• WordPress 4.8.2 Security and Maintenance Release

  WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

• Attack on CCleaner Highlights the Importance of Securing Downloads and Maintaining User Trust

  Some of the most worrying kinds of attacks are ones that exploit users’ trust in the systems and softwares they use every day. Yesterday, Cisco’s Talos security team uncovered just that kind of attack in the computer cleanup software CCleaner. Download servers at Avast, the company that owns CCleaner, had been compromised to distribute malware inside CCleaner 5.33 updates for at least a month. Avast estimates that over 2 million users downloaded the affected update. Even worse, CCleaner’s popularity with journalists and human rights activists means that particularly vulnerable users are almost certainly among that number. Avast has advised CCleaner Windows users to update their software immediately.

  This is often called a “supply chain” attack, referring to all the steps software takes to get from its developers to its users. As more and more users get better at bread-and-butter personal security like enabling two-factor authentication and detecting phishing, malicious hackers are forced to stop targeting users and move “up” the supply chain to the companies and developers that make software. This means that developers need to get in the practice of “distrusting” their own infrastructure to ensure safer software releases with reproducible builds, allowing third parties to double-check whether released binary and source packages correspond. The goal should be to secure internal development and release infrastructure to that point that no hijacking, even from a malicious actor inside the company, can slip through unnoticed.

• Apache bug leaks contents of server memory for all to see—Patch now

  There's a bug in the widely used Apache Web Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, a freelance journalist has disclosed.

  The vulnerability can be triggered by querying a server with what's known as an OPTIONS request. Like the better-known GET and POST requests, OPTIONS is a type of HTTP method that allows users to determine which HTTP requests are supported by the server. Normally, a server will respond with GET, POST, OPTIONS, and any other supported methods. Under certain conditions, however, responses from Apache Web Server include the data stored in computer memory. Patches are available here and here.

• The Pirate Bay Takes Heat for Testing Monero Mining

  Cryptocurrencies usually are mined with CPU power initially, she told LinuxInsider. Users then find ways to speed up the hashing before going to GPU. They build specialized hardware and field programmable gate array (FPGA) chips to carry out the hashing function in order to mine much faster.

  [...]

  The notion that The Pirate Bay effectively would borrow resources from its own users is not the problem, suggested Jessica Groopman, principal analyst at Tractica.

• Ubuntu Server Development Summary – 19 Sep 2017

• Ubuntu Weekly Newsletter 519

  Welcome to the Ubuntu Weekly Newsletter. This is issue #519 for the weeks of September 5 – 18, 2017, and the full version is available here.

• Ubuntu Desktop default application survey results

  Canonical has released the results of its default applications survey for the 18.04 long-term support release of Ubuntu.

  The results of the previous survey – for Ubuntu 17.10, dubbed Artful Aardvark – yielded great suggestions, many of which have made their way into the beta version of the operating system.

  For Ubuntu 18.04, over 15,000 responses were processed by the Ubuntu Desktop team.

  “The team is now hard at work evaluating many of the suggested applications,” said Canonical.

• Linux Mint 18.3 “Sylvia” Information Released

  Linux Mint Project Leader Clement Lefebvre, otherwise known as “Clem” released a blog post on Sept. 18, giving some information about the upcoming release of Linux Mint 18.3, dubbed “Sylvia.”

  In his blog post Lefebvre gave some ideas to some of the pieces of software and changes that will be coming, such as the inclusion of the popular system restoration tool Timeshift.

  For those of you who haven’t used Timeshift, it’s an application that creates snapshots of your system, and then restores them later, similar to Windows System Restore, or Mac OS’s Time Machine.

Now that GNOME 3.26 is released, available in Ubuntu artful, and final GNOME Shell UI is confirmed, it’s time to adapt our default user experience to it. Let’s discuss how we worked with dash to dock upstream on the transparency feature. For more background on our current transition to GNOME Shell in artful, you can refer back to our decisions regarding our default session experience as discussed in my blog post.

• iPhone 8, iPhone X vs Android flagships: Speed tests say it's not even close

• Here are the features Google Assistant might be getting soon

• Creating an Android 8.0 Oreo app: Implementing Notification Channels

• Here's how to bring the iPhone X's worst feature to your Android phone

• Android 8.0 update: When will my phone get Oreo?

