The LWN.net Weekly Edition for September 22, 2016 is available.
Inside this week's LWN.net Weekly Edition
Matthew Garrett looks at the real problem behind the inability of some Lenovo laptops to run Linux. "The real problem here is that Intel do very little to ensure that free operating systems work well on their consumer hardware - we still have no information from Intel on how to configure systems to ensure good power management, we have no support for storage devices in "RAID" mode and we have no indication that this is going to get better in future. If Intel had provided that support, this issue would never have occurred."
Congestion-control algorithms are unglamorous bits of code that allow network protocols (usually TCP) to maximize the throughput of any given connection while simultaneously sharing the available bandwidth equitably with other users. New algorithms tend not to generate a great deal of excitement; the addition of TCP New Vegas during the 4.8 merge window drew little fanfare, for example. The BBR (Bottleneck Bandwidth and RTT) algorithm just released by Google, though, is attracting rather more attention; it moves away from the mechanisms traditionally used by these algorithms in an attempt to get better results in a network characterized by wireless links, meddling middleboxes, and bufferbloat.
Arch Linux has updated firefox (multiple vulnerabilities), irssi (code execution), and tomcat7 (proxy injection).
CentOS has updated firefox (C5, C6, C7: multiple vulnerabilities).
Debian has updated wireshark (LTS: dissector vulnerabilities), irssi (denial of service), and openssl (multiple vulnerabilities).
Fedora has updated drupal7-google_analytics (F23, F24: cross-site scripting), drupal7-panels (F23, F24: multiple vulnerabilities), jasper (F23: multiple code-execution vulnerabilities), mod_cluster (F24: "remote exploits"), nodejs-string-dot-prototype-dot-repeat (F23: "update for security reasons"), php-horde-Horde-Mime-Viewer (F23, F24: cross-site scripting), php-horde-Horde-Text-Filter (F23, F24: cross-site scripting), and xen (F23: multiple vulnerabilities).
Mageia has updated chromium-browser-stable (29 CVEs), curl (code execution), file-roller (file deletion), flash-player-plugin (26 CVEs), icu (code execution), jsch (path traversal vulnerability), libksba (denial of service), nodejs (remote code execution), slock (lock bypass), and tomcat (traffic redirection).
openSUSE has updated opera (multiple vulnerabilities).
Oracle has updated firefox (OL5, OL6, OL7: multiple vulnerabilities).
Scientific Linux has updated firefox (SL5-7: multiple vulnerabilities).
Slackware has updated irssi (denial of service), pidgin (17 CVE numbers), and firefox (multiple vulnerabilities).
SUSE has updated java-1_7_1-ibm (SLES12: three CVEs described as "Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Deployment"), and java-1_6-0-ibm (SLES11: one unspecified vulnerability).
Ubuntu has updated firefox (multiple vulnerabilities), gdk-pixbuf (code execution), irssi (denial of service), and thunderbird (code execution).
Note that there appear to be differences of opinion as to whether the irssi vulnerability can be exploited for code execution.
NTP, the Network Time Protocol, quietly and without much fuss performs the critical internet function of knowing the correct time. Using it, a computer with imperfect communications links may join a distributed community of servers, each of which is either directly attached to a reliable clock, or is trying to best synchronize its clock to one or more better-synchronized members of the community. The NTP pool system has arisen as a method of providing such a community to the internet; it works well, but is not without its challenges.
The GNOME Project has announced the release of GNOME 3.22, "Karlsruhe". "This release brings comprehensive Flatpak support. GNOME Software can install and update Flatpaks, GNOME Builder can create them, and the desktop provides portal implementations to enable sandboxed applications. Improvements to core GNOME applications include support for batch renaming in Files, sharing support in GNOME Photos, an updated look for GNOME Software, a redesigned keyboard settings panel, and many more."
The LWN.net Weekly Edition for September 15, 2016 is available.
Arch Linux has updated curl (code execution), lib32-curl (code execution), and lib32-jansson (denial of service).
Debian has updated wireshark (multiple vulnerabilities).
Debian-LTS has updated unadf (two vulnerabilities).
Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities).
SUSE has updated mysql (SLE11-SP3,4: multiple unspecified vulnerabilities).
