
August 2018

Limiting Free Licences and New FUD From Veracode/CA

Filed under
OSS
Security
Legal
  • Javascript Tool Maker Relents After Mixing Immigration Politics with Open Source Licensing

    In very short order, Lerna, a company that offers some Javascript tooling, has learned the hard way not to mess with the integrity of an open source license. In other words, don't decide you're going to take an existing OSI-certified open source license, modify it to suit your agenda, license your code under the newly derived license, and still continue to refer to your offering as "open source."

    First, this analysis piece is really just a follow up to my previous post about why it's time to reject the latest attack on open source software (OSS). The main point of that post was to point out that all of us who have experienced the benefits of open source (ok, that's nearly all human beings) should play a role in defending it. Otherwise, it will wither and so too will the benefits most of us have come to enjoy, blind to the fact that open source is playing such an important role in our lives.

  • Does Redis' Commons Clause threaten open-source software?
  • Get a Jump on Reducing Your Open Source Software Security Risks [Ed: Anti-FOSS firm Veracode/CA pays IDG for spam which stigmatises FOSS as lacking security]

Software: gPodder, Puppet Bolt and Last howtos for the Week

Filed under
Software
HowTos
  • gPodder – podcast client written in Python

    gPodder is an open source tool that downloads and manages free audio and video content (“podcasts”) for you. The software is written in Python and sports a simple GTK interface. The software package also includes a command-line interface which is called gpo. It lets you listen to podcasts on your computer or on mobile devices. The software is very mature; it’s been in development since 2005.

  • FOSS Project Spotlight: Run Remote Tasks on Linux and Windows with Puppet Bolt

    Puppet, the company that makes automation software for managing systems and delivering software, has introduced Puppet Bolt, an open-source, agentless multiplatform tool for running commands, scripts, tasks and orchestrated workflows on remote Linux and Windows systems.

    The tool, which is freely available as a Linux package, Ruby gem and macOS or Windows installer, is ideal for sysadmins and others who want to perform a wide range of automation tasks on remote bare-metal servers, VMs or cloud instances without the need for any prerequisites. Puppet Bolt doesn't require any previous Puppet know-how. Nor does it require a Puppet agent or Puppet master. It uses only SSH and WinRM (or can piggyback Puppet transports) to communicate and execute tasks on remote nodes.

    Despite its simplicity, Puppet Bolt can execute all your existing scripts written in Bash, PowerShell, Python or any other language, stop and start Linux or Windows services, gather information about packages and system facts, or deploy procedural orchestrated workflows, otherwise known as plans. You can do all this right from your workstation or laptop.

  • How to install MediaWiki on Ubuntu 18.04 LTS
  • How to Install MyWebSQL 3.7 on CentOS 7
  • Fix GTK File Chooser Cannot Add/Remove Bookmarks
  • Docker Guide: Deploying Ghost Blog with MySQL and Traefik with Docker
  • Move the Ubuntu Launcher to Bottom or Right

Linux Kernel up to 4.15-rc3 Crypto Subsystem memory corruption

Filed under
Linux
Security
  • Linux Kernel up to 4.15-rc3 Crypto Subsystem memory corruption

    The weakness was shared 08/30/2018 as bug report (Bugzilla). The advisory is available at bugzilla.redhat.com. This vulnerability is traded as CVE-2018-14619 since 07/27/2018. Local access is required to approach this attack. A single authentication is needed for exploitation. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment (estimation calculated on 08/31/2018).

  • CVE-2018-14619: New Critical Linux Kernel Vulnerability

    A new Linux kernel vulnerability identified as CVE-2018-14619 has been discovered by Red Hat Engineering researchers Florian Weimer and Ondrej Mosnacek. More particularly, the flaw was found in the crypto subsystem of the Linux kernel.

Security: Alexa Holes, Zemlin on CII, and Apache Struts Patches

Filed under
Security
  • Amazon Alexa Security Risk Allows Hackers to Take Over Voice Commands, Steal Private Information

    The world is changing and in the modern era, we are becoming more reliant on our Internet of Things devices by the day. But this reliance could cost us everything; it could allow someone to steal our identity, bank information, medical history, and what not.

    Amazon Alexa has been criticised for having a number of security flaws but Amazon has been quick to deal with them. However, this new security flaw may not have a fix at all. And this could be the most dangerous security threat yet.

