
Feed aggregator

Linus' Behavior and the Kernel Development Community

Linux Journal - Tue, 10/09/2018 - 08:08
by Zack Brown

WARNING: This article contains profanity.

On September 16, 2018, Linus Torvalds released the 4.19-rc4 version of the kernel, and he also announced he was taking a break from Linux development in order to consider his own behavior and to come up with a better approach to kernel development. This was partly inspired by his realization that he wasn't looking forward to the Kernel Summit event, and he said that "it wasn't actually funny or a good sign that I was hoping to just skip the yearly kernel summit entirely."

He also wrote that it was partly inspired when:

...people in our community confronted me about my lifetime of not understanding emotions. My flippant attacks in emails have been both unprofessional and uncalled for. Especially at times when I made it personal. In my quest for a better patch, this made sense to me. I know now this was not OK and I am truly sorry.

So he said, "I am going to take time off and get some assistance on how to understand people's emotions and respond appropriately."

He compared the situation to the kind of "pain points" the Linux kernel project has experienced on a technical level in the past, like moving from tarballs to BitKeeper, and from BitKeeper to git. And he remarked that "We haven't had that kind of pain-point in about a decade. But this week felt like that kind of pain point to me."

He also added, by way of clarification, that "This is not some kind of 'I'm burnt out, I need to just go away' break. I'm not feeling like I don't want to continue maintaining Linux. Quite the reverse. I very much *do* want to continue to do this project that I've been working on for almost three decades."

That was the last post Linus sent to the mailing list, up to the time of this writing. However, he and several other kernel developers signed off on a patch to the kernel tree, incorporating a new code of conduct policy. It's fairly boilerplate—basically, don't be mean, don't discriminate, violations will be investigated, and appropriate measures taken.

It's not a new idea. Long ago, Richard Stallman used to troll the mailing list trying to start an argument about "Linux" vs. "GNU/Linux", until the mailing list maintainers threatened to ban him if he kept it up. They phrased it as a general rule, not unlike a code of conduct.

There's been a wide range of responses to Linus' announcement and to the code of conduct itself. Some felt that Linus' earlier behavior had been community-strengthening, encouraging people to respond as equals and duke it out with Linus on the issues they cared about.

Some felt that Linus was taking a really wonderful step, seeking feedback and reflecting on the issues, and they in turn offered their own insights and assistance.

Categories: Linux News

Linux 4.19-rc7 Released, Calculate Linux Version 18 Announced, Linux Code of Conduct Patches, Emmabuntus Debian Edition 2 1.03 Now Available and Several Improvements to the KDE Software Stack

Linux Journal - Mon, 10/08/2018 - 09:07

News briefs from October 8, 2018.

Linux 4.19-rc7 was released yesterday. Greg KH says it's a bigger release than rc6 was, with networking fixes and lots of driver subsystem fixes. It also looks like there will be an -rc8 next week "just to be sure 4.19 is solid".

Calculate Linux version 18 was announced yesterday. In this version, "Calculate Utilities were ported to Qt5, your network is managed in a different way, and binary packages get checked using their index signature". See the announcement for more details. You can download LiveUSB images here.

The Linux Code of Conduct may see changes with the upcoming 4.19 kernel release, Phoronix reports. James Bottomley submitted a couple fixes over the weekend, and Geert Uytterhoeven submitted a patch as well.

The Emmabuntus Collective yesterday announced the release of Emmabuntus Debian Edition 2 1.03, based on Debian 9.5 and featuring the XFCE desktop environment. This distro was "designed to facilitate the reconditioning of computers donated to humanitarian organizations, starting with the Emmaüs communities (which is where the distribution's name obviously comes from), to promote the discovery of GNU/Linux by beginners, as well as to extend the lifespan of computer hardware in order to reduce the waste induced by the overconsumption of raw materials".

There has been a "veritable flood of improvement throughout KDE's software stack over the past few days", Nate Graham writes in his Adventures in Linux and KDE blog. See the post for details on all the new features, UI improvements and bug fixes.


Now Is the Time to Start Planning for the Post-Android World

Linux Journal - Mon, 10/08/2018 - 06:30
by Glyn Moody

We need a free software mobile operating system. Is it eelo?

Remember Windows? It was an operating system that was quite popular in the old days of computing. However, its global market share has been in decline for some time, and last year, the Age of Windows ended, and the Age of Android began.

Android—and thus Linux—is now everywhere. We take it for granted that Android is used on more than two billion devices, which come in just about every form factor—smartphones, tablets, wearables, Internet of Things, in-car systems and so on. Now, in the Open Source world, we just assume that Android always will hold around 90% of the smartphone sector, whatever the brand name on the device, and that we always will live in an Android world.

Except—we won't. Just as Windows took over from DOS, and Android took over from Windows, something will take over from Android. Some might say "yes, but not yet". While Android goes from strength to strength, and Apple is content to make huge profits from its smaller, tightly controlled market, there's no reason for Android to lose its dominance. After all, there are no obvious challengers and no obvious need for something new.

However, what if the key event in the decline and fall of Android has already taken place, but was something quite different from what we were expecting? Perhaps it won't be a frontal attack by another platform, but more of a subtle fracture deep within the Android ecosystem, caused by some external shock. Something like this, perhaps:

Today, the Commission has decided to fine Google 4.34 billion euros for breaching EU antitrust rules. Google has engaged in illegal practices to cement its dominant market position in internet search. It must put an effective end to this conduct within 90 days or face penalty payments.

