Planet Kristof

August 30, 2016

Linux Weekly News

Remembering Vernon Adams

Open-source font developer Vernon Adams has passed away in California at the age of 49. In 2014, Adams was injured in an automobile collision, sustaining serious trauma from which he never fully recovered. Perhaps best known within the Linux community as the creator of KDE's user-interface font Oxygen, Adams created a total of 51 font families published through Google Fonts, all under open licenses. He was also active in a number of related free-software projects, including FontForge, Metapolator, and the Open Font Library. In 2012, he co-authored the user's guide for FontForge as part of Google's Summer of Code Documentation Camp, which we reported on at that time.

Speaking personally, Vernon was always quick to offer encouragement and assistance to newcomers—regardless of their experience with type design, FontForge, or free software in general. There were also few people who put as much energy into improving the usability of free-software design tools as he did. In addition, he was a constant advocate for free-software principles in the world of fonts—not just on development lists and at libre graphics conferences, but on type forums as well, where "open source" did not automatically garner a warm reception. The tagline on his web site was "fonts for everyone," and he meant it. He'll be missed.

by n8willis at August 30, 2016 12:06 AM

August 29, 2016

Linux Weekly News

Security advisories for Monday

Arch Linux has updated wireshark-cli (multiple vulnerabilities).

Debian has updated mupdf (two denial of service flaws).

Debian-LTS has updated eog (out-of-bounds write), quagga (two vulnerabilities), ruby-actionpack-3.2 (multiple vulnerabilities), and ruby-activesupport-3.2 (denial of service).

Fedora has updated lcms2 (F24: heap memory leak), uClibc (F24: code execution), and webkitgtk4 (F24: multiple vulnerabilities).

openSUSE has updated Firefox (13.1: buffer overflow), firefox, nss (Leap42.1, 13.2: buffer overflow), phpMyAdmin (Leap42.1, 13.2; 13.1: multiple vulnerabilities), and typo3-cms-4_5 (Leap42.1, 13.2: three vulnerabilities).

Oracle has updated java-1.6.0-openjdk (OL7; OL6; OL5: multiple vulnerabilities) and kernel 4.1.12 (OL7; OL6: multiple vulnerabilities).

by ris at August 29, 2016 04:20 PM

Böck: Multiple vulnerabilities in RPM – and a rant

Hanno Böck performed some fuzz testing on the dpkg and RPM package managers and reported the results; it seems that one of the projects has been rather more responsive than the other in fixing these issues. "The development process of RPM seems to be totally chaotic, it's neither clear where one reports bugs nor where one gets the latest code and security bugs don't get fixed within a reasonable time. There's been some recent events that make me feel especially worried about this..." It seems that some of the maintenance issues with RPM may not have improved greatly since they were reported here ten years ago.

by corbet at August 29, 2016 12:29 PM

Kernel prepatch 4.8-rc4

The 4.8-rc4 kernel prepatch is out. "Everything looks normal, and it's been a bit quieter than rc3 too, so hopefully we're well into the "it's calming down" phase. Although with the usual timing-related fluctuation (different maintainers stagger their pulls differently), it's hard to tell a trend yet."

by corbet at August 29, 2016 09:32 AM

August 27, 2016

Linux Weekly News

[$] Trying out openSUSE Tumbleweed

While distribution-hopping is common among newcomers to Linux, longtime users tend to settle into a distribution they like and stay put thereafter. In the end, Linux distributions are more alike than different, and one's time is better spent getting real work done rather than looking for a shinier version of the operating system. Your editor, however, somehow never got that memo; that's what comes from ignoring Twitter, perhaps. So there is a new distribution on the main desktop machine; this time around it's openSUSE Tumbleweed.

by corbet at August 27, 2016 05:22 AM

August 26, 2016

Linux Weekly News

Nextcloud 10 released

Nextcloud 10 has been released with new features for system administrators to control and direct the flow of data between users on a Nextcloud server. "Rule based file tagging and responding to these tags as well as other triggers like physical location, user group, file properties and request type enables administrators to specifically deny access to, convert, delete or retain data following business or legal requirements. Monitoring, security, performance and usability improvements complement this release, enabling larger and more efficient Nextcloud installations."

by ris at August 26, 2016 07:20 PM

The long-awaited Maru OS source release

The Maru OS handset distribution that includes an Ubuntu desktop (reviewed here in April) is finally available in source form. "If you're interested in contributing in general, please check out the project's GitHub (https://github.com/maruos/maruos), get up and running with the developer guide (https://github.com/maruos/maruos/wiki/Developer-Guide), and join the developer group (https://groups.google.com/forum/#!forum/maru-os-dev)".

by corbet at August 26, 2016 05:52 PM

Security advisories for Friday

Arch Linux has updated mediawiki (multiple vulnerabilities).