    According to research conducted by the University of Illinois at Urbana-Champaign (UIUC), Amazon Alexa’s idiosyncrasies can be exploited through voice-commands to route users to malicious websites. Hackers are targeting the loopholes in machine learning algorithms to access private information.

  • Researchers show Alexa “skill squatting” could hijack voice commands

    The success of Internet of Things devices such as Amazon's Echo and Google Home have created an opportunity for developers to build voice-activated applications that connect ever deeper—into customers' homes and personal lives. And—according to research by a team from the University of Illinois at Urbana-Champaign (UIUC)—the potential to exploit some of the idiosyncrasies of voice-recognition machine-learning systems for malicious purposes has grown as well.

    Called "skill squatting," the attack method (described in a paper presented at USENIX Security Symposium in Baltimore this month) is currently limited to the Amazon Alexa platform—but it reveals a weakness that other voice platforms will have to resolve as they widen support for third-party applications. Ars met with the UIUC team (which is comprised of Deepak Kumar, Riccardo Paccagnella, Paul Murley, Eric Hennenfent, Joshua Mason, Assistant Professor Adam Bates, and Professor Michael Bailey) at USENIX Security. We talked about their research and the potential for other threats posed by voice-based input to information systems.

  • The Linux Foundation Set to Improve Open-Source Code Security

    CII is now working on further trying to identify which projects matter to the security of the internet as a whole, rather than taking a broader approach of looking at every single open-source project, he said. In his view, by prioritizing the projects that are the most critical to the operation of the internet and modern IT infrastructure, the CII can be more effective in improving security.

    "You'll see in the next three months or so, additional activity coming out of CII," Zemlin said.

    Among the new activities coming from the CII will be additional human resources as well as new funding. The Linux Foundation had raised $5.8 million from contributors to help fund CII efforts, which Zemlin said has now all been spent. Zemlin said that CII's money was used to fund development work for OpenSSL, NTP (Network Time Protocol) and conducting audits.

  • Apache Struts 2.3.25 and 2.5.17 resolve Cryptojacking Exploit Vulnerability

    Information regarding a severe vulnerability found in Apache Struts was revealed last week. A proof of concept of the vulnerability was also published publicly along with the vulnerability’s details. Since then, it seems that malicious attackers have set out to repeatedly exploit the vulnerability to remotely install a cryptocurrency mining software on users’ devices and steal cryptocurrency through the exploit. The vulnerability has been allotted the CVE identification label CVE-2018-11776.

    This behavior was first spotted by the security and data protection IT company, Volexity, and since its discovery, the rate of exploits has been increasing rapidly, drawing attention to the critical severity of the Apache Struts vulnerability. The company released the following statement on the issue: “Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner. The initial observed scanning originated from the Russian and French IP addresses 95.161.225.94 and 167.114.171.27.”

Gnome 3 & best extensions

Filed under
GNOME

There you go. Writing this article got me thinking. Gnome 3 is like Firefox 57. It brought about a radical change, made a lot of what made the original version great redundant, and hid options from users, making customization difficult. Gnome 3 also fights hard against extensions. But these are the bread and butter of what makes it useful, practical and appealing to users. The same is also true of Cinnamon, which has also partially been afflicted the same way. Technically, one may claim that extensions are a poor excuse for bad design, but then, in general, history has shown that they do make products more engaging in the long run. Collective intelligence can be a good thing, especially when harvested for free.

I am still convinced that Gnome 3 is doing it wrong, and that Plasma, Unity or even MATE are much better solutions on all levels. But then, if you do want to use this desktop environment, there are several handy extensions that can truly transform the experience. The must-have set, and then a sweetening of five nice little extras, which help make the desktop more useful and fun. If you have any other suggestions, this is a good time to use your email sending skills. And we're done.


Games: Scarecrow Studio, RAZED, XCOM 2

Filed under
Gaming
  • Colourful comedy adventure '3 Minutes to Midnight' planned to release for Linux

    Scarecrow Studio [Official Site] have officially announced their colourful comedy adventure 3 Minutes to Midnight with a trailer, and it's coming to Linux.

  • RAZED will bring lightning-fast platformer racing to Linux on September 14th

    Soaked in some vibrant colours, lightning-fast platformer RAZED will require a good pair of running shoes when it releases with Linux support on September 14th.

    Developed by Warpfish Games with a sprinkle of publishing from PQube Limited, RAZED is promising an exciting speedrunning experience across the 60 levels included at release. These levels are spread out across six different worlds, each of them having their own unique flavour. Each world will also come with an ability to unlock, along with a boss battle.

