Domain: gmane.org
Stories and comments across the archive that link to gmane.org.
Stories · 38
-
GNU Emacs Now Has Native Support For GTK Widgets (phoronix.com)
An anonymous reader writes: The GNU Emacs text editor now has merged the X Widgets branch. What this work allows is for embedding GTK+ user interface widgets within Emacs for features like landing MPlayer or a full web browser in Emacs. This allows now for more endless opportunities for the 40 year old GNU text editor. The X/GTK widgets support will come with GNU Emacs 25.1. -
Mutt 1.5.24 Released
kthreadd writes: Version 1.5.24 of the Mutt email client has been released. New features in this release include, among other things, terminal status-line (TS) support, a new color object 'prompt', the ability to encrypt postponed messages and opportunistic encryption which automatically enables/disables encryption based on message recipients. SSLv3 is now also disabled by default. -
Ubuntu 15.04 Released, First Version To Feature systemd
jones_supa writes: The final release of Ubuntu 15.04 is now available. A modest set of improvements are rolling out with this spring's Ubuntu. While this means the OS can't rival the heavy changelogs of releases past, the adage "don't fix what isn't broken" is clearly one 15.04 plays to. The headline change is systemd being featured for the first time in a stable Ubuntu release, which replaces the in-house UpStart init system. The Unity desktop version 7.3 receives a handful of small refinements, most of which aim to either fix bugs or correct earlier missteps (for example, application menus can now be set to be always visible). The Linux version is 3.19.3 further patched by Canonical. As usual, the distro comes with fresh versions of various familiar applications. -
Was Linus Torvalds Right About C++ Being So Wrong?
Nerval's Lobster writes: Perhaps the most famous rant against C++ came from none other than Linus Torvalds in 2007. "C++ is a horrible language," he wrote, for starters. "It's made more horrible by the fact that a lot of substandard programmers use it, to the point where it's much much easier to generate total and utter crap with it." He's not alone: A lot of developers dislike how much C++ can do "behind the scenes" with STL and Boost, leading to potential instability and inefficiency. And yet there's still demand for C++ out there. Over at Dice, Jeff Cogswell argues that C++ doesn't deserve the hatred. "I've witnessed a lot of 'over-engineering' in my life, wherein people would write reusable classes with several layers of inheritance, even though the reusable class wasn't actually used more than once," he wrote. "But I would argue that's the exception, not the norm; when done right, generic programming and other high-level aspects of C++ can provide enormous benefits." Was Linus going overboard? -
OpenSSH No Longer Has To Depend On OpenSSL
ConstantineM writes: "What has been planned for a long time now, prior to the infamous heartbleed fiasco of OpenSSL (which does not affect SSH at all), is now officially a reality — with the help of some recently adopted crypto from DJ Bernstein, OpenSSH now finally has a compile-time option to no longer depend on OpenSSL. `make OPENSSL=no` has now been introduced for a reduced configuration OpenSSH to be built without OpenSSL, which would leave you with no legacy SSH-1 baggage at all, and on the SSH-2 front with only AES-CTR and chacha20+poly1305 ciphers, ECDH/curve25519 key exchange and Ed25519 public keys." -
Theo De Raadt's Small Rant On OpenSSL
New submitter raides (881987) writes "Theo De Raadt has been on a better roll as of late. Since his rant about FreeBSD playing catch up, he has something to say about OpenSSL. It is worth the 5 second read because it is how a few thousand of us feel about the whole thing and the stupidity that caused this panic." Update: 04/10 15:20 GMT by U L : Reader badger.foo pointed out Ted Unangst (the Ted in the mailing list post) wrote two posts on the issue: "heartbleed vs malloc.conf" and "analysis of openssl freelist reuse" for those seeking more detail. -
Full-Disclosure Security List Suspended Indefinitely
An anonymous reader writes with news that John Cartwright has been forced to shut down the full disclosure list. The list was created in 2002 in response to the perception that Bugtraq was too heavily moderated, allowing security issues to remain unpublished and unpatched for too long. Quoting: "When Len and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise. However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.