CentOS has updated java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities).

Debian has updated flex (code execution), imagemagick (multiple vulnerabilities), quagga (two vulnerabilities), and rails (cross-site scripting).

Fedora has updated gnupg (F24: flawed random number generation), openvpn (F24: information disclosure), and rubygem-actionview (F24; F23: cross-site scripting).

Red Hat has updated java-1.6.0-openjdk (RHEL5,6,7: multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-openjdk (SL5,6,7: multiple vulnerabilities).

by ris at August 26, 2016 04:51 PM

HighScalability

Stuff The Internet Says On Scalability For August 26th, 2016

Hey, it's HighScalability time:

The Pixar render farm in 1995 is half of an iPhone (@BenedictEvans)

If you like this sort of Stuff then please support me on Patreon.
  • 33.0%: of all retail goods sold online in the US are sold on Amazon;  110.9 million: monthly Amazon unique visitors; 21 cents: cost of 30K batch derived page views on Lambda; 4th: grade level of Buzzfeed articles; $1 trillion: home value threatened by rising sea levels; $1.2B: Uber lost $1.2B on $2.1B in revenue in H1 2016; 1.58 trillion: miles Americans drove through June; 

  • Quotable Quotes:
    • @bendystraw: My best technical skill isn't coding, it's a willingness to ask questions, in front of everyone, about what I don't understand
    • @vmg: "ls is the IDE of producing lists of filenames"
    • @nicklockwood: The hardest problem in computer science is fighting the urge to solve a different, more interesting problem than the one at hand.
    • @RexRizzo: Wired: "Machine learning will TAKE OVER THE WORLD!" Amazon: "We see you bought a wallet. Would you like to buy ANOTHER WALLET?"
    • @viktorklang: "The very existence of Ethernet flow control may come as a shock" - http://jeffq.com/blog/the-ethernet-pause-frame/ 
    • @JoeEmison: 4/ (c) if you need stuff on prem, keep it on prem. No need to make your life harder by hooking it up to some bullshit that doesn't work well
    • @grayj_: Also people envision more than you think. Wright Brothers to cargo flights: 7 yrs. Steam engine to car: 7 yrs.
    • David Wentzlaff: With Piton, we really sat down and rethought computer architecture in order to build a chip specifically for data centres and the cloud
    • @thenewstack: In 2015, there was 1 talk about #microservices at OSCON; in 2016, there were 30: @dberkholz #CloudNativeDay
    • The Memory Guy: Now for the bad news: This new technology [3D XPoint] will not be a factor in the market if Intel and Micron can’t make it, and last week’s IDF certainly gave little reason for optimism.
    • @Carnage4Life: $19 billion just to link WhatsApp graph with Facebook's is mundane. Expect deeper, more insidious connections coming
    • Seth Lloyd~ The universe is a quantum computer. Biological life is all about extracting meaningful information from a sea of bits.
    • Facebook: To automate such design changes, the team introduced new models to FBNet in which IPs and circuits were allocated using design tools based on predefined rules, and relevant config snippets were generated for deployment.
    • Robert Graham: Despite the fact that everybody and their mother is buying iPhone 0days to hack phones, it's still the most secure phone. Androids are open to any old hacker -- iPhone are open only to nation state hackers.
    • oppositelock: I'm a former Google engineer working at another company now, and we use http/json rpc here. This RPC is the single highest consumer of cpu in our clusters, and our scale isn't all that large. I'm moving over to gRPC asap, for performance reasons.
    • Gary Sims: The purposes and goals of Fuchsia are still a mystery, however it is a serious undertaking. Dart is certainly key, as is Flutter.
    • @mjpt777: "We haven't made all that much progress on parallel computing in all those years." - Barbara Liskov
    • @AnupGhosh_: Just another sleepy August: 1. NSA crown jewels hacked. 2. Apple triple 0-day weaponized. 3. Short selling vulnerabilities for fun & profit.
    • @JoeEmison: Hypothesis: enterprises adopted CloudFoundry because at least it gets up and running (cf OpenStack), but now finding it so inferior to AWS.
    • Robert Metcalfe: I predict the Internet will soon go spectacularly supernova and in 1996 catastrophically collapse.
    • Alan Cooper~ Form follows function to Hell. If you are building something out of bits what does form follows function mean? Function follows the user. If you are focussing on functions you are missing the point. 
    • @etherealmind: I've _never_ seen a successful outsourcing arrangement. And I've worked on both sides in more than 10 companies.
    • @musalbas: Schools need to stop spending years teaching kids garbage Microsoft PowerPoint skills and teach them Unix sysadmin skills.
    • Dan Woods: With data lakes there’s no inherent way to prioritize what data is going into the supply chain and how it will eventually be used. The result is like a museum with a huge collection of art, but no curator with the eye to tell what is worth displaying and what’s not.
    • Jay Kreps: Unlike scalability, multi-tenancy is something of a latent variable in the success of systems. You see hundreds of blog posts on benchmarking infrastructure systems—showing millions of requests per second on vast clusters—but far fewer about the work of scaling a system to hundreds or thousands of engineers and use cases. It’s just a lot harder to quantify multi-tenancy than it is to quantify scalability.
    • Jay Kreps: the advantage of Kafka is not just that it can handle that large application but that you can continue to deploy more and more apps to the same cluster as your adoption grows, without needing a siloed cluster for each use. 
    • @vambenepe: My secret superpower is using “reply” in situations where most others would use “reply all”.
    • @tvanfosson: Developer progression: instead of junior to senior 1. Simple and wrong 2. Complicated and wrong 3. Complicated and right 4. Simple and right
    • Maria Konnikova: The real confidence game feeds on the desire for magic, exploiting our endless taste for an existence that is more extraordinary and somehow more meaningful.
    • gpderetta: Apple A9 is a quite sophisticated CPU, there is no reason to believe it is not using a state of the art predictor. The Samsung CPU might not have any advantage at all in this area.
    • Chetan Sharma: For 4G, we went from 0% to 25% penetration in 60 months, 25-50% in 21 months, 50-75% in 24 months and by the end of 2020, we will have 95%+ penetration. By 2020, US is likely to be 4 years ahead of Europe and 3 years ahead of China in LTE penetration. In fact, the industry vastly underestimated the growth of 4G in the US market. Will 5G growth curves be any different?

