All posts by jake

coreutils-9.0 released

Post Syndicated from jake original https://lwn.net/Articles/870372/rss

The GNU Core Utilities (coreutils) has announced the release of version 9.0 of “the basic file, shell and text manipulation utilities” used by the GNU operating system and various Linux distributions. In the year and a half or so since the last major release (8.32), various new features were added, including:

cp has changed how it handles data

  • enables CoW [copy on write] by default (through FICLONE ioctl),
  • uses copy offload where available (through copy_file_range),
  • detects holes differently (though SEEK_HOLE)
  • This also applies to mv and install.

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/870190/rss

Security updates have been issued by Debian (ruby-kaminari and tomcat8), Mageia (389-ds-base, ansible, apache, apr, cpio, curl, firefox, ghostscript, gifsicle, gpac, libarchive, libgd, libssh, lynx, nextcloud-client, openssl, postgresql, proftpd, python3, thunderbird, tor, and vim), openSUSE (chromium, ffmpeg, grilo, hivex, linuxptp, and samba), Oracle (go-toolset:ol8, kernel, kernel-container, krb5, mysql:8.0, and nodejs:12), SUSE (ffmpeg, firefox, grilo, hivex, kernel, linuxptp, nodejs14, and samba), and Ubuntu (ca-certificates, edk2, sqlparse, and webkit2gtk).

Courtès: What’s in a package

Post Syndicated from jake original https://lwn.net/Articles/870047/rss

Over at the Guix-HPC blog, Ludovic Courtès writes about trying to package the PyTorch machine-learning library for the Guix distribution. Building from source in a user-verifiable manner is part of the philosophy behind Guix, but there were a number of problems that were encountered:

The first surprise when starting packaging PyTorch is that, despite being on PyPI, PyTorch is first and foremost a large C++ code base. It does have a setup.py as commonly found in pure Python packages, but that file delegates the bulk of the work to CMake.

The second surprise is that PyTorch bundles (or “vendors”, as some would say) source code for no less than 41 dependencies, ranging from small Python and C++ helper libraries to large C++ neural network tools. Like other distributions such as Debian, Guix avoids bundling: we would rather have one Guix package for each of these dependencies. The rationale is manifold, but it boils down to keeping things auditable, reducing resource usage, and making security updates practical.

[$] A discussion on folios

Post Syndicated from jake original https://lwn.net/Articles/869942/rss

A few weeks ago, Matthew Wilcox might have guessed that his session
at the 2021 Linux
Plumbers Conference
would be focused rather differently. But, as we reported earlier in September, his folio patch set ran into some, perhaps
unexpected, opposition and, ultimately, did not land in the mainline for
5.15. Instead of discussing how to use folios as part
of the File
Systems microconference
, he led a discussion that was, at least in part, on the
path forward for them.

[$] Weaponizing middleboxes

Post Syndicated from jake original https://lwn.net/Articles/869842/rss

Middleboxes are,
unfortunately in many ways, a big part of today’s internet. While middleboxes
inhabit the same physical niche as routers, they are not aimed at packet forwarding;
instead they are meant to monitor and manipulate the packets that they
see. The effects of those devices on users of the networks they reign over may be
unfortunate as well, but the rest of the internet is only affected when
trying to communicate with those users—or so it was thought. Based on some
recently reported research, it turns out that middleboxes can be abused to
inflict denial-of-service (DoS) attacks elsewhere on the net.

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/869521/rss

Security updates have been issued by CentOS (firefox and thunderbird), Fedora (haproxy, wordpress, and xen), openSUSE (apache2-mod_auth_openidc, fail2ban, ghostscript, haserl, libcroco, nextcloud, and wireshark), Oracle (kernel and kernel-container), Slackware (httpd), SUSE (crmsh, gtk-vnc, libcroco, Mesa, postgresql12, postgresql13, and transfig), and Ubuntu (libgcrypt20, linux-gcp, linux-gcp-4.15, linux-hwe-5.4, linux-oem-5.13, python3.4, python3.5, and qtbase-opensource-src).

[$] Revisiting NaNs in Python

Post Syndicated from jake original https://lwn.net/Articles/869231/rss

Back in January 2020, we looked at some
oddities in Python’s handling of Not a Number (NaN) values in
its statistics
module
. The conversation went quiet after that, but it has been
revived recently with an eye toward fixing the problems that were reported.
As detailed in that earlier article, NaNs are rather strange beasts in the
floating-point universe, so figuring out how best to deal with their
presence is less straightforward than it might seem.