• How Does This Foreign Android Phone Stack Up In America?

• What Android's notification snoozing needs next

• New Mobile Banking Trojan Can Infect Millions of Android Users

Octavo’s OSD335x-SM is a 40 percent smaller version of its AM335x-based OSD335x SiP that adds a 4KB EEPROM. There’s also a compact, open-spec dev board.

Last year, Octavo Systems added a new twist to BeagleBone development when it released its 27 x 27mm OSD335x System-In-Package (SiP) module. The OSD335x, which went on to form the basis of the BeagleBone Black Wireless and BeagleBone Blue SBCs, packs a Texas Instruments Sitara AM335x SoC and nearly all the functions of a BeagleBone Black SBC into a BGA module. Octavo has now followed up with a 40 percent smaller OSD335x-SM variant that measures 21 x 21mm (441 sq. mm).

• Black screen of death after Win10 update? Microsoft blames HP

  Microsoft is pointing the finger of blame at HP's factory image for black screens of death appearing after a Windows Update.

  Scores of PC owners took to the HP forums last week to report that Windows 10 updates released September 12 were slowing down the login process. Users stated that once they downloaded the updates and entered their username and password, they only saw black screens for about five to 10 minutes.

  The forum members said that clean installs or disabling a service called "app readiness", which "gets apps ready for use the first time a user signs in to this PC and when adding new apps" seemed to fix the delay.

  Today, a Microsoft spokesperson told The Register: "We're working to resolve this as soon as possible" and referred affected customers to a new support post.

• GNOME 3.26 Released! Check Out the New Features

  GNOME 3.26 is the latest version of GNOME 3 released six months after the last stable release GNOME 3.24. The release, code-named “Manchester”, is the 33rd stable release of the free, open-source desktop.

• Arch Arch and away! What's with the Arch warriors?

  If you choose to begin your Linux adventures with Arch Linux after trying Ubuntu for a month, you're probably doing it wrong. If there's a solid reason why you think Arch is for you; awesome! Do it. You will learn new things. A lot of new things. But hey, what's the point in learning what arch-chroot does if you can't figure out what sudo is or what wpa_supplicant does?

• Setting a primary monitor for launching games in a dual monitor rig

• AMD Zen Temperature Monitoring On Linux Is Working With Hwmon-Next

  If you want CPU temperature monitoring to work under Linux for your Ryzen / Threadripper / EPYC processor(s), it's working on hwmon-next.

  The temperature monitoring support didn't make it for Linux 4.14 but being published earlier this month were finally patches for Zen temperature monitoring by extending the k10temp Linux driver.

• Fanless Skylake computer offers four PCI and PCIe slots

  Adlink’s MVP-6010 and MVP-6020 embedded computers run Linux or Windows on Intel 6th Gen CPUs, and offer 4x PCI/PCIe slots, 6x USB ports, and 4x COM ports.

  If Adlink’s new MVP-6010/6020 Series looks familiar, that’s because it’s a modified version of the recent MVP-5000 and last year’s MVP-6000 industrial PCs. The top half appears to be identical, with the same ports, layout, and Intel 6th Gen Core “Skylake” TE series processors. Like the MVP-6000, it adds a PCI and PCIe expansion unit on the bottom, but whereas the MVP-6000 had two slots, the MVP-6010 and MVP-6020 have four.

• How Qi wireless charging works, and why it hasn’t taken over yet

  Qi has been an Android staple for a while, and now it’s coming to iPhones, too.

• W3C DRM appeal fails, votes kept secret

  Earlier this summer, the World Wide Web Consortium (W3C) — the organization responsible for defining the standards that make up the Web — decided to embrace DRM (aka "EME") as a web standard. I wasn’t happy about this. I don’t know many who were.

  Shortly after that, the W3C agreed to talk with me about the issue. During that discussion, I encouraged the W3C to increase their level of transparency going forward — and if there is an appeal of their DRM decision, to make that process completely open and visible to the public (including how individual members of the W3C vote on the issue).

