Linux News Today features the latest news from the global Linux community.

The Linux Foundation highlights which tools are most at risk

July 14, 2015

The Linux Foundation's Core Infrastructure Initiative has completed its first-pass survey of the Linux toolset, and is underscoring which OS tools are initially most at risk.

While there's still lots of attention on higher-profile packages like crypto tools, web servers and mail transfer agents, there are also quite a few packages that everyone uses and nobody cares about, such as compression and image libraries, appearing high on the list of security vulnerabilities.

The foundation's Census Project has released the final version of a survey by David Wheeler and Samir Khakimov, titled Open Source Software Projects Needing Security Investments.

While Wheeler and Khakimov write that their work was somewhat constrained by time, and to this date concentrated mainly on tools associated with Debian, it's still worrying.

The list of most exposed packages is drawn from a range of metrics: how much maintenance a package actually receives, how popular it is, and how important it is (that is, can you live without it?).

After their automated assessment of more than 350 projects, the pair then applied human review to identify what they believe to be the projects most exposed to security vulnerabilities in the Linux kernel.

While the list includes more than twenty utilities, some of which are highly exposed to internet risks (mail transfer agents, DHCP, BIND tools, SMTP and so on), the survey is measuring not the “level of bugginess” per se, but rather how much damage a bug could possibly do, and therefore how much TLC a particular tool or project needs to run smoothly.

So while OpenSSL and OpenSSH are rated as critically important, those two projects are already operating under the CII's wing.

But of course, that's not true of tools like the widespread Bzip2 compression tool, which hasn't changed at all in the past five years and doesn't operate a source code repository.

Likewise, reports that BIND 9 has a huge backlog of security issues are equally worrying. Additionally, 'wget' has a fair number of hacks.

And while the vital gzip tool has many contributors, the last formal release was in 2013.

For its part, libexpat1 is also singled out: maintenance was effectively halted in 2012, and its bug reports link produces an error page. And keyutils (used to manage security keys) has no bug tracker at all and no mailing list.

We will keep you posted on these and other Linux and open source news developments.

In other Linux community news

The United States National Security Agency's XKEYSCORE software, revealed by Edward Snowden as capable of sniffing and analysing just about any data from anywhere, runs on Red Hat Enterprise Linux.

This is according to NSA's Glenn Greenwald, who last week wrote that XKEYSCORE “is a piece of Linux software that is typically deployed on Red Hat servers.”

“It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service.”

The NSA is a known contributor to some specific open source projects, although there aren't that many considering the secret nature of the federal agency.

To be sure, the Xen Project admitted as much when it launched its Xen 4.5 solution in 2014. There's no reason it shouldn't also be a user, as it operates under the same constraints as plenty of other organizations that feel that open source solutions best meet their specific needs.

However, news that the NSA uses open source software could dismay those who feel that such efforts promote greater openness, as the NSA promotes rather different values.

On the upside, XKEYSCORE appears to operate at enormous scale, so Linux system admins have proof of concept of open source software's impressive scalability.

Greenwald doesn't say if the NSA uses the free version of MySQL or Oracle's fee-for-licence version, however. We'll keep you posted on these and other developments.

In other Linux and open source news

The new Linux 4.2-rc1 kernel features an incredible one million lines of extra code, and Linus Torvalds rates it the biggest release candidate ever in terms of the volume of new code it contains.

Torvalds, the original Linux creator back in 1991, writes that “if you count the size in pure number of lines changed, this really seems to be the biggest release candidate we've ever had, with over a million lines added, and about a quarter million lines removed.”

Most of those new lines of code come from the new AMD GPU register description header, new code that Torvalds says comprises “41 percent of the entire patch” and has created a “somewhat odd situation where a single driver is about half of the whole rc1 in number of lines.”

Torvalds added that the new 4.2-rc1 kernel knocks off the previous champion, 3.11-rc1, which grew because it added the 'Lustre' filesystem.

Also new to version 4.2 are the Renesas H8/300 architecture, “in a newly cleaned-up form” and “quite a bit of low-level x86 changes-- both source code re-organization for x86 entry code and lots of FPU handling cleanups.”

Torvalds rates the x86 changes as fairly unusual because low-level x86 code is fairly stable and seldom sees those kinds of big changes.

