Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

LWN.net Weekly Edition for October 8, 2020



Security updates for Thursday

([Security] Oct 1, 2020 12:53 UTC (Thu) (jake))

Security updates have been issued by Debian (ruby-json-jwt and ruby-rack-cors), Fedora (xen), SUSE (aspell and tar), and Ubuntu (ruby-gon, ruby-kramdown, and ruby-rack).

[$] Getting KDE onto commercial hardware

([Development] Oct 5, 2020 19:33 UTC (Mon) (mrybczyn))

At [1]Akademy 2020, the annual KDE conference that was held virtually this year, KDE developer Nate Graham delivered a talk entitled "Visions of the Future" ([2]YouTube video) about the possible future of KDE on commercial products. Subtitled "Plasma sold on retail hardware — lots of it", the session concentrated on ways to make KDE applications (and the [3]Plasma desktop) the default environment on hardware sold to the general public. The proposal includes creating an official KDE distribution with a hardware certification program and directly paying developers.



[1] https://akademy.kde.org/2020

[2] https://youtu.be/_VlgkuPvK0o#t=1h44m

[3] https://kde.org/plasma-desktop

RPM 4.16.0 released

([Development] Sep 30, 2020 17:36 UTC (Wed) (ris))

Version 4.16.0 of the RPM package manager has been released. "This turned out to be a much bigger release than anticipated with several groundbreaking new features, despite finally being back to annual cycle almost to date." Highlights include new database backends, macro and %if expressions including a ternary operator and native version comparison, optional MIME-type-based file classification, a new version parsing and comparison API in C and Python, license clarification, and more. The [1]release notes have more details.



[1] https://rpm.org/wiki/Releases/4.16.0

Security updates for Wednesday

([Security] Sep 30, 2020 15:03 UTC (Wed) (ris))

Security updates have been issued by Arch Linux (chromium, firefox, libvirt, and podman), Debian (firefox-esr and nss), Gentoo (bitcoind, chromium, cifs-utils, gpsd, libuv, and xen), Mageia (firefox, gnutls, mediawiki, samba, and Thunderbird), openSUSE (brotli and cifs-utils), Red Hat (audiofile, bluez, cloud-init, cpio, cups, curl, dbus, dnsmasq, e2fsprogs, evince and poppler, exiv2, expat, firefox, fontforge, freeradius, freerdp, glib2 and ibus, glibc, httpd, hunspell, ipa, kernel, kernel-rt, libcroco, libexif, libmspack, libpng, librabbitmq, libsndfile, libsrtp, libssh2, libtiff, libvirt, libvpx, libwmf, libxml2, libxslt, mariadb, mod_auth_openidc, NetworkManager, nss and nspr, okular, OpenEXR, openldap, openwsman, pcp, python, python-pillow, python3, qemu-kvm, qemu-kvm-ma, qt5-qtbase, samba, SDL, spamassassin, squid, subversion, systemd, tigervnc, tomcat, unoconv, and webkitgtk4), SUSE (bcm43xx-firmware, nodejs8, pdns, python-pip, and xen), and Ubuntu (libapreq2, netqmail, samba, and tomcat6).

[$] From O_MAYEXEC to trusted_for()

([Kernel] Oct 1, 2020 15:40 UTC (Thu) (corbet))

The ability to execute the contents of a file is controlled by the execute-permission bits — some of the time. If a given file contains code that can be executed by an interpreter — such as shell commands or code in a language like Perl or Python, for example — there are easy ways to run the interpreter on the file regardless of whether it has execute permission enabled or not. Mickaël Salaün has been working on tightening up the administrator's control over execution by interpreters for some time, but has struggled to find an acceptable home for this feature. His latest attempt takes the form of a new system call named trusted_for() .
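The gap the article describes can be seen from a shell in a few lines. The following is an added example, not code from the article or from Mickaël Salaün's patches: the first function creates a script with no execute bit and runs it both ways; the second is the kind of ad-hoc policy check an interpreter has to make in user space today, which is the question trusted_for() is meant to let the kernel answer under the administrator's policy instead. Paths are temporary files created by the script itself.

```shell
#!/bin/sh
# Added example, not from the LWN article or from the trusted_for() patches.
# Shows that the execute bits gate execve(), while an interpreter only
# needs read permission on the same file.

# Creates a non-executable script, tries to run it both ways and prints
# "<direct> <interpreter>", each being "ran" or "denied".
exec_bit_vs_interpreter() {
    dir=$(mktemp -d) || return 1
    script="$dir/hello.sh"
    printf '#!/bin/sh\necho hello-from-script\n' > "$script"
    chmod 0644 "$script"              # readable by all, executable by nobody

    # execve() honours the mode bits: the shell reports "Permission denied"
    # (status 126), even for root when no execute bit is set at all.
    if "$script" >/dev/null 2>&1; then direct=ran; else direct=denied; fi

    # Handing the same file to sh only opens it for reading, so it runs.
    if [ "$(sh "$script" 2>/dev/null)" = hello-from-script ]; then
        interp=ran
    else
        interp=denied
    fi

    rm -rf "$dir"
    echo "$direct $interp"
}

# The user-space workaround an interpreter can apply on its own: refuse a
# script unless it carries an execute bit.  This catches the plain case
# above but knows nothing about noexec mounts or other administrator
# policy, which is the part a kernel-side check could supply.
run_if_executable() {
    f=$1
    if [ -x "$f" ]; then
        sh "$f"
    else
        echo "refused: $f is not marked executable" >&2
        return 126
    fi
}

# Exercises run_if_executable: prints "<status before chmod +x> <output after>".
run_if_executable_demo() {
    dir=$(mktemp -d) || return 1
    script="$dir/hello.sh"
    printf '#!/bin/sh\necho hello-from-script\n' > "$script"
    chmod 0644 "$script"
    if run_if_executable "$script" >/dev/null 2>&1; then before=0; else before=$?; fi
    chmod 0755 "$script"
    after=$(run_if_executable "$script" 2>/dev/null)
    rm -rf "$dir"
    echo "$before $after"
}
```

Running `exec_bit_vs_interpreter` prints `denied ran`: the same file that the kernel refuses to execute directly runs without complaint through `sh`. A noexec mount behaves the same way, which is why a mode-bit check inside every interpreter is not a substitute for a kernel-side decision.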

Security updates for Tuesday

([Security] Sep 29, 2020 15:06 UTC (Tue) (ris))

Security updates have been issued by Debian (firefox-esr and mediawiki), openSUSE (firefox, libqt5-qtbase, and rubygem-actionpack-5_1), Red Hat (qemu-kvm, qemu-kvm-ma, and virt:rhel), SUSE (dpdk, firefox, and go1.15), and Ubuntu (dpdk, imagemagick, italc, libpgf, libuv1, pam-python, squid3, ssvnc, and teeworlds).

OpenWrt and SELinux

([Distributions] Sep 30, 2020 23:18 UTC (Wed) (jake))

[1]SELinux is a security mechanism with a lot of ability to restrict user-space compromises in various useful ways. It has also generally been considered a heavyweight option that is not suitable for more resource-restricted systems like wireless routers. Undeterred by this perception, some [2]OpenWrt developers are adding SELinux as an option for protecting the distribution, which targets embedded devices.



[1] https://selinuxproject.org/page/Main_Page

[2] https://openwrt.org/

OpenSSH 8.4 released

([Security] Sep 28, 2020 15:44 UTC (Mon) (ris))

OpenSSH 8.4 is out. The SHA-1 hash algorithm is deprecated, and the "ssh-rsa" public key signature algorithm, which depends on it, will be disabled by default "in a near-future release." The release notes point out that it is now possible to perform chosen-prefix attacks against SHA-1 for less than USD$50K. RSA keys themselves remain usable: the rsa-sha2-256 and rsa-sha2-512 signature algorithms use the same key type with SHA-2 and are not affected. The notes suggest checking whether a server still relies on ssh-rsa by connecting with it removed from the client's list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host.
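Administrators who would rather drop ssh-rsa now than wait for the default to change can do so with two directives. The block below is an added example, not from the OpenSSH project or the LWN item: it emits the sshd_config fragment and includes a small audit function that reads sshd_config-style text and reports whether both directives remove ssh-rsa. Directive names are the OpenSSH 8.4 ones (PubkeyAcceptedKeyTypes was renamed PubkeyAcceptedAlgorithms in 8.5); nothing here talks to a live sshd, so confirm the effective settings on a real host with sshd -T.

```shell
#!/bin/sh
# Added example, not from OpenSSH or the LWN item.  A leading '-' in an
# algorithm list removes the named entry from the compiled-in default
# list instead of replacing the list.  rsa-sha2-256 and rsa-sha2-512 are
# separate entries and stay in place, so existing RSA keys keep working.
hardened_sshd_fragment() {
    cat <<'EOF'
HostKeyAlgorithms -ssh-rsa
PubkeyAcceptedKeyTypes -ssh-rsa
EOF
}

# Reads sshd_config-style text on stdin and prints "disabled" when both
# directives remove ssh-rsa, otherwise "allowed".  Keywords are
# case-insensitive, as in sshd(8); comments and blank lines are skipped.
audit_ssh_rsa() {
    hk=allowed
    pk=allowed
    while IFS= read -r line; do
        case "$line" in '#'*|'') continue ;; esac
        set -- $line
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        val=${2:-}
        # Count only a '-' list that names ssh-rsa as a whole token, so that
        # removing just ssh-rsa-cert-v01@openssh.com does not qualify.
        case ",$val," in
            ,-ssh-rsa,*|,-*,ssh-rsa,*) removed=yes ;;
            *)                          removed=no ;;
        esac
        case "$key" in
            hostkeyalgorithms)      [ "$removed" = yes ] && hk=disabled ;;
            pubkeyacceptedkeytypes) [ "$removed" = yes ] && pk=disabled ;;
        esac
    done
    if [ "$hk" = disabled ] && [ "$pk" = disabled ]; then
        echo disabled
    else
        echo allowed
    fi
}

# Usage: hardened_sshd_fragment | audit_ssh_rsa   -> disabled
#        audit_ssh_rsa < /etc/ssh/sshd_config      -> whatever the host has
```

The audit is deliberately narrow: it only recognises the "-ssh-rsa" removal form, so a host that replaces the whole list with an explicit set that omits ssh-rsa will still be reported as "allowed" and should be checked by hand.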

Security updates for Monday

([Security] Sep 28, 2020 14:51 UTC (Mon) (ris))

Security updates have been issued by Debian (curl, libdbi-perl, linux-4.19, lua5.3, mediawiki, nfdump, openssl1.0, qt4-x11, qtbase-opensource-src, ruby-gon, and yaws), Fedora (grub2, libxml2, perl-DBI, singularity, and xawtv), Mageia (cifs-utils, kio-extras, libproxy, mbedtls, nodejs, novnc, and pdns), openSUSE (bcm43xx-firmware, chromium, conmon, fuse-overlayfs, libcontainers-common, podman, firefox, libqt4, libqt5-qtbase, openldap2, ovmf, pdns, rubygem-actionpack-5_1, and tiff), SUSE (firefox, go1.14, ImageMagick, and libqt5-qtbase), and Ubuntu (firefox, gnuplot, libquicktime, miniupnpd, ruby-sanitize, and sudo).

Kernel prepatch 5.9-rc7

([Kernel] Sep 27, 2020 22:32 UTC (Sun) (corbet))

The [1]5.9-rc7 kernel prepatch is out for testing. "But while I do not know of any remaining gating issues any more, the fixes came in fairly late. So unless I feel insanely optimistic and/or a burning bush tells me that everything is bug-free, my plan right now is that I'll do another rc next Sunday rather than the final 5.9 release. And btw, please no more burning bushes. We're kind of sensitive about those on the West coast right now."



[1] https://lwn.net/Articles/832733/

A small set of stable kernels

([Kernel] Sep 27, 2020 20:37 UTC (Sun) (corbet))

The [1]5.8.12, [2]5.4.68, and [3]4.19.148 stable kernels have been released; each contains another set of important fixes.



[1] https://lwn.net/Articles/832724/

[2] https://lwn.net/Articles/832725/

[3] https://lwn.net/Articles/832726/

LVFS tames firmware updates

([Development] Sep 30, 2020 21:27 UTC (Wed) (coogle))

Keeping device firmware up-to-date can be a challenge for end users. Firmware updates are often important for correct behavior, and they can have security implications as well. The [1]Linux Vendor Firmware Service (LVFS) project is playing an increasing role in making firmware updates more straightforward for both end users and vendors; LVFS [2]just announced its 20-millionth firmware download. Since [3]even a wireless mouse dongle can pose a security threat, the importance of simple, reliable, and easily applied firmware updates is hard to overstate.



[1] https://fwupd.org/

[2] https://blogs.gnome.org/hughsie/2020/09/28/20-million-downloads-from-the-lvfs/

[3] https://www.theverge.com/2019/7/14/20692471/logitech-mousejack-wireless-usb-receiver-vulnerable-hack-hijack

Calibre 5.0 released

([Development] Sep 25, 2020 15:03 UTC (Fri) (corbet))

[1]Version 5.0 of the Calibre electronic-book manager has been released. "There has been a lot of work on the calibre E-book viewer. It now supports Highlighting. The highlights can be colors, underlines, strikethrough, etc. and have added notes. All highlights can be both stored in EPUB files for easy sharing and centrally in the calibre library for easy browsing. Additionally, the E-book viewer now supports both vertical and right-to-left text." Another significant change is a port to Python 3; that was a necessary change but it means that there are a number of plugins that have not yet been ported and thus won't work. The status of many plugins can be found on [2]this page.



[1] https://calibre-ebook.com/new-in/fourteen

[2] https://www.mobileread.com/forums/showthread.php?t=326405

Security updates for Friday

([Security] Sep 25, 2020 14:52 UTC (Fri) (jake))

Security updates have been issued by Debian (rails), openSUSE (chromium, jasper, ovmf, roundcubemail, samba, and singularity), Oracle (firefox), SUSE (bcm43xx-firmware, firefox, libqt5-qtbase, qemu, and tiff), and Ubuntu (aptdaemon, atftp, awl, packagekit, and spip).

LWN.net Weekly Edition for October 1, 2020



[$] New features in the fish shell

([Development] Sep 29, 2020 17:52 UTC (Tue) (ayoisaiah))

[1]Fish (the "friendly interactive shell") has the explicit goal of being more user-friendly than other shells. It features a modern command-line interface with syntax highlighting, tab completion, and auto-suggestions out of the box (all with no configuration required). Unlike many of its competitors, it doesn't care about being POSIX-compliant but attempts to blaze its own path. Since our [2]last look at the project, way back in 2013, it has seen lots of new releases with features, bug fixes, and refinements aimed at appealing to a wide range of users. Some of the biggest additions landed in the [3]3.0 release, but we will also describe some other notable changes from version 2.1 up through the latest version.



[1] https://fishshell.com

[2] https://lwn.net/Articles/575002/

[3] https://github.com/fish-shell/fish-shell/releases/tag/3.0.0

PostgreSQL 13 released

([Development] Sep 24, 2020 13:48 UTC (Thu) (corbet))

Version 13 of the PostgreSQL database management system is out. "PostgreSQL 13 includes significant improvements to its indexing and lookup system that benefit large databases, including space savings and performance gains for indexes, faster response times for queries that use aggregates or partitions, better query planning when using enhanced statistics, and more. Along with highly requested features like parallelized vacuuming and incremental sorting, PostgreSQL 13 provides a better data management experience for workloads big and small, with optimizations for daily administration, more conveniences for application developers, and security enhancements."

Security updates for Thursday

([Security] Sep 24, 2020 13:09 UTC (Thu) (jake))

Security updates have been issued by Fedora (firefox, libproxy, mbedtls, samba, and zeromq), openSUSE (chromium and virtualbox), Red Hat (firefox and kernel), SUSE (cifs-utils, conmon, fuse-overlayfs, libcontainers-common, podman, libcdio, python-pip, samba, and wavpack), and Ubuntu (rdflib).

[$] Toward a "modern" Emacs

([Development] Sep 25, 2020 16:49 UTC (Fri) (corbet))

It has only been a few months since the Emacs community went through [1]an extended discussion on how to make the [2]Emacs editor "popular again". As the community gears up for the Emacs 28 development cycle (after the [3]Emacs 27.1 release in August), that discussion has returned with a vengeance. The themes of this discussion differ somewhat from the last; developers are concerned about making Emacs — an editor with decades of history — seem "modern" to attract new users.



[1] https://lwn.net/Articles/819452/

[2] https://www.gnu.org/software/emacs/

[3] https://lists.gnu.org/archive/html/emacs-devel/2020-08/msg00237.html