I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself. However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.
I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.
I'm suspending service indefinitely. Thanks for playing." The archives are still up on seclists.org, gmane, and Mail Archive. For now at least. -
BSD Real-Time Operating System NuttX Makes Its 100th Release: NuttX 6.33
paugq writes "NuttX is a real-time operating system (RTOS) with an emphasis on standards compliance and small footprint. Scalable from 8-bit to 32-bit microcontroller environments, the primary governing standards in NuttX are POSIX and ANSI standards. Additional standard APIs from Unix and other common RTOS's (such as VxWorks) are adopted for functionality not available under these standards, or for functionality that is not appropriate for deeply-embedded environments. NuttX was first released in 2007 by Gregory Nutt under the permissive BSD license, and today the 100th release was made: NuttX 6.33. Supported platforms include ARM, Atmel AVR, x86, Z80 and others." -
Oracle Quietly Switches BerkeleyDB To AGPL
WebMink writes "A discussion in the Debian community reveals that last month Oracle quietly disclosed a change for the embedded BerkeleyDB database from the quirky Sleepycat License to the Affero General Public License (AGPL) in future versions. AGPL is only compatible with GPLv3 and treats web deployment as a trigger to license compliance, so developers using BerkeleyDB will need to check their code is still legally licensed. Even if they had made the switch in the interests of advancing software freedom it would be questionable to force so many developers into a new license compatibility crisis. But it seems likely their only motivation is to scare more people into buying proprietary licenses. Oracle are well within their rights, but developers are likely to treat this as a betrayal. As a poster in the Debian thread says, "Oracle move just sent the Berkeley DB to oblivion" because there are some great alternatives, like OpenLDAP's LMDB." -
GTK+ 3.8 Released With Support For Wayland
kthreadd writes "Version 3.8 of the GTK+ GUI framework has been released. A new feature in GTK+ 3.8 is support for Wayland 1.0, the display server that will replace X on free desktops. Among the other new features are improved support for theming, fixes to geometry management and improved accessibility. There is also better support for touch, as part of an ongoing effort in making GTK+ touch-aware." -
Evil, Almost Full Vim Implementation In Emacs, Reaches 1.0
New submitter karijes writes "Evil is a new Emacs major mode intended to implement full Vim emulation for the Emacs editor, and it's reached its first stable release. Evil implements many Vim features and has support for plugins, so there are ports for rails.vim, NERDCommenter and mapleader among others. You can find details about this release on the mailing list." -
Linux: Booting Via UEFI Can Brick Samsung Notebooks
wehe writes "Heise News reports today some Samsung notebooks can be turned into a brick if booted just one time via UEFI into Linux. Even the firmware does not boot anymore. Some reports in the Ubuntu bug tracker system report that such notebooks can not be recovered without replacing the main board. Other Linux distributions may be affected as well. Kernel developers are discussing a change in the Samsung-laptop driver." It appears even Samsung is having trouble tracking down the problem (from the article): "According to Canonical's Steve Langasek, Samsung developers have been attempting to develop a firmware update to prevent the problem for several weeks. Langasek is advising users to start Ubuntu installation on Samsung notebooks from an up-to-date daily image, in which the Ubuntu development team has taken precautions to prevent the problem from arising. It is, however, not completely clear that these measures are sufficient." -
GNU Grep and Sed Maintainer Quits: RMS and FSF Harming GNU Project
In a scathing rant posted to a GNU project mailing list, the maintainer of grep and sed announced that he was quitting the GNU project over technical and administrative disagreements. Chief among them: He believes RMS is detrimental to the project by slowing down technical innovation (the example used was RMS's distaste for C++, not exactly a strong point against RMS). Additionally, he noted that the FSF is not doing enough to help GNU: "Projects such as gnash are bound to have constant funding problems despite being (and having been for years) in the FSF's list of high priority projects." Finally: "Attaching the GNU label to one's program has absolutely no attractiveness anymore. People expect GNU to be as slow as an elephant, rather than as slick as a gazelle, and perhaps they are right. Projects such as LLVM achieve a great momentum by building on the slowness of GNU's decision processes, and companies such as Apple get praise even if they are only embracing these projects to avoid problems with GPLv3." The author is quick to note that he has no philosophical disagreements with GNU or the FSF. -
