wherever two or more free-software enthusiasts gather together, there also shall be licensing discussions. One such, which can get quite heated, is the question of whether a given free-software license is a license, or whether it is really a contract. This distinction is important, because most legal systems treat the two differently. I know from personal experience that that discussion can go on, unresolved, for long periods, but it had not previously occurred to me to wonder whether this might be due to the answer being different in different jurisdictions. Fortunately, it has occurred to some lawyers to wonder just that, and three of them came together at FOSDEM 2018 to present their conclusions.

Subscribers can read on for a report on the talk by guest author Tom Yates.

[$] Open-source trusted computing for IoT

Wednesday 21st of February 2018 05:23:30 PM

At this year's FOSDEM in Brussels, Jan Tobias Mühlberg gave a talk on the latest work on Sancus, a project that was originally presented at the USENIX Security Symposium in 2013. The project is a fully open-source hardware platform to support "trusted computing" and other security functionality. It is designed to be used for internet of things (IoT) devices, automotive applications, critical infrastructure, and other embedded devices where trusted code is expected to be run.

Security updates for Wednesday

Wednesday 21st of February 2018 03:43:19 PM
Security updates have been issued by Arch Linux (libmspack), Debian (zziplib), Fedora (ca-certificates, firefox, freetype, golang, krb5, libreoffice, monit, patch, plasma-workspace, ruby, sox, tomcat, and zziplib), openSUSE (dovecot22, glibc, GraphicsMagick, libXcursor, mbedtls, p7zip, SDL_image, SDL2_image, sox, and transfig), Red Hat (chromium-browser), and Ubuntu (cups, libvirt, and qemu).

Hovmöller: Moving a large and old codebase to Python3

Wednesday 21st of February 2018 01:03:35 AM
Anders Hovmöller has posted an account of migrating a large application to Python 3. There were multiple steps on the journey and plenty of lessons learned. "Our philosophy was always to go py2 -> py2/py3 -> py3 because we just could not realistically do a big bang in production, an intuition that was proven right in surprising ways. This meant that 2to3 was a non starter which I think is probably common. We tried a while to use 2to3 to detect Python 3 compatibility issues but quickly found that untenable too. Basically it suggests changes that will break your code in Python 2. No good. The conclusion was to use six, which is a library to make it easy to build a codebase that is valid in both in Python 2 and 3."

Security updates for Tuesday

Tuesday 20th of February 2018 04:10:07 PM
Security updates have been issued by Debian (libav), Gentoo (chromium, firefox, libreoffice, mysql, and ruby), SUSE (kernel), and Ubuntu (bind9).

[$] BPF comes to firewalls

Monday 19th of February 2018 11:17:40 PM
The Linux kernel currently supports two separate network packet-filtering mechanisms: iptables and nftables. For the last few years, it has been generally assumed that nftables would eventually replace the older iptables implementation; few people expected that the kernel developers would, instead, add a third packet filter. But that would appear to be what is happening with the newly announced bpfilter mechanism. Bpfilter may eventually replace both iptables and nftables, but there are a lot of questions that will need to be answered first.

Security updates for Monday

Monday 19th of February 2018 04:03:07 PM
Security updates have been issued by Arch Linux (irssi), Debian (bind9, gcc-4.9, plasma-workspace, quagga, and tomcat-native), Fedora (p7zip), Mageia (nasm), openSUSE (exim, ffmpeg, irssi, mpv, qpdf, quagga, rrdtool, and rubygem-puppet), and SUSE (p7zip and xen).

SuiteCRM 7.10 released

Monday 19th of February 2018 02:25:41 PM
SuiteCRM is a fork of the formerly open-source SugarCRM customer relationship management system. The 7.10 release has been announced. "SuiteCRM 7.10 includes a long list of enhancements, improving user experience, adding new functionality and providing a new REST API. This edition of SuiteCRM also assists companies to be ready for GDPR, including opt-in functionality to track the consent of individuals."

Kernel prepatch 4.16-rc2

Monday 19th of February 2018 04:04:38 AM
The second 4.16 kernel prepatch is out. "Go out and test, it all looks fine."

Some weekend stable kernel updates

Sunday 18th of February 2018 09:15:44 PM
The 4.15.4, 4.14.20, 4.9.82, 4.4.116, and 3.18.95 stable kernel updates have all been released. These kernels contain a relatively large set of important fixes and updates.

