
Welcome to LWN.net

LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.

[$] OpenSSL after Heartbleed
[Front] Posted Oct 6, 2016 21:56 UTC (Thu) by corbet

Rich Salz and Tim Hudson started off their LinuxCon Europe 2016 talk by stating that April 3, 2014 shall forever be known as the "re-key the Internet date." That, of course, was the day that the Heartbleed vulnerability in the OpenSSL library was disclosed. A lot has happened with OpenSSL since that day, to the point that, Salz said, this should be the last talk he gives that ever mentions that particular vulnerability. In the last two years, the project has recovered from Heartbleed and is now more vital than ever before.

Full Story (comments: 14)

FSF: Tim Berners-Lee just gave us an opening to stop DRM in Web standards
[Announcements] Posted Oct 7, 2016 19:31 UTC (Fri) by ris

The Free Software Foundation's Defective By Design campaign reports that Tim Berners-Lee decided not to exercise his power to extend the development timeline for the Encrypted Media Extensions (EME) Web technology standard. "Berners-Lee made his surprising decision on Tuesday, as explained in an email announcement by W3C representative Philippe Le Hégaret. Instead of granting a time extension — as he has already done once — Berners-Lee delegated the decision to the W3C's general decision-making body, the Advisory Committee. The Advisory Committee includes diverse entities from universities to companies to nonprofits, and it is divided as to whether EME should be part of Web standards. It is entirely possible that the Advisory Committee will reject the time extension and terminate EME development, marking an important victory for the free Web."

Comments (16 posted)

[$] LWN.net Weekly Edition for October 6, 2016
Posted Oct 6, 2016 0:00 UTC (Thu)

The LWN.net Weekly Edition for October 6, 2016 is available.

Inside this week's LWN.net Weekly Edition

  • Front: High dynamic range displays; Why kernel development uses email.
  • Security: CloudFlare, Tor, and eliminating CAPTCHAs; New vulnerabilities in chromium, clamav, libav, systemd, ...
  • Kernel: The 4.9 merge window opens; Android explicit fencing.
  • Distributions: "dnf update" considered harmful; Qubes OS, Endless OS, ...
  • Development: Creating a kernel build farm; FontForge, Project Mortar, Plasma 5.8, PostgreSQL 9.6, ...
  • Announcements: MOSS supports open source projects, new OSI affiliate member, LLVM Cauldron videos, Arduino, ...

Stable kernel updates
[Kernel] Posted Oct 7, 2016 16:41 UTC (Fri) by ris

Greg Kroah-Hartman has released stable kernels 4.8.1, 4.7.7, and 4.4.24. All contain important fixes.

Comments (none posted)

[$] Why kernel development still uses email
[Kernel] Posted Oct 1, 2016 21:19 UTC (Sat) by corbet

In a world full of fancy development tools and sites, the kernel project's dependence on email and mailing lists can seem quaintly dated, if not positively prehistoric. But, as Greg Kroah-Hartman pointed out in a Kernel Recipes talk titled "Patches carved into stone tablets", there are some good reasons for the kernel community's choices. Rather than being a holdover from an older era, email remains the best way to manage a project as large as the kernel.

Full Story (comments: 53)

Security advisories for Friday
[Security] Posted Oct 7, 2016 16:18 UTC (Fri) by ris

Debian-LTS has updated c-ares (code execution) and python-django (cross-site request forgery).

Fedora has updated mongodb (F24: information leak).

Gentoo has updated apache (multiple vulnerabilities) and groovy (code execution).

Mageia has updated thunderbird (code execution).

Oracle has updated kernel 4.1.12 (OL7; OL6: two vulnerabilities), kernel 3.8.13 (OL7; OL6: two vulnerabilities), and kernel 2.6.39 (OL6; OL5: two vulnerabilities).

SUSE has updated compat-openssl098 (SLE12-SP1: multiple vulnerabilities), nodejs4 (SLEM12: multiple vulnerabilities), openssl1 (SLES11-SECURITY: multiple vulnerabilities), and xen (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated oxide-qt (16.04, 14.04: multiple vulnerabilities).

Comments (none posted)

LWN.net Weekly Edition for September 29, 2016
Posted Sep 29, 2016 1:12 UTC (Thu)

The LWN.net Weekly Edition for September 29, 2016 is available.