Gentoo Developers Fork udev
In October, Linus Torvalds expressed concerns that udev was making "...changes that were known to be problematic, and are pure and utter stupidity." Several Gentoo developers were also concerned about the removal of features and uncooperative nature of udev maintained by the systemd developers, so they've announced a fork: "After speaking with several other Gentoo developers that share Linus' concerns, I have decided to form a team to fork udev. Our plan is to eliminate the separate /usr requirement from our fork, among other things. We will announce the project later this week." The project name (for now) is udev-ng, and you can grab the code from Github. Update: 11/16 21:29 GMT by U L : One of the developers commented that this isn't yet an official Gentoo project (but hopefully it will be!). There's also an informative flamewar about the fork on debian-devel. -
Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole
An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to Nvidia months ago and it was never fixed. Now the exploit was made public." The one releasing the exploit (relayed to him anonymously) is David Airlie, well known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month. -
Glibc Steering Committee Dissolves; Switches To Co-Operative Development Model
First time accepted submitter bheading writes "Following years under controversial leadership which, among other things, led to a fork (which was in turn adopted by some of the major distributions) the glibc development process has been reinvented to follow a slightly more informal, community-based model. Here's hoping glibc benefits from a welcome dose of pragmatism." -
GNOME 3.4 Released
supersloshy writes "The popular GNOME desktop environment has just announced the release of version 3.4. User-facing updates include, among others, a new look for many GNOME applications, smooth scrolling support in GTK, integrated document search in GNOME Shell, a new dynamic background, improved accessibility configuration options, new high-contrast icons, and more documentation. Developer-facing improvements include the release of GTK+ 3.4 and updates to standard GNOME libraries as part of the latest GNOME Developer Platform." -
AMD Confirms CPU Bug Found By DragonFly BSD's Matt Dillon
An anonymous reader writes "Matt Dillon of DragonFly BSD just announced that AMD confirmed a CPU bug he found. Matt quotes part of the mail exchange and it looks like 'consecutive back-to-back pops and (near) return instructions can create a condition where the processor incorrectly updates the stack pointer.' The specific manifestations in DragonFly were random segmentation faults under heavy load." -
Wikipedia Chooses Lua As Its New Template Language
bonch writes "In an attempt to tackle the inefficient complexity of its current template system, Wikipedia will be adopting the Lua scripting language. Known most for its use in videogame scripting, particularly World of Warcraft, Lua is lightweight and designed for easy integration into existing applications. The transition is expected to begin after the release of MediaWiki 1.19, possibly in May." Basically, the template system started turning into an ugly programming language. There was debate over using Javascript or Lua; Lua ultimately won due to implementation concerns. The mailing list threads announcing the decision and discussing the change have further details. -
Civil Suit Filed, Involving the Time Zone Database
An anonymous reader writes "Arthur David Olson, the creator and maintainer of the timezone database used in about every unix/linux platform in use on the planet, just sent the message to the timezone mailing list: 'A civil suit was filed on September 30 in federal court in Boston; I'm a defendant; the case involves the time zone database. The ftp server at elsie.nci.nih.gov has been shut down. The mailing list will be shut down after this message. Electronic mail can be sent to me at @gmail.com. I hope there will be better news shortly. --ado' A Google search does not yet reveal anything about this; does someone know what is going on?" -
Zero Install Project Makes 1.0 Release