[$] The boot-constraint subsystem

Friday 16th of February 2018 06:57:02 PM
The fifth version of the patch series adding the boot-constraint subsystem is under review on the linux-kernel mailing list. The purpose of this subsystem is to honor the constraints put on devices by the bootloader before those devices are handed over to the operating system (OS) — Linux in our case. If these constraints are violated, devices may fail to work properly once the kernel starts reconfiguring the hardware; by tracking and enforcing those constraints, instead, we can ensure that hardware continues to work properly until the kernel is fully operational.

Security updates for Friday

Friday 16th of February 2018 03:37:13 PM
Security updates have been issued by Debian (quagga), Mageia (freetype2, kernel-linus, and kernel-tmb), openSUSE (chromium, GraphicsMagick, mupdf, openssl-steam, and xen), Slackware (irssi), SUSE (glibc and quagga), and Ubuntu (quagga).

[$] Dynamic function tracing events

Thursday 15th of February 2018 11:12:11 PM
For as long as the kernel has included tracepoints, developers have argued over whether those tracepoints are part of the kernel's ABI. Tracepoint changes have had to be reverted in the past because they broke existing user-space programs that had come to depend on them; meanwhile, fears of setting internal code in stone have made it difficult to add tracepoints to a number of kernel subsystems. Now, a new tracing functionality is being proposed as a way to circumvent all of those problems.

FOSS Project Spotlight: LinuxBoot (Linux Journal)

Thursday 15th of February 2018 08:49:57 PM
Linux Journal takes a look at the newly announced LinuxBoot project. LWN covered a related talk back in November. "Modern firmware generally consists of two main parts: hardware initialization (early stages) and OS loading (late stages). These parts may be divided further depending on the implementation, but the overall flow is similar across boot firmware. The late stages have gained many capabilities over the years and often have an environment with drivers, utilities, a shell, a graphical menu (sometimes with 3D animations) and much more. Runtime components may remain resident and active after firmware exits. Firmware, which used to fit in an 8 KiB ROM, now contains an OS used to boot another OS and doesn't always stop running after the OS boots. LinuxBoot replaces the late stages with a Linux kernel and initramfs, which are used to load and execute the next stage, whatever it may be and wherever it may come from. The Linux kernel included in LinuxBoot is called the 'boot kernel' to distinguish it from the 'target kernel' that is to be booted and may be something other than Linux."

Security updates for Thursday

Thursday 15th of February 2018 03:24:41 PM
Security updates have been issued by Debian (jackson-databind, leptonlib, libvorbis, python-crypto, and xen), Fedora (apache-commons-email, ca-certificates, libreoffice, libxml2, mujs, p7zip, python-django, sox, and torbrowser-launcher), openSUSE (libreoffice), SUSE (libreoffice), and Ubuntu (advancecomp, erlang, and freetype).

[$] LWN.net Weekly Edition for February 15, 2018

Thursday 15th of February 2018 12:34:37 AM
The LWN.net Weekly Edition for February 15, 2018 is available.

[$] DIY biology

Wednesday 14th of February 2018 09:52:23 PM

A scientist with a rather unusual name, Meow-Ludo Meow-Meow, gave a talk at linux.conf.au 2018 about the current trends in "do it yourself" (DIY) biology or "biohacking". He is perhaps most famous for being prosecuted for implanting an Opal card RFID chip into his hand; the Opal card is used for public transportation fares in Sydney. He gave more details about his implant as well as describing some other biohacking projects in an engaging presentation.

More in Tux Machines

NuTyX 10.1-rc1 Available

I'm very please to propose you the first release candidate version of the next version 10.1 stable version of NuTyX As they have been so many security issues, I took the chance to recompile all the collections (1701 packages) for this coming next stable NuTyX version. Read more