  The appeal happened and has officially ended. I immediately reached out to the W3C to gather some details. What I found out was highly concerning. I’ll include the most interesting bits below, as un-edited as possible.

• Red Hat, DataTaag to discuss open source tech and digital transformation

  Red Hat, a provider of open source solutions along with Data TAAG Technologies is set to host a workshop focused on digital transformation.

  The event will be held on 20th September at the Palazzo Versace, Dubai.

  According to both companies, the event will look into best practices and innovations on how organisations today can optimise open source technologies in their digital transformation journey.

• Evaluating Total Cost of Ownership of the Identity Management Solution

  One of the main questions people ask when they hear about the IdM solution is: Is Identity Management in Red Hat Enterprise Linux free? It is. Identity Management in Red Hat Enterprise Linux is a component of the platform and not a separately licensable product. What does this mean? This means that you can install IdM on any Red Hat Enterprise Linux server system with a valid subscription and get support from Red Hat.

• Robeco Institutional Asset Management B.V. Raises Position in Red Hat, Inc. (NYSE:RHT)

• Red Hat (RHT): Expecting Momentum To Continue - Stifel

• Share Activity Lifted for Red Hat Inc (RHT) in Session

• Red Hat Inc (RHT), and Dollar Tree Inc (DLTR) Seeing Increased Action in Session

• Banks are turning to open source for blockchain, says Google engineer

  Banks have historically developed all software in-house and maintained a fierce secrecy around their code, but more recently they’ve embraced open-source. They’re likely to use open source for one of the most hotly tipped technologies out there – blockchain.

• Innersource: How to leverage open source in the enterprise

  Companies of varying sizes across many industries are implementing innersource programs to drive greater levels of development collaboration and reuse. They ultimately seek to increase innovation; reduce time to market; grow, retain, and attract talent; and of course, delight their customers.

  In this article, I'll introduce innersource and some of its key facets and examine some of the problems that it can help solve. I'll also discuss some components of an innersource program, including metrics.

• Reflection on trip to Kiel

  On Sunday, I flew home from my trip to Kiel, Germany. I was there for the Kieler Open Source und LinuxTage, September 15 and 16. It was a great conference! I wanted to share a few details while they are still fresh in my mind:

  I gave a plenary keynote presentation about FreeDOS! I'll admit I was a little concerned that people wouldn't find "DOS" an interesting topic in 2017, but everyone was really engaged. I got a lot of questions—so many that we had to wrap up before I could answer all the questions.

• A quick tour of MySQL 8.0 roles

  This year at the Percona Live Open Source Database Conference in Dublin, I'll be discussing a new feature introduced in MySQL 8.0: roles. This is a new security and administrative feature that allows database administrators to simplify user management and increases the security of multi-user environments.

  In database administration, users are granted privileges to access schemas, tables, or columns, depending on the business needs. When many different users require authorization for different sets of privileges, administrators have to repeat the process of granting privileges several times. This is both tedious and error-prone. Using roles, administrators can define sets of privileges for a user category, and then the user authorization becomes a single statement operation.

  Roles have been on the MySQL community's wish list for a long time. I remember several third-party solutions that tried to implement roles as a hack on top of the existing privileges granting system. I created my own solution many years ago when I had to administer a large set of users with different levels of access. Since then, anytime a new project promised to ease the roles problem, I gave it a try. None of them truly delivered a secure solution, until now.

• MyDiamo Expands Open Source Database Encryption Offerings to Include PostgreSQL

• Clang-Refactor Tool Lands In Clang Codebase

  The clang-refactor tool is now living within the LLVM Clang SVN/Git codebase.

• Ostriv, a city-builder set in the 18th century will have Linux support

  Ostriv [Official Site] is a city-builder built by one developer and I think it looks reasonably impressive. The developer plans Linux support too.

• The Humble Very Positive Bundle 2 is an awesome deal

• Back to Bed, an interesting and slightly weird puzzle game is currently free on Steam

• Blowing everyone up in EVERSPACE, my thoughts

  After a long wait, EVERSPACE [Steam] arrived for Linux recently, here’s my thoughts of this rather intense space shooter. I personally purchased my copy, as space combat games are one of my original loves.