What's striking is not so much the monetary aspect, impressive though that is, but the following: "our decision stops Google from controlling which search and browser apps manufacturers can pre-install on Android devices, or which Android operating system they can adopt."


Weekend Reading: Gaming

Linux Journal - Sat, 10/06/2018 - 05:00
by Carlie Fairchild

Games for Linux are booming like never before. The revolution comes courtesy of cross-platform dev tools, passionate programmers and community support. Join us this weekend as we learn about Linux gaming.


Crossing Platforms: a Talk with the Developers Building Games for Linux

In the last five years, the number of mainstream games released for Linux has increased dramatically, with thousands of titles now available. These range from major AAA releases, such as Civilization VI and Deus Ex: Mankind Divided, to breakout indie hits like Night in the Woods. For this article, K.G. Orphanides spoke to different developers and publishers to discover the shape of the Linux games market and find out what's driving its prodigious growth.


Would You Like to Play a Linux Game?

A look at several games native to Linux. There are, of course, tons of games for the Linux platform if you're willing to install Steam. For the sake of this article, however, Marcel Gagne wants to show you some games that are available native to Linux—none of this firing up Java so you can play something on your Ubuntu, or Fedora, or Debian or whatever your personal flavor of Linux happens to be.


Two Portable DIY Retro Gaming Consoles

A look at Adafruit's PiGRRL Zero vs. Hardkernel's ODROID-GO.


Review: Thrones of Britannia

A look at the recent game from the Total War series on the Linux desktop thanks to Steam and Feral Interactive.


Meet TASBot, a Linux-Powered Robot Playing Video Games for Charity

Can a Linux-powered robot play video games faster than you? Only if he takes a hint from piano rolls...and doesn't desync.


Build Your Own Arcade Game Player and Relive the '80s!

In this old but gold Linux Journal article, Shawn Powers describes how to construct a fully functional arcade cabinet. When complete, you'll be able to play all the old coin-op games from your childhood in the coin-free luxury of your living room (or garage—depending on the tolerance of individual spouses).




Qt 5.12 LTS Beta Released, Yabits Now Available, Manjaro-Illyria and New Bladebook Coming Soon, First DNSSEC Rollover Next Week and Secret Text Adventure Game Found on

Linux Journal - Fri, 10/05/2018 - 08:40

News briefs for October 5, 2018.

Qt 5.12 LTS beta was released this morning. Qt 5.12 will be a long-term supported release, and it'll be supported for three years. Improved performance and reduced memory consumption have been a focus for this version, and it also now provides the TableView control. See the Qt 5.12 wiki for an overview of all the new features.

Yabits, a new UEFI Coreboot payload alternative, made its debut last month. According to Phoronix, Yabits "aims to deliver the same UEFI x86_64 booting capabilities as TianoCore but with a much smaller code-base for environments like embedded systems and the cloud". Future plans for Yabits include "ARM support, Secure Boot capabilities, Graphical Output Protocol handling, and the ability to boot Windows".

Manjaro-Illyria 18.0 is coming soon. Appuals reports that eight updates have been released in this past week, including updates to the 4.19-rc6 kernel, NVIDIA 410.57 drivers added, Wine upgraded to 3.17, upstream fixes to Haskell and Python packages, a new "smooth bootup experience", and Deepin and GNOME package updates. In addition, the Manjaro team is also working on the Bladebook Fall 2018, which will run Manjaro KDE 18.0 preinstalled "with the Intel Apollo Lake Quad-Core HD APU, a fanless metal material, and utilize eMMC as its primary storage, although the dev states that additional M2-SSD could be possible." See for more information.

The first DNSSEC root key rollover will happen on October 11, 2018. See the Red Hat Blog post for what you need to know about the rollover.

Users have discovered a secret text adventure game hidden in You need to be using Chrome, Firefox or Edge for it to work. See the story on The Verge for details.


Introducing Genius, the Advanced Scientific Calculator for Linux

Linux Journal - Fri, 10/05/2018 - 06:30
by Joey Bernard

Genius is a calculator program that has both a command-line version and a GNOME GUI version. It should be available in your distribution's package management system. For Debian-based distributions, the GUI version and the command-line version are two separate packages. Assuming that you want to install both, you can do so with the following command:

sudo apt-get install genius gnome-genius

If you use Ubuntu, be aware that the package gnome-genius doesn't appear to be in Bionic. It's in earlier versions (trusty, xenial and artful), and it appears to be in the next version (cosmic). I ran into this problem, and thought I'd mention it to save you some aggravation.

Starting the command-line version provides an interpreter that should be familiar to Python or R users.

Figure 1. When you start Genius, you get the version and some license information, and then you'll see the interpreter prompt.

If you start gnome-genius, you'll see a graphical interface that is likely to be more comfortable to new users. For the rest of this article, I'm using the GUI version in order to demonstrate some of the things you can do with Genius.

Figure 2. The GUI interface provides easy menu access to most of the functionality within Genius.

You can use Genius just as a general-purpose calculator, so you can do things like:

genius> 4+5
= 9

Along with basic math operators, you also can use trigonometric functions. This command gives the sine of 45 degrees:

genius> sin(45)
= 0.850903524534

These types of calculations can be of essentially arbitrary size. You also can use complex numbers out of the box. Many other standard mathematical functions are available as well, including items like logarithms, statistics, combinatorics and even calculus functions.

