lwn.net

Security updates have been issued by Arch Linux (kernel and linux-lts), Debian (chromium-browser and mono), Oracle (firefox), and Ubuntu (curl).

Richard Fontana has a long history working with open-source licenses in commercial environments. He came to the 2018 Open Source Summit Europe with a talk that, he said, had never before been presented outside of "secret assemblies of lawyers"; it gave an interesting view of licenses as resources that are shared within the community and the risks that this shared nature may present. While our licenses have many good properties, including a de facto standardization role, those properties come with some unique and increasing risks when it comes to litigation.

Over at the Collabora blog, Erik Faye-Lund writes about Zink, which is an effort to create an OpenGL driver on top of Vulkan that he has been working on with Dave Airlie. "One problem is that OpenGL is a big API with a lot of legacy stuff that has accumulated since its initial release in 1992. OpenGL is well-established as a requirement for applications and desktop compositors. But since the very successful release of Vulkan, we now have two main-stream APIs for essentially the same hardware functionality. It's not looking like neither OpenGL nor Vulkan is going away, and the software-world is now hard at work implementing Vulkan support everywhere, which is great. But this leads to complexity. So my hope is that we can simplify things here, by only require things like desktop compositors to support one API down the road. We're not there yet, though; not all hardware has a Vulkan-driver, and some older hardware can't even support it. But at some point in the not too far future, we'll probably get there. This means there might be a future where OpenGL's role could purely be one of legacy application compatibility. Perhaps Zink can help making that future a bit closer?"

Security updates have been issued by Debian (phpldapadmin, poppler, and tzdata), Fedora (firefox, java-11-openjdk, libarchive, sos-collector, and teeworlds), Scientific Linux (java-1.7.0-openjdk, python-paramiko, and thunderbird), Slackware (curl), and SUSE (kernel, MozillaFirefox, MozillaFirefox-branding-SLE, llvm4, mozilla-nspr, mozilla-nss, apache2-mod_nss, and wireshark).

The LWN.net Weekly Edition for November 1, 2018 is available.

The "systemd question" has roiled Debian multiple times over the years, but things had mostly been quiet on that front of late. The Devuan distribution is a Debian derivative that has removed systemd; many of the vocal anti-systemd Debian developers have switched, which helps reduce the friction on the Debian mailing lists. But that seems to have led to support for init system alternatives (and System V init in particular) to bitrot in Debian. There are signs that a bit of reconciliation between Debian and Devuan will help fix that problem.

The development of the web was a huge "sea change" in the history of the internet. The web is what brought the masses to this huge worldwide network—for good or ill. It is unlikely that Tim Berners-Lee foresaw all of that when he came up with HTTP and HTML as part of his work at CERN, but he has been in a prime spot to watch the web unfold since 1989. His latest project, Solid, is meant to allow users to claim authority over the personal data that they provide to various internet giants.

Security updates have been issued by Arch Linux (gitlab), Debian (gnutls28), Fedora (audiofile, coreutils, firefox, hesiod, kernel, kernel-headers, kernel-tools, libssh, lighttpd, mosquitto, opencc, patch, php-horde-nag, sos-collector, strongswan, and thunderbird), Gentoo (libxkbcommon, mutt-1.10, postgresql, systemd, xen, and xorg-server), Mageia (curl, libtiff, samba, spamassassin, and unzip), Oracle (java-1.7.0-openjdk and python-paramiko), Red Hat (git, glusterfs, java-1.7.0-openjdk, libvirt, python-paramiko, qemu-kvm, thunderbird, and xorg-x11-server), SUSE (apache2, apache2-mod_nss, audiofile, libarchive, and ntfs-3g_ntfsprogs), and Ubuntu (curl, ghostscript, and openjdk-8, openjdk-lts).

Version 3.2 of the Bison parser generator is out. "Massive improvements were brought to the deterministic C++ skeleton, lalr1.cc. When variants are enabled and the compiler supports C++11 or better, move-only types can now be used for semantic values. C++98 support is not deprecated."

Version 1.11.0 of the Subversion source-code management system is out. Changes include improvements to the shelving feature, better resolution of merge conflicts, an experimental checkpointing feature, and more; see the release notes for details.

Red Hat has announced the release of Red Hat Enterprise Linux 7.6, "a consistent hybrid cloud foundation for enterprise IT built on open source innovation. Red Hat Enterprise Linux 7.6 is designed to enable organizations to better keep pace with emerging cloud-native technologies while still supporting stable IT operations across enterprise IT’s four footprints."