[$] Roundup: managing issues for 20 years

Post Syndicated from jake original https://lwn.net/Articles/869118/rss

The Roundup Issue Tracker
is a flexible tool for managing issues via the web or
email. However, Roundup is useful for more than
web-based bug tracking or help-desk ticketing; it can be used as a simple
wiki
or to manage tasks
with the Getting Things
Done
(GTD)
methodology. The 20th-anniversary
edition
of
Roundup,
version 2.1.0, was
released in July; it is a maintenance release, but there have been a number
of larger improvements in the last year or so. Here we introduce
Roundup’s
features
along with the
recent developments that have helped make Roundup even more useful for tracking
issues to their resolution.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Post Syndicated from jake original https://lwn.net/Articles/868882/rss

The Linux Foundation has announced that Software Package Data Exchange (SPDX) has become an international standard (ISO/IEC 5962:2021). SPDX has been used in the kernel and other projects to identify the licenses and attach other metadata to software components.

Between eighty and ninety percent (80%-90%) of a modern application is assembled from open source software components. An SBOM [software bill of materials] accounts for the software components contained in an application — open source, proprietary, or third-party — and details their provenance, license, and security attributes. SBOMs are used as a part of a foundational practice to track and trace components across software supply chains. SBOMs also help to proactively identify software issues and risks and establish a starting point for their remediation.

SPDX results from ten years of collaboration from representatives across industries, including the leading Software Composition Analysis (SCA) vendors – making it the most robust, mature, and adopted SBOM standard.

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/868743/rss

Security updates have been issued by Fedora (lynx, matrix-synapse, and proftpd), openSUSE (ntfs-3g_ntfsprogs), Oracle (kernel), Red Hat (RHV-H), Scientific Linux (kernel), and Ubuntu (libapache2-mod-auth-mellon, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux-azure-5.8, linux-oem-5.10).

[$] Applying PEP 8

Post Syndicated from jake original https://lwn.net/Articles/868490/rss

Two recent threads on the python-ideas mailing list have overlapped to a
certain extent; both referred to Python’s style guide, but the discussion
indicates that the advice in it may have been stretched further than intended. PEP 8
(“Style Guide for Python Code“) is the longstanding set of
guidelines and suggestions for code that is going into the standard
library, but the “rules” in the PEP have been applied in settings and tools well outside of that
realm. There may be reasons to update the PEP—some unrelated work of that nature is
ongoing, in fact—but Pythonistas need to remember that the suggestions in
it are not carved in stone.

[$] FOSS for amateur radio

Post Syndicated from jake original https://lwn.net/Articles/868309/rss

Amateur (“ham”) radio operators have been experimenting with ways to use
computers in their hobby since PCs became widely available—perhaps even
before then. While many
people picture hams either talking into a microphone or tapping a telegraph
key, many hams now type on a keyboard or even click buttons on a computer screen to make
contacts. Even hams who still prefer to talk or use Morse code may still
use computers for some things, such as logging contacts or predicting
radio conditions. While most hams use Windows, there is no shortage of ham
radio software for Linux.

Fuzzing 100+ open source projects with OSS-Fuzz – lessons learned (ADA Logics blog)

Post Syndicated from jake original https://lwn.net/Articles/868165/rss

On the ADA Logics blog, David Korczynski and Adam Korczynski write about their work integrating 115 open-source projects with Google’s OSS-Fuzz project for doing continuous fuzz testing. They describe the process of integrating a project into OSS-Fuzz, and discuss their findings, which include more than 2000 bugs (500+ security relevant), of which 1300+ have been fixed at this point:

Throughout the process we integrated projects written in C, C++, Python, Go and Rust and the types of bugs we found across the projects are a reflection of the language the project was written in. Typically, for managed languages the bugs are within the umbrella term of uncaught exceptions and denial of service bugs, whereas in native languages the bugs are mostly split between assert violations, NULL-dereferences, heap-out-of-bounds, stack-out-of-bounds, stack overflows, integer arithmetic, memory leaks, out-of-memory and timeout bugs.

[$] Emacs discusses web-based development workflows

Post Syndicated from jake original https://lwn.net/Articles/867956/rss

Discussions on ways to “modernize” the Emacs editor have come up in various guises over the past few
years. Changes of that nature tend to be somewhat contentious in the Emacs
community, pitting the “old guard” that values the existing features (and
keybindings) against those who argue for changes to make Emacs more
approachable (and aesthetically pleasing) to newcomers. Those discussions
tend toward mega-thread status, so it should be no surprise that a query
about possibly moving Emacs development to a “forge” (e.g. GitHub or GitLab) got
similar treatment. As always in Emacs-land, there are multiple facets to
the discussion, including the desirability of moving away from an
email-based workflow, accommodating younger, forge-centric developers
without forcing existing developers into that model, and—naturally—licensing.