Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Mailman 3.1.0 released

Fri, 05/26/2017 - 17:01
The 3.1.0 release of the Mailman mailing list manager is out. "Two years after the original release of Mailman 3.0, this version contains a huge number of improvements across the entire stack. Many bugs have been fixed and new features added in the Core, Postorius (web u/i), and HyperKitty (archiver). Upgrading from Mailman 2.1 should be better too. We are seeing more production sites adopt Mailman 3, and we've been getting great feedback as these have rolled out. Important: mailman-bundler, our previous recommended way of deploying Mailman 3, has been deprecated. Abhilash Raj is putting the finishing touches on Docker images to deploy everything, and he'll have a further announcement in a week or two." New features include support for Python 3.5 and 3.6, MySQL support, new REST resources and methods, user interface and user experience improvements, and more.

Poyarekar: The story of tunables

Fri, 05/26/2017 - 15:43
On his blog, Siddhesh Poyarekar looks at tunables in the GNU C library (glibc). The idea for centralizing the handling of tunable parameters in the library started back in 2013, but it was added to glibc in version 2.25, which was released in February. "Tunables is an internal implementation detail in glibc. It is a way to manage ways in which we allow behaviour in glibc to be modified. As of now the only way to manage glibc is via environment variables and the way to do that was strewn all over the place in the source code. Tunables provide one place to add the tunable parameter with all of the characteristics it would have and then the framework will handle everything from there. The user of that tunable (e.g. malloc for MALLOC_MMAP_THRESHOLD_ or malloc.mmap.threshold in tunables parlance) would then simply access the tunable from the list and do what it wants to do, without bothering about where it came from."

[$] What's new in gnuplot 5.2

Fri, 05/26/2017 - 12:59
This article is a tour of some of the newest features in the gnuplot plotting utility. Some of these features are already present in the 5.0 release, and some are planned for the next official release, which will be gnuplot 5.2. Highlights in the upcoming release include hypertext labels, more control over axes, a long-awaited ability to add labels to contours, better lighting effects, and more; read on for the details.

Security updates for Friday

Fri, 05/26/2017 - 11:48
Security updates have been issued by CentOS (kernel), Debian (graphicsmagick, imagemagick, kde4libs, and puppet), Fedora (FlightCrew, kernel, libvncserver, and wordpress), Gentoo (adobe-flash, smb4k, teeworlds, and xen), Mageia (kernel, kernel-linus, kernel-tmb, and perl-CGI-Emulate-PSGI), openSUSE (GraphicsMagick and rpcbind), Oracle (kernel), Red Hat (kernel and kernel-rt), and Scientific Linux (kernel).

The Licensing and Compliance Lab interviews AJ Jordon of gplenforced.org (FSF Blog)

Thu, 05/25/2017 - 18:56
The Free Software Foundation's blog is carrying an interview with AJ Jordon, who runs the gplenforced.org site to support GPL enforcement efforts and to help other projects indicate their support. "gplenforced.org is a small site I made that has exactly two purposes: host a badge suitable for embedding into a README file on GitLab or something, and provide some text with an easy and friendly explanation of GPL enforcement for that badge to link to. Putting badges in READMEs has been pretty trendy for a while now — people add badges to indicate whether their test suite is passing, their dependencies are up-to-date, and what version is published in language package managers. gplenforced.org capitalizes on that trend to add the maintainer's beliefs about license enforcement, too."

Alpine Linux 3.6.0 Released

Thu, 05/25/2017 - 16:35
Alpine Linux 3.6.0 has been released. Alpine is an independent, minimalist distribution that is built around musl libc and busybox to keep it small and resource efficient. This version adds support for 64-bit little-endian POWER machines (ppc64le) and 64-bit IBM z Systems (s390x).

Devuan Jessie 1.0.0 stable LTS

Thu, 05/25/2017 - 16:17
The Devuan project set out to create a systemd-less Debian, and now Devuan Jessie 1.0.0 Stable has been released. "There have been no significant bug reports since Devuan Jessie RC2 was announced only three weeks ago and the list of release critical bugs is now empty. So finally Devuan Jessie Stable is ready for release! As promised, this will also be a Long-Term-Support (LTS) release. Our team will participate in providing patches, security updates, and release upgrades beyond the planned lifespan of Debian Jessie."

Stable kernel updates

Thu, 05/25/2017 - 13:55
Greg Kroah-Hartman has announced the release of the 4.11.3, 4.9.30, 4.4.70, and 3.18.55 stable kernels. They contain a rather large set of patches all over the tree and users should upgrade.

Security updates for Thursday

Thu, 05/25/2017 - 11:32
Security updates have been issued by CentOS (samba and samba4), Mageia (samba), openSUSE (bash and samba), Oracle (samba and samba4), Slackware (samba), SUSE (ghostscript and java-1_7_0-openjdk), and Ubuntu (firefox and samba).

