LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
The LWN.net Weekly Edition for June 9, 2016 is available.
Inside this week's LWN.net Weekly Edition
The first version of KDE neon, which is a distribution based on Ubuntu 16.04 that is meant to be a stable platform on which to try the latest Plasma desktop, has been released. "KDE neon User Edition 5.6 is based on the latest version of Plasma 5.6 and intends to showcase the latest KDE technology on a stable foundation. It is a continuously updated installable image that can be used not just for exploration and testing but as the main operating system for people enthusiastic about the latest desktop software. It comes with a slim selection of apps, assuming the user's capacity to install her own applications after installation, to avoid cruft and meaningless weight to the ISO. The KDE neon team will now start adding all of KDE's applications to the neon archive. Since the announcement of the project four months ago the team has been working on rolling out our infrastructure, using current best-practice devops technologies. A continuous integration Jenkins system scans the download servers for new releases and automatically fires up computers with Docker instances to build packages. We work in the open and as a KDE project any KDE developer has access to our packaging Git repository and can make fixes, improvements and inspect our work."
Linux users tend to pride themselves on their position at the leading edge of a fast-moving development community. But, in truth, much of what we do is rooted in many decades of Unix tradition, and we tend to get grumpy when young developers show up and start changing things around. A recent change of default in systemd represents such a change and the kind of response that it brings out; as a result, Linux distributors are going to have to make a decision on whether they should preserve the way things have always worked or make a change that, while potentially disruptive to users, is arguably a step toward more predictable, controllable, and secure behavior.
Fedora has updated firefox (F23: multiple vulnerabilities), gnutls (F23: arbitrary file overwrite), and kernel (F23: denial of service).
Mageia has updated firefox (multiple vulnerabilities).
openSUSE has updated ImageMagick (13.2: command execution).
Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).
Red Hat has updated firefox (multiple vulnerabilities).
Scientific Linux has updated file (SL6: multiple vulnerabilities from 2014), icedtea-web (SL6: two vulnerabilities), ntp (SL6: multiple vulnerabilities, one from 2014), openssh (SL6: multiple vulnerabilities), openssl (SL6: multiple vulnerabilities), qemu-kvm (SL6: code execution), and thunderbird (SL6: two vulnerabilities).
The LWN.net Weekly Edition for June 3, 2016 is available.
Nikolai Tschacher demonstrates how easy it is to run arbitrary code by way of "typosquatting" uploads to programming language download sites. "Because everybody can upload any package on PyPi, it is possible to create packages which are typo versions of popular packages that are prone to be mistyped. And if somebody unintentionally installs such a package, the next question comes intuitively: Is it possible to run arbitrary code and take over the computer during the installation process of a package?" He tried an experiment and was able to run a little program that phoned home from thousands of systems.
At OSCON 2016 in Austin, a panel of invited experts debated the always-thorny subject of how open-source software projects deal with patents. The panel was packed, featuring representatives from the free-software world, commerce, and the legal community, so there was scarcely enough time to move through the prepared topics in the time allotted, much less to take questions from the audience. But the discussion was able to highlight a number of current issues, including patent abolition, implicit patent licenses, and where the open-source community should focus its efforts to improve matters.
The Maru OS handset distribution (reviewed here in April) has moved out of the beta-test period and is now freely downloadable without an invitation. Maru functions as both an Android handset and an Ubuntu desktop (when connected to an external monitor). For now, it remains limited to Nexus 5 handsets. "Now that the beta program is over, I’m finally turning my attention to the open-source project so we can expand device support with the help of the community. Let’s get Maru in the hands of a lot more people!"
PostgreSQL's annual developer conference, PGCon, took place in May, which made it a good place to get a look at the new PostgreSQL features coming in version 9.6. The first 9.6 beta was released just the week before and several contributors demonstrated key changes at the conference in Ottawa. For many users, this was the first time to see the finished versions of features that had been under development for months or years.
There is no doubt that the addition of container technologies to Linux has created a lot of value, allowing workloads to be effectively and efficiently isolated from each other. Implementing these technologies presents a number of challenges, particularly as much of Linux and Unix was designed to use singletons: objects of which there could never ever be more than one, such as host names, network routing tables, or process-ID namespaces. Containers require this design approach to be revised as they need multiple instances of these objects. A singleton that has been causing problems recently is the set of pseudo terminals (TTYs).
