Security updates for Wednesday
([Security] Jul 15, 2020 14:34 UTC (Wed) (ris))
Security updates have been issued by CentOS (dbus), Debian (python3.5), Fedora (podofo and roundcubemail), Oracle (dbus, dovecot, jbig2dec, kernel, nodejs:10, nodejs:12, sane-backends, and thunderbird), Red Hat (.NET Core and kernel), SUSE (ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-dashboard, openstack-dashboard-theme-HPE, openstack-heat-templates, openstack-keystone, openstack-monasca-agent, openstack-monasca-installer, openstack-neutron, openstack-octavia-amphora-image, python-Django, python-Flask, python-GitPython, python-Pillow, python-amqp, python-apicapi, python-keystoneauth1, python-oslo.messaging, python-psutil, python-pyroute2, python-pysaml2, python-tooz, python-waitress, storm, bind, jasper, java-1_8_0-openjdk, LibVNCServer, libxml2, python-ipaddress, rubygem-bundler, rubygem-puma, samba, slirp4netns, xen, and xrdp), and Ubuntu (firefox and webkit2gtk).
What's new in Lua 5.4
([Development] Jul 15, 2020 20:19 UTC (Wed) (benhoyt))
[1]Lua version 5.4 was released at the end of June; it is the fifteenth major version of the lightweight scripting language since its creation in 1993. [2]New in 5.4 is a [3]generational mode for the garbage collector, which performs better for programs with lots of short-lived allocations. The language now supports "attributes" on local variables, allowing developers to mark variables as constant (const) or resources as closeable (close). There were also significant performance improvements over 5.3 along with a host of minor changes.
[1] https://www.lua.org/
[2] https://www.lua.org/manual/5.4/readme.html#changes
[3] http://www.lua.org/manual/5.4/manual.html#2.5.2
[$] Ubuntu invests in Google's Flutter and Dart
([Development] Jul 16, 2020 18:38 UTC (Thu) (coogle))
[1]Flutter is Google's open-source toolkit to build cross-device (and cross-platform) applications. Based on the [2]Dart programming language released by the company in 2013, Flutter promises developers the ability to write and maintain a single application that runs on all of a user's devices. Flutter applications can be deployed on Android, iOS, web browsers (via JavaScript), and macOS; now Canonical and Google have [3]teamed up to support Flutter applications in Linux. Promises of native speed, rapid development, and a growing community make it an interesting technology to take a look at.
[1] https://flutter.dev/
[2] https://dart.dev/
[3] https://medium.com/flutter/announcing-flutter-linux-alpha-with-canonical-19eb824590a9
Security updates for Tuesday
([Security] Jul 14, 2020 14:49 UTC (Tue) (ris))
Security updates have been issued by Fedora (mingw-podofo and python-rsa), openSUSE (LibVNCServer, mozilla-nss, nasm, openldap2, and permissions), Red Hat (dovecot, sane-backends, and thunderbird), Scientific Linux (dbus), and SUSE (firefox and thunderbird).
[$] Operations restrictions for io_uring
([Kernel] Jul 15, 2020 0:25 UTC (Wed) (corbet))
The [1]io_uring subsystem is not much over one year old, having been merged for the 5.1 kernel in May 2019. It was initially added as a better way to perform asynchronous I/O from user space; over time it has gained numerous features and support for functionality beyond just moving bits around. What it has not yet gained is any sort of security mechanism beyond what the kernel already provides for the underlying system calls. That may be about to change, though, as the result of [2]this patch set from Stefano Garzarella adding a set of user-configurable restrictions to io_uring.
[1] https://lwn.net/Articles/776703/
[2] https://lwn.net/ml/linux-kernel/20200710141945.129329-1-sgarzare@redhat.com/
Security updates for Monday
([Security] Jul 13, 2020 15:08 UTC (Mon) (ris))
Security updates have been issued by Debian (chromium, mailman, openjpeg2, ruby-rack, squid3, tomcat8, and xen), Fedora (botan2, kernel, LibRaw, mingw-OpenEXR, mingw-podofo, podofo, seamonkey, squid, and webkit2gtk3), Mageia (ffmpeg, mbedtls, mediawiki, and xpdf), Oracle (kernel), Red Hat (bind, dbus, jbig2dec, and rh-nodejs12-nodejs), and SUSE (graphviz and xen).
