Debian Announces Interns for Outreachy and Summer of Code, Unity Editor for Linux Now Available, DistroWatch Turns 18 Today, Google Announces New Privacy Protections for Chrome Extensions and KStars v3.2.3 Released

News briefs for May 31, 2019.

Debian announces it has chosen seven interns—two people for Outreachy and five people for the Summer of Code. See the post for the list of interns and the projects they'll be working on.

Unity announces its Unity Editor for Linux, after years of offering an experimental Unity Editor for Linux. It's currently available as a preview for Ubuntu and CentOS, and it's expected to be fully supported by Unity 2019.3. You can get the latest builds from the Unity Hub, and feedback is welcome at the Unity for Linux Editor Forum.

DistroWatch is 18 today. It started as "a single page comparing a dozen Linux distributions in a table format, with major features and package versions". Today the database contains "a total of 899 operating systems of which nearly 300 are considered active". Happy Birthday DistroWatch!

Google yesterday announced new privacy protections for Chrome extensions as well as new rules for the Google Drive API and Drive third-party apps. According to ZDNet, "The new rules are part of what Google calls Project Strobe, an initiative to improve the privacy and security of users' data, which the company set in motion after discovering a serious bug in Google+ that exposed the personal details of over 500,000 users. Project Strobe's main mission is to limit the amount of data third-parties can access about Google users via the company's many services, APIs, and tools."

KStars v3.2.3 has been released. This is likely the last release of the v3.2.x series, with development beginning on 3.3.0 now. The release contains a few minor bug fixes and also some convenience fixes that users had requested. Go here to download KDE's KStars.

Hello Again, Linux

Linux on a Laptop

My first MacBook was the first computer I really loved, but I wasn't happy about the idea of buying a new one. I decided it's important to live your values and to support groups that value the things you do.

After ten years of faithful service, last year the time finally came to retire my MacBook. Not many laptops last ten years—not many companies produce a machine as durable and beautiful as Apple does—but, if one was available, I was willing to invest in a machine that might last me through the next ten years. A lot has changed in ten years—for Apple, for Linux and for myself—so I started looking around.

The Situation

Prior to 2006, I had used only Windows. Around that time, there was a lot of anxiety about the upcoming successor to Windows XP, which at the time was code-named Project Longhorn. My colleagues and I all were dreading it. So, rather than go through all that trouble, I switched to Linux.

However, my first experience with Linux was not great. Although 2006 was The Year of the Linux Desktop (I saw headlines on Digg proclaiming it almost every day), I quickly learned, right after wiping my brand-new laptop's hard drive to make way for Fedora, that maybe it wasn't quite The Year of the Linux Laptop. After a desperate and miserable weekend, I finally got my wireless card working, but that initial trauma left me leery. So, about a year later, when I decided to quit my job and try the digital nomad freelance thing, I bought a MacBook. A day spent hunting down driver files or recompiling my kernel was a day not making money. I needed the assurance and convenience Apple was selling. And it proved a great investment.

During the next decade, I dabbled with Linux. Every year seemed to be The Year of the Linux Desktop—the real one, at last—so on my desktop at work (freelancing wasn't fun for long), I installed Ubuntu, then Debian, then FreeBSD. An article in this journal introduced me to tiling window managers in general and DWM in particular. The first time I felt something like disappointment with my MacBook was after using DWM on Debian for the first time.

Through the years, as my MacBook's hardware failures became increasingly inconvenient, and as my personal preference in software shifted from big beautiful graphical applications to small command-line programs, Linux started to look much more appealing. And, Linux's hardware compatibility had expanded—companies had even started selling laptops with Linux already installed—so I felt reasonably sure I wouldn't need to waste another weekend struggling with a broken wireless connection or risk frying my monitor with a misconfigured Xorg.conf.

Dell Announces More Ubuntu-Based Precision Developer Edition Laptops, Mozilla’s Alan Davidson Testifies on Internet Privacy, Canonical Announces the Release of Multipass 0.7.0 Beta, GParted Reaches 1.0 Milestone and New HiddenWasp Malware

News briefs for May 30, 2019.

Dell announces its Precision 5540, Precision 7540 and Precision 7740 developer edition laptops, the next in the line of Dell's Ubuntu-based Precision mobile workstations. From the announcement: "What started 5+ years ago as a blog post explaining how to get Ubuntu up and running on the Precision M3800 soon became a line of mobile workstations. With today's announcement, project Sputnik's Ubuntu-based mobile workstation line is now in its 4th generation. What's next for project Sputnik? Stay tuned..." See the announcement for specs and further details.

Mozilla's Alan Davidson, Vice President of Global Policy, Trust and Security, testified yesterday before the International Grand Committee on Big Data, Privacy and Democracy. Alan's testimony focused "on the need for better product design to protect privacy; getting privacy policy and regulation right; and the complexities of content policy issues. Against the backdrop of tech's numerous missteps over the last year, our mission-driven work is a clear alternative to much of what is wrong with the web today." See the Mozilla blog for more details, or read Alan's statement here.

