News & Information


07/17/2019   Linux Journal

News briefs for July 17, 2019.

Malicious Python libraries have been found on the official Python Package Index (PyPI), which contain a hidden backdoor that would activate when installed on Linux systems. According to ZDNet, the three packages are named libpeshnx, libpesh and libari, and they "were authored by the same user (named ruri12) and had been available for download from PyPI for almost 20 months, since November 2017, before the packages were discovered earlier this month by security researchers from ReversingLabs. The PyPI team removed the packages on July 9, the same day ReversingLabs notified the PyPI repo maintainers about their findings." In addition, "None of the three packages ever listed a description, so it's impossible to tell what was their purpose. However, PyPI stats showed that the packages were being regularly downloaded, with tens of monthly installations for each."

Offensive Security, the creators of open-source Kali Linux, has launched the Kali NetHunter App Store, "a new one stop shop for security relevant Android applications. Designed as an alternative to the Google Play store for Android devices, the NetHunter store is an installable catalogue of Android apps for pentesting and forensics". The press release also notes that the NetHunter store is a slightly modified version of F-Droid: "While F-Droid installs its clients with telemetry disabled and asks for consent before submitting crash reports, the NetHunter store goes a step further by removing the entire code to ensure that privacy cannot be accidentally compromised". See the blog post for more details.

IBM to reunite original Apollo 11 mission technicians today for a live panel discussion celebrating the 50th anniversary of the Apollo 11 moon landing. The panel will be available via livestream starting at 2:30pm EDT. From the press release: "Moderated by Dr. John E. Kelly, IBM Executive Vice President, from the Johnson Space Center in Houston, Texas, the panel will reunite veterans of the Apollo 11 mission to share behind-the-scenes details of what it was like to be right in the middle of the action in the lead-up to and during this historic moment in time. The panelists will also look ahead to how the future of artificial intelligence, quantum computing, and other technologies could help us reach new frontiers." The livestream will be available here.

Azul Systems announces it has created OpenJSSE, an open-source implementation of TLS 1.3 for Java SE 8, which is now included in the latest releases of its Zulu Community and Zulu Enterprise products. You can find source code, example use cases and documentation on GitHub.

Krita 4.2.3 was released this morning. This release is mainly a bug fix release, but it does include one new feature: "it is now possible to rotate the canvas with a two-finger touch gesture. This feature was implemented by Sharaf Zaman for his 2019 Google Summer of Code work of porting Krita to Android. The feature also works on other platforms, of course."

07/17/2019   Linux Journal

“Linux is Linux is Linux,” is a direct quote I heard in a meeting I had recently with a major multi-national, critical-infrastructure company. Surprisingly and correctly, there was one intelligent and brave engineering executive who replied to this statement, made by one of his team members, with a resounding, “That’s not true.” Let’s be clear, selecting a commercial Linux is not like selecting corn flakes. This is especially true when you are targeting embedded systems. You must be considering key questions regarding the supplier of the distribution, the criticality of the target application, security and life-cycle support for your product.

Choose Wisely

There is a wonderful scene in the movie Indiana Jones and the Last Crusade when our hero, Indiana, must select the true Holy Grail. Set before him is a multitude of cups ranging from opulent, bejeweled challises to simple clay drinking cups. If you have seen the movie, Indiana reasons out the best choice, and it was a life or death selection. The knight who had been guarding the challises for centuries famously says, “You chose… wisely.” Why bring up this iconic scene? When you are selecting a commercial Linux distribution, you have a multitude of choices all bejeweled with wonderful marketing. The bottom line is that you want to save dollars that you would have otherwise spent on a DIY-Linux approach and ensure the commercial Linux selected fits your particular application. Here are some questions that you will need to keep in mind:

  • Is this for an IT application?

  • Is this for an OT (Operational Technology) application?

  • How long will this system be in the field?

  • What processes and procedures are used by my supplier to cover security vulnerabilities?

  • Can my supplier integrate in other Linux packages that support functionality I need going forward?

