About Tux Machines

Friday, 24 Feb 17 - Tux Machines is a community-driven public service/news site which has been around for over a decade and primarily focuses on GNU/Linux.

Quick Roundup

Leftovers: OSS

Filed under
OSS

today's howtos

Filed under
HowTos

Security Leftovers

Filed under
Security
  • Java and Python FTP attacks can punch holes through firewalls

    The Java and Python runtimes fail to properly validate FTP URLs, which can potentially allow attackers to punch holes through firewalls to access local networks.

    On Saturday, security researcher Alexander Klink disclosed an interesting attack where exploiting an XXE (XML External Entity) vulnerability in a Java application can be used to send emails.

  • Microsoft: no plans to patch known bugs before March [Ed: Microsoft is keeping open 'back doors' that are publicly known about, not just secret ones]

    Microsoft has no plans to issue updates for two vulnerabilities, one a zero-day and the other being one publicised by Google, before the scheduled date for its next round of updates rolls around in March.

    The company did not issue any updates in February, even though it had been scheduled to switch to a new system from this month onwards.

    It gave no reason for this, apart from saying: "This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today.

    "After considering all options, we made the decision to delay this month’s updates. We apologise for any inconvenience caused by this change to the existing plan."

    The Google-disclosed bug was made public last week, and is said to be a flaw in the Windows graphic device interface library that can be exploited both locally and remotely to read the contents of a user's memory.

  • Microsoft issues critical security patches, but leaves zero-day flaws at risk

    Microsoft has patched "critical" security vulnerabilities in its browsers, but has left at least two zero-day flaws with public exploit code.

    The software giant released numerous patches late on Tuesday to fix flaws in Adobe Flash for customers using Internet Explorer on Windows 8.1 and later, as well as Edge for Windows 10.

Red Hat News

Filed under
Red Hat
  • Why upstream contributions matter when developing open source NFV solutions.

    When software is developed using open source methods, an upstream repository of the code is accessible to all members of the project. Members contribute to the code, test it, write documentation and can create a solution from that code to use or distribute under license. If an organization follows the main stream or branch of the upstream code their solution will receive all the changes and updates created in the upstream repository. Those changes simply “flow down” to the member’s solution. However, if a member organization forks the code — if they create a solution that strays from the main stream — their solution no longer receives updates, fixes and changes from the upstream repository. This organization is now solely responsible for maintaining their solution without the benefit of the upstream community, much like the baby salmon that took a tributary and then have to fend for themselves rather than remain in the main stream and receive the benefit and guidance of the other salmon making their way to the ocean.

  • HPE and Red Hat Join Forces to Give Customers Greater Choice for NFV Deployments

    Hewlett Packard Enterprise (NYSE: HPE) and Red Hat, Inc. (NYSE: RHT) announced today they are working together to accelerate the deployment of network functions virtualization (NFV) solutions based on fully open, production-ready, standards-based infrastructures. HPE plans to offer ready-to-use, pre-integrated HPE NFV System solutions and HPE Validated Configurations incorporating Red Hat OpenStack Platform and Red Hat Ceph Storage for communications service providers (CSPs).

  • Red Hat Joins the OpenPower Foundation

    As part of our commitment to delivering open technologies across many computing architectures, Red Hat has joined the OpenPOWER Foundation, an open development community based on the POWER microprocessor architecture, at the Platinum level. While we already do build and support open technologies for the POWER architecture, the OpenPOWER Foundation is committed to an open, community-driven technology-creation process – something that we feel is critical to the continued growth of open collaboration around POWER.

  • Buy, Sell or Hold? Analysts Approach: HCA Holdings, Inc. (HCA), Red Hat, Inc. (RHT)?

Linux and FOSS Events

Filed under
OSS

Kernel Space/Linux

Filed under
Linux

Development News

Filed under
Development
KDE
  • Best practices for guiding new coders

    As the new year progresses, many free and open source projects are turning their attention to various formalized mentoring programs, such as Mozilla's Winter of Security, Outreachy, and (the program with my favorite name) the X.Org Endless Vacation of Code. Patterned after the success of Google's Summer of Code, these programs give many new programmers a chance to gain firsthand experience working within successful FLOSS (Free/Libre Open Source Software) projects and the projects themselves access to fresh talent.

  • Developing an nrf51822 based embedded device with Qt Creator and Debian

    I'm currently developing an nRF51822-based embedded device. Being one of the Qt/Qt Creator maintainers in Debian I would of course try to use it for the development. Turns out it works pretty good... with some caveats.

