Intel Responds To Alleged Chip Flaw, Claims Effects Won't Significantly Impact Average Users

An anonymous reader quotes a report from Hot Hardware: The tech blogosphere lit up yesterday afternoon after reports that a critical bug in modern Intel processors has the potential to seriously impact systems running Windows, Linux and macOS. The alleged bug is so severe that it cannot be corrected with a microcode update, and instead, OS manufacturers are being forced to address the issue with software updates, which in some instances requires a redesign of the kernel software. Some early performance benchmarks have even suggested that patches to fix the bug could result in a performance hit of as much as 30 percent. Since reports on the issues exploded over the past 24 hours, Intel is looking to cut through the noise and tell its side of the story. The details of the exploit and software/firmware updates to address the matter at hand were scheduled to go live next week. However, Intel says that it is speaking out early to combat "inaccurate media reports."

Intel acknowledges that the exploit has "the potential to improperly gather sensitive data from computing devices that are operating as designed." The company further goes on to state that "these exploits do not have the potential to corrupt, modify or delete data." The company goes on to state that the "average computer user" will be negligibly affected by any software fixes, and that any negative performance outcomes "will be mitigated over time." In a classic case of trying to point fingers at everyone else, Intel says that "many different vendors' processors" are vulnerable to these exploits.
You can read the full statement here.

Linux Mint 19 Named 'Tara'

BrianFagioli writes: Today, we get some information about the upcoming version 19 of Mint. The biggest news is that it will be called 'Tara.' If you aren't aware, Mint's distros are always named after a woman.

Clement Lefebvre, Linux Mint leader, shares the following information: "The development cycle only just started so it's a bit early to give details about Linux Mint 19, but here's what we can say already: Linux Mint 19 is estimated to be released around May/June 2018. Linux Mint 19.x releases will be based on Ubuntu 18.04 LTS and supported until 2023. Linux Mint 19.x will use GTK 3.22. GTK 3.22 is a major stable release for GTK3. From there on, the theming engine and the APIs are stable. This is a great milestone for GTK3. It also means Linux Mint 19.x (which will become our main development platform) will use the same version of GTK as LMDE 3, and distributions which use components we develop, such as Fedora, Arch..etc. This should ease development and increase the quality of these components outside of Linux Mint."


'Kernel Memory Leaking' Intel Processor Design Flaw Forces Linux, Windows Redesign

According to The Register, "A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug." From the report: Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in this month's Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December. Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features -- specifically, PCID -- to reduce the performance hit. Similar operating systems, such as Apple's 64-bit macOS, will also need to be updated -- the flaw is in the Intel x86 hardware, and it appears a microcode update can't address it. It has to be fixed in software at the OS level, or buy a new processor without the design blunder. Details of the vulnerability within Intel's silicon are under wraps: an embargo on the specifics is due to lift early this month, perhaps in time for Microsoft's Patch Tuesday next week. Indeed, patches for the Linux kernel are available for all to see but comments in the source code have been redacted to obfuscate the issue. The report goes on to share some details of the flaw that have surfaced. "It is understood the bug is present in modern Intel processors produced in the past decade," reports The Register. "It allows normal user programs -- from database applications to JavaScript in web browsers -- to discern to some extent the contents of protected kernel memory. The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI."

LinuxJournal, Which Ceased Publication Last Month Citing Poor Financial Condition, Secures Fresh Fund From Readers To Resume Operation

New submitter dataknife2 writes: LinuxJournal announced in Nov 2017 that they were going to cease publication; with some timely intervention by Private Internet Access they are going to be able to continue operation and are currently soliciting feedback for improving the magazine in the future. In a blog post, the team at LinuxJournal wrote: Talk about a Happy New Year. The reason: it turns out we're not dead. In fact, we're more alive than ever, thanks to a rescue by readers -- specifically, by the hackers who run Private Internet Access (PIA) VPN, a London Trust Media company. PIA are avid supporters of freenode and the larger FOSS community. They're also all about Linux and the rest of the modern portfolio of allied concerns: privacy, crypto, freedom, personal agency, rewriting the rules of business and government around all of those, and having fun with constructive hacking of all kinds. We couldn't have asked for a better rescue ship to come along for us. In addition, they aren't merely rescuing this ship we were ready to scuttle; they're making it seaworthy again and are committed to making it bigger and better than we were ever in a position to think about during our entirely self-funded past.

