Linux

Linux Foundation President Used MacOS For Presentation at Open Source Summit (itsfoss.com) 284

Slashdot reader mschaffer writes:It appears that Jim Zemlin, President of the Linux Foundation, was using MacOS while declaring "2017 is officially the year of the Linux desktop!" at the Open Source Summit 2017. This was observed by several YouTube channels: Switched to Linux and The Lunduke Show. Finally it was reported by It's FOSS.

if, indeed, this is the year of desktop Linux, why oh why cannot people like Zemlin present a simple slide presentation -- let alone actually use a Linux distro for work.

A security developer at Google has now "spotted Jim Zemlin using Apple's macOS twice in last four years," according to the article, which complains the Foundation's admirable efforts on cloud/container technology has them neglecting Linux on the desktop.

Ironically, in March Zemlin told a cloud conference that organizations that "don't harvest the shared innovation" of open source "will fail."
Windows

'Bashware' Attacks Exploit Windows 10's Subsystem for Linux (betanews.com) 80

Mark Wilson quote BetaNews: While many people welcomed the arrival of Windows Subsystem for Linux (WSL) in Windows 10, it has been found to be a potential security issue. A new technique known as a Bashware has been discovered by security researchers that makes it possible for malware to use the Linux shell to bypass security software.

While administrator access is needed to execute a Bashware attack, this is fairly easily obtained, and the technique can be used to disguise malicious operations from antivirus software and other security tools. Researchers from Check Point Research point out that the danger stems from the fact that "existing security solutions are still not adapted to monitor processes of Linux executables running on Windows."

Microsoft

Will Linux Innovation Be Driven By Microsoft? (infoworld.com) 335

Adobe's VP of Mobile (and a former intellectual property lawyer) sees "a very possible future where Microsoft doesn't merely accept a peaceful coexistence with Linux, but instead enthusiastically embraces it as a key to its future," noting Microsoft's many Linux kernel developers and arguing it's already innovating around Linux -- especially in the cloud. An anonymous reader quotes InfoWorld: Even seemingly pedestrian work -- like making Docker containers work for Windows, not merely Linux -- is a big deal for enterprises that don't want open source politics infesting their IT. Or how about Hyper-V containers, which marry the high density of containers to the isolation of traditional VMs? That's a really big deal...

Microsoft has started hiring Linux kernel developers like Matthew Wilcox, Paul Shilovsky, and (in mid-2016) Stephen Hemminger... Microsoft now employs 12 Linux kernel contributors. As for what these engineers are doing, Linux kernel maintainer Greg Kroah-Hartman says, "Microsoft now has developers contributing to various core areas of the kernel (memory management, core data structures, networking infrastructure), the CIFS filesystem, and of course many contributions to make Linux work better on its Hyper-V systems." In sum, the Linux Foundation's Jim Zemlin declares, "It is accurate to say they are a core contributor," with the likelihood that Hemminger's and others' contributions will move Microsoft out of the kernel contribution basement into the upper echelons.

The article concludes that "Pigs, in other words, do fly. Microsoft, while maintaining its commitment to Windows, has made the necessary steps to not merely run on Linux but to help shape the future of Linux."
KDE

KDE Plasma 5.11 Beta Released (kde.org) 59

JRiddell writes: The original and best linux desktop has a new version, KDE Plasma 5.11 beta is out. UI improvements include a redesigned System Settings and notification history. Privacy improvements include Plasma Vault, which helps you store your files securely. Progress on Wayland support continues with many people now using it as their daily setup. The full changelog can be viewed here.
GNOME

GNOME 3.26 Released (betanews.com) 176

BrianFagioli shares a report from BetaNews: Today, GNOME 3.26 codenamed "Manchester" sees release. It is chock full of improvements, such as a much-needed refreshed settings menu, enhanced search, and color emoji! Yes, Linux users like using the silly symbols too! "System search has been improved for GNOME 3.26. Results have an updated layout which makes them easier to read and shows more items at once. Additionally, it's now possible to search for system actions, including power off, suspend, lock screen, log out, switch user and orientation lock. (Log out and switch user only appear if there's more than one user. Orientation lock is only available if the device supports automatic screen rotation.) These search features can be accessed in the usual way: click Activities and type into the search box, or simply press 'super' and start typing," says the GNOME Project. The full release notes are available here.
Security

BlueBorne Vulnerabilities Impact Over 5 Billion Bluetooth-Enabled Devices (bleepingcomputer.com) 121

An anonymous reader quotes a report from Bleeping Computer: Security researchers have discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BleuBorne flaws, nor does the attacker need to pair with a target device. They affect the Bluetooth implementations in Android, iOS, Microsoft, and Linux, impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars. Furthermore, the vulnerabilities can be concocted into a self-spreading BlueTooth worm that could wreak havoc inside a company's network or even across the world. "These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date," an Armis spokesperson told Bleeping Computer via email. "Previously identified flaws found in Bluetooth were primarily at the protocol level," he added. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device." Consumers are recommended to disable Bluetooth unless you need to use it, but then turn it off immediately. When a patch or update is issued and installed on your device, you should be able to turn Bluetooth back on and leave it on safely. The BlueBorne Android App on the Google Play Store will be able to determine if a user's Android device is vulnerable. A technical report on the BlueBorne flaws is available here (PDF).
Security

Torvalds Wants Attackers To Join Linux Before They Turn To the "Dark Side" (eweek.com) 112

darthcamaro writes: People attack Linux everyday and Linus Torvalds is impressed by many of them. Speaking at the Open Source Summit in LA, Torvalds said he wants to seek out those that would attack Linux and get them to help improve Linux, before they turn to the 'dark side.' "There are smart people doing bad things, I wish they were on our side and they could help us," Torvalds said. "Where I want us to go, is to get as many smart people as we can before they turn to the dark side. We would improve security that way and get those that are interested in security to come to us, before they attack us," he added.
SuSE

Linux Pioneer SUSE Marks 25 Years In the Field (itwire.com) 54

troublemaker_23 shares an article from ITWire: The Germany-based SUSE Linux marked a milestone last week: on Friday, September 2, the company turned 25, a remarkable achievement in an industry where the remains of software companies litter the landscape around the world... SUSE was formed in 1992 by three university students -- Hubert Mantel, Roland Dyroff, and Burchard Steinbild. The fourth man in the equation was software engineer Thomas Fehr. They had a simple objective: to build software and deliver UNIX support. Linux had been around for a little more than a year at that point and they decided to use it... The name S.u.S.E is a German acronym and means "Software und System-Entwicklung", or "Software and systems development". The name was later changed to SuSE and some years on became SUSE...