  • How to create a look and feel theme
  • Qt Roadmap for 2017

    With Qt 5.7 and 5.8 released we have a completely new baseline for Qt 5 based applications and devices. In this blog, I want to provide a roadmap update on what we are currently working on in the Qt R&D and what the future directions are.

  • Qt's Roadmap For 2017: Graphics, An Exciting Qt 5.9/5.10

    Tuukka Turunen of The Qt Company has shared some of the project's goals for the 2017 calendar year in delivering Qt 5.9 and Qt 5.10 along with more point releases.

    Qt developers hope to make 2017 exciting by shipping Qt 5.9 in May and their hope is to ship Qt 5.10 this November.

  • Intend to retire perl-Log-Any-Adapter-Dispatch

Leftovers: Software

Filed under
Software
  • Tips for tpp and patat

    You might be surprised to learn that there are programs for running presentations in a terminal.

    No, I don't mean opening PowerPoint or Impress slides one after the other, as images in a frame-buffered console. I mean presenting slides coded for the terminal, in a terminal.

  • Introduction to LaTeXila - a multi-language LaTeX editor for Linux

    LaTeXila is a multi-language LaTeX editor for Linux users who prefer the GTK+ looks. The software is simple, easy to use, adequately powerful and customizable, so if you’re interested in LaTeX you should give this tool a try. In the following quick guide, I will showcase how to get started with LaTeXila and what its main features are. But first...

  • Nautilus 3.24 to Bring Desktop Support for Wayland Sessions, Easy Root Browsing

    The GNOME 3.24 desktop environment is coming in only one month from today, on March 22, and it will bring with it a lot of new features for many of its core components and applications, including the Nautilus (Files) file manager.

    GNOME developer Carlos Soriano is sharing with us today the upcoming features of Nautilus 3.24, as well as all the improvements and bug fixes that landed so far, and what didn't make it in the release, which will be available for all users as part of the GNOME 3.24 Stack.

Wine Staging Release 2.2

Filed under
Software
  • [Wine Staging] Release 2.2

    Since the last release, we tested various games with the CSMT (command stream multithreading) feature enabled to identify remaining bugs and possible ways to improve performance. As a result, this release includes various speed optimizations, especially for DX10/11 games. Some functions, for example updating subresources, which previously required synchronization with the command stream thread, can now be done asynchronously. There might still be differences compared to Wine Staging 2.0, since some of the speed improvements from the original CSMT patchset contained bugs and have not been fixed / added back yet.

  • Wine-Staging 2.2 released with CSMT speed optimizations

    The Wine team has put out another Wine-Staging release based on Wine 2.2, this new development release has some CSMT speed optimizations.

    For those that don't know what CSMT is, it stands for "Commandstream multithreading" which should give you better performance in Wine.

  • Wine-Staging 2.2 Offers CSMT Speed Optimizations

    Wine-Staging 2.2 is now available as the latest version of Wine that carries various testing/experimental patches re-based atop the latest Wine bi-weekly development snapshot.

Virtual Reality on GNU/Linux

Filed under
GNU
Linux
Gaming
  • Destinations & Dota VR Hub are now available on Linux

    Valve have already put up Linux versions of both Destinations and The Dota VR Hub now that SteamVR is supported on Linux in beta.

  • Valve debuts developer build of SteamVR for Linux

    Heads up, Linux fans who are maybe also VR developers (or vice versa): The folks at Valve Software have today released a very much still-in-development version of SteamVR that runs on Linux.

  • Valve launches SteamVR support for Linux

    Valve has been giving Steam users Linux love since 2012, and it's not stopping with VR. The company just launched SteamVR for Linux, letting developers create Linux content for the HTC Vive VR headset, trackers and other hardware. The program is in beta, meaning developers must use an NVIDIA developer beta driver that's built on "Vulkan," the successor to OpenGL. You're limited to "direct" mode, meaning you can only display images on the headset and not a desktop display at the same time.

  • Valve Finally Brings SteamVR To Linux As A Developer Release

    It was over four months ago now that Valve showed SteamVR running in Linux for the first time. Today, it’s finally launching the platform on the operating system, albeit in a limited form.

    SteamVR comes to Linux as a development release, meaning it’s intended for content creators to start working on apps for the open-source OS, and not for regular Linux users to access. To that end, users must have opted into the public Beta for Steam or SteamVR to access it along with obtaining pre-release drivers. On Nvidia cards that means the 375.27.10 “Developer Beta Driver”, while AMD users will need a pre-release version of the radv driver. You’ll also need Unity 5.6 to actually create content through Linux.