  • You know what's cool? A rubberband powered refrigerator. Or trillions of dollars...in space mining. Space Mining Company Plans to Launch Asteroid-Surveying Spacecraft by 2020. Billionaires get your rockets ready. It's a start: Weighing about 110 pounds, Prospector-1 will be powered by water, expelling superheated vapor to generate thrust. Since water will be the first resource mined from asteroids, this water propulsion system will allow future spacecraft–the ones that do the actual mining–to refuel on the go.

  • False positives in the new fully automated, algorithm-driven world are red in tooth and claw. We may need a law. You know that feeling when you use your credit card and are told it is no longer valid? You are cut off. Some algorithm has decided to isolate you from the world. At least you can call a credit card company. Have you ever tried to call a cloud company? Fred Trotter tells a scary story of not being able to face his accuser in Google Intrusion Detection Problem: So today our Google Cloud Account was suspended...Google threatened to shut our cloud account down in 3 days unless we did something…but made it impossible to complete that action...Google Cloud services shutdown the entire project...It is not safe to use any part of Google Cloud Services because their threat detection system has a fully automated allergic reaction to anything that has not seen before, and it is capable of taking down all of your cloud services, without limitation.

  • In the "every car should come with a buggy whip" department we have The Absurd Fight Over Fund Documents You Probably Don't Read. $200 million would be saved if investors got their mutual fund reports online instead of on paper. You guessed it, there's a paper lobby against it. 

Don't miss all that the Internet has to say on Scalability, click below and become eventually consistent with all scalability knowledge (which means this post has many more items to read so please keep on reading)...

by Todd Hoff at August 26, 2016 03:56 PM

Linux Weekly News

OpenSSL 1.1.0 released

Version 1.1.0 of the OpenSSL TLS library is available. A list of changes can be found on this page; they include a new threading API, a number of new algorithms and the removal of a number of older ones, pipelining (parallel processing) support, extended master secret support, and more.

by corbet at August 26, 2016 12:24 PM