[$] Open-source contact tracing, part 2
([Development] Jul 20, 2020 16:02 UTC (Mon) (mrybczyn))
Contact tracing is a way to help prevent the spread of a disease, such as COVID-19, by identifying an infected person's contacts so that they can be informed of the infection risk. In the [1]first part of this series, we introduced open-source contact-tracing applications developed in response to the current pandemic, and described how they work. In this part, we look into the details of some of them, of both centralized and decentralized design. These application projects have all released their source code, but they differ in the implementation details, licenses used, and whether they accept user requests or patches. We conclude with the controversies around the tracing applications and the responses to them.
[1] https://lwn.net/Articles/823532/
Kernel prepatch 5.8-rc5
([Kernel] Jul 13, 2020 13:10 UTC (Mon) (corbet))
The [1]5.8-rc5 kernel prepatch is out for testing; it's a relatively large set of changes. "Maybe I'm in denial, but I still think we might hit the usual release schedule. A few more weeks to go before I need to make that decision, so it won't be keeping me up at night."
[1] https://lwn.net/Articles/825976/
[$] Microsoft drops support for PHP
([Development] Jul 11, 2020 0:25 UTC (Sat) (coogle))
For years, Windows PHP users have enjoyed builds provided directly by Microsoft. The company has contributed to the PHP project in many ways, with the binaries made available on [1]windows.php.net being the most visible. Recently Microsoft Project Manager Dale Hirt [2]announced that, beginning with PHP 8.0, Microsoft support for PHP on Windows would end.
[1] http://windows.php.net/
[2] https://lwn.net/ml/php-internals/BYAPR21MB12691FC48E2DA27075609A7DCA640@BYAPR21MB1269.namprd21.prod.outlook.com/
Security updates for Friday
([Security] Jul 10, 2020 13:40 UTC (Fri) (jake))
Security updates have been issued by Fedora (curl, LibRaw, python-pillow, and python36), Mageia (coturn, samba, and vino), openSUSE (opera), and Ubuntu (openssl).
[$] Managing tasks with Org mode and iCalendar
([Development] Jul 14, 2020 0:53 UTC (Tue) (tbm))
In an earlier article, guest author Martin Michlmayr [1]reviewed the todo.txt and Taskwarrior task managers. This article continues the process of examining task managers by looking at tools for Org mode, which is a system originally created for Emacs, as well as at tools that make use of the iCalendar standard. It is time to find out whether he can find a system that meets his needs.
[1] https://lwn.net/Articles/824333/
[$] Creating open data interfaces with ODPi
([Development] Jul 10, 2020 17:53 UTC (Fri) (SMK))
Connecting one source of data to another isn't always easy because of different standards, data formats, and APIs to contend with, among the many challenges. One of the groups that is trying to help with the challenge of data interoperability is the Linux Foundation's [1]Open Data Platform initiative (ODPi). At the [2]2020 Open Source Summit North America virtual event on July 2, ODPi Technical Steering Committee chairperson Mandy Chessell outlined the goals of ODPi and the projects that are part of it. She also described how ODPi is taking an open-source development approach to make data more easily accessible.
[1] https://www.odpi.org/
[2] https://events.linuxfoundation.org/open-source-summit-north-america/
LWN.net Weekly Edition for July 16, 2020
Six new stable kernels
([Kernel] Jul 9, 2020 14:21 UTC (Thu) (jake))
Greg Kroah-Hartman has announced the release of the [1]5.7.8, [2]5.4.51, [3]4.19.132, [4]4.14.188, [5]4.9.230, and [6]4.4.230 stable kernels. As usual, these all contain important fixes; users should upgrade.
[1] https://lwn.net/Articles/825732/
[2] https://lwn.net/Articles/825733/
[3] https://lwn.net/Articles/825735/
[4] https://lwn.net/Articles/825736/
[5] https://lwn.net/Articles/825737/
[6] https://lwn.net/Articles/825738/
Security updates for Thursday
([Security] Jul 9, 2020 13:14 UTC (Thu) (jake))
Security updates have been issued by CentOS (firefox), Debian (ffmpeg, fwupd, ruby2.5, and shiro), Fedora (freerdp, gssdp, gupnp, mingw-pcre2, remmina, and xrdp), openSUSE (chocolate-doom), Oracle (firefox and kernel), and Ubuntu (linux, linux-lts-xenial, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon and thunderbird).