  • XCOM 2 to possibly get another expansion with 'TLE'

    There are rumours circling around about XCOM 2 getting a new expansion, and it seems that whatever it turns out to be, Linux support should be there.

A Look At DragonFlyBSD's Kernel Tuning Performance On The AMD Threadripper 2990WX

Filed under
Graphics/Benchmarks
BSD

Last week I posted some initial tests and benchmarks of DragonFlyBSD/FreeBSD on the AMD Threadripper 2990WX. While that went well and the BSDs scale with this 32-core / 64-thread processor better than Windows, lead DragonFly developer Matthew Dillon had picked up a 2990WX system and has been tuning the kernel ever since. Here are some benchmarks looking at some of his recent optimizations.

Hours after that BSD Threadripper testing ended last week, Matthew Dillon landed some more performance tuning/optimizations to benefit the Threadripper 2990WX design. Here are some benchmarks of that original 2990WX support on DragonFlyBSD 5.3-DEVELOPMENT compared to the later daily snapshot.


SharkLinux Distro: Open Source in Action

Filed under
Linux
OSS

Every so often I run into a Linux distribution that reminds me of the power of open source software. SharkLinux is one such distribution. With a single developer creating this project, it attempts to change things up a bit. Some of those changes will be gladly welcomed by new users, while scoffed at by the Linux faithful. In the end, however, thanks to open source software, the developer of SharkLinux has created a distribution exactly how he would want it to be. And that my friends, is one amazing aspect of open source. We get to do it our way.

But what is SharkLinux and what makes it stand out? I could make one statement about SharkLinux and end this now. The developer of SharkLinux reportedly developed the entire distribution using only an Android phone. That, alone, should have you wanting to give SharkLinux a go.


Linux hacker board features new Allwinner SoC with analytics accelerator

Filed under
Linux

The open-spec, camera-oriented "Lindenis V5" SBC runs Linux on a new quad-A7 Allwinner V5 V100 with a visual analytics accelerator, and offers dual MIPI-CSI, GbE, and a 40-pin expansion header.

A Shenzhen, China startup called Lindenis Tech. Ltd., staffed by former Allwinner employees, has launched an open spec, 139 x 85mm single board computer that debuts a 1.5GHz Allwinner camera SoC called the V5 V100. Like the Allwinner A33, H2+, and H3 SoCs, the Allwinner V5 V100 (PDF) runs on 4x Cortex-A7 cores. However, instead of an Arm Mali GPU, there’s a custom VPU, a dual ISP, and an “AIE” acceleration engine for visual analytics, with support for motion detection, perimeter defense, video diagnosis, face detection, flow statistics, and binocular depth maps.


More in Tux Machines

Get More of Everything With the "Get New" Button in KDE Plasma

KDE Plasma is a desktop tweaker's dream come true. You can virtually change every aspect of the desktop, from adding widgets and changing fonts, to trying out over-the-top effects and transformative themes. With most interfaces, you need to know where to look online to find these sorts of tweaks, but KDE spares you the effort. There's a handy little magic button that delivers the goods right to your desktop.

today's leftovers

  • Dave Airlie: crocus misrendering of the week

    The bottom image is crocus vs 965 on top. This only happened on Gen4->5, so Ironlake and GM45 were my test machines. I burned a lot of time trying to work this out. I trimmed the traces down, dumped a stupendous amount of batchbuffers, turned off UBO push constants, dumped all the index and vertex buffers, tried some RGBx changes, but nothing was rushing to hit me, except that the vertex shaders produced were different. However, they were different for many reasons, due to the optimization pipelines the mesa state tracker runs vs the 965 driver. Inputs and UBO loads were in different places so there was a lot of noise in the shaders. I ported the trace to a piglit GL application so I could more easily hack on the shaders and GL; with that I trimmed it down even further (even if I did burn some time on a misplaced */+ typo). Using the ported app, I removed all uniform buffer loads and then split the vertex shader in half (it was quite large, but had two chunks). I finally could then spot the difference in the NIR shaders.

  • X.Org Server Adds "Fake Screen FPS" Option

    The X.Org Server has picked up a new "-fakescreenfps" option to help with VNC and other remote display scenarios. Currently when any main hardware screen is powered off, the X.Org Server initializes the fake screen to a one second update interval. The X.Org Server will keep to that one second update interval for fake screens even if VNC or other remote viewing software is running, until the physical display is powered on.

