Protecting code integrity with PGP

Thu, 12/14/2017 - 11:40
Linux Foundation Director of IT infrastructure security, Konstantin Ryabitsev, has put together a lengthy guide to using Git and PGP to protect the integrity of source code. In a Google+ post, he called it "beta quality" and asked for help with corrections and fixes. "PGP incorporates a trust delegation mechanism known as the 'Web of Trust.' At its core, this is an attempt to replace the need for centralized Certification Authorities of the HTTPS/TLS world. Instead of various software makers dictating who should be your trusted certifying entity, PGP leaves this responsibility to each user. Unfortunately, very few people understand how the Web of Trust works, and even fewer bother to keep it going. It remains an important aspect of the OpenPGP specification, but recent versions of GnuPG (2.2 and above) have implemented an alternative mechanism called 'Trust on First Use' (TOFU). You can think of TOFU as 'the SSH-like approach to trust.' With SSH, the first time you connect to a remote system, its key fingerprint is recorded and remembered. If the key changes in the future, the SSH client will alert you and refuse to connect, forcing you to make a decision on whether you choose to trust the changed key or not. Similarly, the first time you import someone's PGP key, it is assumed to be trusted. If at any point in the future GnuPG comes across another key with the same identity, both the previously imported key and the new key will be marked as invalid and you will need to manually figure out which one to keep. In this guide, we will be using the TOFU trust model."

Stable kernels 4.14.6 and 4.9.69

Thu, 12/14/2017 - 11:21
Two new stable kernels have been released by Greg Kroah-Hartman: 4.14.6 and 4.9.69. As usual, they contain fixes all over the kernel tree; users of those series should upgrade.

Security updates for Thursday

Thu, 12/14/2017 - 10:41
Security updates have been issued by Arch Linux (qt5-webengine and quagga), Debian (xrdp), Oracle (kernel), Red Hat (eap7-jboss-ec2-eap, go-toolset-7 and go-toolset-7-golang, and java-1.8.0-ibm), and SUSE (intel-SINIT and tomcat).

[$] Weekly Edition for December 14, 2017

Wed, 12/13/2017 - 20:27
The Weekly Edition for December 14, 2017 is available.


Wed, 12/13/2017 - 17:46
The MAP_FIXED option to the mmap() system call allows a process to specify that a mapping should be placed at a given virtual address if at all possible. It turns out, though, that "if at all possible" can involve a bit more collateral damage than some would like, and can even lead to exploitable vulnerabilities. A new, safer option is in the works but, as is often the case, it has run into a bit of non-technical difficulty.

[$] An overview of KubeCon + CloudNativeCon

Wed, 12/13/2017 - 13:22
The Cloud Native Computing Foundation (CNCF) held its conference, KubeCon + CloudNativeCon, in December 2017. There were 4000 attendees at this gathering in Austin, Texas, more than at all the previous KubeCons, which shows the rapid growth of the community building around the tool that was announced by Google in 2014. Large corporations are also taking a larger part in the community, with major players in the industry joining the CNCF, which is a project of the Linux Foundation. The CNCF now features three of the largest cloud hosting businesses (Amazon, Google, and Microsoft), but also emerging companies from Asia like Baidu and Alibaba.

Linaro ERP 17.12 released

Wed, 12/13/2017 - 11:58
Linaro has announced the 17.12 release of its "Enterprise Reference Platform" distribution. "The goal of the Linaro Enterprise Reference Platform is to provide a fully tested, end to end, documented, open source implementation for ARM based Enterprise servers. The Reference Platform includes kernel, a community supported userspace and additional relevant open source projects, and is validated against existing firmware releases."

Security updates for Wednesday

Wed, 12/13/2017 - 11:09
Security updates have been issued by Debian (tiff), openSUSE (firefox, fossil, GraphicsMagick, and libheimdal), Red Hat (rh-java-common-lucene and rh-java-common-lucene5), and Ubuntu (libxml2).

[$] Process tagging with ptags

Tue, 12/12/2017 - 19:22
For various reasons related to accounting and security, there is recurring interest in having the kernel identify the container that holds any given process. Attempts to implement that functionality tend to run into the same roadblock, though: the kernel has no concept of what a "container" is, and there is seemingly little desire to change that state of affairs. A solution to this problem may exist in the form of a neglected patch called "ptags", which enables the attachment of arbitrary tags to processes.

[$] Federation in social networks

Tue, 12/12/2017 - 17:27
Social networking is often approached by the free-software community with a certain amount of suspicion—rightly so, since commercial social networks almost always generate revenue by exploiting user data in one way or another. While attempts at a free-software approach to social networking have so far not met widespread success, the new ActivityPub federation protocol and its implementation in the free-software microblogging system Mastodon are gaining popularity and already show some of the advantages of a community-driven approach.