Along with functions, Genius also provides control structures like conditionals and looping structures. For example, the following code gives you a basic for loop that prints out the sine of the first 90 degrees:

for i = 1 to 90 do (
    x = sin(i);
    print(x)
)

As you can see, the syntax is almost C-like. At first blush, it looks like the semicolon is being used as a line-ending character, but it's actually a command separator. That's why there is a semicolon on the line with the sine function, but there is no semicolon on the line with the print function. This means you could write the for loop as the following:


Fedora 29 GNOME 3.30 Test Day Tomorrow, Kernel Update for Debian GNU/Linux 9 "Stretch", Jigsaw Introduces Intra App to Prevent Censorship, Russian Subway Dogs Now Available for Linux and AT&T Releases Router Specs to the Open Compute Project

Linux Journal - Thu, 10/04/2018 - 08:49

News briefs for October 4, 2018.

Tomorrow, October 5, 2018, is a Fedora 29 GNOME 3.30 Test Day. If you're interested in participating, see the wiki page. All you need is Fedora 29 (which you can grab from the wiki), and the event will be held in #fedora-test-day on Freenode IRC.

Debian released a kernel update for Debian GNU/Linux 9 "Stretch" that addresses several vulnerabilities. If you haven't done so already, update to version 4.9.110-3+deb9u5. See the security announcement for details. (Source: Softpedia News.)

Jigsaw, a cyber unit division owned by Google's parent company Alphabet, recently introduced Intra, a new app with the goal of protecting users from state-sponsored censorship. According to TechCrunch, Intra "aims to prevent DNS manipulation attacks" and that "by passing all your browsing queries and app traffic through an encrypted connection to a trusted Domain Name Server, Intra says it ensures you can use your app without meddling or get to the right site without interference."

The game Russian Subway Dogs, the "systemic arcade game inspired by the real life stray dogs of the Moscow metro", is getting a content update and also is now supported on Linux. It's available now on Steam, and Humble Bundle for $14.99 USD, and you can view the trailer here.

AT&T this week is releasing specifications for a cell site gateway router to the Open Compute Project. According to the press release, this "white box" blueprint will allow any hardware maker to build these routers, which will be installed at tens of thousands of cell towers during the next several years. These routers then will "eventually form the infrastructure that will enable not just phones and tablets to connect to our mobile 5G network, but new technologies like autonomous cars, drones, augmented reality and virtual reality systems, smart factories, and more".


Dealing with printk()

Linux Journal - Thu, 10/04/2018 - 07:00
by Zack Brown

It's odd that printk() would pose so many problems for kernel development, given that it's essentially just a replacement for printf() that doesn't require linking the standard C library into the kernel.

And yet, it's famously a mess, full of edge cases, corner cases, deadlocks, race conditions and a variety of other tough-to-solve problems. The reason for this is, unlike printf(), the printk() system call has to produce reasonable behavior even when the entire system is in the midst of crashing. That's really the whole point—printk() needs to report errors and warnings that can be used to debug whatever strange and unexpected catastrophe has just hit a running system.

Trying to fix all the deadlocks and other problems at the same time would be too large a task for anyone, especially since each one is a special case defined by the particular context in which the printk() call appeared. But, sometimes a bunch of instances in a particular region of code can be addressed all together.

Sergey Senozhatsky recently tried to address some printk() deadlocks, although he acknowledged he wouldn't address any instances that were caused by the printk() code itself triggering a separate recursive printk() call. He wanted to concern himself with non-recursion-based deadlocks only.

Sergey focused on the console code, which was where printk() generally sent its output, and which was one place where printk() could deadlock. He added a very small safeguard to the code, but the result seemed to be that drivers all throughout the kernel would have to be updated to use the new safeguard.

His code was not met with universal acclaim. Alan Cox noticed that Sergey's safeguard added code to the "fast path"—a region of code that needed to be as fast and efficient as possible, because it was run all the time, many times per second. Slowing down the fast path would slow down the whole system. Alan suggested instead of this, it would be better for the kernel simply not to call printk() if the console code would be in a position to deadlock.

Sergey was not in any way satisfied, however. He pointed out that his patch solved real-world problems that users had reported experiencing directly. He didn't see how it would help anything simply to pull out the printk() instances that triggered the problem, especially if those instances were doing important work like reporting on the real reason the system was crashing and so on.

Sergey wanted to keep the printk() instances and implement the safeguards to protect them. However, at this point Linus Torvalds joined the discussion, saying:

The rule is simple: DO NOT DO THAT THEN.

Don't make recursive locks. Don't make random complexity. Just stop doing the thing that hurts.


Episode 1: Digital Privacy

Linux Journal - Wed, 10/03/2018 - 12:08
Reality 2.0 - Episode 1: Digital Privacy

Katherine Druckman talks to Doc Searls about digital privacy, wizards and muggles, and boiled frogs.



Android Security Patch for October, Google Pixel Slate, Skype on Debian Vulnerability, PyTorch Beta 1.0 Released and XCOM 2: War of the Chosen - Tactical Legacy Pack Coming Soon to Linux

Linux Journal - Wed, 10/03/2018 - 08:57

News briefs for October 3, 2018.

