Developer Catchup: Bashed, Qubes R2, Linux from Scratch, RethinkDB, Material Bootstrapped and… COBOL?

Bashed: So the Bash bug is out there and real. These quick notes are still valid. The point is that this hideous feature (really, exporting function definitions through environment variables) is horrid and leaky by design and it’s only this bug in how that feature is implemented that’s bringing it to the fore. CGI scripting, Qmail, some SSH and DHCP services are all potentially vulnerable, so patch away but be prepared to patch again because the lid is off this can of worms. Safest end point is, most probably, that the functionality goes away, but that’s unlikely and even if it did there’ll still be old bash installs out there. Least helpful response – the FSF statement which fails to apologise and then pats itself on the back that free software let the patches be shared and then rattles the donation tin. Funniest response – Brian J Fox, Bash creator, quoted in the NYT joking his first response was “Aha, my plan worked”.

Security in a Qube too: The Qubes OS developers have been working away steadily on their virtualisation-compartmented desktop operating system and now Joanna Rutkowska has announced Qubes OS Release 2. The OS is now described as “a powerful desktop OS” rather than a proof-of-concept, and to reinforce that, Caspar Bowden is joining the advisory board for Qubes to see if it can be brought to a wider world. If you’ve not met Qubes, imagine a desktop Linux where each app or group of apps is run in its own virtualised sandbox while the OS works to make it easy for the user to not be bothered by that. If you were looking for a “post-Snowden” OS, Qubes should be on your list – check the site for downloads, resources and white papers explaining what’s in the OS.

Linux from Scratch: You may, “post-Snowden”, want to go through every bit of code that is in your running systems. One place to start there is Linux from Scratch which takes you through assembling your own Linux system (and automated or hardened versions) from component parts. It’s just been updated to LFS version 7.6, along with updates to Beyond Linux From Scratch (BLFS) and systemd editions of LFS and BLFS.

RethinkDB 1.15: NoSQL… no come back… Cool NoSQL database RethinkDB just got updated to version 1.15 getting a huge set of geospatial functions to add to its already interesting suite of functions. There’s also server-side UUID generation and performance boosts through lazy deserialisation.

Material world: Some folks love Google’s Material look and feel. Well, now they can have some of that on the web with Bootstrap Material Design, a Bootstrap theme which brings the stylings and gives a nice flat look to apps.

Finally: Via Adafruit, a picture of Grace Hopper teaching COBOL.

Docker 0.9, Vagrant 1.5 and Xen 4.4 – Virtually Snippets

Docker 0.9 unloads: Docker bumps its version number to Docker 0.9 and as it approaches version 1.0 makes a big change. Docker’s been pretty tightly tied to Linux Containers (LXC) technology to run applications packaged with it but in 0.9 there are now execution drivers so the option to plug in any one of a range of isolation systems is now available. “OpenVZ, systemd-nspawn, libvirt-lxc, libvirt-sandbox, qemu/kvm, BSD Jails, Solaris Zones, and even good old chroot” are on Docker’s planned list with more to come from various projects. There’s also a new libcontainer which lets Docker plug straight into the Linux kernel to control things – this Go library is likely to see a lot of use outside of Docker too as it wraps up container configuration into a neat JSON specified bundle. Next stop for Docker is a production quality 0.10 which will serve as a release candidate for 1.0. It’s lively down at the docks.

Vagrant 1.5 roams out: The developer environment manager Vagrant has been updated too. The new Vagrant 1.5 has added a sharing system to make collaboration easier, versioning for boxes, rsync and smb sync’d folders and Hyper-V support. Simpler SSH authentication setup, a reworked plugin manager and support for Funtoo, NetBSD and TinyCore Linux as guests round out the wedge of features in this release. Alongside the release is the announcement of Vagrant Cloud, a hosted box sharing service built to use Vagrant 1.5’s sharing functions.

Xen 4.4 meditates: Meanwhile, the other Linux virtualisation platform, Xen, has made the first release on its aspirational six month cycle (taking 8 months in this case). The announcement for Xen 4.4 highlights an improved libvirt/libxl interface for better integration with VM managers or cloud platforms, a more flexible event channel interface allowing for over tens of thousands of guests and a rapidly maturing ARM port now with a stable ABI going forwards. There’s also a ‘tech preview’ of nested virtualisation on Intel.

OIN and OpenStack, X and Security, Docker and Mac OS X – Snippets

  • Linux patent pool now covers clouds: By deftly expanding the list of packages it considers part of the Linux ecosystem to include OpenStack and Red Hat’s OpenShift Origin, the Open Invention Network is now including the cloud computing platforms as part of its protective cross-licence network. The change is set to take effect in March. Companies can join OIN by dint of agreeing not to pursue patent litigation against other companies with respect to that package list. In return, they get a royalty free licence to the OIN’s patent pool. It will be interesting to see how well the OIN’s new safe harbour works for cloud providers.

  • X Security – It ain’t good: At the Chaos Computer Club’s 30th Congress, one presentation took on the issue of the security of X Window System in terms of its implementation in the X.org code. Ilja van Sprundel has been working through the code over the past year and after finding 80 bugs in the client code, he’s gone on to just submit 120 bugs for the server side and he says he’s far from finished.

  • Docker on OS X: Mac OS X doesn’t have containers so running Docker natively is a no-no. The advice has been to set up a Linux VM with Vagrant, ssh into that and run Docker on there. But some people wanted a bit more simplicity and came up with Docker-osx which is a shell script which lets you run docker commands. It uses VirtualBox and Vagrant, automatically configuring the VM if needed. From then on, running “docker docker-command” sees the command automatically passed through to docker in the VM. There are also two “new” docker commands, “halt” (to stop the VM) and “ssh” (to open a terminal session). A simple enough script but rather handy.

