Planet Kristof

October 20, 2016


Gone Fishin'

Well, not exactly Fishin', but I'll be on a month-long vacation starting today. I won't be posting (much) new content, so we'll all have a break. Disappointing, I know. Please use this time for quiet contemplation and other inappropriate activities. See you on down the road...

by Todd Hoff at October 20, 2016 03:07 AM

Linux Weekly News

[$] Weekly Edition for October 20, 2016

The Weekly Edition for October 20, 2016 is available.

by corbet at October 20, 2016 12:02 AM

October 19, 2016

Linux Weekly News

Security advisories for Wednesday

Debian has updated quagga (stack overrun) and tor (denial of service).

Debian-LTS has updated dwarfutils (multiple vulnerabilities), guile-2.0 (two vulnerabilities), libass (two vulnerabilities), libgd2 (two vulnerabilities), libxv (insufficient validation), and tor (denial of service).

Fedora has updated epiphany (F24: unspecified), ghostscript (F24; F23: multiple vulnerabilities), glibc-arm-linux-gnu (F24: denial of service), guile (F24: two vulnerabilities), libgit2 (F24: two vulnerabilities), openssh (F23: null pointer dereference), qemu (F24: multiple vulnerabilities), and webkitgtk4 (F24: unspecified).

Mageia has updated asterisk (denial of service), flash-player-plugin (multiple vulnerabilities), kernel (multiple vulnerabilities), and mailman (password disclosure).

Red Hat has updated java-1.8.0-openjdk (RHEL6, 7: multiple vulnerabilities), kernel (RHEL6.7: use-after-free), and mariadb-galera (RHOSP8: SQL injection/privilege escalation).

by ris at October 19, 2016 04:52 PM

Live kernel patches for Ubuntu

Canonical has announced the availability of a live kernel patch service for the 16.04 LTS release. "It’s the best way to ensure that machines are safe at the kernel level, while guaranteeing uptime, especially for container hosts where a single machine may be running thousands of different workloads." Up to three systems can be patched for free; the service requires a fee thereafter. There is a long FAQ about the service in this blog post; it appears to be based on the mainline live-patching functionality with some Canonical add-ons.

by corbet at October 19, 2016 02:33 PM

October 18, 2016

Linux Weekly News

Kügler: Plasma’s road ahead

Sebastian Kügler reports on KDE's Plasma team meeting. "We took this opportunity to also look and plan ahead a bit further into the future. In what areas are we lacking, where do we want or need to improve? Where do we want to take Plasma in the next two years?" Specific topics include release schedule changes, UI and theming improvements, feature backlog, Wayland, mobile, and more. (Thanks to Paul Wise)

by ris at October 18, 2016 07:36 PM

Tuesday's security updates

Debian-LTS has updated libarchive (three vulnerabilities), libxrandr (insufficient validation), libxrender (insufficient validation), and quagga (stack overrun).

openSUSE has updated ffmpeg (Leap42.1; SPH for SLE12: multiple vulnerabilities) and kcoreaddons (Leap42.1, 13.2; SPH for SLE12: HTML injection).

Red Hat has updated atomic-openshift (RHOSCP: authentication bypass), kernel (RHEL6.5: privilege escalation), and openssl (RHEL6.7: multiple vulnerabilities).

by ris at October 18, 2016 04:22 PM

[$] Graphics world domination may be closer than it appears

The mainline kernel has support for a wide range of hardware. One place where support has traditionally been lacking, though, is graphics adapters. As a result, a great many people are still using proprietary, out-of-tree GPU drivers. Daniel Vetter went before the crowd at Kernel Recipes 2016 to say that the situation is not as bad as some think; indeed, he said, in this area as well as others, world domination is proceeding according to plan.

by corbet at October 18, 2016 02:25 PM

October 17, 2016

Linux Weekly News

Secure Your Containers with this One Weird Trick (RHEL Blog)

Over on the Red Hat Enterprise Linux Blog, Dan Walsh writes about using Linux capabilities to help secure Docker containers. "Let’s look at the default list of capabilities available to privileged processes in a docker container: chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap. In the OCI/runc spec they are even more drastic only retaining, audit_write, kill, and net_bind_service and users can use ocitools to add additional capabilities. As you can imagine, I like the approach of adding capabilities you need rather than having to remember to remove capabilities you don’t." He then goes through the capabilities listed describing what they govern and when they might need to be turned on for a container application.

by jake at October 17, 2016 05:55 PM
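The summary above quotes two capability sets: Docker's default list and the much shorter OCI/runc set. A practical way to act on the "add what you need" advice is to check what a container process actually ended up with. The following is an added example (my code, not from the RHEL blog post or the Docker/runc projects): it decodes the hexadecimal `CapEff` mask that the kernel exposes in `/proc/<pid>/status`, names the capabilities it contains using the bit positions from `linux/capability.h`, and reports anything outside an allowlist. The `/proc` status text below is constructed sample input; its `CapEff` value is the mask that corresponds to the Docker default list quoted in the post.

```python
"""Decode a CapEff mask from /proc/<pid>/status and diff it against an allowlist."""
import re

# Bit positions from linux/capability.h: bit n is set when CAP_<NAME> == n.
CAP_BITS = {
    "chown": 0, "dac_override": 1, "dac_read_search": 2, "fowner": 3, "fsetid": 4,
    "kill": 5, "setgid": 6, "setuid": 7, "setpcap": 8, "linux_immutable": 9,
    "net_bind_service": 10, "net_broadcast": 11, "net_admin": 12, "net_raw": 13,
    "ipc_lock": 14, "ipc_owner": 15, "sys_module": 16, "sys_rawio": 17,
    "sys_chroot": 18, "sys_ptrace": 19, "sys_pacct": 20, "sys_admin": 21,
    "sys_boot": 22, "sys_nice": 23, "sys_resource": 24, "sys_time": 25,
    "sys_tty_config": 26, "mknod": 27, "lease": 28, "audit_write": 29,
    "audit_control": 30, "setfcap": 31, "mac_override": 32, "mac_admin": 33,
    "syslog": 34, "wake_alarm": 35, "block_suspend": 36, "audit_read": 37,
}
BIT_CAPS = {bit: name for name, bit in CAP_BITS.items()}

# The two sets quoted in the blog post.
DOCKER_DEFAULT = {
    "chown", "dac_override", "fowner", "fsetid", "kill", "setgid", "setuid",
    "setpcap", "net_bind_service", "net_raw", "sys_chroot", "mknod",
    "audit_write", "setfcap",
}
OCI_MINIMAL = {"audit_write", "kill", "net_bind_service"}


def parse_capeff(status_text):
    """Return the CapEff mask (int) from the text of /proc/<pid>/status."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not match:
        raise ValueError("no CapEff line found")
    return int(match.group(1), 16)


def mask_to_caps(mask):
    """Name every set bit; unknown bits (newer kernels) are reported as cap_<n>."""
    return {
        BIT_CAPS.get(bit, f"cap_{bit}")
        for bit in range(mask.bit_length())
        if (mask >> bit) & 1
    }


def caps_to_mask(caps):
    """Inverse of mask_to_caps for the names in CAP_BITS."""
    mask = 0
    for name in caps:
        mask |= 1 << CAP_BITS[name]
    return mask


def excess_caps(mask, allowed):
    """Capabilities present in the mask that the allowlist does not grant."""
    return mask_to_caps(mask) - set(allowed)


# Constructed sample: the capability lines of /proc/<pid>/status for a process
# running with Docker's default capability set (mask 0x00000000a80425fb).
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)


def report(status_text, allowed):
    """Human-readable diff of a process's effective caps against an allowlist."""
    mask = parse_capeff(status_text)
    extra = sorted(excess_caps(mask, allowed))
    lines = [f"CapEff = 0x{mask:016x} -> {sorted(mask_to_caps(mask))}"]
    lines.append("no capabilities beyond the allowlist" if not extra
                 else f"beyond the allowlist: {extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Compare the constructed sample against the OCI/runc minimal set.
    print(report(SAMPLE_STATUS, OCI_MINIMAL))
    # On Linux, the same check can be run against the current process.
    try:
        with open("/proc/self/status") as fh:
            print(report(fh.read(), DOCKER_DEFAULT))
    except OSError:
        pass
```

Run inside a container (or against `/proc/<pid>/status` of a containerised process from the host) with the allowlist set to whatever the workload was designed for; anything the script lists as "beyond the allowlist" is a capability that should have been dropped rather than left in by default.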


Datanet: a New CRDT Database that Lets You Do Bad Bad Things to Distributed Data


We've had databases targeting consistency. These are your typical RDBMSs. We've had databases targeting availability. These are your typical NoSQL databases.

If you're using your CAP decoder ring you know what's next...what databases do we have that target making concurrency a first class feature? That promise to thrive and continue to function when network partitions occur?

Not many, but we have a brand new concurrency-oriented database: Datanet, a P2P replication system that uses CRDT algorithms to allow multiple concurrent actors to modify data and then automatically and sensibly resolve modification conflicts.

Datanet is the creation of Russell Sullivan. Russell spent over three years hidden away in his mad scientist lair researching, thinking, coding, refining, and testing Datanet. You may remember Russell. He has been involved with several articles on HighScalability and he wrote AlchemyDB, a NoSQL database, which was acquired by Aerospike.

So Russell has a feel for what's next. When he built AlchemyDB he was way ahead of the pack and now he thinks practical, programmer friendly CRDTs are what's next. Why?

Concurrency and data locality. To quote Russell:

Datanet lets you ship data to the spot where the action is happening. When the action happens it is processed locally, your system's reactivity is insanely quick. This is pretty much the opposite of the non-concurrent case where you need to go to a specific machine in the cloud to modify a piece of data regardless of where the action takes place. As your system grows, the concurrent approach is superior.

We have been slowly moving away from transactions towards NoSQL for reasons of scalability, availability, robustness, etc. Datanet continues this evolution by taking the next step and moving towards extreme distribution: supporting tons of concurrent writers.

The shift is to more distribution in computation. We went from one app-server & one DB to app-server-clusters and clustered-DBs, to geographically distributed data-centers, and now we are going much further with Datanet: data is distributed anywhere you need it, to a local cache that functions as a database master.

How does Datanet work?

In Datanet, the same piece of data can simultaneously exist as a write-able entity in many many places in the stack. Datanet is a different way of looking at data: Datanet more closely resembles an internet routing protocol than a traditional client-server database ... and this mirrors the current realities that data is much more in flight than it used to be.

What bad bad things can you do to your distributed data? Here's an amazing video of how Datanet recovers quickly, predictably, and automatically from Chaos Monkey level extinction events. It's pretty slick. 


Here's an email interview I did with Russell. He goes into a lot more detail about Datanet and what it's all about. I think you will find it interesting. 

Let's start with your name and a little of your background?

by Todd Hoff at October 17, 2016 04:44 PM

Linux Weekly News

Security advisories for Monday

Arch Linux has updated guile (two vulnerabilities).

Debian has updated libgd2 (denial of service).

Debian-LTS has updated icedove (multiple vulnerabilities), libarchive (file overwrite), libdbd-mysql-perl (denial of service), and mpg123 (denial of service).

Fedora has updated chromium (F24: multiple vulnerabilities).

Gentoo has updated oracle-jdk-bin (multiple vulnerabilities).

openSUSE has updated thunderbird (13.1: multiple vulnerabilities) and tiff (13.1: denial of service).

Oracle has updated openssl (OL5: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities).

by ris at October 17, 2016 03:40 PM

October 16, 2016

Linux Weekly News

A set of stable kernels

The 4.8.2, 4.7.8, and 4.4.25 stable kernels have been released. Each contains the usual set of important fixes.

by corbet at October 16, 2016 06:35 PM