The LWN.net Weekly Edition for June 27, 2019 is available.
Over the past couple of months, things have been moving fairly swiftly
toward the establishment of a separate entity to govern the openSUSE
project. The idea is mainly meant to set up an organization that can
receive and disburse funds on behalf of the project, rather than as some
kind of move away from its parent company, SUSE. Also, while SUSE seems to
be in a healthy position with a strong interest in supporting and working
on openSUSE, that could change down the road, so a foundation or similar
organization seems like the right way to go. At this point, the first
draft of the foundation proposal has been posted; it generally has the
support of SUSE management, so it is time to see what thoughts the
Security updates have been issued by Debian (python3.4), Oracle (firefox), Red Hat (firefox and kernel-alt), SUSE (ImageMagick and SUSE Manager Server 3.2), and Ubuntu (bzip2).
More bugs in free software are being found these days, which is good for
many reasons, but there are some possible downsides to that as well. In
addition, projects like OSS-Fuzz are
finding lots of bugs in an automated fashion—many of which may be security
relevant. The sheer number of bugs being reported is overwhelming many
(most?) free-software projects, which simply do not have enough eyeballs to
fix, or even triage, many of the reports they receive. A discussion about
that is currently playing out on the oss-security mailing list.
GitLab 12.0 has been released
gives users the ability to automatically create review apps for each merge request. This allows anyone to see how the design or UX has been changed.
In GitLab 12.0, we are expanding the ability to discuss those changes by
bringing the ability to insert visual review
tools directly into the Review App itself. With a small code snippet,
users can enable designers, product managers, and other stakeholders to
quickly provide feedback on a merge request without leaving the
" Other features include the ability to easily access a
project's Dependency List, restrict access by IP address, and much more.
Stable kernels 5.1.15, and 4.14.130 have been released. They all contain
important fixes and users should upgrade.
Security updates have been issued by CentOS (python), Debian (bzip2, libvirt, python2.7, python3.4, rdesktop, and thunderbird), Fedora (thunderbird and tomcat), openSUSE (aubio, docker, enigmail, GraphicsMagick, and python-Jinja2), SUSE (kernel, libvirt, postgresql96, and tomcat), and Ubuntu (ceph, firefox, imagemagick, libmysofa, linux, linux-hwe, neutron, and policykit-desktop-privileges).
Konstantin Ryabitsev has announced
a new public blogging platform for kernel developers. "Ever since the demise of Google+, many developers have expressed a desire to have a service that would provide a way to create and manage content in a format that would be more rich and easier to access than email messages sent to LKML.
Today, we would like to introduce people.kernel.org, which is an
ActivityPub-enabled federated platform powered by WriteFreely and hosted by
very nice and accommodating folks at write.as.
" (LWN looked at WriteFreely
back in March).
statement from the Apache Software Foundation
regarding changes in its
leadership: "It is with a mix of sadness and appreciation that the
ASF Board accepted the resignations of Board Member Jim Jagielski, Chairman
Phil Steitz, and Executive Vice President Ross Gardler last month.
There is no indication of why all these people decided to leave at the same
Technologies like UEFI secure boot are intended to guarantee that a
locked-down system is running the software intended by its owner (for a
definition of "owner" as "whoever holds the signing key recognized by the
firmware"). That guarantee is hard to uphold, though, if a program run on
the system in question is able to modify the running kernel somehow. Thus,
proponents of secure-boot technologies have been trying for years to
provide the ability to lock
down many types of kernel functionality on secure systems. The latest
attempt, posted by Matthew Garrett at an eyebrow-raising version 34,
tries to address previous concerns by putting lockdown under the control of
a Linux security module (LSM).
Canonical has let
it be known
that minds have been changed about removing all 32-bit x86
support from the Ubuntu distribution. "Thanks to the huge amount of feedback this weekend from gamers, Ubuntu Studio, and the WINE community, we will change our plan and build selected 32-bit i386 packages for Ubuntu 19.10 and 20.04 LTS.
We will put in place a community process to determine which 32-bit packages are needed to support legacy software, and can add to that list post-release if we miss something that is needed.