This is the short list. Other elements to keep in mind are the specific distribution’s origin and the Open Source community upon which it is based. How important is that specific Linux supplier with regard to the Open Source community upon which the distribution is based? These elements need to be part of the thought process.

I’ll Let My Silicon Choose

An update that fixes 10 vulnerabilities is now available.
An update that solves 5 vulnerabilities and has 10 fixes is now available.
Several security issues were fixed in Squid.
Two security issues have been discovered in LibreOffice: CVE-2019-9848
An update that solves three vulnerabilities and has 7 fixes is now available.
An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability
WavPack could be made to crash if it received a specially crafted WAV file.
An update that solves one vulnerability and has two fixes is now available.
07/16/2019   Linux Journal

News briefs for July 16, 2019.

IBM this morning announces three new open-source projects that "make it faster and easier for you to develop and deploy applications for Kubernetes". Kabanero "integrates the runtimes and frameworks that you already know and use (Node.js, Java, Swift) with a Kubernetes-native DevOps toolchain". Appsody "gives you pre-configured stacks and templates for a growing set of popular open source runtimes and frameworks, providing a foundation on which to build applications for Kubernetes and Knative deployments". And Codewind "provides extensions to popular integrated development environments (IDEs) like VS Code, Eclipse, and Eclipse Che (with more planned), so you can use the workflow and IDE you already know to build applications in containers."

IBM also today announces the Data Asset eXchange (DAX), which is "an online hub for developers and data scientists to find carefully curated free and open datasets under open data licenses". The press release notes that whenever possible, "datasets posted on DAX will use the Linux Foundation's Community Data License Agreement (CDLA) open data licensing framework to enable data sharing and collaboration. Furthermore, DAX provides unique access to various IBM and IBM Research datasets. IBM plans to publish new datasets on the Data Asset eXchange regularly. The datasets on DAX will integrate with IBM Cloud and AI services as appropriate."

In honor of Sysadmin Day, the Linux Foundation is offering all IT certification and prep course bundles for $325 each, along with a bonus course valued at $299 and a free Linux Foundation ball cap. The sale runs today until July 26th.

The city of London launches an open-source app for homebuilding. Arch News reports that "The freely-available app, titled PRISM, is aimed at the design and construction of high-quality, factory-built homes to address the current demand of 50,000+ houses per year."

Clonezilla live (2.6.2-15) was released recently. This release include major enhancements and bug fixes. The Linux kernel was updated to 4.19.37-5, the underling OS is based on the Debian Sid repository (as of 2019/Jul/07), the mechanism to update uEFI nvram boot entry was improved, and much more. The Clonezilla live 2.6.2-15 download link is here.

Several security issues were fixed in NSS.
An update is now available for Red Hat JBoss BPM Suite. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability
07/16/2019   Linux Journal
assorted micro controllers

Love Arduino but hate the GUI? Try arduino-cli.

In this article, I explore a new tool released by the Arduino team that can free you from the existing Java-based Arduino graphical user interface. This allows developers to use their preferred tools and workflow. And perhaps more important, it'll enable easier and deeper innovation into the Arduino toolchain itself.

The Good-Old Days

When I started building hobby electronics projects with microprocessors in the 1990s, the process entailed a discrete processor, RAM, ROM and masses of glue logic chips connected together using a point-to-point or "wire wrapping" technique. (Look it up kids!) Programs were stored on glass-windowed EPROM chips that needed to be erased under UV light. All the tools were expensive and difficult to use, and development cycles were very slow. Figures 1–3 show some examples of my mid-1990s microprocessor projects with discrete CPU, RAM and ROM. Note: no Flash, no I/O, no DACs, no ADCs, no timers—all that means more chips!


Figure 1. Example Mid-1990s Microprocessor


Figure 2. Example Mid-1990s Microprocessor


Figure 3. Example Mid-1990s Microprocessor

It all changed in 2003 with Arduino.