• Homestuck adventure game HIVESWAP: Act 1 releases without promised Linux support

  Looks like another possible Kickstarter disappointment. The game Hiveswap: Act 1, by Homestuck creator Andrew Hussie, set a fundraising record back in 2012, making a whopping $2 million when it only asked for $750k. Linux support was one of the early stretch goals, which was smashed on the very first day. The game was set to release in 2014.

  Over the following years the game saw setbacks, mostly due to the team contracted to work on the 3D graphics going off to work on King's Quest instead and leaving Hussie in the lurch. So he retooled, made a strategic alliance with Viz comics, and made a 2D adventure game instead. The game released today on Humble and Steam — with no Linux support.

• Inocybe Technologies Continues to Grow with Additional Open Source Networking Expert Hires

• Nonprofit Launches Open-Source Take on Email Marketing [Ed: openwashing spam]

• Announcing immediate support for .NET Core for Linux

• Microsoft shows VMware and Oracle how to get real about open source [Ed: Mac Asay again. Second Microsoft openwashing piece in a week. He also pursued a job at Microsoft.]

• After Equifax Breach, Companies Advised to Review Open-Source Software Code [Ed: Microsoft-connected FUD proxy Black Duck is attacking FOSS again]

• News in brief: Linux advice for Equifax; fired over phish; Security.txt standard proposed

Canonical released today new kernel updates for all of its supported Ubuntu Linux releases, patching recently discovered security vulnerabilities, including the infamous BlueBorne that exposes billions of Bluetooth devices.

The BlueBorne vulnerability (CVE-2017-1000251) appears to affect all supported Ubuntu versions, including Ubuntu 17.04 (Zesty Zapus), Ubuntu 16.04 LTS (Xenial Xerus) up to 16.04.3, Ubuntu 14.04 LTS (Trusty Tahr) up to 14.04.5, and Ubuntu 12.04 LTS (Precise Pangolin) up to 12.04.5.

• Security updates for Tuesday

• The 2017 Linux Security Summit

  The past Thursday and Friday was the 2017 Linux Security Summit, and once again I think it was a great success. A round of thanks to James Morris for leading the effort, the program committee for selecting a solid set of talks (we saw a big increase in submissions this year), the presenters, the attendees, the Linux Foundation, and our sponsor - thank you all!

  Unfortunately we don't have recordings of the talks, but I've included my notes on each of the presentations below. I've also included links to the slides, but not all of the slides were available at the time of writing; check the LSS 2017 slide archive for updates.

• Key Considerations for Software Updates for Embedded Linux and IoT

  The Mirai botnet attack that enslaved poorly secured connected embedded devices is yet another tangible example of the importance of security before bringing your embedded devices online. A new strain of Mirai has caused network outages to about a million Deutsche Telekom customers due to poorly secured routers. Many of these embedded devices run a variant of embedded Linux; typically, the distribution size is around 16MB today.

  Unfortunately, the Linux kernel, although very widely used, is far from immune to critical security vulnerabilities as well. In fact, in a presentation at Linux Security Summit 2016, Kees Cook highlighted two examples of critical security vulnerabilities in the Linux kernel: one being present in kernel versions from 2.6.1 all the way to 3.15, the other from 3.4 to 3.14. He also showed that a myriad of high severity vulnerabilities are continuously being found and addressed—more than 30 in his data set.

• APNIC-sponsored proposal could vastly improve DNS resilience against DDoS

• Deploy Pod, Replication Controller and Service in Kubernetes 1.7 on CentOS 7

• How to Install and Configure VNC Server in CentOS 7

• How To Auto Logout Inactive Users After A Period Of Time In Linux

• How To Install And Setup Utangle Firewall

• Two Easy Ways To Install Bing Desktop Wallpaper Changer On Linux

• CentOS 7 Server Hardening Guide

• Using Redir to Alter Network Traffic: Part 1

• How to Setup Automatic Security Updates on CentOS 7

• 3 Ways to Change a Users Default Shell in Linux

• Writing LaTeX well in Vim

Linux Lite 3.6 is a good distribution, you just have to put your hands in the engine, but the assistance offered by Linux Lite helps us to set the system as well as possible. The XFCE desktop installed by default adds ease-of-use to this distribution, and the dashboard and main menu layout help the user from another operating system quickly find its brands

• Gigabyte X399 AORUS Gaming 7 Works As A Linux-Friendly Threadripper Motherboard

  For the past few weeks that I have been testing the AMD Threadripper 1950X on Linux, I have been using the Gigabyte X399 AORUS Gaming 7 motherboard. Overall, it's been a pleasant experience and is running fine under Linux. Here's a quick summary.

