Planet Ubuntu

Planet Ubuntu - http://planet.ubuntu.com/

Sebastian Kügler: Desk lamp

Sat, 20/07/2019 - 6:02pm
desk lamp with mirror behind

Some time ago, I wanted to make my own desk lamp. It should provide soft, bright task lighting above my desk, no sharp shadows that could cover part of my work area, but also some atmospheric lighting around the desk in my basement office. The lamp should have a natural look around it, but since I made it myself, I also didn’t mind exposing some of its internals.

SMD5050 LED strips

I had oak floor boards that I got from a friend (thanks, Wendy!) lying around, which I used as base material for the lamp. I combined these with some RGBW LED strips that I had lying around, and a wireless controller that would allow me to connect the lamp to my Philips Hue lighting system, that I use throughout the house to control the lights. I sanded the wood until it was completely smooth, and then gave it an oiled finish to make it durable and give it a more pronounced texture.

Fixed to the ceiling Internals of the desk lamp

The center board is covered in 0.5mm aluminium sheets to dissipate heat from the LED strips (again, making them last longer) and provide some extra diffusion of the light. This material is easy to work with, and also very suitable to stick the led strips to. For the light itself, I used SMD5050 LED strips that can produce warm and cold white light, as well as RGB colors. I put 3 rows of strips next to each other to provide enough light. The strips wrap around at the top, so light is not just shining down on my desk, but also reflecting from walls and ceiling around it. The front and back are another piece of wood to avoid looking directly into the LEDs, which would be distractive, annoying when working and also quite ugly. I attached a front and back board as well to the lamp, making it into an H shape.

Light reflects nicely from surrounding surfaces

The controller (a Gledopto Z-Wave controller, that is compatible with Philips Hue) is attached to the center board as well, so I just needed to run 2 12V wires to the lamp. I was being a bit creative here, and thought “why not use the power cables also to have the lamp hanging from the ceiling?”. I used coated steel wire, which I stripped here and there to have power run through steel hooks screwed into the ceiling to supply the lamp with power while also being able to adjust its height. This ended up creating a rather clean look for the whole lamp and really brought the whole thing together.

Ubuntu Podcast from the UK LoCo: S12E15 – Diablo

Fri, 19/07/2019 - 4:00pm

This week we’ve been buying a new phone and playing with QEMU. We discuss the release of Debian 10, Ubuntu users saying “Thank you”, Nvidia drivers, WSL and Ubuntu MATE for the GPD MicroPC. We also round up some events and tech news.

It’s Season 12 Episode 15 of the Ubuntu Podcast! Mark Johnson, Martin Wimpress and Stuart Langridge are connected and speaking to your brain.

In this week’s show:

That’s all for this week! You can listen to the Ubuntu Podcast back catalogue on YouTube. If there’s a topic you’d like us to discuss, or you have any feedback on previous shows, please send your comments and suggestions to show@ubuntupodcast.org or Tweet us or Toot us or Comment on our Facebook page or comment on our sub-Reddit.

Canonical Design Team: Robot lifecycle management with Ubuntu

Fri, 19/07/2019 - 1:29pm

Lifecycle management entails fulfilling changing requirements over time. However, there is a gap that the existing robot development frameworks do not address, making it challenging to tackle system-level requirements (fault tolerance, system safety, maintainability, interoperability or reusability etc…). Ubuntu Core aims at closing this gap by complementing existing frameworks with a set of tools that enable the long term viability of robotic projects. Referring to system life cycle standard ISO/IEC 15288, we will describe how Ubuntu Core enables success in each specified stage.


ISO/IEC 15288: System Life Cycle Concept and Development phases: accelerating prototyping

Ubuntu makes it really easy to start a robotic POC by removing all the barriers that an innovator may encounter in getting a project off the ground. Developers can embed Ubuntu at no cost to their hardware of choice. Being open source, it is also easy to tailor Ubuntu to the specific needs of a project. Developers love Ubuntu. This popularity brings the benefits of broad community support and therefore a large pool of developers to contribute to, or help you troubleshoot your applications. What’s more, the popularity of Ubuntu drives off-the-shelf development board support, making it easy to find suitable hardware to start prototyping.

Development and production phases: bringing continuous delivery and integration to robotics

Delivering software upgrades to a fleet of robots operating in the field is a tedious task involving manual intervention and disrupted operations. As a consequence, bug fixes are very costly to deploy. Additionally, the lack of agility in the delivery of security upgrades exposes the fleet to security vulnerabilities. To reduce this exposure, Ubuntu Core makes use of snaps. These are containerised software packages that are upgraded automatically. Snapcraft, the developer tool dedicated to the creation and delivery of snaps, is easy to integrate into CI pipelines. On the operations side, Snapd is a tool that exposes an API to automate the deployment of snaps on robots in the field. Channels and tracks allow for the deployment of different versions of the software on the same fleet, or even on the same unit. Software can be tested on dedicated units before it is rolled out to an entire fleet.

Utilisation phase: unlocking new revenue models

Snaps open the door for robotics-as-a-platform. Robots embedded with Ubuntu Core will not be expensive single purpose assets anymore, but rather channels for services mediated by software-defined hardware. This is an important paradigm shift with the potential to unlock new business models and stimulate innovation in robotics. From application marketplaces to paid add-ons, or pay per use, new avenues to generate recurring revenue from a robot become possible.

Support phase: security and reliability through cloud integration

Ubuntu Core is designed as a security-first OS. The system is tamper-resistant and processes are strictly confined to their own environments. In addition to this inherent security, maintenance of system security is assured for as long as 10 years through Extended Security Maintenance (ESM). Snaps update automatically, which means that non-disruptive updates are provided continuously. This happens in a transactional manner that preserves data and rolls back on error, assuring system reliability.

Retirement phase: stretching the useful life of robots

The snap packages underlying Ubuntu Core enable function virtualisation. New functionalities can be packaged and delivered to a robot through self-contained snaps at any point of its service life. For instance, machine learning capabilities can be added to an existing cleaning robot, extending the scope of its functionalities. The ability to push new functions to a robot can be leveraged to delay their obsolescence. This will stretch the useful life of robot fleets, with a positive effect on the overall economics for both operators and makers of robots. This capability will have repercussions on the hardware architecture of robots. Makers will be incentivised to build more robots as futureproof platforms. Hardware and software upgrades will be delivered during the life of robots to make them evolve, pushing back the boundaries of obsolescence.


The post Robot lifecycle management with Ubuntu appeared first on Ubuntu Blog.

Kubuntu General News: Kubuntu 18.10 reaches end of life

Fri, 19/07/2019 - 11:32am

Kubuntu 18.10 Cosmic Cuttlefish was released on October 18th 2018 with 9 months support. As of 18th July 2019, 18.10 reaches ‘end of life’. No more package updates will be accepted to 18.10, and it will be archived to old-releases.ubuntu.com in the coming weeks.

The official end of life announcement for Ubuntu as a whole can be found here [1].

Kubuntu 19.04 Disco Dingo continues to be supported, receiving security and high-impact bugfix updates until January 2020.

Users of 18.10 can follow the Kubuntu 18.10 to 19.04 Upgrade [2] instructions.

Should for some reason your upgrade be delayed, and you find that the 18.10 repositories have been archived to old-releases.ubuntu.com, instructions to perform an EOL Upgrade can be found on the Ubuntu wiki [3].

Thank you for using Kubuntu 18.10 Cosmic Cuttlefish.

The Kubuntu team.

[1] – https://lists.ubuntu.com/archives/ubuntu-announce/2019-July/000247.html
[2] – https://help.ubuntu.com/community/DiscoUpgrades/Kubuntu
[3] – https://help.ubuntu.com/community/EOLUpgrades

Daniel Pocock: Codes of Conduct and Hypocrisy

Fri, 19/07/2019 - 9:20am

In recent times, there has been increasing attention on all forms of abuse and violence against women.

Many types of abuse are hidden from public scrutiny. Yet there is one that is easily visible: the acid attack.

Reshma Qureshi, pictured above, was attacked by an estranged brother-in-law. He had aimed to attack her sister, his ex-wife. This reveals one of the key attributes of these attacks: they are often perpetrated by somebody who the victim trusted.

When so many other forms of abuse are hidden, why is the acid attack so visible? This is another common theme: the perpetrator is often motivated to leave lasting damage, to limit the future opportunities available to the victim. It is not about hurting the victim, it is about making sure they will be rejected by others.

It is disturbing then that we find similar characteristics in online communities. Debian and Wikimedia (beware: scandal) have both recently decided to experiment with publicly shaming, humiliating and denouncing people. In the world of technology, trust is critical. People in positions of leadership have found that a simple email to the press can be used to undermine trust in a rival, leaving a smear that will linger, like the scars intended by Qureshi's estranged brother-in-law. Here is an example:

Jackson's virtual acid attack was picked up by at least one journalist and used to create a news story.

Some people spend endless hours talking (or writing) about safety and codes of conduct, yet they seem to completely miss the point. Personally, I don't object to codes of conduct, but we have to remember that not all codes of conduct are equal. In practice, the use of codes of conduct in many free software communities today looks like this:

If you search for sample codes of conduct online, you may well find some organizations use alternative titles, such as a statement of member's rights and obligations. This reminds us that you need to have both.

When we see organizations like FSFE and Debian trying to make up excuses to explain why members can't be members of their respective legal bodies, what they are really saying is that they want the members to have less rights.

When you have obligations without rights, you end up with slavery and cult-like phenomena.

History lessons

One of the first codes of conduct may be the Magna Carta from the year 1215. Lord Denning described it as the greatest constitutional document of all times – the foundation of the freedom of the individual against the arbitrary authority of the despot.

In other words, 800 years ago in medieval England they came to the conclusion that members of a community couldn't be punished arbitrarily.

What is significant about this document is that the king himself chose to be subjected to this early code of conduct.

An example of rights

In 2016, when serious accusations of sexual misconduct were made against a volunteer who participates in multiple online communities, the Debian Account Managers sent him a threat of expulsion and gave him two days to respond.

Yet in 2018, when Chris Lamb decided to indulge in removing members from the Debian keyring, he simply did it spontaneously, using the Debian Account Managers as puppets to do his bidding. Members targeted by these politically-motivated assassinations weren't given the same two day notice period as the person facing allegations of sexual assault.

Two days hardly seems like sufficient time to respond to such allegations, especially for the member who was ambushed the week before Christmas. What if such a message was sent when he was already on vacation and didn't even receive the message until January? Nonetheless, however crude, a two day response period is a process. Chris Lamb threw that process out the window. There is something incredibly arrogant about that, a leader who doesn't need to listen to people before making such a serious decision, it is as if he thinks being Debian Project Leader is equivalent to being God.

The Universal Declaration of Human Rights, Article 10 tells us that Everyone is entitled in full equality to a fair and public hearing by an independent and impartial tribunal, in the determination of his rights and obligations. They were probably thinking about more than a two day response period when they wrote that.

Any organization seeking to have a credible code of conduct seeks to have a clause equivalent to article 10. Yet the recent scandals in Debian and Wikimedia demonstrate what happens in the absence of such clauses. As Lord Denning put it, without any process or hearing, members are faced with the arbitrary authority of the despot.

The trauma of incarceration

In her FOSDEM 2019 talk about Enforcement, Molly de Blanc has chosen pictures of a cat behind bars and a cat being squashed in a sofa.

It is abhorrent that de Blanc chose to use this imagery just three days after another member of the Debian community passed away. Locking up people (or animals) is highly abusive and not something to joke about. For example, we wouldn't joke with a photo of an animal being raped, so why is it OK to display an image of a cat behind bars?

Deaths in custody are a phenomenon that is both disturbing and far too common. Debian's founder had taken his life immediately after a period of incarceration.

Virtual incarceration

The system of secretly shaming people, censoring people, demoting people and running huge lynching threads on the debian-private mailing list has many psychological similarities to incarceration.

Here is a snapshot of what happens on debian-private:

It resembles the medieval practice of locking people in the pillory or stocks and inviting the rest of the community to throw rocks and garbage at them.

How would we feel if somebody either responded to this virtual lynching with physical means, or if they took their own life or the lives of other people? In my earlier blog about secret punishments, I referred to the research published in Social Psychology of Education which found that psychological impacts of online bullying, which includes shaming, are just as harmful as the psychological impact from child abuse.

Would you want to holiday in a village that re-introduced this type of cruel punishment? It turns out, studies have also shown that witnesses to the bullying, which could include any subscribers to the debian-private mailing list, may be suffering as much or more harm than the victims.

If Debian's new leader took bullying seriously, he would roll back all decisions made through such vile processes, delete all evidence of the bullying from public mailing list archives and give a public statement to confirm that the organization failed. Instead, we see people continuing to try and justify a kangaroo court, using grievance procedures sketched on the back of a napkin.

What is leadership for?

It is generally accepted that leaders of modern organizations should act to prevent lynchings and mobbings in their organizations. Yet in recent cases in both Debian and Wikimedia, it appears that the leaders have been the instigators, using the lynching to turn opinion against their victims before there is any time to analyse evidence or give people a fair hearing.

What's more, many people have formed the impression that Molly de Blanc's talks on this subject are not only encouraging these practices but also trolling the victims. She is becoming a trauma trigger for anybody who has ever been bullied.

Looking over the debian-project mailing list since December 2018, it appears all the most abusive messages, such as the call for dirt on another member, or the public announcement that a member is on probation, have been written by people in a position of leadership or authority, past or present. These people control the infrastructure, they know the messages will reach a lot of people and they intend to preserve them publicly for eternity. That is remarkably similar to the mindset of the men who perpetrate acid attacks on women they can't control.

Therefore, if the leader of an organization repeatedly indulges himself, telling volunteers they are not real developers, has he really made them less of a developer, or has he simply become less of a leader, demoting himself to become one of the despots Lord Denning refers to?

The Fridge: Ubuntu 18.10 (Cosmic Cuttlefish) End of Life reached on July 18, 2019

Fri, 19/07/2019 - 7:34am

This is a follow-up to the End of Life warning sent earlier this month to confirm that as of today (July 18, 2019), Ubuntu 18.10 is no longer supported. No more package updates will be accepted to 18.10, and it will be archived to old-releases.ubuntu.com in the coming weeks.

The original End of Life warning follows, with upgrade instructions:

Ubuntu announced its 18.10 (Cosmic Cuttlefish) release almost 9 months ago, on October 18, 2018. As a non-LTS release, 18.10 has a 9-month support cycle and, as such, the support period is now nearing its end and Ubuntu 18.10 will reach end of life on Thursday, July 18th.

At that time, Ubuntu Security Notices will no longer include information or updated packages for Ubuntu 18.10.

The supported upgrade path from Ubuntu 18.10 is via Ubuntu 19.04. Instructions and caveats for the upgrade may be found at:

https://help.ubuntu.com/community/DiscoUpgrades

Ubuntu 19.04 continues to be actively supported with security updates and select high-impact bug fixes. Announcements of security updates for Ubuntu releases are sent to the ubuntu-security-announce mailing list, information about which may be found at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Since its launch in October 2004 Ubuntu has become one of the most highly regarded Linux distributions with millions of users in homes, schools, businesses and governments around the world. Ubuntu is Open Source software, costs nothing to download, and users are free to customise or alter their software in order to meet their needs.

Originally posted to the ubuntu-announce mailing list on Fri Jul 19 00:10:53 UTC 2019 by Adam Conrad, on behalf of the Ubuntu Release Team

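Canonical Design Team: Enterprise professional support: an introduction to Ubuntu Advantage

Fri, 19/07/2019 - 3:27am

Ubuntu Advantage for Infrastructure provides a single, per-node package of support for the industry's most comprehensive software, security and IaaS. With the addition of OpenStack and Kubernetes support, UA for Infrastructure provides everything needed to future-proof the data center. Ubuntu Advantage is also the professional technical support that Canonical provides to enterprises, intended to reduce the cost of maintaining production environments and to keep enterprise production and services running normally and free from security threats.

Ubuntu Advantage provides enterprises with security and compliance support, reducing complexity and cost while improving efficiency. Ubuntu Advantage for Infrastructure helps leading organizations around the world manage their Ubuntu deployments in production. (Ubuntu Advantage is referred to below as UA.)
It includes:

  • Extended Security Maintenance (ESM) updates
  • Kernel live patch service, which avoids reboots
  • Landscape on-premises systems management tool
  • 24×7 phone and ticket support
  • Support for OpenStack, Kubernetes, Ceph/Swift and more
  • Knowledge base access
  • IP (intellectual property) legal assurance program
  • FIPS 140-2 certified cryptographic modules and Common Criteria

Extended Security Maintenance (ESM) updates

Extended Security Maintenance (ESM), through UA for Infrastructure, ensures the continued security and integrity of Ubuntu Long Term Support (LTS) systems.

The Canonical Ubuntu security team provides fixes for high-severity vulnerabilities and known security risks in commonly used server packages in the Ubuntu main archive. This includes support for 12.04 LTS and 14.04 LTS.

Kernel live patch (kernel hot-patching service)

Kernel live patch: patch high-severity kernel vulnerabilities without rebooting. Its features are:

  • Automatically patches security vulnerabilities without a system reboot
  • Reduces download time and adds security assurance for your LTS systems
  • Included in UA for Infrastructure

UA price list:

The prices mentioned below are as of 19 July 2019 and include the Extended Security Maintenance (ESM) update service. For the latest prices, visit this page or contact us.

1. Virtual Server

  • Basic edition: US$75/year
  • Standard edition: US$250/year
  • Advanced edition: US$500/year

Description of the support included in each edition (top to bottom corresponds to left to right)

2. Physical Server

UA services can only be provided for physical servers that have passed Canonical's server certification process. For the list of certified servers, see: link

  • Basic edition: US$225/year
  • Standard edition: US$750/year
  • Advanced edition: US$1500/year

Description of the support included in each edition (top to bottom corresponds to left to right)

3. Desktop

  • Basic edition: US$25/year (minimum purchase of 100 machines)
  • Standard edition: US$150/year (minimum purchase of 20 machines)
  • Advanced edition: US$300/year (minimum purchase of 10 machines)

Description of the support included in each edition (top to bottom corresponds to left to right)

For more, visit Ubuntu enterprise support. If you need other support services, please contact us.

The post Enterprise professional support: an introduction to Ubuntu Advantage appeared first on Ubuntu Blog.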

Podcast Ubuntu Portugal: Ep 59 – Snipe hunt

Thu, 18/07/2019 - 4:23pm

In this episode we once again had João Jotta and André Paula from Linuxtechpt taking part, and we discussed security and privacy practices and snaps. You know the drill: listen, subscribe and share!

  • https://linuxtech.pt/
  • https://ubucon.eu
  • https://sintra2019.ubucon.org/call-for-papers-announcement/
  • https://framaforms.org/volunteers-voluntarios-ubucon-europe-2019-sintra-1559899302

Support

This episode was produced and edited by Alexandre Carrapiço (Thunderclaws Studios – sound recording, production, editing, mixing and mastering); contact: thunderclawstudiosPT–arroba–gmail.com.

Another way to support us is to use the Humble Bundle affiliate links, because when you use those links to make a purchase, part of what you pay goes to Podcast Ubuntu Portugal.
And you can get all of this for 15 dollars, or different parts of it depending on whether you pay 1 or 8.
We think this is worth well over 15 dollars, so if you can, pay a little more, since you have the option of paying as much as you like.

  • Bundle suggestion:
  • https://www.humblebundle.com/books/open-source-bookshelf?partner=pup
  • https://www.humblebundle.com/books/programmable-boards-make-books?partner=pup

If you are interested in other bundles, add ?partner=pup to the end of the link for any bundle (the same way as in the suggested link) and you will also be supporting us.

Attribution and licenses

“Dingo” by PaulBalfe is licensed under CC BY 2.0

The theme music is: “Won’t see it comin’ (Feat Aequality & N’sorte d’autruche)”, by Alpha Hydrae, and is licensed under the [CC0 1.0 Universal License](https://creativecommons.org/publicdomain/zero/1.0/).

This episode is licensed under: Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0), the full text of which can be read here. We are open to licensing for other types of use; contact us for validation and authorization.

Raphaël Hertzog: Freexian’s report about Debian Long Term Support, June 2019

Thu, 18/07/2019 - 2:08pm

Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In June, 201 work hours have been dispatched among 14 paid contributors. Their reports are available:

  • Abhijith PA did 7 hours (out of 14 hours allocated plus 7 extra hours from May, thus carrying over 14h to July).
  • Adrian Bunk did 6 hours (out of 8 hours allocated plus 8 extra hours from May, thus carrying over 10h to July).
  • Ben Hutchings did 17 hours (out of 17 hours allocated).
  • Brian May did 10 hours (out of 10 hours allocated).
  • Chris Lamb did 17 hours (out of 17 hours allocated plus 0.25 extra hours from May, thus carrying over 0.25h to July).
  • Emilio Pozuelo Monfort did not provide his June report yet. (He got 17 hours allocated and carried over 0.25h from May).
  • Hugo Lefeuvre did 4.25 hours (out of 17 hours allocated and he gave back 12.75 hours to the pool, thus he’s not carrying over any hours to July).
  • Jonas Meurer did 16.75 hours (out of 17 hours allocated plus 1.75h extra hours from May, thus he is carrying over 2h to July).
  • Markus Koschany did 17 hours (out of 17 hours allocated).
  • Mike Gabriel did 9.75 hours (out of 17 hours allocated, thus carrying over 7.25h to July).
  • Ola Lundqvist did 4.5 hours (out of 8 hours allocated plus 6h from June, then he gave back 1.5h to the pool, thus he is carrying over 8h to July).
  • Roberto C. Sanchez did 8 hours (out of 8 hours allocated).
  • Sylvain Beucler did 17 hours (out of 17 hours allocated).
  • Thorsten Alteholz did 17 hours (out of 17 hours allocated).
DebConf sponsorship

Thanks to the Extended LTS service, Freexian has been able to invest some money in DebConf sponsorship. This year, Debconf attendees should have Debian LTS stickers and flyer in their welcome bag. And while we were thinking of marketing, we also opted to create a promotional video explaining LTS and Freexian’s offer. This video will be premiered at Debconf 19!

Evolution of the situation

We continue to look for new contributors. Please contact Holger if you are interested in becoming a paid LTS contributor.

The security tracker (now for oldoldstable as Buster has been released and thus Stretch became oldoldstable) currently lists 41 packages with a known CVE and the dla-needed.txt file has 43 packages needing an update.

Thanks to our sponsors

New sponsors are in bold.


Ubuntu Studio: Ubuntu Studio 18.10 Reaches End-Of-Life (EOL)

Thu, 18/07/2019 - 3:00am
As of today, July 18, 2019, Ubuntu Studio 18.10 has reached the end of its support cycle. We strongly urge all users of 18.10 to upgrade to Ubuntu Studio 19.04 for support through January 2020 and then after the release of Ubuntu Studio 19.10, codenamed Eoan Ermine, in October 2019 which will also be supported […]

Kees Cook: security things in Linux v5.2

Thu, 18/07/2019 - 2:07am

Previously: v5.1.

Linux kernel v5.2 was released last week! Here are some security-related things I found interesting:

page allocator freelist randomization
While the SLUB and SLAB allocator freelists have been randomized for a while now, the overarching page allocator itself wasn’t. This meant that anything doing allocation outside of the kmem_cache/kmalloc() would have deterministic placement in memory. This is bad both for security and for some cache management cases. Dan Williams implemented this randomization under CONFIG_SHUFFLE_PAGE_ALLOCATOR now, which provides additional uncertainty to memory layouts, though at a rather low granularity of 4MB (see SHUFFLE_ORDER). Also note that this feature needs to be enabled at boot time with page_alloc.shuffle=1 unless you have direct-mapped memory-side-cache (you can check the state at /sys/module/page_alloc/parameters/shuffle).

stack variable initialization with Clang
Alexander Potapenko added support via CONFIG_INIT_STACK_ALL for Clang’s -ftrivial-auto-var-init=pattern option that enables automatic initialization of stack variables. This provides even greater coverage than the prior GCC plugin for stack variable initialization, as Clang’s implementation also covers variables not passed by reference. (In theory, the kernel build should still warn about these instances, but even if they exist, Clang will initialize them.) Another notable difference between the GCC plugins and Clang’s implementation is that Clang initializes with a repeating 0xAA byte pattern, rather than zero. (Though this changes under certain situations, like for 32-bit pointers which are initialized with 0x000000AA.) As with the GCC plugin, the benefit is that the entire class of uninitialized stack variable flaws goes away.

Kernel Userspace Access Prevention on powerpc
Like SMAP on x86 and PAN on ARM, Michael Ellerman and Russell Currey have landed support for disallowing access to userspace without explicit markings in the kernel (KUAP) on Power9 and later PPC CPUs under CONFIG_PPC_RADIX_MMU=y (which is the default). This is the continuation of the execute protection (KUEP) in v4.10. Now if an attacker tries to trick the kernel into any kind of unexpected access from userspace (not just executing code), the kernel will fault.

Microarchitectural Data Sampling mitigations on x86
Another set of cache memory side-channel attacks came to light, and were consolidated together under the name Microarchitectural Data Sampling (MDS). MDS is weaker than other cache side-channels (less control over target address), but memory contents can still be exposed. Much like L1TF, when one’s threat model includes untrusted code running under Symmetric Multi Threading (SMT: more logical cores than physical cores), the only full mitigation is to disable hyperthreading (boot with “nosmt”). For all the other variations of the MDS family, Andi Kleen (and others) implemented various flushing mechanisms to avoid cache leakage.

unprivileged userfaultfd sysctl knob
Both FUSE and userfaultfd provide attackers with a way to stall a kernel thread in the middle of memory accesses from userspace by initiating an access on an unmapped page. While FUSE is usually behind some kind of access controls, userfaultfd hadn’t been. To avoid things like Use-After-Free heap grooming, Peter Xu added the new “vm.unprivileged_userfaultfd” sysctl knob to disallow unprivileged access to the userfaultfd syscall.

temporary mm for text poking on x86
The kernel regularly performs self-modification with things like text_poke() (during stuff like alternatives, ftrace, etc). Before, this was done with fixed mappings (“fixmap”) where a specific fixed address at the high end of memory was used to map physical pages as needed. However, this resulted in some temporal risks: other CPUs could write to the fixmap, or there might be stale TLB entries on removal that other CPUs might still be able to write through to change the target contents. Instead, Nadav Amit has created a separate memory map for kernel text writes, as if the kernel is trying to make writes to userspace. This mapping ends up staying local to the current CPU, and the poking address is randomized, unlike the old fixmap.

ongoing: implicit fall-through removal
Gustavo A. R. Silva is nearly done with marking (and fixing) all the implicit fall-through cases in the kernel. Based on the pull request from Gustavo, it looks very much like v5.3 will see -Wimplicit-fallthrough added to the global build flags and then this class of bug should stay extinct in the kernel.

That’s it for now; let me know if you think I should add anything here. We’re almost to -rc1 for v5.3!

© 2019, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
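
Added example, not part of Kees Cook's post: a small audit that reports the runtime state of three knobs discussed above (page allocator shuffling, vm.unprivileged_userfaultfd, and the MDS/SMT state). The function names and the ROOT argument are hypothetical; /proc/sys/vm/unprivileged_userfaultfd is assumed as the procfs form of the sysctl, and /sys/devices/system/cpu/vulnerabilities/mds is the kernel's vulnerability report file, which the post does not mention.

```sh
#!/bin/sh
# Added example (not from the original post). Every function takes a ROOT
# prefix so the checks can run against the live system ("") or against a
# copied or constructed tree.

# Print the first line of ROOT+PATH, or "absent" if it cannot be read
# (missing, or not readable by the current user).
read_knob() {
    if [ -r "$1$2" ]; then
        head -n 1 "$1$2"
    else
        echo absent
    fi
}

# Page allocator freelist randomization: the module parameter reads "Y" when
# shuffling is active (page_alloc.shuffle=1 at boot, or auto-enabled).
check_shuffle() {
    case "$(read_knob "$1" /sys/module/page_alloc/parameters/shuffle)" in
        Y) echo on ;;
        N) echo off ;;
        *) echo unsupported ;;
    esac
}

# vm.unprivileged_userfaultfd: 0 restricts userfaultfd to privileged callers.
check_userfaultfd() {
    case "$(read_knob "$1" /proc/sys/vm/unprivileged_userfaultfd)" in
        0) echo restricted ;;
        1) echo unrestricted ;;
        *) echo unsupported ;;
    esac
}

# MDS: the kernel reports the buffer-clearing state and the SMT state in one
# line. Buffer clearing with SMT still active is reported separately because
# only disabling SMT is a full mitigation when untrusted code shares a core.
check_mds() {
    mds_line=$(read_knob "$1" /sys/devices/system/cpu/vulnerabilities/mds)
    case "$mds_line" in
        "Not affected") echo not-affected ;;
        Mitigation:*"SMT vulnerable"*) echo mitigated-smt-exposed ;;
        Mitigation:*) echo mitigated ;;
        Vulnerable*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Run all checks, print one line per knob, then "findings=N" where N counts
# the knobs that are not in the hardened state described in the post.
audit_v52() {
    root=$1
    findings=0
    s=$(check_shuffle "$root")
    u=$(check_userfaultfd "$root")
    m=$(check_mds "$root")
    echo "page_alloc.shuffle: $s"
    echo "vm.unprivileged_userfaultfd: $u"
    echo "mds: $m"
    if [ "$s" != on ]; then findings=$((findings + 1)); fi
    if [ "$u" != restricted ]; then findings=$((findings + 1)); fi
    case "$m" in
        not-affected|mitigated) ;;
        *) findings=$((findings + 1)) ;;
    esac
    echo "findings=$findings"
}

# Audit the live system by default, or the tree given as the first argument.
audit_v52 "${1:-}"
```

On a kernel older than v5.2 the first two knobs report "unsupported", which the audit counts as findings.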

Canonical Design Team: Issue #2019.07.22 – Kubeflow and Conferences, 2019

Wed, 17/07/2019 - 5:50pm
  • Kubeflow at OSCON 2019 – Over 10 sessions! Covering security, pipelines, productivity, ML ops and more. Some of the sessions are led by end-users, which means you’ll get the real deal about using Kubeflow in your production solution
  • Kubeflow at KubeCon Europe 2019 in Barcelona – The top Kubeflow events from Kubecon in Barcelona, 2019. Tutorials, Pipelines, and Kubeflow 1.0 ruminations. The discussion on when Kubeflow will reach 1.0 should be of interest to those waiting for that milestone.
  • Kubeflow Contributor Summit 2019 – Presentations and Slide decks, 22+ of them. Reviewing them will help you understand how the sausage is made. One of the interesting videos focuses on a panel discussion with machine learning practitioners and experts discussing the dynamics of machine learning at their workplace.
  • Kubeflow events calendar – Find a past or future event. This is a great resource for reviewing content from community leaders and leveling up on the current state of Kubeflow. If you are aware of something that is missing, feel free to add the content through github – become a community member! 
  • Use Case Spotlight: IBM’s photo-scraping scandal shows what a weird bubble AI researchers live in. This bubble is all about data – who owns it, who can monopolize it, who is monetizing it, and what the expectations around it are. The expectations are the crux of the issue – people using the data may be at odds with the people supplying the data.

The post Issue #2019.07.22 – Kubeflow and Conferences, 2019 appeared first on Ubuntu Blog.

Daniel Pocock: Google, Money and Censorship in Free Software communities

Wed, 17/07/2019 - 12:05am

On 30 June 2019, I sent the email below to the debian-project mailing list.

It never appeared.

Alexander Wirt (formorer) has tried to justify censoring the mailing list in various ways. Wirt has multiple roles, as both Debian mailing list admin and also one of Debian's GSoC administrators and mentors. Google money pays for interns to do work for him. It appears he has a massive conflict of interest when using the former role to censor posts about Google, which relates to the latter role and its benefits.

Wirt has also made public threats to censor other discussions, for example, the DebConf Israel debate. In that case he has wrongly accused people of antisemitism, leaving people afraid to speak up again. The challenges of holding a successful event in that particular region require a far more mature approach, not a monoculture.

Why are these donations and conflicts of interest hidden from the free software community who rely on, interact with and contribute to Debian in so many ways? Why doesn't Debian provide a level playing field, why does money from Google get this veil of secrecy?

Is it just coincidence that a number of Google employees who spoke up about harassment are forced to resign and simultaneously, Debian Developers who spoke up about abusive leadership are obstructed from competing in elections? Are these symptoms of corporate influence?

Is it coincidence that the three free software communities censoring my recent blog about human rights from their Planet sites (FSFE, Debian and Mozilla, evidence of censorship) are also the communities where Google money is a disproportionate part of the budget?

Could the reason for secrecy about certain types of donation be motivated by the knowledge that unpleasant parts of the donor's culture also come along for the ride?

The email the cabal didn't want you to see

Subject: Re: Realizing Good Ideas with Debian Money
Date: Sun, 30 Jun 2019 23:24:06 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: debian-project@lists.debian.org, debian-devel@lists.debian.org

On 29/05/2019 13:49, Sam Hartman wrote:
>
> [moving a discussion from -devel to -project where it belongs]
>
>>>>>> "Mo" == Mo Zhou <lumin@debian.org> writes:
>
> Mo> Hi,
> Mo> On 2019-05-29 08:38, Raphael Hertzog wrote:
> >> Use the $300,000 on our bank accounts?
>
> So, there were two $300k donations in the last year.
> One of these was earmarked for a DSA equipment upgrade.

When you write that it was earmarked for a DSA equipment upgrade, do you mean that was a condition imposed by the donor or it was the intention of those on the Debian side of the transaction? I don't see an issue either way but the comment is ambiguous as it stands.

Debian announced[1] a $300k donation from Handshake foundation.

I couldn't find any public disclosure about other large donations and the source of the other $300k.

In Bits from the DPL (December 2018), former Debian Project Leader (DPL) Chris Lamb opaquely refers[2] to a discussion with Cat Allman about a "significant donation". Although there is a link to Google later in Lamb's email, Lamb fails to disclose the following facts:

- Cat Allman is a Google employee (some people would already know that, others wouldn't)
- the size of the donation
- any conditions attached to the donation
- private emails from Chris Lamb indicated he felt some pressure, influence or threat from Google shortly before accepting their money

The Debian Social Contract[3] states that Debian does not hide our problems. Corporate influence is one of the most serious problems most people can imagine, why has nothing been disclosed?

Therefore, please tell us,

1. who did the other $300k come from?
2. if it was not Google, then what is the significant donation from Cat Allman / Google referred[2] to in Bits from the DPL (December 2018)?
3. if it was from Google, why was that hidden?
4. please disclose all conditions, pressure and influence relating to any of these donations and any other payments received

Regards,

Daniel

1. https://www.debian.org/News/2019/20190329
2. https://lists.debian.org/debian-devel-announce/2018/12/msg00006.html
3. https://www.debian.org/social_contract

Censorship on the Google Summer of Code Mentor's mailing list

Google also operates a mailing list for mentors in Google Summer of Code. It looks a lot like any other free software community mailing list except for one thing: censorship.

Look through the "Received" headers of messages on the mailing list and you can find examples of messages that were delayed for some hours waiting for approval. It is not clear how many messages were silently censored, never appearing at all.

Recent attempts to discuss the issue on Google's own mailing list produced an unsurprising result: more censorship.

However, a number of people have since contacted me personally about their negative experiences with Google Summer of Code. I'm publishing below the message that Google didn't want you to see.

Subject: [GSoC Mentors] discussions about GSoC interns/students medical status
Date: Sat, 6 Jul 2019 10:56:31 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Google Summer of Code Mentors List <google-summer-of-code-mentors-list@googlegroups.com>

Hi all,

Just a few months ago, I wrote a blog lamenting the way some mentors have disclosed details of their interns' medical situations on mailing lists like this one. I asked[1] the question:

"Regardless of what support the student received, would Google allow their own employees' medical histories to be debated by 1,000 random strangers like this?"

Yet it has happened again. If only my blog hadn't been censored.

If our interns have trusted us with this sensitive information, especially when it concerns something that may lead to discrimination or embarrassment, like mental health, then it highlights the enormous trust and respect they have for us.

Many of us are great at what we do as engineers, in many cases we are the experts on our subject area in the free software community. But we are not doctors.

If an intern goes to work at Google's nearby office in Zurich, then they are automatically protected by income protection insurance (UVG, KTG and BVG, available from all major Swiss insurers). If the intern sends a doctor's note to the line manager, the manager doesn't have to spend one second contemplating its legitimacy. They certainly don't put details on a public email list. They simply forward it to HR and the insurance company steps in to cover the intern's salary.

The cost? Approximately 1.5% of the payroll.

Listening to what is said in these discussions, many mentors are obviously uncomfortable with the fact that "failing" an intern means they will not even be paid for hours worked prior to a genuine accident or illness. For 1.5% of the program budget, why doesn't Google simply take that burden off the mentors and give the interns peace of mind?

On numerous occasions Stephanie Taylor has tried to gloss over this injustice with her rhetoric about how we have to punish people to make them try harder next year.

Many of our interns are from developing countries where they already suffer injustice and discrimination. You would have to be pretty heartless to leave these people without pay. Could that be why Googlespeak clings to words like "fail" and "student" instead of "not pay" and "employee"?

Many students from disadvantaged backgrounds, including women, have told me they don't apply at all because of the uncertainty about doing work that might never be paid. This is an even bigger tragedy than the time mentors lose on these situations.

Regards,

Daniel

1. https://danielpocock.com/google-influence-free-open-source-software-community-threats-sanctions-bullying/

--
Former Debian GSoC administrator
https://danielpocock.com

Ubucon Europe 2019: Our Diamond Sponsor – Ubuntu!

Tue, 16/07/2019 - 6:30pm

Our Diamond Sponsor of this event is Ubuntu, an open source software operating system that runs from the desktop, to the cloud, to all your internet connected things.

Linux was already established in 2004, but it was fragmented into proprietary and unsupported community editions, and free software was not a part of everyday life for most computer users. That’s when Mark Shuttleworth gathered a small team of Debian developers who together founded Canonical and set out to create an easy-to-use Linux desktop called Ubuntu.
However, the governance of Ubuntu is somewhat independent of Canonical, with volunteer leaders from around the world taking responsibility for many critical elements of the project. Mark Shuttleworth, as project founder, short-lists public nominees as candidates for the Community Council and Technical Board, and they in turn screen and nominate candidates for a wide range of boards, councils and teams that take responsibility for aspects of the project.

Thanks to them, we have received significant support to sustain our event and our journey to give you one of the best open source experiences in Sintra.

Want to jump on board as well?
Visit our Call for Sponsor post for more information.

Ubucon Europe 2019: Call for Sponsors

Tue, 16/07/2019 - 3:29pm
Corporate sponsorships

This event can only be possible thanks to our sponsors. Your investment helps us create a greater experience for the open source community, while you still benefit from a considerable amount of exposure.

If you are interested in sponsoring the event, please view the packages offered below and get in touch with us (the document describes how to do so).

CHECK OUR SPONSOR PACKAGES

Individual sponsorships

Individual sponsorships are donations made by individuals that help this Ubucon happen as well. Individual sponsors will not be provided with free tickets but will be highlighted on the website and during the event. Donate by clicking here

Balint Reczey: Introducing ubuntu-wsl, the package making Ubuntu better and better on WSL

Tue, 16/07/2019 - 9:31am

The Ubuntu apps for the Windows Subsystem for Linux provide the very same packages you can find on Ubuntu servers, desktops, cloud instances and containers, and this ensures maximal compatibility with other Ubuntu installations. Until recently there was little work done to integrate Ubuntu with the Windows system running the WSL environment, but now this is changing.

In Ubuntu, metapackages collect packages useful for a common purpose by depending on them, and ubuntu-wsl is the new metapackage that collects the integration packages to be installed on every Ubuntu WSL system. It pulls in wslu, “A collection of utilities for WSL”, to let you create shortcuts on the Windows desktop with wslusc, start the default Windows browser with wslview, and do a few other things.

With updates to the ubuntu-wsl metapackage we will add new features to Ubuntu WSL installations to make them even more comfortable to use, thus if you have an older installation please install the package manually:

sudo apt update
sudo apt install ubuntu-wsl

Oh, and one more thing: you can even set up sound and run graphical apps if you perform a few manual steps. For details check out https://wiki.ubuntu.com/WSL!

The Fridge: Ubuntu Weekly Newsletter Issue 587

Tue, 16/07/2019 - 12:18am

Welcome to the Ubuntu Weekly Newsletter, Issue 587 for the week of July 7 – 13, 2019. The full version of this issue is available here.

In this issue we cover:

The Ubuntu Weekly Newsletter is brought to you by:

  • Krytarik Raido
  • Bashing-om
  • Chris Guiver
  • Wild Man
  • And many others

If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!

Except where otherwise noted, this issue of the Ubuntu Weekly Newsletter is licensed under a Creative Commons Attribution ShareAlike 3.0 License

Full Circle Magazine: Full Circle Weekly News #139

Mon, 15/07/2019 - 8:43pm
System 76’s Linux-powered Thelio desktop now available with 3rd gen AMD Ryzen Processors
https://betanews.com/2019/07/07/system76-linux-thelio-amd-ryzen3/

PyOxidizer Can Turn Python Code Into Apps for Windows, MacOS, Linux

https://fossbytes.com/pyoxidizer-can-turn-python-code-apps-for-windows-macos-linux/

Thousands of Android Apps Can Track Your Phone — Even if You Deny Permissions
https://www.theverge.com/2019/7/8/20686514/android-covert-channel-permissions-data-collection-imei-ssid-location

Anubis Android Banking Malware Returns with Extensive Financial App Hit List
https://www.zdnet.com/article/anubis-android-banking-malware-returns-with-a-bang/

Mozilla Firefox and the Nomination for Internet Villain Award
https://itsfoss.com/mozilla-internet-villain/

Ubuntu LTS Will Now Get the Latest Nvidia Driver Updates
https://itsfoss.com/ubuntu-lts-latest-nvidia-drivers/

Credits:
Ubuntu “Complete” sound: Canonical
  Theme Music: From The Dust – Stardust

https://soundcloud.com/ftdmusic
https://creativecommons.org/licenses/by/4.0/

Thierry Carrez: Open source in 2019, Part 3/3

Mon, 15/07/2019 - 3:52pm

21 years in, the landscape around open source has evolved a lot. In part 1 and part 2 of this 3-part series, I explained why today, while open source is more necessary than ever, it appears to no longer be sufficient. In this part, I'll discuss what we, open source enthusiasts and advocates, can do about that.

This is not a call to change open source

First, let me clarify what we should not do.

As mentioned in part 2, since open source was coined in 1998, software companies have evolved ways to retain control while producing open source software, and in that process stripped users of some of the traditional benefits associated with F/OSS. But those companies were still abiding by the terms of the open source licenses, giving users a clear base set of freedoms and rights.

Over the past year, a number of those companies have decided that they wanted even more control, in particular control of any revenue associated with the open source software. They proposed new licenses, removing established freedoms and rights in order to be able to assert that level of control. The open source definition defines those minimal freedoms and rights that any open source software should have, so the Open Source Initiative (OSI), as steadfast guardians of that definition, rightfully resisted those attempts.

Those companies quickly switched to attacking OSI's legitimacy, pitching "Open Source" more as a broad category than a clear set of freedoms and rights. And they created new licenses, with deceptive naming ("community", "commons", "public"...) in an effort to blur the lines and retain some of the open source definition aura for their now-proprietary software.

The solution is not in redefining open source, or claiming it's no longer relevant. Open source is not a business model, or a constantly evolving way to produce software. It is a base set of user freedoms and rights expressed in the license the software is published under. Like all standards, its value resides in its permanence.

Yes, I'm of the opinion that today, "open source" is not enough. Yes, we need to go beyond open source. But in order to do that, we need to base that additional layer on a solid foundation: the open source definition.

That makes the work of the OSI more important than ever. Open source used to be attacked from the outside, proprietary software companies claiming open source software was inferior or dangerous. Those were clear attacks that were relatively easy to resist: it was mostly education and advocacy, and ultimately the quality of open source software could be used to prove our point. Now it's attacked from the inside, by companies traditionally producing open source software, claiming that it should change to better fit their business models. We need to go back to the basics and explain why those rights and freedoms matter, and why blurring the lines ultimately weakens everyone. We need a strong OSI to lead that new fight, because it is far from over.

A taxonomy of open source production models

As I argued in previous parts, how open source is built ultimately impacts the benefits users get. A lot of us know that, and we all came up with our own vocabulary to describe those various ways open source is produced today.

Even within a given model (say open collaboration between equals on a level playing field), we use different sets of principles: the OpenStack Foundation has the 4 Opens (open source, open development, open design, open community), the Eclipse Foundation has the Open Source Rules of Engagement (open, transparent, meritocracy), the Apache Foundation has the Apache Way... We all advocate for our own variant, focusing on differences rather than what we have in common: the key benefits those variants all enable.

This abundance of slightly-different vocabulary makes it difficult to rally around and communicate efficiently. If we have no clear way to differentiate good all-benefits-included open source from twisted some-benefits-withheld open source, the confusion (where all open source is considered equal) benefits the twisted production models. I think it is time for us to regroup, and converge around a clear, common classification of open source production models.

We need to classify those models based on which benefits they guarantee to the users of the produced software. Open-core does not guarantee availability, single-vendor does not provide sustainability nor does it allow you to efficiently engage and influence the direction of the software, while open-collaboration gives you all three.

Once we have this classification, we'll need to heavily communicate around it, with a single voice. As long as we use slightly different terms (or mean slightly different things when using common terms), we maintain confusion which ultimately benefits the most restrictive models.

Get together

Beyond that, I think we need to talk more. Open source conferences used to be all about education and advocacy: what is this weird way of producing software, and why you should probably be interested in it. Once open source became ubiquitous, that style of horizontal open source conference became less relevant, and was soon replaced by more vertical conferences around a specific stack or a specific use case.

This is a good evolution: this is what winning looks like. The issue is: the future of open source is not discussed anymore. We rest on our laurels, while the world continually evolves and adapts. Some open source conference islands may still exist, with high-level keynotes still raising the issues, but those are generally one-way conversations.

To do this important work of converging vocabulary and defining common standards on how open source is produced, Twitter won't cut it. To bootstrap the effort we'll need to meet, get around a table and take the time to discuss specific issues together. Ideally that would be done around some other event(s) to avoid extra travel.

And we need to do that soon. This work is becoming urgent. "Open source" as a standard has lots of value because of all the user benefits traditionally associated with free and open source software. That created an aura that all open source software still benefits from today. But that aura is weakening over time, thanks to twisted production models. How much more single-vendor open source can we afford until "open source" no longer means you can engage with the community and influence the direction of the software?

So here is my call to action, which concludes this series.

In 2019, open source is more important than ever. Open source has not "won", this is a continuous effort, and we are today at a critical juncture. I think open source advocates and enthusiasts need to get together, define clear, standard terminology on how open source software is built, and start communicating heavily around it with a single voice. And beyond that, we need to create forums where those questions on the future of open source are discussed. Because whatever battles you win today, the world does not stop evolving and adapting.

Obviously I don't have all the answers. And there are lots of interesting questions. It's just time we have a place to ask those questions and discuss the answers. If you are interested and want to get involved, feel free to contact me.

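Canonical Design Team: Deploying Kubernetes at the edge, Part 1: Building blocks

Mon, 15/07/2019 - 3:17pm

To help address the unique challenges of telecommunications, media, transportation, logistics, agriculture and other market segments, edge computing continues to attract attention and see strong growth. If you are new to edge computing architectures, the diagram below is a simple abstraction of the emerging architecture.

In this diagram, you can see that the edge cloud sits next to the field devices. In fact, there is a concept of extreme edge computing, which puts computing resources on the field devices themselves, that is, the leftmost circle. A gateway device that connects your office, your home appliances and all your sensors is an example of extreme edge computing.

What exactly is edge computing?

Edge computing is a variant of cloud computing in which your infrastructure services (compute, storage and networking) are placed physically closer to the field devices that generate the data. This gives you the dual benefit of lower latency and less network traffic. Lower latency improves the performance of field devices, enabling them not only to respond faster but also to respond to more events. Reducing network traffic helps lower costs and increase overall throughput: your core datacenter can support more field devices. Whether an application or service lives in the edge cloud or in the core datacenter depends on the use case.

How can you create an edge cloud?

An edge cloud should have at least two layers. Both layers maximise operational efficiency and developer productivity, and each is built in a different way.

The first layer is Infrastructure-as-a-Service (IaaS). In addition to providing compute and storage resources, the IaaS layer should satisfy the performance requirements of ultra-low latency and high bandwidth.

The second layer is the Kubernetes layer, which provides a common platform on which to run your applications and services. Using Kubernetes is of course optional, but today it has proven to be a platform that lets enterprises and organisations make full use of edge computing. You can deploy Kubernetes on field devices, edge clouds, core datacenters and public clouds. This multi-cloud deployment capability gives you complete flexibility to deploy workloads anywhere you choose. Kubernetes gives your developers the ability to simplify their devops practices and minimises the time spent integrating with heterogeneous operating environments.

The next question is how to deploy these layers. At Canonical, we achieve this by using well-defined, purpose-built technologies. Let's start with the IaaS layer that Kubernetes needs.

Physical infrastructure lifecycle management

The first step is to think about the physical infrastructure: which technology can manage the infrastructure more effectively and turn raw hardware into your IaaS layer. Here, Metal-as-a-Service (MAAS) has proven to be highly effective. MAAS provides the underlying systems for hardware discovery, giving you the flexibility to allocate compute resources and repurpose them dynamically. These systems expose bare-metal servers to a higher level of orchestration through open APIs, much as you would experience with OpenStack and public clouds.

With the latest MAAS release you can automatically create edge clouds based on KVM pods, which effectively enables operators to create virtual machines with pre-defined sets of resources (RAM, CPU, storage and over-subscription ratios). You can do this through the command line, the web interface and the MAAS API. You can also use Canonical's advanced orchestration solution, Juju, to build your own automation framework.

As we demonstrated during the OpenStack Summit in Berlin, MAAS can also be deployed in an optimised way to run on rack switches.

Orchestration of edge applications

Once discovery and provisioning of the physical infrastructure for the edge cloud is complete, the second step is to choose an orchestration tool that makes it easy to install Kubernetes, or any other software, on the edge infrastructure. With Juju you can simply install Charmed Kubernetes, a fully compliant upstream Kubernetes. With Kubernetes in place, you can install containerised workloads and give them the highest possible performance. In the telecommunications sector, workloads such as Container Network Functions (CNFs) are well suited to this architecture.

Charmed Kubernetes has other advantages too. It can run in a virtualised environment or directly on bare metal, and fully automated Charmed Kubernetes deployments are designed with high availability built in, allowing in-place, zero-downtime upgrades. This is a proven, truly resilient edge infrastructure architecture and solution. Another benefit of Charmed Kubernetes is its ability to automatically detect and configure GPGPU resources to accelerate AI model inference and containerised transcoding workloads.

Next steps

Once the appropriate technologies have been chosen, it is time to deploy the environment and start validating. The next blog post in this series will include hands-on examples.

The post Deploying Kubernetes at the edge, Part 1: Building blocks appeared first on Ubuntu Blog.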
