lwn.net

Security updates have been issued by Debian (chromium, mailman, openjpeg2, ruby-rack, squid3, tomcat8, and xen), Fedora (botan2, kernel, LibRaw, mingw-OpenEXR, mingw-podofo, podofo, seamonkey, squid, and webkit2gtk3), Mageia (ffmpeg, mbedtls, mediawiki, and xpdf), Oracle (kernel), Red Hat (bind, dbus, jbig2dec, and rh-nodejs12-nodejs), and SUSE (graphviz and xen).

The 5.8-rc5 kernel prepatch is out for testing; it's a relatively large set of changes. "Maybe I'm in denial, but I still think we might hit the usual release schedule. A few more weeks to go before I need to make that decision, so it won't be keeping me up at night."

For years, Windows PHP users have enjoyed builds provided directly by Microsoft. The company has contributed to the PHP project in many ways, with the binaries made available on windows.php.net being the most visible. Recently Microsoft Project Manager Dale Hirt announced that, beginning with PHP 8.0, Microsoft support for PHP on Windows would end.

Connecting one source of data to another isn't always easy because of different standards, data formats, and APIs to contend with, among the many challenges. One of the groups that is trying to help with the challenge of data interoperability is the Linux Foundation's Open Data Platform initiative (ODPi). At the 2020 Open Source Summit North America virtual event on July 2, ODPi Technical Steering Committee chairperson Mandy Chessell outlined the goals of ODPi and the projects that are part of it. She also described how ODPi is taking an open-source development approach to make data more easily accessible.

Security updates have been issued by Fedora (curl, LibRaw, python-pillow, and python36), Mageia (coturn, samba, and vino), openSUSE (opera), and Ubuntu (openssl).

The LibreOffice project would seem to be on a roll. It produces what is widely seen as the leading free office-productivity suite, and has managed to move out of the shadow of the moribund (but brand-recognized) Apache OpenOffice project. The LibreOffice 7 release is coming within a month, and the tenth anniversary of the founding of the Document Foundation arrives in September. Meanwhile, LibreOffice Online is taking off and, seemingly, seeing some market success. So it is a bit surprising to see the project's core developers in a sort of crisis mode while users worry about a tag that showed up in the project's repository.

Greg Kroah-Hartman has announced the release of the 5.7.8, 5.4.51, 4.19.132, 4.14.188, 4.9.230, and 4.4.230 stable kernels. As usual, these all contain important fixes; users should upgrade.

Security updates have been issued by CentOS (firefox), Debian (ffmpeg, fwupd, ruby2.5, and shiro), Fedora (freerdp, gssdp, gupnp, mingw-pcre2, remmina, and xrdp), openSUSE (chocolate-doom), Oracle (firefox and kernel), and Ubuntu (linux, linux-lts-xenial, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon and thunderbird).

The LWN.net Weekly Edition for July 9, 2020 is available.

The Linux Mint project has made good on previous threats to actively prevent Ubuntu Snap packages from being installed through the APT package-management system without the user's consent. This move is the result of "major worries" from Linux Mint on Snap's impact with regard to user choice and software freedom. Ubuntu's parent company, Canonical, seems open to finding a solution to satisfy the popular distribution's concerns — but it too has interests to consider.

Security updates have been issued by Debian (roundcube), Fedora (chromium, firefox, and ngircd), Oracle (firefox and thunderbird), Scientific Linux (firefox), Slackware (seamonkey), SUSE (djvulibre, ffmpeg, firefox, freetds, gd, gstreamer-plugins-base, icu, java-11-openjdk, libEMF, libexif, librsvg, LibVNCServer, libvpx, Mesa, nasm, nmap, opencv, osc, perl, php7, python-ecdsa, SDL2, texlive-filesystem, and thunderbird), and Ubuntu (cinder, python-os-brick).