Canonical yesterday announced the release of Multipass 0.7.0 beta. The announcement notes that "the big part is that we added a preview of VirtualBox support for Windows and macOS!" Highlights include improved concurrency, a new primary instance feature and more, along with several bug fixes. See the announcement for download links and how to provide feedback.

GParted (GNOME Partition Editor) has reached the 1.0 milestone after 15 years of development, now requiring gtkmm3 instead of gtkmm2. Softpedia News reports that this version features "support for the F2FS file system to read disk usage, grow, and check, the ability to enable online resizing of extended partitions, better refreshing of NTFS file systems, and port to Gtkmm 3 (GTK+3) and GNOME 3 yelp-tools." See the release notes for all the details.

Researchers have discovered a new strain of malware targeting Linux machines. According to ZDNet, it "appears to have been created by Chinese hackers and has been used as a means to remotely control infected systems. Named HiddenWasp, this malware is composed of a user-mode rootkit, a trojan, and an initial deployment script." The ZDNet article quotes Nacho Sanmillan, a security researcher at Intezer Labs, "Unfortunately, I don't know what is the initial infection vector. Based on our research, it seems most likely that this malware was used in compromised systems already controlled by the attacker."

KUnit and Assertions

KUnit has been seeing a lot of use and development recently. It's the kernel's new unit test system, introduced late last year by Brendan Higgins. Its goal is to enable maintainers and other developers to test discrete portions of kernel code in a reliable and reproducible way. This is distinct from various forms of testing that rely on the behavior of the system as a whole and, thus, do not necessarily always produce identical results.

Lately, Brendan has submitted patches to make KUnit work conveniently with "assertions". Assertions are like conditionals, but they're used in situations where only one possible condition should be true. It shouldn't be possible for an assertion to be false. And so if it is, the assertion triggers some kind of handler that the developer then uses to help debug the reasons behind the failure.

Unit tests and assertions are to some extent in opposition to each other—a unit test could trigger an assertion when the intention was to exercise the code being tested. Likewise, if a unit test does trigger an assertion, it could mean that the underlying assumptions made by the unit test can't be relied on, and so the test itself may not be valid.

In light of this, Brendan submitted code for KUnit to be able to break out of a given test, if it triggered an assertion. The idea behind this was that the assertion rendered the test invalid, and KUnit should waste no time, but proceed to the next test in the queue.

There was nothing particularly controversial in this plan. The controversial part came when Frank Rowand noticed that Brendan had included a call to BUG(), in the event that the unit test failed to abort when instructed to do so. That particular situation never should happen, so Brendan figured it didn't make much difference whether there was a call to BUG() in there or not.

But Frank said, "You will just annoy Linus if you submit this." He pointed out that the BUG() was a means to produce a kernel panic and hang the entire system. In Linux, this was virtually never an acceptable solution to any problem.

At first, Brendan just shrugged, since as he saw it, KUnit was part of the kernel's testing infrastructure and, thus, never would be used on a production system. It was strictly for developers only. And in that case, he reasoned, what difference would it make to have a BUG() here and there between friends? Not to mention the fact that, as he put it, the condition producing the call to BUG() never should arise.

GNOME 3.33.2 Released, Krita 4.2 Debuts, RPi Camera Modules on RPi Zeros Power the Penguin Watch Project, Intrinsyc Switches Its Home Automation Dev Board from Android Things to Linux and Intel Hosting a Clear Linux OS Meetup Today

News briefs for May 29, 2019.

GNOME 3.33.2 was released yesterday. This marks the second development release of the 3.34 GNOME desktop, which is expected to be available this fall. According to Softpedia News, "GNOME 3.33.2 adds huge performance improvements to GNOME Shell, a new Backgrounds panel in GNOME Control Center, countless enhancements to the Epiphany web browser and GNOME Calculator, rendering improvements for the Mutter window and composite manager with X.Org Server, and much more." See the Changelog for more details.

Krita 4.2 makes its debut. OMG Ubuntu! reports that the new version "features more than 1,000 bug fixes (!) as well as several new features, including support for HDR displays on Windows 10." See the Release Notes for more on all the new features.

Raspberry Pi Camera Modules mounted on Raspberry Pi Zeros provide the images for the Penguin Watch project. The blog post calls the project "citizen science on a big scale", noting that "thousands of people from all over the world come together on the internet on penguins. By counting the birds in their colonies, users help penguinologists measure changes in the birds' behaviour and habitat, and in the larger ecosystem, thus assisting in their conservation."

Intrinsyc has switched its Snapdragon 212-based Open-Q 212 module and 212A Home Hub Development Kit from Android Things to Linux. From Linux Gizmos: "Intrinsyc's Open-Q 212A module and Development Kit, which were announced a year ago along with several other Android Things production boards offered by Google, are being re-released as a Linux development platform for next-gen smart speaker and voice-controlled home hub products. The OpenEmbedded/Yocto Project based Linux stack brings improved support for the audio features on the $595 dev kit, which has been rebranded as the Open-Q 212A Home Hub Development Kit. There's also a new Bluetooth and 802.15.4 wireless add-on on the way."