Google this week released the Android Security Patch for October 2018. Softpedia News reports that the patch fixes 26 vulnerabilities, the most severe of which could allow remote attackers to execute arbitrary code. See the Android Security Bulletin for more information.

Rumor has it that Google Pixel Slate will be the official name for the first detachable Pixelbook 2-in-1, which may be coming out soon. According to Appuals, a Google Pixel Slate benchmark was leaked recently and Android Police also mentioned in a tweet that "Google Pixel Slate is the name of Google's first Chrome OS tablet." Further details on the tablet are slim.

Skype on Debian is vulnerable to attack. On installation, the package automatically inserts Microsoft's apt repository, which means "after obtaining control of Microsoft's Debian apt repository, an attacker would be able to inject malicious content in various distro packages using the update system, as well as replace legitimate packages with maliciously crafted ones". See the Softpedia News post for more details and steps you can take to protect your computer after installing Skype.

A beta of PyTorch 1.0 has been released. Facebook recently open-sourced the Python-based project, which "provides developers with the power to seamlessly move from research to production in a single framework". ZDNet reports that the project now has many new supporters, and "with deeper cloud service support from Amazon Web Services (AWS), Google Cloud, and Microsoft Azure, and tighter integration with technology providers ARM, Intel, IBM, NVIDIA, and Qualcomm, developers can easily deploy PyTorch's ecosystem of compatible software, hardware, and developer tools."

Feral Interactive is releasing another game for Linux! XCOM 2: War of the Chosen - Tactical Legacy Pack, the expansion for the XCOM 2 award-winning strategy game, will be released for Linux and macOS soon after the Windows release on October 9, 2018. See this video for a gameplay overview.


What's Your System's Uptime?

Linux Journal - Wed, 10/03/2018 - 07:00
by Ricardo Fraile

Keep track of your system's uptime and downtime with the tuptime tool.

Finding your system's uptime is easy if the "beginning" means the last startup; the historical uptime command reports that information. But what happens if by "beginning" you mean the first startup ever of the system? Or the last 365 days? Or the last month?

Is there any way to have an accumulated uptime—or even better, a look at the whole system's life? For example, cars have odometers, and you can see the miles/kilometers since the first day. For computers, a tool was developed exactly for this task: tuptime.

tuptime reports the historical and statistical running and stopped time of your system, keeping track between restarts. Its main goals are:

  • Count system startups.
  • Register the first boot time (since installation).
  • Count intended and accidental shutdowns.
  • Show the uptime and downtime percentage since the first boot time.
  • Show the accumulated system uptime, downtime and total.
  • Show the longest, shortest and average uptime and downtime.
  • Show the current uptime.
  • Print a formatted table or list with most of the previous values.
  • Register used kernels.
  • Create reports since and/or until a given startup or timestamp.
  • Create reports in CSV format.

It works very simply. tuptime relies on the init manager to run it at startup and shutdown, and on a cron task that launches regular executions in the meantime—there isn't any dæmon to worry about. Internally, it looks at the btime value (available in /proc/stat) and the uptime value (from /proc/uptime), and that's basically it.

The installation process is easy in Debian, Ubuntu and derivative distributions, using their respective package managers, and it should be available in all the official repositories. As prerequisites, it needs Python 3 and the SQLite library, which usually are included in core packages by default.

Once it's available on your system, you can get the information. It has three output formats: the default is a summary, and there also are table and list outputs to print the registered behavior.

Figure 1. Example tuptime Execution after Installation

The first execution reports the time since the system was booted, and the lines are self-explanatory (note that the date format is based on the system's locale settings):


Pulseway Announces Release of Pulseway 6.0, Feral Interactive's Life Is Strange 2 Coming to Linux in 2019, Fedora 29 Achieves "Flicker-Free" Boot Experience, Red Hat's Satellite 6.4 Now Available and Stratis 1.0 Is Out

Linux Journal - Tue, 10/02/2018 - 08:42

News briefs for October 2, 2018.

Pulseway recently announced the release of Pulseway 6.0. This new version, known as Pulseway Scale, "empowers IT professionals to remotely monitor and manage IT systems with thousands of endpoints from a smartphone or tablet—anytime, anywhere—and easily take corrective action before clients are impacted". New capabilities include a new organization structure, simplified and faster deployment, seamless collaboration, enhanced agent security, and antivirus and OS patch management. For more info, visit

Feral Interactive's Life Is Strange 2 is coming to Linux and macOS in 2019. This narrative adventure game is the next installment of 2015's BAFTA Award-winning Life Is Strange, originally developed by DONTNOD Entertainment and published by Square Enix on Windows and console. You can view the trailer here.

Fedora 29 has achieved a "flicker-free" boot experience. According to Phoronix, this was accomplished by "preserving the EFI frame-buffer and any initial system PC/motherboard logo all the way until fading to the GDM log-in screen for the desktop. This has required changes so the EFI frame-buffer wouldn't be messed up when the kernel starts, changes to the Plymouth boot handling, hiding the GRUB boot menu, and also making use of the Intel driver's 'fastboot' option that eliminates unnecessary mode-set operations."

Red Hat yesterday announced Satellite 6.4, "the latest version of Red Hat's infrastructure management solution", at AnsibleFest Austin. With this version, Red Hat Satellite will now "be enhanced with a deeper integration with Red Hat Ansible Automation technology for an automation-centric approach to IT management".