tal197 writes "Zero Install, the decentralized cross-distribution software installation system, announced 0install 1.0 today after 8 years in development. 0install allows authors to publish directly from their own web-sites while supporting familiar features such as shared libraries, automatic updates, and digital signatures. Is this the end of the walled-gardens of traditional app stores and Linux distributions and the beginning of a true 'Web of Software'?" -
Ext4 Advances As Interim Step To Btrfs
Heise.de's Kernel Log has a look at the ext4 filesystem as Linus Torvalds has integrated a large collection of patches for it into the kernel main branch. "This signals that with the next kernel version 2.6.28, the successor to ext3 will finally leave behind its 'hot' development phase." The article notes that ext4 developer Theodore Ts'o (tytso) is in favor of ultimately moving Linux to a modern, "next-generation" file system. His preferred choice is btrfs, and Heise notes an email Ts'o sent to the Linux Kernel Mailing List a week back positioning ext4 as a bridge to btrfs. -
Debian Bug Leaves Private SSL/SSH Keys Guessable
SecurityBob writes "Debian package maintainers tend to very often modify the source code of the package they are maintaining so that it better fits into the distribution itself. However, most of the time, their changes are not sent back to upstream for validation, which might cause some tension between upstream developers and Debian packagers. Today, a critical security advisory has been released: a Debian packager modified the source code of OpenSSL back in 2006 so as to remove the seeding of OpenSSL random number generator, which in turn makes cryptographic key material generated on a Debian system guessable. The solution? Upgrade OpenSSL and re-generate all your SSH and SSL keys. This problem not only affects Debian, but also all its derivatives, such as Ubuntu." Reader RichiH also points to Debian's announcement and Ubuntu's announcement. -
GPL Code Found In OpenBSD Wireless Driver
NormalVisual writes "The mailing lists were buzzing recently when Michael Buesch, one of the maintainers for the GPL'd bc43xx Broadcom wireless chip driver project, called the OpenBSD folks to task for apparently including code without permission from his project in the OpenBSD bcw project, which aims to provide functionality with Broadcom wireless chips under that OS. It seems that the problem has been resolved for now with the BSD driver author totally giving up on the project and Theo De Raadt taking the position that Buesch's posts on the subject were 'inhuman.'" More commentary from the BSD community is over at undeadly.org. -
Ruby on Rails 1.0 Released
Simon (S2) writes "Ruby on Rails 1.0 has been released. From the announcement: 'Rails 1.0 is mostly about making all the work we've been doing solid. So it's not packed with new features over 0.14.x, but has spit, polish, and long nights applied to iron out kinks and ensure that it works mostly right, most of the time, for most of the people.' " The Ruby on Rails website has also been given a new look. -
Summer Internships - The Good, and the Bad?
loquacious d asks: "This has been a spectacular summer for open-source student internships. Google funded a huge variety of open-source projects through the Summer of Code, including GCC-CIL and other improvements to Mono, new features and fixes for Gaim, and even new packages for Common Lisp. Joel Spolsky at Fog Creek hired four interns to produce a highly modified version of VNC called Fog Creek Copilot, and Paul Graham's new venture capital firm Y Combinator helped students create their own tech companies. What internships did people enjoy this summer, and which ones didn't work out so well? Which ones would you recommend to next year's applicants, and which should they avoid?" -
IETF's MARID Is Dead
Daniel Goldman writes "According to this post, from Ted Hardie Co-Area Director for Applications, the IETF will be closing the MARID Working Group. This working group planned to develop a DNS-based mechanism for storing and distributing information associated with MTA authorization to prevent spam. It was chartered after extensive discussion of the issues in the IRTF's Anti-spam Research Group." -
FSF & OSI Speak out Against Sender-ID License
NW writes "As a followup to yesterday's story, Eben Moglen of FSF and Larry Rosen of OSI have publicly spoken out against Microsoft's Sender-ID license calling it incompatible with the GPL and Open Source. A related eWeek story also covers this and includes the following quote from Eric Allman, the author of Sendmail: "It's pretty clear that it's going to take an act of whatever deity Microsoft worships in order to get them to back down on the sublicensing issue. They made it absolutely clear to us that they were not even going to consider changing this, and the legal folks made it further clear that they would rather see Sender ID die than back down."" -
