Endless OS and Asus, Update on L1TF Exploit, Free Red Hat DevConf.US in Boston, Linux 4.19 Kernel Update

Some of us may recall a time when ASUS used to ship a stripped down version of Xandros Linux with their line of Eee PC netbooks. Last week, the same company announced that Endless OS will be supporting non-OS offerings of their product. However, it comes with a big disclaimer stating that ASUS will not officially support the operating system's compatibility issues.

The latest update on the L1TF exploit: the 4.18, 4.17, 4.14, 4.9 and 4.4 Linux kernels have all been updated to mitigate the vulnerability.

From today to Sunday, August 19, Red Hat is hosting their first free and annual DevConf.US developer summit in Boston. If you are interested in attending or wish to learn more, details can be found here.

Many updates and features are finding their way into the Linux 4.19 kernel; features that include better CPU power management. Also included are NVM block device, file system, video code enhancements and more.


The Chromebook Grows Up


Android apps meet the desktop in the Chromebook.

What started out as a project to provide a cheap, functional, secure and fast laptop experience has become so much more. Chromebooks in general have suffered from a lack of street-cred acceptance. Yes, they did a great job of doing the everyday basics—web browsing and...well, that was about it. Today, with the integration of Android apps, all new and recently built Chrome OS devices do much more offline—nearly as much as a conventional laptop or desktop, be it video editing, photo editing or a way to switch to a Linux desktop for developers or those who just like to do that sort of thing.

Figure 1. Pixelbook in the Dark

Before I go further, let me briefly describe the Linux road I've traveled, driven by my curiosity to learn and see for myself how much could be done in an Open Source world. I've used Linux and have been a Linux enthusiast ever since I first loaded SUSE in 2003. About three years later, I switched to Ubuntu, then Xubuntu, then Lubuntu, then back to Ubuntu (I actually liked Unity, even though I was fine with GNOME too). I have dual-booted Linux on several Gateway desktops and Dell laptops, with Windows on the other partition. I also have owned a Zareason laptop and most recently, a System 76 laptop—both exclusively Ubuntu, and both very sound, well-built laptops.

Then, since I was due for a new laptop, I decided to try a Chromebook, now that Android apps would greatly increase the chances of having a good experience, and I was right. Chrome OS is wicked fast, and it's never crashed in my first six months of using it. I mention this only to provide some background as to why I think Chrome OS is, in my opinion, the Linux desktop for the masses that's been predicted for as long as I've used Linux. Granted, it has a huge corporate behemoth in the form of Google behind it, but that's also why it has advanced in public acceptance as far as it has. This article's main purpose is to report on how far it has come along and what to expect in the future—it's a bright one!

Chromebooks now have access to Microsoft Office tools, which is a must for those whose employers run only MS Office products. Although Google Docs does a good job with basic document creation and conversion, and although you can create a slide presentation with it, it won't do things like watch or create a PowerPoint presentation. That's where the Microsoft PowerPoint Android app comes in handy. If you need to watch one, simply download the PowerPoint file and open it with PowerPoint (you can do this without paying for Microsoft Office). However, if you want to create or edit one, you'll have to pay for a yearly subscription or use your company's subscription.

Valve Working to Make Windows Games Run in Linux, Intel Vulnerability Being Patched, CentOS 7.5 Available, GNOME 3.29.91 Released

 

Happy belated 21st birthday to GNOME! The project celebrated this milestone by releasing version 3.29.91.

Good news to all the gamers out there: Valve is working on a set of compatibility tools to allow Windows-developed games to run on Linux. More can be read here.

In recent security-related news, a new Intel-focused vulnerability affecting Linux, the L1TF or "Foreshadow", is being patched by all the major distributions. Details about these exploits can be found here.

A bit of advice to our travelers with laptops: you should limit or refrain from placing stickers on your devices. It may be a great way to express oneself, but anything from political to recreational or business-related content can be used against you (or possibly get you detained) when attempting to cross international borders.

In other news, the CentOS project just announced the availability of version 7.5 for the IBM Power9 architecture.

FOSS Project Spotlight: SIT (Serverless Information Tracker)


In the past decade or so, we've learned to equate the ability to collaborate with the need to be online. The advent of SaaS clearly marked the departure from a decentralized collaboration model to a heavily centralized one. While on the surface this is a very convenient delivery model, it simply doesn't fit a number of scenarios well.

As somebody once said, "you can't FTP to Mars", but we don't need to go as far. There are plenty of use cases here on Earth that are less than perfectly suited for this "online world". Lower power chips and sensors, vessel/offshore collaboration, disaster recovery, remote areas, sporadically reshaping groups—all these make use of central online services a challenge.

Another challenge with centralization is somewhat less thought of—building software that can handle a lot of concurrent users and that stores and processes a lot of information and never goes down is challenging and expensive, and we, as consumers, pay dearly for that effort.

And not least important, software in the cloud removes our ability to adapt it perfectly for use cases beyond its owner's vision, scope and profitability considerations. Convenience isn't free, and this goes way beyond the price tag.

SIT is a free, open-source project that addresses these and other concerns in software that enables us to collaborate. It allows sporadically connected parties to continue collaborating seamlessly, over just about any digital transport (ranging from a P2P network to a USB drive). At its core, it's a very small tool that records every change as an immutable, additive-only set of files and allows this information to be displayed and operated on in a familiar way, through browser-based applications or the command line.

Figure 1. SIT Issue Tracker

Although its foundation is rather generic, its first real application is in issue tracking, and it enables a lot of scenarios that were previously rather difficult to achieve. For example, if a SIT repository is committed to a project repository, this allows you to see a snapshot of all issues for any revision, making it much easier to maintain separate versions or trace changes. Another interesting feature is its merge request functionality, where a patch, by its nature, can contain file changes that affect a project's issues, giving enormous flexibility in managing dependent issues (say you developed a feature and want to attach a "to-do" list to it as a part of the patch, so those new issues will appear only once the patch has been merged—with SIT this is a rather trivial task).

New Intel Chip Exploits Discovered, Instagram Accounts Attacked, Nativ Vita Hi-Res Music Server Has New Features, QEMU 3.0 Now Available and the Debian GNU/Linux Project Turns 25 Tomorrow

News briefs for August 15, 2018.

Three new Meltdown/Spectre-type Intel chip exploits have been discovered that affect Intel's desktop, workstation and server CPUs, and they are especially problematic for containers. ItProToday reports that "The latest exploits might prove to be particularly troublesome for those using containers since each container runs on its own implementation of Linux, which likely means each and every container will need to be patched. According to Red Hat, 'every Linux and Kubernetes distribution is impacted. All organizations deploying containers should consult their Linux/Kubernetes/containers provider.'" See also the Red Hat blog for more information.

Instagram accounts are being attacked—even those using 2FA. Mashable reports that users are being locked out of their accounts, their profile avatars are being changed and bios deleted. Restoring account access is evidently quite difficult.

The open platform Nativ Vita Hi-Res Music Server has been updated, adding serious new functionality, such as multi-room streaming, support of up to 10TB, playing music from a NAS or computer and CD ripping.

QEMU 3.0 is now available. Phoronix reports that this big feature release brings new functionality and several improvements including "Spectre V4 mitigation for x86 Intel/AMD, improved support for nested KVM guests on Microsoft Hyper-V, block device support for active mirroring, improved support for AHCI and SCSI emulation, OpenGL ES support within the SDL front-end, improved latency for user-mode networking, various ARM improvements, some POWER9 / RISC-V / s390 improvements too, and various other new bits." See the QEMU ChangeLog for details.

The Debian GNU/Linux project turns 25 tomorrow. Source: ITWire.

Shuffling Letters and Words

You can shuffle your feet and you can shuffle cards, but can you shuffle characters? Dave's latest column explores the possibilities.

My last few articles have described building a pretty sophisticated password generator, except for one thing: I never quite got to the point of scrambling the end result to add a second level of randomness. I sidestepped the issue by saying it was an exercise for the reader, but in fact, it's a pretty interesting problem, so let's look at it here.

You can reverse a word with the handy Linux command rev, like so:


$ echo "hello from the other side" | rev
edis rehto eht morf olleh

You also can reverse lines in a file so that the last line is shown first, penultimate line second, and so on:


$ cat -n test.me | sort -rn | cut -f2-
entering along with him.
enough to prevent a swirl of gritty dust from
glass doors of Victory Mansions, though not quickly
escape the vile wind, slipped quickly through the
chin nuzzled into his breast in an effort to
clocks were striking thirteen. Winston Smith, his
It was a bright cold day in April, and the

You recognize that opening paragraph even though it's backwards, right? "Clocks were striking thirteen" can only be George Orwell's cautionary tale 1984.

Note: there's a Linux command called tac that offers a reverse cat, which would do the job too, but I've always loved sort -rn as a command, so I wanted to demonstrate how to use it in a pipeline to accomplish the same result.

How about getting the lines of this file, but in completely random order? There's a command for that—at least in Linux: shuf. It's not available on the Mac OS X command line, however, so if you're playing along at home with your Mac system, well, you've just hit a road block. Sorry about that. I offer an alternative at the end of this article though, so don't despair!

If you're on a Linux system (and this is Linux Journal after all), then check this out:


$ cat test.me | shuf
clocks were striking thirteen. Winston Smith, his
entering along with him.
glass doors of Victory Mansions, though not quickly
escape the vile wind, slipped quickly through the
enough to prevent a swirl of gritty dust from
chin nuzzled into his breast in an effort to
It was a bright cold day in April, and the

So those commands are all ready to go, but how about scrambling letters in a line? That can be done with the shuf command as demonstrated previously, but individual lines aren't quite ready for the shuf treatment.

You can break up words by using the under-appreciated fold command, like this:

FOSS Alternatives to Popular Proprietary Software


A list of FOSS alternatives to popular proprietary software was compiled into an infographic by anonymiss@despora.de. We've contributed by making a text list of the infographic. Now it's your turn: tell us what FOSS alternatives you recommend in each category, and we'll add them to this master list.

Google

YouTube

Google Maps

Gmail

Google Play

Facebook

Instagram

WhatsApp

Twitter

Encyclopedia Britannica

Microsoft Windows or Apple Mac

Internet Explorer

Microsoft Office

Adobe Photoshop

Adobe InDesign

 

Dropbox Ending Sync Support for Uncommon Filesystems, Google Tracks Your Location, NVIDIA Unveils Its First Turing Architecture-Based GPUs, Blackmagic Design Announces DaVinci Resolve 15 and Virtlyst 1.2.0 Released

News briefs for August 14, 2018.

Dropbox recently announced in its forum that it will be supporting only the ext4 filesystem for Linux starting in November. Here's the post: "Hi everyone, on Nov. 7, 2018, we're ending support for Dropbox syncing to drives with certain uncommon file systems. The supported file systems are NTFS for Windows, HFS+ or APFS for Mac, and Ext4 for Linux." (Source: It's FOSS.)

The AP reports that Google tracks your location history, even if you turn "Location History" off. On both Android devices and iPhones, Google stores "your location data even if you've used a privacy setting that says it will prevent Google from doing so. Computer-science researchers at Princeton confirmed these findings at the AP's request." This Wired post describes how you actually can disable location tracking.

NVIDIA unveiled its first Turing architecture-based GPUs yesterday at SIGGRAPH. The press release claims the Quadro RTX, "the world's first ray-tracing GPU" will revolutionize "the work of 50 million designers and artists by enabling them to render photorealistic scenes in real time, add new AI-based capabilities to their workflows, and enjoy fluid interactivity with complex models and scenes."

Blackmagic Design yesterday announced the release of DaVinci Resolve 15. You can download this "professional editing, visual effects, motion graphics, color correction and audio post production software" for free from the Blackmagic Design site. This release is "a massive update that fully integrates visual effects and motion graphics, making it the world's first solution to combine professional offline and online editing, color correction, audio post production, multi user collaboration and now visual effects together in one software tool".

Virtlyst 1.2.0, a web interface for managing virtual machines built with Cutelyst/Qt/C++, was released yesterday. According to Dantti's Blog, this update includes several bug fixes, including "the ability to warn users before doing important actions to help avoid making mistakes". You can download it from GitHub.

Git Quick Start Guide

Ditch USBs and start using real version control, and if you follow this guide, you can start using git in 30 minutes!

If you have any experience with programming or just altering config files, I'm sure you've been dumbstruck by how one change you've made along the line affects the whole project. Identifying and isolating the problem without a version control system is often time- and energy-intensive, involving retracing your steps and checking all changes made before the unwanted behavior first occurred. A version control system is designed explicitly to make that process easier and provide readable comparisons between versions of text.

Another great feature that distributed version control systems such as git provide is the power of lateral movement. Traditionally, a team of programmers would implement features linearly. This meant pulling the code from the trusted source (server) and developing a section before pushing the altered version back upstream to the server. With distributed systems, every computer maintains a full repository, which means each programmer has a full history of additions, deletions and contributors as well as the ability to roll back to a previous version or break away from the trusted repository and fork the development tree (which I discuss later).

Quick Start Guide

The great thing about git is there's so little you need to know! Without further ado, let's begin with the most important commands.

First, I'm working with a previous project of mine located here:


[user@lj src]$ pwd
/home/lj/projects/java/spaceInvaders/src

To create a local repository, simply run:


[user@lj src]$ git init
Initialized empty Git repository in /home/lj/projects/java/spaceInvaders/src/.git/

To add all source files recursively to git's index, run:


[user@lj src]$ git add .

To commit these indexed files to the local repository, run:


[user@lj src]$ git commit

You'll see a screen containing information about the commit, which allows you to leave a description of the commit:

The Academy of Motion Picture Arts and Sciences and The Linux Foundation Launched the Academy Software Foundation, Linux 4.18 and GNU Linux-libre 4.18-gnu Kernels Are Out, DXVK 0.65 Released and Canonical Live Patch Update

News briefs for August 13, 2018.

The Academy of Motion Picture Arts and Sciences and The Linux Foundation launched the Academy Software Foundation late last week. The ASF's mission is to "increase the quality and quantity of contributions to the content creation industry's open source software base; to provide a neutral forum to coordinate cross-project efforts; to provide a common build and test infrastructure; and to provide individuals and organizations a clear path to participation in advancing our open source ecosystem". Interested developers can sign up to join the mailing list here.

The Linux 4.18 kernel is out. See this Phoronix post for a list of the best features of this new kernel.

And, the GNU Linux-libre 4.18-gnu deblobbed version, which removes all non-free components from Linux, is now available as well. You can find sources and tarballs here.

DXVK 0.65, a Vulkan-based library for running Direct3D 11 games in Wine, has been released. According to GamingOnLinux, the new version provides "better configuration for various games out of the box", along with several other fixes.

Canonical recently released a new Linux kernel live patch for all of its supported Ubuntu Linux operating system releases to address various security vulnerabilities, including the recent TCP flaw (CVE-2018-5390) and a few others (CVE-2018-13405, CVE-2018-13094, CVE-2018-1094 and CVE-2018-11506). Update now if you haven't already. (Source: Softpedia News.)

Encrypting NFSv4 with Stunnel TLS

NFS clients and servers push file traffic over clear-text connections in the default configuration, which is incompatible with sensitive data. TLS can wrap this traffic, finally bringing protocol security. Before you use your cloud provider's NFS tools, review all of your NFS usage and secure it where necessary.

The Network File System (NFS) is the most popular file-sharing protocol in UNIX. Decades old and predating Linux, the most modern v4 releases are easily firewalled and offer nearly everything required for seamless manipulation of remote files as if they were local.

The most obvious feature missing from NFSv4 is native, standalone encryption. Absent Kerberos, the protocol operates only in clear text, and this presents an unacceptable security risk in modern settings. NFS is hardly alone in this shortcoming, as I have already covered clear-text SMB in a previous article. Compared to SMB, NFS over stunnel offers better encryption (likely AES-GCM if used with a modern OpenSSL) on a wider array of OS versions, with no pressure in the protocol to purchase paid updates or newer OS releases.

NFS is an extremely common NAS protocol, and extensive support is available for it in cloud storage. Although Amazon EC2 supports clear-text and encrypted NFS, Google Cloud makes no mention of data security in its documented procedures, and major initiatives for the protocol recently have been launched by Microsoft Azure and Oracle Cloud that raise suspicion. When using these features over untrusted networks (even within the hosting provider), it must be assumed that vulnerable traffic will be captured, stored and reconstituted by hostile parties should they have the slightest interest in the content. Fortunately, wrapping TCP-based NFS with TLS encryption via stunnel, while not obvious, is straightforward.

The performance penalty for tunneling NFS over stunnel is surprisingly small—transferring an Oracle Linux Installation ISO over an encrypted NFSv4.2 connection is well within 5% of the speed of clear text. Even more stunning is the performance of fuse-sshfs, which appears to beat even clear-text NFSv4.2 in transfer speed. NFS remains superior to sshfs in reliability, dynamic idmap and resilience, but FUSE and OpenSSH delivered far greater performance than expected.

Weekend Reading: All Things Bash


Bash is a shell and command language. It is distributed widely as the default login shell for most Linux distributions. We've rounded up some of the most popular Bash-related articles for your weekend reading.

Create Dynamic Wallpaper with a Bash Script

By Patrick Wheelan

Harness the power of bash and learn how to scrape websites for exciting new images every morning.

 

Developing Console Applications with Bash

By Andy Carlson

Bring the power of the Linux command line into your application development process.

 

Parsing an RSS News Feed with a Bash Script

By Jim Hall

I can automate an hourly job to retrieve a copy of an RSS feed, parse it, and save the news items to a local file that the website can incorporate. That reduces complexity on the website, with only a little extra work by parsing the RSS news feed with a Bash script.

 

Hacking a Safe with Bash

By Adam Kosmin

Being a minimalist, I have little interest in dealing with GUI applications that slow down my work flow or application-specific solutions (such as browser password vaults) that are applicable only toward a subset of my sensitive data. Working with text files affords greater flexibility over how my data is structured and provides the ability to leverage standard tools I can expect to find most anywhere.

 

Graph Any Data with Cacti!

By Shawn Powers

Cacti is not a new program. It's been around for a long time, and in its own way, it's a complicated beast itself. I finally really took the time to figure it out, however, and I realized that it's not too difficult to use. The cool part is that Cacti makes RRDtool manipulation incredibly convenient. It did take me the better part of a day to understand Cacti fully, so hopefully this article will save you some time.

 

Reading Web Comics via Bash Script

By Jim Hall

I follow several Web comics. I used to open my Web browser and check out each comic's Web site. That method was fine when I read only a few Web comics, but it became a pain to stay current when I followed more than about ten comics. These days, I read around 20 Web comics. It takes a lot of time to open each Web site separately just to read a Web comic. I could bookmark the Web comics, but I figured there had to be a better way—a simpler way for me to read all of my Web comics at once.

 

Ring-KDE 3.0.0 Released, Intel Debuts 32TB Ruler-Shaped SSDs, OpenEMR Security Issues, PostgreSQL Updates and New Version of Unigine

News briefs for August 10, 2018.

Ring-KDE 3.0.0, a GNU Ring.cx client, has been released. GNU Ring is a secure, distributed communication platform based on open industry-standard technologies for audio calls, video conferences, chat, screen-sharing and peer-to-peer file transfer. This new version of Ring-KDE is a full rewrite of the app "to use more modern technologies such as touch support, QtQuick2 and KDE Kirigami adaptive widget framework". When you join GNU Ring, "no servers or centralized accounts are needed. Beside an optional blockchain-based way to reserve your username against takeover, nothing leaves your device", and Ring-KDE "provides a simple wizard to help you create credentials or import your personal information from other devices." For more info, also visit here.

Intel debuts a totally silent ruler-shaped solid state drive, the Intel SSD DC P4500. This SSD can store 32 terabytes—"equivalent to triple the entire printed collection of the U.S. Library of Congress". In addition, "the no-moving-parts ruler-shaped SSDs can be lined up 32 side-by-side, to hold up to a petabyte in a single server slot. Compared with a traditional SSD, the 'ruler' requires half the airflow to keep cool. And compared with hard disk storage, the new 3D NAND SSD sips one-tenth the power and requires just one-twentieth the space."

Several security vulnerabilities were discovered recently in OpenEMR, developer of open-source electronic health records and practice management tools, possibly affecting the data of more than 90 million patients. Info Security Magazine reports that the issues "included nine separate SQL injection vulnerabilities, four remote code execution flaws and several arbitrary file read, write and delete bugs. Others included a portal authentication bypass, unauthenticated information disclosure, and cross-site request forgery". Info Security notes that the OpenEMR team has since patched "most" of the vulnerabilities.

PostgreSQL announces a slew of new releases: 10.5, 9.6.10, 9.5.14, 9.4.19, 9.3.24 and 11 beta 3. The third beta release of PostgreSQL 11 "contains previews of all features that will be available in the final release of PostgreSQL 11". Two security issues and more than 40 bugs are also fixed in these updates.

Unigine, the Linux-friendly commercial game and professional graphics engine, has released version 2.7.2. According to Phoronix, this release "has better importing support for CAD models, optimized texture streaming, physically-based cameras and lights, an improved particle system, multi-channel rendering improvements, and various other optimizations and polishing. Unfortunately, no word on Vulkan support yet for Unigine 2." For more info, see also the Unigine Dev site.

Telecommuting Tips

With all the collaboration technology available for offices today, there's no reason telecommuters can't be as productive and as connected as other team members.

I live in the San Francisco Bay Area, known for high-tech companies, horrible traffic and high cost of living. When it came time for me to buy a house, I chose an area that left me with a 90–120-minute commute, depending on traffic and the time of day, so through the years, I've negotiated work-from-home days and have experience with telecommuting at companies of various sizes with different proportions of remote workers. Telecommuting is not only more convenient for many employees, it also can get the best work out of people, because it can grant better opportunities to focus and lets employees get right to work instead of spending hours getting to and from work. Unfortunately, many places inadvertently sabotage their telecommuters with bad practices, so here are a few tips to help make telecommuting successful.

Invest in Good Teleconference Hardware

I've attended many video conferences where the audio was so horrible, I might as well have not joined. Or worse, there was a time when one speaker was loud and clear, but when the conversation went to the other side of the table, it was inaudible. Although it's nice to have quality cameras, having quality microphones is critical. Make sure each of your meeting rooms has quality microphones that can pick up sounds all around the meeting table, and make sure attendees speak up. Relying on the microphone on someone's laptop just doesn't cut it for meetings involving more than two people. Although it's considered good meeting etiquette to have only one person speak at a time, this protocol is extra important if you have anyone calling in, as cross-talk makes it all but impossible to hear either conversation even over a good microphone.

Add Video Conference Links to Every Meeting

Make it a habit to add a link to your video conference room for each meeting you create, even if all of the attendees are expected to be in the office. This habit ensures that when you realize you forgot to invite a remote worker, you aren't scrambling to figure out how to set up the video conference, plus sometimes even team members in the office need to work from home at the last minute. If your scheduling software can do this automatically, even better (some do this by having each meeting room in a contact list and inviting the relevant meeting room to the meeting). Also make sure you set this up for all-hands company-wide meetings.

Julia 1.0 Released, 2018 State of Rust Survey, Samsung Galaxy Note 9 Launches Today, Margaret Dawson of Red Hat Named Business Role Model of the Year in Women in IT Awards and Creative Commons Awarded $800,000 from Arcadia

News briefs for August 9, 2018.

Julia 1.0 made its debut yesterday—the "culmination of nearly a decade of work to build a language for greedy programmers". The language's goal: "We want a language that's open source, with a liberal license. We want the speed of C with the dynamism of Ruby. We want a language that's homoiconic, with true macros like Lisp, but with obvious, familiar mathematical notation like Matlab. We want something as usable for general programming as Python, as easy for statistics as R, as natural for string processing as Perl, as powerful for linear algebra as Matlab, as good at gluing programs together as the shell. Something that is dirt simple to learn, yet keeps the most serious hackers happy. We want it interactive and we want it compiled." You can download it here.

The Rust Community announced the 2018 State of Rust Survey, and they want your opinions to help them establish future development priorities. The survey should take 10–15 minutes to complete, and is available here. And, you can see last year's results here.

Samsung Galaxy Note 9 launches today at 11am ET. You can watch the spectacle via Android Central, which will be streaming the live event.

Margaret Dawson, Vice President, Portfolio Product Marketing at Red Hat, was named Business Role Model of the Year at the inaugural Women in IT Awards USA. The awards were organized by Information Age to "redress the gender imbalance by showcasing the achievements of women in the sector and identifying new role models".

Creative Commons was awarded $800,000 from Arcadia (a charitable fund of Lisbet Rausing and Peter Baldwin) to support CC Search, which is "a Creative Commons technology project designed to maximize discovery and use of openly licensed content in the Commons". CC Search, along with Commons Metadata Library and the Commons API, plans to form the Commons Collaborative Archive and Library, a suite of tools that will "make the global commons of openly licensed content more searchable, usable, and resilient, and to provide essential infrastructure for collaborative online communities".

Astronomy on KDE

I recently switched to KDE and Plasma as my main desktop environment, so I thought I'd start digging into some of the scientific software available on KDE. First up is KStars, the desktop astronomy program.

KStars probably won't be installed with the standard KDE desktop, so you may need to install it. If you're using a Debian-based distribution, you can install KStars with the following command:


sudo apt-get install kstars

When you first start it, KStars asks for your current location, and then it gives you the option of installing several extra information files to add to the list of objects that KStars knows about and can display. Once those steps are finished, KStars begins with the current sky at the location you entered earlier.

Figure 1. On startup, KStars shows you the current layout of the sky in your location.

So, what can you do with KStars? If you've used programs like Stellarium before, you'll find that you can do the same types of tasks with KStars. You can use your mouse to click and drag the display to change the direction you're facing. The cardinal directions are labeled along the outside of the circle of the sky, and you can zoom in and out to change the field of view. If you see an object you want to examine further, you can double-click it to center it on the display and tag it as the current object of interest.

Depending on what catalogs of data you installed, some of the objects may have more or less information available. For example, selecting the planet Uranus and zooming all the way in shows a reasonably detailed image of the planet, including the ring orientation.

Figure 2. You can easily select and zoom in to objects of interest in KStars.

Quite a few options are available for controlling what's shown in the main window. The toolbar across the top of the window allows you to toggle the following items: stars, deep sky objects, solar system objects, supernovae, satellites, constellation lines, constellation names, constellation art, constellation boundaries, Milky Way, equatorial coordinate grid, horizontal coordinate grid and opaque ground. This allows you to customize the display so that it shows only what you're interested in at the time. The last display option is to toggle the "What's Interesting" pane.

LibreOffice 6.1 Now Available, Facebook Open-Sourcing Fizz, Firefox Advance Is Latest Test Pilot Experiment, Dart 2.0 Stable Released and KDE Neon Bionic Preview Images Available for Testing

News briefs for August 8, 2018.

The Document Foundation announced this morning that LibreOffice 6.1 is now available. This is the second major release of the 6 family, and it has many new features, such as Colibre (a new icon theme for Windows), a reworked image handling feature, an improved EPUB export filter, improvements in all modules of LibreOffice Online and much more. See this video for more on all the new features. You can download LibreOffice 6.1 from here.

Facebook announced it is open-sourcing Fizz, a "robust, highly performant TLS library written in C++ 14". In addition, Facebook says that "Fizz now handles millions of TLS 1.3 handshakes every second. We believe this makes it the largest deployment of TLS 1.3—and early (0-RTT) data—on the internet." Fizz is now available on GitHub, and Facebook hopes that open-sourcing it will "help speed up deployment of TLS 1.3 across the internet and help others make their apps and services faster and more secure".

Firefox's latest Test Pilot Experiment called Advance is now available. Mozilla writes that with Advance, "you can explore more of the web efficiently, with real-time recommendations based on your current page and your most recent web history." Advance is a Web Extension that "works by analyzing content you're into right now in order to provide recommendations based on what you may want to 'Read Next' through a sidebar in the browser." You can download it from here.

Google announced the release of Dart 2 stable yesterday, including a rewrite of the Dart web platform. According to Google, "Dart 2 marks the rebirth of Dart as a mainstream programming language focused on enabling a fast development and great user experiences for mobile and web applications." See the GitHub page for all the changes.

KDE neon Bionic Preview images are now available for testing. You can download the ISO images from here and provide feedback in the forum.

Good Lockdown vs. Bad

There's an ongoing series of skirmishes between corporations who want to sell products that users don't fully control and the kernel developers who want users to be the highest authority. Sometimes these skirmishes manifest in the form of security patches intended to lock down the kernel. Do they lock down the kernel against outside attackers? Or do they lock down the kernel against change from anyone at all, including the user who owns the device?

David Howells recently pushed a patch out of linux-next, submitting it for inclusion in the main source tree. As he put it, the patch "adds kernel lockdown support for EFI secure boot". And a man page included in the patch said:

The Kernel Lockdown feature is designed to prevent both direct and indirect access to a running kernel image, attempting to protect against unauthorized modification of the kernel image and to prevent access to security and cryptographic data located in kernel memory, whilst still permitting driver modules to be loaded.

The patch gave birth to an odd debate, but a familiar one by now. Matthew Garrett, ultimately the main proponent of the patch, kept defending it on technical grounds that Linus Torvalds felt were meaningless and dishonest, hiding a secret agenda that included helping companies like Microsoft lock users out of making changes to their own systems.

Andy Lutomirski was another critic of Matthew's defense of the patch. The debate circled around and around, with Linus and Andy trying to get Matthew to admit the true motivation they believed he had and Matthew attempting to give solid reasons why the patch should go into the kernel. Things got ugly.

James Morris initially accepted the patch, planning to send it up to Linus for inclusion, and Andy reviewed the code. Among his comments, Andy said the goal of the patch was not clearly stated. He said for the purpose of his code review he would assume the goal was to prevent the root user from either reading kernel memory or intentionally corrupting the kernel.

But, he didn't think those were proper goals for a kernel, even a UEFI Secure Boot kernel. He said, "the kernel should try to get away from the idea that UEFI Secure Boot should imply annoying restrictions. It's really annoying and it's never been clear to me that it has a benefit." He singled out the idea of preventing the root user from accessing kernel memory as one of these annoying restrictions.

Kees Cook replied with his overall justification for this patch. He said:

SegmentSmack Kernel Bug Discovered, Android 9 Pie Now Available, Google’s August Security Bulletin for Android, Kernel 4.19 to Get STACKLEAK Feature and GNOME Releases Keysign 0.9.8

News briefs for August 7, 2018.

Security researchers have discovered a bug in kernel 4.9 called SegmentSmack. Red Hat comments that "a remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system". There's no known workaround other than a fixed kernel at this time. See also the story on ZDNet for more information.

Android 9 "Pie" was released yesterday. Android 9 uses AI to help it adapt to your preferences as you use it. Other new features include an adaptive battery, gesture navigation and tools to help you see how much time you're spending on your phone.

Google also released its August security bulletin for Android yesterday, and the most severe issue "is a critical vulnerability that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process".

The upcoming 4.19 kernel will be getting the STACKLEAK feature, Phoronix reports. STACKLEAK provides further security as it "wipes out the kernel stack before returning from system calls. By clearing the kernel stack, it reduces possible leakage and can block some possible attack vectors, including stack clash attacks and uninitialized stack variable attacks."

GNOME Keysign 0.9.8 has been released. This update fixes several bugs and now includes Bluetooth support so you can exchange keys without a network connection. The app is also now on Flathub, and you can install it from here.
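
The stack wipe described in the STACKLEAK item above, modelled in user space as an added example (not kernel code and not from the original page). A fixed array stands in for one task's kernel stack; the names `sys_set_key`, `sys_get_info` and `run_scenario`, the sample key and the fill pattern are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_WORDS 32
#define FRAME_WORDS 4
#define POISON ((uint64_t)-0xBEEFLL)      /* fill pattern for this model */
#define SECRET 0x5EC2E7C0FFEEULL          /* constructed sample "key" */

static uint64_t kstack[STACK_WORDS];      /* simulated kernel stack of one task */
static size_t lowest = STACK_WORDS;       /* deepest slot touched (stack grows down) */

/* Every syscall starts at the same stack top, so frames overlap across calls. */
static uint64_t *enter_frame(void) {
    size_t sp = STACK_WORDS - FRAME_WORDS;
    if (sp < lowest) lowest = sp;
    return &kstack[sp];
}

/* With the mitigation on, overwrite everything the syscall used before returning. */
static void syscall_exit(int stackleak) {
    if (stackleak)
        for (size_t i = lowest; i < STACK_WORDS; i++) kstack[i] = POISON;
    lowest = STACK_WORDS;
}

/* Syscall 1: handles a secret in a local and never scrubs it. */
static void sys_set_key(uint64_t key, int stackleak) {
    uint64_t *local = enter_frame();
    local[1] = key;
    syscall_exit(stackleak);
}

/* Syscall 2: buggy, returns local[1] to the caller without initialising it. */
static uint64_t sys_get_info(int stackleak) {
    uint64_t *local = enter_frame();
    uint64_t out = local[1];
    syscall_exit(stackleak);
    return out;
}

/* What an unprivileged caller receives after the two calls run back to back. */
uint64_t run_scenario(int stackleak) {
    for (size_t i = 0; i < STACK_WORDS; i++) kstack[i] = 0;
    lowest = STACK_WORDS;
    sys_set_key(SECRET, stackleak);
    return sys_get_info(stackleak);
}

int main(void) {
    printf("without erase: %#llx\n", (unsigned long long)run_scenario(0));
    printf("with erase:    %#llx\n", (unsigned long long)run_scenario(1));
    return 0;
}
```

The bug in `sys_get_info` is still there in both runs; the erase on exit only changes what the stale slot contains, which is why the quoted description says the feature "reduces possible leakage".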