Like other open source outfits, SUSE has widened its services and now not only provides an enterprise Linux distribution but has a well developed software-defined storage product and one for a container-as-a-service option. It also caters to those seeking cloud options and does more than its fair share in contributing to upstream FOSS projects. Along the way, it has spawned a top-notch community distribution, openSUSE, which is run by an autonomous board led by the ebullient British developer Richard Brown.

S.u.S.E Linux was one of the first distros, arriving in 1994 after Soft Landing Systems Linux (in mid-1992) and Slackware.
GUI

Linux.com Raves About New Snap-Centric 'Nitrux' Distro (linux.com) 137

An anonymous reader quotes Linux.com: What happens when you take Ubuntu 17.10, a new desktop interface (one that overlays on top of KDE), snap packages, and roll them all up into a pseudo rolling release? You get Nitrux. At first blush, this particular Linux distribution seems more of an experiment than anything else -- to show how much the KDE desktop can be tweaked to resemble the likes of the Elementary OS or MacOS desktops. At its heart, however, it's much more than that... This particular take on the Linux desktop is focused on the portable, universal nature of snap packages and makes use of a unique desktop, called Nomad, which sits atop KDE Plasma 5... The desktop includes a dock, a system/notification tray, a quick search tool (Plasma Search), and an app menu. Of all the elements on the desktop, it's the Plasma Search tool that will appeal to anyone looking for an efficient means to interact with their desktops. With this tool, you can just start typing on a blank desktop to see a list of results. Say, for example, you want to open LibreOffice writer; on the blank desktop, just start typing "libre" and related entries will appear...

Skilled Linux users should have no problem using Nitrux and might find themselves intrigued with the snap-centric Nomad desktop. The one advantage of having a distribution centered around snap packages would be the ease with which you could quickly install and uninstall a package, without causing issues with other applications... In the end, Nitrux is a beautiful desktop that is incredibly efficient to use -- only slightly hampered by an awkward installer and a lack of available snap packages. Give this distribution a bit of time to work out the kinks and it could become a serious contender.

The GUI-focused distro even includes Android apps in the menu -- although Linux.com's reviewer notes that "on two different installations, I have yet to get this feature to work. Even the pre-installed Android apps never start."
Chrome

Chrome 61 Arrives With JavaScript Modules, WebUSB Support (venturebeat.com) 115

The latest version of Google Chrome has launched, bringing a host of new developer features like JavaScript modules and WebUSB support. An anonymous Slashdot reader shares a report from VentureBeat: Google has launched Chrome 61 for Windows, Mac, and Linux. Additions in this release include JavaScript modules and WebUSB support, among other developer features. You can update to the latest version now using the browser's built-in silent updater or download it directly from google.com/chrome. Google also released Chrome 61 for Android today. In addition to performance and stability fixes, you can expect two new features: Translate pages with a more compact toolbar and pick images with an improved image picker.

Chrome now supports JavaScript modules natively via the new element, letting developers declare a script's dependencies. Modules are already popular in third-party build tools, which use them to bundle only the required scripts. Native support means the browser can fetch granular dependencies in parallel, taking advantage of caching, avoiding duplications across the page, and ensuring the script executes in the correct order, all without a build step. Google recommends these two blog posts for more information: ECMAScript modules in browsers and ES6 Modules in Depth. Speaking of JavaScript, Chrome 61 also upgrades the browser's V8 JavaScript engine to version 6.1. Developers can expect performance improvements and a binary size reduction. The WebUSB API meanwhile allows web apps to access user-permitted USB devices. This enables all the functionality provided by hardware peripherals such as keyboards, mice, printers, and gamepads, while still preserving the security guarantees of the web.

Operating Systems

Linux Kernel 4.13 Officially Released (softpedia.com) 43

prisoninmate writes: As expected, the Linux 4.13 kernel series was made official this past weekend by none other than its creator, Linus Torvalds, which urges all Linux users to start migrating to this version as soon as possible. Work on Linux kernel 4.13 started in mid-July with the first Release Candidate (RC) milestone, which already gave us a glimpse of the new features coming to this major kernel branch. There are, of course, numerous improvements and support for new hardware through updated drivers and core components. Highlights of Linux kernel 4.13 include Intel's Cannon Lake and Coffee Lake CPUs, support for non-blocking buffered I/O operations to improve asynchronous I/O support, support for "lifetime hints" in the block layers and the virtual filesystem, AppArmor enhancements, and better power management. There's also AMD Raven Ridge support implemented in the AMDGPU graphics driver, which received numerous improvements, support for five-level page tables was added in the s390 architecture, and the structure randomization plugin was added as part of the build system.
Android

With Android Oreo, Google Is Introducing Linux Kernel Requirements (betanews.com) 120

Mark Wilson shares a report from BetaNews: As is easy to tell by comparing versions of Android from different handset manufacturers, developers are -- broadly speaking -- free to do whatever they want with Android, but with Oreo, one aspect of this is changing. Google is introducing a new requirement that OEMs must meet certain requirements when choosing the Linux kernel they use. Until now, as pointed out by XDA Developers, OEMs have been free to use whatever Linux kernel they wanted to create their own version of Android. Of course, their builds still had to pass Google's other tests, but the kernel number itself was not an issue. Moving forward, Android devices running Oreo must use at least kernel 3.18, but there are more specific requirements to meet as well. Google explains on the Android Source page: "Android O mandates a minimum kernel version and kernel configuration and checks them both in VTS as well as during an OTA. Android device kernels must enable the kernel .config support along with the option to read the kernel configuration at runtime through procfs."
Operating Systems

Is Apple Copying Palm's WebOS? (salon.com) 188

An anonymous reader quotes a report from Salon: Released in 2009 by Palm -- the same company that popularized the PDA in the 1990s -- WebOS pioneered a number of innovations, including multiple synchronized calendars, unified social media and contact management, curved displays, wireless charging, integrated text and Web messaging, and unintrusive notifications [that have all been copied by the mobile operating systems that defeated it on the marketplace]. The operating system, built on top of a Linux kernel, was also legendary for how easily it could be upgraded by users with programming skills. WebOS was also special in that it used native internet technologies like JavaScript for local applications. That was a huge part of why it was able to do so much integration with Web services, something its competitors at the time simply couldn't match.