The word "Arduino" often invokes a wide range of opinions and sometimes emotion. For many, it represents a very low bar to entry into the world of microcontrollers. This world before 2003 often required costly, obscure and closed-source development tools. Arduino has been a great equalizer, blowing the doors off the walled garden. Arduino now represents a huge ecosystem of hardware that speaks a (mostly) common language and eases transition from one hardware platform to another. Today, if you are a company that sells microcontrollers, it's in your best interest to get your dev boards working with Arduino. It offers a low-friction path to getting your products into lots of hands quickly.

It's also important to note that Arduino's simplicity does not inhibit digging deep into the microcontroller. Nothing stops you from directly twiddling registers and using advanced features. It does, however, decrease your portability between boards.

Several security issues were fixed in Redis.
An update for vim is now available for Red Hat Enterprise Linux 7.5 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
07/15/2019   Linux Journal

News briefs for July 15, 2019.

Q4OS 3.8 stable was released today. This is a long-term support (LTS) release based on Debian Buster 10 with Plasma 5.14 and optionally Trinity 14.0.6 for desktop environments. Its primary aim is stability, and it's code-named Centaurus. It's available for 64bit and 32bit/i686pae computers, and also for older i386 systems without PAE extension. Support for ARM devices is in the works. Go here to download.

Linux kernel 5.2.1 was released yesterday. Greg Kroah-Hartman writes, "All users of the 5.2 kernel series must upgrade. The updated 5.2.y git tree can be found at: git:// linux-5.2.y and can be browsed at the normal git web browser:;a=summary."

Cloudera recently announced an new open-source licensing model. The company's Vision blog post states that the new strategy "aligns the licensing models previously used by each of Hortonworks and Cloudera and also introduces some new changes. We take our open source leadership role seriously, and recognize that our need to align our own licenses is also an opportunity to lead and to renew our commitment to open source software." Moving forward all of the company's open-source licenses "will adhere to one of two OSI approved licenses: the Apache License, Version 2, or the GNU Affero General Public License, Version 3 ('AGPL')". The post also notes Cloudera's open-source goals: "freedom from vendor lock-in", "community standards, not Cloudera standards" and "open ecosystem". See the Cloudera Licensing Policy FAQ for more details.

Microsoft's Quantum Development Kit is now available as an open source project on GitHub. According to Windows Central, "The QDK, which launched in preview last year, gives developers access to the Q# programming language, quantum simulators, and the libraries needed to start experimenting with quantum computing before it goes mainstream." See also the Microsoft Quantum blog for more information.

The Bank of England has announced that Alan Turing will be on the new £50 note in the UK. Gizmodo quotes Bank of England Governor Mark Carney: "Why Turing? Turing was an outstanding mathematician whose works had an enormous impact on how we live today. As the father of computer science and artificial intelligence, Alan Turing's contributions were far-ranging and path-breaking. His genius lay in a unique ability to link the philosophical and the abstract with the practical and the concrete. And all around us his legacy continues to build. Turing is a giant on whose shoulders so many now stand."

07/15/2019   Linux Journal

A look at using OpenAI's Generative Pretrained Transformer 2 (GPT-2) to generate text.

It's probably fair to say that there's more than one person out there who is worried about some version of artificial intelligence, or AI, possibly in a robot body of some kind, taking people's jobs. Anything that is repetitive or easily described is considered fair game for a robot, so driving a car or working in a factory is fair game.

Until recently, we could tell ourselves that people like yours truly—the writers and those who create things using some form of creativity—were more or less immune to the march of the machines. Then came GPT-2, which stands for Generative Pretrained Transformer 2. I think you'll agree, that isn't the sexiest name imaginable for a civilization-ending text bot. And since it's version 2, I imagine that like Star Trek's M-5 computer, perhaps GPT-1 wasn't entirely successful. That would be the original series episode titled, "The Ultimate Computer", if you want to check it out.

So what does the name "GPT-2" stand for? Well, "generative" means pretty much what it sounds like. The program generates text based on a predictive model, much like your phone suggests the next word as you type. The "pretrained" part is also quite obvious in that the model released by OpenAI has been built and fine-tuned for a specific purpose. The last word, "Transformer", refers to the "transformer architecture", which is a neural network design architecture suited for understanding language. If you want to dig deeper into that last one, I've included a link from a Google AI blog that compares it to other machine learning architecture (see Resources).