PostmarketOS is an Alpine Linux-based operating system for mobile
devices. The postmarketOS blog takes a look
at the project after two years of development. "Wouldn't it be great if you could take any obsolete smartphone from the past ten years and replace its outdated and insecure software with a maintained, modular free software stack? How about then using it as a Raspberry Pi-like device for your next tinkering project? With some constraints, postmarketOS makes this possible today for 139 booting devices. Every single package in the whole OS can be updated, with the only exceptions being the vendor's Linux kernel and firmware blobs (if you plan on using them). In a few cases, it is even possible to switch out the discontinued vendor kernel forks with the upstream kernel releases straight from Linus Torvalds.
Security updates have been issued by Debian (jackson-databind, libvirt, pdns, and vim), Fedora (evince, firefox, gjs, libxslt, mozjs60, and poppler), openSUSE (dbus-1, firefox, ImageMagick, netpbm, openssh, and thunderbird), Oracle (libssh2, libvirt, and python), Scientific Linux (python), SUSE (compat-openssl098 , dbus-1 , evince , exempi , firefox , glib2 , gstreamer-0_10-plugins-base , gstreamer-plugins-base , java-1_8_0-ibm , libssh2_org , libvirt , netpbm , samba , SDL2 , sqlite3 , thunderbird , and wireshark ), and Ubuntu (web2py).
kernel prepatch has been
released. Linus worries that the volume of changes has increased — but not
too much. "With all that out of the way, I'm still reasonably
optimistic that we're on track for a calm final part of the release, and I
don't think there is anything particularly bad on the horizon.
also notes that, due to travel, he'll be releasing 5.2-rc7 later than
operating system is continuing
to make progress, 26 years after it got its name. Among the areas where
work is being done is on
improved support for RISC-V,
filesystem updates, C runtime changes, and security improvements. FreeBSD
Day is celebrated on June 19, in recognition of the date in 1993 when
the name FreeBSD was coined for
a fork of the 386BSD project. The first official release
of FreeBSD did not occur until November 1, 1993, however.
Ahead of FreeBSD
Day, the project released its quarterly
report for the first quarter of 2019, outlining some of its ongoing
efforts. In addition to the quarterly report, the executive director of the
FreeBSD Foundation provided LWN with some insights into the state of the
project and the foundation that supports it.
As of this writing, just over 13,600 non-merge changesets have been pulled
into the mainline repository for the 5.2 development cycle. The time has
come, once again, for a look at where that work came from and who supported
it. There are some unique aspects to 5.2 that have thrown off some of the
Bunnie Huang writes
about the escalating trade wars
and how they could be harmful to the
open-source community. "Because the administrative action so far
against Huawei relies only upon export license restrictions, the Linux
Foundation has been able to find shelter under a license exemption for open
source software. However, should Huawei be designated as a 'foreign
adversary' under EO13873, it greatly expands the scope of the ban because
it prohibits transactions with entities under the direction or influence of
foreign adversaries. The executive order also broadly includes any
information technology including hardware and software with no exemption
for open source.
Security updates have been issued by CentOS (libvirt and python), Debian (intel-microcode, php-horde-form, and znc), Fedora (firefox), Mageia (firefox, flash-player-plugin, git, graphicsmagick, kernel, kernel-linus, kernel-tmb, phpmyadmin, and thunderbird), Oracle (libssh2, libvirt, and python), Red Hat (libvirt and python), Scientific Linux (libvirt), Slackware (bind and mozilla), SUSE (enigmail), and Ubuntu (bind9, intel-microcode, mosquitto, postgresql-10, postgresql-11, and thunderbird).
The calling interfaces between programming languages are, by their nature,
ripe for misunderstandings; different languages can have subtly different
ideas of how data should be passed around. Such misunderstandings often
have the effect of making things break right away; these are quickly
fixed. Others can persist for years or even decades before jumping out of
the shadows and making things fail. A problem of the latter variety
recently turned up in how some C programs are passing strings to Fortran
subroutines, with unpleasant effects on widely used packages like LAPACK