• Phoronix Test Suite 7.4 Officially Released

  Phoronix Test Suite 7.4.0-Tynset has been officially released as the newest quarterly feature update to our cross-platform, open-source automated benchmarking software.

• Plasma Mobile in Randa(aaaaaaaa)

  Last week I had a chance to attend the Randa meetings 2017, my plan was to work on the Plasma Mobile during the sprint, improve the state of current images.

• Progress On KDE Plasma Mobile From Randa 2017

  KDE contributor Bhushan Shah has shared some highlights of Plasma Mobile progress made from this year's Randa Meetings in Switzerland.

  At this annual KDE developer event in the Swiss mountains, some of the Plasma Mobile advancements worked on or reviewed included:

  - Plasma Mobile images are now being assembled by the KDE Neon build system rather than the Plasma Mobile CI.

• Calligra Suite does not suit me

  It pains me to say so, but the split from KOffice to Calligra has given this program only a temporary infusion of hope, and looking back at my 2013 trial, it's not made any progress since. On the contrary. Calligra Suite is slow, difficult to use, and it comes with less than ideal file format support. My conclusion here is much the same regarding different Linux software, be it distros or desktop environments. 90% of it just shouldn't exist, and the effort must be focused on just one or two select programs with the highest quality and chance of making it big. The infinite forking doesn't do anyone any good.

  Calligra Suite has the potential, but it's far, far from realizing it, and the world of Plasma has left it behind. The interface split is bad, too much equity is taken by a confusing maze of options, the performance is dreadful, the stability flaky, and the rest does not scale or compare against LibreOffice, let alone Microsoft Office. I wish my findings were different, but it cannot be. Ah well. Like so many other flowers of the open-source world, this one must wilt. I'll keep an eye, but I doubt there is ever going to be enough focus or love to make Calligra into a serious competitor. Dedoimedo's sad prose out.

• Plasma 5.11 beta available in unofficial PPA for testing on Artful

  Adventurous users and developers running the Artful development release can now also test the beta version of Plasma 5.11. This is experimental and can possibly kill kittens!

• Kubuntu: Writing Japanese (Kanji, Hiragana, Katakana) Easily

  On Kubuntu system, we can write Japanese easily using Fcitx-Mozc tool! This awesome tool eases you with word-suggestions popup on-the-fly, with ability to switch between Kanji-Hiragana-Katakana-ASCII as simple as one click. It's very well integrated to the whole screens inside KDE Plasma desktop, enables you to write Japanese in Firefox browser, LibreOffice, Kate text editor, and even Konsole terminal.

• AnsibleFest SF 2017

  AnsibleFest was amazing, it always is. This has been my Third one and it's always one that I look forward to attending. The Ansible Events Team does an absolutely stellar job of putting things together and I'm extremely happy I was not only able to attend but that I was accepted as a speaker.

• The eye-opening power of cultural difference

  Inclusivity is the quality of an open organization that allows and encourages people to join the organization and feel a connection to it. Practices aimed at enhancing inclusivity are typically those that welcome new participants to the organization and create an environment that makes them want to stay.

  When we talk about inclusivity, we should clarify something: Being "inclusive" is not the same as being "diverse." Diversity is a product of inclusivity; you need to create an inclusive community in order to become a diverse one, not the other way around. The degree to which your open organization is inclusive determines how it adapts to, responds to, and embraces diversity in order to improve itself. Interestingly enough, the best way to know which organizational changes will make your group more inclusive is to interact with the people you want to join your community.