Android Leftovers

Events: FOSDEM Samba Talks, USENIX Enigma, LCA (linux.conf.au) and FAST18

  • Authentication and authorization in Samba 4
    Volker Lendecke is one of the first contributors to Samba, having submitted his first patches in 1994. In addition to developing other important file-sharing tools, he's heavily involved in development of the winbind service, which is implemented in winbindd. Although the core Active Directory (AD) domain controller (DC) code was written by his colleague Stefan Metzmacher, winbind is a crucial component of Samba's AD functionality. In his information-packed talk at FOSDEM 2018, Lendecke said he aimed to give a high-level overview of what AD and Samba authentication is, and in particular the communication pathways and trust relationships between the parts of Samba that authenticate a Samba user in an AD environment.
  • Two FOSDEM talks on Samba 4
    Much as some of us would love never to have to deal with Windows, it exists. It wants to authenticate its users and share resources like files and printers over the network. Although many enterprises use Microsoft tools to do this, there is a free alternative, in the form of Samba. While Samba 3 has been happily providing authentication along with file and print sharing to Windows clients for many years, the Microsoft world has been slowly moving toward Active Directory (AD). Meanwhile, Samba 4, which adds a free reimplementation of AD on Linux, has been increasingly ready for deployment. Three short talks at FOSDEM 2018 provided three different views of Samba 4, also known as Samba-AD, and left behind a pretty clear picture that Samba 4 is truly ready for use. I will cover the first two talks in this article, and the third in a later one.
  • A report from the Enigma conference
    The 2018 USENIX Enigma conference was held for the third time in January. Among many interesting talks, three presentations dealing with human security behaviors stood out. This article covers the key messages of these talks, namely the finding that humans are social in their security behaviors: their decision to adopt a good security practice is hardly ever an isolated decision. Security conferences tend to be dominated by security researchers demonstrating their latest exploits. The talks are attack-oriented, they keep a narrow focus, and usually they close with a dark outlook. The security industry has been doing security conferences like this for twenty years and seems to prefer this format. Yet, if you are tired of this style, the annual USENIX Enigma conference is a welcome change of pace. Most of the talks are defense-oriented, they have a horizon going far beyond technology alone, and they are generally focused on successful solutions.
  • DIY biology
    A scientist with a rather unusual name, Meow-Ludo Meow-Meow, gave a talk at linux.conf.au 2018 about the current trends in "do it yourself" (DIY) biology or "biohacking". He is perhaps most famous for being prosecuted for implanting an Opal card RFID chip into his hand; the Opal card is used for public transportation fares in Sydney. He gave more details about his implant as well as describing some other biohacking projects in an engaging presentation. Meow-Meow is a politician with the Australian Science Party, he said by way of introduction; he has run in the last two elections. He founded BioFoundry, which is "Australia's first open-access molecular biology lab"; there are now two such labs in the country. He is also speaks frequently as "an emerging technology evangelist" for biology as well as other topics.
  • Notes from FAST18

    I attended the technical sessions of Usenix's File And Storage Technology conference this week. Below the fold, notes on the papers that caught my attention.

Security: Vista10 and uTorrent Holes Found by Google

  • Google drops new Edge zero-day as Microsoft misses 90-day deadline

    Google originally shared details of the flaw with Microsoft on 17 November 2017, but Microsoft wasn’t able to come up with a patch within Google’s non-negotiable “you have 90 days to do this” period.

  • Google Goes Public with Another Major Windows 10 Bug
    After revealing an Edge browser vulnerability that Microsoft failed to fix, Google is now back with another disclosure, this time aimed at Windows 10 Fall Creators Update (version 1709), but potentially affecting other Windows versions as well. James Forshaw, a security researcher that’s part of Google’s Project Zero program, says the elevation of privilege vulnerability can be exploited because of the way the operating system handles calls to Advanced Local Procedure Call (ALPC). This means a standard user could obtain administrator privileges on a Windows 10 computer, which in the case of an attack, could eventually lead to full control over the impacted system. But as Neowin noted, this is the second bug discovered in the same function, and both of them, labeled as 1427 and 1428, were reported to Microsoft on November 10, 2017. Microsoft said it fixed them with the release of the February 2018 Patch Tuesday updates, yet as it turns out, only issue 1427 was addressed.
  • uTorrent bugs let websites control your computer and steal your downloads

    The vulnerabilities, according to Project Zero, make it possible for any website a user visits to control key functions in both the uTorrent desktop app for Windows and in uTorrent Web, an alternative to desktop BitTorrent apps that uses a web interface and is controlled by a browser. The biggest threat is posed by malicious sites that could exploit the flaw to download malicious code into the Windows startup folder, where it will be automatically run the next time the computer boots up. Any site a user visits can also access downloaded files and browse download histories.

  • BitTorrent Client uTorrent Suffers Security Vulnerability (Updated)

    BitTorrent client uTorrent is suffering from an as yet undisclosed vulnerability. The security flaw was discovered by Google security researcher Tavis Ormandy, who previously said he would reveal a series of "remote code execution flaws" in torrent clients. BitTorrent Inc. has rolled out a 'patch' in the latest Beta release and hopes to fix the stable uTorrent client later this week.