The full article from Neil Brown is available to subscribers only.
Arch Linux has updated firefox (multiple vulnerabilities), qemu (multiple vulnerabilities), qemu-arch-extra (multiple vulnerabilities), and subversion (two vulnerabilities).
CentOS has updated spice (C7: two vulnerabilities) and spice-server (C6: two vulnerabilities).
Debian has updated expat (two vulnerabilities) and vlc (code execution).
Debian-LTS has updated expat (two vulnerabilities), libpdfbox-java (XML External Entity attacks), and libxstream-java (XML External Entity attacks).
Fedora has updated openslp (F23; F22: denial of service).
Mageia has updated chromium-browser-stable/libpng (multiple vulnerabilities), libxslt (two vulnerabilities), and ntp (multiple vulnerabilities).
openSUSE has updated expat (Leap42.1: code execution), gd (13.2: information leak), glibc (13.2: multiple vulnerabilities), GraphicsMagick (Leap42.1; 13.2: command execution), libimobiledevice, libusbmuxd (Leap42.1, 13.2: sockets listening on INADDR_ANY), libksba (Leap42.1: denial of service), and php5 (Leap42.1: multiple vulnerabilities).
SUSE has updated expat (SLE11-SP4: code execution).
The LWN.net Weekly Edition for May 26, 2016 is available.
The Qt Blog announces the launch of the Qt Automotive Suite. "With cumulative experience from over 20 automotive projects it was noted how Qt is really well suited to the needs of building IVIs and Instrument Clusters, that there were already millions of vehicles on the road with Qt inside, and that there were a lot of ongoing projects. There was though a feeling that things could be even better, that there were still a few things holding back the industry, contributing to the sense that shipped IVI systems could be built faster, cheaper and with a higher quality."
By all accounts, the Internet's transition to IPv6 has been a slow affair. In recent years, though, perhaps inspired by the exhaustion of the IPv4 address space, IPv6 usage has been on the rise. There is a corresponding interest in ensuring that applications work with both IPv4 and IPv6. But, as a recent discussion on the OpenBSD mailing list has highlighted, a mechanism designed to ease the transition to an IPv6 network may also make the net less secure — and Linux distributions may be configured insecurely by default.
Firefox 47 has been released. This version enables the VP9 video codec for users with fast machines, plays embedded YouTube videos with HTML5 video if Flash is not installed, and more. There is a blog post about these and other improvements. "Now, we are making it even easier to access synced tabs directly in your desktop Firefox browser. If you’re logged into your Firefox Account, you will see all open tabs from your smartphone or other computers within the sidebar. In the sidebar you can also search for specific tabs quickly and easily." See the release notes for more information.
The LWN.net Weekly Edition for May 19, 2016 is available.
Debian has updated spice (two vulnerabilities).
Debian-LTS has updated dhcpcd5 (code execution) and nss (cipher-downgrade attacks).
Fedora has updated glibc (F23: denial of service), nginx (F23: denial of service), and qemu (F22: multiple vulnerabilities).
openSUSE has updated clamav-database (Leap42.1: database refresh).
Oracle has updated spice (OL7: two vulnerabilities) and spice-server (OL6: two vulnerabilities).
Red Hat has updated glibc (RHEL6.5: sends DNS queries to random file descriptors), jenkins (RHOSE3.2: multiple vulnerabilities), spice (RHEL7: two vulnerabilities), and spice-server (RHEL6: two vulnerabilities).
Scientific Linux has updated spice (SL7: two vulnerabilities) and squid (SL7: multiple vulnerabilities).
SUSE has updated expat (SLE12-SP1: code execution).
Ubuntu has updated libxml2 (multiple vulnerabilities) and oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities).
The LWN.net Weekly Edition for May 12, 2016 is available.
Open Build Service 2.7 has been released. "Three large features around the topic of integrating external resources made it into this release. We worked on automatic tracking of moving repositories of development versions like Fedora Rawhide, distribution updates or rolling Linux releases like Arch. A change to the OBS git integration to enable developers to work on continuous builds. And last but not least an experimental KIWI import that can be used to easily migrate your images from SUSE studio."
Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds