Developer Catchup: Bashed, Qubes R2, Linux from Scratch, RethinkDB, Material Bootstrapped and… COBOL?

Bashed: So the Bash bug is out there and real. These quick notes are still valid. The point is that this hideous feature (really, exporting function definitions through environment variables) is horrid and leaky by design, and it's only this bug in how that feature is implemented that's bringing it to the fore. CGI scripting, Qmail, and some SSH and DHCP services are all potentially vulnerable, so patch away, but be prepared to patch again because the lid is off this can of worms. The safest end point is, most probably, that the functionality goes away, but that's unlikely, and even if it did there'd still be old bash installs out there. Least helpful response – the FSF statement, which fails to apologise, then pats itself on the back that free software let the patches be shared, then rattles the donation tin. Funniest response – Brian J. Fox, Bash's creator, quoted in the NYT joking that his first response was "Aha, my plan worked".
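The leaky part of the feature is that a CGI front end copies request headers straight into environment variables, which is where bash's importer looks for function definitions. As an added example (not from the original post, and not bash's own code), here is the defender-side filter that front ends and WAFs deployed at the time: it flags any header value shaped like an exported function definition, the `() {` marker, before the request reaches a script. The header lines are constructed for illustration; `scan_headers` and `looks_like_function_export` are names chosen here.

```c
/* Added example, not from the original post: flag request-header values shaped
 * like an exported bash function definition before a CGI front end turns them
 * into environment variables. Sample headers below are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if the value, after optional leading whitespace, begins with the
 * "() {" function-export marker that bash's importer recognises, else 0.
 * Whitespace between ")" and "{" is made optional so the filter is slightly
 * over-inclusive; no legitimate HTTP header value starts this way. */
int looks_like_function_export(const char *value)
{
    while (*value && isspace((unsigned char)*value))
        value++;
    if (value[0] != '(' || value[1] != ')')
        return 0;
    value += 2;
    while (*value && isspace((unsigned char)*value))
        value++;
    return *value == '{';
}

/* Scans "Name: value" header lines the way a front end would before they become
 * environment variables; logs each flagged header name and returns the count. */
int scan_headers(const char *const *lines, int n)
{
    int flagged = 0;
    for (int i = 0; i < n; i++) {
        const char *colon = strchr(lines[i], ':');
        const char *value = colon ? colon + 1 : lines[i];
        if (looks_like_function_export(value)) {
            int name_len = colon ? (int)(colon - lines[i]) : 0;
            printf("flagged header: %.*s\n", name_len, lines[i]);
            flagged++;
        }
    }
    return flagged;
}

/* Constructed sample request: one header carries the function-export shape. */
static const char *const sample_headers[] = {
    "Host: example.test",
    "User-Agent: Mozilla/5.0 (compatible)",
    "Referer: () { :; }",
    "Accept: */*",
};
#define SAMPLE_HEADER_COUNT 4

int main(void)
{
    int n = scan_headers(sample_headers, SAMPLE_HEADER_COUNT);
    printf("%d of %d headers flagged\n", n, SAMPLE_HEADER_COUNT);
    return 0;
}
```

The filter buys time while you patch; it does not replace the patch, since the same environment reaches bash through the DHCP and SSH paths the post mentions, which carry no HTTP headers at all.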

Security in a Qube too: The Qubes OS developers have been working away steadily on their virtualisation-compartmented desktop operating system, and now Joanna Rutkowska has announced Qubes OS Release 2. The OS is now described as "a powerful desktop OS" rather than a proof-of-concept, and to reinforce that, Caspar Bowden is joining the advisory board for Qubes to see if it can be brought to a wider world. If you've not met Qubes, imagine a desktop Linux where each app or group of apps is run in its own virtualised sandbox while the OS works to make sure the user isn't bothered by that. If you were looking for a "post-Snowden" OS, Qubes should be on your list – check the site for downloads, resources and white papers explaining what's in the OS.

Linux from Scratch: You may, "post-Snowden", want to go through every bit of code that is in your running systems. One place to start is Linux from Scratch, which takes you through assembling your own Linux system (and automated or hardened versions) from component parts. It's just been updated to LFS version 7.6, along with updates to Beyond Linux From Scratch (BLFS) and the systemd editions of LFS and BLFS.

RethinkDB 1.15: NoSQL… no come back… Cool NoSQL database RethinkDB just got updated to version 1.15 getting a huge set of geospatial functions to add to its already interesting suite of functions. There’s also server-side UUID generation and performance boosts through lazy deserialisation.

Material world: Some folks love Google's Material look and feel. Well, now they can have some of that on the web with Bootstrap Material Design, a Bootstrap theme that brings the stylings and gives a nice flat look to apps.

Finally: Via Adafruit, a picture of Grace Hopper teaching COBOL.

Codescaling catchup: Android L, MapReduce, Paho, Eclipse IDE, Bootstrap, MacDown, Moment.js, Runtime.js, Dart, Security Notes

And catching up with the week just past at Codescaling….

Android L, MapReduce

Google I/O brought us a beta version of Android Studio and a developer preview of Android L, with images for emulators and the Nexus 5 and Nexus 7 (Wifi only). A new look and feel, lots more APIs and a general feeling that Google's pulling their various efforts back into one cohesive whole (for good or bad, and for whom, is another discussion). At the other end of the scale though, a more interesting, if obvious, reveal came from Urs Hölzle, SVP at Google, who during the Google I/O keynote pointed out that the company has stopped using Map-Reduce based systems for analytics – "It's great for simple jobs but it gets too cumbersome". This of course was on the back of announcing Cloud Dataflow, a new pipelined analytics service, but it seems Google is drawing a line where Map-Reduce ends and a self-scheduling, self-organising analytics system is the future. We shall see if that line holds… Hadoop isn't endangered, despite what some may say, mainly because it's grown into its own ecosystem and platform for more than Map-Reduce work… but the entire analytics world is ripe for disruption, especially on its hardest problem – analysis discovery.

Paho 1.0 for MQTT

Over at Eclipse there have been a few announcements, like the Paho MQTT project reaching version 1.0. That includes C, Python, JavaScript (in the browser) and Java MQTT client implementations. MQTT is one of the protocols in the running to fill the numerous niches in the internet of things, and Paho is Eclipse's umbrella project to make sure it has an open source implementation for all.

Moonrise for Eclipse Luna

The Eclipse release train also turned up for the synonymous IDE with the release of Eclipse Luna – Paho was on the release train too – which also brought us full Eclipse support for Java 8, a workspace with dark themes, split editors and default line numbering (to keep up with the hip editors), updated Equinox, a Java 8 capable memory analyser and a standalone C/C++ debugger. If you like Eclipse, you'll love the improvements. A couple of bits have been dropped (Agent Modelling, EclipseLink persistence and SCA Tools), but lots more has been added, including XWT (a declarative UI project), Eclipse Sirius for modelling, Business Process Model and Notation (BPMN2) modelling and EMF clients and repositories for modelling.

Bootstrap restrapped

Bootstrap keeps evolving – the latest version of the HTML/CSS framework, Bootstrap 3.2, has scaling embeds, responsive utility classes, more tools and more. You can download it or pull it with npm. It does make for a quick way to get a clean, modern-looking site or app together.

Markdown on Mac

Love Markdown? You might well have liked Mou, a markdown editor on the Mac. But development on that has stalled. Now in its place comes the open source MacDown which is already in heavy development and already looking quite feature rich. So, check it out. Of course, everyone does Markdown these days; I’m using various editors including WriteDown (very simple with a nice preview toggle) and Atom (good MarkDown preview plugin).

Time for a Moment.js

Moment.js was recently updated to version 2.7.0. The very useful date and time manipulation library for JavaScript has got itself four new languages, configurable relative times and various bug fixes both in general and for specific languages.

Time for a Run…time.js

Maybe you will run it on Runtime.js, an OS kernel that's being built in JavaScript only, running on a V8 engine. A curious little bit of research – everything runs in ring 0 and relies on software for isolation, apps get sandboxed and limited resources, V8 is used to build trusted native code, and it runs one V8 instance per core. You won't be running it tomorrow, but it does feel like it's an idea worth pursuing.

Darting to Mobile

You’re probably more likely to be running Google’s JavaScript alternative Dart. That got an update too with Dart 1.5 which is focussed on mobile devices, bringing better debugging, and an update to the Polymer web components package. Full details in the release notes.

Security Notes

Of course the broken world of security rolls on. An IBM team found a stack buffer overflow in Android's KeyStore. That's probably the worst place to find a hole – a bit like finding the clasp on your keyring is faulty. A more controversial bug is the LZO/LZ4 hole. It's an integer overflow in compression code and yes, it could lead to code execution… if you are on a 32-bit system… and you are processing 16MB or greater blocks… and you've crafted the exploit to the particular implementation of LZO/LZ4 on the system. It's a high barrier to jump, but there'll still be plenty of updates to numerous packages to close the door before there's an exploit crafted to jump the high bar.
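The "only on 32-bit, only with big blocks" precondition comes down to how a decoder validates a copy length. As an added example (not the LZO or LZ4 code, and not a reconstruction of the actual bug), here is the general pattern: a bounds check that adds the length to the output cursor can wrap on a 32-bit address space and let an oversized length through, while comparing the length against the space that remains cannot. The 32-bit cursor is simulated with `uint32_t` so the wrap shows on any host; the record sequence and the function names are constructed for illustration.

```c
/* Added example, not the LZO/LZ4 code: two ways to check that a copy of `len`
 * bytes fits between a 32-bit output cursor and the end of the buffer. The
 * cursor is a uint32_t standing in for a 32-bit pointer. */
#include <stdint.h>
#include <stdio.h>

/* Wrapping check: cursor + len can overflow past 0xFFFFFFFF, so a huge length
 * looks small and passes. Returns 1 if the copy is (possibly wrongly) accepted. */
int copy_fits_wrapping(uint32_t out_pos, uint32_t out_end, uint32_t len)
{
    uint32_t end_of_copy = out_pos + len;   /* modulo 2^32 */
    return end_of_copy <= out_end;
}

/* Safe check: compare len against the remaining space; no addition, no wrap. */
int copy_fits_checked(uint32_t out_pos, uint32_t out_end, uint32_t len)
{
    if (out_pos > out_end)
        return 0;
    return len <= out_end - out_pos;
}

/* Walks a sequence of copy lengths as a decoder would, advancing the cursor,
 * and returns how many records were accepted before a check failed (n if all
 * were accepted). use_checked selects the safe check; 0 uses the wrapping one. */
int accept_count(const uint32_t *lens, int n, uint32_t out_pos, uint32_t out_end,
                 int use_checked)
{
    for (int i = 0; i < n; i++) {
        int ok = use_checked ? copy_fits_checked(out_pos, out_end, lens[i])
                             : copy_fits_wrapping(out_pos, out_end, lens[i]);
        if (!ok)
            return i;
        out_pos += lens[i];
    }
    return n;
}

/* Constructed input: an output buffer sitting high in a 32-bit address space
 * with 64 KiB free, then two small copies followed by a 2 MiB one. */
#define SAMPLE_OUT_POS 0xFFF00000u
#define SAMPLE_OUT_END 0xFFF10000u
static const uint32_t sample_lens[] = { 0x1000u, 0x4000u, 0x200000u };
#define SAMPLE_LEN_COUNT 3

int main(void)
{
    int wrapped = accept_count(sample_lens, SAMPLE_LEN_COUNT, SAMPLE_OUT_POS, SAMPLE_OUT_END, 0);
    int checked = accept_count(sample_lens, SAMPLE_LEN_COUNT, SAMPLE_OUT_POS, SAMPLE_OUT_END, 1);
    printf("wrapping check accepted %d of %d records\n", wrapped, SAMPLE_LEN_COUNT);
    printf("remaining-space check accepted %d of %d records\n", checked, SAMPLE_LEN_COUNT);
    return 0;
}
```

On a 64-bit build the same cursor values never get near the top of the address space, which is why the page's precondition is a 32-bit system; the large block is what lets an attacker-controlled length grow big enough to reach the wrap.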

And that's it for this week… that's quite a bit. Do let us know how you are finding the catchups in the comments.

Tails goes 1.0, Debian goes 7.5 and Apache OO goes 4.1

Tails 1.0: The developers of Tails, the Linux distro built for anonymity and privacy, have declared the latest version Tails 1.0. Tails wires all its networking through Tor and leaves no traces on machines where it's been live-booted. It's ideal in situations where you want your digital footprint minimised. Version 1.0 sees browser updates, Tor patches including a Heartbleed-vulnerable blacklist, bug fixes and a new logo for the project. The announcement also lays out plans for 1.1 (a switch to Debian 7), 2.0 (better building for a longer life) and 3.0 (sandboxing and isolation) and invites developers to contribute… it is a project which has got some great reviews.

Debian 7.5: Talking of Debian, the latest bugfix and patch rollup release, Debian 7.5, has just arrived. If you keep your Debian system up to date, you're already good, but if you install a lot of systems from optical or USB-stick media then you may want to take this opportunity to update your images. Full details of the fixes, bug and security, are in the announcement.

Apache OpenOffice 4.1: The Apache OpenOffice project has announced AOo 4.1, the latest iteration of the direct descendant of the original OpenOffice. The release notes highlight the Windows version's IAccessible2 support for better screen reader integration and the addition of comments and annotations for text ranges. There's also in-place field editing, interactive cropping, unified import/drag/drop for images, better vectors, new (Bulgarian, Danish, Hebrew, Hindi, Thai and Norwegian Bokmål) translations and other updated translations and dictionaries. Also, behind the scenes, AOo now uses the NSS libraries rather than the older Mozilla networking code, so that it is a bit more secure and a lot easier to build.

Linux 3.14, Etherpad 1.4, Pass and an RGB/LED/Pi tutorial – Snippets

Linux 3.14 lands: And another ten-week dev cycle of Linux ends with the release of Linux 3.14. There's a new realtime scheduler (deadline), event triggers for tracing, graphics driver updates (stabilised Broadwell support, NVIDIA GK110 support, dynamic power management for newer AMD hardware), new TCP autocorking for better small-packet handling and the usual gamut of driver improvements, patches and enhancements. For a good list, check LWN.net's three-part listing (1, 2, 3) (and if you are interested in Linux and don't subscribe to LWN.net, why not?). As of writing, Kernel Newbies has yet to catch up with its pages, while German speakers can read Thorsten Leemhuis's Die Neuerungen von Linux 3.14, which is packed full of details.

Etherpad 1.4 arrives: For Etherpad, it’s mostly lots of bugfixes and security patches, but it’s worth noting the arrival of Etherpad 1.4. The Node.js-based collaborative editor’s changelog has the details.

Pass, you may: Pass is an interesting idea – password management using simple text files (encrypted, of course) in a simple (and configurable) file storage hierarchy, with simple commands to manipulate them and use them from the keyboard. Now to see if I can get the password manager I use elsewhere to export its contents in Pass format – there are already scripts for lots of other password managers.

Your name in lights: A nice little tutorial from the folks at Adafruit shows how to use a 16×32 RGB LED matrix panel, which happens to be available over at Phenoptix, with a Raspberry Pi. The matrix usually comes with instructions to use it with an Arduino, due to the bit-bangy nature of getting stuff onto the display, so the Pi instructions offer a whole new set of opportunities for hacking. The next edition of CodeScaling might be in 16×32 format real soon now.

Python upped, Persona non grata, Markdown marked and more – Snippets

Python 3.3.5 released: The latest update to Python 3.3 fixes two regressions, in zipimport and in executing scripts, and alleviates a potential denial of service. Mac users should pay specific attention, as version 3.3.5 now fully supports OS X 10.9, fixing a bug which could cause "previous versions of Python to crash when typing in interactive mode".

Persona (non grata): Mozilla's Persona is being "transferred to community ownership". As yet another project is cut adrift from Mozilla in a fuzzy, vaguely friendly way, it's worth making a note that you shouldn't bet on Mozilla projects for the long term, unless they are called Firefox or run on a phone. Mozilla's habit of creating projects which don't fulfil one of their own needs seems to have created this problem, but at least on the plus side they are not decommissioning it, so they aren't pulling a Google Reader. Which is good, given folks like microco.sm use Persona for login.

Markdown editing for the web: Markdown is everywhere these days, and what's been missing is a good editor for Markdown-formatted plain text which can be embedded in the browser as a replacement for the WYSIWYG-to-no-particular-format editors. And here it could well be, in the form of EpicEditor, complete with import, export, in-place preview, full screen (with 50/50 edit/preview), custom parsers, extensions, event hooks, theming and more, all invocable from a single line of JavaScript.

Loose bits: Ivan Ristic shows you how to roll your own Apple 'goto fail' TLS bug test server, and the process is worth noting for future SSL/TLS tests – Or, post GnuTLS's 'goto cleanup' fail, you can get your head down and help audit GnuTLS with this handy list of "places to look" where unchecked data comes into the library – Or you can kick back with the 6809, a great CPU, now being emulated in JavaScript.

LXC’s 1.0, Thrift opened again, WhatsApp serving and more – Snippets


LXC goes 1.0: Linux Containers, LXC, is now at version 1.0, a major milestone which also brings together and completes a lot of things that have been working their way through the Linux kernel, like support for unprivileged containers; long-term stuff like a stable API (this'll be supported for five years); bindings for Lua and Python3 (and Go and Ruby out-of-tree support); backing storage support for directories, btrfs, zfs and more; cloning; snapshotting… and you may wonder "Hey, doesn't Docker do many of these things?" and yes, it does, so it'll be interesting to watch how things all work out. More details at the news post, and check out Stephane Graber's 10-part blog series on LXC 1.0, which is packed full of useful stuff.

Thrift double opened: Facebook brought Thrift (PDF) to the world in 2007 via Apache Thrift, and many people found the network/data serialisation framework well handy. Thing is, though, that Facebook went and forked their own internal version of Thrift as they filled out the features and ramped up performance, something that took major re-engineering over time. Now the company has announced fbthrift, available on Facebook's GitHub repo, open sourced under the same Apache 2.0 licence Apache Thrift is under.

Worth reading: WhatsApp's Serving: From 2012, here's a presentation on how WhatsApp does scale (PDF) with a combination of FreeBSD and Erlang – A New York Times profile of security reporter Brian Krebs, who's more like an entire security intel op in one person – Enjoy Stephen Colebourne on video presenting Java 8's Date and Time API at JAX 2013.

Docker officially for Mac, Tails fixes updates and CoffeeScript’s fresh brew – Snippets


Docker 0.8: As Docker, the application-packaging-with-containers platform, switches to a new release schedule, the first of the monthly releases has arrived, and Docker 0.8 has a couple of new goodies along with the focus on quality. One item worth mentioning is the official support for Mac OS X. No, they haven't added containers to OS X; instead they use a daemon as an intermediary between the host and a VirtualBox VM populated with a 24MB Linux image based on Tiny Core. There's also experimental BTRFS filesystem support, which might be very useful in future.

Tails 0.22.1 out: Tails, the Linux distribution for those who want to be secure, private and anonymous, has been updated to version 0.22.1 which has a number of security fixes in the browser and name services, wipes the fingerprinting off its use of some small icons and, probably most importantly, adds an update checker which can offer to install incremental updates when needed.

CoffeeScript updated: A little late to this, but there's been an update to CoffeeScript, with version 1.7.0 (and a typo-fixing 1.7.1) landing at the end of last month. Aseem Kishore summarised the changes, which include chaining without parentheses, multi-line strings, new ways to destructure an array, new math operators for power, floor and modulo, and more.