[$] LWN.net Weekly Edition for May 25, 2017

Wed, 05/24/2017 - 20:46
The LWN.net Weekly Edition for May 25, 2017 is available.

[$] Progress on the Gilectomy

Wed, 05/24/2017 - 16:37

At the 2016 Python Language Summit, Larry Hastings introduced Gilectomy, his project to remove the global interpreter lock (GIL) from CPython. The GIL serializes access to the Python interpreter, so it severely limits the performance of multi-threaded Python programs. At the 2017 summit, Hastings was back to update attendees on the progress he has made and where Gilectomy is headed.

[$] The state of bugs.python.org

Wed, 05/24/2017 - 15:27

In a brief session at the 2017 Python Language Summit, Maciej Szulik gave an update on the state of, and plans for, bugs.python.org (bpo). It is the Roundup-based bug tracker for Python; moving to GitHub has not changed that. He described the work that two Google Summer of Code (GSoC) students have done to improve the bug tracker.

[$] New CPython workflow issues

Wed, 05/24/2017 - 12:57

As part of a discussion in 2014 about where to host some of the Python repositories, Brett Cannon was delegated the task of determining where they should end up. In early 2016, he decided that Python's code and other repositories (e.g. PEPs) should land at GitHub; at last year's language summit, he gave an overview of where things stood with a few repositories that had made the conversion. Since that time, the CPython repository has made the switch and he wanted to discuss some of the workflow issues surrounding that move at this year's summit.

A Samba remote code execution vulnerability

Wed, 05/24/2017 - 12:18
The Samba Team has issued an advisory regarding CVE-2017-7494: "All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it." Distributors are already shipping the fix; there's also a workaround in the advisory for those who cannot update immediately.

[$] System monitoring with osquery

Wed, 05/24/2017 - 12:17

Your operating system generates a lot of run-time data and statistics that are useful for monitoring system security and performance. How you get this information depends on the operating system you're running. It could be from a report in a fancy GUI, or obtained via a specialized API, or simply text values read from the filesystem in the case of Linux and /proc. However, imagine if you could get this data via an SQL query, and obtain the output as a database table or JSON object. This is exactly what osquery lets you do on Linux, macOS, and Windows.

Check Point: Hacked in Translation

Wed, 05/24/2017 - 12:13
Check Point has issued an advisory that a number of video-player applications can be compromised via specially crafted subtitles. "By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years."

[$] Python 3.6.x, 3.7.0, and beyond

Wed, 05/24/2017 - 11:50

Ned Deily, release manager for the Python 3.6 and 3.7 series, opened up the 2017 edition of the Python Language Summit with a look at the release process and where things stand. It was an "abbreviated update" to his talk at last year's summit, he said. He looked to the future for 3.6 and 3.7, but also looked a bit beyond those two.

This is the start of LWN's coverage of the language summit; look for more articles over the next week or so.

Security updates for Wednesday

Wed, 05/24/2017 - 11:41
Security updates have been issued by CentOS (libtirpc and rpcbind), Debian (libtasn1-3, libtasn1-6, and samba), Fedora (FlightGear, openvpn, and python-fedora), openSUSE (libtirpc and libxslt), Oracle (libtirpc and rpcbind), Red Hat (samba, samba3x, and samba4), Scientific Linux (samba and samba4), SUSE (java-1_7_0-ibm, java-1_7_1-ibm, java-1_8_0-ibm, samba, and tomcat), and Ubuntu (jbig2dec, miniupnpc, rtmpdump, and samba).

[$] Containers as kernel objects

Tue, 05/23/2017 - 18:56
The kernel has, over the years, gained comprehensive support for containers; that, in turn, has helped to drive the rapid growth of a number of containerization systems. Interestingly, though, the kernel itself has no concept of what a container is; it just provides a number of facilities that can be used in the creation of containers in user space. David Howells is trying to change that state of affairs with a patch set adding containers as a first-class kernel object, but the idea is proving to be a hard sell in the kernel community.

LibreOffice leverages Google’s OSS-Fuzz to improve quality of office suite

Tue, 05/23/2017 - 14:31
The Document Foundation looks at the progress made in improving the quality and reliability of LibreOffice's source code by using Google's OSS-Fuzz. "Developers have used the continuous and automated fuzzing process, which often catches issues just hours after they appear in the upstream code repository, to solve bugs - and potential security issues - before the next binary release. LibreOffice is the first free office suite in the marketplace to leverage Google's OSS-Fuzz. The service, which is associated with other source code scanning tools such as Coverity, has been integrated into LibreOffice's security processes - under Red Hat's leadership - to significantly improve the quality of the source code."