Intel is hosting a Clear Linux OS meetup today in Santa Clara. The meetup will run from 3pm to 8:30pm and "is to introduce you to the Clear Linux Project and help you learn how to better use the Clear Linux OS in your everyday job. Light refreshments and dinner provided."

Visualizing Science with ParaView


I'd like to introduce one of the more popular tools used for visualizing data within several scientific disciplines: ParaView. ParaView started as a joint project between Kitware, Inc., and Los Alamos National Laboratory back in 2000. The first public release was version 0.6, which came out in 2002. Since then, ParaView has become one of the most popular visualization packages for visualizing large data sets.

Because it's open source, it should be available in most, if not all, package repository systems. For example, in Debian-based distributions, you should be able to install it with the command:

sudo apt-get install paraview

Starting it the first time should give you an empty workspace, ready for you to get to work.

Figure 1. When you first start ParaView, you'll see a new, empty layout to start your visualization.

Two major parts populate the bulk of the window. The right-hand side is the main display pane where the visualization will appear. The left-hand pane shows the list of objects being visualized, along with their properties. At the top, there is a toolbar of the common functions in ParaView.

To play with ParaView, you'll need some data. If you don't have any data of your own to use, you can grab some data provided as part of the ParaView Tutorial. More documentation and sample scripts are also available there.

Let's assume you're going to use the sample data as you learn how to use ParaView. To load the data, click File→Open, and navigate to where you unpacked the sample data.

While you're here, take a quick look at the list of all of the file types ParaView supports. For example, you can load the data stored in the file can.ex2. You won't see anything displayed right away. In the bottom part of the left-hand side pane, you should see the properties for the newly loaded data file. For now, you can just accept the defaults and click the apply button. You then should see the data visualized in the main pane.

Figure 2. The data in the sample file can.ex2 renders as a half cylinder attached to a rectangle on the end.

Clicking and dragging on the image allows you to rotate the view, so you can see the entire object from various angles.

Kernel 5.2-rc2 Is Out, Ubuntu Security Team’s New Podcast, the E Foundation’s Refurbished Phones with /e/ OS Available Soon, Mozilla Announces Firefox 68 Beta 6 Test Day and PostgreSQL 12 Beta Released

News briefs for May 28, 2019.

Kernel 5.2-rc2 was released over the weekend. Linus Torvalds writes: "Hey, what's to say? Fairly normal rc2, no real highlights - I think most of the diff is the SPDX updates. Who am I kidding? The highlight of the week was clearly Finland winning the ice hockey world championships. So once you sober up from the celebration, go test".

The Ubuntu Security Team announces its new Ubuntu Security Podcast. The weekly podcast will cover "the various security updates that have been published across the Ubuntu releases, describing the technical details of both the security vulnerabilities as well as the fixes involved". The podcast is available from iTunes, Spotify, Google Podcasts or RSS.

You can send the E Foundation your phone if you'd like a Google-free Android. FOSS Bytes reports that with the E Foundation's /e/ OS, "the main goal of /e/ is to take away Google's control over the device. It doesn't include any Google apps that you'd normally find on Android phones. Other than UI tweaks and pre-loading all the essential apps like Browser, Contacts, Calendar, Messaging, it even has an App Store of its own. You can also have an /e/ account, and take advantage of its cloud storage service, mail, and search." The E Foundation will soon be selling refurbished devices with the OS here, and according to FOSS Bytes, you will be able to send them your phone, and they will install it for around $50. Or, you can flash your phone yourself and install the beta ROM, which you can download from here. It currently supports 81 devices from Google, Motorola, Huawei, Samsung and more.

Mozilla announces Friday, May 31, 2019, will be a test day for Firefox 68 Beta 6. The test will focus on Activity Stream and Pin Firefox shortcut to taskbar for Windows 10. If you're interested, see this etherpad for instructions. No experience with testing is needed, and you can join Mozilla at #qa on IRC.

PostgreSQL 12 Beta was released last week. This is the first beta release of version 12, and it includes previews of all the new features that will be available in the final version of PostgreSQL 12. The announcement notes that "In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 12 in your database systems to help us eliminate any bugs or other issues that may exist. While we do not advise you to run PostgreSQL 12 Beta 1 in your production environments, we encourage you to find ways to run your typical application workloads against this beta release." See the Beta Testing Page for more information.

Breaking Up Apache Log Files for Analysis

Dave tackles analysis of the ugly Apache web server log.

I know, in my last article I promised I'd jump back into the mail merge program I started building a while back. Since I'm having some hiccups with my web server, however, I'm going to claim editorial privilege and bump that yet again.

