LWN.net

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Friday's security updates

Fri, 29/03/2013 - 14:42

CentOS has updated bind (denial of service) and bind97 (denial of service).

Debian has updated rails (multiple vulnerabilities).

openSUSE has updated clamav (security hardening fixes).

Oracle has updated bind (denial of service) and bind97 (denial of service).

Red Hat has updated bind (denial of service) and bind97 (denial of service).

Scientific Linux has updated bind (denial of service) and bind97 (denial of service).

Slackware has updated libssh (denial of service).

Ubuntu has updated bind (denial of service).

PostgreSQL security update coming April 4

Fri, 29/03/2013 - 14:12
The PostgreSQL project has announced an update coming on April 4. "This release will include a fix for a high-exposure security vulnerability. All users are strongly urged to apply the update as soon as it is available." Pre-announcement of security updates is quite rare, as is the associated shutdown of repository updates and distribution of commit messages, so one assumes that it would be a good idea to be ready to apply this update when it arrives.

ZFS on Linux 0.6.1

Fri, 29/03/2013 - 13:51
On behalf of the ZFS-on-Linux project, Brian Behlendorf has announced the availability of version 0.6.1 of this Solaris-derived filesystem. "Over two years of use by real users has convinced us ZoL is ready for wide scale deployment on everything from desktops to super computers." The project's home page offers binary modules for a wide variety of distributions. (See the FAQ for the project's take on licensing issues.)

What is Open Source Cloud? (Linux.com)

Thu, 28/03/2013 - 22:04
Over at Linux.com, Joe "Zonker" Brockmeier, community evangelist for CloudStack at Citrix, tries to disambiguate the term "cloud". He describes the attributes of clouds, using the US National Institute of Standards and Technology (NIST) definition of cloud computing, looks at the various "X as a service" offerings, how it all works, and why it's important to have open clouds. "Having an open cloud matters because we need to be able to continue the work that GNU and Linux folks have been doing for more than twenty years, at scale. It matters because we need the cloud to be bigger than Amazon or proprietary companies – and because users and organizations should have as much control over their computing destiny at scale as they have had on individual servers."

Stable kernels 3.8.5, 3.4.38, and 3.0.71

Thu, 28/03/2013 - 19:41
Greg Kroah-Hartman has announced the release of the 3.8.5, 3.4.38, and 3.0.71 stable kernels. As always, there are lots of important changes throughout the tree.

How crowdfunding and the JOBS Act will shape open source companies (O'Reilly)

Thu, 28/03/2013 - 15:00
This O'Reilly Radar post makes the case that upcoming changes in how shares of companies can be sold in the US will facilitate the creation of a new flood of open-source companies. "Now, open source projects will be able to seek and find crowds of investors from within their own communities. These companies will have both the traditional advantages of proprietary companies (well-capitalized companies recruit armies of competent programmers and sales forces that can survive long sales cycles) and the advantages of the open source development model (open code review and the ability to integrate the insights of outsiders)."

Thursday's security advisories

Thu, 28/03/2013 - 14:49

CentOS has updated pixman (C6: code execution).

Fedora has updated eucalyptus (F18: unauthorized snapshot manipulation).

openSUSE has updated libxml2 (11.4; 12.1, 12.2, 12.3: denial of service), sssd (12.3: access restriction bypass), and clamav (12.1, 12.2, 12.3: multiple hardening changes).

Oracle has updated pixman (OL6: code execution).

Red Hat has updated pixman (RHEL6: code execution).

Scientific Linux has updated pixman (SL6: code execution).

Ubuntu has updated libxml2 (denial of service).

Google: Taking a stand on open source and patents

Thu, 28/03/2013 - 14:35
Google has announced an initiative to help protect open source software from patent claims. "Today, we’re taking another step towards that goal by announcing the Open Patent Non-Assertion (OPN) Pledge: we pledge not to sue any user, distributor or developer of open-source software on specified patents, unless first attacked. We’ve begun by identifying 10 patents relating to MapReduce, a computing model for processing large data sets first developed at Google—open-source versions of which are now widely used. Over time, we intend to expand the set of Google’s patents covered by the pledge to other technologies."

Hands-on with Mozilla’s Web-based “Firefox OS” (ars technica)

Thu, 28/03/2013 - 14:16
Ars technica has a detailed review of a Firefox OS handset. "So Mozilla has succeeded in building an HTML-based platform that allows Mozilla to build apps that 'feel' native. But the much harder task will be to provide third-party developers tools to build apps with the same level of polish and convince them to use them. So far, the Firefox OS app store seems to have few, if any, examples of third-party apps that meet the high bar Mozilla has set for its own apps."

