All posts by corbet

Project Triforce: Run AFL on Everything!

Post Syndicated from corbet original http://lwn.net/Articles/692878/rss

The developers of “Project Triforce,” an effort to run the “american fuzzy
lop” fuzz-testing tool in a system-wide manner, have posted a detailed
description of what they are up to.
“AFL is an awesome tool. The power of an easy to use, feedback-driven
fuzzer has produced an absolutely staggering number of bugs. Still, at
first AFL required being able to build the executable, something sadly not
available on a lot of targets. With the addition of AFL’s qemu_mode, it
became possible to fuzz binaries without source, exposing a whole new world
of targets to AFL. I’d been on a number of Linux container engagements
recently where we’d managed to escape through kernel exploits. I fell
asleep one night to several AFL screens running, and I awoke suddenly with
a crazy idea: ‘Run AFL on the Linux Kernel.’”

A couple of unpleasant local kernel vulnerabilities

Post Syndicated from corbet original http://lwn.net/Articles/692697/rss

The just-released 4.6.3, 4.4.14, and 3.14.73 stable kernels contain a set
of netfilter fixes that, it has just been disclosed, fix a couple of severe
local privilege-escalation vulnerabilities. Anybody who is running a site
with user and network namespaces enabled will want to update their kernels
in short order. The fixes were originally committed into 4.6-rc2 in April
with no comment regarding their implications.

Xen 4.7 released

Post Syndicated from corbet original http://lwn.net/Articles/692542/rss

Version 4.7 of the Xen hypervisor has been released. “With dozens of
major improvements, many more bug fixes and small improvements, and
significant improvements to Drivers and Devices, Xen Project 4.7 reflects a
thriving community around the Xen Project Hypervisor.” Some of the
new features include live patching, better dom0 robustness, better
migration support between non-identical hosts, scheduler improvements, and
more. See the release notes for more information.

Sony agrees to pay millions to gamers to settle PS3 Linux debacle (ars technica)

Post Syndicated from corbet original http://lwn.net/Articles/692410/rss

Back in 2009, Sony removed the “install other OS” option
from its PS3 game consoles, removing the ability to install
Linux on those machines. It then went after developers who figured out how
to jailbreak the device. Ars technica reports
that Sony has now settled a class-action lawsuit over those actions.
“Under the terms of the accord, which has not been approved by
a California federal judge yet, gamers are eligible to receive $55 if they
used Linux on the console. The proposed settlement, which will be vetted by
a judge next month, also provides $9 to each console owner that bought a
PS3 based on Sony’s claims about ‘Other OS’ functionality.” The
lawyers, instead, get over $2 million.

Announcing Flatpak

Post Syndicated from corbet original http://lwn.net/Articles/692220/rss

Not to be left behind by a certain competing project, the developers of the
Flatpak packaging system have put out a press release
proclaiming its virtues. “The Linux desktop has long
been held back by platform fragmentation. This has been a burden on
developers, and creates a high barrier to entry for third party application
developers. Flatpak aims to change all that. From the very start its
primary goal has been to allow the same application to run across a myriad
of Linux distributions and operating systems. In doing so, it greatly
increases the number of users that application developers can easily
reach.”

Fedora 24 released

Post Syndicated from corbet original http://lwn.net/Articles/692128/rss

After several schedule slips, the Fedora 24 release is available.
“The Fedora Project has embarked on a great journey… redefining what
an operating system should be for users and developers. Such innovation
does not come overnight, and Fedora 24 is one big step on the road to
the next generation of Linux distributions. But that does not mean that
Fedora 24 is some ‘interim’ release; there are great new features for
Fedora users to deploy in their production environments right now!”

See the Fedora 24 approved features list for an idea of what’s in this
release.

[$] Transport-level protocols in user space

Post Syndicated from corbet original http://lwn.net/Articles/691887/rss

The Linux networking developers have long held a strong opinion about
user-space protocol implementations: they should be avoided in favor of
making the in-kernel implementation better. So it might be surprising to
see a veteran networking developer post a patch set aimed at making
user-space implementations easier. A look at this patch and its
motivations shines an interesting light on changes that are taking place in
the networking world.

The Children’s Illustrated Guide to Kubernetes

Post Syndicated from corbet original http://lwn.net/Articles/691828/rss

For those who are wondering what Kubernetes is all about, Matt Butcher has
posted an illustrated guide for children. “Phippy loved life aboard
Captain Kube’s ship and she enjoyed the company of her new friends (every
replicated pod of Goldie was equally delightful). But as she thought back
to her days on the scary hosted provider, she began to wonder if perhaps
she could also have a little privacy. ‘It sounds like what you need,’ said
Captain Kube, ‘is a namespace.’”