Security updates have been issued by CentOS (xorg-x11-server), Debian (xen), Red Hat (389-ds-base, binutils, curl and nss-pem, fuse, glibc, glusterfs, GNOME, gnutls, jasper, java-1.7.0-openjdk, kernel, kernel-alt, kernel-rt, krb5, libcdio, libkdcraw, libmspack, libreoffice, libvirt, openssl, ovmf, python, python-paramiko, qemu-kvm, qemu-kvm-ma, samba, setup, sssd, wget, wpa_supplicant, X.org X11, xerces-c, zsh, and zziplib), and SUSE (ardana-monasca, ardana-spark, kafka, kafka-kit, openstack-monasca-api, python, python-base, python-cryptography, python-Django, and qemu).

The Fedora 29 release is available. "This release is particularly exciting because it’s the first to include the Fedora Modularity feature across all our different variants. Modularity lets us ship different versions of packages on the same Fedora base. This means you no longer need to make your whole OS upgrade decisions based on individual package versions."

People searching for a hardened Linux distribution have a wide range to choose from: they can use one of the security-focused offerings, or they can, with sufficient expertise, simply apply hardening patches and build everything to their taste. Such systems, of which Qubes OS is a good example, usually concentrate on the user's privacy. Recently, the French cybersecurity agency (ANSSI) released the source code for CLIP OS, its hardened operating system based on Linux. CLIP OS has been in development for more than ten years and, while sharing many elements with other hardened Linux distributions, this one is targeted to different needs: the focus is on providing maximum isolation between confidentiality levels and different users of the same system. As an illustration: the administrator is not able to access other users' data.

Security updates have been issued by Arch Linux (xorg-server), Debian (graphicsmagick, libmspack, paramiko, ruby2.1, teeworlds, and tiff), Fedora (lldpad), Mageia (bitcoin, blueman, busybox, dhcp, exempi, firefox, kernel, kernel-linus, kernel-tmb, lilypond, ruby, and x11-server), openSUSE (audiofile, clamav, hostapd, ImageMagick, lcms2, libgit2, mercurial, net-snmp, and wpa_supplicant), SUSE (audiofile, binutils, kdelibs3, lcms2, mysql, openssh, and xen), and Ubuntu (mysql-5.5 and xorg-server, xorg-server-hwe-16.04).

Bloomberg is reporting that IBM has agreed to acquire Red Hat for over $33 billion. "International Business Machines Corp. will pay $190 a share in cash for Raleigh, North Carolina-based Red Hat, according to a statement from the companies Sunday, confirming an earlier Bloomberg News report. That’s a 63 percent premium over Red Hat’s closing price of $116.68 per share on Friday."

The kernel, in theory, puts strict limits on which functions and data structures are available to loadable kernel modules; only those that have been explicitly exported with EXPORT_SYMBOL() or EXPORT_SYMBOL_GPL() are accessible. In the case of EXPORT_SYMBOL_GPL(), only modules that declare a GPL-compatible license will be able to see the symbol. There have been questions about when EXPORT_SYMBOL_GPL() should be used for almost as long as it has existed. The latest attempt to answer those questions was a session run by Greg Kroah-Hartman at the 2018 Kernel Maintainers Summit; that session offered little in the way of general guidance, but it did address one specific case.

The kernel supports a wide range of hardware. Or, at least, the kernel contains drivers for a lot of hardware, but the hardware for which many of those drivers was written is old and, perhaps, no longer in actual use. Some of those drivers would certainly no longer work even if the hardware could be found. These drivers provide no value, but they are still an ongoing maintenance burden; it would be better to simply remove them from the kernel. But identifying which drivers can go is not as easy as one might think. Arnd Bergmann led an inconclusive session on this topic at the 2018 Kernel Maintainers Summit.

Linus Torvalds has returned as the keeper of the mainline kernel repository, and the merge window for the next release which, depending on his mood, could be called either 4.20 or 5.0, is well underway. As of this writing, 5,735 non-merge changesets have been pulled for this release; experience suggests that we are thus at roughly the halfway point.

Security updates have been issued by Arch Linux (firefox), CentOS (firefox), Debian (389-ds-base, openjdk-8, thunderbird, and xorg-server), Fedora (firefox), openSUSE (GraphicsMagick, jhead, mysql-community-server, ntp, postgresql96, python-cryptography, rust, tomcat, webkit2gtk3, and zziplib), Scientific Linux (firefox), and SUSE (clamav, firefox, ImageMagick, libgit2, net-snmp, smt, wpa_supplicant, and xorg-x11-server).