Stratis 1.0 was released last week. After two years of development, "Stratis 1.0 has stabilized its on-disk metadata format and command-line interface, and is ready for more widespread testing and evaluation by potential users. Stratis is implemented as a daemon—stratisd—as well as a command-line configuration tool called stratis, and works with Linux kernel versions 4.14 and up".


Shall We Study Amazon's Pricing Together?

Linux Journal - Tue, 10/02/2018 - 06:30
by Doc Searls

Is it possible to figure out how we're being profiled online?

This past July, I spent a quality week getting rained out in a series of brainstorms by alpha data geeks at the Pacific Northwest BI & Analytics Summit in Rogue River, Oregon. Among the many things I failed to understand fully there was how much, or how well, we could know about how the commercial sites and services of the online world deal with us, based on what they gather about us, on the fly or over time, as we interact with them.

The short answer was "not much". But none of the experts I talked to said "Don't bother trying." On the contrary, the consensus was that the sums of data gathered by most companies are (in the words of one expert) "spaghetti balls" that are hard, if not impossible, to unravel completely. More to my mission in life and work, they said it wouldn't hurt to have humans take some interest in the subject.

In fact, that was pretty much why I was invited there, as a Special Guest. My topic was "When customers are in full command of what companies do with their data—and data about them". As it says at that link, "The end of this a new beginning for business, in a world where customers are fully in charge of their lives in the marketplace—both online and off: a world that was implicit in both the peer-to-peer design of the Internet and the nature of public markets in the pre-industrial world."

Obviously, this hasn't happened yet.

This became even more obvious during a break when I drove to our AirBnB nearby. By chance, my rental car radio was tuned to a program called From Scurvy to Surgery: The History Of Randomized Trials. It was an Innovation Hub interview with Andrew Leigh, Ph.D. (@ALeighMP), economist and member of the Australian Parliament, discussing his new book, Randomistas: How Radical Researchers Are Changing Our World (Yale University Press, 2018). At one point, Leigh reported that "One expert says, 'Every pixel on Amazon's home page has had to justify its existence through a randomized trial.'"

I thought, Wow. How much of my own experience of Amazon has been as a randomized test subject? And can I possibly be in anything even remotely close to full charge of my own life inside Amazon's vast silo?


September 2018 report: LTS, Mastodon, Firefox privacy, etc

Anarcat - Mon, 10/01/2018 - 15:28
Debian Long Term Support (LTS)

This is my monthly Debian LTS report.

Python updates

Uploaded DLA-1519-1 and DLA-1520-1 to fix CVE-2018-1000802, CVE-2017-1000158, CVE-2018-1061 and CVE-2018-1060 in Python 2.7 and 3.4. The latter three were originally marked as no-dsa but the fix was trivial to backport. I also found that CVE-2017-1000158 was actually relevant for 3.4 even though it was not marked as such in the tracker.

CVE-2018-1000030 was skipped because the fix was too intrusive and unclear.

Enigmail investigations

Security support for Thunderbird and Firefox versions from jessie has stopped upstream. Considering that the Debian security team bit the bullet and updated those in stretch, the consensus seems to be that the versions in jessie will also be updated, which will break third-party extensions in jessie.

One of the main victims of the XULocalypse is Enigmail, which completely stopped working after the stretch update. I looked at how we could handle this. I first proposed to wait before trying to patch the Enigmail version in jessie since it would break when the Thunderbird updates will land. I then detailed five options for the Enigmail security update:

  1. update GnuPG 2 in jessie-security to work with Enigmail, which could break unrelated things

  2. same as 1, but in jessie-backports-sloppy

  3. package the JavaScript dependencies to ship Enigmail with OpenPGP.js correctly.

  4. remove Enigmail from jessie

  5. backport only some patches to GPG 2 in jessie

I then looked at helping the Enigmail maintainers by reviewing the OpenPGP.js packaging through which I found a bug in the JavaScript packaging toolchain, which diverged into a patch in npm2deb to fix source package detection and an Emacs function to write to multiple files. (!!) That work was not directly useful to Jessie, I must admit, but it did end up clarifying which dependencies were missing for OpenPGP to land, which were clearly out of reach of a LTS update.

Switching gears, I tried to help the maintainer untangle the JavaScript mess between multiple copies of code in TB, FF (with itself), and Enigmail's process handling routines; to call GPG properly with multiple file descriptors for password, clear-text, statusfd, and output; to have Autocrypt be able to handle "Autocrypt Setup Messages" (ASM) properly (bug #908510); to finally make the test suite pass. The alternative here would be to simply rip Autocrypt out of Enigmail for the jessie update, but this would mean diverging significantly from the upstream version.

Reports of Enigmail working with older versions of GPG are deceiving, as that configuration introduces unrelated security issues (T4017 and T4018 in upstream's bugtracker).

So much more work remains on backporting Enigmail, but I might work for the stable/unstable updates to complete before pushing that work further. Instead, I might focus on the Thunderbird and Firefox updates next.


I worked more on the GnuTLS research as a short followup to our previous discussion.

I wrote the researchers who "still stand behind what is written in the paper" and believe the current fix in GnuTLS is incomplete. GnuTLS upstream seems to agree, more or less, but point out that the fix, even if incomplete, greatly reduces the scope of those vulnerabilities and a long-term fix is underway.

Next step, therefore, is deciding if we backport the patches or just upgrade to the latest 3.3.x series, as the ABI/API changes are minor (only additions).