New Year's Resolutions For Linux Admins: Automate More, Learn New Languages

An anonymous reader writes: A long-time Unix sys-admin is suggesting 18 different New Year's resolutions for Linux systems administrators. And #1 is to automate more of your boring stuff. "There are several good reasons to turn tedious tasks into scripts. The first is to make them less annoying. The second is to make them less error-prone. And the last is to make them easier to turn over to new team members who haven't been around long enough to be bored. Add a small dose of meaningful comments to your scripts and you have a better chance of passing on some of your wisdom about how things should be done."

Along with that, they suggest learning a new scripting language. "It's easy to keep using the same tools you've been using for decades (I should know), but you might have more fun and more relevance in the long run if you teach yourself a new scripting language. If you've got bash and Perl down pat, consider adding Python or Ruby or some other new language to your mix of skills."

Other suggestions include trying a new distro -- many of which can now be run in "live mode" on a USB drive -- and investigating the security procedures of cloud services (described in the article as "trusting an outside organization with our data").

"And don't forget... There are now only 20 years until 2038 -- The Unix/Linux clockpocalypse."


FSF Adds PureOS To List of Endorsed GNU/Linux Distributions

Long-time Slashdot reader donaldrobertson writes: The Free Software Foundation on Thursday announced PureOS as an endorsed GNU/Linux distro. PureOS is an operating system focused on privacy, security and ease of use. Endorsement means the system meets the FSF's Free System Distribution Guidelines by providing and promoting only free software, with a dedication to making sure the system always remains free.

Could 2018 Be The Year of the Linux Desktop?

Suren Enfiajyan writes: Red Hat worker and GNOME blogger Christian F.K. Schaller wrote why GNU/Linux failed to become a mainstream desktop OS... "My thesis is that there really isn't one reason, but rather a range of issues that all have contributed to holding the Linux Desktop back from reaching a bigger market. Also to put this into context, success here in my mind would be having something like 10% market share of desktop systems. That to me means we reached critical mass."

He named the following reasons:

- A fragmented market
- Lack of special applications
- Lack of big name applications
- Lack of API and ABI stability
- Apple's resurgence
- Microsoft's aggressive response
- Windows piracy
- Red Hat mostly stayed away
- Canonical's business model not working out
- Lack of original device manufacturer support

Then he ended with some optimism:

"So anyone who has read my blog posts probably knows I am an optimist by nature. This isn't just some kind of genetic disposition towards optimism, but also a philosophical belief that optimism breeds opportunity while pessimism breeds failure. So just because we haven't gotten the Linux Desktop to 10% marketshare so far doesn't mean it will not happen going forward. It just means we haven't achieved it so far.

"One of the key identifiers of open source is that it is incredibly hard to kill, because unlike proprietary software, just because a company goes out of business or decides to shut down a part of its business, the software doesn't go away or stop getting developed. As long as there is a strong community interested in pushing it forward it remains and evolves, and thus when opportunity comes knocking again it is ready to try again."

The essay concludes desktop Linux has evolved and is ready to try again, since from a technical perspective it's better than ever. "The level of polish is higher than ever before, the level of hardware support is better than ever before and the range of software available is better than ever before...

"There is also the chance that it will come in a shape we don't appreciate today. For instance maybe ChromeOS evolves into a more full fledged operating system as it grows in popularity and thus ends up being the Linux on the Desktop end game? Or maybe Valve decides to relaunch their SteamOS effort and it provides the foundation for a major general desktop growth? Or maybe market opportunities arise that will cause us at Red Hat to decide to go after the desktop market in a wider sense than we do today? Or maybe Endless succeeds with their vision for a Linux desktop operating system...."

Fleeing Google's Apps and iOS, Mandrake Linux Creator Launches 'eelo' Project

Open-source veteran Gaël Duval created Mandrake Linux in 1998. But in a new essay, he writes that "I realized that I had become lazy. Not only wasn't I using Linux anymore as my main operating system, but I was using a proprietary OS on my smartphone. And I was using Google more and more."