What I need to do is be able to process Apache log files and isolate specific problems and glitches that are being encountered—a perfect use for a shell script. In fact, I have a script of this nature that offers basic analytics in my book Wicked Cool Shell Scripts from O'Reilly, but this is a bit more specific.

Oh Those Ugly Log Files

To start, let's take a glance at a few lines out of the latest log file for the site:

$ head sslaccesslog_askdavetaylor.com_3_8_2019
 - - [08/Mar/2019:06:10:09 -0600] "GET /wp-content/
 ↪HTTP/1.1" 200 3074
↪10-win10/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
 ↪AppleWebKit/537.36 (KHTML, like Gecko) Chrome/
 ↪64.0.3282.140 Safari/537.36 Edge/18.17763 X-Middleton/1"
 ↪ - - [08/Mar/2019:06:10:09 -0600] "GET
 ↪/wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1"
 ↪200 33766 "
↪-dvd-free-windows-10-win10/" "Mozilla/5.0 (Windows NT
 ↪10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
 ↪Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
 ↪X-Middleton/1" - - [08/Mar/2019:06:10:09
 ↪-0600] "GET /wp-content/plugins/google-analytics-for-
↪wordpress/assets/js/frontend.min.js?ver=7.4.2 HTTP/1.1"
 ↪200 2544 "
 ↪"Mozilla/5.0 (Windows NT 10.0; Win64; x64)
 ↪AppleWebKit/537.36 (KHTML, like Gecko)
 ↪Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763

It's big and ugly, right? Okay, then let's just isolate a single entry to see how it's structured:

 - - [08/Mar/2019:06:10:09 -0600] "GET
↪nivo.min.js?ver=3.2 HTTP/1.1" 200 3074
↪10-win10/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140
 ↪Safari/537.36 Edge/18.17763 X-Middleton/1"

That's still obfuscated enough to kick off a migraine!

Fortunately, the Apache website has a somewhat clearer explanation of what's known as the custom log file format that's in use on my server. Of course, it's described in a way that only a programmer could love:

Build Your Own Internet Radio Receiver

DIY Internet Radio Receiver

Tune in to communities around the world with the push of a button.

When I get home at night, I like to tune into the world with the push of a button. I've lived in lots of different places—from Dunedin, New Zealand, to Santa Fe, New Mexico—and in each town, I've come to love a radio station (usually a community radio station) that embodies the spirit of the place. With the push of a button, I can get a bit back in sync with each of these places and also visit new communities, thanks to internet radio.

Why build your own internet radio receiver? One option, of course, is simply to use an app for a receiver. However, I've found that the most common apps don't keep their focus on the task at hand, and are increasingly distracted by offering additional social-networking services. And besides, I want to listen now. I don't want to check into my computer or phone, log in yet again, and endure the stress of recalling YAPW (Yet Another PassWord). I've also found that the current offering of internet radio boxes falls short of my expectations. Like I said, I've lived in a lot of places—more than two or four or eight. I want a lot of buttons, so I can tune in to a radio station with just one gesture. Finally, I've noticed that streams are increasingly problematic if I don't go directly to the source. Often, streams chosen through a "middle man" start with an ad or blurb that is tacked on as a preamble. Or sometimes the "middle man" might tie me to a stream of lower audio quality than the best being served up.

So, I turned to building my own internet radio receiver—one with lots of buttons that allow me to "tune in" without being too pushy. In this article, I share my experience. In principle, it should be easy—you just need a Linux distro, a ship to sail her on and an external key pad for a rudder. In practice, it's not too hard, but there are a few obstacles along the course that I hope to help you navigate.

My recipe list included the following:

  1. A used notebook with an ultra low voltage (Core 2 Duo) processor.
  2. An audio interface with an optical TOSLINK.
  3. pyradio: an open-source Python radio program.
  4. An external keypad.

Figure 1. My Hardware Setup

Why a notebook and not a Raspberry Pi or ship of a similar ilk? Mostly due to time—my time in particular. It's not too hard to find a high quality notebook about ten years old for about $50, so the cost is really not that different, and I find the development platform to be much quicker.

Blindered by the GDPR

I usually don't like new tech regulations.

One reason is that technology changes so fast that new regulations tend to protect yesterday from last Thursday.

Another reason is that lawmakers tend to know little or nothing about tech. One former high U.S. government official once told a small group of us, roughly, "There are two things almost nobody in Congress understands. One is technology and the other is economics. So good luck."

Still, I had high hopes for the GDPR (the EU's General Data Protection Regulation), which famously went into effect one year ago. I suggested that we re-brand 25 May "Privmas Day" (hashtag #privmas), since I expected the GDPR would go far toward protecting personal privacy online, which prior to that date had been approximately nil. Back in 2017, I said (onstage, in front of thousands) the GDPR would be "an extinction event for adtech in Europe."

Here in Linux Journal, I put up an FUQ for the GDPR (the U meaning "Unanswered"), meant to provide guidance toward new developments that could give each of us many new forms of agency online, as well as some privacy. Because I really did expect the GDPR to encourage both.