• Red Hat (RHT) PT Raised to $120 at Barclays Into Q2 Print

• Barclays Holds To Rating And Raises Price Target On Red Hat, Inc. (RHT)

• Red Hat, Inc. (NYSE:RHT) Volatility in Focus

• Share Activity Lifted for Red Hat Inc (RHT) in Session

• Red Hat Formally Rolls Out Pipewire For Being The "Video Equivalent of PulseAudio"

  Red Hat has quietly been working on PipeWire for years that is like the "video equivalent of PulseAudio" while now it's ready to make its initial debut in Fedora 27 and the project now has an official website.

  Pipewire has been talked about a few times in recent months while Red Hat's Christian Schaller wrote a blog post today about Launching Pipewire!

• Results of the Ubuntu Desktop Applications Survey

  I had the distinct honor to deliver the closing keynote of the UbuCon Europe conference in Paris a few weeks ago. First off -- what a beautiful conference and venue! Kudos to the organizers who really put together a truly remarkable event. And many thanks to the gentleman (Elias?) who brought me a bottle of his family's favorite champagne, as a gift on Day 2 I should give more talks in France!

• Mir support for Wayland

  I’ve seen some confusion about how Mir is supporting Wayland clients on the Phoronix forums . What we are doing is teaching the Mir server library to talk Wayland in addition to its original client-server protocol. That’s analogous to me learning to speak another language (such as Dutch).

  This is not anything like XMir or XWayland. Those are both implementations of an X11 server as a client of a Mir or Wayland. (Xmir is a client of a Mir server or and XWayland is a client of a Wayland server.) They both introduce a third process that acts as a “translator” between the client and server.

• Mir 1.0 Still Planned For Ubuntu 17.10, Wayland Support Focus

  Following our reporting of Mir picking up initial support for Wayland clients, Mir developer Alan Griffiths at Canonical has further clarified the Wayland client support. It also appears they are still planning to get Mir 1.0 released in time for Ubuntu 17.10.

• Webinar: OpenStack Pike is here, what’s new?

  Sign up for our new webinar about the Canonical OpenStack Pike release. Join us to learn about the new features and how to upgrade from Ocata to Pike using OpenStack Charms.

• Bright Computing Announces Support for Ubuntu

  right Computing, a global leader in cluster and cloud infrastructure automation software, today announced the general availability of Bright Cluster Manager 8.0 with Ubuntu.

  With this integration, organizations can run Bright Cluster Manager Version 8.0 on top of Ubuntu, to easily build, provision, monitor and manage Ubuntu high performance clusters from a single point of control, in both on-premises and cloud-based environments.

• Linux Foundation LFCE Georgi Yadkov Shares His Certification Journey

  The Linux Foundation offers many resources for developers, users, and administrators of Linux systems. One of the most important offerings is its Linux Certification Program. The program is designed to give you a way to differentiate yourself in a job market that's hungry for your skills.

  How well does the certification prepare you for the real world? To illustrate that, The Linux Foundation is highlighting some of those who have recently passed the certification examinations. These testimonials should help you decide if either the Linux Foundation Certified System Administrator or the Linux Foundation Certified Engineer certification is right for you. In this article, recently certified engineer Georgi Yadkov shares his experience.

• Diversity Empowerment Summit Features Stories from Individual Persistence to Industry-wide Change

  Last week at The Linux Foundation’s first Diversity Empowerment Summit we heard from so many amazing speakers about how they are working to improve diversity in the tech industry.

  Leaders from companies including Comcast, DreamWorks, IBM, Rancher Labs, Red Hat and many others recounted their own personal struggles to fit in and advance as women and minorities in tech. And they gave us sage advice and practical tips on what women, minorities, and their allies can do to facilitate inclusion and culture change in open source and the broader tech community.

• Open Source Summit: Day 1 in 5 minutes

  As you can see in the video below, the first day of the Open Source Summit was quite educational. My day was filled with clouds, containers, community building, flavors of Linux, and Linus Torvalds.

I've begun running some Linux 4.14-rc1 kernel benchmarks and in some areas there appears to be nice gains with this in-development kernel.

If you are behind on your Phoronix reading and don't know about all of the changes coming for this next kernel release -- which will also be an LTS kernel -- see our Linux 4.14 feature overview that was published this past weekend.

Here are just some very early benchmarks while more are on the way.