Long-time Slashdot reader nuand999 writes: He's creating a non-profit project called that's going to release a "privacy-friendly" smartphone OS and associated web-services... eelo is going to be forked from LineageOS, and will ship with the existing open source bricks put together into a consistent and privacy-enhanced, yet desirable, smartphone OS + web-services. A crowdfunding campaign has just started on Kickstarter to fuel early developments.
"iOS is proprietary and I prefer Open Source Software," Gaël writes on Hacker Noon, while also adding that "like millions of others, I'VE BECOME A PRODUCT OF GOOGLE... I'm not happy because Google has become too big and is tracking us by catching a lot of information about what we do. They want to know us as much as possible to sell advertising..."

"People are free to do what they want. They can choose to be voluntary slaves. But I do not want this situation for me anymore. I want to reconquer my privacy. My data is MY data. And I want to use Open Source software as much as possible."

Court Throws Out Grsecurity Libel Lawsuit Against Bruce Perens

Long-time Slashdot reader SlaveToTheGrind writes: As previously discussed on Slashdot, Grsecurity developer Open Source Security sued Bruce Perens for allegedly defamatory statements about Grsecurity's licensing policies. Thursday, Magistrate Judge Laurel Beeler of the District Court for the Northern District of California dismissed the lawsuit, holding that Perens's statements were not libelous:

"Mr. Perens counters, and the court agrees, that the blog posts are opinions about a disputed legal issue, are not false assertions of fact, and thus are not actionable libel. . . . Mr. Perens -- who is not a lawyer -- voiced an opinion about whether the Grsecurity Access Agreement violated the General Public License. No court has addressed the legal issue. Thus, his 'opinion' is not a 'fact' that can be proven provably false and thus is not actionable as defamation."

While Open Source Security technically has the ability to amend its complaint to allege a new legal theory, Judge Beeler said any amendment likely would fall under California's anti-SLAPP statute: "Mr. Perens's statements were made in a public forum and concern issues of public interest, and the plaintiffs have not shown a probability of prevailing on their claims."


PSA: Spotify Now Available As a Snap For Linux

BrianFagioli shares a report from BetaNews: Speaking of Spotify, the most popular streaming music service in the world has long supported Linux-based operating systems. Installing the official app was not an easy affair, however. Today this changes, as installation gets much simpler. You see, Spotify is now officially available as a Snap for easy installation on any Snap-supporting operating systems such as Ubuntu and Linux Mint. Canonical, the creator of both Ubuntu and Snaps, explains, "Snaps are containerized software packages designed to work perfectly and securely in any Linux environment. As well as supporting all major Linux systems from a single build, snaps can be also updated or rolled back automatically to ensure that users are always benefiting from the latest version of the application. Since their launch last year, close to 2,500 snaps have been released by developers as they adopt the format for its reliability and security."

Jamie Bennett, VP of Engineering, Devices & IoT, Canonical says, "In launching their own snap, Spotify has ensured that their users in the Linux ecosystem are now able to enjoy the latest version of their leading music streaming application as soon as it's released regardless of which distribution they are using. We're glad to welcome Spotify to the snaps ecosystem and look forward to unveiling more leading snaps in 2018."


Ubuntu 17.10 Temporarily Pulled Due To A BIOS Corrupting Problem

An anonymous reader writes: Canonical has temporarily pulled the download links for Ubuntu 17.10 "Artful Aardvark" from the Ubuntu website due to ongoing reports of some laptops finding their BIOS corrupted after installing this latest Ubuntu release. The issue is appearing most frequently with Lenovo laptops but there are also reports of issues with other laptop vendors as well. This issue appears to stem from the Intel SPI driver in the 17.10's Linux 4.13 kernel corrupting the BIOS for a select number of laptop motherboards. Canonical is aware of this issue and is planning to disable the Intel SPI drivers in their kernel builds. Canonical's hardware enablement team has already verified this works around the problem, but doesn't provide any benefit if your BIOS is already corrupted.

Can Intel's 'Management Engine' Be Repurposed?

