Linux 2.2.18 Released

If you haven't heard yet, another version of the Linux kernel has hit the mirrors. This is the first release to the 2.2 tree in quite some time, so it's probably worth updating on those machines which can afford a reboot. There's a whole bunch of changes, most notably the backport of USB code from the 2.4 tree, so all those neat-o USB devices you get over the holiday season won't be gathering dust.

For ReiserFS users...

[Wakko+Warner]

There's a patch which (purportedly) works against 2.2.18 here. You'll also need the latest full ReiserFS patch. Patch as usual, ignore the failures, and then patch again with this patch.

- A.P.

--
* CmdrTaco is an idiot.

Re:Linux Security

[Malor]

Security through obscurity is really only a temporary stopgap. It slows down an attacker but it doesn't prevent him/her/it from eventually finding and attacking holes. Worse, most of the proprietary vendors have been quite slow about releasing patches.

I don't have any way of knowing how long it will take, but you are seeing the bugs getting shaken out of the operating systems we depend on. They're very complex creations and there are probably whole classes yet of undiscovered security exploits.

Open source allows people to more effectively find and attack holes. This means that they are both found and fixed faster. It is my belief that eventually, the open source operating systems will come pretty close to being free of security holes. It's unlikely to ever be 100%, but the number of remaining, unfound security flaws should slowly approach 0 without ever quite touching it.

The closed-source operating systems, Microsoft's in particular, are a long way further up that curve. I'm guessing that you're going to be seeing nasty system holes in those operating systems for years and years after they have slowed to a mere trickle on the Unices. You just can't assemble forty million lines of code and put it into production without there being problems. Linux has 1/10th the code size, and because of that probably 1/1000th of the potential security-breaking unforeseen interactions.

The so-far-unstated assumption I have is that systems will eventually get extremely secure. This could be wrong. If new bugs get added as fast as, or faster than, old ones get taken away, then the high number of found bugs in Open Source software will prove to be only a detriment.

I'm *assuming* that we are paying now to have security later. But if we aren't, then the security through obscurity model is probably RIGHT -- because if there will ALWAYS be new security holes, any method of slowing down detection of those holes makes sysadmins' lives a little easier.

We will probably know which of these two models is right within the next 3 or 4 years. In the interim, fight very hard any suggestion to suppress information about hacks/exploits or cracking tools. The ultimate goal is secure systems, and it will take some time for us to find out which way is more secure in actual practice. If one method is hamstrung by legal action, then we may never know the right approach and may forever suffer with buggier software than we needed to.

By the 2004-2005 timeframe, the overall progression in the number of bugs reported on Open Source versus proprietary systems should be much clearer, and we will likely make much more intelligent decisions.

NFS v3 support is quite notable

[DenialS]

Let me just say that the NFS (network file system) support in 2.2.18 is vastly improved over the previous kernels. Alan rolled in the patches that most distros had been adding to the 2.2 kernel, fixed their bugs, and made me a very happy man. NFS v3 support is there for the taking, folks... enjoy.

Re:Linux Security

[Platinum+Dragon]

I was wondering about the disadvantages of open source systems.
The problem is in security bugs (as in Red Hat) with people who are not IT professionals.

News flash: this is a general issue with most (all?) operating systems, not just open source ones. It's not a disadvantage of open source alone, but a general difficulty all admins and end users deal with on a daily basis. The difference is, the sysadmin is expected to keep the doors closed and locked. That's part of his/her job description. An end user just wants to check e-mail, browse the web, maybe play a game or write a letter, in which event, they won't religiously follow security mailing lists.

Helix Code, Red Hat, and MS are probably doing end users a favour with automatic update systems, although I'm sure everyone here can rattle off three potential attacks and security holes involving these autoupdaters without thinking (man-in-the-middle attacks, spoofed routing entries, spoofed DNS entries, leading to trojaned packages being downloaded and installed without the user's input).

In the end, it's just an eternal conflict between the developers of new software and the developers of ways to poke holes in new software. That's life.

Re:Arch-based Downloads

[Spoing]

Don't download everything, only download the bzip2 patch. Most 2.2.x relase patches are about a meg, and I've never had a problem getting one even after a big announcement.`

Here's a mangled section from a kernel maker script to give you an idea how simple using patches can be;

cd /usr/src
tar Ixfv /usr/src/usr/src/linux-2.2.14.tar.bz2
cd /usr/src/linux
patch -p1 < /usr/src/kernel/patch-2.2.15
patch -p1 < /usr/src/kernel/patch-2.2.16
patch -p1 < /usr/src/kernel/patch-2.2.17
patch -p1 < /usr/src/kernel/patch-2.2.18

If you want to make this a little fancier, you can put in a loop that only decompresses the patches just before being applied and does not need hard coding like the above. Symlinks and other parts are also missing from the example above...and are not needed to get the job done.

For that matter, you can tar the whole patched release up once in a while when you get annoyed with all those extra patch files hanging around.

Re:backporting driver frameworks?

[bonzoesc]

The reason the 2.4 usb support is being backported is because users want it *now*. Our silly win9x-bound relatives send us USB stuff to use, and we can't because it doesn't work in Linux. So, USB support is a high-demand backport. Backporting stuff that isn't high-demand is silly, because nobody will appreciate it. The Linux kernel folks (Linux included) have to obey politics, too, even if it is among a group of presumably understanding Linux hackers. (Hackers meaning intelligent users, not h4x0rz.)

Tell me what makes you so afraid
Of all those people you say you hate

Re:A rant, I know, but I can't help it.

[Frymaster]

I wish Linus would pull his socks up

The man wrote (most of) an operating system. If his socks were any higher, he'd be wearing pantyhose.

Who do Linus and Cox answer to?

Themselves. I think you're forgetting that this is a free operating system. In the "Real World" we answer to whoever's writing the paycheque. It's mildly nauseating to see people download their free iso and then complain about release dates.

I'd like to see some sort of body set up that has soveriegnty over Linus and Cox,

Okay, these people, who are working for free, aren't meeting you're timeline. You're solution is not to write a cheque or organize some other funding effort to encourage the development process or to pitch in yourself, but rather to demand some sort of "linux police force".

If you want to complain about customer service, I suggest you call your Sun sales representative

ReiserFS/ EMU10K1 patches

[bconway]

Keep in mind before upgrading that if you're running ReiserFS (as you should be =) ), the latest 2.2.17 won't patch correctly, be it 2.2.18 + patch or 2.2.17 + patch + 2.2.18 patch. These should be out imminently, however, so keep an eye on their web site. Also, be sure to check out opensource.creative.com for the latest EMU10K1, as the drivers are far more recent than the ones included in 2.2.18, and a great bit better, I've found. This is definitely worth the upgrade, for no other reason than the USB backporting, as well as the AGPgart and DRI drivers.