
Feed aggregator

Linux 5.0, Canonical Update, openSUSE Board Elections, Women and Girls in Science, European Astro-Pi Challenge

Linux Journal - Mon, 02/11/2019 - 11:43

Release candidate 6 of the highly anticipated Linux 5.0 kernel was just released. You can view the changeset for 5.0-rc6 here.

Canonical issued an update (USN-3878-3) and a formal apology for a recent kernel update regression that prevented systems with certain graphics chipsets from booting.

A stable version of Chrome OS 72 was just released on Friday which introduces better access to external storage, touchscreen optimizations for tablet mode and more.

There are only a few days left to cast your ballot in the 2018-2019 openSUSE board elections. Be sure to get your vote in.

Today, the Raspberry Pi Foundation and ESA Education are celebrating the International Day of Women and Girls in Science, and to mark the occasion, astronaut Jenni Sidey is helping to kick off the European Astro-Pi challenge. While the challenge itself is not limited to female contestants, it will hopefully encourage more women and girls to participate.

Tags: News
Categories: Linux News

Easier Python paths with pathlib

Linux Journal - Mon, 02/11/2019 - 07:30
by Reuven M. Lerner

A look at the benefits of using pathlib, the "object-oriented way of dealing with paths".

Working with files is one of the most common things developers do. After all, you often want to read from files (to read information saved by other users, sessions or programs) or write to files (to record data for other users, sessions or programs).

Of course, files are located inside directories. Navigating through directories, finding files in those directories, and even extracting information about directories (and the files within them) might be common, but they're often frustrating to deal with. In Python, a number of different modules and objects provide such functionality, including os.path, os.stat and glob.

This isn't necessarily bad; the fact is that Python developers have used this combination of modules, methods and files for quite some time. But if you ever felt like it was a bit clunky or old-fashioned, you're not alone.

Indeed, it turns out that for several years already, Python's standard library has come with the pathlib module, which makes it easier to work with directories and files. I say "it turns out", because although I might be a long-time developer and instructor, I discovered "pathlib" only in the past few months—and I must admit, I'm completely smitten.

pathlib has been described as an object-oriented way of dealing with paths, and that description seems apt to me. Rather than working with strings, you work with "Path" objects, which lets you call all of your favorite path- and file-related functionality as methods, and which also papers over the differences between operating systems.

So in this article, I take a look at pathlib, comparing the ways you might have done things before to how pathlib allows you to do them now.

pathlib Basics

If you want to work with pathlib, you'll need to load it into your Python session. You should start with:

import pathlib

Note that if you plan to use certain names from within pathlib on a regular basis, you'll probably want to use from-import. However, I strongly recommend against saying from pathlib import *, which will indeed have the benefit of importing all of the module's names into the current namespace, but it'll also have the negative effect of importing all of the module's names into the current namespace. In short, import only what you need.

Now that you've done that, you can create a new Path object. This allows you to represent a file or directory. You can create it with a string, just as you might do a path (or filename) in more traditional Python code:

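Path objects make the usual file-serving check, "does this user-supplied path stay inside my base directory?", short to write and hard to get wrong. The block below is an added example for this article, not code from it or from Python's documentation; the "uploads" directory, the files and the symlink it creates are constructed in a temporary directory so it runs anywhere. It resolves both sides before comparing, which is what catches `..` components and symlinks that point outside the base (a raw string prefix comparison would not).

```python
"""Confining user-supplied paths to a base directory with pathlib.

Added example for this article; not code from the original page. The
directory layout, file names and sample inputs are constructed here.
"""
import tempfile
from pathlib import Path


def safe_join(base, user_path):
    """Return base/user_path fully resolved, or raise ValueError if it escapes.

    Both sides are resolved so that symlinks and '..' components are applied
    before the containment check; comparing raw strings would let
    'files/../../etc/passwd' or a symlink inside base slip through.
    """
    base = Path(base).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)   # raises ValueError when outside base
    except ValueError:
        raise ValueError("%r escapes %s" % (user_path, base)) from None
    return candidate


def list_files(base, pattern="*"):
    """Names of regular files directly under base, via Path.glob()."""
    return sorted(p.name for p in Path(base).glob(pattern) if p.is_file())


def demo():
    """Build a throwaway tree, try benign and hostile paths, return results."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "uploads"
        base.mkdir()
        (base / "report.txt").write_text("ok")
        outside = Path(tmp) / "secret.txt"
        outside.write_text("not for you")
        (base / "link").symlink_to(outside)   # symlink inside base, target outside

        results = {}
        for p in ["report.txt", "../secret.txt", "link", "sub/../report.txt"]:
            try:
                results[p] = safe_join(base, p).name
            except ValueError:
                results[p] = "rejected"
        results["files"] = list_files(base)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, value))
```

Note that `sub/../report.txt` is accepted: the `..` is harmless because the resolved result still lies under the base, which is exactly the distinction a lexical "reject anything containing .." rule gets wrong in both directions. On Python 3.9 and later, `Path.is_relative_to()` expresses the same check without the try/except.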
Categories: Linux News

Weekend Reading: Containers

Linux Journal - Sat, 02/09/2019 - 07:37
by Carlie Fairchild

The software enabling container technology comes in many forms, with Docker the most popular. The recent rise in popularity of containers within the data center is a direct result of their portability and their ability to isolate working environments, which limits their impact on, and overall footprint in, the underlying computing system. To understand the technology completely, you first need to understand the many pieces that make it all possible. Join us this weekend as we learn about containers.

Before we get started, many ask what the difference is between a container and a virtual machine. Editor Petros Koutoupis explains: both have a specific purpose and place, with very little overlap, and one doesn't obsolete the other. A container is meant to be a lightweight environment that you spin up to host one or a few isolated applications at bare-metal performance. You should opt for a virtual machine when you want to host an entire operating system or ecosystem, or to run applications incompatible with the underlying environment.

Everything You Need to Know about Linux Containers, Part I: Linux Control Groups and Process Isolation

Truth be told, certain software applications in the wild may need to be controlled or limited, at least for the sake of stability and, to some degree, security. Far too often, a bug or just bad code can disrupt an entire machine and potentially cripple an entire ecosystem. Fortunately, a way exists to keep those same applications in check. Control groups (cgroups) are a kernel feature that limits, accounts for and isolates the CPU, memory, disk I/O and network usage of one or more processes.
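Putting a process under a memory cap, and reading back what the kernel reports, is a few file writes. The block below is an added example, not code from the article series; it assumes the unified cgroup v2 hierarchy mounted at /sys/fs/cgroup and enough privilege (root, or a delegated subtree) to create a child group there. The group name "demo", the 256 MiB cap and the sample interface-file contents are constructed; the parsing helpers work on plain text, so they can be exercised without privileges.

```python
"""Confining a process with a cgroup v2 memory cap, and reading the result.

Added example, not code from the article series. Assumptions: the unified
cgroup v2 hierarchy is mounted at /sys/fs/cgroup and the caller may create
a child group there (root, or a delegated subtree). The parsing helpers
operate on text, so they also work on constructed input without privileges.
"""
import os
from pathlib import Path

CGROUP_ROOT = Path("/sys/fs/cgroup")   # assumption: cgroup v2 mount point


def parse_proc_cgroup(text):
    """Return the v2 cgroup path from the text of /proc/<pid>/cgroup.

    Under cgroup v2 the file holds one line, '0::/path'. On a hybrid system,
    v1 controllers add lines such as '4:memory:/path', which are skipped.
    """
    for line in text.splitlines():
        if not line:
            continue
        hierarchy_id, controllers, path = line.split(":", 2)
        if hierarchy_id == "0" and controllers == "":
            return path
    return None


def parse_memory_max(text):
    """Interpret memory.max: the literal 'max' is unlimited (None), else bytes."""
    value = text.strip()
    return None if value == "max" else int(value)


def parse_memory_events(text):
    """Parse memory.events, e.g. 'low 0\\nhigh 3\\nmax 1\\noom 1\\noom_kill 1'.

    A non-zero oom_kill means the cap was hit hard enough to kill a task;
    'max' counts how often the group ran into memory.max.
    """
    events = {}
    for line in text.splitlines():
        if line:
            key, count = line.split()
            events[key] = int(count)
    return events


def confine(name, pid, mem_bytes, root=CGROUP_ROOT):
    """Create root/name, cap its memory and move pid into it (needs privileges).

    Writing a pid to cgroup.procs migrates that process; children it forks
    afterwards inherit the group and therefore the cap.
    """
    group = root / name
    group.mkdir(exist_ok=True)
    (group / "memory.max").write_text(str(mem_bytes))
    (group / "cgroup.procs").write_text(str(pid))
    return group


if __name__ == "__main__":
    me = Path("/proc/self/cgroup").read_text()
    print("pid", os.getpid(), "lives in cgroup", parse_proc_cgroup(me))
    # On a host where you control the hierarchy, cap this process at 256 MiB:
    # group = confine("demo", os.getpid(), 256 * 1024 * 1024)
    # print(parse_memory_max((group / "memory.max").read_text()))
```

The cap is enforced by the kernel, not the process: once the group's usage reaches memory.max the kernel reclaims, and if that fails it invokes the OOM killer inside the group only, which is the isolation property the paragraph above describes.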

Everything You Need to Know about Linux Containers, Part II: Working with Linux Containers (LXC)

Part I of this Deep Dive on containers introduces the idea of kernel control groups, or cgroups, and the way you can isolate, limit and monitor selected userspace applications. Here, I dive a bit deeper and focus on the next step of process isolation—that is, through containers, and more specifically, the Linux Containers (LXC) framework.

Categories: Linux News

Microsoft Joins the OpenChain Project, Google Open-Sources ClusterFuzz, New Android Vulnerability, FSF Gives the Vikings D8 Mainboard and Workstation Its "Respect Your Freedom" Endorsement, and Fedora Is Redesigning Its Logo

Linux Journal - Fri, 02/08/2019 - 09:37

News briefs for February 8, 2019.

Microsoft has joined the OpenChain Project, "which builds trust in open source by making open source license compliance simpler and more consistent". Uber, Google and Facebook joined it last month. According to the announcement, "By joining OpenChain, Microsoft will help create best practices and define standards for open source software compliance, so that its customers have even greater choice and opportunity to bridge Microsoft and other technologies together in heterogeneous environments."

Google today announced it is open-sourcing ClusterFuzz and making it available for anyone to use. Fuzzing is "an automated method for detecting bugs in software that works by feeding unexpected inputs to a target program", and it's "effective at finding memory corruption bugs". ClusterFuzz, "a fuzzing infrastructure running on over 25,000 cores", was written to aid in the Chrome development process. You can check it out at the ClusterFuzz GitHub repository.

A security vulnerability discovered in Android gives attackers access to your phone if you open a .png file. ZDNet reports that "All it takes to trigger the bug is for attackers to send a crafted, malicious Portable Network Graphic (.PNG) file to a victim's device. Should the user open the file, the exploit is triggered." This bug affects Android versions 7.0 through 9.0; the fix is part of the February 2019 Android security bulletin, so install that month's security update as soon as your device offers it.

The Free Software Foundation has certified new hardware with its "Respect Your Freedom" endorsement: the Vikings D8 mainboard and D8 workstation. According to Phoronix, "The Vikings D8 is a re-branded ASUS KCMA-D8 but flashed with Libreboot+Coreboot to free the hardware down to the BIOS." In addition, "the D8 Workstation also ships with the FSF-approved Trisquel operating system that is free of any Linux binary blobs and proprietary software." See also the FSF post on the Respects Your Freedom certification.

Fedora is redesigning its logo due to issues with its current logo, including "the lack of a single colour variant", "the logo not working well on dark backgrounds", "confusion with other well-known brands, and the use of a proprietary font." See this article by Máirín Duffy for more on the history of the Fedora logo and other details on the change, and also see this post to join the discussion on the new options.

Tags: News, Microsoft, OpenChain Project, Google, ClusterFuzz, Android, Security, FSF, Hardware, Fedora
Categories: Linux News

The Taloflow Instance Manager (Tim)

Linux Journal - Fri, 02/08/2019 - 08:00
by Petros Koutoupis

For years, modern workloads have shifted to the cloud, with AWS being the most popular. And although this shift has cut down operating costs significantly, millions, if not billions, of dollars still are wasted to maintain all those virtual instances—even when they are not in use.

To help alleviate both the burden and headache of managing your cloud-hosted virtual machines, Taloflow built the Taloflow Instance Manager (Tim), which can reduce your expenditures by as much as 40%. Tim monitors your AWS resources and suggests automations that effortlessly save you money in real time.

Taloflow is a Vancouver- and California-based startup, offering a Software-as-a-Service (SaaS) platform that seamlessly integrates into your preferred cloud service provider to set up alerts, capture metrics and automate a list of useful actions. The company is focused solely on bringing artificial intelligence (AI) automation and intelligence to cloud services. Currently, Taloflow is an operation of at least eight talented engineers coming from all business backgrounds (from startups to enterprises).

Figure 1. The Taloflow Team

One of the key differences with Tim is that it works in real time. Unlike its competition, which is focused primarily on accountants and finance departments, Tim takes a bottom-up approach and shifts that focus onto the engineers and operators pulling the levers on these cloud virtual instances. Think of it as a bot or tool helping developers manage their resources and monitor their workflows. Tim provides recommendations to those same engineers on how to optimize performance, as well as cost, in the cloud.

The current implementation of Tim is available under a freemium model. This is intended to encourage early adoption, and it also allows users to hit the ground running and get started quickly. Depending on usage, number of users and the required performance, a paid tier or Enterprise Model eventually will be offered by March 2019.

Tim's basic model runs on Taloflow's own cloud, and depending on the customer's security preferences, the company will offer and provision private instances for each user (under the Enterprise subscription model). This will look like a Kubernetes image running on-premises at the customer site.

Categories: Linux News

LibreOffice 6.2 Officially Available, Raspberry Pi Opens a Store in the UK, Purism Announces Partnership with GDQuest to Create Games for the Librem 5, Three New Snapshots for openSUSE Tumbleweed and Document Your DNA with an RPi Gel Imager

Linux Journal - Thu, 02/07/2019 - 10:37

News briefs for February 7, 2019.

The Document Foundation today announces the official release of LibreOffice 6.2 with NotebookBar. This is a major new release that "features a radical new approach to the user interface—based on the MUFFIN concept—and provides user experience options capable of satisfying all users' preferences, while leveraging all screen sizes in the best way." This version has many new features, including substantial changes to icon themes, tidied-up context menus and improved interoperability with proprietary file formats. See this video for details on all the new features. Note that LibreOffice 6.1.5 also was released today for enterprise-class deployments. You can download LibreOffice 6.2 or LibreOffice 6.1.5 from here.

Raspberry Pi has opened a store in the Grand Arcade, Cambridge, UK. See this video for details and follow #RPiStore for more photos and info.

Purism recently announced a partnership with GDQuest to teach people how to create games for the Librem 5 smartphone using the free/libre Godot game engine. GDQuest founder and game design expert/teacher Nathan Lovato's video series will show how to create and release games on the Librem 5 and then submit them to the PureOS store. See also GDQuest's crowdfunding campaign for information on other tutorial videos and to help support the project.

Three new snapshots were released this week for openSUSE Tumbleweed with updates for ImageMagick, Mesa, Apache, Ceph, Flatpak Builder, Python and more. Bash, glusterfs, libvirt and openconnect got updates this week as well.

You can now document your DNA with a Raspberry Pi gel imager. Make magazine published a step-by-step how-to by Dr. Lindsay V. Clark, so you can make your own imager from a styrofoam box and RPi for around $150, because "Any genetics lab or DIY biohacker needs to be able to visualize DNA and RNA, and a common technique for doing so is agarose gel electrophoresis."

Tags: News, LibreOffice, Raspberry Pi, Purism, gaming, Godot, GDQuest, openSUSE
Categories: Linux News

Disk Encryption for Low-End Hardware

Linux Journal - Thu, 02/07/2019 - 08:15
by Zack Brown

Eric Biggers and Paul Crowley were unhappy with the disk encryption options available for Android on low-end phones and watches. For them, it was an ethical issue. Eric said:

We believe encryption is for everyone, not just those who can afford it. And while it's unknown how long CPUs without AES support will be around, there will likely always be a "low end"; and in any case, it's immensely valuable to provide a software-optimized cipher that doesn't depend on hardware support. Lack of hardware support should not be an excuse for no encryption.

Unfortunately, they were not able to find any existing encryption algorithm that was both fast and secure and that would work with existing Linux kernel infrastructure. They therefore designed the Adiantum encryption mode, which they described in a light, easy-to-read and completely non-mathematical way.

Essentially, Adiantum is not a new cipher; it is built from existing primitives, chiefly the ChaCha stream cipher developed by D. J. Bernstein in 2008, together with AES-256. As Eric put it, "Adiantum is a construction, not a primitive. Its security is reducible to that of XChaCha12 and AES-256, subject to a security bound; the proof is in Section 5 of our paper. Therefore, one need not 'trust' Adiantum; they only need trust XChaCha12 and AES-256."

Eric reported that Adiantum offered a 20% speed improvement over his and Paul's earlier HPolyC encryption mode, and it offered a very slight improvement in actual security.

Eric posted some patches, adding Adiantum to the Linux kernel's crypto API. He remarked, "Some of these patches conflict with the new 'Zinc' crypto library. But I don't know when Zinc will be merged, so for now, I've continued to base this patchset on the current 'cryptodev'."

Jason A. Donenfeld's Zinc ("Zinc Is Not crypto/") is a front-runner to replace the existing kernel crypto API; it is simpler and lower-level than that API, offering a less terrifying coding experience.

Jason replied to Eric's initial announcement. He was very happy to see such a good disk encryption alternative for low-end hardware, but he asked Eric and Paul to hold off on trying to merge their patches until they could rework them to use the new Zinc security infrastructure. He said, "In fact, if you already want to build it on top of Zinc, I'm happy to work with you on that in a shared repo or similar."

He also suggested that Eric and Paul send their paper through various academic circles to catch any unanticipated problems with their encryption system.

But Paul replied:

Categories: Linux News

January 2019 report: LTS, Mailman 3, Vero 4k, Kubernetes, Undertime, Monkeysign, oh my!

Anarcat - Wed, 02/06/2019 - 10:32

January is often a long month in our northern region. Very cold, lots of snow, which can mean a lot of fun as well. But it's also a great time to cocoon (or maybe hygge?) in front of the computer and do great things. I think the last few weeks were particularly fruitful, which led to this rather lengthy report, which I hope will be nonetheless interesting.

So grab some hot cocoa, a coffee, tea or whatever warm beverage (or cool if you're in the southern hemisphere) and hopefully you'll learn awesome things. I know I did.

Free software volunteer work

As always, the vast majority of my time was actually spent volunteering on various projects, while scrambling near the end of the month to work on paid stuff. For the first time here I mention my Kubernetes work, but I've also worked on the new Mailman 3 packages, my monkeysign and undertime packages (including a new configuration file support for argparse), random Debian work, and Golang packaging. Oh, and I bought a new toy for my home cinema, which I warmly recommend.

Kubernetes research

While I've written multiple articles on Kubernetes for LWN in the past, I am somewhat embarrassed to say that I don't have much experience running Kubernetes itself for real out there. But for a few months, with a group of fellow sysadmins, we've been exploring various container solutions and gravitated naturally towards Kubernetes. In the last month, I particularly worked on deploying a Ceph cluster with Rook, a tool to deploy storage solutions on a Kubernetes cluster (submitting a patch while I was there). Like many things in Kubernetes, Rook is shipped as a Helm chart, more specifically as an "operator", which might be described (if I understand this right) as a container that talks with Kubernetes to orchestrate other containers.

We've similarly worked on containerizing Nextcloud, which proved to be pretty shitty at behaving like a "cloud" application: secrets and dynamic data and configuration are all mixed up in the config directory, which makes it really hard to manage sanely in a container environment. The only way we found it could work was to mount configuration as a volume, which means configuration becomes data and can't be controlled through git. Which is bad. This is also how the proposed Nextcloud Helm chart solves this problem (on which I've provided a review), for what it's worth.

We've also worked on integrating GitLab in our workflow, so that we keep configuration as code and deploy on pushes. While GitLab talks a lot about Kubernetes integration, the actual integration features aren't that great: unless I totally misunderstood how it's supposed to work, it seems you need to provide your own container and run kubectl from it, using the tokens provided by GitLab. And if you want to do anything of significance, you will probably need to give GitLab cluster access to your Kubernetes cluster, which kind of freaks me out considering the number of security issues that keep coming out with GitLab recently.

In general, I must say I was very skeptical of Kubernetes when I first attended those conferences: too much hype, buzzwords and suits. I felt that Google just threw us a toy project to play with while they kept the real stuff to themselves. I don't think that analysis is wrong, but I do think Kubernetes has something to offer, especially for organizations still stuck in the "shared hosting" paradigm where you give users a shell account or (S?!)FTP access and run mod_php on top. Containers at least provide some level of isolation out of the box and make such multi-tenant offerings actually reasonable and much more scalable. With a little work, we've been able to set up a fully redundant and scalable storage cluster and Nextcloud service: doing this from scratch wouldn't be that hard either, but it would have been done only for Nextcloud. The trick is the knowledge and experience we gained by doing this with Nextcloud will be useful for all the other apps we'll be hosting in the future. So I think there's definitely something there.

Debian work

I participated in the Montreal BSP, of which Louis-Philippe Véronneau made a good summary. I also sponsored a few uploads and fixed a few bugs. We didn't fix that many bugs, but I gave two workshops, including my now well-tuned packaging 101 workshop, which seems to be always quite welcome. I really wish I could make a video of that talk, because I think it's useful in going through the essentials of Debian packaging and could use a wider audience. In the meantime, my reference documentation is the best you can get.

I've decided to let bugs-everywhere die in Debian. There's a release critical bug and it seems no one is really using this anymore, at least I'm not. I would probably orphan the package once it gets removed from buster, but I'm not actually the maintainer, just an uploader... A promising alternative to BE seems to be git-bug, with support for synchronization with GitHub issues.

I've otherwise tried to get my figurative "house" of Debian packages in order for the upcoming freeze, which meant new updates for

I've also sponsored the introduction of web-mode (RFS #921130), a nice package to edit HTML in Emacs, and filed the usual barrage of bug reports and patches.

Elegant argparse configfile support and new date parser for undertime

I've issued two new releases for my undertime project which helps users coordinate meetings across timezones. I first started working on improving the date parser which mostly involved finding a new library to handle dates. I started using dateparser which behaves slightly better, and I ended up packaging it for Debian as well although I still have to re-upload undertime to use the new dependency.

That was a first 1.6.0 release, but that wasn't enough - my users wanted a configuration file! I ended up designing a simple, YAML-based configuration file parser that integrates quite well with argparse, after finding too many issues with existing solutions like Configargparse. I summarized those for the certbot project which suffered from similar issues. I'm quite happy with my small, elegant solution for config file support. It is significantly better than the one I used for Monkeysign which was (ab)using the fromfile option of argparse.
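The approach described above, a small configuration-file layer that hands its values to argparse as defaults so that explicit flags still win, can be shown in a few dozen lines. The block below is an added example and is not undertime's code. It reads JSON from the standard library so it runs without PyYAML; replacing json.loads with yaml.safe_load gives the YAML version the post describes. The option names, the sample config and the program name are made up for the demo.

```python
"""Config-file defaults layered under argparse, with CLI flags taking precedence.

Added example of the approach described above; it is not undertime's code.
It reads JSON from the standard library so it runs without PyYAML; replacing
json.loads with yaml.safe_load gives the YAML version. The option names and
the sample config are made up for the demo.
"""
import argparse
import json

# Declared once so the config loader can validate keys against the same list.
OPTIONS = [
    (("--config",), dict(default=None, help="configuration file to read")),
    # nargs="+" rather than action="append": with append, argparse would
    # extend the list supplied by the config file instead of replacing it.
    (("--timezone",), dict(nargs="+", default=None, help="time zones to include")),
    (("--start",), dict(type=int, default=9, help="earliest acceptable hour")),
    (("--end",), dict(type=int, default=17, help="latest acceptable hour")),
]
KNOWN = {flags[0].lstrip("-").replace("-", "_") for flags, _ in OPTIONS}


def build_parser():
    parser = argparse.ArgumentParser(prog="meet")
    for flags, kwargs in OPTIONS:
        parser.add_argument(*flags, **kwargs)
    return parser


def apply_config(parser, config_text):
    """Install config values as argparse defaults; explicit flags still win.

    Keys that are not options are rejected, so a typo in the file fails
    loudly instead of silently doing nothing.
    """
    config = json.loads(config_text)
    unknown = sorted(set(config) - KNOWN)
    if unknown:
        raise ValueError("unknown config keys: " + ", ".join(unknown))
    parser.set_defaults(**config)
    return parser


def parse(argv, read_config=None):
    """Two-pass parse: locate --config first, then parse with its defaults.

    read_config maps a path to file text; it is a parameter so the function
    can be exercised on constructed input (pass lambda p: open(p).read()).
    """
    parser = build_parser()
    pre, _ = parser.parse_known_args(argv)
    if pre.config is not None:
        apply_config(parser, read_config(pre.config))
    return parser.parse_args(argv)


if __name__ == "__main__":
    sample = '{"timezone": ["Europe/Paris", "America/Montreal"], "start": 8}'
    print(parse(["--config", "meet.json", "--start", "10"],
                read_config=lambda path: sample))
```

The precedence that results is the one users expect: built-in default, overridden by the config file, overridden by whatever is typed on the command line. The two-pass trick (parse_known_args to find --config, then a full parse) is what lets the config file be itself a command-line option.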

Mailman 3

Motivated by this post extolling the virtues of good old mailing lists to resist social media hegemony, I did a lot (too much) work on installing Mailman 3 on my own server. I have run Mailman 2 mailing lists for hundreds of clients in my previous job at Koumbit and I have so far used my access there to host a few mailing lists. This time, I wanted to try something new and figured Mailman 3 might have been ready after 4 years since the 3.0 release and almost 10 years since the project started.

How wrong I was! Many things don't work: there is no French translation at all (nor any other translation, for that matter), no invite feature, templates translation is buggy, the Debian backport fails with the MySQL version in stable... it's a mess. The complete history of my failure is better documented in mail.

I worked around many of those issues. I like the fact that I was almost able to replace the missing "invite" feature through the API, and Mailman 3 is much better to look at than the older version. They did fix a lot of things and I absolutely love the web interface which allows users to interact with the mailing list as a forum. But maybe it will take a bit more time before it's ready for my use case.

Right now, I'm hesitant: either I go with a mailing list to connect with friends and family. It works with everyone because everyone uses email, if only for their password resets. The alternative is to use something like a (private?) Discourse instance, which could also double as a comments provider for my blog if I ever decide to switch away from Ikiwiki... Neither seems like a good solution, and both require extra work and maintenance, Discourse particularly so because it is very unlikely it will get shipped as a Debian package.

Vero: my new home cinema box

Speaking of Discourse, the reason I'm thinking about it is I am involved in many online forums running it. It's generally a great experience, although I wish email integration was mandatory - it's great to be able to reply through your email client, and it's not always supported. One of the forums I participate in is the Pixls.us forum where I posted a description of my photography kit, explained different NAS options I'm considering and explained part of my git-annex/darktable workflow.

Another forum I recently started working on is the OSMC.tv forum. I first asked what were the full specifications for their neat little embedded set-top box, the Vero 4k+. I wasn't fully satisfied with the answers (the hardware is not fully open), but I ended up ordering the device and moving the "home cinema services" off of the venerable marcos server, which is going to turn 8 years old this year. This was an elaborate enterprise which involved wiring power outlets (because a ground was faulty), vacuuming the basement (because it was filthy), doing elaborate research on SSHFS setup and performance, dealing with systemd bugs and so on.

In the end it was worth it: my roommates enjoy the new remote control. It's much more intuitive than the previous Bluetooth keyboard, it performs well enough, and is one less thing to overload poor marcos with.

Monkeysign alternatives testing

I already mentioned I was considering Monkeysign retirement and recently a friend asked me to sign his key so I figured it was a great time to test out possible replacements for the project. Turns out things were not as rosy as I thought.

I first tested pius and it didn't behave as well as I hoped. Generally, it asks too many cryptic questions the user shouldn't have to guess the answer to. Specifically, here are the issues I found in my review:

  1. it forces you to specify your signing key, which is error-prone and needlessly difficult for the user

  2. I don't quite understand what the first question means - there's too much to unpack there: is it for inline PGP/MIME? for sending email at all? for sending individual emails? what's going on? and the second questions

  3. the second question should be optional: i already specified my key on the commandline, it should use that as a From...

  4. the signature level is useless and generally disregarded by all software, including OpenPGP. even if it would be used, 0/1/2/3/s/n/h/q is a pretty horrible user interface.

And then it simply fails to send the email completely on dkg's key, but that might be because his key was so exotic...

Gnome-keysign didn't fare much better - I opened six different issues on the promising project:

  1. what does the internet button do?
  2. signing arbitrary keys in GUI
  3. error in french translation
  4. using mutt as a MUA does not work
  5. signing a key on the commandline never completes
  6. flatpak instructions failure

So, surprisingly, Monkeysign might survive a bit longer, as much as I have come to dislike the poor little thing...

Golang packaging

To help a friend getting the new RiseupVPN package in Debian, I uploaded a bunch of Golang dependencies (bug #919936, bug #919938, bug #919941, bug #919944, bug #919945, bug #919946, bug #919947, bug #919948) in Debian. This involved filing many bugs upstream as many of those (often tiny) packages didn't have explicit licences, so many of those couldn't actually be uploaded, but the ITPs are there and hopefully someone will complete that thankless work.

I also tried to package two other useful Golang programs, dmarc-cat and gotop, both of which also required a significant number of dependencies to be packaged (bug #920387, bug #920388, bug #920389, bug #920390, bug #921285, bug #921286, bug #921287, bug #921288). dmarc-cat has just been accepted in Debian - it's very useful to decipher DMARC reports you get when you configure your DNS to receive such reports. This is part of a larger effort to modernize my DNS and mail configuration.

But gotop is just starting - none of the dependencies have been updated just yet, and I'm running out of steam a little, even though that looks like an awesome package.
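What "deciphering" a DMARC report amounts to: the aggregate reports mailed by receivers are XML (RFC 7489), one <record> per source IP, each with the evaluated DKIM and SPF alignment results and a message count. The block below is an added example of reading one and totalling pass/fail by source; it is not dmarc-cat's code. The report is constructed: the reporter, domains, IPs and counts are made up.

```python
"""Summarising a DMARC aggregate report (RFC 7489 XML).

Added example for this item; it is not dmarc-cat's code. The report below
is constructed: reporter, domains, IPs and counts are all made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mail.example.net</org_name>
    <report_id>constructed-1</report_id>
    <date_range><begin>1549411200</begin><end>1549497600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.invalid</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Pull the published policy and one dict per <record> out of a report."""
    root = ET.fromstring(xml_text)
    meta = root.find("report_metadata")
    policy = root.find("policy_published")
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # these two are the *aligned* results, which is what DMARC judges
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return {
        "reporter": meta.findtext("org_name"),
        "domain": policy.findtext("domain"),
        "policy": policy.findtext("p"),
        "rows": rows,
    }


def summarize(report):
    """Totals by outcome; a row passes DMARC if either DKIM or SPF aligned."""
    passed = failed = 0
    failing_sources = []
    for r in report["rows"]:
        if r["dkim"] == "pass" or r["spf"] == "pass":
            passed += r["count"]
        else:
            failed += r["count"]
            failing_sources.append((r["source_ip"], r["count"], r["disposition"]))
    return {"passed": passed, "failed": failed, "failing_sources": failing_sources}


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(report["domain"], "p=" + report["policy"], summarize(report))
```

The failing_sources list is the part worth reading every day: with p=reject published, each entry is either spoofing you (good, it was rejected) or a legitimate sender you forgot to put in SPF or sign with DKIM (bad, it was rejected too).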

Other work
  • I hosed my workstation / laptop backup by trying to be too clever with Borg. It bit back and left me holding the candle, the bastard.

  • Expanded on my disk testing documentation to include better examples of fio as part of my neglected stressant package

GitHub said I "opened 21 issues in 14 other repositories" which seems a tad insane. And there's of course probably more stuff I'm forgetting here.

Debian Long Term Support (LTS)

This is my monthly Debian LTS report.

sbuild regression

My first stop this month was to notice a problem with sbuild from buster running on jessie chroots (bug #920227). After discussions on IRC, where fellow Debian Developers basically fabricated me a patch on the fly, I sent merge request #5 which was promptly accepted and should be part of the next upload.

systemd

I again worked a bit on systemd. I marked CVE-2018-16866 as not affecting jessie, because the vulnerable code was introduced in later versions. I backported fixes for CVE-2018-16864 and CVE-2018-16865 and published the resulting package as DLA-1639-1, after doing some smoke-testing.

I still haven't gotten the courage to dig back in the large backport of tmpfiles.c required to fix CVE-2018-6954.

tiff review

I did a quick review of the fix for CVE-2018-19210 proposed upstream which seems to have brought upstream's attention back to the issue and finally merge the fix.

Enigmail EOL

After reflecting on the issue one last time, I decided to mark Enigmail as EOL in jessie, which involved an upload of debian-security-support to jessie (DLA-1657-1), unstable and a stable-pu.

DLA / website work

I worked again on fixing the LTS workflow with the DLAs on the main website. Reminder: hundreds of DLAs are missing from the website (bug #859122) and we need to figure out a way to automate the import of newer ones (bug #859123).

The details of my work are in this post but basically, I readded a bunch more DLAs to the MR and got some good feedback from the www team (in MR #47). There's still some work to be done on the DLA parser, although I have merged my own improvements (MR #46) as I felt they had been sitting for review long enough.

Next step is to deal with noise like PGP signatures correctly and thoroughly review the proposed changes.

While I was in the webmaster's backyard, I tried to help with a few things by merging a LTS errata and a paypal integration note although the latter ended up being a mistake that was reverted. I also rejected some issues (MR #13, MR #15) during a quick triage.

phpMyAdmin review

After reading this email from Lucas Kanashiro, I reviewed CVE-2018-19968 and reviewed and tested CVE-2018-19970.

Categories: External Blogs

Vivaldi 2.3 Has Arrived, Security Flaw Discovered in LibreOffice and OpenOffice, Firefox 66 to Stop Loud Videos from Playing Automatically, Red Hat CodeReady Workspaces Released and Flowblade 2.0 Is Now Available

Linux Journal - Wed, 02/06/2019 - 09:53

News briefs for February 6, 2019.

Vivaldi's first release of 2019 arrived this morning. Version 2.3 introduces "a unique way to 'auto-stack' tabs that streamline your workflow even more. We've also added new ways to access websites in the Address Field and made overall improvements to navigate and interact with the Web quicker". You can download Vivaldi from here.

Security researchers have discovered a remote code execution vulnerability in LibreOffice on both Linux and Windows, Softpedia News reports. Evidently "the flaw can be exploited with just a malicious ODT document that includes code for running a macro with a mouse-hover action." Patches have been released, so update to the latest versions now (6.0.7 and 6.1.3). OpenOffice is vulnerable to the attack as well—specifically OpenOffice 4.1.6, and according to the Softpedia post, there is no fix yet.
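A macro that fires on mouse-hover has to be wired up through the ODF event-listener mechanism, and that binding is visible in the document's XML before anything is opened. The block below is an added example of scanning for it; it is not code from LibreOffice, OpenOffice or the researchers, and it is a triage aid, not a patch. It assumes the standard ODF structure (an office:event-listeners element holding script:event-listener elements, each with a script:event-name and an xlink:href). The sample document is built in memory and the script URL inside it is a placeholder, not the real payload.

```python
"""Scan an ODF text document for script event listeners (hover-triggered macros).

Added example for this news item; it is not code from LibreOffice, OpenOffice
or the researchers. It relies on the standard ODF event-listener mechanism
(office:event-listeners containing script:event-listener elements, each with
a script:event-name and an xlink:href), which is how a macro gets bound to a
mouse-over. The sample document is constructed in memory; the script URL in
it is a placeholder, not a real payload.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}


def find_event_scripts(odt_bytes):
    """Return (member, event name, href) for every script:event-listener.

    content.xml and styles.xml are the members that carry document elements
    and their event bindings; other zip members are not parsed.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        names = set(zf.namelist())
        for member in ("content.xml", "styles.xml"):
            if member not in names:
                continue
            root = ET.fromstring(zf.read(member))
            for listener in root.iter("{%s}event-listener" % NS["script"]):
                event = listener.get("{%s}event-name" % NS["script"], "")
                href = listener.get("{%s}href" % NS["xlink"], "")
                hits.append((member, event, href))
    return hits


def is_suspicious(hits):
    """Flag listeners that fire on hover, or that point at a script URL at all.

    Ordinary documents rarely need either, so treat both as a reason to
    quarantine the file rather than open it.
    """
    return any("mouseover" in event or href.startswith("vnd.sun.star.script:")
               for _member, event, href in hits)


def build_sample_odt(with_listener):
    """Construct a minimal ODT zip in memory (constructed test data)."""
    listener = ""
    if with_listener:
        listener = (
            '<office:event-listeners>'
            '<script:event-listener script:language="ooo:script" '
            'script:event-name="dom:mouseover" '
            'xlink:href="vnd.sun.star.script:PLACEHOLDER?language=Basic'
            '&amp;location=document"/>'
            '</office:event-listeners>'
        )
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content xmlns:office="%(office)s" '
        'xmlns:script="%(script)s" xmlns:text="%(text)s" xmlns:xlink="%(xlink)s">'
        '<office:body><office:text><text:p>'
        '<text:a xlink:href="https://example.invalid/">%(listener)shover me</text:a>'
        '</text:p></office:text></office:body></office:document-content>'
    ) % dict(NS, listener=listener)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_odt(False)),
                       ("hover-macro", build_sample_odt(True))):
        hits = find_event_scripts(doc)
        print(label, "suspicious" if is_suspicious(hits) else "ok", hits)
```

Run it over a mail gateway's attachment queue and the output is a list of documents to hold back; it does not tell you whether the referenced script is harmful, only that the document will try to run one without a click, which is the behaviour the fix removes.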

Firefox 66 will stop videos containing audio from playing automatically. According to Ars Technica, "by default, any site that tries to play video with audio will have that video playback blocked", and "Firefox users will be able to override this block on a site-by-site basis, so those sites where autoplay is inoffensive can have it re-enabled." Mozilla plans to release Firefox 66 on March 19th.

Red Hat has released Red Hat CodeReady Workspaces, "a Kubernetes-native, browser-based IDE". ZDNet reports that "CodeReady is based on the open-source Eclipse Che IDE. It also includes formerly proprietary features from Red Hat's Codenvy acquisition." In addition, the IDE is optimized for Red Hat OpenShift, and Red Hat claims that "CodeReady Workspaces is the first IDE, which runs inside a Kubernetes cluster."

Flowblade 2.0, the open-source GTK3-based Linux video editor, was released this week. According to Phoronix, version 2.0 comes with "a new custom GTK3 theme and configurable workflow items to better cater to different users, a number of tools from keyframes to cut. Flowblade 2.0 also features better tool-tip coverage, various GUI updates, a transform compositor, and other changes." See the release notes and the GitHub repo for more information.

Categories: Linux News

What Is “Surveillance Capitalism?” And How Did It Hijack the Internet?

Linux Journal - Wed, 02/06/2019 - 09:08
by Augustine Fou

Shoshana Zuboff's new book The Age of Surveillance Capitalism goes into gory details of how companies collect, use, buy and sell your data for profit, often without consent or even the consumer knowing it was happening, until disasters reveal some of the dark underbelly—like the Cambridge Analytica scandal. But, I’m a marketer, so I will focus on the subset of “surveillance marketing”—also known as “digital marketing”—where companies profit off of you, because they are set up to do so. Digital ad-tech companies were built to extract as much value as possible from the trust transaction that used to be the user going to a publisher’s site that carries an advertiser’s ad.

Surveillance Marketing Was Built on the Foundation of Three Myths

Digital marketing as we know it today can be traced all the way back to Chris Anderson’s book The Long Tail, published in 2006. Before that, digital media was primarily purchased from large sites that had large human audiences. The Long Tail promulgated the idea that collectively a large number of small sites could rival the scale of a small number of large sites. This simple premise alone led digital marketing down a dark and dangerous path to the hell we now know is surveillance marketing. But most marketers don’t even know they are in this hell. They were looking for scale in digital—and they got it. They were looking for data in digital—and they got it. And, they were looking for more granular targeting in digital—and they got it. But how?

Herein lies the three myths: 1) the long tail, 2) behavioral targeting and 3) hypertargeting.

The Myth of the Long Tail

Categories: Linux News

Debian build helpers: dh dominates

Anarcat - Tue, 02/05/2019 - 19:54

It's been a while since someone did this. Back in 2009, Joey Hess gave a talk at Debconf 9 about debhelper and mentioned in his slides (PDF) that it was used in most Debian packages. Here was the ratio (page 10):

  • debhelper: 54%
  • cdbs: 25%
  • dh: 9%
  • other: 3%

Then Lucas Nussbaum made graphs from snapshot.debian.org that did the same, but with history. His latest post (archive link, because the original is missing images), from 2015, confirmed Joey's 2009 results. It also showed cdbs slowly declining and a sharp uptick in dh usage (over plain debhelper). Here were the approximate numbers:

  • debhelper: 15%
  • cdbs: 15%
  • dh: 69%
  • other: 1%

I ran the numbers again. Jakub Wilk pointed me to the lintian.debian.org output that can be used to get the current state easily:

    $ curl -so lintian.log.gz https://lintian.debian.org/lintian.log.gz
    $ zgrep debian-build-system lintian.log.gz | awk '{print $NF}' | sort | uniq -c | sort -nr
      25772 dh
       2268 debhelper
       2124 cdbs-with-debhelper.mk
        257 dhmk
        123 other
          8 cdbs-without-debhelper.mk

Shoving this in a LibreOffice spreadsheet (sorry, my R/Python brain is slow today) gave me this nice little graph:

As of today, the numbers are now:

  • debhelper: 7%
  • cdbs: 7%
  • dh: 84%
  • other: 1%

(No the numbers don't add up. Yes it's a rounding error. Blame LibreOffice.)

So while cdbs lost 10% of the packages in 6 years, it lost another half of its share in the last 4. It's also interesting to note that debhelper and cdbs are both shrinking at a similar rate.

This confirms that debhelper development is where everything is happening right now. The new dh(1) sequencer is also a huge improvement that almost everyone has adopted wholeheartedly.

Now of course, that remaining 15% of debhelper/cdbs (or just 7% of cdbs, depending on how pedantic you are) will be the hard part to transition. Notice how the 1% of "other" packages hasn't really moved in the last four years: that's because some packages in Debian are old, abandoned, ignored, complicated, or all of the above. So it will be difficult to convert the remaining packages and finalize this great unification Joey (unknowingly) started ten years ago, as the remaining packages are probably the hard, messy, old ones no one wants to fix because, well, "they're not broken so don't fix it".

Still, it's nice to see us agree on something for a change. I'd be quite curious to see an update of Lucas' historical graphs. It would be particularly useful to see the impact of the old Alioth server replacement with salsa.debian.org, because it runs GitLab and only supports Git. Without an easy-to-use internal hosting service, I doubt SVN, Darcs, Bzr and whatever is left in "other" there will survive very long.

Categories: External Blogs

February 2019 Security Bulletin for Android Released, New Patches Needed for Ubuntu 18.04, EU Recalls ENOX Safe-KID-One Smartwatches Due to Security Flaws, Raspberry Pi to Celebrate Its 7th Birthday with Jams March 2-3 and Some Fresh Snaps

Linux Journal - Tue, 02/05/2019 - 09:38

News briefs for February 5, 2019.

Google yesterday released its February 2019 security bulletin for Android. Source code patches should be released to the Android Open Source Project (AOSP) repository soon. The most severe vulnerability is in the Framework component, which "could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process."

Evidently the patches released for Ubuntu 18.04 last week caused other inadvertent problems, and Canonical has released a new patch to fix those issues. ZDNet quotes the Ubuntu security team: "Unfortunately, that update introduced regressions with docking station displays and mounting ext4 file systems with the meta_bg option enabled." This bug also could affect Kubuntu, Xubuntu, Lubuntu, Linux Mint 19 and Linux Mint 19.1. The new patch replaces linux-image 4.15.0-44.47 with the fixed linux-image 4.15.0-45.48 kernel.

The EU has ordered a recall of ENOX Safe-KID-One smartwatches due to significant security flaws that allow third parties to track and call the watches, ZDNet reports. From the Rapid Alert System for Non-Food Products (RAPEX) alert: "The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data. As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed." In addition, "a malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS."

To celebrate its seventh birthday next month, the Raspberry Pi Foundation is coordinating several "Jams" all over the world: "Whether you're a Raspberry Pi user, club volunteer, avid forum question answerer, regular blog commenter, or brand-new community member, we want you to feel welcome! Look at the map, find a Jam near you, and meet the real-world Raspberry Pi community on 2 or 3 March."

The Ubuntu blog published a list of fresh snaps from January 2019. New snaps include OpenToonz, Eureka DOOM Editor, HexChat, Blender and much more. (All are available from the Snap store.)

Categories: Linux News

Writing Secure Shell Scripts

Linux Journal - Tue, 02/05/2019 - 07:30
by Dave Taylor

Don't expose your system with sloppy scripts!

Although a Linux desktop or server is less susceptible to viruses and malware than a typical Windows device, there isn't a device on the internet that isn't eventually attacked. The culprit might be the stereotypical nerd in a bedroom testing his or her hacker chops (think Matthew Broderick in War Games or Angelina Jolie in Hackers). Then again, it might be an organized military, criminal, terrorist or other funded entity creating massive botnets or stealing millions of credit cards via a dozen redirected attack vectors.

In any case, modern systems face threats that were unimaginable in the early days of UNIX development and even in the first few years of Linux as a hobbyist reimplementation of UNIX. Ah, back in the day, the great worry was about copyrighted code, and so useful tools constantly were being re-implemented from scratch to get away from the AT&T Bell Labs licenses and so forth.

I have personal experience with this too. I rewrote the Hunt the Wumpus game wumpus from scratch for BSD 4.2 when the Berkeley crowd was trying to get away from AT&T UNIX legal hassles. I know, that's not the greatest claim to fame, but I also managed to cobble together a few other utilities in my time too.

Evolution worked backward with the internet, however. In real life, the lawless Wild West was gradually tamed, and law-abiding citizens replaced the outlaws and thugs of the 1850s and the Gold Rush. Online, it seems that there are more, smarter and better organized digital outlaws than ever.

Which is why one of the most important steps in learning how to write shell scripts is to learn how to ensure that your scripts are secure—even if it's just your own home computer and an old PC you've converted into a Linux-based media server with Plex or similar.

Let's have a look at some of the basics.

Know the Utilities You Invoke

Here's a classic trojan horse attack: an attacker drops a script called ls into /tmp, and it simply checks to see the userid that invoked it, then hands off its entire argument sequence to the real /bin/ls. If it recognizes userid = root, it makes a copy of /bin/sh into /tmp with an innocuous name, then changes its permission to setuid root.

This is super easy to write. Here's a version off the top of my head:

    #!/bin/sh
    if [ "$USER" = "root" ] ; then
      /bin/cp /bin/sh /tmp/.secretshell
      /bin/chown root /tmp/.secretshell
      /bin/chmod 4666 root /tmp/.secretshell
    fi
    exec /bin/ls $*

I hope you understand what just happened. This simple little script has created a shell that always grants its user root access to the Linux system. Yikes. Fancier versions would remove themselves once the root shell has been created, leaving no trace of how this transpired.
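As an added example (not code from Dave Taylor's article), here is the defender's side of the same scenario: a POSIX sh script that pins its own PATH before doing anything, flags PATH entries an unprivileged user could plant a look-alike binary in (such as /tmp or a stray empty entry), and resolves the utilities it needs only within that trusted path. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): the defensive counterpart
# to the /tmp trojan above. It audits a PATH value for entries that would let
# an unprivileged user plant a look-alike "ls", and pins the utilities a
# script relies on to one trusted search path instead of the caller's PATH.

# Trusted search path for this script; set before anything else runs so that
# every command below resolves inside these directories only.
SAFE_PATH=/usr/sbin:/usr/bin:/sbin:/bin
PATH=$SAFE_PATH
export PATH

# unsafe_path_entries PATHSTRING
# Prints one line per risky entry: an empty field (which the shell treats as
# the current directory), a relative path, or a directory that group or
# others can write to. Prints nothing when every entry is safe.
unsafe_path_entries() {
    # Split the colon list into lines; a trailing or doubled colon yields an
    # empty line, which is exactly the "current directory" case to catch.
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r _d; do
        case "$_d" in
            "")
                echo "(empty entry, resolves to the current directory)" ;;
            /*)
                if [ -d "$_d" ]; then
                    # The first 10 characters of "ls -ld" are the type and mode
                    # bits (e.g. drwxrwxrwt): position 6 is group-write,
                    # position 9 is other-write.
                    _mode=$(ls -ld "$_d" | cut -c1-10)
                    case "$_mode" in
                        ?????w*|????????w?)
                            echo "$_d (writable by others: $_mode)" ;;
                    esac
                fi ;;
            *)
                echo "$_d (relative entry)" ;;
        esac
    done
}

# pinned_util NAME
# Looks NAME up only inside SAFE_PATH and prints its absolute path, so a
# script can capture it once (LS=$(pinned_util ls)) and never consult the
# caller's PATH. Runs in a subshell so the IFS change does not leak.
# Exit status 1 means the utility is not in the trusted directories.
pinned_util() (
    IFS=:
    for _d in $SAFE_PATH; do
        if [ -f "$_d/$1" ] && [ -x "$_d/$1" ]; then
            printf '%s\n' "$_d/$1"
            exit 0
        fi
    done
    exit 1
)

# Demonstration on a constructed PATH that mirrors the trojan scenario:
# /tmp first, then the system directories, then a stray trailing colon.
demo() {
    echo "Risky PATH entries:"
    unsafe_path_entries "/tmp:/usr/bin:/bin:"
    LS=$(pinned_util ls) || { echo "ls not found in SAFE_PATH" >&2; return 1; }
    echo "ls pinned to $LS"
}

demo
```

On a stock system the demo flags /tmp (world-writable, sticky bit or not) and the empty trailing entry, and reports ls pinned to /bin/ls or /usr/bin/ls depending on whether /bin is merged into /usr.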

Categories: Linux News

ZaReason Debuts New Gamerbox 9400, Google Announces Live Transcribe and Sound Amplifier Android Apps, Microsoft Bringing Xbox Live to Android, Kernel 5.0-rc5 Is Out and Mallard 1.1 Released

Linux Journal - Mon, 02/04/2019 - 09:41

News briefs for February 4, 2019.

ZaReason debuted its new Gamerbox 9400, "the ultimate Linux gaming PC". And, the Gamerbox is just the beginning, ZDNet reports, quoting ZaReason CEO Cathy Malmrose: "Our current team is mostly gamers so, not surprisingly, that is the direction we are going. We have a full line of gaming machines in R&D." The Gamerbox runs Ubuntu 18.04, with a 64-bit Pentium 3.8GHz G5500 Coffee Lake processor and 8GB of DDR4 memory.

Google announced two new audio apps for Android to help people who are deaf or hard of hearing: Live Transcribe and Sound Amplifier. Live Transcribe "takes real-world speech and turns it into real-time captions using just the phone's microphone". Starting today, Live Transcribe will roll out gradually as a limited beta via the Play Store and comes pre-installed on Pixel 3 devices. You can sign up here to be notified when it's more widely available. Sound Amplifier makes audio "more clear and easier to hear. You can use Sound Amplifier on your Android smartphone with wired headphones to filter, augment and amplify the sounds in your environment. It works by increasing quiet sounds, while not over-boosting loud sounds." Sound Amplifier is available now via the Play Store, supports Android 9 Pie or later and comes pre-installed on Pixel 3.

Microsoft is bringing Xbox Live to Android, macOS and Nintendo Switch. According to The Verge, "Some iOS and Android games already have Xbox Live Achievements, but they're only enabled in titles from Microsoft Studios and there's not many of them available right now. Microsoft describes this new push as much bigger. 'Xbox Live is expanding from 400 million gaming devices and a reach to over 68 million active players to over 2 billion devices with the release of our new cross-platform XDK,' says the GDC listing."

Linux kernel 5.0-rc5 is out. Linus writes, "I'm happy to report that things seem to be calming down nicely, and rc5 is noticeably smaller than previous rcs. Let's hope the trend continues."

Mallard 1.1 was released recently. Mallard is a "markup language for dynamic topic-oriented help. It is designed to be as simple as possible, while still providing the features needed for a modern help system. Mallard features a unique reciprocal linking system that helps writers create flexible help frameworks that are easy to extend with new content. Writers can create an outline-like structure, and as they add new help topics, the reciprocal linking mechanism will neatly integrate the new help topics with the existing help topics." To see the list of what's new, go here.

Categories: Linux News

If Software Is Funded from a Public Source, Its Code Should Be Open Source

Linux Journal - Mon, 02/04/2019 - 08:00
by Glyn Moody

If we pay for it, we should be able to use it.

Perhaps because many free software coders have been outsiders and rebels, less attention is paid to the use of open source in government departments than in other contexts. But it's an important battleground, not least because there are special dynamics at play and lots of good reasons to require open-source software. It's unfortunate that the most famous attempt to convert a government IT system from proprietary code to open source—the city of Munich—proved such a difficult experience. Although last year saw a decision to move back to Windows, that seems to be more a failure of IT management, than of the code itself. Moreover, it's worth remembering that the Munich project began back in 2003, when it was a trailblazer. Today, there are dozens of large-scale migrations, as TechRepublic reports:

Most notable is perhaps the French Gendarmerie, the country's police force, which has switched 70,000 PCs to Gendbuntu, a custom version of the Linux-based OS Ubuntu. In the same country 15 French ministries have made the switch to using LibreOffice, as has the Dutch Ministry of Defence, while the Italian Ministry of Defence will switch more than 100,000 desktops from Microsoft Office to LibreOffice by 2020 and 25,000 PCs at hospitals in Copenhagen will move from Office to LibreOffice.

More are coming through all the time. The Municipality of Tirana, the biggest in Albania, has just announced it is moving thousands of desktops to LibreOffice, and nearly 80% of the city of Barcelona's IT investment this year will be in open source.

One factor driving this uptake by innovative government departments is the potential to cut costs by avoiding constant upgrade fees. But it's important not to overstate the "free as in beer" element here. All major software projects have associated costs of implementation and support. Departments choosing free software simply because they believe it will save lots of money in obvious ways are likely to be disappointed, and that will be bad for open source's reputation and future projects.

Arguably as important as any cost savings is the use of open standards. This ensures that there is no lock-in to a proprietary solution, and it makes the long-term access and preservation of files much easier. For governments with a broader responsibility to society than simply saving money, that should be a key consideration, even if it hasn't been in the past.

Categories: Linux News

February 2019, #295: The Security Issue

Linux Journal - Fri, 02/01/2019 - 11:00
by Bryan Lunduke

On January 13th, 2018—at 8:07 am—an emergency alert was issued in Hawaii. The message, in its entirety: "BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL."

Although this message—which showed up on smartphones across the state—was, indeed, not a drill...it also was not a real threat. There was no missile hurtling through the atmosphere towards Hawaii. It turns out someone had simply clicked the wrong option from a very poorly designed user interface and sent out a fake (but very real-looking) emergency alert.

This is officially known as a "whoopsie daisy".

As the story spread around the globe, obviously all the news reports were going to need a picture to run along with it. As luck would have it, the Associated Press had published a picture taken inside the Hawaii Emergency Management Agency—showing computer workstations where they watch for such possible threats. This picture was spread far and wide.

On that picture, people noticed something. Something amusing. Something, for many of us, relatable.

On one of the monitors was a sticky note. With the password written on it.

(There were actually two sticky notes on the monitors in the picture. The second sticky note contained the message "SIGN OUT". Because, you know, security is important.)

While the accidental, non-real emergency alert was not caused by any sort of security breach (sticky-note-based or otherwise), this picture served as a great reminder to the entire world that we probably shouldn't write down our passwords on sticky notes. Not even a government agency tasked with Emergency Management is immune to this sort of weak security.

It reminds me of a scene from the Mel Brooks film Spaceballs. In the film, an advanced security barrier had been constructed around a planet. The dastardly space-villains forced the king of the planet to give up the code that would open that barrier. That code? 12345. Upon learning of the code, one of the characters was shocked. "Remind me to change the code on my luggage."

Any of this sound familiar? Perhaps it's time to get rid of the sticky notes—and the passwords that are no more complex than "password123"—and get yourself a good password manager.

In this issue, Shawn Powers provides a good "Password Manager Roundup", laying out the pros and cons of various options.

Then, while you're in a security frame of mind, familiarize yourself with a good set of guidelines (based on the Linux Foundation's Security Checklist) for how to keep your system secure with Mike McCallister's "Everyday Security Tips".

Following these suggestions will make you far more secure than that Emergency Agency in Hawaii or that planet in Spaceballs, but what if you want to take things a step further? What if you want to dive into the world of encryption and hardware security keys?

Categories: Linux News

Qt 5.12.1 Is Now Available, Tor Browser 8.0.5 and Tails 3.12 Both Released with Important Security Fixes, Virt2real Launches StereoPi and Chrome Update for Android

Linux Journal - Fri, 02/01/2019 - 09:48

News briefs for February 1, 2019.

Qt 5.12.1 was released today, marking the first patch release of the Qt 5.12 LTS series. It contains nearly 300 bug fixes and other improvements. See the Change Files for all the changes. Use the online installer's maintenance tool to make the update, or for new installations, download the latest installer from the Qt Account Portal or the qt.io Download page.

Tor Browser 8.0.5 was released this week. This release includes important security updates to Firefox and also updates Tor to the first stable release in the 0.3.5 series. NoScript and HTTPS Everywhere also were updated to their latest versions. You can view the full changelog here and download from here.

Tails 3.12 was released this week. The release fixes many security vulnerabilities, but the biggest change is to the installation method: "In short, instead of downloading an ISO image (a format originally designed for CDs), you now download Tails as a USB image: an image of the data as it needs to be written to the USB stick." This release also updates Linux to 4.19, the Tor Browser to 8.0.5 and Thunderbird to 60.4.0.

Virt2real has launched a Crowd Supply campaign for its $89 "StereoPi" stereoscopic camera board designed to work with the RPi Compute Module and dual RPi cameras. According to Linux Gizmos, the StereoPi is open-spec and "supports spatial awareness, 3D depth maps, and 3D video livestreaming". In addition, "The StereoPi can capture, save, livestream, and process real-time stereoscopic video and images for robotics, AR/VR, computer vision, drone instrumentation, and panoramic video".

The Chrome team announced an update for Android this week. Chrome 72 (72.0.3626.76) is now available on Google Play, and the release includes several stability and performance improvements. In addition, Softpedia News reports that "To tackle various security and privacy issues that users have reported since previous updates, Google decided to update the built-in Incognito Mode of the Chrome web browser by making the media player controls and notifications incognito as well, which means that they're now invisible to the naked eye." See the Git log for all the changes.

Categories: Linux News

Ubuntu 18.04 Needs Patching, Alpine 3.9 Released, Three New openSUSE Tumbleweed Snapshots, Latest Version of Red Hat Infrastructure Migration Solution Now Available and Electric Cloud Announces ElectricAccelerator 11.0

Linux Journal - Thu, 01/31/2019 - 09:28

News briefs for January 31, 2019.

Ubuntu 18.04 needs to be patched to fix several security bugs. ZDNet reports that Canonical is updating Ubuntu 18.04 to a new kernel, 4.15.0-44.47, which contains 11 security fixes. The most important of these addresses problems with the ext4 filesystem. If you use Ubuntu 18.04, patch your system as soon as possible. See also the Ubuntu security notice for more information and instructions on how to update.

Alpine 3.9 was released this week—the first release of the v3.9 stable series of the "security-oriented, lightweight Linux distribution based on musl libc and busybox". New features include support for armv7, a switch from LibreSSL to OpenSSL and improved GRUB support. Go here to download.

Three new openSUSE Tumbleweed snapshots were released this week that contained new versions of PHP7, poppler, GTK3 and LibreOffice. The first of the snapshots also included all the package upgrades for KDE Applications.

Red Hat this morning announced the latest version of the Red Hat infrastructure migration solution. New capabilities provide "greater customer choice, helping to further reduce infrastructure complexity and facilitating a pathway to open hybrid cloud environments". The two new target platforms are the Red Hat OpenStack Platform and the Red Hat Hyperconverged Infrastructure for Virtualization.

Electric Cloud yesterday announced a new version of its software build and test acceleration platform, ElectricAccelerator 11.0. The press release notes that "the platform now offers new plug-and-play support for Android Open Source Project, accelerated embedded Linux builds based on the Yocto project, and cloud bursting for AWS and Kubernetes help businesses shrink development cycles and improve software quality."

Categories: Linux News

Tamper-Evident Boot with Heads

Linux Journal - Thu, 01/31/2019 - 09:08
by Kyle Rankin

Learn about how the cutting-edge, free software Heads project detects BIOS and kernel tampering, all with keys under your control.

Disclaimer: I work for Purism, and my experience with Heads began as part of supporting it on Purism's hardware. As a technical writer, I personally find ads that mask themselves as articles in technical publications disingenuous, and this article in no way is intended to be an advertisement for my employer. However, in writing this deep dive piece, I found that mentioning Purism was unavoidable in some places without leaving out important information about Heads—in particular, the list of overall supported hardware and an explanation of Heads' HOTP alternative to TOTP authentication, because it requires a specific piece of Purism hardware.

Some of the earliest computer viruses attacked the boot sector—that bit of code at the beginning of the hard drive in the Master Boot Record that allowed you to boot into your operating system. The reasons for this have to do with stealth and persistence. Viruses on the filesystem itself would be erased if users re-installed their operating systems, but if they didn't erase the boot sector as part of the re-install process, boot sector viruses could stick around and re-infect the operating system.

Antivirus software vendors ultimately added the ability to scan the boot sector for known viruses, so the problem was solved, right? Unfortunately, as computers, operating systems and BIOSes became more sophisticated, so did the boot-sector attacks. Modern attacks take over before the OS is launched and infect the OS itself, so when you try to search for the attack through the OS, the OS tells you everything is okay.

That's not to say modern defenses to this type of attack don't exist. Most modern approaches involve proprietary software that locks down the system so that it can boot only code that's signed by a vendor (typically Microsoft, Apple, Google or one of their approved third-party vendors). The downside, besides the proprietary nature of this defense, is that you are beholden to the vendor to bless whatever code you want to run, or else you have to disable this security feature completely (if you can).

Fortunately, an alternative exists that is not only free software, but that also takes a completely different approach to boot security by alerting you to tampering instead of blocking untrusted code. This approach, Heads, can detect tampering not only in the BIOS itself but also in all of your important boot files in the /boot directory, including the kernel, initrd and even your grub config. The result is a trusted boot environment with keys fully under your own control.

In this article, I describe some of the existing boot security approaches in more detail, along with some of their limitations, and then I describe how Heads works, and how to build and install it on your own system.

Categories: Linux News

Is Software As A Service (SaaS) a bad thing?

Linux Journal - Thu, 01/31/2019 - 00:51


Categories: Linux News