Long-time Slashdot reader iamacat writes: Not a day goes by without a story about another Intel Management Engine vulnerability. What I get is that a lot of consumer PCs can access network and run x86 code on top of UNIX-like OS such as Minix even when powered off.

This sounds pretty useful for tasks such as running an occasional use Plex server. Like I can have a box that draws very little power when idle. But when an incoming connection is detected, it can power itself and the media drive on and serve the requested content.

The original submission ends with an interesting question. "If Intel ME is so insecure, how do I exploit it for practically useful purposes?"

Why Linux HDCP Isn't the End of the World

"There is no reason for the open-source community to worry..." writes Daniel Stone, who heads the graphics team at open-source consultancy Collabora. mfilion quotes: Recently, Sean Paul from Google's ChromeOS team submitted a patch series to enable HDCP support for the Intel display driver. HDCP is used to encrypt content over HDMI and DisplayPort links, which can only be decoded by trusted devices... However, if you already run your own code on a free device, HDCP is an irrelevance and does not reduce freedom in any way....

HDCP support is implemented almost entirely in the hardware. Rather than adding a mandatory encryption layer for content, the HDCP kernel support is dormant unless userspace explicitly requests an encrypted link. It then attempts to enable encryption in the hardware and informs userspace of the result. So there's the first out: if you don't want to use HDCP, then don't enable it! The kernel doesn't force anything on an unwilling userspace.... HDCP is only downstream facing: it allows your computer to trust that the device it has been plugged into is trusted by the HDCP certification authority, and nothing more. It does not reduce user freedom, or impose any additional limitations on device usage.


AMD Is Open-Sourcing Their Official Vulkan Linux Driver

An anonymous reader writes: While many of you have likely heard of the "RADV" open-source Vulkan driver, it's been a community-written driver up to this point in the absence of AMD's official, cross-platform Vulkan driver being open-source. That's now changed with AMD now open-sourcing their official Vulkan driver. The code drop is imminent and they are encouraging the use of it for quick support of new AMD hardware, access to the Radeon GPU Profiler, easy integration of AMD Vulkan extensions, and enabling third-party extensions. For now at least it does provide better Vulkan performance than RADV but the RADV developers have indicated they plan to continue development of their Mesa-based Vulkan driver.

Does Systemd Make Linux Complex, Error-Prone, and Unstable?

"Systemd developers split the community over a tiny detail that decreases stability significantly and increases complexity for not much real value." So argues Nico Schottelius, talking about his experiences as the CEO of a Swiss company providing VM hosting, datacenters, and high-speed fiber internet. Long-time Slashdot reader walterbyrd quotes Nico's essay: While I am writing here in flowery words, the reason to use Devuan is hard calculated costs. We are a small team at ungleich and we simply don't have the time to fix problems caused by systemd on a daily basis. This is even without calculating the security risks that come with systemd. Our objective is to create a great, easy-to-use platform for VM hosting, not to walk a tightrope...

[W]hat the Devuan developers are doing is creating stability. Think about it not in a few repeating systemd bugs or about the insecurity caused by a huge, monolithic piece of software running with root privileges. Why do people favor Linux on servers over Windows? It is very easy: people don't use Windows, because it is too complex, too error prone and not suitable as a stable basis. Read it again. This is exactly what systemd introduces into Linux: error prone complexity and instability. With systemd the main advantage to using Linux is obsolete.

The essay argues that while Devuan foisted another choice into the community, "it is not their fault. Creating Devuan is simply a counteraction to ensure Linux stays stable, which is of high importance for a lot of people."

Updated Debian Linux 9.3 and 8.10 Released

An anonymous reader writes: The Debian project is pleased to announce the third update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available. The Debian project also announces the tenth update of its oldstable distribution Debian 8 (codename jessie).

Please note that the point release does not constitute a new version of Debian 9 or 8 but only updates some of the packages included. There is no need to throw away old jessie or stretch DVD/CD media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror. This stable update adds a few important corrections to packages. New installation images will be available soon at the mirrors. Those who frequently install updates from won't have to update many packages, and most such updates are included in the point release. One can use the apt command or apt-get command to apply updates. A step-by-step update guide is posted here.