On February 14, 2019, Valentine's Day, OpenAI released GPT-2 with a warning:

Our model, called GPT-2 (a successor to GPT), was trained simply to predict the next word in 40GB of Internet text. Due to our concerns about malicious applications of the technology, we are not releasing the trained model. As an experiment in responsible disclosure, we are instead releasing a much smaller model for researchers to experiment with, as well as a technical paper.

I've included a link to the blog in the Resources section at the end of this article. It's worth reading partly because it demonstrates a sample of what this software is capable of using the full model (see Figure 1 for a sample). We already have a problem with human-generated fake news; imagine a tireless machine capable of churning out vast quantities of news and posting it all over the internet, and you start to get a feel for the dangers. For that reason, OpenAI released a much smaller model to demonstrate its capabilities and to engage researchers and developers.

07/12/2019   Linux Journal

News briefs for July 12, 2019.

Google yesterday announced Docsy, a website theme for technical documentation. From the Google blog post: "Docsy builds on existing open source tools, like Hugo, and our experience with open source docs, providing a fast and easy way to stand up an OSS documentation website with features specifically designed to support technical documentation. Special features include everything from site navigation to multi-language support—with easy site deployment options provided by Hugo. We also created guidance on how to add additional pages, structure your documentation, and accept community contributions, all with the goal of letting you focus on creating great content."

Several KDE releases came this week. KDE Applications 19.04.3 was released yesterday. This release contains more than 60 bugfixes and translation updates. See the full changelog for details.

KDE Plasma 5.16.3 also was released. This update comes just two weeks after the 5.16 release and contains several bugfixes and new translations. See the full Changelog for specifics.

And, Kdenlive 19.04.3 was released today. This release contains a ton of fixes, including "fixing compositing and speed effect regressions, thumbnail display issues of clips in the timeline and many Windows fixes. You can get the AppImage from the download page.

Alpine Linux 3.10.1 has been released. See the git log for the full list of changes in this version of the security-oriented lightweight distro.

Valve has launched Steam Labs, which gives users a peek at new experiments in development. According to TechCrunch, "Valve is quick to point out that all of these experiments are just that—there's no promising that any of the stuff that hits the Labs will make it all the way to the official client. They also say that even 'Steam Labs is itself an experiment', which will probably change and evolve a bunch over time." The first three experiments on Steam Labs are Micro Trailers, Interactive Recommender and Automatic Show.

07/12/2019   Linux Journal

In this article, I want to look at a GIS option available for Linux—specifically, a program called SAGA (System for Automated Geoscientific Analyses). SAGA was developed at the Department of Physical Geography in Germany. It is built with a plugin module architecture, where various functions are provided by individual modules. A very complete API is available to allow users to extend SAGA's functionality with newly written modules. I take a very cursory look at SAGA here and describe a few things you might want to do with it.

Installing SAGA should be as easy as looking at the software repository for your favourite distribution. For Debian-based distros, you can install it with the command:

sudo apt-get install saga

When you first start it, you get a blank workspace where you can begin your project.


Figure 1. SAGA starts up with a central project window, several tool panes on the left and console messages at the bottom.

Two major categories of data sets are available that you can use within your projects: satellite imagery and terrain data. The tutorial website provides detailed walk-throughs that show how you can get access to these types of data sets for use in your own projects. The tutorial website also has sections on some of the processing tools available for doing more detailed analysis.

SAGA understands several data file formats. The typical ones used in GIS, like SHP files or point clouds, are the default options in the file selector window. You can work with these types of data, or satellite imagery or terrain data.

Let's start by looking at terrain analysis in SAGA. You'll need digital elevation data, in DEM format, which is available from the SRTM Tile Grabber site. You will get a zip file for each region you select, and these zip files contain geotiff files for the selected regions.

Load the geotiff file by clicking File→Open. By default, it will show only the common project file formats. To locate your downloaded geotiff files, you'll need to change the filter at the bottom of the file selector window to be all files. Once it is loaded, it will show up in the list of data sources in the bottom-left window pane.


