Firefox to Block Tracking by Default, ZeroPhone Project Coming Soon, Google Code-in 2018, OpenStack Releases Version 18 “Rocky” and Greg Kroah-Hartman on Meltdown and Spectre Vulnerabilities

News briefs for August 31, 2018.

Mozilla yesterday announced a different approach to anti-tracking on the internet. Mozilla's new approach means that "in the near future, Firefox will—by default—protect users by blocking tracking while also offering a clear set of controls to give our users more choice over what information they share with sites." In order to accomplish this, Mozilla has three key initiatives: improve page load performance, remove cross-site tracking and mitigate harmful practices.

ZeroPhone, an "open-source Linux-powered $50 smartphone", is being launched on Crowd Supply. The project is coming soon, and according to its description, "It has no carrier locks, bloated apps, or data mining, and it doesn't depend on big companies." In addition, it's based on Raspberry Pi Zero, ESP8266 and Arduino.

Google announces its Google Code-in (GCI) 2018 contest. The contest begins October 23, 2018 and ends December 12, 2018, and "students ages 13–17 from around the world can learn about open source development by working on real open source projects, with mentorship from active developers." See the Google Code-in 2018 site for information for both students and mentoring organizations.

OpenStack released Rocky, version 18, of the open-source cloud infrastructure software yesterday. According to the release statement, the two main new features are "refinements to Ironic (the bare metal provisioning service) and fast forward upgrades". In addition, version 18 addresses "new user requirements for hardware accelerators, high availability configurations, serverless capabilities, and edge and internet of things (IoT) use cases".

Greg Kroah-Hartman warned attendees at the Open Source Summit North America about "the severe impact the Meltdown and Spectre CPU vulnerabilities could have on them, as well as detailed how Linux kernel developers are dealing with the flaws", eWeek reports. He also strongly criticized the way Intel initially handled the disclosure.

FOSS Project Spotlight: Run Remote Tasks on Linux and Windows with Puppet Bolt

Puppet, the company that makes automation software for managing systems and delivering software, has introduced Puppet Bolt, an open-source, agentless multiplatform tool for running commands, scripts, tasks and orchestrated workflows on remote Linux and Windows systems.

The tool, which is freely available as a Linux package, Ruby gem and macOS or Windows installer, is ideal for sysadmins and others who want to perform a wide range of automation tasks on remote bare-metal servers, VMs or cloud instances without the need for any prerequisites. Puppet Bolt doesn't require any previous Puppet know-how. Nor does it require a Puppet agent or Puppet master. It uses only SSH and WinRM (or can piggyback Puppet transports) to communicate and execute tasks on remote nodes.

Despite its simplicity, Puppet Bolt can execute all your existing scripts written in Bash, PowerShell, Python or any other language, stop and start Linux or Windows services, gather information about packages and system facts, or deploy procedural orchestrated workflows, otherwise known as plans. You can do all this right from your workstation or laptop.

For those already using open-source Puppet or Puppet Enterprise, Puppet Bolt enables you to take advantage of the more than 5,700 modules available in the Puppet Forge for everything from deploying database servers to setting up Docker or Kubernetes. You also can query PuppetDB directly with Puppet Bolt.

Install Puppet Bolt and Run Some Tasks

You also can install Puppet Bolt with apt or yum once you add the Puppet repositories:


$ sudo apt install puppet-bolt

You can install Puppet Bolt on Windows with the available .msi, or if you're running Bash on Windows 10, by using the Linux instructions for the flavor you installed. Follow the link in the Resources section to see detailed installation instructions for your favorite platform.

If you're running Ruby (and have gcc and make on your workstation), you can get Puppet Bolt up and running in moments with the simple command:


$ gem install bolt

In just a few minutes, you're now ready to start running one-off commands, tasks, scripts or plans. Puppet Bolt is perfect for troubleshooting or deploying quick changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment. See the built-in Puppet Bolt commands by running:


$ bolt help

Figure 1. Built-in Puppet Bolt Commands

A typical Puppet Bolt command looks like this:

Google Hands Off Kubernetes to the Cloud Native Computing Foundation, Kinetica Joins Automotive Grade Linux, NordVPN Releases NordVPN Linux App, Storj Labs Announces The Open Source Partner Program and Update on Librem 5 Phone

News briefs for August 30, 2018.

Google is handing over control of the Kubernetes project to the Cloud Native Computing Foundation. According to the TechCrunch post, Google is providing the foundation $9 million in Google Cloud credits to help cover the costs of building, testing and distributing the software.

Kinetica, "the insight engine for the Extreme Data Economy", is "taking steps to bring advanced analytics, artificial intelligence and its GPU engine to the global automotive industry" and becoming a silver member of The Linux Foundation and a bronze member of Automotive Grade Linux. Kinetica also has announced it is releasing Mapbox, its location data platform for mobile and web applications, to the Open Source community.

NordVPN recently released the NordVPN Linux app. This dedicated app for Linux makes it even easier to install the VPN on your machine. For more information and to download, visit the NordVPN for Linux download page.

Storj Labs, a decentralized cloud storage company, has announced The Open Source Partner Program, "a partnership that will enable open-source projects to generate revenue when their users store data in the cloud". According to ZDNet, Storj's executive chairman Ben Golub calls Storj Labs' decentralized storage technology "AirBnB for hard drives", and says that "the Storj network, unlike conventional cloud storage, will provide a sustaining revenue stream to open-source projects using the Storj network." It plans to give 60% of its gross revenue to the storage farmers and split the remaining 40% with open-source developers.

Purism yesterday provided an update on the development of its Chatty chat application for the Librem 5 phone. According to the post, "At the moment Chatty can perform some basic (and arguably most difficult task of) send and receive operations with SMS via ModemManager and a SIMCOM modem, as well as with XMPP/OMEMO messages via libpurple and the lurch plugin."

Supporting the NDS32 Architecture

Green Hu posted a patch to support the NDS32 architecture. He described the current status as, "It is able to boot to shell and passes most LTP-2017 testsuites in nds32 AE3XX platform."

Arnd Bergmann approved the patch, but Linus Torvalds wanted a little more of a description—an overview of the "uses, quirks, reasons for existing" for this chip, to include in the changelog.

Arnd replied:

The non-marketing description is that this is a fairly conventional (in a good way) low-end RISC architecture that is usually integrated into custom microcontroller and SoC designs, competing with the similar ARM32, ARC, MIPS32, RISC-V, Xtensa and (currently under review) C-Sky architectures that occupy the same space. The most interesting bit from my perspective is that Andestech are already selling a new generation of CPU cores that are based on 32-bit and 64-bit RISC-V, but are still supporting enough customers on the existing cores to invest in both.

And Green also said:

Andes nds32 architecture supports Linux for Andes's N10, D10, N13, N15, D15 processor cores.

Based on the patented 16/32-bit AndeStar RISC-like architecture, we designed the configurable AndesCore series of embedded processor families. AndesCores range from highly performance-efficient small-footprint cores for microcontrollers and deeply-embedded applications to 1GHz+ cores running Linux, covering general-purpose N-series cores for a wide range of computing needs; DSP-capable D-series cores for digital signal control; instruction-extensible E-series cores for application-specific acceleration; and secure S-series cores for best protection of the most valuable.

Our customers together have shipped over 2.5 billion SoCs with Andes processors embedded (including non-MMU IP cores). It will help our customers to get better Linux support if we are merged into mainline.

It looks like there's no controversy over this port, and it should fly into the main tree. One reason for the easy adoption is that it doesn't touch any other part of the kernel—if the patch breaks anything, it'll break only that one architecture, so there's very little risk in letting Green make his own choices about what to include and what to leave out. Linus's main threshold will probably be, does it compile? If yes, then it's okay to go in.

Mozilla’s Firefox Nightly Experiment Results, EFF’s Back to School Tips, HHVM 3.28 Released, Oracle Solaris 11.4 Now Available and Dropbox Vulnerability Discovered

News briefs for August 29, 2018.

Mozilla posted the results of its planned Firefox nightly experiment involving secure DNS via the DNS over HTTPS (DoH) protocol. The experiment focused on two questions: "Does the use of a cloud DNS service perform well enough to replace traditional DNS?" and "Does the use of a cloud DNS service create additional connection errors?" See the Mozilla Blog for details.

The EFF yesterday posted its Back to School Essentials for Security—great tips whether or not you're currently a student.

HHVM 3.28 was released yesterday. This new release of the open-source virtual machine for executing programs written in Hack and PHP "contains new language features, bugfixes, performance improvements, and improvements to the debugger and editor/IDE support."

Oracle Solaris 11.4 has been released. Scott Lynn, Director of Product Management, Oracle Linux and Oracle Solaris, writes "There have been 175 development builds to get us to Oracle Solaris 11.4. We've tested Oracle Solaris 11.4 for more than 30 million machine hours. Over 50 customers have already put Oracle Solaris 11.4 into production and it already has more than 3000 applications certified to run on it. Oracle Solaris 11.4 is the first and, currently, the only operating system that has completed UNIX V7 certification."

A vulnerability in Microsoft's cloud storage solution Dropbox was discovered recently. According to Appuals, this DLL hijacking and code execution vulnerability affects Dropbox's version 54.5.90, and "a user whose device is undergoing this exploit won't realize it until the process has been exploited to inject malware into the system. The DLL injection and execution runs in the background without requiring any user input to run its arbitrary code."

Creating the Concentration Game PAIRS with Bash

Exploring the nuances of writing a pair-matching memory game and one-dimensional arrays in Bash.

I've always been a fan of Rudyard Kipling. He wrote some great novels and stories, mostly about British colonial-era India. Politically correct in our modern times? Not so much, but still, his books are good fun for readers and are still considered great literature of their time. His works include The Jungle Book, Captains Courageous, The Just So Stories and The Man Who Would Be King, among many others.

He also wrote a great spy novel about a young English boy who is raised as an Indian native and thence recruited by the British government as a spy. The boy's name is the title of the book: Kim. In the story, Kim is trained to have an eidetic memory with a memory game that involves being shown a tray of stones of various shapes, sizes and colors. Then it's hidden, and he has to recite as many patterns as he can recall.

For some reason, that scene has always stuck with me, and I've even tried to teach my children to be situationally aware through similar games like "Close your eyes. Now, what color was the car that just passed us?" Since most of us are terrible observers (see, for example, how conflicting eyewitness accident reports can be), it's undoubtedly good practice for general observations about life.

Although it's tempting to try to duplicate this memory game as a program, the reality is that with just a shell script, it would be difficult. Perhaps you display a random pattern of letters and digits in a grid, then clear the screen, then ask the user to enter patterns, but that's really much more of a game for a screen-oriented, graphical application—not shell scripts.

But, there's a simplified version of this that you can play with a deck of cards: Concentration. You've probably played it yourself at some point in your life. You place the cards face down in a grid and then flip up two at a time to try to find pairs. At the beginning, it's just random guessing, but as the game proceeds, it becomes more about your spatial memory, and by the end, good players know what just about every unflipped card is at the beginning of their turn.

Designing PAIRS

That, of course, you can duplicate as a shell script, and since it is going to be a shell script, you also can make the number of pairs variable. Let's call this game PAIRS.

As a minimum, let's go with four pairs, which should make debugging easy. Since there's no real benefit to duplicating playing card values, it's just as easy to use letters, which means a max of 26 pairs, or 52 slots. Not every value is going to produce a proper spread or grid, but if you aim for 13 per line, players then can play with anywhere from 1–4 lines of possibilities.

3D-Printed Firearms Are Blowing Up

What's the practical risk with 3D-printed firearms today? In this opinion piece, Kyle explores the current state of the art.

If you follow 3D printing at all, and even if you don't, you've likely seen some of the recent controversy surrounding Defense Distributed and its 3D-printed firearm designs. If you haven't, here's a brief summary: Defense Distributed has created 3D firearm models and initially published them for free on its DEFCAD website a number of years ago. Some of those 3D models were designed to be printed with a traditional home hobbyist 3D printer (at least in theory), and other designs were for Defense Distributed's "Ghost Gunner"—a computer-controlled CNC mill aimed at milling firearm parts out of metal stock. The controversy that ensued was tied up in the general public debate about firearms, but in particular, a few models got the most attention: a model of an AR-15 lower receiver (the part of the rifle that carries the serial number) and "the Liberator", which was a fully 3D-printed handgun designed to fire a single bullet. The end result was that the DEFCAD site was forced to go offline (but as with all website take-downs, it was mirrored a million times first), and Defense Distributed has since been fighting the order in court.

The political issues raised in this debate are complicated, controversial and have very little to do with Linux outside the "information wants to be free" ethos in the community, so I leave those debates for the many other articles on this issue that already have been published. Instead, in this article, I want to use my background as a hobbyist 3D printer and combine it with my background in security to build a basic risk assessment that cuts through a lot of the hype and political arguments on all sides. I want to consider the real, practical risks with the 3D models and the current Ghost Gunner CNC mill that Defense Distributed provides today. I focus my risk assessment on three main items: the 3D-printed AR-15 lower receiver, the Liberator 3D-printed handgun and the Ghost Gunner CNC mill.

3D-Printed AR-15 Lower Receiver

This 3D model was one of the first items Defense Distributed shared on DEFCAD. In case you aren't familiar with the AR-15, its modular design is one of the reasons for its popularity. Essentially every major part of the rifle has numerous choices available that are designed to integrate with the rest of the rifle, and you can find almost all of the parts you need to assemble this rifle online, order them independently, and then build your own—that is, except for the lower receiver. That part of the rifle is what the federal government considers "the rifle", as it is the part that's stamped with the serial number that uniquely identifies and registers one particular rifle versus all of the others out there in the world. This part has restrictions like you would find with a regular rifle, revolver or other firearm.

Kali Linux’s New Version 2018.3, Open-Source License War, Lenovo Announces Five New Android Tablets, Google Releases Open-Source Reinforcement Learning Framework and KD Chart Update

News briefs for August 28, 2018.

Kali Linux recently announced its third release of 2018. Version 2018.3 features several new tools: idb, an iOS research/penetration-testing tool; gdb-peda, Python Exploit Development Assistance for GDB; datasploit, OSINT Framework to perform various recon techniques; and kerberoast, Kerberos assessment tools. See the Change Log for more information on all the changes, and download Kali from here.

A new open-source license war has begun. According to ZDNet, Redis Labs has added the Commons Clause to its license for Redis, the open-source, in-memory data structure store that "enables real-time applications such as advertising, gaming financial services, and IoT to work at speed". This license "forbids you from selling the software. It also states you may not host or offer consulting or support services as 'a product or service whose value derives, entirely or substantially, from the functionality of the software'".

Lenovo has released a new generation of Android tablets for home and entertainment use: "the Lenovo Tab E7, Lenovo Tab E8, Lenovo Tab E10, as well as new mainstream and premium tablets, the Lenovo Tab M10 and Lenovo Tab P10". See the press release for more details on these affordable, thin and light tablets.

Google released an open-source reinforcement learning framework based on TensorFlow for training AI models. It's available on GitHub. Venture Beat quotes Pablo Samuel Castro and Marc G. Bellemare, researchers on the Google Brain Team, on the platform: "Inspired by one of the main components in reward-motivated behavior in the brain and reflecting the strong historical connection between neuroscience and reinforcement learning research, this platform aims to enable the kind of speculative research that can drive radical discoveries."

KD Chart has a new release. The latest release of this open-source Qt component for creating business charts builds with modern Qt versions (up to Qt 5.10), improves tooltip handling and now "includes Stock Charts, Box & Whisker Charts and the KD Gantt module for implementing ODF Gantt charts into applications". You can get it from here.

Cleaning Your Inbox with Mutt

Teach Mutt yet another trick: how to filter messages in your Inbox with a simple macro.

I'm a longtime Mutt user and have written about it a number of times in Linux Journal. Although many people may think it's strange to be using a command-line-based email client in 2018, I find a keyboard-driven email client so much more efficient than clicking around in a web browser. Mutt is extremely customizable, which presents a steep learning curve at first, but now that I'm a few decades in, my Mutt configuration is pretty ideal and fits me like a tailored suit.

Of course, as with any powerful and configurable tool, every now and then I learn of a new Mutt feature that improves my quality of life dramatically. In this case, I was using an email system that didn't offer server-side filters. Because I was a member of many different email groups and aliases, this meant that my Inbox was flooded with emails of all kinds, and it became difficult to filter through all the unimportant email I wanted to archive with the emails that demanded my immediate attention.

There are many ways to solve this problem, some of which involve tools like offlineimap combined with filtering tools. With email clients like Thunderbird, you also can set up filters that automatically move email to other folders every time you sync. I wanted a similar system with Mutt, except I didn't want it to happen automatically. I wanted to be able to press a key first so I could confirm what was moving. In the process of figuring this out, I discovered a few gotchas I think other Mutt users will want to know about if they set up a similar system.

Tagging Emails

The traditional first step when setting up a keyboard macro to move email messages based on a pattern would be to use Mutt's tagging-by-pattern feature (by default, the T key) to tag all the messages in a folder that match a certain pattern. For instance, if all of your cron emails have "Cron Daemon" in the subject line, you would type the following key sequence to tag all of those messages:


TCron Daemon

That's the uppercase T, followed by the pattern I want to match in the subject line (Cron Daemon) and then the Enter key. If I type that while I'm in my Mutt index window that shows me all the emails in my Inbox, it will tag all of the messages that match that pattern, but it won't do anything with them yet. To act on all of those messages, I press the ; key (by default), followed by the action I want to perform. So to save all of the tagged email to my "cron" folder, I would type:

Everything You Need to Know about Linux Containers, Part II: Working with Linux Containers (LXC)

Part I of this Deep Dive on containers introduces the idea of kernel control groups, or cgroups, and the way you can isolate, limit and monitor selected userspace applications. Here, I dive a bit deeper and focus on the next step of process isolation—that is, through containers, and more specifically, the Linux Containers (LXC) framework.

Containers are about as close to bare metal as you can get when running virtual machines. They impose very little to no overhead when hosting virtual instances. First introduced in 2008, LXC adopted much of its functionality from the Solaris Containers (or Solaris Zones) and FreeBSD jails that preceded it. Instead of creating a full-fledged virtual machine, LXC enables a virtual environment with its own process and network space. Using namespaces to enforce process isolation and leveraging the kernel's very own control groups (cgroups) functionality, the feature limits, accounts for and isolates CPU, memory, disk I/O and network usage of one or more processes. Think of this userspace framework as a very advanced form of chroot.

Note: LXC uses namespaces to enforce process isolation, alongside the kernel's very own cgroups to account for and limit CPU, memory, disk I/O and network usage across one or more processes.

But what exactly are containers? The short answer is that containers decouple software applications from the operating system, giving users a clean and minimal Linux environment while running everything else in one or more isolated "containers". The purpose of a container is to launch a limited set of applications or services (often referred to as microservices) and have them run within a self-contained sandboxed environment.

Figure 1. A Comparison of Applications Running in a Traditional Environment to Containers

This isolation prevents processes running within a given container from monitoring or affecting processes running in another container. Also, these containerized services do not influence or disturb the host machine. The idea of being able to consolidate many services scattered across multiple physical servers into one is one of the many reasons data centers have chosen to adopt the technology.
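The isolation described above can be checked from the host. The following is an added example, not code from the article or from the LXC project: it compares the namespace links under /proc/<pid>/ns for two processes and parses /proc/<pid>/cgroup to show which control groups confine a process. The sample inode numbers, the container name web01 and the /lxc/web01 cgroup path are constructed assumptions.

```python
import os

# Namespace types exposed under /proc/<pid>/ns on current kernels.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

def read_namespaces(pid):
    """Return {type: 'type:[inode]'} for a live process by reading /proc/<pid>/ns."""
    ns = {}
    for name in NS_TYPES:
        try:
            ns[name] = os.readlink(f"/proc/{pid}/ns/{name}")
        except OSError:
            pass  # type not supported by this kernel, or no permission
    return ns

def shared_namespaces(ns_a, ns_b):
    """Namespace types where both processes hold the same inode, i.e. are NOT isolated."""
    return sorted(t for t in ns_a if t in ns_b and ns_a[t] == ns_b[t])

def parse_cgroup(text):
    """Parse /proc/<pid>/cgroup lines ('hierarchy-ID:controllers:path') into {controller: path}."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        _, controllers, path = parts
        # cgroup v2 lines have an empty controller field; key them as 'unified'.
        for c in (controllers.split(",") if controllers else ["unified"]):
            out[c] = path
    return out

# Constructed sample data (assumed values, not captured from a real system).
HOST_NS = {"ipc": "ipc:[4026531839]", "mnt": "mnt:[4026531840]", "net": "net:[4026531993]",
           "pid": "pid:[4026531836]", "user": "user:[4026531837]", "uts": "uts:[4026531838]"}
CONTAINER_NS = {"ipc": "ipc:[4026532301]", "mnt": "mnt:[4026532299]", "net": "net:[4026532304]",
                "pid": "pid:[4026532302]", "user": "user:[4026531837]", "uts": "uts:[4026532300]"}
CONTAINER_CGROUP = "4:memory:/lxc/web01\n3:cpu,cpuacct:/lxc/web01\n0::/lxc/web01\n"

if __name__ == "__main__":
    # A shared 'user' namespace means uid 0 in the container maps to uid 0 on the host.
    print("shared with host:", shared_namespaces(HOST_NS, CONTAINER_NS))
    print("cgroup membership:", parse_cgroup(CONTAINER_CGROUP))
    print("this process:", read_namespaces(os.getpid()))
```

On a live host, pass the output of read_namespaces(1) and read_namespaces(<container init pid>) to shared_namespaces to see which isolation boundaries a given container actually has.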

Container features include the following:

New Raspberry Pi PoE HAT, UBports Foundation Releases Ubuntu Touch OTA-4, OpenSSH 7.8 Now Available, KDE Enhancements and Seagate Media Server SQL Injection Vulnerabilities

News briefs for August 27, 2018.

Raspberry Pi Trading is offering a Power-over-Ethernet HAT board for the RPi 3 Model B+ for $20 that ships with a small fan. Linux Gizmos notes that the "802.3af-compliant 'Raspberry Pi PoE HAT' allows delivery of up to 15W over the RPi 3 B+'s USB-based GbE port without reducing the port's up to 300Mbps bandwidth." To purchase, visit here.

UBports Foundation has released Ubuntu Touch OTA-4. This release features Ubuntu 16.04 and includes many security fixes and stability improvements. UBports notes that "We believe that this is the 'official' starting point of the UBports project. From the point when Canonical dropped the project until today, the community has been playing 'catch up' in development, infrastructure, and community building. This release shows that the community is soundly based and capable of delivering."

OpenSSH 7.8 was released August 24, 2018, and is available from its mirrors at https://www.openssh.com.

KDE developers continue to enhance KDE. According to Phoronix, the latest usability and productivity improvements include a new Plasmoid that brings easy access to the screen layout switcher, the logout screen will now warn you when other users are still logged in, new thumbnails for AppImages and more.

Several SQL injection vulnerabilities were discovered in the Seagate Media Server. Evidently the public folder facility "can be abused by malicious attackers when they upload troublesome files and media to the folder in the cloud". See the Appuals post for more details about this exploit.

Intel Reworks Microcode Security Fix License after Backlash, Intel’s FSP Binaries Also Re-licensed, Valve Releases Beta of Steam Play for Linux, Chromebooks Running Linux 3.14 or Older Won’t Get Linux App Support and Windows 95 Now an App

News briefs for August 24, 2018.

Intel has now reworked the license for its microcode security fix after outcry from the community. The Register quotes Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, "We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community."

Intel also has re-licensed its FSP binaries, which are used by Coreboot, LinuxBoot and Facebook's Open Compute Project, so that they are under the same license as the CPU microcode files. According to the Phoronix post, "The short and unofficial summary of that license text is it allows for redistribution (and benchmarking, if so desired) of the binaries and the restricts essentially come down to no reverse-engineering/disassembly of the binaries and respecting the copyright."

Valve announced this week that it's releasing the Beta of a new and improved Steam Play version to Linux. The new version includes "a modified distribution of Wine, called Proton, to provide compatibility with Windows game titles." Among the other improvements, DirectX 11 and 12 implementations are now based on Vulkan, full-screen support has been improved, game controller support has been improved, and "Windows games with no Linux version currently available can now be installed and run directly from the Linux Steam client, complete with native Steamworks and OpenVR support".

Linux app support will be available soon for many Chromebooks, but a post on the Chromium Gerrit indicates that devices running Linux 3.14 or older will not be included. See this beta news article for a full list of the Chromebooks that won't be able to run Linux apps.

Windows 95 is now an app you can run on Linux, macOS and Windows thanks to Slack developer Felix Rieseberg, who created the Electron app. See The Verge for more details. The source code and app installers are available on GitHub.

Organizing a Market for Applications

The "Year of the Desktop" has been a perennial call to arms that's sunken into a joke that's way past its expiration date. We frequently talk about the "Year of the Desktop", but we don't really talk about how we would achieve that goal. What does the "Year of the Desktop" even look like?

What it comes down to is applications—rather, a market for applications. There is no market for applications because of a number of cultural artifacts that began when Free Software was just getting up on wobbly legs.

Today, what we have is a distribution-centric model. Software is distributed by an OSV (operating system vendor), and users get their software directly from there via whatever packaging mechanism that OSV supports. This model evolved, because in the early-to-mid 1990s, those OSVs existed to compile the kernel and userspace into a cohesive product. Packaging of applications was the next step as a convenience factor to save users from having to compile their own applications, which always was a hit-or-miss endeavor as developers had a different development environment from the users. Ultimately, OSVs enjoyed being gatekeepers as part of keeping developers honest and fixing issues that were unique to their operating system. OSVs saw themselves as agents representing users to provide high-quality software, and there was a feeling that developers were not to be trusted, as of course, nobody knows the state of their operating system better than they would.

However, this model represented a number of challenges to both commercial and open-source developers. For commercial developers, the problem became how to maximize their audience as the "Linux" market consisted of a number of major OSVs and an uncountable number of smaller niche distributions. Commercial application developers would have to develop multiple versions of their own application targeted at various major distributions for fear of missing out on a subset of users. Over time, commercial application developers would settle on using Ubuntu or a compressed tar file hosted on their website. Various distributions would pick up these tarballs and re-package them for their users. If you were an open-source developer, you had the side benefit of distributions picking up your work automatically for you and packaging them if you successfully enjoyed a large following. But they faced the same dilemma.

Debian Withholding Intel Security Patches, Linus Torvalds on the XArray Pull Request, Red Hat Transitioning Its Container Registry, Akraino Edge Stack Moves to Execution Phase, openSUSE Tumbleweed Snapshots Released and digiKam 6.0.0 Beta 1 Now Available

News briefs for August 23, 2018.

Debian is withholding security patches for the latest Intel CPU design flaw due to licensing issues. The Register reports that the end-user license file Intel added to the archive "prohibits, among other things, users from using any portion of the software without agreeing to be legally bound by the terms of the license", and Debian is not having it. See also Bruce Perens' blog post on this issue.

Linus Torvalds ranted about the XArray pull request this week on the LKML saying, "For some unfathomable reason, you have based it on the libnvdimm tree. I don't understand at all why you did that. That libnvdimm tree didn't get merged, because it had complete garbage in the mm/ code. And yes, that buggy shit was what you based the radix tree code on. I seriously have no idea why you have based it on some unstable random tree in the first place."

Red Hat is transitioning its customers and product portfolio to a new container registry for Red Hat container images at registry.redhat.io. Red Hat notes that as it makes this transition, "the goal is to have a uniform experience for all of our registries that uses industry standard Open Authorization (OAuth)."

The Linux Foundation announced that its Akraino Edge Stack, "designed to improve the state of edge cloud infrastructure for enterprise edge, OTT edge, and carrier edge networks", is moving from formation to execution. The Akraino Edge Stack seed code will be released to the community this week at the Akraino Edge Stack Developer Summit.

Two openSUSE Tumbleweed snapshots were released this week. Changes include a move to kernel 4.18.0, KVM improvements, Mozilla Firefox 61.0.2 and many more fixes and updates.

digiKam 6.0.0 beta 1 was released recently. The next major version will include "full support of video files management working as photos"; "new tools to export to Pinterest, OneDrive and Box web-services"; "an integration of all import/export web-service tools in LightTable, Image editor and Showfoto"; and many more improvements.