Google has announced the creation of the Open Usage Commons, which is intended to help open-source projects manage their trademarks. From the organization's own announcement: "We created the Open Usage Commons because free and fair open source trademark use is critical to the long-term sustainability of open source. However, understanding and managing trademarks takes more legal know-how than most project maintainers can do themselves. The Open Usage Commons is therefore dedicated to creating a model where everyone in the open source chain – from project maintainers to downstream users to ecosystem companies – has peace of mind around trademark usage and management. The projects in the Open Usage Commons will receive support specific to trademark protection and management, usage guidelines, and conformance testing." Initial members include the Angular, Gerrit, and Istio projects.

The Cloudflare blog is running an overview of sandboxing with seccomp(), culminating in a tool written there to sandbox any existing program. "We really liked the 'zero code seccomp' approach with systemd SystemCallFilter= directive, but were not satisfied with its limitations. We decided to take it one step further and make it possible to prohibit any system call in any process externally without touching its source code, so came up with the Cloudflare sandbox. It’s a simple standalone toolkit consisting of a shared library and an executable. The shared library is supposed to be used with dynamically linked applications and the executable is for statically linked applications."

Static web-site generators take page content written in a markup language and render it into fully baked HTML, making it easy for developers to upload the result and serve a web site simply and securely. This article looks at Hugo, a static-site generator written in Go and optimized for speed. It is a flexible tool that can be configured for a variety of use cases: simple blogs, project documentation, larger news sites, and even government services.

When support for classic BPF was added to the kernel many years ago, there was no question of whether BPF programs could block in their execution. Their functionality was limited to examining a packet's contents and deciding whether the packet should be forwarded or not; there was nothing such a program could do to block. Since then, BPF has changed a lot, but the assumption that BPF programs cannot sleep has been built deeply into the BPF machinery. More recently, classic BPF has been pushed aside by the extended BPF dialect; the wider applicability of extended BPF is now forcing a rethink of some basic assumptions.

Security updates have been issued by Debian (php7.3), Fedora (gst), Mageia (libvirt, mariadb, pdns-recursor, and ruby), openSUSE (chocolate-doom, coturn, kernel, live555, ntp, python3, and rust, rust-cbindgen), Oracle (virt:ol), Red Hat (file, firefox, gettext, kdelibs, kernel, kernel-alt, microcode_ctl, nghttp2, nodejs:10, nodejs:12, php, qemu-kvm, ruby, and tomcat), SUSE (libjpeg-turbo, mozilla-nspr, mozilla-nss, mozilla-nss, nasm, openldap2, and permissions), and Ubuntu (coturn, glibc, nss, and openexr).

The Home Assistant project has released version 0.112 of the open-source home automation hub we have previously covered, which is the eighth release of the project this year. While previous releases have largely focused on new integrations and enhancements to the front-end interface, in this release the focus has shifted more toward improving the performance of the database. It is important to be aware that there are significant database changes and multiple potential backward compatibility breaks to understand before attempting an upgrade to take advantage of the improvements.

Security updates have been issued by Debian (chromium, php7.0, and thunderbird), Fedora (ceph, gssdp, gupnp, libfilezilla, libldb, mediawiki, python-pillow, python36, samba, and xpdf), Mageia (curl, docker, firefox, libexif, libupnp, libvncserver, libxml2, mailman, ntp, perl-YAML, python-httplib2, tcpreplay, tomcat, and vlc), openSUSE (chocolate-doom, python3, and Virtualbox), Slackware (libvorbis), and SUSE (mozilla-nspr, mozilla-nss, systemd, tomcat, and zstd).

The 5.8-rc4 kernel prepatch is out for testing. "The end result is that it's been fairly calm, and there's certainly been discussion of upcoming fixes, but I still have the feeling that 5.8 is looking fairly normal and things are developing smoothly despite the size of this release."

Dan Book has done a detailed analysis of the Perl 7 transition. "Large amount of CPAN modules will not work in Perl 7; plans for working around this would either involve every affected CPAN author, which is a virtual impossibility for the stated 1 year time frame; or the toolchain group, a loose group of people who each maintain various modules and systems that are necessary for CPAN to function, who either have not been consulted as of yet or have not revealed their plans related to the tools they maintain. Going into this potential problem sufficiently would be longer than this blog post, but suffice to say that a Perl where highly used CPAN modules don't seamlessly work is not Perl."