Android Leftovers

Filed under
Android

LG Watch Sport review: Not the watch Android Wear needs right now

Filed under
Android
Reviews

The LG Watch Sport just looks and feels like a “gadget” and not a “watch.” It harkens back to the days of those old Microsoft Spot watches (remember those?). Instead of reaching as broad a market as possible with the first full-featured Android Wear 2.0 watch, LG and Google have given us something with almost impossibly narrow appeal. This watch is almost exclusively for large-wristed athletic types whose fashion sense leans toward calculator watches. I found myself wanting to put it on just before I left for the gym, and itching to take it off the moment I got home.

Android Wear 2.0 deserves a better showcase watch than this. With any luck, another manufacturer will step in with a more universally acceptable design that at least supports Android Pay and has a heart-rate monitor.

Red Hat and Fedora

Filed under
Red Hat

Red Hat:

Fedora:

  • F25-20170221 Updated ISOs available!!

    It is with great pleasure to announce that the Community run respin team has yet another Updated ISO round. This round carries the 4.9.10-200 kernel along with over 780 MB of updates (avg, some Desktop Environments more, some less) since the Gold release.

  • F25-20170221 Updated Lives Released

    I am happy to announce new F25-20170221 Updated Lives.

  • Our Bootloader Problem

    GRUB, it is time we broke up. It’s not you, it’s me. Okay, it’s you. The last 15+ years have some great (read: painful) memories. But it is time to call it quits.

    Red Hat Linux (not RHEL) deprecated LILO for version 9 (PDF; hat tip: Spot). This means that Fedora has used GRUB as its bootloader since the very first release: Fedora Core 1.

    GRUB was designed for a world where bootloaders had to locate a Linux kernel on a filesystem. This meant it needed support for all the filesystems anyone might conceivably use. It was also built for a world where dual-booting meant having a bootloader implemented menu to choose between operating systems.

Android Leftovers

Filed under
Android

Google's Upspin Debuts

Filed under
Google
OSS
  • Another option for file sharing

    Existing mechanisms for file sharing are so fragmented that people waste time on multi-step copying and repackaging. With the new project Upspin, we aim to improve the situation by providing a global name space to name all your files. Given an Upspin name, a file can be shared securely, copied efficiently without "download" and "upload", and accessed by anyone with permission from anywhere with a network connection.

  • Google Developing "Upspin" Framework For Naming/Sharing Files

    Google today announced an experimental project called Upspin that's aiming for next-generation file-sharing in a secure manner.

  • Google releases open source file sharing project 'Upspin' on GitHub

    Believe it or not, in 2017, file-sharing between individuals is not a particularly easy affair. Quite frankly, I had a better experience more than a decade ago sending things to friends and family using AOL Instant Messenger. Nowadays, everything is so fragmented, that it can be hard to share.

    Today, Google unveils yet another way to share files. Called "Upspin," the open source project aims to make sharing easier for home users. With that said, the project does not seem particularly easy to set up or maintain. For example, it uses Unix-like directories and email addresses for permissions. While it may make sense to Google engineers, I am dubious that it will ever be widely used.

  • Google devs try to create new global namespace

    Wouldn't it be nice if there was a universal and consistent way to give names to files stored on the Internet, so they were easy to find? A universal resource locator, if you like?

    The problem is that URLs have been clunkified, so Upspin, an experimental project from some Google engineers, offers an easier model: identifying files to users and paths, and letting the creator set access privileges.

RPi-friendly home automation kit adds voice recognition support

Filed under
GNU
Linux

Following its successful Kickstarter campaign for a standalone Matrix home automation and surveillance hub, and subsequent release of an FPGA-driven Matrix Creator daughter board for use with the Raspberry Pi, Matrix Labs today launched a “Matrix Voice” board on Indiegogo. The baseline board, currently available at early-bird pricing of $45, has an array of 7 microphones surrounding a ring of 18 software-controlled RGBW LEDs. A slightly pricier model includes an MCU-controlled WiFi/Bluetooth ESP32 wireless module.

The Year Of Linux On Everything But The Desktop

Filed under
GNU
Linux
Microsoft

The War on Linux goes back to Bill Gates, then CEO of Microsoft, in an “open letter to hobbyists” published in a newsletter in 1976. Even though Linux wouldn’t be born until 1991, Gates’ burgeoning software company – itself years away from releasing its first operating system – already felt the threat of open source software. We know Gates today as a kindly billionaire who’s joining us in the fight against everything from disease to income inequality, but there was a time when Gates was the bad guy of the computing world.