Apple's upcoming iOS 11 once again demonstrates how far ahead of its time WebOS really was. The yet-to-be-released Apple mobile system has essentially copied the WebOS model for switching apps by having the user swipe upward from the bottom to reveal several "cards" that represent background applications. While Apple's decision to remove its massively overworked Home button is an improvement, it is still an inferior way of switching apps, compared to what you could do on WebOS eight years ago.

Operating Systems

Linux Desktop Market Share Crosses 3% (netmarketshare.com) 285

Data for the month of August 2017 from reliable market analytics firm Net Applications is here, and it suggests that Linux has finally surpassed the three percent mark, quite possibly for the first time in recent years. According to Net Applications, the desktop market share of Linux jumped from 2.53 percent in July to 3.37 percent in August. There's no explanation for what accounted for this growth.
AMD

New Ryzen Running Stable On Linux, Threadripper Builds Kernel In 36 Seconds (phoronix.com) 186

An anonymous reader writes: After AMD confirmed the a "performance marginality problem" affecting some Ryzen Linux users, RMAs are being issued and replacement Ryzen processors arriving for affected opensource fans. Phoronix has been able to confirm that the new Ryzen CPUs are running stable without the segmentation fault problem that would occur under very heavy workloads. They have also been able to test now the Ryzen Threadripper 1950X. The Threadripper 1950X on Linux is unaffected by any issues unless you count the lack of a thermal reporting driver. With the 32 threads under Linux they have been able to build the Linux kernel in just about a half minute.
Open Source

How Open Source Advocates Celebrated The 26th Anniversary of Linux (linux.com) 99

To celebrate Linux's 26th anniversary, the Linux Foundation tweeted a picture of Tux on a birthday cake, and linked to an essay on OpenSource.com by FreeDOS founder Jim Hall: My first Linux distribution was Softlanding Linux System (SLS) 1.03, with Linux kernel 0.99 alpha patch level 11. That required a whopping 2MB of RAM, or 4MB if you wanted to compile programs, and 8MB to run X windows... To celebrate, I reinstalled SLS 1.05 to remind myself what the Linux 1.0 kernel was like and to recognize how far Linux has come since the 1990s.
"Getting X windows to perform was not exactly easy..." Hall writes, adding "the concept of a desktop didn't exist yet." Meanwhile Phoronix celebrated by republishing that fateful email Linus Torvalds sent on August 25, 1991. And Fossbytes shared the most recent statistics about modern-day Linux's 20 million lines of code from the Linux Foundation: During the period between the 3.19 and 4.7 releases, the kernel community was merging changes at an average rate of 7.8 patches per hour; that is a slight increase from the 7.71 patches per hour seen in the previous version of this report, and a continuation of the longterm trend toward higher patch volumes.
Linux

You Can Help Purism Build the Secure Open Source Linux-based Librem 5 Smartphone (betanews.com) 109

BrianFagioli writes: Thankfully, consumers are starting to wake up and become more aware of security and privacy, and some companies, such as Purism, are designing products to safeguard users. The company's laptops, for instance, run an open source Linux-based operating system, called "PureOS" with a focus on privacy. These machines even have hardware "kill switches" so you can physically disconnect a webcam or Wi-Fi card. Today, Purism announces that it is taking those same design philosophies and using them to build a new $599 smartphone called Librem 5. The planned phone will use the GNOME desktop environment and PureOS by default, but users can install different distros too. Sound good? Well you can help the company build it through crowdfunding. "Purism, the social purpose corporation which designs and produces popular privacy conscious hardware and software, has revealed its plans to build the world's first encrypted, open platform smartphone that will empower users to protect their digital identity in an increasingly unsafe mobile world. After 18 months of R&D to test hardware specifications and engage with one of the largest phone fabricators, Purism is opening a self-hosted crowdfunding campaign to gauge demand for the initial fabrication order and add the features most important to users," says Purism.
Windows

Microsoft .NET Core 2.0 For Linux Released; Redhat Will Bundle Microsoft's .NET (zdnet.com) 185

Billly Gates writes: Microsoft recently released Visual Studio 15.3 for Windows and Visual Studio 7.1 for Mac with .NET core 2.0. In addition to porting Microsoft Code and SQL Server to Linux, they have ported .NET. Redhat will bundle .NET in their software offerings instead of relying on Mono. .NET core is Microsoft's open-source .NET platform which is not based off Mono and available for Linux, Mac, and Windows here.
Java

Red Hat Gives Ceylon To The Eclipse Foundation (eclipse.org) 97

An anonymous reader writes: Some media outlets called Ceylon an attempted "Java killer" when Gavin King first unveiled his secret two-year development project in 2011. In 2013 Red Hat finally released version 1.0 of the modern, modular statically-typed programming language for the Java and JavaScript virtual machines. After another four years, "Ceylon has a small but very active and enthusiastic community of developers and users, and indeed is the fruit of the hard work of a large number of contributors over the years," says a project proposal page at Eclipse.org seeking "to further grow our community... a key strategy to achieve that would be to move Ceylon from Red Hat to a vendor-neutral foundation."

That project has now been approved, and the "Eclipse Ceylon" project has been created. It includes the Ceylon distribution and its SDK, plus the Java2Ceylon converter and the Ceylon Herd project's server (and related services) for Ceylon module sharing. There's also three IDEs (and their code-formatting and functionality-sharing modules).

Back in 2011 InfoWorld predicted that instead of becoming a Java killer, "it is more likely Ceylon will join a growing list of new languages resting atop the JVM, while the Java language and platform will continue on as staples of enterprise computing."
Android

postmarketOS Pursues A Linux-Based, LTS OS For Android Phones (liliputing.com) 111

An anonymous reader quotes Liliputing: Buy an iPhone and you might get 4-5 years of official software updates. Android phones typically get 1-3 years of updates... if they get any updates at all. But there are ways to breathe new life into some older Android phones. If you can unlock the bootloader, you may be able to install a custom ROM like LineageOS and get unofficial software updates for a few more years. The folks behind postmarketOS want to go even further: they're developing a Linux-based alternative to Android with the goal of providing up to 10 years of support for old smartphones...