Inside this week's LWN.net Weekly Edition

  • Front: GTK+ version numbering; Vulkan driver anatomy; OpenType 1.8 and style attributes.
  • Security: The trouble with new TLS version numbers; New vulnerabilities in bash, firefox, imagemagick, openssl, ...
  • Kernel: 4.8 development statistics; A low-level hibernation bug hunt.
  • Distributions: ARC++; RIP Kristoffer H. Rose, Ubuntu Yakkety Yak, Firefox OS, ...
  • Development: Systemd programming, 30 months later; MIT License, ...
  • Announcements: KDE Advisory Board, Lenovo laptops, ...

Bassi: Who wrote GTK+ 3.22
[Development] Posted Oct 6, 2016 21:52 UTC (Thu) by jake

On the GTK+ Development Blog, Emmanuele Bassi looks at some statistics on the development of GTK+ 3.22 and GLib contributions during the same cycle (that resulted in GLib 2.50.0). He looks at which developers contributed the most change sets and changed lines of code, as well as how many change sets and hackers there are for each component by company affiliation. "During the 3.22 development cycle, GLib saw a total of 14119 lines added, 2031 removed, for a net gain of 12088 lines [...] GTK+, instead, saw a total of 46581 lines added, 19163 removed, for a net gain of 27418 lines". Those numbers do not include the translation work that was done for 3.22.

Comments (13 posted)

Systemd programming, 30 months later
[Development] Posted Sep 27, 2016 14:11 UTC (Tue) by corbet

Some time ago, we published a pair of articles about systemd programming that extolled the value of providing high-quality unit files in upstream packages. The hope was that all distributions would use them and that problems could be fixed centrally rather than each distribution fixing its own problems independently. Now, 30 months later, it seems like a good time to see how well that worked out for nfs-utils, the focus of much of that discussion. Did distributors benefit from upstream unit files, and what sort of problems were encountered?

Full Story (comments: 52)

Thursday's security advisories
[Security] Posted Oct 6, 2016 15:21 UTC (Thu) by jake

Debian has updated nspr (code execution) and nss (multiple vulnerabilities, some from 2015).

Debian-LTS has updated bind9 (two denial of service flaws), freeimage (code execution), and zendframework (SQL injection).

Fedora has updated c-ares (F24: code execution).

openSUSE has updated ffmpeg (42.1: not well specified), postgresql94 (42.1: two vulnerabilities), and python-Jinja2 (13.2: privilege escalation from 2014).

Scientific Linux has updated kernel (SL6: two vulnerabilities).

SUSE has updated openssl (SLE11: multiple vulnerabilities), php53 (SLE11SP4; SLE11SP2: multiple vulnerabilities), and php7 (SLE12: multiple vulnerabilities).

Ubuntu has updated ntp (16.04, 14.04, 12.04: multiple vulnerabilities, many from 2015).

Comments (none posted)

LWN.net Weekly Edition for September 22, 2016
Posted Sep 22, 2016 1:18 UTC (Thu)

The LWN.net Weekly Edition for September 22, 2016 is available.

Inside this week's LWN.net Weekly Edition

  • Front: ATypI font special.
  • Security: On the way to safe containers; New vulnerabilities in chromium, graphicsmagick, kernel, mozilla, ...
  • Kernel: Btrfs encryption; Stable kernel creation; BBR congestion control.
  • Distributions: The NTP pool system; Debian 8.6, ...
  • Development: Font build chains; Emacs 25.1; CouchDB 2.0; The Python packaging ecosystem; ...
  • Announcements: PGConf US cfp, ...

FontForge release
[Development] Posted Oct 5, 2016 20:48 UTC (Wed) by ris

There's a new release of FontForge available. "This release introduces a new icon set, new functionality for custom icon selection graphics, support for GlyphOrderAndAliasDB files, and support for Unicode 9.0."

Comments (none posted)

BBR congestion control
[Kernel] Posted Sep 21, 2016 16:39 UTC (Wed) by corbet

Congestion-control algorithms are unglamorous bits of code that allow network protocols (usually TCP) to maximize the throughput of any given connection while simultaneously sharing the available bandwidth equitably with other users. New algorithms tend not to generate a great deal of excitement; the addition of TCP New Vegas during the 4.8 merge window drew little fanfare, for example. The BBR (Bottleneck Bandwidth and RTT) algorithm just released by Google, though, is attracting rather more attention; it moves away from the mechanisms traditionally used by these algorithms in an attempt to get better results in a network characterized by wireless links, meddling middleboxes, and bufferbloat.

Full Story (comments: 41)

Security advisories for Wednesday
[Security] Posted Oct 5, 2016 16:06 UTC (Wed) by ris

CentOS has updated kernel (C6: two vulnerabilities).