“Outside of the drivers and architectures, there's a fair amount of filesystem elements, including some fundamental changes and cleanups to symlink handling,” Torvalds concludes.

“And all the usual updates to various filesystems, networking, cryptography, tools, testing, you name it,” he added.

In other Linux and open source news

It was long in the tooth, but Linux kernel 3.14.40 LTS has finally arrived, as announced by Greg Kroah-Hartman on the kernel mailing list. The new kernel brings with it a number of important improvements to the ARM and PowerPC architectures, as well as several updated drivers.

According to the attached shortlog, Linux kernel 3.14.40, which is an LTS (Long Term Support) release, brings improvements to many hardware architectures, including ARM, Alpha, AVR32, FRV, CRIS, IA64, M32R, m68k, MicroBlaze, MIPS, mn10300, OpenRISC, PA-RISC, PowerPC, s390, SPARC, Xtensa, and of course, last but not least, the x86 platform.

"I'm announcing the release of the 3.14.40 LTS (long term support) kernel. All users of the 3.14 kernel series must upgrade," says Greg Kroah-Hartman.

The updated 3.14.y git tree can be browsed at the normal site.

The new Linux kernel 3.14.40 LTS also updates various Ethernet drivers, for Broadcom, Intel, Mellanox, Freescale, Emulex and Realtek hardware manufacturers.

Some Acer Bluetooth drivers have been updated as well, along with some networking fixes for both the IPv4 and IPv6 network protocols.

Several file systems received important updates in Linux kernel 3.14.40 LTS. Among these, we can mention Amiga Fast File System (AFFS), autofs4, Ceph, CIFS, Coda (Constant Data Availability), Debugfs, Exportfs, ncpfs, OCFS2, and NFS.

Naturally, many other internal components of the Linux kernel have been improved in this release.

Users of the Linux 3.14 series are urged to upgrade as soon as the new 3.14.40 LTS packages arrive in the official software repositories of their GNU/Linux operating systems.

You can also download Linux kernel 3.14.40 LTS from the website and compile it yourself, if you prefer.

The Debian project is touting new ports for ARM and POWER architectures, a new list of software updates, an upgraded Gnome desktop and improved security in its just-released newest version, Jessie.

But we expect that the switch to systemd as the default init system will divert at least some attention from the new release. Time will tell anyway.

Promising that systemd provides “advanced monitoring, logging, and service management capabilities”, Jessie – the upgrade to Wheezy – still lets old timers' favourites, sysvinit and co-exist with the new init system.

After a brief trial with Xfce, Jessie sees Debian return to the Gnome fold, using version 3.14 of the venerable desktop as its default.

The MATE and Cinnamon desktops are also available, or users can opt for Xfce (version 4.10) if they prefer.

As well as abandoning SSLv3 in Jessie, Debian's system admins have put hardened compiler flags in more packages, and switched the stack protector flag to stack-protector-strong.

There's also a new package, needrestart, to help security along. “If any services running on the system require a restart to take advantage of some changes in the upgraded packages, then it offers to perform these restarts”, the release notes say.

Overall, the Gnome desktop has been made workmate-friendly: if someone leaves music playing when they leave the machine, workmates can press pause without knowing the password.

The new release announcement simply points to upgraded versions of everything from Apache and Asterisk to Tomcat and Xen, adding that a full install includes “43,000 other ready-to-use software packages built from nearly 20,100 source packages.”

As could be expected, all package versions shipping with Jessie are of the latest release.

Additional supporting services include a browsable view of all source code, and a new code search to make browsing less daunting, Debian Code Search (since there's 130 GB of source code, it's no surprise that it uses up 616 pages of results).

Linux OS creator Linus Torvalds has decided it's time for version 4.0 of the Linux kernel. The news didn't come as a surprise to most in the IT community, however.

To be sure, Torvalds has been wondering about Linux kernel release numbering for a while, notably in a Google+ post last week.

He now seems to have taken the plunge in that direction, by declaring that the version of the kernel he's working on is “Linux 4.0-rc1”. In a recent poll, about 56 percent of Linux users said they felt the time is right to go for version 4.0 of the kernel.

Torvalds writes “People preferred 4.0, and 4.0 it shall be. Unless somebody can come up with a good argument against it, that's what it will be.”