One of the longest running debates in the kernel community has to do with the backporting of patches from newer kernels to older ones. Substantial effort goes into these backports, with the resulting kernels appearing in everything from enterprise distributions to mobile devices. A recent resurgence of this debate on the Kernel Summit discussion list led to no new conclusions, but it does show how the debate has shifted over time.
The Apache CouchDB database project has announced its 2.0 release. New features include clustering support, a new query language, a new administrative interface, and more. "CouchDB 2.0 is 99% API compatible with the 1.x series and most applications should continue to just work."
The LWN.net Weekly Edition for September 9, 2016 is available.
The fuzzy notepad blog is carrying a post about the switch statement with just about everything one might want to know about its past, present, and possible future. "As we’ve seen, the switch statement has had basically the same form for 49 years. The special case labels are based on syntax derived directly from fixed-layout FORTRAN on punchcards in 1957, several months before my father was born. I hate it."
Concerns about the viability of the Apache OpenOffice (AOO) project are not new; they had been in the air for a while by the time LWN looked at the project's development activity in early 2015. Since then, though, the worries have grown more pronounced, especially after AOO's recent failure to produce a release with an important security fix nearly one year after being notified of the vulnerability. The result is an internal discussion on whether the project should be "retired," or whether it will find a way to turn its fortunes around.
Michael Catanzaro lays down the rules for which GNOME applications distributions should package if they want to claim to provide a "pure GNOME experience." "Selecting the right set of default applications is critical to achieving a quality user experience. Installing redundant or overly technical applications by default can leave users confused and frustrated with the distribution. Historically, distributions have selected wildly different sets of default applications. There’s nothing inherently wrong with this, but it’s clear that some distributions have done a much better job of this than others."
At GUADEC 2016 in Karlsruhe, Germany, Jonathan Blandford challenged the GNOME project to rethink how its desktop software uses network access. The GNOME desktop assumes Internet connectivity is always available, which has the side effect of making the software stack considerably less useful and, indeed, usable to people who live in those places regarded as the developing world.
Carlos Garcia Campos takes a look at the latest stable release of WebKitGTK+. "[The threaded compositor] is the most important change introduced in WebKitGTK+ 2.14 and what kept us busy for most of this release cycle. The idea is simple, we still render everything in the web process, but the accelerated compositing (all the OpenGL calls) has been moved to a secondary thread, leaving the main thread free to run all other heavy tasks like layout, JavaScript, etc. The result is a smoother experience in general, since the main thread is no longer busy rendering frames, it can process the JavaScript faster improving the responsiveness significantly." This release is also considered feature complete in Wayland.
The LWN.net Weekly Edition for September 1, 2016 is available.
CentOS has updated kernel (C7: three vulnerabilities).
openSUSE has updated file-roller (Leap42.1, 13.2: file deletion), openssh (Leap42.1: two vulnerabilities), and php5 (13.2: multiple vulnerabilities).
Ubuntu has updated kernel (16.04: three vulnerabilities), kernel (14.04: two vulnerabilities), kernel (12.04: code execution), linux-lts-trusty (12.04: two vulnerabilities), linux-lts-xenial (14.04: three vulnerabilities), linux-raspi2 (16.04: three vulnerabilities), linux-snapdragon (16.04: three vulnerabilities), linux-ti-omap4 (12.04: code execution), and tomcat6, tomcat7, tomcat8 (privilege escalation).
Some of the most important discussions associated with the annual Kernel Summit do not happen at the event itself; instead, they unfold prior to the summit on the planning mailing list. There is value in learning what developers feel needs to be talked about and, often, important issues can be resolved before the summit itself takes place. That list has just hosted (indeed, is still hosting as of this writing) a voluminous discussion on license enforcement that was described by some participants as being "pointless" or worse. But that discussion has served a valuable purpose: it has brought to light a debate that has long festered under the surface, and it has clarified where some of the real disagreements lie.
The LLVM project is currently distributed under the BSD-like NCSA license, but the project is considering a change in the interest of better patent protection. "After extensive discussion involving many lawyers with different affiliations, we recommend taking the approach of using the Apache 2.0 license, with the binary attribution exception (discussed before), and add an additional exception to handle the situation of GPL2 compatibility if it ever arises."
Copyright © 2016, Eklektix, Inc.