Keen: The case against upstream packaging

Post Syndicated from corbet original http://lwn.net/Articles/691537/rss

Arch maintainer Kyle Keen speaks out against direct
delivery of software by upstream projects. “Maintainers’ greatest
power is the ability to outright say ‘This is not good enough for our
users’ and consequently punish an ISV by either patching out the offensive
part or in extreme cases removing the software from the repositories. ISVs
know this and so don’t act out. After 20 years of enforced good behavior
this has led to the idea of ISVs as ‘the benevolent upstream developer.’
This is why Linux doesn’t have spyware, doesn’t come with browser toolbars,
doesn’t bundle limited trials, doesn’t nag you to purchase and doesn’t
pummel you with advertising.”

[$] Kernel building with GCC plugins

Post Syndicated from corbet original http://lwn.net/Articles/691102/rss

It has long been understood that static-analysis tools can be useful in
finding (and defending against) bugs and security problems in code. One of
the best places to implement such tools is in the compiler itself, since
much of the work required to
analyze a program is already done in the compilation process. Despite the
fact that GCC has had the ability to support security-oriented plugins for
some years, the mainline kernel has never adopted any such plugins. That
situation looks likely to change with the 4.8 kernel release, though.

Lortie: Gtk 4.0 is not Gtk 4

Post Syndicated from corbet original http://lwn.net/Articles/691131/rss

Allison Lortie writes about a new proposed GTK release scheme
that may take some getting used to.
“Meanwhile, Gtk 4.0 will not be the final stable API of what we would
call ‘Gtk 4’. Each 6 months, the new release (Gtk 4.2, Gtk 4.4, Gtk 4.6)
will break API and ABI vs. the release that came before it. These
incompatible minor versions will not be fully parallel installable; they
will use the same pkg-config name and the same header file directory. We
will, of course, bump the soname with each new incompatible release — you
will be able to run Gtk 4.0 apps alongside Gtk 4.2 and 4.4 apps, but you
won’t be able to build them on the same system. This policy fits the model
of how most distributions think about libraries and their ‘development
packages’.” Only the last release in each major number series
(expected every two years) would have a stable API. Read the whole thing
to fully understand what is being proposed.

Mourning Hans-Jürgen Koch

Post Syndicated from corbet original http://lwn.net/Articles/691000/rss

Thomas Gleixner wrote the following to us: The Linux Kernel community is
mourning the passing of Hans-Jürgen Koch. Hans
was a free-software enthusiast and an active contributor. He worked on Radio
Data System support both in kernel and user space and was the main author and
maintainer of the UIO subsystem and contributed in various ways to the Linux
kernel as a professional and hobbyist. He authored a UIO book, gave
countless talks at various open-source conferences, and served as a member
of the Linuxtag program committee.

His calm and modest nature made it a pleasure to work with him. Meeting him in
person was always an enjoyable experience. His interests spanned a broad range
from literature, music and history to politics and engagement for the German
branch of Friends of the Earth. His wicked sense of humor along with his
always ready to be told bag of anecdotes enlivened quite some social events.

He will be sorely missed and our thoughts are with his family and friends.

Kernel prepatch 4.7-rc3

Post Syndicated from corbet original http://lwn.net/Articles/690988/rss

The third 4.7 prepatch is out for testing.
Linus says: “The diffstat looks fairly normal and innocuous. There’s
more of a filesystem component to it than usual, but that’s mostly some
added new btrfs tests, and if you ignore that part it’s all the normal
stuff: drivers dominate (gpu and networking drivers are the bulk, but
there’s i2c, rdma, …) with some arch updates, and general networking
code. And the usual random stuff all over.”

Tschacher: Typosquatting programming language package managers

Post Syndicated from corbet original http://lwn.net/Articles/690605/rss

Nikolai Tschacher demonstrates how easy it is
to run arbitrary code by way of “typosquatting” uploads
to programming language download sites. “Because everybody can
upload any package on PyPi, it is possible to create packages which are
typo versions of popular packages that are prone to be mistyped. And if
somebody unintentionally installs such a package, the next question comes
intuitively: Is it possible to run arbitrary code and take over the
computer during the installation process of a package?” He tried an
experiment and was able to run a little program that phoned home from
thousands of systems.

Maru OS now freely available

Post Syndicated from corbet original http://lwn.net/Articles/690508/rss

The Maru OS handset distribution (reviewed here in April) has moved out of
the beta-test period and is now freely
downloadable without an invitation. Maru functions as both an Android
handset and an Ubuntu desktop (when connected to an external monitor). For
now, it remains limited to Nexus 5 handsets.
“Now that the beta program is over, I’m finally turning my attention
to the open-source project so we can expand device support with the help of
the community. Let’s get Maru in the hands of a lot more people!”