Right now postmarketOS is a touch-friendly operating system based on Alpine Linux that runs on a handful of devices including the Samsung Galaxy Nexus, Google Nexus 4, 5, and 7 (2012), and several other Samsung, HTC, LG, Motorola, and Sony smartphones. There are also ports for some non-Android phones such as the Nokia N900 and work-in-progress builds for the BlackBerry Bolt Touch 9900 and Jolla Phone. Note that when I say the operating system runs on those devices, I basically mean it boots. Some phones only have network access via a USB cable, for instance. None of the devices can actually be used to make phone calls. But here's the cool thing: the developers are hoping to create a single kernel that works with all supported devices, which means that postmarketOS would work a lot like a desktop operating system, allowing you to install the same OS on any smartphone with the proper hardware.

One postmarketOS developer complains that Android's architecture "is based on forking (one might as well say copy-pasting) the entire code-base for each and every device and Android version. And then working on that independent, basically instantly incompatible version. Especially adding device-specific drivers plays an important role... Here is the solution: Bend an existing Linux distribution to run on smartphones. Apply all necessary changes as small patches and upstream them, where it makes sense."
Desktops (Apple)

In Defense of the Popular Framework Electron (dev.to) 138

Electron, a popular framework that allows developers to write code once and seamlessly deploy it across multiple platforms, has been a topic of conversation lately among developers and users alike. Many have criticised Electron-powered apps to be "too memory intensive." A developer, who admittedly uses a high-end computer, shares his perspective: I can speak for myself when I say Electron runs like a dream. On a typical day, I'll have about three Atom windows open, a multi-team Slack up and running, as well as actively using and debugging my own Electron-based app Standard Notes. [...] So, how does it feel to run this bloat train of death every day? Well, it feels like nothing. I don't notice it. My laptop doesn't get hot. I don't hear the fan. I experience no lags in any application. [...] But aside from how it makes end-users feel, there is an arguably more important perspective to be had: how it makes software companies feel. For context, the project I work in is an open-source cross-platform notes app that's available on most platforms, including web, Mac, Windows, Linux, iOS, and Android. All the desktop applications are based off the main web codebase, and are bundled using Electron, while the iOS and Android app use their own native codebases respectively, one in Swift and the other in Kotlin. And as a new company without a lot of resources, this setup has just barely allowed us to enter the marketplace. Three codebases is two too many codebases to maintain. Every time we make a change, we have to make it in three different places, violating the most sacred tenet of computer science of keeping it DRY. As a one-person team deploying on all these platforms, even the most minor change will take at minimum three development days, one for each codebase. This includes debugging, fixing, testing, bundling, deploying, and distributing every single codebase. This is by no means an easy task.
Debian

OpenSource.com Test-Drives Linux Distros From 1993 To 2003 (opensource.com) 80

An anonymous reader quotes OpenSource.com: A unique trait of open source is that it's never truly EOL (End of Life). The disc images mostly remain online, and their licenses don't expire, so going back and installing an old version of Linux in a virtual machine and getting a precise picture of what progress Linux has made over the years is relatively simple... Whether you're new to Linux, or whether you're such an old hand that most of these screenshots have been more biographical than historical, it's good to be able to look back at how one of the largest open source projects in the world has developed. More importantly, it's exciting to think of where Linux is headed and how we can all be a part of that, starting now, and for years to come.
The article looks at seven distros -- Slackware 1.01 (1993), Debian 0.91 (1994), Jurix/S.u.S.E. (1996), SUSE 5.1 (1998), Red Hat 6.0 (1999), Mandrake 8.0 (2001), and Fedora 1 (2003). Click through for some of the highlights.
GNOME

Canonical Needs Your Help Transitioning Ubuntu Linux From Unity To GNOME (ubuntu.com) 111

BrianFagioli quotes BetaNews: On August 24 and 25, the Ubuntu Desktop team will be holding a "Fit and Finish Sprint," where they will aggressively test GNOME. Canonical is also asking the Ubuntu community to help with this process. In other words, you might be able to assist with making Artful Aardvark even better.

What makes this particularly cool, however, is that Canonical will be selecting some community members to visit its London office on August 24 between 4 pm and 9 pm. "Over the two days we'll be scrutinizing the new GNOME Shell desktop experience, looking for anything jarring/glitchy or out of place," says Alan Pope, Community Manager. "We'll be working on the GTK, GDM and desktop theme alike, to fix inconsistencies, performance, behavioral or visual issues. We'll also be looking at the default key bindings, panel color schemes and anything else we discover along the way."

A few caveats: Canonical won't pay anyone's travel expenses to London, and "Ideally we're looking for people who are experienced in identifying (and fixing) theme issues, CSS experts and GNOME Shell / GTK themers."
AMD

AMD Confirms Linux 'Performance Marginality Problem' On Ryzen (phoronix.com) 120

An anonymous reader writes: Ryzen customers experiencing segmentation faults under Linux when firing off many compilation processes have now had their problem officially acknowledged by AMD. The company describes it as a "performance marginality problem" affecting some Ryzen customers and only on Linux. AMD confirmed Threadripper and Epyc processors are unaffected; they will be dealing with the issue on a customer-by-customer basis, and their future consumer products will see better Linux testing/validation. Ryzen customers believed to be affected by the problem can contact AMD Customer Care. Michael Larabel writes via Phoronix: "With the Ryzen segmentation faults on Linux they are found to occur with many, parallel compilation workloads in particular -- certainly not the workloads most Linux users will be firing off on a frequent basis unless intentionally running scripts like ryzen-test/kill-ryzen. As I've previously written, my Ryzen Linux boxes have been working out great except in cases of intentional torture testing with these heavy parallel compilation tasks. [AMD's] analysis has also found that these Ryzen segmentation faults aren't isolated to a particular motherboard vendor or the like, contrary to rumors/noise online due to the complexity of the problem."
Debian

OpenSSL Support In Debian Unstable Drops TLS 1.0/1.1 Support (debian.org) 76

An anonymous reader writes: Debian Linux "sid" is deprecating TLS 1.0 Encryption. A new version of OpenSSL has been uploaded to Debian Linux unstable. This version disables the TLS 1.0 and 1.1 protocol. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version. This will likely break certain things that for whatever reason still don't support TLS 1.2. I strongly suggest that if it's not supported that you add support for it, or get the other side to add support for it. OpenSSL made a release 5 years ago that supported TLS 1.2. The current support of the server side seems to be around 90%. I hope that by the time Buster releases the support for TLS 1.2 will be high enough that I don't need to enable them again. This move caused some concern among Debian users and sysadmins. If you are running Debian Unstable on server tons of stuff is going to broken cryptographically. Not to mention legacy hardware and firmware that still uses TLS 1.0. On the client side (i.e. your users), you need to use the latest version of a browser such as Chrome/Chromium and Firefox. The Older version of Android (e.g. Android v5.x and earlier) do not support TLS 1.2. You need to use minimum iOS 5 for TLS 1.2 support. Same goes with SMTP/mail servers, desktop email clients, FTP clients and more. All of them using old outdated crypto.