  • FluBot malware spreads to Australia

    The FluBot strain of Android banking malware, which was initially observed in Spain in late 2020 before spreading more widely across Europe over the following months, is now targeting Australian banks. Once installed, FluBot periodically sends a list of apps installed on the device to one of its command-and-control servers. The server responds with a list of apps the malware should overlay. Upon one of these apps being launched, FluBot immediately displays an overlay on top of the legitimate app. The overlays impersonate the legitimate apps and are designed to collect the victim’s online banking credentials, which are sent to the criminals operating FluBot via the command-and-control server.

  • Bits relating to Alpine security initiatives in July – Ariadne's Space

    Another month has passed, and we’ve gotten a lot of work done. No big announcements to make, but lots of incremental progress, bikeshedding and meetings. We have been laying the ground work for several initiatives in Alpine 3.15, as well as working with other groups to find a path forward on vulnerability information sharing.

  • Linux Plumbers Conference: Android Microconference Accepted into 2021 Linux Plumbers Conference

    We are pleased to announce that the Android Microconference has been accepted into the 2021 Linux Plumbers Conference. The past Android microconferences have been centered around the idea that it was primarily a synchronization point between the Android kernel team and the rest of the community to inform them on what they have been doing. With the help of last year's focus on the Generic Kernel Image[1] (GKI), this year's Android microconference will instead be an opportunity to foster a higher level of collaboration between the Android and Linux kernel communities. Discussions will be centered on the goal of ensuring that both Android and Linux development move in a lockstep fashion going forward.

  • Vaccines + Masks for Safe In-Person Events – Read About All On-Site Safety Protocols [Ed: Linux Foundation discriminates and is not inclusive. "A vaccine verification app will be used to confirm vaccination status" means that Linux Foundation now mandates surveillance devices with back doors for all attendees. This is antithetical to a lot of Free software; they do not accept paper proof. There are commercial interests in the mix]

    The Linux Foundation is ecstatic to return to in-person events next month; we know how important these face-to-face gatherings are to accelerating collaboration and innovation in the open source community. [...] As announced previously, in-person attendees will be required to be fully vaccinated against the COVID-19 virus. A vaccine verification app will be used to confirm vaccination status.

  • Petter Reinholdtsen: Mechanic's words in five languages, English, Norwegian and Northern Sámi editions

    Almost thirty years ago, some forward-looking people interested in metal work and Northern Sámi decided to create a list of words used in Northern Sámi metal work. After almost ten years this resulted in a dictionary database, published as the book "Mekanihkkársánit : Mekanikerord = Mekaanisen alan sanasto = Mechanic's words" in 1999. The story of this work is available from the pen of Svein Lund, one of the leading actors behind this effort. They even got the dictionary approved by the Sámi Parliament of Norway as the recommended metal work words to use. Fast forward twenty years: I came across this work when I recently became interested in metal work, and started watching educational and funny videos on the topic, like the ones from mrpete222 and This Old Tony. They all talk English, but I wanted to know what the tools and techniques they used were called in Norwegian. Trying to track down a good dictionary from English to Norwegian, after much searching, I came across the database of words created almost thirty years ago, with translations into English, Norwegian, Northern Sámi, Swedish and Finnish. This gave me a lot of the Norwegian phrases I had been looking for. To make it easier for the next person trying to track down a good Norwegian dictionary for the metal worker, and because I knew the person behind the database from my Skolelinux / Debian Edu days, I decided to ask if the database could be released to the public without any usage limitations, in other words as a Creative Commons licensed data set. And happily, after consulting with the Sámi Parliament of Norway, the database is now available under the Creative Commons Attribution 4.0 International license from my gitlab repository.

  • Lang team August update

    This week the lang team held its August planning meeting. We normally hold these meetings on the first Wednesday of every month. We had a short meeting this month, just planning and scheduling the design meetings for the remainder of the month. After each meeting, we post an update (like this one!) with notes and meeting announcements.