Figure 2. You can load data sources, such as geotiffs, into your project.

07/11/2019   Linux Journal

News briefs for July 11, 2019.

The Electronic Frontier Foundation is celebrating its 29th birthday "by building a future where tech respects and empowers users". From now until July 24, 2019, the EFF is offering a $20 membership, which includes a set of limited-edition enamel pins. (Note also that the EFF is a US 501(c)(3) nonprofit, so contributions are tax-deductible as allowed by law.)

Linode yesterday launched new GPU-optimized cloud computing instances, specifically for developers and business that need massive parallel computational power. From the press release: "The new instances are built on NVIDIA Quadro RTX 6000 GPU cards with all three major types of processing cores (CUDA, Tensor, and Real-Time Ray Tracing) available to users. Linode is one of the first cloud providers to deploy NVIDIA's latest GPU architecture." For more information, see

Syncthing 1.2.0 was released recently. Linux Uprising reports that this version of the open-source peer-to-peer synchronization tool "adds QUIC with NAT traversal as a new transport protocol, fixes some bugs and enables automatic error reporting." The article notes Syncthing's emphasis on privacy: "None of your data is ever store anywhere else other than your own computers (no central server); all communication is secured using TSL and authenticated using a strong cryptographic certificate. Basically, it can replace Dropbox and other similar services with something decentralized, where your data is your data alone." Go here to download.

Kali Linux for Raspberry Pi 4 was released recently, "complete with on-board wifi monitor mode & frame injection support!" You can download it from the Kali Linux ARM Images page. Currently there is support only for 32-bit, but 64-bit is coming soon.

GNOME developers plan to disable the Snap plugin for GNOME Software, as Canonical has started creating its own Snap Store and won't be using GNOME Software in Ubuntu 20.04 LTS. According to Phoronix, "Canonical's in-development Snap Store will obviously be focused just on their own Snap effort and not supporting the likes of Flatpak. Due to the likelihood that the GNOME Software Snap plug-in will quickly suffer from bit-rot and pose a maintenance burden to GNOME developers with little to no return, it's certainly reasonable that they would at least disable this plug-in."

07/11/2019   Linux Journal

Introducing the Yocto Project and the benefits of using it in embedded Linux development.

In embedded Linux development, there are two approaches when it comes to what operating system to run on your device. You either build your own distribution (with tools such as Yocto/OpenEmbedded-Core, Buildroot and so on), or you use a binary distribution where Debian and derivatives are common.

It's common to start out with a binary distribution. This is a natural approach, because it's a familiar environment for most people who have used Linux on a PC. All the commodities are in place, and someone else has created the distribution image for you to download. There normally are custom vendor images for specific hardware that contain optimizations to make it easy to get started to utilize your hardware fully.

Any package imaginable is an apt install command away. This, of course, makes it suitable for prototyping and evaluation, giving you a head start in developing your application and your product. In some cases, you even might ship pre-series devices using this setup to evaluate your idea and product further. This is referred to as the "golden image" approach and involves the following steps:

  1. Flash the downloaded Debian image to an SD card.
  2. Boot the SD card, log in and make any modifications needed (for example, installing custom applications). Once all the modifications are complete, this becomes your golden image.
  3. Duplicate the SD card into an image on your workstation (for example, using dd).
  4. Flash the "golden image" to a fleet of devices.

And every time you need to make a change, you just repeat steps 2–4, with one change—that is, you boot the already saved "golden image" in step 2 instead of the "vanilla" image.

At a certain point, the approach of downloading a pre-built distribution image and applying changes to it manually will become a problem, as it does not scale well and is error-prone due to the amount of manual labor that can lead to inconsistent output. The optimization would be to find ways to automate this, generating distribution images that contain your applications and your configuration in a reproducible way.

This is a crossroad where you decide either to stick with a binary distribution or move your idea and the result of the evaluation and prototyping phase to a tool that's able to generate custom distributions and images in a reproducible and automated way.