Other work
  • completed the work on gdm3 and git-annex by uploading DLA-1494-1 and DLA-1495-1

  • fixed Debian bug #908062 in devscripts to make dch generate proper version numbers since jessie was released

  • checked with the SpamAssassin maintainer regarding the LTS update and whether we just use 3.4.2 across all suites

  • reviewed and tested Hugo's work on 389-ds. That involved getting familiar with that "other" slapd server (apart from OpenLDAP) which I did not know about.

  • checked that kdepim doesn't load external content so it is not vulnerable to EFAIL by default. The proposed upstream patch changes the API so that work is postponed.

  • triaged the Xen security issues by severity

  • filed bugs about Docker security issues (CVE-2017-14992 and CVE-2018-10892)

Other free software work

I have, this month again, been quite spread out on many unrelated projects unfortunately.


I've played around with the latest attempt from the free software community to come up with a "federation" model to replace Twitter and other social networks, Mastodon. I've had an account for a while but I haven't talked about it much here yet.

My Mastodon account is linked with my Twitter account through some unofficial Twitter cross-posting app which more or less works. Another "app" I use is the toot client to connect my website with Mastodon through feed2exec.

And because all of this social networking stuff is just IRC 2.0, I read it all through my IRC client, thanks to Bitlbee and Mastodon is (thankfully) no exception. Unfortunately, there's a problem in my hosting provider's configuration which has made it impossible to read Mastodon status from Bitlbee for a while. I've created a test profile on the main Mastodon instance to double-check, and indeed, Bitlbee works fine there.

Before I figured that out, I tried upgrading the Bitlbee Mastodon bridge (for which I also filed an RFP) and found a regression has been introduced somewhere after 1.3.1. On the plus side, the feature request I filed to allow for custom visibility statuses from Bitlbee has been accepted, which means it's now possible to send "private" messages from Bitlbee.

Those messages, unfortunately, are not really private: they are visible to all followers, which, in the social networking world, means a lot of people. In my case, I have already accepted over a dozen followers before realizing how that worked, and I do not really know or trust most of those people. I have still 15 pending follow requests which I don't want to approve until there's a better solution, which would probably involve two levels of followship. There's at least one proposal to fix this already.

Another thing I'm concerned about with Mastodon is account migration: what happens if I'm unhappy with my current host? Or if I prefer to host it myself? My online identity is strongly tied with that hostname and there don't seem to be good mechanisms to support moving around Mastodon instances. OpenID had this concept of delegation where the real OpenID provider could be discovered and redirected, keeping a consistent identity. Mastodon's proposed solutions seem to aim at using redirections or at least informing users your account has moved, which isn't as nice, but might be an acceptable long-term compromise.

Finally, it seems that Mastodon will likely end up in the same space as email with regards to abuse: we are already seeing block lists show up to deal with abusive servers, which is horribly reminiscent of the early days of spam fighting, where you could keep such lists (as opposed to Bayesian or machine learning). Fundamentally, I'm worried about the viability of this ecosystem, just like I'm concerned about the amount of fake news, spam, and harassment that takes place on commercial platforms. One theory is that the only way to fix this is to enforce two-way sharing between followers, the approach taken by Manyverse and Scuttlebutt.

Only time will tell, I guess, but Mastodon does look like a promising platform, at least in terms of raw numbers of users...

The ultimate paste bin?

I've started switching towards as a pastebin. Besides the unfortunate cryptic name, it's a great tool: multiple pastes are deduplicated, large pastes are allowed, there is a (limited) server-side viewing mechanism (allowing for some multimedia), etc. The only things missing are "burn after reading" (one-shot links) and client-side encryption yet the latter is planned.

I like the simplistic approach to the API that makes it easy to use from any client. I've submitted the above feature request and a trivial patch so far.

ELPA packaging work

I've done a few reviews and sponsoring of Emacs Lisp Packages ("ELPA") for Debian, mostly for packages I requested myself but which were so nicely made by Nicolas (elpa-markdown-toc, elpa-auto-dictionary). To better figure out which packages are missing, I wrote this script to parse the output from an ELPA and compare it with what is in Debian. This involved digging deep into the API of the Debian archive, which in turn was useful for the JavaScript work previously mentioned. The result is in the Firefox page which lists all the extensions I use and their equivalent in Debian.

I'm not very happy with the script: it's dirty, and I feel dirty. It seems to me this should be done on the fly, through some web service, and should support multiple languages. It seems we are constantly solving this problem for each ecosystem while the issues are similar...

Firefox privacy issues

I went down another rabbit hole after learning about Mozilla's plan to force more or less mandatory telemetry in future versions of Firefox. That got me thinking of how many such sniffers were in Firefox and I was in for a bad surprise. It took about a day to establish a (probably incomplete) list of settings necessary to disable all those trackers in a temporary profile starter, originally designed as a replacement for chromium --temp-profile but which turned out to be a study of Firefox's sins.

There are over a hundred about:config settings that need to be tweaked if someone wants to keep their privacy intact in Firefox. This is especially distressing because Mozilla prides itself on its privacy politics. I've documented this in the Debian wiki as well.

Ideally, there would be a one-shot toggle to disable all those things. Instead, Mozilla is forcing us to play "whack-a-mole" as they pop out another undocumented configuration item with every other release.

