Linux Weekly News
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Frissült: 5 perc 40 másodperc
The LWN.net Weekly Edition for January 5, 2017 is available.
Old habits die hard, even when support for the tools required by those habits ended over a decade ago. It is not surprising for users to cling to the tools they learned early in their careers, even when they are told that it is time to move on. A recent discussion on the Debian development list showed the sort of stress that this kind of inertia can put on a distribution and explored the options that distributors have to try to nudge their users toward more supportable solutions.
The Google Open Source Blog introduces the Grumpy project. "Grumpy is an experimental Python runtime for Go. It translates Python code into Go programs, and those transpiled programs run seamlessly within the Go runtime. We needed to support a large existing Python codebase, so it was important to have a high degree of compatibility with CPython (quirks and all). The goal is for Grumpy to be a drop-in replacement runtime for any pure-Python project."
Arch Linux has updated lib32-curl (two vulnerabilities), lib32-libcurl-compat (two vulnerabilities), lib32-libcurl-gnutls (two vulnerabilities), libcurl-compat (two vulnerabilities), libcurl-gnutls (two vulnerabilities), and pcsclite (privilege escalation).
Debian has updated libphp-phpmailer (regression in previous update).
Gentoo has updated firefox (multiple vulnerabilities).
Version 0.92 of the Inkscape vector drawing editor is available. "New features include mesh gradients, improved SVG2 and CSS3 support, new path effects, interactive smoothing for the pencil tool, a new Object dialog for directly managing all drawing elements, and much more. Infrastructural changes are also under way, including a switch to CMake from the venerable Autotools build system." See the release notes for details.
In what is becoming its annual tradition, the darktable project released a new stable version of its image-editing system at the end of December. The new 2.2 release incorporates several new photo-correction features of note.
Click below (subscribers only) for the full article from Nathan Willis.
James Bottomley looks at Trusted Platform Module (TPM) version 2. "Recently Microsoft started mandating TPM2 as a hardware requirement for all platforms running recent versions of windows. This means that eventually all shipping systems (starting with laptops first) will have a TPM2 chip. The reason this impacts Linux is that TPM2 is radically different from its predecessor TPM1.2; so different, in fact, that none of the existing TPM1.2 software on Linux (trousers, the libtpm.so plug in for openssl, even my gnome keyring enhancements) will work with TPM2. The purpose of this blog is to explore the differences and how we can make ready for the transition." (Thanks to Paul Wise)
CentOS has updated ipa (C7: two vulnerabilities).
Debian-LTS has updated samba (privilege escalation).
Gentoo has updated firefox (multiple vulnerabilities, some from 2014).
Oracle has updated ipa (OL7: two vulnerabilities).
HackerBoards.com takes a look at hacker-friendly single board computers. "Community backed, open spec single board computers running Linux and Android sit at the intersection between the commercial embedded market and the open source maker community. Hacker boards also play a key role in developing the Internet of Things devices that will increasingly dominate our technology economy in the coming years, from home automation devices to industrial equipment to drones. This year, we identified 90 boards that fit our relatively loose requirements for community-backed, open spec SBCs running Linux and/or Android."
Pieter Hintjens passed away last October. "Pieter was known mostly for founding the ZeroMQ project but he was also an ambitious fighter for the open source philosophy, an active opponent to software patents and an inspiring and keen thinker on open systems of all kind." (Thanks to Viktor Horvath)
Debian-LTS has updated hdf5 (multiple vulnerabilities), hplip (man-in-the-middle attack from 2015), kernel (multiple vulnerabilities), libphp-phpmailer (code execution), pgpdump (denial of service), postgresql-common (file overwrites), python-crypto (denial of service), and shutter (code execution from 2015).
Fedora has updated curl (F24: buffer overflow), cxf (F25: two vulnerabilities), game-music-emu (F24: multiple vulnerabilities), libbsd (F25; F24: denial of service), libpng (F25: NULL dereference bug), mingw-openjpeg2 (F25; F24: multiple vulnerabilities), openjpeg2 (F24: two vulnerabilities), php-zendframework-zend-mail (F25; F24: parameter injection), springframework (F25: directory traversal), tor (F25; F24: denial of service), xen (F24: three vulnerabilities), and zookeeper (F25; F24: buffer overflow).
