All posts by jake

Ubuntu 19.04 (Disco Dingo) released

Post Syndicated from jake original https://lwn.net/Articles/786238/rss

Ubuntu 19.04, code named “Disco Dingo”, has been released, along with the following flavors: Ubuntu Budgie, Kubuntu, Lubuntu, Ubuntu Kylin, Ubuntu MATE,
Ubuntu Studio, and Xubuntu.
“The Ubuntu kernel has been updated to the 5.0 based Linux kernel,
our default toolchain has moved to gcc 8.3 with glibc 2.29, and we’ve
also updated to openssl 1.1.1b and gnutls 3.6.5 with TLS1.3 support.

Ubuntu Desktop 19.04 introduces GNOME 3.32 with increased performance,
smoother startup animations, quicker icon load times and reduced CPU+GPU
load. Fractional scaling for HiDPI screens is now available in Xorg
and Wayland.

Ubuntu Server 19.04 integrates recent innovations from key open
infrastructure projects like OpenStack Stein, Kubernetes, and Ceph with
advanced life-cycle management for multi-cloud and on-prem operations,
from bare metal, VMware and OpenStack to every major public cloud.” More information can be found in the release notes.

OpenSSH 8.0 released

Post Syndicated from jake original https://lwn.net/Articles/786236/rss

OpenSSH 8.0 has been released with a bunch of new features and some bug fixes, including one for a security problem:
“This release contains mitigation for a weakness in the scp(1) tool
and protocol (CVE-2019-6111): when copying files from a remote system
to a local directory, scp(1) did not verify that the filenames that
the server sent matched those requested by the client. This could
allow a hostile server to create or clobber unexpected local files
with attacker-controlled content.

This release adds client-side checking that the filenames sent from
the server match the command-line request.

The scp protocol is outdated, inflexible and not readily fixed. We
recommend the use of more modern protocols like sftp and rsync for
file transfer instead.”
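As an added illustration of the client-side check described above (constructed for this page, not OpenSSH's own code), the Python below parses the per-file header records the scp protocol sends ("C<mode> <size> <name>") and accepts only bare basenames that match what the client asked for; it checks top-level records only and treats the request as the glob scp would pass to the remote side.

```python
import fnmatch
import posixpath


class ScpNameMismatch(ValueError):
    """Raised when the server sends a filename the client never asked for."""


def parse_scp_header(line):
    """Parse a 'C<mode> <size> <name>' or 'D<mode> <size> <name>' record."""
    if len(line) < 2 or line[0] not in "CD":
        raise ValueError("not a file/directory record: %r" % line)
    mode, size, name = line[1:].split(" ", 2)
    return line[0], int(mode, 8), int(size), name


def filename_allowed(requested, name):
    """Reconstruction of the 8.0-style check: the name must be a plain
    basename (no '/', not '.' or '..') and must match the requested name,
    which may be a glob since scp expands wildcards on the server side."""
    if not name or "/" in name or name in (".", ".."):
        return False
    want = posixpath.basename(requested)
    if want in ("", ".", ".."):
        # The client asked for a whole directory: any plain basename is fine.
        return True
    return fnmatch.fnmatchcase(name, want)


def check_records(requested, records):
    """Validate every top-level header against the request; return the
    accepted names or raise on the first unexpected one."""
    accepted = []
    for rec in records:
        _kind, _mode, _size, name = parse_scp_header(rec)
        if not filename_allowed(requested, name):
            raise ScpNameMismatch(
                "server sent %r but client asked for %r" % (name, requested))
        accepted.append(name)
    return accepted


if __name__ == "__main__":
    # Constructed sample: the client asked for report-*.txt, the server
    # answers with two matching files plus one it was never asked for.
    sample = ["C0644 10 report-1.txt", "C0644 3 report-2.txt", "C0644 7 .bashrc"]
    try:
        print(check_records("report-*.txt", sample))
    except ScpNameMismatch as exc:
        print("rejected:", exc)
```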

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/786235/rss

Security updates have been issued by CentOS (polkit), Gentoo (dovecot, libseccomp, and patch), openSUSE (aubio, blktrace, flac, lxc, lxcfs, pspp, SDL, sqlite3, and xen), Red Hat (java-1.8.0-openjdk, java-11-openjdk, and rh-maven35-jackson-databind), Scientific Linux (java-1.8.0-openjdk), Slackware (libpng), SUSE (python, python3, sqlite3, and xerces-c), and Ubuntu (ntfs-3g).

[$] Business models and open source

Post Syndicated from jake original https://lwn.net/Articles/786068/rss

One of the more lively sessions that was held at the 2019 Legal and
Licensing Workshop (LLW) was Heather Meeker’s talk on
open-source business models and alternative licensing. As a lawyer in
private practice, Meeker worked on
a number of the alternative licenses that were drafted and
presented over the last year or so. But she is also part of a venture
capital (VC) firm that is exclusively investing in companies focused on
open source, so she
has experience in thinking about what kinds of models actually work for
those types of businesses.

[$] A backdoor in a popular Ruby gem

Post Syndicated from jake original https://lwn.net/Articles/785386/rss

Finding ways to put backdoors into various programming-language package
repositories (e.g. npm, PyPI, and now RubyGems) seems like it is becoming a new Olympic
sport or something. Every time you turn around, there is a
report of a new backdoor. It is now apparently Ruby’s turn, with a
new report of a
remote-execution backdoor being inserted, briefly, into a popular gem that
is installed by some sites using the Ruby on
Rails
web-application framework.

[$] Positional-only parameters for Python

Post Syndicated from jake original https://lwn.net/Articles/785245/rss

Arguments can be passed to Python functions by position or by
keyword—generally both. There are times when API designers may wish to
restrict some function parameters to only be passed by position, which is
harder than some think it should be in pure Python. That has led to a PEP
that is meant to make the situation better, but
opponents say it doesn’t really do that;
it simply replaces one obscure mechanism with another. The PEP was
assigned a fairly well-known “BDFL delegate” (former BDFL Guido van Rossum), who has
accepted it, presumably for Python 3.8.

[$] How to (not) fix a security flaw

Post Syndicated from jake original https://lwn.net/Articles/784758/rss

A pair of flaws in the web interface for two small-business Cisco routers
make for a prime example of the wrong way to go about security fixes.
These kinds of flaws are, sadly, fairly common, but the comedy of errors
that resulted here is, thankfully, rather rare. Among other things, it
shows that
vendors may wish to await a
real fix rather than to release a small, ineffective band-aid to try to close
a gaping hole.

[$] The return of the lockdown patches

Post Syndicated from jake original https://lwn.net/Articles/784674/rss

It’s been a year since we looked in on the
kernel lockdown patches; that’s because things have been fairly quiet on
that front since there was a loud and
discordant dispute
about them back then. But Matthew Garrett has been
posting new versions over the last two months; it would seem that the
changes that have been made might be enough to tamp down the flames and,
perhaps, even allow them to be merged into the mainline.

[$] Program names and “pollution”

Post Syndicated from jake original https://lwn.net/Articles/784508/rss

A Linux user’s $PATH likely contains well over a thousand different
commands that were installed by various packages. It’s not immediately
obvious which package is responsible for a command with
a generic name, like createuser. There are ways to figure it out, of
course, but perhaps it would make sense for packages like PostgreSQL, which
is responsible for createuser, to give their commands names that
are less generic—and more easily disambiguated—such as
pg_createuser. But renaming commands down the road has “backward
compatibility problems”
written all over it, as a recent discussion on the pgsql-hackers mailing
list shows.

Courtès: Connecting reproducible deployment to a long-term source code archive

Post Syndicated from jake original https://lwn.net/Articles/784401/rss

On the Guix blog, Ludovic Courtès writes about connecting reproducible builds for the Guix package manager with the Software Heritage archive.

“It quickly became clear that reproducible builds had ‘reproducible source code downloads’, so to speak, as a prerequisite. The Software Heritage archive is the missing piece that would finally allow us to reproduce software environments years later in spite of the volatility of code hosting sites. Software Heritage’s mission is to archive essentially ‘all’ the source code ever published, including version control history. Its archive already periodically ingests release tarballs from the GNU servers, repositories from GitHub, packages from PyPI, and much more.
We quickly settled on a scheme where Guix would fall back to the Software Heritage archive whenever it fails to download source code from its original location. That way, package definitions don’t need to be modified: they still refer to the original source code URL, but the downloading machinery transparently goes to Software Heritage when needed.”

Linux Foundation Welcomes LVFS Project (Linux.com)

Post Syndicated from jake original https://lwn.net/Articles/784378/rss

Linux.com interviews Richard Hughes about the Linux Vendor Firmware Service (LVFS), which has recently joined the Linux Foundation as a new project. Hughes is the founder and maintainer of the project. “The short-term goal was to get 95% of updatable consumer hardware supported. With the recent addition of HP that’s now a realistic target, although you have to qualify the 95% with ‘new consumer non-enterprise hardware sold this year’ as quite a few vendors will only support hardware no older than a few years at most, and most still charge for firmware updates for enterprise hardware. My long-term goal is for the LVFS to be seen like a boring, critical part of infrastructure in Linux, much like you’d consider an NTP server for accurate time, or a PGP keyserver for trust.

With the recent Spectre and Meltdown issues hitting the industry, firmware updates are no longer seen as something that just adds support for new hardware or fixes the occasional hardware issue. Now the EFI BIOS is a fully fledged operating system with networking capabilities, companies and government agencies are realizing that firmware updates are as important as kernel updates, and many are now writing in ‘must support LVFS’ as part of any purchasing policy.”

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/784370/rss

Security updates have been issued by Arch Linux (dovecot and imagemagick), Debian (dovecot, libraw, pdns, and ruby2.1), Fedora (mingw-podofo, openwsman, podofo, qemu, and svgsalamander), openSUSE (chromium, ffmpeg-4, firefox, libssh2_org, nodejs4, and qemu), Red Hat (libssh2), Scientific Linux (libssh2 and thunderbird), SUSE (kernel, liblouis, ntp, openssl-1_1, and tiff), and Ubuntu (firefox, freeimage, libapache2-mod-auth-mellon, and thunderbird).

[$] The Debian project leader election

Post Syndicated from jake original https://lwn.net/Articles/784123/rss

While a few weeks back it looked like there
might be a complete lack of Debian
project leader
(DPL) candidates, that situation has changed. After a one-week
delay, five Debian developers have nominated themselves. We are now about
halfway through the campaign phase; platforms have been posted and
questions have been asked and answered. It seems a good time to have a
look at the candidates and their positions.

[$] Case-insensitive ext4

Post Syndicated from jake original https://lwn.net/Articles/784041/rss

Handling file names in a case-insensitive way for Linux filesystems has
been an ongoing
discussion topic for many years. It is a (dubious) feature of filesystems
for other operating systems (e.g. Android, Windows, macOS), but Linux has
limited support for it. Over the last year or more, Gabriel Krisman
Bertazi has been working on the problem for
ext4, but it is a messy one to solve. He recently posted his latest patch
set, which reflects some changes made at the behest of Linus Torvalds.

[$] The state of the OSU Open Source Lab

Post Syndicated from jake original https://lwn.net/Articles/783580/rss

The Oregon State University Open Source
Lab
(OSU OSL) has been a longtime hosting site for a wide variety of
free and open-source software (FOSS) projects. At SCALE 17x, OSL
director Lance
Albertson gave an overview of what the lab does, some of its history, and its
role in mentoring undergraduates at OSU. There are a lot of facets to the
lab and its work, most of which flies under the radar, which is why Albertson
came to Pasadena, CA to fill attendees in.

Scribus team mourns the passing of Peter “mrdocs” Linnell

Post Syndicated from jake original https://lwn.net/Articles/783763/rss

The team behind the Scribus libre desktop-publishing tool
is mourning the passing of Peter Linnell. “It is no understatement to say that without Peter Scribus wouldn’t be what it is today. It was Peter who spotted the potential of Franz Schmid’s initially humble Python program and, as a pre-press consultant at the time, contacted Franz to make him aware of the necessities of PostScript and PDF support, among other things. Peter also wrote the first version of the Scribus online documentation, which resulted in his nickname ‘mrdocs’ in IRC and elsewhere. Until recently, and despite his deteriorating health, Peter continued to be involved in building and releasing new Scribus versions.

Scribus was the project he helped to set on track and which marked the beginning of his journey into the world of Free Software development. While it remained at the heart of his commitments to Open Source in general and Libre Graphics software in particular, Peter contributed to Free Software in many other ways as well. For example via contributions to projects related to freedesktop.org, as a package builder of many Free programs for several Linux distributions on the openSUSE Build Service, and later as an openSUSE board member. Peter was also crucial in bringing the Libre Graphics community together by way of sharing his expertise with other graphics-oriented projects and his assistance in organizing the first Libre Graphics Meetings. In the sometimes ego-driven and often emotional world of Open Source development, Peter managed to get along very well with almost everybody and never lost his sense of humour.”

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/783757/rss

Security updates have been issued by CentOS (firefox), Debian (cron and ntfs-3g), Fedora (firefox, ghostscript, libzip, python2-django1.11, PyYAML, tcpflow, and xen), Mageia (ansible, firefox, and ImageMagick/GraphicsMagick), Red Hat (ghostscript), Scientific Linux (firefox and ghostscript), SUSE (libxml2, unzip, and wireshark), and Ubuntu (firefox, ghostscript, libsolv, ntfs-3g, p7zip, and snapd).