Other work
Categories: External Blogs

Linux Journal October 2018: Programming

Linux Journal - Mon, 10/01/2018 - 09:59
by Carlie Fairchild

Welcome to the Programming issue, October 2018, of Linux Journal. This month we highlight programming languages new and old including Go, Rust, Clojure and Bash. Take a look at this month's complete line-up:

Featured articles in this issue include:

  • Understanding Bash: Elements of Programming (this article is available online now as a sneak peek into our October issue)
  • Getting Started with Rust: Working with Files and Doing File I/O
  • Introductory Go Programming Tutorial
  • Creating Linux Command-Line Tools in Clojure

Additional articles:

  • Shall We Study Amazon's Pricing Together?
  • Review: System76 Oryx Pro Laptop
  • 3D-Printed Firearms Are Blowing Up
  • FOSS Project Spotlight: Tutanota, the First Encrypted Email Service with an App on F-Droid
  • Introducing Genius, the Advanced Scientific Calculator for Linux


  • Kyle Rankin's Hack and /: Papa's Got a Brand New NAS: the Software
  • Shawn Powers' The Open-Source Classroom: Have a Plan for Netplan
  • Reuven M. Lerner's At the Forge: Automate Sysadmin Tasks with Python's os.walk Function
  • Dave Taylor's Work the Shell: Normalizing Filenames and Data with Bash
  • Zack Brown's diff -u: What's New in Kernel Development
  • Glyn Moody's Open Sauce: Now Is the Time to Start Planning for the Post-Android World

Subscribers, you can download your October issue now.

Not a subscriber? It’s not too late. Subscribe today and receive instant access to this and ALL back issues since 1994!

Want to buy a single issue? Buy the August magazine or other single back issues in the LJ store.

Categories: Linux News

California Enacts Net Neutrality Law and the Justice Department Immediately Files a Lawsuit, Tim Berners-Lee Announces His New Project Solid, MS-DOS Source Code Now Available on GitHub, Haiku R1/beta1 Released and openSUSE Will Have a Summit at SCaLE

Linux Journal - Mon, 10/01/2018 - 08:25

News briefs for October 1, 2018.

California enacts net neutrality law, and the Justice Department immediately files a lawsuit against California. Attorney General Jeff Sessions stated "Once again the California legislature has enacted an extreme and illegal state law attempting to frustrate federal policy. The Justice Department should not have to spend valuable time and resources to file this suit today, but we have a duty to defend the prerogatives of the federal government and protect our Constitutional order."

Tim Berners-Lee, creator of the world wide web, announces his new project Solid, "an open-source project to restore the power and agency of individuals on the web". He writes "Solid changes the current model where users have to hand over personal data to digital giants in exchange for perceived value. As we've all discovered, this hasn't been in our best interests. Solid is how we evolve the web in order to restore balance—by giving every one of us complete control over data, personal or not, in a revolutionary way."

MS-DOS source code is now available on GitHub. These are the same files that were originally released to the Computer History Museum in 2014. They were "(re)published in this repo to make them easier to find, reference-to in external writing and works, and to allow exploration and experimentation for those interested in early PC Operating Systems".

Haiku R1/beta1 has been released, nearly six years since its last release in November 2012. Because of the long gap between releases, this version has a significant amount of changes, the largest being the addition of a complete package management system. You can download Haiku from here.

openSUSE announces it will have a summit at SCaLE on March 8, 2019 (SCaLE runs March 7–10, 2019). The Call for Papers for the openSUSE Summit closes January 10, 2019. Visit the conference website for more information.

Categories: Linux News

Weekend Reading: Containers

Linux Journal - Sat, 09/29/2018 - 06:37
by Carlie Fairchild

The software enabling this technology comes in many forms, with Docker as the most popular. The recent rise in popularity of container technology within the data center is a direct result of its portability and ability to isolate working environments, thus limiting its impact and overall footprint to the underlying computing system. To understand the technology completely, you first need to understand the many pieces that make it all possible. Join us this weekend as we learn about Containers.

Before we get started, many ask what the difference is between a container and a virtual machine. Editor Petros Koutoupis explains: Both have a specific purpose and place with very little overlap, and one doesn't obsolete the other. A container is meant to be a lightweight environment that you spin up to host one to a few isolated applications at bare-metal performance. You should opt for virtual machines when you want to host an entire operating system or ecosystem or maybe to run applications incompatible with the underlying environment.

Everything You Need to Know about Linux Containers, Part I: Linux Control Groups and Process Isolation

Truth be told, certain software applications in the wild may need to be controlled or limited—at least for the sake of stability and, to some degree, security. Far too often, a bug or just bad code can disrupt an entire machine and potentially cripple an entire ecosystem. Fortunately, a way exists to keep those same applications in check. Control groups (cgroups) is a kernel feature that limits, accounts for and isolates the CPU, memory, disk I/O and network's usage of one or more processes.

Everything You Need to Know about Linux Containers, Part II: Working with Linux Containers (LXC)

Part I of this Deep Dive on containers introduces the idea of kernel control groups, or cgroups, and the way you can isolate, limit and monitor selected userspace applications. Here, I dive a bit deeper and focus on the next step of process isolation—that is, through containers, and more specifically, the Linux Containers (LXC) framework.