Alas, mostly it hasn't. Worse, most of its early effects have been negative. For example,

ZFS On Linux 0.8 Released, BlackArch Linux 2019.06.01 Now Available, Canonical Releases Updated intel-microcode Firmware, Peppermint 10 Is Out, and Guardian Digital Celebrates 20 Years of Email Security with the Power of Open Source

News briefs for May 24, 2019.

ZFS On Linux 0.8 has been released. This new version supports Linux kernels up through the 5.1 stable series. Phoronix reports that "ZFS On Linux 0.8 adds native encryption support as well as raw encrypted ZFS send/receive support. Other prominent feature additions for this ZFS Linux file-system code include support for device removal, pool checkpoints, TRIM/discard for solid-state drives is finally here, pool initialize support, Python 3 compatibility with its tools, the ability to tap the Linux kernel's direct I/O interfaces, various performance improvements, and much more." See GitHub for more details.

BlackArch Linux 2019.06.01 is now available. This version of the Arch-based distro for penetration testing and security researchers includes more than 150 new tools, updated vim plugins, Linux kernel 5.1.4, updated all system packages and much more. You can download ISOs or OVA images here.

Canonical has released updated intel-microcode firmware in response to new MDS security vulnerabilities discovered on systems running Intel Cherry Trail and Intel Bay Trail processors. According to Softpedia News, "If you are using Ubuntu 19.04 (Disco Dingo), Ubuntu 18.10 (Cosmic Cuttlefish), Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), or Ubuntu 14.04 ESM (Trusty Tahr) on a computer powered by an Intel CPU, you must update the intel-microcode packages to version 3.20190514.0 as soon as possible, as well as to install the latest available Linux kernel package for your Ubuntu version."

Peppermint 10 was released recently. The main changes include kernel 4.18.0-18 (which will eventually roll onto the 5.xx kernel automatically), updated xorg stack, proprietary NVIDIA drivers are now installed automatically, and more. See the full release notes for more information. You can download Peppermint from here.

Guardian Digital, the open-source email security provider, is celebrating "20 years of revolutionizing email security using the power of Open Source". In honor of this anniversary, it is "offering 20% off EnGarde Email Security Gateway to businesses that sign up for a free trial during June 2019." Go here for more information on the Guardian Digital EnGarde Email Security Gateway.

Knot DNS: One Tame and Sane Authoritative DNS Server

How to install and minimally configure Knot to act as your home lab's local domain master and slave servers.

If you were a regular viewer of the original Saturday Night Live era, you will remember the Festrunks, two lewd but naïve Czech brothers who were self-described "wild and crazy guys!" For me, Gyorg and Yortuk (plus having my binomial handed to me by tests designed by a brilliant Czech professor at the local university's high-school mathematics contests) were the extent of my knowledge of the Czech Republic.

I recently discovered something else Czech, and it's not wild and crazy at all, but quite tame and sane, open-source and easy to configure. Knot DNS is an authoritative DNS server written in 2011 by the Czech CZ.NIC organization. They wrote and continue to maintain it to serve their national top-level domain (TLD) as well as to prevent further extension of a worldwide BIND9 software monoculture across all TLDs. Knot provides a separate fast caching server and resolver library alongside its authoritative server.

Authoritative nameserver and caching/recursive nameserver functions are separated for good reason. A nameserver's query result cache can be "poisoned" by queries that forward to malicious external servers, so if you don't allow the authoritative nameserver to answer queries for other domains, it cannot be poisoned and its answers for its own domain can be trusted.

A software monoculture means running identical software like BIND9 everywhere rather than different software providing identical functionality and interoperability. This is bad for the same reasons we eventually will lose our current popular species of banana—being genetically identical, all bananas everywhere can be wiped out by a single infectious agent. As with fruit, a bit of genetic diversity in critical infrastructure is a good thing.

In this article, I describe how to install and minimally configure Knot to act as your home lab's local domain master and slave servers. I will secure zone transfer using Transaction Signatures (TSIG). Although Knot supports DNSSEC, I don't discuss it here, because I like you and want you to finish reading before we both die of old age. I assume you already know what a DNS zone file is and what it looks like.

GitHub Launches New Sponsors Tool, Total War: THREE KINGDOMS Is Out on Linux, IBM Announces Expansion of its IBM Watson Decision Platform for Agriculture, Elisa 0.4.0 Released and NASA Deploys Astrobee Robots Running Ubuntu on the Space Station

News briefs for May 23, 2019.

GitHub launches a new tool called Sponsors that lets you make payments to open-source developers. TechCrunch reports that "Developers will be able to opt into having a 'Sponsor me' button on their GitHub repositories and open source projects will also be able to highlight their funding models, no matter whether that's individual contributions to developers or using Patreon, Tidelift, Ko-fi or Open Collective."