Firefox 26, Netflix’s Suro, Vagrants and Dockers and Websockets for all – Snippets

  • Firefox 26 digs in: Today we’ll see the release of Firefox 26, latest in the overly regular Firefox release cycle. From the (currently beta) release notes, we can see the big changes. All but the Flash plug-in are now click-to-play by default, Windows users can update their Firefox without having to write into the Firefox folders, the password manager can handle password fields generated by scripts and on Linux, if the installed gstreamer can handle h264, so can Firefox. A couple of fixes, some developer enhancements and that’s about it. There’s also a Firefox for Android update due today. The release notes note some performance improvements, the same password manager enhancement and some fixes. The developer page for Firefox 26 covers changes of interest to developers in more detail. Firefox 26 will be turning up in updates and for download later today.

  • Netflix’s Suro goes open: From the people who brought you a cloud full of monkeys… Netflix’s latest open source release is Suro, an application monitoring system used by the video stream vendor to track the behaviour of their Amazon AWS deployed applications. Originally based on Apache Chukwa and adapted to fit Netflix’s demands, Suro pulls the company’s monitoring data from the various app clusters and pushes it to S3 (for Hadoop based analytics), to Apache Kafka (and on to Storm, Amazon ElasticSearch and Druid) and to other event processors. There’s a lot more detail in the announcement including in-production stats and how the pipeline is used to analyse errors.

  • Vagrant meets Docker: The latest update to Vagrant, version 1.4, has been announced and the big improvement in the system that has traditionally been used to create automatically reproducible development environments is the addition of Docker support. The Docker provisioner can install Docker and then lets the Vagrant virtual machine pull and configure Docker containers within it. There are also some enhancements to the scriptability of Vagrant itself, the ability to require a particular version of Vagrant and support for standalone file sync plugins.

  • websocketd: And finally, have you wanted to make a shell script or other app into a WebSocket server but lacked a library or access to the code to do it? Websocketd might be the answer as it turns anything with console I/O into a WebSocket server in a style rather reminiscent of CGI. Remember, most command line applications are not suitable for being exposed to the raw web, but the app could get you out of a hole when prototyping.

And, for reference, everything mentioned today is open source software.

EOL for Python 2.6, Docker Inc and more iconic fonts – Snippets

  • Python 2.6 signs out: Python 2.6.9 is the last source-only security fix release for the Python 2.6 family. The 2.6.9 release sees 2.6 officially retired after five years in the field. If you are still running 2.6, UPDATE! At the other end of the scale, Python 3.3.3 got its first release candidate with full support for Mac OS X 10.9 Mavericks.
  • dotCloud becomes Docker Inc: Acknowledging how important its Docker container software has become, dotCloud has announced it is becoming Docker Inc. The platform-as-a-service business of dotCloud will be maintained, but the company’s resources are going into Docker, Docker services and building out the Docker ecosystem.
  • More icon fontage: Bootstrap is not alone in having a fine icon font for its graphical imagery. Say hi to Ionicons, created for the Ionic front-end framework. Very stylish, and MIT licensed open source.

Talend go Apache, Mozilla and Xiph, Oracle and Java and Virtualbox updates – Snippets

  • Talend go Apache: Talend, makers of integration, ETL and other data management products, have long been proponents of the GPL license for their products. I’ve asked them about this in the past and they’ve been robust in their reasoning about why the GPL is right for them. It appears though that that era has come to an end with an announcement that the company will be stepping towards more permissive licensing. They first plan to move to LGPL with version 5.4 of their products then to Apache in 2014. They’ve been steadily exposed to permissive licensing as they have built Talend ESB on Apache projects and when they went to release “Talend Open Studio for Big Data” they decided to go with Apache for better compatibility with the Hadoop ecosystem. That product, they say, is “arguably the most adopted product from Talend, ever” and that inspired a licensing rethink. An interesting change (and if you’ve not looked at Talend’s software, check it out… there’s some powerful integration mojo in there).
  • Mozilla’s new video hire: Xiph.org founder Monty Montgomery is off to Mozilla, amicably leaving his current employer, Red Hat, for a chance to work at Mozilla with the other Xiph developers. Current work in progress is the Daala video codec which is setting out to be a free to implement and use, and technically superior, alternative to h.265 and Google’s VP9. Mozilla is primary sponsor on the project and, talking to Gigaom, Montgomery says progress on Daala is solid and there could be commercial products using it by the end of 2015. It looks like Mozilla are making sure that they aren’t caught again between a rock (h.264) and a hard place (VP8) in the future.
  • Oracle and Java fix time: It’s time for Oracle to drop its metric shedload of fixes for October. Short version, there’s a Java 7 update 45 (release notes) now available with security fixes for 51 vulnerabilities nearly all of which are remotely exploitable and with eleven scoring the full 10.0 on CVSS scores and nine scoring 9.3. Typically, most Java holes are around the sandbox, WebStart and applets, but two of the 10.0 critical holes affect servers too. Update your Java 7; if you are still on Java 6, you now have two problems.
  • VirtualBox 4.3: A new version of Oracle’s open source VirtualBox has arrived. The changes in version 4.3 are sufficient for it to be called a major update. The VT-x code and AMD-V code, the guts of the virtualisation, have been rewritten to fix bugs and improve performance. There’s a new instruction interpreter that can step in when hardware virtualisation isn’t able to handle something. New notifications, better keyboard short cuts and support for video capture have been added to the GUI while support for emulating USB touch devices, webcam passthrough and SCSI CD-ROM emulation has also been added. There is also a new virtual router mode which lets multiple VMs share one NAT service. And obviously, there’s oodles of bug fixes.