News reader
Security updates for Thursday
Security updates have been issued by CentOS (firefox), Debian (ffmpeg, fwupd, ruby2.5, and shiro), Fedora (freerdp, gssdp, gupnp, mingw-pcre2, remmina, and xrdp), openSUSE (chocolate-doom), Oracle (firefox and kernel), and Ubuntu (linux, linux-lts-xenial, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon and thunderbird).
[$] LWN.net Weekly Edition for July 9, 2020
The LWN.net Weekly Edition for July 9, 2020 is available.
07/08 Neptune 6.5
[$] Linux Mint drops Ubuntu Snap packages
The Linux Mint project has made good on previous threats to actively prevent Ubuntu Snap packages from being installed through the APT package-management system without the user's consent. This move is the result of "major worries" from Linux Mint on Snap's impact with regard to user choice and software freedom. Ubuntu's parent company, Canonical, seems open to finding a solution to satisfy the popular distribution's concerns — but it too has interests to consider.
Security updates for Wednesday
Security updates have been issued by Debian (roundcube), Fedora (chromium, firefox, and ngircd), Oracle (firefox and thunderbird), Scientific Linux (firefox), Slackware (seamonkey), SUSE (djvulibre, ffmpeg, firefox, freetds, gd, gstreamer-plugins-base, icu, java-11-openjdk, libEMF, libexif, librsvg, LibVNCServer, libvpx, Mesa, nasm, nmap, opencv, osc, perl, php7, python-ecdsa, SDL2, texlive-filesystem, and thunderbird), and Ubuntu (cinder, python-os-brick).
The "Open Usage Commons" launches
Google has announced the creation of the Open Usage Commons, which is intended to help open-source projects manage their trademarks. From the organization's own announcement: "We created the Open Usage Commons because free and fair open source trademark use is critical to the long-term sustainability of open source. However, understanding and managing trademarks takes more legal know-how than most project maintainers can do themselves. The Open Usage Commons is therefore dedicated to creating a model where everyone in the open source chain – from project maintainers to downstream users to ecosystem companies – has peace of mind around trademark usage and management. The projects in the Open Usage Commons will receive support specific to trademark protection and management, usage guidelines, and conformance testing." Initial members include the Angular, Gerrit, and Istio projects.
Sandboxing in Linux with zero lines of code (Cloudflare blog)
The Cloudflare blog is running an overview of sandboxing with seccomp(), culminating in a tool written there to sandbox any existing program. "We really liked the 'zero code seccomp' approach with systemd SystemCallFilter= directive, but were not satisfied with its limitations. We decided to take it one step further and make it possible to prohibit any system call in any process externally without touching its source code, so came up with the Cloudflare sandbox. It’s a simple standalone toolkit consisting of a shared library and an executable. The shared library is supposed to be used with dynamically linked applications and the executable is for statically linked applications."
Timecounters available to userland in -current
In this commit, Paul Irofti (pirofti@) added support for reading timecounters in userland without making a syscall.
[$] Hugo: a static-site generator
Static web-site generators take page content written in a markup language and render it into fully baked HTML, making it easy for developers to upload the result and serve a web site simply and securely. This article looks at Hugo, a static-site generator written in Go and optimized for speed. It is a flexible tool that can be configured for a variety of use cases: simple blogs, project documentation, larger news sites, and even government services.
[$] Sleepable BPF programs
When support for classic BPF was added to the kernel many years ago, there was no question of whether BPF programs could block in their execution. Their functionality was limited to examining a packet's contents and deciding whether the packet should be forwarded or not; there was nothing such a program could do to block. Since then, BPF has changed a lot, but the assumption that BPF programs cannot sleep has been built deeply into the BPF machinery. More recently, classic BPF has been pushed aside by the extended BPF dialect; the wider applicability of extended BPF is now forcing a rethink of some basic assumptions.
Security updates for Tuesday
Security updates have been issued by Debian (php7.3), Fedora (gst), Mageia (libvirt, mariadb, pdns-recursor, and ruby), openSUSE (chocolate-doom, coturn, kernel, live555, ntp, python3, and rust, rust-cbindgen), Oracle (virt:ol), Red Hat (file, firefox, gettext, kdelibs, kernel, kernel-alt, microcode_ctl, nghttp2, nodejs:10, nodejs:12, php, qemu-kvm, ruby, and tomcat), SUSE (libjpeg-turbo, mozilla-nspr, mozilla-nss, mozilla-nss, nasm, openldap2, and permissions), and Ubuntu (coturn, glibc, nss, and openexr).
First powerpc64 snapshots available
Since we reported the first bits of powerpc64 support going into the tree on 16 May, work has progressed at a steady pace, resulting in snapshots now being available for this platform.
So, if you have a POWER9 system idling around, go to your nearest mirror and fetch this snapshot. Keep in mind that as this is still very early days, very little handholding is available - you are basically on your own.
[$] Home Assistant improves performance in 0.112 release
The Home Assistant project has released version 0.112 of the open-source home automation hub we have previously covered, which is the eighth release of the project this year. While previous releases have largely focused on new integrations and enhancements to the front-end interface, in this release the focus has shifted more toward improving the performance of the database. It is important to be aware that there are significant database changes and multiple potential backward compatibility breaks to understand before attempting an upgrade to take advantage of the improvements.
Security updates for Monday
Security updates have been issued by Debian (chromium, php7.0, and thunderbird), Fedora (ceph, gssdp, gupnp, libfilezilla, libldb, mediawiki, python-pillow, python36, samba, and xpdf), Mageia (curl, docker, firefox, libexif, libupnp, libvncserver, libxml2, mailman, ntp, perl-YAML, python-httplib2, tcpreplay, tomcat, and vlc), openSUSE (chocolate-doom, python3, and Virtualbox), Slackware (libvorbis), and SUSE (mozilla-nspr, mozilla-nss, systemd, tomcat, and zstd).
Kernel prepatch 5.8-rc4
The 5.8-rc4 kernel prepatch is out for testing. "The end result is that it's been fairly calm, and there's certainly been discussion of upcoming fixes, but I still have the feeling that 5.8 is looking fairly normal and things are developing smoothly despite the size of this release."
07/05 SolydK 10.4
Book: Perl 7: A Risk-Benefit Analysis
Dan Book has done a detailed analysis of the Perl 7 transition. "Large amount of CPAN modules will not work in Perl 7; plans for working around this would either involve every affected CPAN author, which is a virtual impossibility for the stated 1 year time frame; or the toolchain group, a loose group of people who each maintain various modules and systems that are necessary for CPAN to function, who either have not been consulted as of yet or have not revealed their plans related to the tools they maintain. Going into this potential problem sufficiently would be longer than this blog post, but suffice to say that a Perl where highly used CPAN modules don't seamlessly work is not Perl."
Security updates for Friday
Security updates have been issued by Debian (docker.io and imagemagick), Fedora (alpine, firefox, hostapd, and mutt), openSUSE (opera), Red Hat (rh-nginx116-nginx), SUSE (ntp, python3, and systemd), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-riscv, linux, linux-azure, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-gke-5.0, linux-oem-osp1, net-snmp, and samba).
[$] Netflix releases open-source crisis-management tool
Earlier this year, Netflix developed and released a new Apache-licensed project named Dispatch. It is designed to coordinate the response to and the resolution of security-related incidents, but the project aims for more than just that. Rather, it hopes to be valuable for any type of one-off incident that needs coordination across an organization, such as a service outage.