Feral Interactive announces that Total War: THREE KINGDOMS is out on Linux and macOS, the same day as the Windows release. The game was developed by Creative Assembly and is the first in the Total War series to be set in ancient China. It's available now from the Feral Interactive Store for $59.99, and you can watch the trailer here.

IBM announces global expansion of its IBM Watson Decision Platform for Agriculture. From the press release: "For the first time, IBM is providing a global agriculture solution that combines predictive technology with data from The Weather Company, an IBM Business, and IoT data to help give farmers around the world greater insights about planning, plowing, planting, spraying and harvesting."

Elisa 0.4.0 has been released. This version of the KDE community-developed music player has several new features, including improved grid views elements, support for libVLC and more. You can get it via the flathub package or the source code tarball.

NASA has deployed three "Astrobee" robots on the International Space Station to do house-keeping tasks. According to Linux Gizmos, "the bots run Ubuntu/ROS and Android 7.1 on Snapdragon-based Inforce modules and a Wandboard and feature 3x payload bays, 6x cameras, and a touchscreen." The Astrobees are named Honey, Queen and Bumble. Linux Gizmos writes that their chief job "is to let astronauts remotely monitor equipment via the bots' cameras and mic while they're working elsewhere on the ISS. They can also perform inventory and do other housekeeping chores, or act as a general-purpose floating touchscreen computer."

Crazy Compiler Optimizations

Kernel development is always strange. Andrea Parri recently posted a patch to change the order of memory reads during multithreaded operation, such that if one read depended upon the next, the second could not actually occur before the first.

The problem with this was that the bug never could actually occur, and the fix made the kernel's behavior less intuitive for developers. Peter Zijlstra, in particular, voted nay to this patch, saying it was impossible to construct a physical system capable of triggering the bug in question.

And although Andrea agreed with this, he still felt the bug was worth fixing, if only for its theoretical value. Andrea figured, a bug is a bug is a bug, and they should be fixed. But Peter objected to having the kernel do extra work to handle conditions that could never arise. He said, "what I do object to is a model that's weaker than any possible sane hardware."

Will Deacon sided with Peter on this point, saying that the underlying hardware behaved a certain way, and the kernel's current behavior mirrored that way. He remarked, "the majority of developers are writing code with the underlying hardware in mind and so allowing behaviours in the memory model which are counter to how a real machine operates is likely to make things more confusing, rather than simplifying them!"

Still, there were some developers who supported Andrea's patch. Alan Stern, in particular, felt that it made sense to fix bugs when they were found, but that it also made sense to include a comment in the code, explaining the default behavior and the rationale behind the fix, even while acknowledging the bug never could be triggered.

But Andrea wasn't interested in forcing his patch through the outstretched hands of objecting developers. He was happy enough to back down, having made his point.

It was actually Paul McKenney, who had initially favored Andrea's patch and had considered sending it up to Linus Torvalds for inclusion in the kernel, who identified some of the deeper and more disturbing issues surrounding this whole debate. Apparently, it cuts to the core of the way kernel code is actually compiled into machine language. Paul said:

We had some debates about this sort of thing at the C++ Standards Committee meeting last week.

Pointer provenance and concurrent algorithms, though for once not affecting RCU! We might actually be on the road to a fix that preserves the relevant optimizations while still allowing most (if not all) existing concurrent C/C++ code to continue working correctly. (The current thought is that loads and stores involving inline assembly, C/C++ atomics, or volatile get their provenance stripped. There may need to be some other mechanisms for plain C-language loads and stores in some cases as well.)

The Antergos Distro Is Ending, HP Linux Imaging and Printing Software Updated to Version 3.19.5, Kali Linux 2019.2 Is Out, Tails 3.14 Released and openSUSE 15.1 Leap Is Now Available

News briefs for May 22, 2019.

The Antergos Linux distro is calling it quits. The developers of the Arch-based distro say they no longer have time to maintain it properly, and are taking the action now while the code is still working in case other developers want to start their own projects with it. From the Antergos blog: "For existing Antergos users: there is no need to worry about your installed systems as they will continue to receive updates directly from Arch. Soon, we will release an update that will remove the Antergos repos from your system along with any Antergos-specific packages that no longer serve a purpose due to the project ending. Once that is completed, any packages installed from the Antergos repo that are in the AUR will begin to receive updates from there."

HP Linux Imaging and Printing (HPLIP) software has been updated to version 3.19.5 for Linux-based OSes. According to Softpedia News, this new release of the open-source and free print, scan and fax driver solution for HP printers and scanners supports "a plethora of new HP printers" (too many to list here), and it also brings support for several new distros, such as "Ubuntu 19.04 (Disco Dingo), Debian GNU/Linux 9.8, and Fedora 30". See the official HPLIP 3.19.5 Release Notes for more information.

Kali Linux announces its second release of the year, Kali Linux 2019.2. This release "brings our kernel up to version 4.19.28, fixes numerous bugs, includes many updated packages, and most excitingly, features a new release of Kali Linux NetHunter!" You can download it from here.