Microsoft released its Windows operating system in 1985. At the time, its main competition was Apple and Unix-like systems. BSD was the dominant open source Unix clone then – it marks its 40th birthday this year, in fact – and Microsoft fired barrages of legal challenges to BSD just like it eventually would against Linux. Meanwhile Apple sued Microsoft over its interface, in the infamous “Look and Feel” lawsuit, and Microsoft’s reign would forever be challenged. Eventually Microsoft would be tried in both the US and the UK for antitrust, which is a government regulation against corporate monopolies. Even though it lost both suits, Microsoft simply paid the fine out of its bottomless pockets and kept right at it.

Digital audio and video editing in GNU/Linux

Filed under
GNU
Linux
Software
Movies
  • Linux Digital Audio Workstation Roundup

    In the world of home studio recording, the digital audio workstation is one of the most important tools of the trade. Digital audio workstations are used to record audio and MIDI data into patterns or tracks. This information is then typically mixed down into songs or albums. In the Linux ecosystem, there is no shortage of Digital audio workstations to choose from. Whether you wish to create minimalist techno or full orchestral pieces, chances are there is an application that has you covered.

    In this article, we will take a brief look into several of these applications and discuss their strengths and weaknesses. I will try to provide a fair evaluation of the DAWs presented here but at the end of the day, I urge you to try a few of these applications and to form an opinion of your own.

  • Shotcut Video Editor Available As A Snap Package [Quick Update]

    Shotcut is a free, open source Qt5 video editor developed on the MLT Multimedia Framework (it's developed by the same author as MLT), available for Linux, Windows and Mac. Under the hood, Shotcut uses FFmpeg, so it supports many audio, video and image formats, along with screen, webcam and audio capture.

    The application doesn't require importing files, thanks to its native timeline editing. Other features worth mentioning are multitrack timeline with thumbnails and waveforms, 4k resolution support, video effects, as well as a flexible UI with dockable panels.

  • Simple Screen Recorder Is Now Available as a Snap App

    Simple Screen Recorder, a popular screen recording app for Linux desktops, is now available to install as a Snap app from the Ubuntu Store.

Kernel News: Linux 4.10 in SparkyLinux, Wayland 1.13.0, and Weston 2.0 RC2

Filed under
Graphics/Benchmarks
Linux
  • Linux Kernel 4.10 Lands in SparkyLinux's Unstable Repo, Here's How to Install It

    The trend of offering users the most recent Linux kernel release continues today with SparkyLinux, an open-source, Debian-based distribution that always ships with the latest GNU/Linux technologies and software versions.

    SparkyLinux appears to be the third distro to offer its users the ability to install the recently released Linux 4.10 kernel, after Linux Lite and Ubuntu, as the developers announced earlier that the Linux kernel 4.10 packages are now available from the unstable repository.

  • Wayland 1.13.0 Display Server Officially Released, Wayland 1.14 Lands in June

    Bryce Harrington, a Senior Open Source Developer at Samsung, announced today the release and general availability of the Wayland 1.13.0 for GNU/Linux distributions that already adopted the next-generation display server.

    Wayland 1.13.0 has entered development in the first days of the year, but the first Alpha build arrived at the end of January, along with the Alpha version of the Weston 2.0 compositor, including most of the new features that are present in this final release that you'll be able to install on your Linux-based operating systems in the coming days.

  • Weston 2.0 RC2 Wayland Compositor Arrives With Last Minute Fixes

    While Wayland 1.13 was released today, Bryce Harrington today opted against releasing the Weston 2.0 reference compositor and instead issue a second release candidate.

    Weston 2.0 is the next version of this "playground" for Wayland compositor technologies since the new output configuration API had broken the ABI, necessitating a break from the same versioning as Wayland.