This move will also affect for Android 4.3 users or stock MS-Windows 7/IE users (which has TLS 1.2 switched off in Internet Options.) Not to mention all the mail servers out there running outdated crypto.

Red Hat Software

Red Hat Acquires Data-Cleaning Company Permabit (fortune.com) 85

An anonymous reader quotes Fortune: Business software company Red Hat said on Monday that it is acquiring the technology assets of Permabit, a small company that specializes in cleaning up corporate data to make storage more efficient and data access faster. Terms of the deal were not disclosed but a Red Hat spokesman said 16 people from Permabit will be joining that company...

While the conventional wisdom is that data storage is cheap, it is not free. And with companies turning to more expensive flash storage, it saves money to remove redundant data, said Richard Fichera, vice president and principal analyst at Forrester Research... Red Hat, which sells a version of the Linux operating system used by many Fortune 500 companies, also offers its own storage software. And, it wants to become a more formidable challenger in data storage, a goal that can be furthered by buying Permabit's technology, Fichera said.

Slashdot reader See Attached points out that this week Red Hat also released RHEL 7.4, which introduces support for Network Bound Disk Encryption (NBDE) and system protection against intrusive USB devices.
Open Source

Linux Kernel Hardeners Grsecurity Sue Open Source's Bruce Perens (theregister.co.uk) 307

An anonymous reader shares a report from The Register: In late June, noted open-source programmer Bruce Perens [a longtime Slashdot reader] warned that using Grsecurity's Linux kernel security could invite legal trouble. "As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity," Perens wrote on his blog. The following month, Perens was invited to court. Grsecurity sued the open-source doyen, his web host, and as-yet-unidentified defendants who may have helped him draft that post, for defamation and business interference. Grsecurity offers Linux kernel security patches on a paid-for subscription basis. The software hardens kernel defenses through checks for common errors like memory overflows. Perens, meanwhile, is known for using the Debian Free Software Guidelines to draft the Open Source Definition, with the help of others.

Grsecurity used to allow others to redistribute its patches, but the biz ended that practice for stable releases two years ago and for test patches in April this year. It offers its GPLv2 licensed software through a subscription agreement. The agreement says that customers who redistribute the code -- a right under the GPLv2 license -- will no longer be customers and will lose the right to distribute subsequent versions of the software. According to Perens, "GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition." A legal complaint (PDF) filed on behalf of Grsecurity in San Francisco, California, insists the company's software complies with the GPLv2. Grsecurity's agreement, the lawsuit states, only applies to future patches, which have yet to be developed. Perens isn't arguing that the GPLv2 applies to unreleased software. Rather, he asserts the GPLv2, under section 6, specifically forbids the addition of contractual terms.

Ubuntu

Ubuntu Will Revert Window Controls To the Right-Hand Side in Next Release (neowin.net) 171

Following a survey carried out last month, Ubuntu will begin shipping with the minimise, maximise, and close buttons on the right-hand side of windows. From a report: In the survey 46.2% of people said they prefer their window controls on the left-hand side and 53.8% said they prefer them on the right. The decision comes after seven years of window controls being on the left, at the time it had plenty of detractors but Ubuntu founder, Mark Shuttleworth, maintained that the controls needed shifting to the left because they'd be in the way of the then newly introduced window indicators.
Python

It Will Take Fedora More Releases To Switch Off Python 2 (phoronix.com) 94

An anonymous reader quotes Phoronix: Finalizing Fedora's switch from Python 2 to Python 3 by default is still going to take several more Fedora release cycles and should be done by the 2020 date when Python 2 will be killed off upstream. While much of Fedora's Python code is now compatible with Py3, the /usr/bin/python still points to Python 2, various python-* packages still mean Python 2... The end game is to eventually get rid of Python 2 from Fedora but that is even further out.
Fedora is now gathering feedback on a Wiki page explaining the switch.
Cloud

Microsoft Further Pledges Linux Loyalty, Joins Cloud Native Computing Foundation (betanews.com) 109

BrianFagioli quotes BetaNews: Today, Microsoft further pledges its loyalty to Linux and open source by becoming a platinum member of the Cloud Native Computing Foundation. If you aren't familiar, the CNCF is a part of the well-respected Linux Foundation (of which Microsoft is also a member). With the Windows-maker increasingly focusing its efforts on the cloud -- and profiting from it -- this seems like a match made in heaven. In fact, Dan Kohn, Executive Director of the foundation says, "We are honored to have Microsoft, widely recognized as one of the most important enterprise technology and cloud providers in the world, join CNCF as a platinum member."

"CNCF is a part of the Linux Foundation, which helps govern for a wide range of cloud-oriented open source projects, such as Kubernetes, Prometheus, OpenTracing, Fluentd, Linkerd, containerd, Helm, gRPC, and many others," says John Gossman Azure Architect, Microsoft. "Since we joined the Linux Foundation last year, and now have decided to expand that relationship to CNCF membership as a natural next step to invest in open source communities and code at multiple levels, especially in the area of containers."

The announcement notes that Microsoft has already been contributing code to the Kubernetes project, "as well as running Kubernetes as part of the Azure Container Service."
Debian

Systemd Named 'Lamest Vendor' At Pwnie Security Awards (theregister.co.uk) 436

Long-time Slashdot reader darkpixel2k shares a highlight from the Black Hat USA security conference. The Register reports: The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year's ceremony in Las Vegas... The gongs are divided into categories, and nominations in each section are voted on by the hacker community... The award for best server-side bug went to the NSA's Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers...