Tails 3.14 has been released. The release fixes many security issues, so you are urged to update as soon as possible. Some changes include an update to kernel 4.19.37, enabling "all available mitigations for the MDS (Microarchitectural Data Sampling) attacks and disable SMT (simultaneous multithreading) on all vulnerable processors to fix the RIDL, Fallout and ZombieLoad security vulnerabilities" and updating the Tor Browser to 8.5, among others.

openSUSE 15.1 Leap has been released. This release includes a huge number of new features, such as improved YaST functionality, an entirely new graphics stack update and much more. Go here to download the ISO image and see the openSUSE Wiki for more details on all of the new features in 15.1.

Bringing the Benefits of Linux Containers to Operational Technology


Linux container technology was introduced more than a decade ago and has recently jumped in adoption in IT environments. However, the OT (operational technology) environments, typically made up of heterogenous embedded systems, have lagged in the adoption of container technologies, due to both the unique technology requirements and the business models that relied on proprietary systems. In this article, I explore recent innovation in open-source offerings that are enabling the use of containers in OT use cases, such as industrial control systems, IoT gateways, medical devices, Radio Access Network (RAN) products and network appliances.

Enterprise IT leaders have adopted “cloud-native” computing architectures because of the innovation velocity and cost benefits derived by the approach. To leverage containers, developers segment applications into modular micro-services that enable flexible development and deployment models. These micro-services are then deployed as containers where the service itself is integrated with the required libraries and functions. On containerization, these application components have small footprints and fast speeds of deployment. The applications become highly portable across compute architectures due to the abstraction away from the hardware and the operating system.

The benefits of flexibility and the modularity offered by container-based architectures are fully realized when leveraged in conjunction with higher-level orchestration systems that can manage the containers throughout their entire lifecycle. Kubernetes, the leading open-source orchestration system for containers, has gained a lot of traction over the last few years. Initially developed by Google, the Kubernetes project is now maintained by the Cloud Native Computing Foundation (CNCF). CNCF is dedicated to reducing the friction around the adoption of cloud-native technologies and brings to bear a few key cloud-native projects, such as Kubernetes, Prometheus and Envoy. This is an example of an open-source organization that has fostered collaboration among the entire value chain – developers, end-users and vendors. Today’s CNCF membership includes significant technology brands, such as Amazon, Cisco, Google, Microsoft, Oracle, SAP and many others.

Containers and other cloud-native paradigms were initially developed with IT environments in mind. And as these technologies have matured and the capability of the cloud-native technologies increased, the OT decision-makers have taken notice. And as more developers get access to container technology, they are going through a journey of their own, albeit one that is different from the journey of the IT developers over the last decade.

Firefox 67.0 Released, ownCloud Announces New Server Version 10.2, Google Launches "Glass Enterprise Edition 2" Headset, Ubuntu Expands Its Kernel Uploader Team and Kenna Security Reports Almost 20% of Popular Docker Containers Have No Root Password

News briefs for May 21, 2019.

Firefox 67.0 was released today. From the Mozilla blog: "Today's new Firefox release continues to bring fast and private together right at the crossroads of performance and security. It includes improvements that continue to keep Firefox fast while giving you more control and assurance through new features that your personal information is safe while you're online with us." You can download it from here, and see the release notes for details.

ownCloud announces its new server version 10.2, which introduces advanced sharing permissions, a secure view feature and automatic synchronization between federated clouds. From the press release: "the new server version of ownCloud focuses on more freedom and security in file distribution. The "Advanced Sharing Permissions" feature in particular provides developers with far-reaching options for implementing individual release functions at user and group level as well as providing data with special security settings."

Google has launched a "Glass Enterprise Edition 2" headset. According to Linux Gizmos, the new device has a "faster processor, longer battery life, improved camera and wireless features, and a reduced $999 price" compared with the previous Glass Enterprise Edition. It "runs Android Oreo on a faster, quad-core, 1.7GHz Snapdragon XR1 SoC with an 8MP camera, WiFi-ac, BT 5.x, a USB Type-C port, and longer battery life."

Ubuntu has expanded its Kernel Uploader Team. Phoronix reports that it's "a sign of the times with the Linux kernel being affected by an increasing number of CVEs (and particularly high profile ones at that), there are now more Ubuntu developers with upload rights for sending down new kernel upgrades." New to the Kernel Uploaders Team are Tyler Hicks, Juerg Haefliger and Khalid Elmously.

Kenna Security reports that "nearly 20% of the 1000 most popular Docker containers have no root password". Researcher Jerry Gamblin built a script to find null root Docker containers, available on GitHub, that found some well-known names: "govuk/governmentpaas, hashicorp, microsoft, monsanto, and mesosphere. kylemanna/openvpn is the most popular container on the list and it has over 10,000,000 pulls." He also notes that "The findings are interesting, but I don't want to be overly alarmist. Just because a container has no root password does not mean that it is automatically vulnerable. These findings could lead to configuration-based vulnerabilities in certain situations, as was the case with the Alpine Linux vulnerability."