  • [ANNOUNCE] weston 1.99.94

More in Tux Machines

Leftovers: BSD

Security Leftovers

  • Stop using SHA1 encryption: It’s now completely unsafe, Google proves
    Security researchers have achieved the first real-world collision attack against the SHA-1 hash function, producing two different PDF files with the same SHA-1 signature. This shows that the algorithm's use for security-sensitive functions should be discontinued as soon as possible. SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005. The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016, although some exemptions have been made. However, despite these efforts to phase out the use of SHA-1 in some areas, the algorithm is still fairly widely used to validate credit card transactions, electronic documents, email PGP/GPG signatures, open-source software repositories, backups and software updates.
  • on pgp
    First and foremost I have to pay respect to PGP, it was an important weapon in the first cryptowar. It has helped many whistleblowers and dissidents. It is software with quite interesting history, if all the cryptograms could tell... PGP is also deeply misunderstood, it is a highly successful political tool. It was essential in getting crypto out to the people. In my view PGP is not dead, it's just old and misunderstood and needs to be retired in honor. However the world has changed from the internet happy times of the '90s, from a passive adversary to many active ones - with cheap commercially available malware as turn-key-solutions, intrusive apps, malware, NSLs, gag orders, etc.
  • Cloudflare’s Cloudbleed is the worst privacy leak in recent Internet history
    Cloudflare revealed today that, for months, all of its protected websites were potentially leaking private information across the Internet. Specifically, Cloudflare’s reverse proxies were dumping uninitialized memory; that is to say, bleeding private data. The issue, termed Cloudbleed by some (but not its discoverer Tavis Ormandy of Google Project Zero), is the greatest privacy leak of 2017 and the year has just started. For months, since 2016-09-22 by their own admission, CloudFlare has been leaking private information through Cloudbleed. Basically, random data from random sites (again, it’s worth mentioning that every site that used CloudFlare in the last half year should be considered to have fallen victim to this) would be randomly distributed across the open Internet, and then indefinitely cached along the way.
  • Serious Cloudflare bug exposed a potpourri of secret customer data
    Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers today that a recently fixed software bug exposed a range of sensitive information that could have included passwords and cookies and tokens used to authenticate users. A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was from February 13 and February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, hackers had the ability to access the data in real-time by making Web requests to affected websites and to access some of the leaked data later by crafting queries on search engines. "The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. "We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."

Security Leftovers

  • Change all the passwords (again)
    Looks like it is time to change all the passwords again. There’s a tiny little flaw in a CDN used … everywhere, it seems.
  • Today's leading causes of DDoS attacks [Ed: The so-called 'Internet of things' (crappy devices with identical passwords) is a mess; programmers to blame, not Linux]
    Of the most recent mega 100Gbps attacks in the last quarter, most of them were directly attributed to the Mirai botnet. The Mirai botnet works by exploiting the weak security on many Internet of Things (IoT) devices. The program finds its victims by constantly scanning the internet for IoT devices, which use factory default or hard-coded usernames and passwords.
  • How to Set Up An SSL Certificate on Your Website [via "Steps To Secure Your Website With An SSL Certificate"]
  • SHA-1 is dead, long live SHA-1!
    Unless you’ve been living under a rock, you heard that some researchers managed to create a SHA-1 collision. The short story as to why this matters is the whole purpose of a hashing algorithm is to make it impossible to generate collisions on purpose. Unfortunately though impossible things are usually also impossible so in reality we just make sure it’s really really hard to generate a collision. Thanks to Moore’s Law, hard things don’t stay hard forever. This is why MD5 had to go live on a farm out in the country, and we’re not allowed to see it anymore … because it’s having too much fun. SHA-1 will get to join it soon.
  • SHA1 collision via ASCII art
    Happy SHA1 collision day everybody! If you extract the differences between the good.pdf and bad.pdf attached to the paper, you'll find it all comes down to a small ~128 byte chunk of random-looking binary data that varies between the files.
  • PayThink Knowledge is power in fighting new Android attack bot
    Android users and apps have become a major part of payments and financial services, carrying an increased risk for web crime. It is estimated that there are 107.7 million Android Smartphone users in the U.S. who have downloaded more than 65 million apps from the Google App Store, and each one of them represents a smorgasbord of opportunity for hackers to steal user credentials and other information.
  • Red Hat: 'use after free' vulnerability found in Linux kernel's DCCP protocol IPV6 implementation
    Red Hat Product Security has published details of an "important" security vulnerability in the Linux kernel. The IPv6 implementation of the DCCP protocol means that it is possible for a local, unprivileged user to alter kernel memory and escalate their privileges. Known as the "use-after-free" flaw, CVE-2017-6074 affects a number of Red Hat products including Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 and Red Hat Openshift Online v2. Mitigating factors include the requirement for a potential attacker to have access to a local account on a machine, and for IPV6 to be enabled, but it is still something that will be of concern to Linux users. Describing the vulnerability, Red Hat says: "This flaw allows an attacker with an account on the local system to potentially elevate privileges. This class of flaw is commonly referred to as UAF (Use After Free.) Flaws of this nature are generally exploited by exercising a code path that accesses memory via a pointer that no longer references an in use allocation due to an earlier free() operation. In this specific issue, the flaw exists in the DCCP networking code and can be reached by a malicious actor with sufficient access to initiate a DCCP network connection on any local interface. Successful exploitation may result in crashing of the host kernel, potential execution of code in the context of the host kernel or other escalation of privilege by modifying kernel memory structures."

Android Leftovers