  • Dirk Eddelbuettel: x13binary 1.1.57-1 on CRAN: New Upstream, New M1 Binary

    Christoph and I are pleased to share that a new release 1.1.57-1 of x13binary, of the X-13ARIMA-SEATS program by the US Census Bureau (with updated upstream release 1.1.57), is now on CRAN. The x13binary package takes the pain out of installing X-13ARIMA-SEATS by making it a fully resolved CRAN dependency. For example, when installing the excellent seasonal package by Christoph, X-13ARIMA-SEATS will get pulled in via the x13binary package and things just work. Just depend on x13binary and on all major OSs supported by R you should have an X-13ARIMA-SEATS binary installed which will be called seamlessly by the higher-level packages such as seasonal or gunsales. With this, the full power of what is likely the world's most sophisticated deseasonalization and forecasting package is now at your fingertips and the R prompt, just like any other of the 17960+ CRAN packages. You can read more about this (and the seasonal package) in the Journal of Statistical Software paper by Christoph and myself. This release brings a new upstream release as well as binaries. We continue to support two Linux flavours (the standard x86_64 as well as armv7l), Windows and, for the first time, two macOS flavours. In addition to the existing Intel binary we now have a native build using the arm64 "M1" chip (with thanks to Kirill for the assist).

  • [LibreOffice] Tender to implement support for editing and creation of a Dynamic Diagram feature (#202108-02)

    The Document Foundation (TDF) is the charitable entity behind the world's leading free/libre open source (FLOSS) office suite LibreOffice. We are looking for an individual or company to implement support for editing and creation of Dynamic Diagrams. The work has to be developed on LibreOffice master, so that it will be released in the next major version. The task is to solve the following problem: our existing "SmartArt" import uses the fallback stream in OOX files (and has some issues). It therefore gives us only the draw shapes that are imported, so we lose the original layout. Additionally, in older file versions we don't have the cached shapes, and therefore can't render anything. The solution we seek, and as such the scope of this tender, is to have a schema-driven diagram layout as a core feature. This should be interoperable with OOX (at least MSO2016) and have suitable extensions for ODF. It should provide layout interoperability, and allow editing of the underlying data, and selection of a schema.

  • Cinelerra Enters Sparky Linux

    Cinelerra is one of the most advanced, open-source non-linear video editors and compositors for Linux. Turn your Linux box into a complete audio and video production environment.

  • The Brains Behind the Books – Part VIII: Julia Faltenbacher

    My name is Julia, I was born in Bremen. This beautiful old Hanseatic city is situated in the north of Germany, close to the North Sea. When I was six years old, my parents and I moved to Rosenheim in Bavaria, which is on the southern end of Germany. Rosenheim is a rather small city, close to the Alps. I consider this my first “experience abroad”, as Bavarian people are very different to the Northern German people. They have a very strong accent and a special dialect. It took me years to understand the Bavarian dialect, and I still can’t talk like them. And still, I am learning new Bavarian words I have never heard before.

IBM/Red Hat/Fedora Leftovers

Linux and Arduino Hardware

  • An open source desk to showcase your projects, complete with swappable panels | Arduino Blog

    Almost every maker has run into the problem of not being able to find a convenient display or power source for their project prototype, leading to minor delays and some frustration. However, YouTuber Another Maker has come up with an open source desk concept that makes finding these things simple. The system he built uses a large grid of swappable panels that can simply slide into place within a wooden frame. Behind these are a few devices for both power and connectivity, such as power strips, an Ethernet switch (with PoE capabilities), and an HDMI switch for changing between a Raspberry Pi and a PC.

  • Tiger Lake-H modules include Nano-ITX-sized COM-HPC Client B model

    Congatec announced “Conga-HPC/cTLH” (COM-HPC Client B) and “Conga-TS570” (Basic Type 6) modules with up to octa-core Tiger Lake-H CPUs. The Conga-HPC/cTLH offers up to 128GB DDR4, optional NVMe, 20x PCIe Gen4, 2x 2.5GbE, 2x USB 4.0, and 8K support.

  • Intel Core i5-1135G7 Tiger Lake mini PC with 12GB RAM sells for $700 and up

    Minisforum TL50 is a mini PC based on the Intel Core i5-1135G7 Tiger Lake quad-core/octa-thread processor that ships with 12GB RAM, and an optional 256GB or 512GB SSD preloaded with Windows 10 Pro. The mini PC also features two 2.5 Gbps Ethernet ports, two 2.5-inch SATA drive bays, one M.2 slot for an NVMe SSD, and supports 8K and 4K monitor setups through HDMI, DisplayPort, and USB-C video outputs. It was announced a few months ago, but it's now available for sale for $699.99 and up on Banggood depending on storage options.