WebAuthn Web Authentication with YubiKey 5


A look at the recently released YubiKey 5 hardware authenticator series and how web authentication with the new WebAuthn API leverages devices like the YubiKey for painless website registration and strong user authentication.

I covered the YubiKey 4 in the May 2016 issue of Linux Journal, and the magazine has published a number of other articles on both YubiKeys and other forms of multi-factor authentication since then. Yubico recently has introduced the YubiKey 5 line of products. In addition to the YubiKey's long-time support of multiple security protocols, the most interesting feature is the product's new support for FIDO2 and WebAuthn.

WebAuthn is an application programming interface (API) for web authentication. It uses cryptographic "authenticators", such as a YubiKey 5 hardware token, to authenticate users, in addition to (or even instead of) a typical user name/password combination. WebAuthn is currently a World Wide Web Consortium (W3C) candidate recommendation, and it's already implemented by major browsers like Chrome and Firefox.

This article provides an overview of the YubiKey 5 series, and then goes into detail about how the WebAuthn API works. I also look at how hardware tokens, such as the YubiKey 5 series, hide the complexity of WebAuthn from users. My goal is to demonstrate how easy it is to use a YubiKey to register and authenticate with a website without having to worry about the underlying WebAuthn API.

About the YubiKey 5 Series

The YubiKey 5 series supports a broad range of two-factor and multi-factor authentication protocols, including:

  • Challenge-response (HMAC-SHA1 and Yubico OTP).
  • Client to Authenticator Protocol (CTAP).
  • FIDO Universal 2nd-Factor authentication (U2F).
  • FIDO2.
  • Open Authorization, HMAC-Based One-Time Password (OATH-HOTP).
  • Open Authorization, Time-Based One-Time Password (OATH-TOTP).
  • OpenPGP.
  • Personal Identity Verification (PIV).
  • Web Authentication (WebAuthn).
  • Yubico One-Time Password (OTP).

In addition, the entire YubiKey 5 series (with the exception of the U2F/FIDO2-only Security Key model) now supports OpenPGP public key cryptography with RSA key sizes up to 4096 bits. This is a notable bump from the key sizes supported by some earlier models. Yubico's OpenPGP support also includes an additional slot for an OpenPGP authentication key for use within an SSH-compatible agent, such as GnuPG's gpg-agent.

Figure 1. YubiKey 5 Series

Kernel 5.2-rc1 Is Out, Xfce 4.14 Pre-Release Now Available, Microsoft Open-Sources Its SPTAG Algorithm, South Korean Government Switching to Linux and Arduino Launches Four New Nano Boards

News briefs for May 20, 2019.

Linux kernel 5.2-rc1 is out. Linus Torvalds writes: "Things look fairly normal. Just about two thirds of the patch is drivers (all over), with the bulk of the rest being arch updates, tooling, documentation and vfs/filesystem updates, of which there were more than usual (the unicode tables for ext4 case insensitivity do end up being a big part of the "bulk" side). But there's core networking, kernel and vm changes too - it's just that the other areas tend to simply be much bulkier."

The first pre-release of Xfce 4.14 is now available. Simon Steinbeiß's blog post covers only the changes in the latest development release, as the Xfce 4.12 release was four years ago. Highlights include a fix for FailSafeSession, improvements to vertical blanking support, a new colord front end and much more.

Microsoft recently released its SPTAG algorithm as MIT-licensed open source on GitHub. Ars Technica reports that this algorithm is part of what gives Bing its smarts, noting that "Developers can use this algorithm to search their own sets of vectors and do so quickly: a single machine can handle 250 million vectors and answer 1,000 queries per second." This release is part of the company's effort to "Democratize AI".

The South Korean government plans to switch to Linux as the end of Windows 7 support nears. According to ZDNet, "the nation's Interior Ministry last week announced plans for a potentially major Linux deployment as part of a plan to cut tech costs and reduce its reliance on a single operating system. It's not known what mix of Windows 7 and Windows 10 the Korean government currently uses, however the plan to adopt Linux more widely comes as organizations around the world prepare for the end of Windows 7 support on January 14, 2020."

The Arduino team announced the launch of four new Nano boards: Arduino Nano Every, "perfect for everyday projects"; Arduino Nano 33 IoT, "small, secure, and Internet-connected"; Arduino Nano 33 BLE, "small, low-power, and Bluetooth-connected"; and Arduino Nano BLE Sense, "small, low-power, and Bluetooth-connected with a wide range of on-board sensors". The boards start at just $9.90 for the Nano Every. Arduino co-founder Massimo Banzi commented that the new Nanos "are for those millions of makers who love using the Arduino IDE for its simplicity and open source aspect, but just want a great value, small and powerful board they can trust for their compact projects".