Bashed: So the Bash bug is out there and real. These quick notes are still valid. The point is that this hideous feature (really, exporting function definitions through environment variables) is horrid and leaky by design and it’s only this bug in how that feature is implemented that’s bringing it to the fore. CGI scripting, Qmail, some SSH and DHCP services are all potentially vulnerable, so patch away but be prepared to patch again because the lid is off this can of worms. Safest end point is, most probably, that the functionality goes away, but that’s unlikely and even if it did there’ll still be old bash installs out there. Least helpful response – the FSF statement which fails to apologise and then pats itself on the back that free software let the patches be shared and then rattles the donation tin. Funniest response – Brian J Fox, Bash creator, quoted in the NYT joking his first response was “Aha, my plan worked”.
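A defensive sketch for the point above, added here and not part of the original post: a wrapper that strips function-definition-shaped values from the environment before handing control to a script, the kind of filter that sits in front of a CGI handler while patches roll out. It assumes an exported function is recognisable by a value beginning `() {`; `funcdef_vars`, `run_scrubbed` and `HTTP_X_DEMO` are hypothetical names, and `env -u` (GNU and BSD env) is assumed to be available.

```shell
#!/bin/sh
# List the names of environment variables whose value starts with "() {",
# the prefix bash uses to recognise an exported function definition.
# awk's ENVIRON array is used so multi-line values are handled correctly.
funcdef_vars() {
    awk 'BEGIN {
        for (name in ENVIRON)
            if (substr(ENVIRON[name], 1, 4) == "() {")
                print name
    }' | sort
}

# Run a command with those variables removed from its environment.
# The body is a subshell, so the IFS and globbing changes do not leak out.
run_scrubbed() (
    IFS='
'
    set -f                       # names are data: no glob expansion
    for name in $(funcdef_vars); do
        set -- -u "$name" "$@"   # prepend "-u NAME" for env
    done
    exec env "$@"
)

# Constructed demo: a header-derived variable shaped like a function definition.
HTTP_X_DEMO='() { :; }'
export HTTP_X_DEMO
run_scrubbed sh -c 'echo "HTTP_X_DEMO=${HTTP_X_DEMO-<removed>}"'
```

The filter also removes functions that were exported on purpose, so it belongs only in front of services that take environment values from untrusted input.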
Security in a Qube too: The Qubes OS developers have been working away steadily on their virtualisation-compartmented desktop operating system and now Joanna Rutkowska has announced Qubes OS Release 2. The OS is now described as “a powerful desktop OS” rather than a proof-of-concept, and to reinforce that, Caspar Bowden is joining the advisory board for Qubes to see if it can be brought to a wider world. If you’ve not met Qubes, imagine a desktop Linux where each app or group of apps is run in its own virtualised sandbox while the OS works to make it easy for the user to not be bothered by that. If you were looking for a “post-Snowden” OS, Qubes should be on your list – check the site for downloads, resources and white papers explaining what’s in the OS.
Linux from Scratch: You may, “post-Snowden”, want to go through every bit of code that is in your running systems. One place to start there is Linux from Scratch which takes you through assembling your own Linux system (and automated or hardened versions) from component parts. It’s just been updated to LFS version 7.6, along with updates to Beyond Linux From Scratch (BLFS) and systemd editions of LFS and BLFS.
RethinkDB 1.15: NoSQL… no come back… Cool NoSQL database RethinkDB just got updated to version 1.15 getting a huge set of geospatial functions to add to its already interesting suite of functions. There’s also server-side UUID generation and performance boosts through lazy deserialisation.
Material world: Some folks love Google’s Material look and feel. Well, now they can have some of that on the web with Bootstrap Material Design, a Bootstrap theme what brings the stylings and gives a nice flat look to apps.
Finally: Via Adafruit, a picture of Grace Hopper teaching COBOL.
Docker 0.9 unloads: Docker bumps its version number to Docker 0.9 and as it approaches version 1.0 makes a big change. Docker’s been pretty tightly tied to Linux Containers (LXC) technology to run applications packaged with it but in 0.9 there are now execution drivers, so the option to plug in any one of a range of isolation systems is now available. “OpenVZ, systemd-nspawn, libvirt-lxc, libvirt-sandbox, qemu/kvm, BSD Jails, Solaris Zones, and even good old chroot” are on Docker’s planned list with more to come from various projects. There’s also a new libcontainer which lets Docker plug straight into the Linux kernel to control things – this Go library is likely to see a lot of use outside of Docker too as it wraps up container configuration into a neat JSON specified bundle. Next stop for Docker is a production quality 0.10 which will serve as a release candidate for 1.0. It’s lively down at the docks.
Vagrant 1.5 roams out: The developer environment manager Vagrant has been updated too. The new Vagrant 1.5 has added a sharing system to make collaboration easier, versioning for boxes, rsync and smb sync’d folders and Hyper-V support. Simpler SSH authentication setup, a reworked plugin manager and support for Funtoo, NetBSD and TinyCore Linux as guests wrap out the wedge of features in this release. Alongside the release is the announcement of Vagrant Cloud, a hosted box sharing service built to use Vagrant 1.5’s sharing functions.
Xen 4.4 meditates: Meanwhile, the other Linux virtualisation platform, Xen, has made the first release on its aspirational six month cycle (taking 8 months in this case). The announcement for Xen 4.4 highlights an improved libvirt/libxl interface for better integration with VM managers or cloud platforms, a more flexible event channel interface allowing for over tens of thousands of guests and a rapidly maturing ARM port now with a stable ABI going forwards. There’s also a ‘tech preview’ of nested virtualisation on Intel.
Firefox 26 digs in: Today we’ll see the release of Firefox 26, latest in the overly regular Firefox release cycle. From the (currently beta) release notes, we can see the big changes. All but the Flash plug-in are now click-to-play by default, Windows users can update their Firefox without having to write into the Firefox folders, the password manager can handle password fields generated by scripts and on Linux, if the installed gstreamer can handle h264, so can Firefox. A couple of fixes, some developer enhancements and that’s about it. There’s also a Firefox for Android update due today. The release notes note some performance improvements, the same password manager enhancement and some fixes. The developer page for Firefox 26 covers changes of interest to developers in more detail. Firefox 26 will be turning up in updates and for download later today.
Netflix’s Suro goes open: From the people who brought you a cloud full of monkeys… Netflix’s latest open source release is Suro, an application monitoring system used by the video stream vendor to track the behaviour of their Amazon AWS deployed applications. Originally based on Apache Chukwa and adapted to fit Netflix’s demands, Suro pulls the company’s monitoring data from the various app clusters and pushes it to S3 (for Hadoop based analytics), to Apache Kafka (and on to Storm, Amazon ElasticSearch and Druid) and to other event processors. There’s a lot more detail in the announcement including in production stats and how the pipeline is used to analyse errors.
Vagrant meets Docker: The latest update to Vagrant, version 1.4, has been announced and the big improvement in the system that has traditionally been used to create automatically reproducible development environments is the addition of Docker support. The Docker provisioner can install Docker and then lets the Vagrant virtual machine pull and configure Docker containers within it. There are also some enhancements to the scriptability of Vagrant itself, the ability to require a particular version of Vagrant and support for standalone file sync plugins.
websocketd: And finally, have you wanted to make a shell script or other app into a WebSocket server but lacked a library or access to the code to do it? Websocketd might be the answer as it turns anything with console I/O into a WebSocket server in a style rather reminiscent of CGI. Remember, most command line applications are not suitable for being exposed to the raw web, but the app could get you out of a hole when prototyping.
And, for reference, everything mentioned today is open source software.