Google Wants Progressive Web Apps To Replace Chrome Apps

An anonymous reader quotes a report from Android Police: The Chrome Web Store originally launched in 2010, and serves as a hub for installing apps, extensions, and themes packaged for Chrome. Over a year ago, Google announced that it would phase out Chrome apps on Windows, Mac, and Linux in 2018. Today, the company sent out an email to developers with additional information, as well as news about future Progressive Web App support. The existing schedule is mostly still in place -- Chrome apps on the Web Store will no longer be discoverable for Mac, Windows, and Linux users. In fact, if you visit the store right now on anything but a Chromebook, the Apps page is gone. Google originally planned to remove app support on all platforms (except Chrome OS) entirely by Q1 2018, but Google has decided to transition to Progressive Web Apps:

"The Chrome team is now working to enable Progressive Web Apps (PWAs) to be installed on the desktop. Once this functionality ships (roughly targeting mid-2018), users will be able to install web apps to the desktop and launch them via icons and shortcuts; similar to the way that Chrome Apps can be installed today. In order to enable a more seamless transition from Chrome Apps to the web, Chrome will not fully remove support for Chrome Apps on Windows, Mac or Linux until after Desktop PWA installability becomes available in 2018. Timelines are still rough, but this will be a number of months later than the originally planned deprecation timeline of 'early 2018.' We also recognize that Desktop PWAs will not replace all Chrome App capabilities. We have been investigating ways to simplify the transition for developers that depend on exclusive Chrome App APIs, and will continue to focus on this -- in particular the Sockets, HID and Serial APIs."


Understanding the New Red Hat-IBM-Google-Facebook GPL Enforcement Announcement

Bruce Perens co-founded the Open Source Initiative with Eric Raymond -- and he's also Slashdot reader #3872. Bruce Perens writes: Red Hat, IBM, Google, and Facebook announced that they would give infringers of their GPL software up to a 30-day hold-off period during which an accused infringer could cure a GPL violation after one was brought to their attention by the copyright holder, and a 60 day "statute of limitations" on an already-cured infringement when the copyright holder has never notified the infringer of the violation. In both cases, there would be no penalty: no damages, no fees, probably no lawsuit; for the infringer who promptly cures their infringement.
Perens sees the move as "obviously inspired" by the kernel team's earlier announcement, and believes it's directed against one man who made 50 copyright infringement claims involving the Linux kernel "with intent to collect income rather than simply obtain compliance with the GPL license."

Unfortunately, "as far as I can tell, it's Patrick McHardy's legal right to bring such claims regarding the copyrights which he owns, even if it doesn't fit Community Principles which nobody is actually compelled to follow."

Linux Journal Ceases Publication

Not too long after Linus Torvalds wrote his own Unix kernel, which he called Linux, in the summer of 1991, a magazine was founded by enthusiasts to focus on the operating system. For more than two decades Linux Journal has been an authority magazine on all things Linux, often cited by mainstream outlets, but it is now shuttering doors. In a blog post, Linux Journal's Carlie Fairchild writes: It looks like we're at the end, folks. If all goes according to a plan we'd rather not have, the November issue of Linux Journal was our last. The simple fact is that we've run out of money, and options along with it. We never had a wealthy corporate parent or deep pockets of our own, and that made us an anomaly among publishers, from start to finish. While we got to be good at flying close to the ground for a long time, we lost what little elevation we had in November, when the scale finally tipped irrevocably to the negative. Thanks for all the fish.

System76 Will Disable Intel Management Engine On Its Linux Laptops

System76 is rolling out a firmware update for its recent laptops that will disable the Intel Management Engine altogether. The decision comes after a major security vulnerability was discovered that would allow an attacker with local access to execute arbitrary code. Liliputing reports: What's noteworthy in the System76 announcement is that the PC maker isn't just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME "provides no functionality for System76 laptop customers and is safe to disable." Right now the firmware update will only be available for computers running Ubuntu 16.04 or later or a related operating system with the System76 driver. But the company says it's working on developing a command line tool that should work on laptops running other GNU/Linux-based operating systems. System76 says it will also release an update for its desktop computers... but on those machines the update will patch the security vulnerability rather than disabling Intel ME altogether.