Gentoo for Mac OS X Released
joeljkp writes "According to today's Gentoo Weekly News, Gentoo has released a new project: Gentoo MacOS (sic). This new distribution adds Portage, Gentoo's package manager, to Mac OS X, among other things." -
Daniel Robbins Resigns As Chief Gentoo Architect
bdowne01 writes "Gentoo Linux has experienced rapid growth in the past year--much to the credit of Daniel Robbins, the founder and Chief Architect of the project. Earlier today, he announced his resignation from his role on the gentoo-nfp mailing list." Tester adds "But before leaving, he has set up a non-profit foundation that will own all of the copyrights to Gentoo. The initial board of trustees will be appointed by Daniel, but next year they will be elected. The membership of the foundation will be open." Reader burnitall points out a note on the Gentoo homepage reading "... We are extremely sad to see Daniel Robbins depart, and we both wish him the best in his new endeavors and promise that the door will always be open for his return." Robbins' message also indicates he hopes to continue working on the release engineering aspect of Gentoo. -
XFree86 4.4: List of Rejecting Distributors Grows
Bootsy Collins writes "Yesterday, we discussed Mandrake's decision to revert their release-in-development from XFree86 version 4.4 back to version 4.3 because of issues with the new XFree86 license. To update this, the list of OS distributors opting out of XF86 Version 4.4, and future releases, based on licensing concerns continues to grow. While Fedora seems to be "preparing to support multiple X11 implementations", Red Hat has explicitly stated that they have no plans to ship XFree86 v4.4 under its current license. Also add to the growing list Debian, Gentoo, and OpenBSD." -
GPL'ed Drivers For NVIDIA nForce Ethernet Devices
An anonymous reader writes "Manfred Spraul has released a GPLed driver for the ethernet device found in motherboards based on the Nvidia Nforce/Nforce2/Nforce3 chipsets. Drivers provided by Nvidia on the other hand, are closed. Andrew Morton has integrated this driver in the 2.6.9-mm2 release of his mm tree. And if you are using a 2.4x kernel, you may want to check out this post." -
What Will Be in Linux 2.7?
Realistic_Dragon writes "The first discussion has been sighted on the Linux kernel mailing list to put together a feature list of things that should go into Linux 2.7 - including hotplug CPU & RAM support, network transparent sound and improvements to Netfilter to bring it up to the level of OpenBSD's Packet Filter. And all this before most of us have started to run 2.6.0-preX, or even a 2.6 series stable release happening. Perhaps if you have a (sensible) idea now would be a good time to voice it, otherwise you will have to wait for 2.9 to get it included." -
Fracturing P2P Networks
A reader writes: "If you run Freenet and have noticed that you practically can't access anything on the network, you are not alone; a group of Freenet users has organized a Freenet Revolt by forming a separate network running an old, proven build of Freenet, and things have been heating up on the freenet-devel mailing list with a scary declaration by project leader Ian Clarke that Freenet is a research project and has always been, which scared some list members, since Freenet has been actively promoted as a production network and has a sensitive userbase, including Chinese dissidents. Some people are already moving to similar networks like GNUnet and Entropy." Of course, that does sound different than what has been said before. -
LGPL is Viral for Java
carlfish writes "According to this post to POI-dev, Dave Turner (Mr License) of the FSF has decreed that the steps required to use an LGPL'd Java library will actually infect client code with substantial GNU-ness via Section 6 of the LGPL. (The "Lesser" GPL is supposed to protect only the Library, without infecting code using the library) This, as you might imagine, puts a few LGPL Java projects that previously thought they were embeddable without being viral in a bit of a bind. Various weblogs have further coverage." Update: 07/18 02:44 GMT by CN : The FSF's Executive Director, Brad Kuhn adds "LGPL's S. 6 allows you to make new works that link with the LGPL'ed code, and license them any way you see fit. Only the LGPL'ed code itself must remain Free. Such 'client code' can even be proprietary; it need not be LGPL'ed."