Gentoo has updated bash (code execution), busybox (denial of service), chicken (multiple vulnerabilities going back to 2013), cyassl (multiple vulnerabilities from 2014), e2fsprogs (code execution from 2015), hdf5 (multiple vulnerabilities), icinga (privilege escalation), libarchive (multiple vulnerabilities, some from 2015), libjpeg-turbo (code execution), libotr (code execution), lzo (code execution from 2014), mariadb (multiple unspecified vulnerabilities), memcached (code execution), musl (code execution), mutt (denial of service from 2014), openfire (multiple vulnerabilities from 2015), openvswitch (code execution), pillow (multiple vulnerabilities, two from 2014), w3m (multiple vulnerabilities), xdg-utils (command execution from 2014), and xen (multiple vulnerabilities).
openSUSE has updated firefox (13.1: multiple vulnerabilities), gd (42.2, 42.1: stack overflow), GNU Health (42.2: two vulnerabilities), roundcubemail (13.1: cross-site scripting), kernel (42.1: information leak), thunderbird (42.2, 42.1, 13.2; SPH for SLE12: multiple vulnerabilities), and xen (42.2; 42.1; 13.2: multiple vulnerabilities).
Richard Fontana reviews legal development in 2016 on opensource.com. "The Federal Source Code Policy is notable for placing emphasis on adhering to proper standards for open development as well as open source licensing. Agencies releasing open source code are directed to do so in a manner that encourages engagement with existing communities, fosters growth of new communities, and facilitates contribution both by the community to the federal code and by federal employees and contractors to upstream projects."
The second 4.10 kernel prepatch is out for testing. "Hey, it's been a really slow week between Christmas Day and New Years Day, and I am not complaining at all. It does mean that rc2 is ridiculously and unrealistically small. I almost decided to skip rc2 entirely, but a small little meaningless release every once in a while never hurt anybody. So here it is."
The Python 3.6 release occurred on December 23, only one week later than planned all the way back in October 2015. Python 3.6 adds a number of new features, including more support for asynchronous operations (generators and comprehensions), a filesystem path protocol, a new literal string formatting option, two random-number-related features, a frame evaluation API for debuggers and just-in-time (JIT) compilation, and more. Some of these features have been described in LWN articles along the way, but many haven't, so an overview of the highlights of the new release is in order.
Subscribers can click below to see the article that will appear in next week's edition.
Debian has updated dcmtk (code execution from 2015).
Gentoo has updated mod_wsgi (privilege escalation from 2014).
Mageia has updated game-music-emu (multiple vulnerabilities), gstreamer1.0-plugins-good (multiple vulnerabilities), hdf5 (multiple vulnerabilities), kernel, kmod (three vulnerabilities), libgsf (denial of service), openjpeg2 (multiple vulnerabilities), roundcubemail (code execution), and samba (authentication bypass).
openSUSE has updated irc-otr (42.2: information disclosure).
The Electronic Frontier Foundation has a review of patent lawsuits in 2016. "We saw mixed results in the courts this year. The Supreme Court issued a good decision cutting back on out of control damages in design patent cases. Meanwhile, the Federal Circuit issued a very disappointing decision that allows patent owners to undermine ownership by asserting patent rights even after selling a patented good. Fortunately, the Supreme Court has agreed to review that ruling. We will file an amicus brief supporting the fundamental principle that once you buy something, you own it."
Arch Linux has updated openfire (multiple vulnerabilities).
Debian-LTS has updated libcrypto++ (denial of service).
Fedora has updated community-mysql (F25; F24: multiple unspecified vulnerabilities), curl (F25: buffer overflow), hdf5 (F25: multiple vulnerabilities), js-jquery (F25: cross-site scripting), nagios-plugins (F25; F24: multiple vulnerabilities), python-wikitcms (F25; F24: code execution), and xen (F25: multiple vulnerabilities).
Gentoo has updated firejail-lts (denial of service).
Darktable 2.2.0 has been released. This version includes the new automatic perspective correction module, a liquify tool for all your fancy pixel moving, a new image module to use a Color Look Up Table (CLUT) to change colors in the image, and much more.
Jim Hall has announced the release of FreeDOS 1.2. "The FreeDOS 1.2 release is an updated, more modern FreeDOS. You'll see that we changed many of the packages. Some packages were replaced, deprecated by newer and better packages. We also added other packages. And we expanded what we should include in the FreeDOS distribution. Where FreeDOS 1.0 and 1.1 where fairly spartan distributions with only "core" packages and software sets, the FreeDOS 1.2 distribution includes a rich set of additional packages. We even include games." There is also a new installer.
Debian-LTS has updated exim4 (information leak), phpmyadmin (multiple vulnerabilities), python-bottle (CRLF attacks), qemu (three vulnerabilities), qemu-kvm (three vulnerabilities), spip (two vulnerabilities), and squid3 (information leak).
SUSE has updated dnsmasq (SLE12-SP2,SP1: denial of service).
HUP napi hírlevél