And finally, the lamest vendor response award went to Systemd supremo Lennart Poettering for his controversial, and perhaps questionable, handling of the following bugs in everyone's favorite init replacement: 5998, 6225, 6214, 5144, and 6237... "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will referenced in either the change log or the commit message," reads the Pwnie nomination for Systemd, referring to the open-source project's allergy to assigning CVE numbers. "But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"

CSO has more coverage -- and presumably there will eventually be an official announcement up at Pwnies.com.
Windows

Microsoft's 'Windows Subsystem For Linux' Finally Leaves Beta (microsoft.com) 163

An anonymous reader quotes Microsoft's Developer blog: Early adopters on the Windows Insider program will notice that Windows Subsystem for Linux is no longer marked as a beta feature as of Insider build 16251. This will be great news for those who've held-back from employing WSL as a mainline toolset: You'll now be able to leverage WSL as a day-to-day developer toolset, and become ever more productive when building, testing, deploying, and managing your apps and systems on Windows 10... What will change is that you will gain the added advantage of being able to file issues on WSL and its Windows tooling via our normal support mechanisms if you want/need to follow a more formal issue resolution process. You can also provide feedback via Windows 10 Feedback Hub app, which delivers feedback directly to the team.
Microsoft points out that distro-publishers are still responsible for supporting and fixing the internals of their distros -- and they have no plans to support X/GUI apps or desktops. And of course, Linux files are not currently accessible from Windows -- though Microsoft says they're working on a fix.
Open Source

OpenMoko: Ten Years After (vanille.de) 48

Michael Lauer, member of the core team at OpenMoko, a project that sought to create a family of open source mobile phones -- which included the hardware specs and the Linux-based OS -- has shared the inside story of what the project wanted to do and why it failed. From his blog post: For the 10th anniversary since the legendary OpenMoko announcement at the "Open Source in Mobile" (7th of November 2006 in Amsterdam), I've been meaning to write an anthology or -- as Paul Fertser suggested on #openmoko-cdevel -- an obituary. I've been thinking about objectively describing the motivation, the momentum, how it all began and -- sadly -- ended. I did even plan to include interviews with Sean, Harald, Werner, and some of the other veterans. But as with oh so many projects of (too) wide scope this would probably never be completed. As November 2016 passed without any progress, I decided to do something different instead. Something way more limited in scope, but something I can actually finish. My subjective view of the project, my participation, and what I think is left behind: My story, as OpenMoko employee #2. On top of that you will see a bunch of previously unreleased photos (bear with me, I'm not a good photographer and the camera sucked as well). [....] Right now my main occupation is writing software for Apple's platforms -- and while it's nice to work on apps using a massive set of luxury frameworks and APIs, you're locked and sandboxed within the software layers Apple allows you. I'd love to be able to work on an open source Linux-based middleware again. However, the sad truth is that it looks like there is no business case anymore for a truly open platform based on custom-designed hardware, since people refuse to spend extra money for tweakability, freedom, and security. Despite us living in times where privacy is massively endangered.
Open Source

FreeBSD 11.1 Released (freebsd.org) 219

Billly Gates writes: Linux is not the only free open-source operating system. FreeBSD, which is based off of the historical BSD Unix in which TCP/IP was developed on from the University of California at Berkeley, has been updated. It does not include systemd nor PulseAudio and is popular in many web server installations and networking devices. FreeBSD 11.1 is out with improvements in UEFI and Amazon cloud support in addition to updated userland programs. EFI improvements including a new utility efivar(8) to manage UEFI variables, EFI boot from TFTP or NFS, as well as Microsoft Hyper-V UEFI and Secure Boot for generation 2 virtual machines for both Windows Server and Windows 10 Professional hosts. FreeBSD 11.1 also has extended support Amazon Cloud features. A new networking stack for Amazon has been added with the ena(4) driver, which adds support for Amazon EC2 platform. This also adds support for using Amazon EC2 NFS shares and support for the Amazon Elastic Filesystem for NFS. For application updates, FreeBSD 11.1 Clang, LLVM, LLD, LLDB, and libc++ to version 4.0.0. ZFS has been updated too with a new zfsbootcfg with minor performance improvements. Downloads are here which include Sparc, PowerPC, and even custom SD card images for Raspberry Pi, Beagle-bone and other devices.
Bug

DNS Lib Underscore Bug Bites Everyone's Favorite Init Tool, Blanks Netflix (theregister.co.uk) 292

Reader OneHundredAndTen writes and shares a report: Systemd doing what it does best. From a report on The Register: A few Penguinistas spent a weekend working out why they can't get through to Netflix from their Linux machines, because when they tried, their DNS lookups failed. The issue emerged over the weekend, when Gentoo user Dennis Schridde submitted a bug report to the Systemd project. Essentially, he described a failure within systemd-resolve, a Systemd component that turns human-readable domain names into IP addresses for software, like web browsers, to connect to. The Systemd resolver couldn't look up Netflix's servers for Schridde's web browser, according to the report. In his detailed post, Schridde said he expected this to happen: ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net gets resolved to 37.77.187.142 or 2a00:86c0:5:5::142. When in reality, that wasn't happening, so Netflix couldn't be reached on his box. His speculation that libidn2, which adds internationalised domain names support to the resolver, was at fault turned out to be accurate. Rebuilding Systemd without that library cleared the problem.
Debian

Debian 'Stretch' Updated With 9.1 Release (debian.org) 40

An anonymous reader quotes Debian.org: The Debian project is pleased to announce the first update of its stable distribution Debian 9 (codename "stretch"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems... Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old "stretch" media... Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
Bug

Debian, Gnome Patched 'Bad Taste' VBScript-Injection Vulnerabilities (neowin.net) 72

Slashdot reader KiloByte warned us about new exploit for .MSI files named "bad taste". Neowin reports: A now-patched vulnerability in the "GNOME Files" file manager was recently discovered which allowed hackers to create dodgy MSI files which would run malicious VBScript code on Linux... Once Nils Dagsson Moskopp discovered the bug, he reported it to the Debian Project which fixed it very rapidly. The GNOME Project also patched the gnome-exe-thumbnailer file which is responsible for parsing MSI and EXE files inside the GNOME Files app... If you run a Linux distribution with the GNOME desktop it's advisable to run the update manager and check for updates as soon as possible before you become affected by this critical vulnerability.
Google

Linus Torvalds Now Reviews Gadgets On Google+ (zdnet.com) 51

An anonymous reader quotes ZDNet: If you know anything about Linus Torvalds, you know he's the mastermind and overlord of Linux. If you know him at all well, you know he's also an enthusiastic scuba diver and author of SubSurface, a do-it-all dive log program. And, if you know him really well, you'd know, like many other developers, he loves gadgets. Now, he's starting his own gadget review site on Google+: Working Gadgets...

