All posts by jake

[$] Devuan, April Fools, and self-destruction

Post Syndicated from jake original

An April Fools joke that went sour seems to be at least the proximate cause
for a rather large upheaval in the Devuan community.
For much of April 1 (or March 31 depending on time zone), the
Devuan web site looked like it had been taken
over by attackers, which was worrisome to many, but it was all a prank.
The joke was
clever, way over the top, unprofessional, or some combination of those,
depending on who is
describing it, but the incident and the threads on the devuan-dev mailing
list have led to rancor, resignations, calls for resignations, and more.

[$] On technological liberty

Post Syndicated from jake original

In his keynote at the 2019 Legal and
Licensing Workshop
(LLW), longtime workshop participant Andrew
Wilson looked
at the past, but he went much further back than, say, the history of free
software—or even computers. His talk looked at technological liberty in
the context of classical liberal philosophic thinking. He mapped some of
that thinking to the world of free and open-source software (FOSS) and to
some other areas where our liberties are under attack.

[$] The sustainability of open source for the long term

Post Syndicated from jake original

The problem of “sustainability” for open-source software is a common topic of
conversation in our community these days. We covered a talk by Bradley Kuhn on
sustainability a month ago. Another longtime community member, Luis Villa,
gave his take on the problem of making open-source projects sustainable at
the 2019 Legal and Licensing Workshop (LLW) in Barcelona. Villa is one of the
co-founders of Tidelift, which is a
company dedicated to helping close the gap so that the maintainers of
open-source projects get paid in order to continue their work.

Ubuntu 19.04 (Disco Dingo) released

Post Syndicated from jake original

Ubuntu 19.04, code named “Disco Dingo”, has been released, along with the following flavors: Ubuntu Budgie, Kubuntu, Lubuntu, Ubuntu Kylin, Ubuntu MATE,
Ubuntu Studio, and Xubuntu.
“The Ubuntu kernel has been updated to the 5.0 based Linux kernel,
our default toolchain has moved to gcc 8.3 with glibc 2.29, and we’ve
also updated to openssl 1.1.1b and gnutls 3.6.5 with TLS1.3 support.

Ubuntu Desktop 19.04 introduces GNOME 3.32 with increased performance,
smoother startup animations, quicker icon load times and reduced CPU+GPU
load. Fractional scaling for HiDPI screens is now available in Xorg
and Wayland.

Ubuntu Server 19.04 integrates recent innovations from key open
infrastructure projects like OpenStack Stein, Kubernetes, and Ceph with
advanced life-cycle management for multi-cloud and on-prem operations,
from bare metal, VMware and OpenStack to every major public cloud.” More information can be found in the release notes.

OpenSSH 8.0 released

Post Syndicated from jake original

OpenSSH 8.0 has been released with a bunch of new features and some bug fixes, including one for a security problem:
“This release contains mitigation for a weakness in the scp(1) tool
and protocol (CVE-2019-6111): when copying files from a remote system
to a local directory, scp(1) did not verify that the filenames that
the server sent matched those requested by the client. This could
allow a hostile server to create or clobber unexpected local files
with attacker-controlled content.

This release adds client-side checking that the filenames sent from
the server match the command-line request.

The scp protocol is outdated, inflexible and not readily fixed. We
recommend the use of more modern protocols like sftp and rsync for
file transfer instead.”
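The check the release notes describe, worked through as an added example: this is not OpenSSH's code, and the function names (parse_c_record, name_is_acceptable, filter_records) and the sample server records are constructed for the illustration. What is taken from the protocol is the shape of the per-file header the remote side sends, C&lt;mode&gt; &lt;size&gt; &lt;name&gt;, whose name field the pre-8.0 client trusted.

```python
"""Client-side filename check for scp, in the spirit of the OpenSSH 8.0
mitigation for CVE-2019-6111. Illustrative only: this is not OpenSSH's code,
and the function names are made up for the example."""
import fnmatch
import os
import re

# The receiving side of the scp protocol gets one header per file:
#   C<mode> <size> <name>\n      e.g. b"C0644 13 notes.txt\n"
# The <name> is chosen by the remote side; before 8.0 the client trusted it.
_C_RECORD = re.compile(rb"^C([0-7]{4}) (\d+) (.+)$")


def parse_c_record(line):
    """Return (mode, size, name) for a C record, or None if it is malformed."""
    m = _C_RECORD.match(line.rstrip(b"\n"))
    if m is None:
        return None
    mode = int(m.group(1), 8)
    size = int(m.group(2))
    name = m.group(3).decode("utf-8", "surrogateescape")
    return mode, size, name


def name_is_acceptable(requested, sent):
    """True if the server-sent name is one the client actually asked for.

    `requested` is the remote path from the command line (possibly a glob);
    `sent` is the bare name taken from the server's C record.
    """
    # A C record names a single entry inside the destination directory, so
    # anything containing a separator, or a "." / ".." entry, is illegitimate.
    if sent in ("", ".", "..") or "/" in sent or "\x00" in sent:
        return False
    pattern = os.path.basename(requested)
    # fnmatch's "*" also matches a leading dot, so a request for "*" would let
    # the server hand back ".bashrc"; this example requires the dot to be
    # explicit in the request (a policy choice for the example, not OpenSSH's).
    if sent.startswith(".") and not pattern.startswith("."):
        return False
    return fnmatch.fnmatchcase(sent, pattern)


def filter_records(requested, records):
    """Split the server's C records into (accepted_names, rejected_names)."""
    accepted, rejected = [], []
    for line in records:
        parsed = parse_c_record(line)
        if parsed is None:
            rejected.append(line.decode("utf-8", "replace").rstrip("\n"))
            continue
        _mode, _size, name = parsed
        if name_is_acceptable(requested, name):
            accepted.append(name)
        else:
            rejected.append(name)
    return accepted, rejected


# Constructed sample session: the client ran `scp host:logs/*.log .` and a
# hostile server answers with one real log plus files it was never asked for.
SAMPLE_RECORDS = [
    b"C0644 512 app.log\n",
    b"C0644 70 .bash_profile\n",      # would land in the user's home directory
    b"C0644 9 ../authorized_keys\n",  # path traversal out of the destination
    b"C0755 3 hax.log\n",             # fits the glob, so no client can refuse it
]

if __name__ == "__main__":
    ok, bad = filter_records("logs/*.log", SAMPLE_RECORDS)
    print("accepted:", ok)   # ['app.log', 'hax.log']
    print("rejected:", bad)  # ['.bash_profile', '../authorized_keys']
```

The last sample record shows the limit of any client-side check: when the request is a wildcard, the server gets to pick every name that fits it, so the client can only refuse names that escape the destination directory. That is the sense in which the protocol is "not readily fixed" and why the release notes point at sftp and rsync instead.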

Security updates for Thursday

Post Syndicated from jake original

Security updates have been issued by CentOS (polkit), Gentoo (dovecot, libseccomp, and patch), openSUSE (aubio, blktrace, flac, lxc, lxcfs, pspp, SDL, sqlite3, and xen), Red Hat (java-1.8.0-openjdk, java-11-openjdk, and rh-maven35-jackson-databind), Scientific Linux (java-1.8.0-openjdk), Slackware (libpng), SUSE (python, python3, sqlite3, and xerces-c), and Ubuntu (ntfs-3g).

[$] Business models and open source

Post Syndicated from jake original

One of the more lively sessions that was held at the 2019 Legal and
Licensing Workshop (LLW) was Heather Meeker’s talk on
open-source business models and alternative licensing. As a lawyer in
private practice, Meeker worked on
a number of the alternative licenses that were drafted and
presented over the last year or so. But she is also part of a venture
capital (VC) firm that is exclusively investing in companies focused on
open source, so she
has experience in thinking about what kinds of models actually work for
those types of businesses.

[$] A backdoor in a popular Ruby gem

Post Syndicated from jake original

Finding ways to put backdoors into various programming-language package
repositories (e.g. npm, PyPI, and now RubyGems) seems like it is becoming a new Olympic
sport or something. Every time you turn around, there is a
report of a new backdoor. It is now apparently Ruby’s turn, with a
new report of a
remote-execution backdoor being inserted, briefly, into a popular gem that
is installed by some sites using the Ruby on Rails
web-application framework.

[$] Positional-only parameters for Python

Post Syndicated from jake original

Arguments can be passed to Python functions by position or by
keyword—generally both. There are times when API designers may wish to
restrict some function parameters to only be passed by position, which is
harder than some think it should be in pure Python. That has led to a PEP
that is meant to make the situation better, but
opponents say it doesn’t really do that;
it simply replaces one obscure mechanism with another. The PEP was
assigned a fairly well-known “BDFL delegate” (former BDFL Guido van Rossum), who has
accepted it, presumably for Python 3.8.
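What "harder than some think it should be" means in practice, as an added example (not code from the PEP or from CPython): the pre-PEP workaround of swallowing *args beside the same function written with the new '/' marker, which needs Python 3.8 or later. The function names and the record-updating task are made up for the illustration; the point is that a positional-only parameter keeps its name out of the keyword namespace without hiding the real signature from tooling.

```python
"""Positional-only parameters: the pre-PEP 570 workaround beside the new
syntax. Added example for this page; not code from the PEP or CPython.
Requires Python 3.8 or later for the '/' marker."""
import inspect


def update_old(*args, **fields):
    """Pure-Python positional-only 'record' before PEP 570.

    The only way to keep 'record' out of the keyword namespace was to take
    *args and check arity by hand, which hides the real signature from
    inspect, help() and IDEs.
    """
    if len(args) != 1:
        raise TypeError(
            f"update_old() takes exactly 1 positional argument ({len(args)} given)"
        )
    (record,) = args
    merged = dict(record)
    merged.update(fields)
    return merged


def update_new(record, /, **fields):
    """Same function with PEP 570 syntax.

    Everything before '/' is positional-only, so the caller may freely pass
    a keyword named 'record'; it is collected into **fields instead of
    colliding with the parameter.
    """
    merged = dict(record)
    merged.update(fields)
    return merged


def signature_text(func):
    """How the function advertises itself to tooling."""
    return str(inspect.signature(func))


def keyword_use_is_rejected():
    """A positional-only parameter cannot be supplied by keyword."""
    try:
        update_new(record={"id": 1})
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    row = {"id": 7}
    print(update_old(row, record="orders", name="widget"))
    print(update_new(row, record="orders", name="widget"))
    print(signature_text(update_old))  # (*args, **fields)
    print(signature_text(update_new))  # (record, /, **fields)
```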

[$] How to (not) fix a security flaw

Post Syndicated from jake original

A pair of flaws in the web interface for two small-business Cisco routers
make for a prime example of the wrong way to go about security fixes.
These kinds of flaws are, sadly, fairly common, but the comedy of errors
that resulted here is, thankfully, rather rare. Among other things, it
shows that
vendors may wish to wait for a
real fix rather than release a small, ineffective band-aid to try to close
a gaping hole.

[$] The return of the lockdown patches

Post Syndicated from jake original

It’s been a year since we looked in on the
kernel lockdown patches; that’s because things have been fairly quiet on
that front since there was a loud and
discordant dispute
about them back then. But Matthew Garrett has been
posting new versions over the last two months; it would seem that the
changes that have been made might be enough to tamp down the flames and,
perhaps, even allow them to be merged into the mainline.

[$] Program names and “pollution”

Post Syndicated from jake original

A Linux user’s $PATH likely contains well over a thousand different
commands that were installed by various packages. It’s not immediately
obvious which package is responsible for a command with
a generic name, like createuser. There are ways to figure it out, of
course, but perhaps it would make sense for packages like PostgreSQL, which
is responsible for createuser, to give their commands names that
are less generic—and more easily disambiguated—such as
pg_createuser. But renaming commands down the road has “backward
compatibility problems”
written all over it, as a recent discussion on the pgsql-hackers mailing
list shows.
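The "ways to figure it out" mentioned above, as an added example that is not from the article or the pgsql-hackers thread: walk $PATH to see which directories provide a given name (and which generic names are provided more than once), then ask the package manager who owns the file. The function names are made up, the package-manager branch assumes dpkg, rpm or pacman is installed, and build_sample_path constructs a throwaway PATH so the example runs anywhere.

```python
"""Which directories provide a command, and which package installed it.
Added example for this page (not from the article or the pgsql-hackers
thread); the package-manager branch assumes dpkg, rpm or pacman is present."""
import os
import shutil
import subprocess
import tempfile
from collections import defaultdict


def commands_in_path(path=None):
    """Map each executable name to the PATH directories that provide it, in
    PATH order, so the first entry is the one the shell would run."""
    dirs = (os.environ.get("PATH", "") if path is None else path).split(os.pathsep)
    providers = defaultdict(list)
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            if os.path.isfile(full) and os.access(full, os.X_OK):
                providers[name].append(d)
    return dict(providers)


def shadowed_commands(path=None):
    """Names provided by more than one directory: a generic name such as
    'createuser' is exactly the kind of entry that ends up here."""
    return {n: dirs for n, dirs in commands_in_path(path).items() if len(dirs) > 1}


def owning_package(command, path=None):
    """Ask the system's package manager which package owns the command, or
    return None if the command or a supported package manager is missing."""
    full = shutil.which(command, path=path)
    if full is None:
        return None
    # dpkg -S matches the path as packaged, so do not resolve symlinks first.
    for tool in (["dpkg", "-S"], ["rpm", "-qf"], ["pacman", "-Qo"]):
        if shutil.which(tool[0]) is None:
            continue
        result = subprocess.run(tool + [full], capture_output=True, text=True)
        if result.returncode == 0:
            return result.stdout.strip()
    return None


def build_sample_path():
    """Construct a throwaway PATH with a shadowed 'createuser' for the demo."""
    root = tempfile.mkdtemp(prefix="pathdemo-")
    layout = {"pg": ["createuser", "pg_createuser"], "other": ["createuser"]}
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.mkdir(d)
        for name in names:
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
            os.chmod(p, 0o755)
    return os.pathsep.join(os.path.join(root, sub) for sub in layout)


if __name__ == "__main__":
    cmds = commands_in_path()
    print(f"{len(cmds)} distinct commands in $PATH")
    for name, dirs in sorted(shadowed_commands().items()):
        print(f"{name}: {' shadows '.join(dirs)}")
    print("createuser ->", owning_package("createuser"))
```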

Courtès: Connecting reproducible deployment to a long-term source code archive

Post Syndicated from jake original

On the Guix blog, Ludovic Courtès writes about connecting reproducible builds for the Guix package manager with the Software Heritage archive.

It quickly became clear that reproducible builds had ‘reproducible source code downloads’, so to speak, as a prerequisite. The Software Heritage archive is the missing piece that would finally allow us to reproduce software environments years later in spite of the volatility of code hosting sites. Software Heritage’s mission is to archive essentially ‘all’ the source code ever published, including version control history. Its archive already periodically ingests release tarballs from the GNU servers, repositories from GitHub, packages from PyPI, and much more.
We quickly settled on a scheme where Guix would fall back to the Software Heritage archive whenever it fails to download source code from its original location. That way, package definitions don’t need to be modified: they still refer to the original source code URL, but the downloading machinery transparently goes to Software Heritage when needed.
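The fallback scheme Courtès describes, as an added example that is not Guix code: the package definition keeps its original URL and a content hash, the origin is tried first and the archive second, and any location that returns different bytes is treated like a location that is down. The function names are made up, and the "origin" and "software-heritage" fetchers are in-memory dictionaries standing in for the real hosts so the example runs offline.

```python
"""Transparent fallback to an archive when the original source URL is dead,
with the integrity check that makes the fallback safe. Added example for this
page; it is not Guix code and the function names are made up. The two
'fetchers' are in-memory stand-ins for the origin host and the Software
Heritage archive, constructed here so the example runs offline."""
import hashlib


class FetchError(Exception):
    """Raised when a source cannot be fetched from any location."""


def fetch_source(url, expected_sha256, fetchers):
    """Try each (label, fetch) pair in order; return (label, data) for the
    first payload whose SHA-256 matches the hash recorded in the package
    definition. A location that serves different bytes is treated like a
    location that is down: the fallback is only safe because the hash check
    stays in front of it."""
    errors = []
    for label, fetch in fetchers:
        try:
            data = fetch(url)
        except FetchError as exc:
            errors.append(f"{label}: {exc}")
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest == expected_sha256:
            return label, data
        errors.append(f"{label}: hash mismatch ({digest[:12]}...)")
    raise FetchError("; ".join(errors))


# --- constructed stand-ins -------------------------------------------------
TARBALL_URL = "https://example.org/releases/foo-1.2.tar.gz"  # hypothetical
GOOD_TARBALL = b"pretend these bytes are foo-1.2.tar.gz"      # constructed
GOOD_SHA256 = hashlib.sha256(GOOD_TARBALL).hexdigest()


def make_store_fetcher(store):
    """Build a fetcher over a dict mapping URL -> bytes."""
    def fetch(url):
        if url not in store:
            raise FetchError("404 Not Found")
        return store[url]
    return fetch


def resolve(origin_store, archive_store):
    """Package-definition style lookup: original URL first, archive second."""
    fetchers = [
        ("origin", make_store_fetcher(origin_store)),
        ("software-heritage", make_store_fetcher(archive_store)),
    ]
    return fetch_source(TARBALL_URL, GOOD_SHA256, fetchers)


def fetch_fails(origin_store, archive_store):
    """True when no location can supply bytes with the expected hash."""
    try:
        resolve(origin_store, archive_store)
    except FetchError:
        return True
    return False


if __name__ == "__main__":
    # Hosting site has vanished; the archive still has the exact bytes.
    label, _ = resolve({}, {TARBALL_URL: GOOD_TARBALL})
    print("fetched from", label)  # software-heritage
```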

Linux Foundation Welcomes LVFS Project

Post Syndicated from jake original

Richard Hughes, the founder and maintainer of the Linux Vendor Firmware Service (LVFS), is interviewed about the project, which has recently joined the Linux Foundation. “The short-term goal was to get 95% of updatable consumer hardware supported. With the recent addition of HP that’s now a realistic target, although you have to qualify the 95% with ‘new consumer non-enterprise hardware sold this year’ as quite a few vendors will only support hardware no older than a few years at most, and most still charge for firmware updates for enterprise hardware. My long-term goal is for the LVFS to be seen like a boring, critical part of infrastructure in Linux, much like you’d consider an NTP server for accurate time, or a PGP keyserver for trust.

With the recent Spectre and Meltdown issues hitting the industry, firmware updates are no longer seen as something that just adds support for new hardware or fixes the occasional hardware issue. Now the EFI BIOS is a fully fledged operating system with networking capabilities, companies and government agencies are realizing that firmware updates are as important as kernel updates, and many are now writing in ‘must support LVFS’ as part of any purchasing policy.”

Security updates for Friday

Post Syndicated from jake original

Security updates have been issued by Arch Linux (dovecot and imagemagick), Debian (dovecot, libraw, pdns, and ruby2.1), Fedora (mingw-podofo, openwsman, podofo, qemu, and svgsalamander), openSUSE (chromium, ffmpeg-4, firefox, libssh2_org, nodejs4, and qemu), Red Hat (libssh2), Scientific Linux (libssh2 and thunderbird), SUSE (kernel, liblouis, ntp, openssl-1_1, and tiff), and Ubuntu (firefox, freeimage, libapache2-mod-auth-mellon, and thunderbird).

[$] The Debian project leader election

Post Syndicated from jake original

While a few weeks back it looked like there
might be a complete lack of Debian
project leader
(DPL) candidates, that situation has changed. After a one-week
extension, five Debian developers have nominated themselves. We are now about
halfway through the campaign phase; platforms have been posted and
questions have been asked and answered. It seems a good time to have a
look at the candidates and their positions.

[$] Case-insensitive ext4

Post Syndicated from jake original

Handling file names in a case-insensitive way for Linux filesystems has
been an ongoing
discussion topic for many years. It is a (dubious) feature of filesystems
for other operating systems (e.g. Android, Windows, macOS), but Linux has
limited support for it. Over the last year or more, Gabriel Krisman
Bertazi has been working on the problem for
ext4, but it is a messy one to solve. He recently posted his latest patch
set, which reflects some changes made at the behest of Linus Torvalds.