Fedora 25 End Of Life

Tue, 12/12/2017 - 16:56
Fedora 25 has reached its end of life. There will be no more updates. Users are advised to upgrade.

Security updates for Tuesday

Tue, 12/12/2017 - 11:02
Security updates have been issued by Debian (chromium-browser, evince, pdns-recursor, and simplesamlphp), Fedora (ceph, dhcp, erlang, exim, fedora-arm-installer, firefox, libvirt, openssh, pdns-recursor, rubygem-yard, thunderbird, wordpress, and xen), Red Hat (rh-mysql57-mysql), SUSE (kernel), and Ubuntu (openssl).

Nottingham: Internet protocols are changing

Tue, 12/12/2017 - 10:07
Worth a read: this APNIC blog entry from Mark Nottingham on the near-term evolution of various Internet protocols. "The newest change on the horizon is DOH — DNS over HTTP. A significant amount of research has shown that networks commonly use DNS as a means of imposing policy (whether on behalf of the network operator or a greater authority). Circumventing this kind of control with encryption has been discussed for a while, but it has a disadvantage (at least from some standpoints) — it is possible to discriminate it from other traffic; for example, by using its port number to block access. DOH addresses that by piggybacking DNS traffic onto an existing HTTP connection, thereby removing any discriminators."

[$] Toward better CPU load estimation

Mon, 12/11/2017 - 18:33
"Load tracking" refers to the kernel's attempts to track how much load each running process will put on the system's CPUs. Good load tracking can yield reasonable predictions about the near-future demands on the system; those, in turn, can be used to optimize the placement of processes and the selection of CPU-frequency parameters. Obviously, poor load tracking will lead to less-than-optimal results. While achieving perfection in load tracking seems unlikely for now, it appears that it is possible to do better than current kernels do. The utilization estimation patch set from Patrick Bellasi is the latest in a series of efforts to make the scheduler's load tracking work well with a wider variety of workloads.

Artifex and Hancom Reach Settlement Over Ghostscript Open Source Dispute

Mon, 12/11/2017 - 16:10
Artifex Software, Inc. and Hancom, Inc. have announced a confidential agreement to settle their legal dispute. The case filed by Artifex concerned the use of Artifex’s GPL licensed Ghostscript in Hancom's office product. "While the parties had their differences in the interpretation of the open source license, the companies were able to reach an amicable resolution based on their mutual respect for and recognition of the copyright protection and the open source philosophy."

Elisa 0.0.80 Released

Mon, 12/11/2017 - 14:07
A very early alpha version of the Elisa music player has been released. "Elisa allows browsing music by album, artist or all tracks. The music is indexed using either a private indexer or an indexer using Baloo. The private one can be configured to scan music on chosen paths. The Baloo one is much faster because Baloo is providing all needed data from its own database. You can build and play your own playlist."

Debian stable releases

Mon, 12/11/2017 - 11:35
The Debian project has released updates to oldstable "jessie" and stable "stretch". Debian 9.3 "stretch" and Debian 8.10 "jessie" are available with the usual set of corrections for security issues and adjustments for serious problems.

Four stable kernel updates

Mon, 12/11/2017 - 11:20
Stable kernels 4.14.5, 4.9.68, 4.4.105, and 3.18.87 have been released. They all contain important fixes and users should upgrade.

Security updates for Monday

Mon, 12/11/2017 - 11:12
Security updates have been issued by CentOS (postgresql), Debian (firefox-esr, kernel, libxcursor, optipng, thunderbird, wireshark, and xrdp), Fedora (borgbackup, ca-certificates, collectd, couchdb, curl, docker, erlang-jiffy, fedora-arm-installer, firefox, git, linux-firmware, mupdf, openssh, thunderbird, transfig, wildmidi, wireshark, xen, and xrdp), Mageia (firefox and optipng), openSUSE (erlang, libXfont, and OBS toolchain), Oracle (kernel), Slackware (openssl), and SUSE (kernel and OBS toolchain).

Kernel prepatch 4.15-rc3

Sun, 12/10/2017 - 21:36
The 4.15-rc3 kernel prepatch is out. "I'm not thrilled about how big the early 4.15 rc's are, but rc3 is often the biggest rc because it's still fairly early in the calming-down period, and yet people have had some time to start finding problems. That said, this rc3 is big even by rc3 standards. Not good." 489 changesets were merged since 4.15-rc2.