"[W]hile waiting for my current build to finish, I decided to write a note about some of the gadgets I got that turned out to work, rather than all the crazy crap that didn't. Because while 90% of the cool toys I buy aren't all that great, there's still the ones that actually do live up to expectations. So the rule is: no rants. Just good stuff. Because this is about happy gadgets."

So far Linus has reviewed an automatic cat litter box, a scuba diving pressure regulator, and a Ubiquiti UniFi Wi-Fi access point that complements his Google WiFi mesh network.

Linus will be great at this. Just last week I saw him recommending a text editor.
Operating Systems

Slackware, Oldest Linux Distro Still In Active Development, Turns 24 70

sombragris writes: July 17 marked the 24th anniversary of Slackware Linux, the oldest GNU/Linux still in active development, being created in 1993 by Patrick Volkerding, who still serves as its BDFL. Version 14.2 was launched last year, and the development version (Slackware-current) currently offers kernel 4.9.38, gcc 7.1, glibc 2.25, mesa 17.1.5, and KDE and Xfce as official desktops, with many others available as 3rd party packages. Slackware is also among the Linux distributions which have not adopted systemd as its init system; instead, it uses a modified BSD init which is quite simple and effective. Slackware is known to be a solid, stable and fast setup, with easy defaults which is appreciated by many Linux users worldwide. Phoronix has a small writeup noting the anniversary and there's also a nice reddit thread.
Ubuntu

Ask Slashdot: Ubuntu 18.04 LTS Desktop Default Application Survey 298

Dustin Kirkland, Ubuntu Product and Strategy at Canonical, writes: Howdy all- Back in March, we asked the HackerNews community, "What do you want to see in Ubuntu 17.10?": https://ubu.one/AskHN. A passionate discussion ensued, the results of which are distilled into this post: http://ubu.one/thankHN. In fact, you can check that link, http://bit.ly/thankHN and see our progress so far this cycle. We already have a beta code in 17.10 available for your testing for several of those:

- GNOME replaced Unity
- Bluetooth improvements with a new BlueZ
- Switched to libinput
- 4K/Multimonitor/HiDPI improvements
- Upgraded to Network Manager 1.8
- New Subiquity server installer
- Minimal images (36MB, 18% smaller)

And several others have excellent work in progress, and will be complete by 17.10:

- Autoremove old kernels from /boot
- EXT4 encryption with fscrypt
- Better GPU/CUDA support

In summary -- your feedback matters! There are hundreds of engineers and designers working for *you* to continue making Ubuntu amazing! Along with the switch from Unity to GNOME, we're also reviewing some of the desktop applications we package and ship in Ubuntu. We're looking to crowdsource input on your favorite Linux applications across a broad set of classic desktop functionality. We invite you to contribute by listing the applications you find most useful in Linux in order of preference.


Click through for info on how to contribute.
Open Source

In Which Linus Torvalds Makes An 'Init' Joke (lkml.org) 359

Long-time Slashdot reader jawtheshark writes: In a recent Linux Kernel Mailing List post, Linux Torvalds finishes his mail with a little poke towards a certain init system. It is a very faint criticism, compared to his usual style. While Linus has no direct influence on the "choices" of distro maintainers, his opinion is usually valued.
In a discussion about how to set rlimit default values for setuid execs, Linus concluded his email by writing, "And yes, a large part of this may be that I no longer feel like I can trust "init" to do the sane thing. You all presumably know why."
GNOME

Fedora 26 Linux Distro Released (betanews.com) 66

Reader BrianFagioli writes: Today, Fedora 26 sheds its pre-release status and becomes available for download as a stable release. GNOME fans are in for a big treat, as version 3.24 is default. If you stick to stable Fedora releases, this will be your first time experiencing that version of the desktop environment since it was released in March. Also new is LibreOffice 5.3, which is an indispensable suite for productivity. If you still use mp3 music files I've moved onto streaming), support should be baked in for both encoding and decoding. "The latest version of Fedora's desktop-focused edition provides new tools and features for general users as well as developers. GNOME 3.24 is offered with Fedora 26 Workstation, which includes a host of updated functionality including Night Light, an application that subtly changes screen color based on time of day to reduce effect on sleep patterns, and LibreOffice 5.3, the latest update to the popular open source office productivity suite. For developers, GNOME 3.24 provides matured versions of Builder and Flatpak to make application development for a variety of systems, including Rust and Meson, easier across the board," says the Fedora Project.
Open Source

Bruce Perens Warns Grsecurity Breaches the Linux Kernel's GPL License (perens.com) 474

Bruce Perens co-founded the Open Source Initiative with Eric Raymond. Now he's sharing a "strong opinion" that companies should avoid the Grsecurity security patch for the Linux kernel "because it presents a contributory infringement and breach of contract risk." Slashdot reader NewGnu shared Bruce's comments: [I]t would fail a fair-use test... Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2... My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition...

This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.

Perens advises companies to discuss his position with their attorneys, adding "In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge."
Debian

Survey Finds Most Popular Linux Laptop Distros: Ubuntu and Arch (phoronix.com) 141

After collating 30,171 responses, Phoronixhas released some results from their first Linux Laptop Survey. An anonymous reader quotes their report: To little surprise, Ubuntu was the most popular Linux distribution running on the respondents' laptops. 38.9% of the respondents were said to be using Ubuntu while interesting in second place was Arch Linux at 27.1% followed by Debian at 15.3%. Rounding out the top ten were then Fedora at 14.8%, Linux Mint in 5th at 10.8%, openSUSE/SUSE in sixth at 4.2%, Gentoo in seventh at 3.9%, CentOS/RHEL in eighth at 3.1%, Solus in ninth at 2%, and Manjaro in tenth at 1.6%. The other Linux distributions had each commanded less than 1% of the overall response.
Only 10.3% of respondents said their most recent laptop purchase came pre-loaded with Linux. But 29.3% are now dual-booting their Linux laptop with Windows, while another 4.4% were dual-booting with yet another Linux distribution.
Windows

WikiLeaks Unveils CIA Implants That Steal SSH Credentials From Windows, Linux PCs (thehackernews.com) 140

An anonymous reader quotes a report from The Hacker News: WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors. Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network. Dubbed BothanSpy -- implant for Microsoft Windows Xshell client, and Gyrfalcon -- targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu. Both implants steal user credentials for all active SSH sessions and then sends them to a CIA-controlled server.
Operating Systems