Over on Git, Torvalds is even more blasé about the numbering change, offering the following analysis:

“After extensive statistical analysis of my G+ polling, I've come to the inescapable conclusion that internet polls are bad.”

He goes on to deride responses to the poll before saying “But hey, I asked, so I'll honor the votes.”

Torvalds says the new release is small, but the full list of additions to version 4.0 looks pretty substantial: on top of non-disruptive patching, the new version will support IBM's new Z-13 mainframe and Intel's Quark system-on-a-chip, and adds support for the OASIS Virt-IO 1.0 specification and lots of graphics enhancements over and above what would reasonably be expected.

In other Linux and open source news

For the past two to three years, Ubuntu on mobile phones has been an ongoing project for the Ubuntu team and quite an ambitious one at that.

Much like Microsoft and its new One Windows ideology, Team Canonical hatched the scheme for a unified cross-device application ecosystem long ago, but progress has been rather slow in and of itself.

To be sure, Meizu has been a critical part of the new OS development program at Canonical with various demo builds and a rumor of a Ubuntu-powered Meizu mobile handset arriving soon, ever since the MX 3 was the company's flagship offer.

Today, Meizu posted a rather interesting teaser on Facebook. The image of the new smartphone seems to suggest a new OS, which will join the ranks of Flyme and YunOS and probably be unveiled at this year's MWC.

We can instinctively point a finger towards Ubuntu Touch, which we will hopefully see in mass-production devices soon.

This tidbit is further backed up by some rumors of an Ubuntu MX4 hitting the market, possibly in March or April.

The current flagship device has been a long-standing candidate for the Ubuntu experience, but we can definitely expect some surprises here and there.

Last week, Canonical threw a curve ball by announcing that the BQ Aquaris E4.5 will be the pioneer of Ubuntu on a Smartphone.

Keeping that element in mind, it's not certain if the MX-4 or MX-4 Pro version will offer higher-end hardware for the new OS or if Meizu will bring in an entirely new phone to the scene. Time will tell.

At any rate, and no matter how you look at this, the news is exciting. The Ubuntu Touch platform itself is an interesting concept from Canonical.

The main idea behind it is a uniform Linux kernel and a set of base technologies that form a cross-device application platform.

What this implies is an improved level of uniformity and compatibility, allowing users to share pretty much the same set of applications, both on mobile and desktop devices.

To further add to the excitement, Ubuntu Touch also promises a full desktop experience and perhaps even in the near future, a full desktop Ubuntu session running straight from the phone or tablet once hooked up to a larger screen.

The latter, also known as "Full Desktop Convergence" is kind of experimental at this time, so it might be a little while until we are actually able to dock our phones and use them as an everyday work PC replacement for example.

There are also some hardware requirements for the feature to work correctly, but they are definitely not out of reach for current generation mobile devices so let's hope we finally see a full-featured Ubuntu experience on a Meizu device soon.

It's now confirmed that version 3.19 of the Linux kernel has been released today by Linux OS inventor Linus Torvalds. News of the release emerged in a typically economical Sunday evening post to the Linux Kernel Mailing List, in which Torvalds noted that there are still a couple of bugs in the release but they were pretty obscure, so “while I was tempted a couple of times to do an rc8, there really wasn't any reason for it,” he was quoted as saying.

New in this release is improved support for Intel and AMD graphics, plus support for LZ4 compression in SquashFS, which should make for better Linux performance on Live CDs. (Do people still run Linux off of live CDs?)

Owners of Lenovo, Dell, Acer and Toshiba hardware will now find Linux plays better with some of their unique hardware features, especially keyboard backlights. And there have been a few more changes.

For example, the KVM Hypervisor has dropped support for the IA-64 chip, a milestone in that architecture's demise.

To be sure, Torvalds' post says that the next version of the Linux kernel will be known as 3.20. That's not something he was keen on saying in late 2013, when he said “I would actually prefer to not go into the twenties, so I can see it happening in a year or so, and we'll have 4.0 follow 3.19 or something like that.”

Torvalds' musings at the time imagined release 4.0 might be dedicated to “just stability and bug-fixes”. Little or nothing's been heard of that idea in the months since, so release 3.20 looks like more of the same.

Source: The Linux Foundation
