Welcome to Planet openSUSE

This is a feed aggregator that collects what openSUSE contributors are writing in their respective blogs.

To have your blog added to this aggregator, please read the instructions.


Thursday
18 January, 2018



The hosting platform cPanel has provided the openSUSE Project with two new network cards to assist the project with its infrastructure needs.

The network cards will soon be integrated into the openSUSE infrastructure to improve the Open Build Service.

“On behalf of the openSUSE Project and the many developers and packagers who use OBS to develop open-source software, we thank cPanel for their generosity,” said Richard Brown, openSUSE Chairman. “This contribution not only helps the openSUSE project but will help other open-source projects as well.”

OBS is a generic system to build and distribute binary packages from sources in an automatic, consistent and reproducible way. It can release packages as well as updates, add-ons, appliances and entire distributions for a wide range of operating systems and hardware architectures.

“We use an internal installation of the Open Build Service, and also help customers and third parties use the public OBS at build.opensuse.org,” said Ken Power, Vice President of Product Development at cPanel. “Supporting the open source projects that we use is incredibly important to us, and we’re glad to be able to help here.”

The network cards will be used to improve the backend of OBS.

“The cards will be used to connect the OBS backend storage and network, bringing it from 1GB to 10GB and improving the backend performance,” said Thorsten Bro, a member of the openSUSE Heroes team. “We want to thank cPanel for its generous support and giving back to the projects that help with Linux/GNU development.”


Tuesday
16 January, 2018


Michael Meeks: 2018-01-16 Tuesday

21:00 UTC

  • Sync with Andras, Jona, mail chew, commercial call, partner call, read reams of framework contract-ness. Dinner.
  • Debugged some JS horror - where we end up with a 'this' referring to an entirely different object in a class' method - type unsafety to the N'th.


Would you like to help fix a couple of bugs in librsvg, in preparation for the 2.42.1 release?

I have prepared a list of bugs which I'd like to be fixed in the 2.42.1 milestone. Two of them are assigned to myself, as I'm already working on them.

There are two other bugs which I'd love someone to look at. Neither of these requires deep knowledge of librsvg, just some debugging and code-writing:

  • Bug 141 - GNOME's thumbnailing machinery creates an icon which has the wrong fill: it's an image of a builder's trowel, and the inside is filled black instead of with a nice gradient. This is the only place in librsvg where a cairo_surface_t is converted to a GdkPixbuf; this involves unpremultiplying the alpha channel. Maybe the relevant function is buggy?

  • Bug 136: The stroke-dasharray attribute in SVG elements is parsed incorrectly. It is a list of CSS length values, separated by commas or spaces. Currently librsvg uses a shitty parser based on g_strsplit() only for commas; it doesn't allow just a space-separated list. Then, it uses g_ascii_strtod() to parse plain numbers; it doesn't support CSS lengths generically. This parser needs to be rewritten in Rust; we already have machinery there to parse CSS length values properly.

Feel free to contact me by mail, or write something in the bugs themselves, if you would like to work on them. I'll happily guide you through the code :)


Monday
15 January, 2018


Michael Meeks: 2018-01-15 Monday

21:00 UTC

  • Sync. with Miklos, Kendy, code review, lunch, mail, sync with Andras, customer call.


The application period for organizations wanting to participate in the Google Summer of Code is now open, and the openSUSE project is once again looking for mentors who are willing to put forth projects to mentor GSoC students.

People interested in submitting a project for GSoC as part of an openSUSE mentors team can submit it to https://github.com/openSUSE/mentoring/issues. The submissions will be reflected on openSUSE 101 and submitted as part of a mentorship package to the official GSoC website.

“If you have a new project for this year, please open a new issue for each project immediately and label it accordingly,” said Christian Bruckmayer, an openSUSE mentor. “If you have a potential project, please email us ASAP.”

The deadline is Jan. 23 to submit the full package for GSoC, Bruckmayer said.

The full timeline of GSoC can be found at https://developers.google.com/open-source/gsoc/timeline.

GSoC is an international program that matches mentors and students and funded 1,315 student projects last year for 201 open source organizations. Last year, five students participated in GSoC under the openSUSE organizing team.

GSoC students, mentors and projects benefit from the active involvement of new mentors. Many previous GSoC students later become mentors in the GSoC.

Email the mentors team at gsoc-mentors@opensuse.org.


Sunday
14 January, 2018


Michael Meeks: 2018-01-14 Sunday

21:00 UTC

  • Played bass & sang at All Saints, christening & Max spoke. Back for roast lunch, slugging, playing of 'Job Simulator' by babes, Adventures on Odyssey in the evening; put babes to bed.

Saturday
13 January, 2018


Michael Meeks: 2018-01-13 Saturday

21:00 UTC

  • Out to practice with H. in the morning, caught up with N's ceramic painting party later. Home for lunch, and some slugging - watched 'Superman' with the babes. Practised bass variously with H. in the evening.

Friday
12 January, 2018


Michael Meeks: 2018-01-12 Friday

21:00 UTC

  • Mail chew. Poked at dialog code with Kendy, N's friends over for a sleepover & party, up late cleaning async dialog bits up. Collected replacement VIVE controller - excellent, remembered to cover up the mirror in the front room too (a top tip for structured laser users).

I guess it's hard to miss Spectre and Meltdown so you probably read about it. And there's more bad news than what's been widely reported, it seems.

You trust the cloud? HAHAHAHA

What surprised me a little was how few journalists paid attention to the fact that Meltdown in particular breaks the isolation between containers and Virtual Machines - making it quite dangerous to run your code in places like Amazon S3. Meltdown means: anything you have run on Amazon S3 or competing clouds from Google and Microsoft has been exposed to other code running on the same systems.

And storage isn't per-se safe, as the systems handling the storage just might also be used for running apps from other customers - who then thus could have gotten at that data. I wrote a bit more about this in an opinion post for Nextcloud.

We don't know if any breaches happened, of course. We also don't know that they didn't.

That's one of my main issues with the big public cloud providers: we KNOW they hide breaches from us. All the time. For YEARS. Yahoo was particularly nasty, but was it really such an outlier? Uber hid data stolen from 57 million users for a year, which came out just last November.

Particularly annoying if you're legally obliged to report security breaches to the users it has affected, or to your government. Which is, by the way, the case in more and more countries. You effectively can't do that if you put any data in a public cloud...

Considering the sales of the maximum allowed amount of stock just last November by the Intel CEO, forgive me if I have little trust in the ethical standards at that company, or any other for that matter. (oh, and if you thought the selling of the stock by the Intel CEO is just typical stuff, nah, it was noticed as interesting BEFORE Meltdown & Spectre became public)

So no, there's no reason to trust these guys (and girls) on their blue, brown, green or black eyes. None whatsoever.

Vendors screwed up a fair bit. More to come?

But there's more. GregKH, the unofficial number two in Linux kernel development, blogged about what-to-do wrt Meltdown/Spectre and he shared an interesting nugget of information:
We had no real information on exactly what the Spectre problem was at all
Wait. What? So the guys who had to fix the infrastructure for EVERY public and private cloud and home computer and everything else out there had... no... idea?

Yeap. Golem.de notes (in German) that the coordination around Meltdown didn't take place over the usual closed kernel security mailing list, but instead distributions created their own patches. The cleanup of the resulting mess is ongoing and might take a few more weeks. Oh, and some issues regarding Meltdown & Spectre might not be fix-able at all.

But I'm mostly curious to find out what


One nice thing about gitlab.gnome.org is that we can now have Continuous Integration (CI) enabled for projects there. After every commit, the CI machinery can build the project, run the tests, and tell you if something goes wrong.

Carlos Soriano posted a "tips of the week" mail to desktop-devel-list, and a link to how Nautilus implements CI in Gitlab. It turns out that it's reasonably easy to set up: you just create a .gitlab-ci.yml file in the toplevel of your project, and that has the configuration for what to run on every commit.

Of course instead of reading the manual, I copied-and-pasted the file from Nautilus and just changed some things in it. There is a .yml linter so you can at least check the syntax before pushing a full job.

Then I read Robert Ancell's reply about how simple-scan builds its CI jobs on both Fedora and Ubuntu... and then the realization hit me:

This lets me CI librsvg on multiple distros at once. I've had trouble with slight differences in fontconfig/freetype in the past, and this would let me catch them early.

However, people on IRC advised against this, as we need more hardware to run CI on a large scale.

Linux distros have a vested interest in getting code out of gnome.org that works well. Surely they can give us some hardware?



Dear Tumbleweed users and hackers,

The 2nd week of the year had a slightly lower snapshot count than the first one, with 4 snapshots delivered this week (0104, 0106, 0107 and 0109). The next one to come (0110) will likely ask for more bandwidth to update; more about that snapshot later, in the ‘things to come’ section.

The last week brought us these changes:

  • Linux Kernel 4.14.11 and 4.14.12
  • LibreOffice 6 (RC1, but with KDE interface back, which was greatly awaited by many)
  • Kernel Firmware and intel ucode update
  • Python 3.6.4
  • LLVM 5.0.1
  • KDE Frameworks 5.41.0
  • Poppler 0.62
  • cmake prefers python3 over python2 when finding an interpreter

The things to reach Tumbleweed in the near future are:

  • MPFR 4.0 (Multi-Precision floating point) in snapshot 0110. As this library is so deeply nested into the compiler suite, a complete rebuild of the distro was triggered, which will result in a larger upgrade for you
  • Mesa 17.3.2, coming with reworked package (mainly build time optimization, some reorganization, no effect at runtime expected)
  • Bind 9.11.2
  • RPM 4.14.0
  • Rust 1.23.0
  • librsvg 2.42.0 – rustified version
  • The YaST Team’s libstorage-ng reimplementation



I'm glad to announce that there will be a Ceph Day on the 7th of February 2018 in Darmstadt. Deutsche Telekom will host the event. The day will start at 08:30 with registration and end around 17:45 with a one hour networking reception.
We already have several very interesting presentations from SUSE, SAP, CERN, 42.com, Deutsche Telekom AG and Red Hat on the agenda, and more to come. If you have an interesting 15-45 min presentation about Ceph, please contact me to discuss whether we can add it to the agenda. Presentation language should be German or English.

I would like to thank our current sponsors SUSE and Deutsche Telekom and the Ceph Community  for the support. We are still in  negotiation with potential sponsors and will hopefully announce them soon.

The agenda will be available here soon. You can register through this link. Stay tuned for updates! See you in Darmstadt!

Thursday
11 January, 2018


Michael Meeks: 2018-01-11 Thursday

21:00 UTC

  • N's birthday - fun present opening at breakfast. Admin, calls, some code-reading, ESC call, catchup with JanI. Julie over for dinner & Smash-Up playing action.


Several openSUSE Tumbleweed snapshots arrived before and after the new year, and this post will focus on the most recent snapshots released this week.

Much of the efforts of developers this week have focused on patching the Meltdown and Spectre vulnerabilities. openSUSE’s rolling distribution produced four openSUSE Tumbleweed snapshots so far this week.

While the Long-Term Support 4.4 Linux Kernel has patched many of the vulnerabilities associated with Meltdown and Spectre, the 4.14.12 Linux Kernel released in snapshot 20180107 hasn’t, but Tumbleweed users will likely see the vulnerabilities patched soon.

The most recent snapshot 20180109, which was released within the past hour, brought KDE Frameworks 5.41.0, which brought 70 addon libraries to Qt. A major version was released for LibreOffice, as the libreoffice 6.0.0.1 package had many fixes in gpg4libre and new features for Writer, Calc and Draw. Poppler 0.62.0 was also included in the snapshot and removed the Qt4 poppler package following the upstream change.

Newer packages that arrived in the 20180107 snapshot were the chat client irssi 1.0.6, which fixed some random memory bugs, and llvm 5.0.1, which deletes intermediate files during build to reduce total disk usage. And kcm_sddm 5.11.5 was a bug fix release.

The biggest snapshot release so far this week was snapshot 20180106. The release of Mozilla Firefox 57.0.4 in snapshot 20180106 brought security fixes to address the Meltdown and Spectre timing attacks. Regular expressions library oniguruma 6.7.0 restructured StackType and now uses the string pool of gperf for the Unicode Property lookup function. The new python-setuptools 38.4.0 version removes a warning and updates the copyright year. Python 3.6.4 provided more than 100 bug fixes and dropped the upstreamed python3-ncurses-6.0-accessors.patch. Better timer error messages and an additional unit test were implemented with the perl-IPC-Run 0.96 package. RE2 was updated to version 2018-01-01; libre2-0-32bit was created in order to satisfy the dependency from libqt5-qtwebengine-32bit.

Snapshot 20180104 brought the official distributed compiler release of icecream 1.1, which updates dependencies to fix building for SUSE Linux Enterprise. The snapshot also provided the 4.14.11 Linux Kernel.



Today is a big day. The Nextcloud community is launching a new product and solution called Nextcloud Talk. It’s a full audio/video/chat communication solution which is self hosted, open source and super easy to use and run. This is the result of over 1.5 years of planning and development.

For a long time it was clear to me that the next step for a file sync and share solution like Nextcloud is to have communication and collaboration features built into the same platform. You want to have a group chat with the people you have a group file share with. You want to have a video call with the people while you are collaboratively editing a document. You want to call a person directly from within Nextcloud to collaborate and discuss a shared file, a calendar invite, an email or anything else. And you want to do this using the same login, the same contacts and the same server infrastructure and web interface.

So this is why we announced, at the very beginning of Nextcloud, that we would integrate the Spreed.ME WebRTC solution into Nextcloud. And this is what we did. But it became clear that what's really needed is something that is fully integrated into Nextcloud, easy to run and has more features. So we did a full rewrite over the last 1.5 years. This is the result.

Nextcloud Talk can, with one click, be installed on every Nextcloud server. It contains a group chat feature so that people and teams can communicate and collaborate easily. It also has WebRTC video/voice call features including screen-sharing. This can be used for one on one calls, web-meetings or even full webinars. This works in the Web UI, but the Nextcloud community also developed completely new Android and iOS apps so it works great on mobile too. Thanks to push notifications, you can actually call someone directly on the phone via Nextcloud or a different phone. So this is essentially a fully open source, self hosted phone system integrated into Nextcloud. Meeting rooms can be public or private and invites can be sent via the Nextcloud Calendar. All calls are done peer to peer and end to end encrypted.

So what are the differences with WhatsApp Calls, Threema, Signal Calls or the Facebook Messenger?
All parts of Nextcloud Talk are fully Open Source and it is self hosted. So the signalling of the calls is done by your own Nextcloud server. This is unique. All the other mentioned solutions might be encrypted, which is hard to check if the source code is not open, but they all use one central signalling server. So the people who run the service know all the metadata: who is calling whom, when, how long and from where. This is not the case with Nextcloud Talk. No metadata is leaked. Another benefit is the full integration into all the other file sharing, communication, groupware and collaboration features of Nextcloud.

So when is it



openSUSE is pleased to announce that registration and the call for papers for the openSUSE Conference 2018 (oSC18), which takes place in Prague, Czech Republic, are open.

The dates for this year’s conference will be May 25 through May 27 at the Faculty of Information Technologies of Czech Technical University in Prague. Submission for the call for papers will be open until April 20. There are 99 days from today to submit a proposal, but don’t wait until the last minute. Registration will be open from today until the day oSC18 begins; make sure to answer the survey question regarding the T-Shirt size.

Presentations can be submitted in one of the following formats:

  • Lightning Talks (15 mins)
  • Short Talks (30 mins)
  • Normal Talks (45 mins)
  • Long Workshop (3 hours)
  • Short Workshop (90 mins)

The tracks listed for the conference are:

  • openSUSE
  • Open Source Software
  • Cloud and Containers
  • Embedded Systems
  • Desktop and Applications

While these tracks might be refined to better categorize or consolidate topics, people should submit proposals even if they don’t think it fits into one of the tracks.

A Program Committee will evaluate the proposals based on the submitted abstracts and the accepted proposals will be announced no later than April 21.

Volunteers who would like to participate on the Program Committee or the Organizing Team for the conference should email ddemaio (@) suse.de and phodac (@) suse.cz.

Visit events.opensuse.org for more information about oSC18.


Wednesday
10 January, 2018


Michael Meeks: 2018-01-10 Wednesday

21:00 UTC

  • Mail, admin, calls, more admin; a little patch review.

Tuesday
09 January, 2018


Michael Meeks: 2018-01-09 Tuesday

21:00 UTC

  • Mail chew; suspiciously little - odd, poked sysadmins. Fixed a page border rendering issue in LOOL, ESC bits arrived, built stats.


What you need to know about the new storage stack (storage-ng)

Changes to YaST are coming and people using openSUSE Tumbleweed will be the first to experience these planned changes in a snapshot that is expected to be released soon.

Those following the YaST Team blog may have read about the implementation changes expected for libstorage-ng, which have been discussed for nearly two years. Libstorage is the component used by YaST, especially in the installer, the partitioner and AutoYaST, to access disks, partitions, LVM volumes and more.

This relatively low-level component has been a constant source of headaches for YaST developers for years, but all that effort is about to bear fruit. The original design has fundamental flaws that limited YaST in many ways and the YaST Team have been working to write a replacement for it: the libstorage-ng era has begun.

This document offers an incomplete but very illustrative view of the new things that libstorage-ng will allow in the future and the libstorage limitations it will leave behind. For example, it already makes it possible to install a fully encrypted system with no LVM using the automatic proposal, and to handle filesystems placed directly on a disk without any partitioning much better. In the near future, it will allow fully managing Btrfs multi-device filesystems, bcache and many other technologies that were impossible to accommodate in the old system.

What’s new, right here right now

Rewriting libstorage with a new approach means that all the other components that sit on top must also be adapted or rewritten to take advantage of the new capabilities. Alongside the replacement of libstorage with libstorage-ng, the yast2-storage module will be replaced by yast2-storage-ng, which offers a re-implementation of almost everything related to storage in YaST.

New partitioning proposal during installation

The times in which one root partition, one swap of a predefined size and one optional separate Home partition were enough to satisfy all the Linux use-cases are gone. Nowadays SUSE and the openSUSE community produce many products for scenarios that go beyond the classic server and desktop paradigms, like SLES4SAP, SUSE CaaSP or openSUSE Kubic.

The new proposal allows more control to those who create products and flavors based on SLE or openSUSE and offers more possibilities to the users (like encrypting partitions with no need to use LVM, something largely requested by the community). But with great power comes great responsibility and very likely it will take some snapshots to fully tweak the new configurable aspects of the proposal to match the Tumbleweed requirements precisely.

Tumbleweed users will experience this implementation and its tweaks, so please be aware of these gradual adjustments taking place in YaST over the next couple of months.

Rewritten expert partitioner

The YaST partitioner is known for being very powerful, but it has always come with several bugs (most of them very hard to track and fix) and inconsistencies here and there. In the mid-term, libstorage-ng will make the partitioner much more powerful



The YaST team finished its 47th Sprint right before the Christmas break but, sadly, we had not published the corresponding report… until now. The last sprint of the year brought some interesting changes, like Chrony support for AutoYaST, better multi-products medium handling, etc. So let’s recap those changes.

Chrony support in AutoYaST

As part of our effort to support Chrony as the default NTP service for (open)SUSE, we have revamped how AutoYaST handles the configuration of such a service. The first noticeable change is that we have redesigned the schema which, instead of containing low level configuration options, is now composed of a set of high level ones that are applied on top of the default settings.

And here is how the new (and nicer) configuration looks like:

<ntp-client>
  <ntp_policy>auto</ntp_policy>
  <ntp_servers config:type="list">
    <ntp_server>
      <iburst config:type="boolean">false</iburst>
      <address>cz.pool.ntp.org</address>
      <offline config:type="boolean">true</offline>
    </ntp_server>
  </ntp_servers>
  <ntp_sync>15</ntp_sync>
</ntp-client>
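As an added example (not code from the YaST team), here is a small parser for the high-level <ntp-client> section shown above that renders it as chrony "server" directives. The post shows only the fragment; a complete AutoYaST profile wraps it in <profile> and declares the yast2ns and config namespaces, which is assumed below, because without that declaration the config:type attributes are an unbound prefix and the XML does not even parse.

```python
# Added example, not YaST code: parse the AutoYaST <ntp-client> section above and
# turn it into chrony "server" directives, reading the config:type="boolean"
# values strictly so a malformed profile is rejected instead of silently ignored.
import xml.etree.ElementTree as ET

NS = {
    "y": "http://www.suse.com/1.0/yast2ns",        # default AutoYaST profile namespace
    "config": "http://www.suse.com/1.0/configns",  # namespace of the config:type attribute
}
TYPE_ATTR = "{%s}type" % NS["config"]

# Constructed sample: the fragment from the post, wrapped in a minimal <profile>.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<profile xmlns="http://www.suse.com/1.0/yast2ns"
         xmlns:config="http://www.suse.com/1.0/configns">
  <ntp-client>
    <ntp_policy>auto</ntp_policy>
    <ntp_servers config:type="list">
      <ntp_server>
        <iburst config:type="boolean">false</iburst>
        <address>cz.pool.ntp.org</address>
        <offline config:type="boolean">true</offline>
      </ntp_server>
    </ntp_servers>
    <ntp_sync>15</ntp_sync>
  </ntp-client>
</profile>
"""

# Constructed negative sample: "yes" is not a valid AutoYaST boolean.
BAD_PROFILE = SAMPLE_PROFILE.replace(">true</offline>", ">yes</offline>")


def _bool(elem):
    """Read a config:type="boolean" element strictly: only 'true'/'false' count."""
    if elem.get(TYPE_ATTR) != "boolean":
        raise ValueError('%s is not declared config:type="boolean"' % elem.tag)
    text = (elem.text or "").strip()
    if text not in ("true", "false"):
        raise ValueError("bad boolean %r in %s" % (text, elem.tag))
    return text == "true"


def parse_ntp_client(xml_text):
    """Return {'policy': str, 'sync': str, 'servers': [dict]} for the profile."""
    root = ET.fromstring(xml_text)
    ntp = root.find("y:ntp-client", NS)
    if ntp is None:
        raise ValueError("profile has no <ntp-client> section")
    servers = []
    servers_elem = ntp.find("y:ntp_servers", NS)
    if servers_elem is not None:
        if servers_elem.get(TYPE_ATTR) != "list":
            raise ValueError('ntp_servers must be declared config:type="list"')
        for srv in servers_elem.findall("y:ntp_server", NS):
            address = srv.findtext("y:address", default="", namespaces=NS).strip()
            if not address:
                raise ValueError("ntp_server entry without an address")
            iburst = srv.find("y:iburst", NS)
            offline = srv.find("y:offline", NS)
            servers.append({
                "address": address,
                # An absent flag is treated as false here (an assumption of this
                # example, not documented YaST behaviour).
                "iburst": _bool(iburst) if iburst is not None else False,
                "offline": _bool(offline) if offline is not None else False,
            })
    policy = ntp.findtext("y:ntp_policy", default="", namespaces=NS).strip()
    sync = ntp.findtext("y:ntp_sync", default="", namespaces=NS).strip()
    return {"policy": policy, "sync": sync, "servers": servers}


def render_chrony_servers(cfg):
    """One chrony 'server ADDRESS [iburst] [offline]' line per configured server."""
    lines = []
    for srv in cfg["servers"]:
        opts = [flag for flag in ("iburst", "offline") if srv[flag]]
        lines.append(" ".join(["server", srv["address"]] + opts))
    return lines


def is_valid_profile(xml_text):
    """True when the profile parses and every typed value is well-formed."""
    try:
        parse_ntp_client(xml_text)
    except (ET.ParseError, ValueError):
        return False
    return True
```

Running it on the sample yields the single line "server cz.pool.ntp.org offline", while the bare fragment from the post and the "yes" variant are both rejected.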

Updating the Remote Administration Capabilities

During this sprint, the remote administration client has been deeply modified. To begin with, as xinetd is being replaced by systemd sockets, we have dropped that dependency (adjusting the code accordingly).

Additionally, the VNC handling has been improved too. Until now, YaST offered the possibility to connect through a web browser using a Java applet. Now YaST allows the user to enable/disable this feature (check the screenshot below to see how it looks now). It is worth mentioning that Michal Srb has replaced the old viewer with novnc, a JavaScript based one. Thanks a lot for that, Michal!

And last but not least, we have seized the occasion to do some code cleaning, reimplementing some dialogs using the Common Widget Manipulation object oriented API.

Modifying AutoYaST Profile During Installation

AutoYaST offers a cool feature that allows the profile to be modified during the initial stages of the installation using a user script. So you can run a script which adjusts the profile and AutoYaST will read it again. If you are interested in such a feature, you can find more information in the official documentation.

On the other hand, in our previous report, we mentioned that AutoYaST was able again to use multipath devices using the new storage stack. But we didn’t take into account that it was possible to modify the profile at runtime, so the storage initialization happened too early.

Now the bug is fixed so you can again adjust any storage setting using the aforementioned feature.

Properly Handling Selected Modules

As you may know, some time ago we added support for multi-product media (DVDs which contain more than one repository/product in separate subdirectories). This time we fixed some issues regarding this functionality.

Originally after selecting several products only one of them was actually selected to install and only one product was displayed in the installation proposal. Fortunately, those issues have been addressed now.

Unified Look & Feel for Multi-Product Selection Dialog

For the multi-product DVD media we


Monday
08 January, 2018


Michael Meeks: 2018-01-08 Monday

21:00 UTC

  • Mail chew, sync with Miklos; contract review.


I'm loving gitlab.gnome.org. It has been only a couple of weeks since librsvg moved to gitlab, and I've already received and merged two merge requests. (Isn't it a bit weird that Github uses "pull request" and Everyone(tm) knows the PR acronym, but Gitlab uses "merge request"?)

Notifications about merge requests

One thing to note if your GNOME project has moved to Gitlab: if you want to get notified of incoming merge requests, you need to tell Gitlab that you want to "Watch" that project, instead of using one of the default notification settings. Thanks to Carlos Soriano for making me aware of this.

Notifications from Github's mirror

The github mirror of git.gnome.org is configured so that pull requests are automatically closed, since currently there is no way to notify the upstream maintainers when someone creates a pull request in the mirror (this is super-unfriendly by default, but at least submitters get notified that their PR would not be looked at by anyone, by default).

If you have a Github account, you can Watch the project in question to get notified — the bot will close the pull request, but you will get notified, and then you can check it by hand, review it as appropriate, or redirect the submitter to gitlab.gnome.org instead.



Collabora has now released LibreOffice Vanilla 5.4.4 on the Mac App Store. It is built from the official LibreOffice 5.4.4 sources. If you have purchased LibreOffice Vanilla earlier from the App Store, it will be upgraded in the normally automatic manner of apps purchased from the App Store.


LibreOffice Vanilla from the Mac App Store is recommended to Mac users who want LibreOffice with the minimum amount of manual hassle with installation and upgrades. If you don't mind that, by all means download and install the build from TDF instead.

We would have loved to continue to include a link to the TDF download site directly in the app's description, as we have promised, but we were not allowed to do that this time by Apple's reviewer.

Because of the restrictions on apps distributed in the App Store, features implemented in Java are not available in LibreOffice Vanilla. Those features are mainly the HSQLDB database engine in Base, and some wizards.

This time we include the localised help files, as there were some issues in accessing the on-line help.

Since the LibreOffice Vanilla 5.2 build that was made available in the Mac App Store in September 2016, there have been a few Mac-specific fixes, like the one related to landscape vs. portrait mode printing on Letter paper. There are more Mac-specific bugs in Bugzilla that will be investigated as resources permit.

Some fine-tuning to the code signing script has been necessary. For instance, one cannot include shell scripts in the Contents/MacOS subfolder of the application bundle when building for upload to the App Store. This is because the code signatures for such shell scripts would be stored as extended attributes and those won't survive the mechanism used to upload a build to the App Store for review and distribution. (For other non-binary files, in the Resources folder, signatures are stored in a separate file.)

We also have made sure the LibreOffice code builds with a current Xcode (and macOS SDK).


Sunday
07 January, 2018


Michael Meeks: 2018-01-07 Sunday

21:00 UTC

  • Off to All Saints, enjoyed the family service; back for lunch, got N's minetest pieces going nicely with her, played Smash-Up with the family, organ practice with H. Detectorists before bed.

Saturday
06 January, 2018


Michael Meeks: 2018-01-06 Saturday

21:00 UTC

  • Breakfast in bed for J. - babes did homework, re-silicone'd the shower window, took H. into Cambridge; slugging away from the cold with the family; Julie over in the evening.


By now, everyone knows that something “big” just got announced regarding computer security. Heck, when the Daily Mail does a report on it, you know something is bad…

Anyway, I’m not going to go into the details about the problems being reported, other than to point you at the wonderfully written Project Zero paper on the issues involved here. They should just give out the 2018 Pwnie award right now, it’s that amazingly good.

If you do want technical details for how we are resolving those issues in the kernel, see the always awesome lwn.net writeup for the details.

Also, here’s a good summary of lots of other postings that includes announcements from various vendors.

As for how this was all handled by the companies involved, well this could be described as a textbook example of how NOT to interact with the Linux kernel community properly. The people and companies involved know what happened, and I’m sure it will all come out eventually, but right now we need to focus on fixing the issues involved, and not pointing blame, no matter how much we want to.

What you can do right now

If your Linux systems are running a normal Linux distribution, go update your kernel. They should all have the updates in them already. And then keep updating them over the next few weeks, we are still working out lots of corner case bugs given that the testing involved here is complex given the huge variety of systems and workloads this affects. If your distro does not have kernel updates, then I strongly suggest changing distros right now.

However there are lots of systems out there that are not running “normal” Linux distributions for various reasons (rumor has it that it is way more than the “traditional” corporate distros). They rely on the LTS kernel updates, or the normal stable kernel updates, or they are in-house franken-kernels. For those people here’s the status of what is going on regarding all of this mess in the upstream kernels you can use.

Meltdown – x86

Right now, Linus’s kernel tree contains all of the fixes we currently know about to handle the Meltdown vulnerability for the x86 architecture. Go enable the CONFIG_PAGE_TABLE_ISOLATION kernel build option, and rebuild and reboot and all should be fine.

However, Linus’s tree is currently at 4.15-rc6 + some outstanding patches. 4.15-rc7 should be out tomorrow, with those outstanding patches to resolve some issues, but most people do not run a -rc kernel in a “normal” environment.

Because of this, the x86 kernel developers have done a wonderful job in their development of the page table isolation code, so much so that the backport to the latest stable kernel, 4.14, has been almost trivial for me to do. This means that the latest 4.14 release (4.14.12 at this moment in time) is what you should be running. 4.14.13 will be out in a


Friday
05 January, 2018


Michael Meeks: 2018-01-05 Friday

21:00 UTC

  • Moderately irritated (as a remain voter) by the repeated, flaccid argument (now on the BBC) that old voters (who are dying out) voted for Brexit, and young people voted to stay: so things are somehow unfair. What a bag of hammers! It is deeply unclear to me that we should disenfranchise the old (and hopefully experienced & wise) in favour of the young (and arguably politically naive); but at least there is an argument there for decisions that only impact the young's future. However - the idea that as young people age and they experience life (or their brains ossify) - that their political views remain entirely static seems really unlikely and is an intrinsic assumption here. The old of today would seem to me to be a good proxy for the views of the old of tomorrow.
  • Worked on nailing some contract / admin backlog. Fixed a bug at lunch. Interested to see the X86_BUG_CPU_INSECURE patch from AMD.


Dear Tumbleweed users and hackers,

The year started with a big bang. Be it that since the last review, there have actually been 7 snapshots released (20171228, 1229, 1230, 1231, 20180101, 0102 and 0103) or that the news is full of reports about security issues. Let’s hope we can keep up the rate of snapshot releases (we won’t be able to keep it for the whole year; 7 in a week means I get no weekends) – but for the 2nd part, let’s hope we won’t have to cope with such things too often this year.

The 7 snapshots contained those interesting bits and pieces:

  • Evolution 3.26.3
  • Linux kernel 4.14.9
  • AppArmor 2.12
  • KDE Plasma 5.11.5

Some snapshots were a bit smaller than others, but holiday season brings this as a consequence. But the stagings are full of things happening:

  • Linux Kernel 4.14.11 (incl. fixes for Meltdown, in snapshot 0104)
  • RPM 4.14
  • LibreOffice 6.0; this reached RC quality, which the maintainer declared ‘fit for use’ (KDE users will get the KDE4-based UI back)
  • KDE Frameworks 5.41
  • CMake logic change: newer python versions will be favored (meaning, python3)
  • The YaST Team’s libstorage-ng reimplementation

This all promises to be some interesting time ahead of us.


Thursday
04 January, 2018


Michael Meeks: 2018-01-04 Thursday

21:00 UTC

  • Mail chew; admin, sync with Jona, then Kendy, ESC call.
  • Irritated by dish-washer, why is it that a dish-washer cannot have a colored LED on the front with a large diffuser that shows green: if it has been through a wash-cycle, and the door has not been opened yet (i.e. 'clean'), that slowly decays into red over a minute or so after opening the door. The current effort has an un-lit display to denote both dirty and clean states, with a lit-up one for washing; hey ho.


Hi folks,

By now you probably heard about the new “Spectre” and “Meltdown” side channel
attacks against current processors.

openSUSE, same as almost all other current operating systems, is affected by
these problems.

For SUSE Linux Enterprise we posted these blog and technical information
pages that in their descriptions also match openSUSE, so I would not duplicate
all of this information:

https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/

https://www.suse.com/support/kb/doc/?id=7022512

SUSE engineers have been working with other hardware and operating system
vendors over the last weeks to prepare patches to mitigate these flaws
and have been preparing updates.

As the embargo was lifted last night, we could now also start openSUSE
updates.

For openSUSE Leap 42.2 and 42.3, we have the advantage that the
kernel codebase is shared between SUSE Linux Enterprise 12 SP2 and SP3
respectively, so the work mostly consisted of simply merging git branches.

The openSUSE Leap 42.2 and 42.3 kernel updates are currently building
and once they have passed a quick openQA check they will be released.

For openSUSE Tumbleweed we have ported patches on top of Linux Kernel 4.14
and a submission against the Factory projects has been done.

Here also a quick openQA check will be run and then it will be released
for our Tumbleweed users in the next days.

Additionally, these updates are also accompanied by ucode-intel,
kernel-firmware and qemu updates needed for one variant of the Spectre
attack.

Regards,

Marcus Meissner & the openSUSE Security Team