Categories: Linux News

Tor Browser for Android (Alpha) Now Available, Feral Interactive Announces Total War: THREE KINGDOMS Coming to Linux Spring 2019, Ubuntu 18.10 Cosmic Cuttlefish Final Beta Released, Four New openSUSE Tumbleweed Snapshots and More

Linux Journal - Fri, 09/28/2018 - 09:52

News briefs for September 28, 2018.

The Tor Browser for Android (alpha) is now available. This mobile browser has the "highest privacy protections ever available and is on par with Tor Browser for desktop". You can download the alpha release from Google Play, or you can get the apk directly from here. You also will need Orbot, which is a proxy application to connect the Tor Browser for Android with the Tor network. (When the stable version is released early next year, you won't need to do this.)

In other Tor news, Tor is looking for a software developer for its anti-censorship team. If you're interested, see the Tor Project page for details and how to apply.

Feral Interactive announced that Total War: THREE KINGDOMS is coming to Linux and macOS in spring of 2019, shortly after the Windows release, which is scheduled for March 7, 2019. The game is the first of the Total War series to be set in ancient China. You can view the trailer here.

Ubuntu 18.10 (Cosmic Cuttlefish) final beta has been released. This release includes images not only for Ubuntu Desktop, Server and Cloud, but also for Kubuntu, Lubuntu, Ubuntu Budgie, UbuntuKylin, Ubuntu MATE, Ubuntu Studio and Xubuntu. To upgrade to Ubuntu 18.10 beta from Ubuntu 18.04, go here. See the release notes for more information.

This week brought four new openSUSE Tumbleweed snapshots that update packages like vim, Xen, Git and ImageMagick.

Sailfish 3 is coming soon. According to the Official Jolla Blog, it will be rolled out next month, with early access releases by the end of October. It will include many new features such as VPN improvements and MDM (Mobile Device Management) functionalities.

Categories: Linux News

Understanding Bash: Elements of Programming

Linux Journal - Fri, 09/28/2018 - 09:22
by Vladimir Likic

Ever wondered why programming in Bash is so difficult? Bash employs the same constructs as traditional programming languages; however, under the hood, the logic is rather different.

The Bourne-Again SHell (Bash) was developed by the Free Software Foundation (FSF) under the GNU Project, which gives it a somewhat special reputation within the Open Source community. Today, Bash is the default user shell on most Linux installations. Although Bash is just one of several well known UNIX shells, its wide distribution with Linux makes it an important tool to know.

The main purpose of a UNIX shell is to allow users to interact effectively with the system through the command line. A common shell action is to invoke an executable, which in turn causes the kernel to create a new running process. Shells have mechanisms to send the output of one program as input into another and facilities to interact with the filesystem. For example, a user can traverse the filesystem or direct the output of a program to a file.

Although Bash is primarily a command interpreter, it's also a programming language. Bash supports variables, functions and has control flow constructs, such as conditional statements and loops. However, all of this comes with some unusual quirks. This is because Bash attempts to fulfill two roles at the same time: to be a command interpreter and a programming language—and there is tension between the two.

All UNIX shells, including Bash, are primarily command interpreters. This trait has a deep history, stretching all the way to the very first shell and the first UNIX system. Over time, UNIX shells acquired the programming capabilities by evolution, and this has led to some unusual solutions for the programming environment. As many people come to Bash already having some background in traditional programming languages, the unusual perspective that Bash takes with programming constructs is a source of much confusion, as evidenced by many questions posted on Bash forums.

In this article, I discuss how programming constructs in Bash differ from traditional programming languages. For a true understanding of Bash, it's useful to understand how UNIX shells evolved, so I first review the relevant history, and then introduce several Bash features. The majority of this article shows how the unusual aspects of Bash programming originate from the need to blend the command interpreter function seamlessly with the capabilities of a programming language.

Categories: Linux News

System76 Launching a New Open-Source Computer, Krita 4.1.3 Released, the Hyperledger Project Gains 14 New Members, Distro Maintainers Need to Merge Kernel Security Fixes Faster and Java 11 Now Available

Linux Journal - Thu, 09/27/2018 - 08:35

News briefs for September 27, 2018.

System76 is launching a new open-source computer, which will be available for pre-order next month. Before announcing the finalized hardware, the company will be releasing a four-part animation each week with "design updates hidden within a game portion of the story". That story will contain "different worlds, each representing an antithesis to open source ideals. These themes are utilized to draw attention to the importance of open source in the evolution of technology". If you're interested, you can sign up here to follow the saga and receive updates leading up to the pre-order.

Krita 4.1.3 was released today. The team reports there are about 100 fixes, so update soon. This version features a new welcome screen, and several improvements, including working with selections and exporting EPUBs, and much more. Also, here's a reminder that Krita's Squash the Bugs fundraiser is still live.

Fourteen new members have joined The Linux Foundation's Hyperledger open-source blockchain project. According to the press release, new members include "BetaBlocks, Blockchain Educators, Cardstack, Constellation Labs, Elemential Labs, FedEx, Honeywell International Inc., KoreConX, Northstar Venture Technologies, Peer Ledger, Syncsort and Wanchain".

Google Project Zero researcher Jann Horn claims that distro maintainers need to merge kernel security fixes quicker. ZDNET quotes Horn regarding Debian and Ubuntu: "Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27. Android only ships security updates once a month."

Java 11 is now available. There are several changes and updates with this release, so see the release notes for all the changes. You can download it from here.

Categories: Linux News