A look at C++14, part 1

Thu, 28/03/2013 - 14:09
The "Meeting C++" blog looks at some proposed changes to the C++ language to be considered in April. "It is proposed to add a library for pipelines to the C++ Standard, that such a pipeline could be implemented in C++ as such: (pipeline::from(input_queue) | bind(grep, "^Error") | bind(vgrep, "test@example.com") | bind(sed, "'s/^Error:.*Message: //") | output_queue).run(&threadpool);"

Red Hat and Rackspace face down a patent troll

Thu, 28/03/2013 - 13:28
Red Hat and Rackspace Hosting have announced that they have won the dismissal of a patent suit by Uniloc USA. Uniloc was asserting patent #5,892,697, which relates to the handling of floating-point numbers. "In dismissing the case, Chief Judge Leonard Davis found that Uniloc's claim was unpatentable under Supreme Court case law that prohibits the patenting of mathematical algorithms. This is the first reported instance in which the Eastern District of Texas has granted an early motion to dismiss finding a patent invalid because it claimed unpatentable subject matter."

Update: see Groklaw for analysis and the text of the decision.

[$] LWN.net Weekly Edition for March 28, 2013

Thu, 28/03/2013 - 01:03
The LWN.net Weekly Edition for March 28, 2013 is available.

GNOME 3.8 released

Wed, 27/03/2013 - 21:19
The GNOME 3.8 release is out. "The exciting new features and improvements in this release include an integrated application search, privacy and sharing settings, notification filtering, a new classic mode, OwnCloud integration, previews of clocks, notes, photos and weather applications, and many more." See the release notes for details.

[$] A kernel change breaks GlusterFS

Wed, 27/03/2013 - 20:33
Linus Torvalds has railed frequently and loudly against kernel developers breaking user space. But that rule is not ironclad; there are exceptions. The story of how a kernel change caused a GlusterFS breakage shows that there are sometimes unfortunate twists to those exceptions.

[$] PyCon: Evangelizing Python

Wed, 27/03/2013 - 16:50

Python core developer Raymond Hettinger's PyCon 2013 keynote had elements of a revival meeting sermon, but it was also meant to spread the "religion" well beyond those inside the meeting tent. Hettinger specifically tasked attendees to use his "What makes Python awesome?" talk as a sales tool with management and other Python skeptics. Subscribers can get the full coverage of the talk from this week's edition at the link below.

Stable kernel 3.2.42

Wed, 27/03/2013 - 16:08
Ben Hutchings has released stable kernel 3.2.42 with important fixes throughout the tree.

Security advisories for Wednesday

Wed, 27/03/2013 - 16:05
CentOS has updated perl (C6; C5: multiple vulnerabilities).

Debian has updated icinga (code execution).

openSUSE has updated pigz (information disclosure).

Oracle has updated perl (OL6; OL5: multiple vulnerabilities).

Red Hat has updated perl (multiple vulnerabilities).

Scientific Linux has updated perl (multiple vulnerabilities).

Garrett: Secure Boot and Restricted Boot

Wed, 27/03/2013 - 14:16
Matthew Garrett asserts that people attacking UEFI secure boot are aiming at the wrong target. "Those who argue against Secure Boot risk depriving us of the freedom to make a personal decision as to who we trust. Those who argue against Secure Boot while ignoring Restricted Boot risk depriving us of even more. The traditional PC market is decreasing in importance. Unless we do anything about it, free software will be limited to a niche group of enthusiasts who've carefully chosen from a small set of devices that respect user freedom. We should have been campaigning against Restricted Boot 10 years ago. Don't delay it even further by fighting against implementations that already respect user freedom."

KASLR: An Exercise in Cargo Cult Security (grsecurity blog)

Wed, 27/03/2013 - 13:50
Over at the grsecurity blog, Brad Spengler and the PaX Team have co-written a lengthy look at kernel address space layout randomization (KASLR) and its failures. "KASLR is an easy to understand metaphor. Even non-technical users can make sense of the concept of a moving target being harder to attack. But in this obsession with an acronym outside of any context and consideration of its limitations, we lose sight of the fact that this moving target only moves once and is pretty easy to spot. We forget that the appeal of ASLR was in its cost/benefit ratio, not because of its high benefit, but because of its low cost."

[$] Multipath TCP: an overview

Tue, 26/03/2013 - 22:36
The world was a simpler place when the TCP/IP network protocol suite was first designed. The net was slow and primitive and it was often a triumph to get a connection to a far-away host at all. The machines at either end of a TCP session normally did not have to concern themselves with how that connection was made; such details were left to routers. As a result, TCP is built around the notion of a (single) connection between two hosts. The Multipath TCP (MPTCP) project looks to change that view of networking by adding support for multiple transport paths to the endpoints; it offers a lot of benefits, but designing a deployable protocol for today's Internet is surprisingly hard.