[$] LibreOffice: the next five years
([Development] Jul 9, 2020 15:29 UTC (Thu) (corbet))
The [1]LibreOffice project would seem to be on a roll. It produces what is widely seen as the leading free office-productivity suite, and has managed to move out of the shadow of the moribund (but brand-recognized) [2]Apache OpenOffice project. The LibreOffice 7 release is coming within a month, and the tenth anniversary of the [3]founding of the [4]Document Foundation arrives in September. Meanwhile, [5]LibreOffice Online is taking off and, seemingly, seeing some market success. So it is a bit surprising to see the project's core developers in a sort of crisis mode while users worry about a tag that showed up in the project's repository.
[1] https://www.libreoffice.org/
[2] https://lwn.net/Articles/729460/
[3] https://lwn.net/Articles/407339/
[4] https://www.documentfoundation.org/
[5] https://www.libreoffice.org/download/libreoffice-online/
Security updates for Wednesday
([Security] Jul 8, 2020 15:01 UTC (Wed) (ris))
Security updates have been issued by Debian (roundcube), Fedora (chromium, firefox, and ngircd), Oracle (firefox and thunderbird), Scientific Linux (firefox), Slackware (seamonkey), SUSE (djvulibre, ffmpeg, firefox, freetds, gd, gstreamer-plugins-base, icu, java-11-openjdk, libEMF, libexif, librsvg, LibVNCServer, libvpx, Mesa, nasm, nmap, opencv, osc, perl, php7, python-ecdsa, SDL2, texlive-filesystem, and thunderbird), and Ubuntu (cinder, python-os-brick).
The "Open Usage Commons" launches
([Briefs] Jul 8, 2020 14:53 UTC (Wed) (corbet))
Google has [1]announced the creation of the [2]Open Usage Commons, which is intended to help open-source projects manage their trademarks. From [3]the organization's own announcement: "We created the Open Usage Commons because free and fair open source trademark use is critical to the long-term sustainability of open source. However, understanding and managing trademarks takes more legal know-how than most project maintainers can do themselves. The Open Usage Commons is therefore dedicated to creating a model where everyone in the open source chain – from project maintainers to downstream users to ecosystem companies – has peace of mind around trademark usage and management. The projects in the Open Usage Commons will receive support specific to trademark protection and management, usage guidelines, and conformance testing." Initial members include the Angular, Gerrit, and Istio projects.
[1] https://opensource.googleblog.com/2020/07/announcing-new-kind-of-open-source.html
[2] https://openusage.org/
[3] https://openusage.org/news/introducing-the-open-usage-commons/
Sandboxing in Linux with zero lines of code (Cloudflare blog)
([Security] Jul 8, 2020 14:36 UTC (Wed) (corbet))
The Cloudflare blog is running [1]an overview of sandboxing with seccomp(), culminating in a tool written there to sandbox any existing program. "We really liked the 'zero code seccomp' approach with systemd SystemCallFilter= directive, but were not satisfied with its limitations. We decided to take it one step further and make it possible to prohibit any system call in any process externally without touching its source code, so came up with the Cloudflare sandbox. It’s a simple standalone toolkit consisting of a shared library and an executable. The shared library is supposed to be used with dynamically linked applications and the executable is for statically linked applications."
[1] https://blog.cloudflare.com/sandboxing-in-linux-with-zero-lines-of-code/
Maintaining stable stability
([Kernel] Jul 22, 2020 22:04 UTC (Wed) (jake))
The stable kernel trees are quite active, often seeing several releases in a week's time. But they are also meant to be ... well ... stable, so a lot of effort goes into trying to ensure that they do not introduce new bugs or regress the kernel's functionality. One of the stable maintainers, Sasha Levin, gave a talk at the virtual [1]Open Source Summit North America that described the process of ensuring that these trees are carefully managed so that they can provide a stable base for their users.
[1] https://events.linuxfoundation.org/open-source-summit-north-america/
None of our men are "experts." We have most unfortunately found it necessary
to get rid of a man as soon as he thinks himself an expert -- because no one
ever considers himself expert if he really knows his job. A man who knows a
job sees so much more to be done than he has done, that he is always pressing
forward and never gives up an instant of thought to how good and how efficient
he is. Thinking always ahead, thinking always of trying to do more, brings a
state of mind in which nothing is impossible. The moment one gets into the
"expert" state of mind a great number of things become impossible.
-- From Henry Ford Sr., "My Life and Work"