OpenBSD Will Get Unique Kernels On Each Reboot (bleepingcomputer.com) 162

An anonymous reader quotes a report from Bleeping Computer: A new feature added in test snapshots for the upcoming OpenBSD 6.2 release will create a unique kernel every time an OpenBSD user reboots or upgrades his computer. This feature is named KARL -- Kernel Address Randomized Link -- and works by relinking internal kernel files in a random order so that it generates a unique kernel binary blob every time. Currently, for stable releases, the OpenBSD kernel uses a predefined order to link and load internal files inside the kernel binary, resulting in the same kernel for all users. Developed by Theo de Raadt, KARL will work by generating a new kernel binary at install, upgrade, and boot time. If the user boots up, upgrades, or reboots his machine, the most recently generated kernel will replace the existing kernel binary, and the OS will generate a new kernel binary that will be used on the next boot/upgrade/reboot, constantly rotating kernels on reboots or upgrades. KARL should not be confused with ASLR -- Address Space Layout Randomization -- a technique that randomizes the memory address where application code is executed, so exploits can't target a specific area of memory where an application or the kernel is known to run. A similar technique exists for randomizing the memory location where the kernel loads -- called KASLR. The difference between the two is that KARL loads a different kernel binary in the same place, while KASLR loads the same binary in random locations. Currently Linux and Windows only support KASLR.
Security

Linux Is Not As Safe As You Think (betanews.com) 237

BrianFagioli writes via BetaNews: Would you be surprised if I told you that threat methods for Linux increased an astonishing 300 percent in 2016, while Microsoft's operating systems saw a decrease? Well, according to a new report, that is true. Does this mean Linux is unsafe? No way, Jose! There are some important takeaways here. Microsoft's Windows operating systems are still the most targeted platforms despite the year over year decline -- far beyond Linux. Also, just because there is an increase in malware attack methods doesn't necessarily mean that more systems will be infected. Let us not forget that it is easier to find a vulnerability with open source too; Microsoft largely uses closed source code. "At the end of November, criminals with other variants of the same Linux malware unleashed devastating attacks against DSL routers of Telekom customers. 900,000 devices were taken down. In October, the Mirai code appeared freely available on the Internet. Since then, the AV-TEST systems have been investigating an increasing number of samples with spikes at the end of October, November and beginning of December," says AV Test of the Mirai malware. "Other Linux malware, such as the Tsunami backdoor, has been causing trouble for several years now and can be easily modified for attacks against IoT devices. The detection systems of AV-TEST first detected the Tsunami malicious code in the year 2003. Although, at that time, practically no IoT devices existed, the Linux backdoor already offered attack functions which even today would be suitable for virtually unprotected attacks on routers: In this manner, Tsunami can download additional malicious code onto infected devices and thus make devices remote controllable for criminals. But the old malware can also be used for DDoS attacks. The Darlloz worm, known since 2013, as well as many other Linux and Unix malware programs, have similar attack patterns which AV-TEST has been detecting and analyzing for years."
Bug

'Severe' Systemd Bug Allowed Remote Code Execution For Two Years (itwire.com) 551

ITWire reports: A flaw in systemd, the init system used on many Linux systems, can be exploited using a malicious DNS query to either crash a system or to run code remotely. The vulnerability resides in the daemon systemd-resolved and can be triggered using a TCP payload, according to Ubuntu developer Chris Coulson. This component can be tricked into allocating less memory than needed for a look-up. When the reply is bigger it overflows the buffer allowing an attacker to overwrite memory. This would result in the process either crashing or it could allow for code execution remotely. "A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved in to allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," is how Coulson put it.
Affected Linux vendors have pushed out patches -- but the bug has apparently been present in systemd code since June of 2015. And long-time Slashdot reader walterbyrd also reports a recently-discovered bug where systemd unit files that contain illegal usernames get defaulted to root.
Open Source

Linux Kernel 4.12 Officially Released (softpedia.com) 55

prisoninmate quotes Softpedia: After seven weeks of announcing release candidate versions, Linus Torvalds today informs the Linux community through a mailing list announcement about the general availability of the Linux 4.12 kernel series. Development on the Linux 4.12 kernel kicked off in mid-May with the first release candidate, and now, seven weeks later we can finally get our hands on the final release... A lot of great improvements, new hardware support, and new security features were added during all this time, which makes it one of the biggest releases, after Linux 4.9...

Prominent features of the Linux 4.12 kernel include initial support for AMD Radeon RX Vega graphics cards, intial Nvidia GeForce GTX 1000 "Pascal" accelerated support, implementation of Budget Fair Queueing (BFQ) and storage-I/O schedulers, more MD RAID enhancements, support for Raspberry Pi's Broadcom BCM2835 thermal driver, a lot of F2FS optimizations, as well as ioctl for the GETFSMAP space mapping ioctl for both XFS and EXT4 filesystems.

Linus said in announcing the release that "I think only 4.9 ends up having had more commits," also noting that 4.9 was a Long Term Support kernel, whereas "4.12 is just plain big."

"There's also nothing particularly odd going on in the tree - it's all just normal development, just more of it than usual."
Ubuntu

Ubuntu Disputes 'Ads In MOTD' Claims (twitter.com) 110

Thursday Lproven (Slashdot reader #6030) wrote: It appears that Ubuntu is using a feature it has added -- intended to insert headlines of breaking tech news (security alerts and so on) into the Message of the Day displayed at login to the console -- to display advertising and promotional messages.
The message in question linked to a Hacker Noon article titled "How HBO's Silicon Valley built 'Not Hotdog' with mobile TensorFlow, Keras & React Native." Later that day Dustin Kirkland, a Ubuntu Product Manager for the feature's design (and the Core Developer for its implementation) suggested the message had been mistaken for an ad, describing it on Hacker News as a "fun fact... an interesting tidbit of potpourri from the world of Ubuntu," and later saying it was intended like Google's doodles. "Last week's message actually announced an Ubuntu conference in Latin America. The week before, we linked to an article asking for feedback on Kubuntu. Before that, we announced the availability of Extended Security Maintenance updates for 12.04. And so on." He later confirmed Canonical received no money for the message, and also pointed out that the messages all come from an open source repository, and "You're welcome to propose your own messages for merging, if you have a well formatted, informative message for Ubuntu users."

Click through for a condensed version of the complete response by Dustin Kirkland, Ubuntu Product and Strategy at Canonical.

Slashdot Top Deals