Debian has updated icedove (multiple vulnerabilities) and libav (multiple vulnerabilities).

Debian-LTS has updated libav (multiple vulnerabilities).

Fedora has updated gd (F23: denial of service) and links (F24; F23: anonymity leak).

openSUSE has updated flex, at, libbonobo, netpbm, openslp, sgmltool, virtuoso (Leap42.1: buffer overflow), mariadb (Leap42.1: SQL injection/privilege escalation), and php5 (Leap42.1: multiple vulnerabilities).

Oracle has updated kernel (OL6: three vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and kernel (RHEL6: two vulnerabilities).

Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities).

Ubuntu has updated php5, php7.0 (multiple vulnerabilities).

Comments (none posted)

The NTP pool system
[Distributions] Posted Sep 21, 2016 1:59 UTC (Wed) by corbet

NTP, the Network Time Protocol, quietly and without much fuss performs the critical internet function of knowing the correct time. Using it, a computer with imperfect communications links may join a distributed community of servers, each of which is either directly attached to a reliable clock, or is trying to best synchronize its clock to one or more better-synchronized members of the community. The NTP pool system has arisen as a method of providing such a community to the internet; it works well, but is not without its challenges.

Full Story (comments: 67)

MOSS supports four more open source projects
[Announcements] Posted Oct 4, 2016 21:35 UTC (Tue) by ris

The Mozilla Open Source Support (MOSS) program has awarded $300,000 to four projects this quarter. "On the Foundational Technology track, we awarded $100,000 to Redash, a tool for building visualizations of data for better decision-making within organizations, and $50,000 to Review Board, software for doing web-based source code review. Both of these pieces of software are in heavy use at Mozilla. We also awarded $100,000 to Kea, the successor to the venerable ISC DHCP codebase, which deals with allocation of IP addresses on a network. Mozilla uses ISC DHCP, which makes funding its replacement a natural move even though we haven’t deployed it yet. On the Mission Partners track, we awarded $56,000 to Speech Rule Engine, a code library which converts mathematical markup into vocalised form (speech) for the sight-impaired, allowing them to fully appreciate mathematical and scientific content on the web." (Thanks to Paul Wise)

Comments (3 posted)

LWN.net Weekly Edition for September 15, 2016
Posted Sep 15, 2016 0:22 UTC (Thu)

The LWN.net Weekly Edition for September 15, 2016 is available.

Inside this week's LWN.net Weekly Edition

  • Front: Automating hinting for every script; Backports and long-term stable kernels.
  • Security: Filesystem images & unprivileged containers; Minijail; New vulnerabilities in libarchive, mysql, webkit2gtk, xen, ...
  • Kernel: Exclusive page-frame ownership; TTY slave devices.
  • Distributions: BlackArch: a distribution for pen testing; Elementary OS, ...
  • Development: Network access during Debian package builds; Vim 8.0; NetBeans and Apache Incubator; Success with interns; ...
  • Announcements: ArduPilot and DroneCode, ...

Plasma 5.8 LTS is out
[Development] Posted Oct 4, 2016 20:24 UTC (Tue) by ris

KDE has released Plasma 5.8. "This marks the point where the developers and designers are happy to recommend Plasma for the widest possible audience be they enterprise or non-techy home users. If you tried a KDE desktop previously and have moved away, now is the time to re-assess, Plasma is simple by default, powerful when needed." Plasma 5.8 is KDE's first Long Term Support release. The changelog has the details.

Comments (7 posted)

Backports and long-term stable kernels
[Front] Posted Sep 14, 2016 21:26 UTC (Wed) by corbet

One of the longest running debates in the kernel community has to do with the backporting of patches from newer kernels to older ones. Substantial effort goes into these backports, with the resulting kernels appearing in everything from enterprise distributions to mobile devices. A recent resurgence of this debate on the Kernel Summit discussion list led to no new conclusions, but it does show how the debate has shifted over time.

Full Story (comments: 25)

Mageia thanks long time contributor and friend
[Distributions] Posted Oct 4, 2016 16:35 UTC (Tue) by ris

The Mageia project remembers Thomas Spuhler who died in September. "Thomas had been contributing to Mageia, and Mandriva before that, since 2009 as a packager, and much earlier already partaking in email discussions and bug reports. His packaging interests were mostly web and server-related components, for which his contributions were invaluable. He had to step back from his Mageia responsibilities in early August due to his health condition."

Comments (none posted)



Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds