It's not Linux but is worth a read: Google's Project Zero blog has a highly detailed analysis of several iOS exploits and how they were used to compromise large numbers of devices. "There's something thus far which is conspicuous only by its absence: is any of this encrypted? The short answer is no: they really do POST everything via HTTP (not HTTPS) and there is no asymmetric (or even symmetric) encryption applied to the data which is uploaded. Everything is in the clear. If you're connected to an unencrypted WiFi network this information is being broadcast to everyone around you, to your network operator and any intermediate network hops to the command and control server. This means that not only is the end-point of the end-to-end encryption offered by messaging apps compromised; the attackers then send all the contents of the end-to-end encrypted messages in plain text over the network to their server."

Security updates have been issued by Arch Linux (dovecot, gettext, go, go-pie, libnghttp2, and pigeonhole), Debian (djvulibre, dovecot, and subversion), Fedora (sleuthkit and wireshark), openSUSE (containerd, docker, docker-runc, and qbittorrent), Oracle (pango), SUSE (kernel, nodejs10, and python-SQLAlchemy), and Ubuntu (apache2).

For all its faults, email has long proved to be an effective communication mechanism for kernel development. Similarly, Git is an effective tool for source-code management. But there is no real connection between the two, meaning that there is no straightforward way to connect a Git commit with the email discussions that led to its acceptance. Once a patch enters a repository, it transitions into a new form of existence and leaves its past life behind. Doug Anderson recently went to the ksummit-discuss list with a proposal to add Gerrit-style change IDs as a way of connecting the two lives of a kernel patch; the end result may not be quite what he was asking for.

Greg Kroah-Hartman has released the latest batch of stable kernels: 5.2.11, 4.19.69, and 4.14.141. As usual, they contain important fixes all over the kernel tree; users should upgrade.

Blogger Ovid writes about the push to rebrand Perl 6. "So yeah, there's bitterness and the Perl community not only needs to heal, but we need to find a way forward for both languages. The suggestion to change the name of Perl 6 to 'raku' is effectively designed to make this happen. Perl 5 can figure out how to get beyond the branding issue that's been plaguing it and Perl 6 can do the same thing."

Security updates have been issued by Debian (apache2 and faad2), openSUSE (schismtracker), Red Hat (ceph and pango), Scientific Linux (pango), SUSE (apache-commons-beanutils, ceph, php7, and qemu), and Ubuntu (ceph, dovecot, and ghostscript).

The LWN.net Weekly Edition for August 29, 2019 is available.

To open-source fans, the lure of open-source voting systems is surely strong. So a talk at 2019 Open Source Summit North America on a project for open-source voting in San Francisco sounded promising; it is a city with lots of technical know-how among its inhabitants. While progress has definitely been made—though at an almost glacially slow speed—there is no likelihood that the city will be voting using open-source software in the near future. The talk by Tony Wasserman was certainly interesting, however, and provided a look at the intricacies of elections and voting that make it clear the problem is not as easy as it might at first appear.

Linux support for the exFAT filesystem has had a long and troubled history; Microsoft has long asserted patents in this area that have prevented that code from being merged into the kernel. Microsoft has just changed its tune, announcing that upstreaming exFAT is now OK: "It’s important to us that the Linux community can make use of exFAT included in the Linux kernel with confidence. To this end, we will be making Microsoft’s technical specification for exFAT publicly available to facilitate development of conformant, interoperable implementations. We also support the eventual inclusion of a Linux kernel with exFAT support in a future revision of the Open Invention Network’s Linux System Definition, where, once accepted, the code will benefit from the defensive patent commitments of OIN’s 3040+ members and licensees."

The GNOME Foundation, with support from Endless, has announced the Coding Education Challenge, a competition aimed to attract projects that offer educators and students new and innovative ideas to teach coding with free and open source software. "Anyone is encouraged to submit a proposal. Individuals and teams will be judged through three tiers of competition. Twenty winners will be selected from an open call for ideas and will each receive $6,500 in prize money. Those winners will progress to a proof of concept round and build a working prototype. Five winners from that round will be awarded $25,000 and progress to the final round where they will turn the prototype into an end product. The final winner will receive a prize of $100,000 and the second placed product a prize of $25,000."

The Linux Foundation (LF) Technical Advisory Board (TAB) is meant to give the kernel community some representation within the foundation. In a "birds of a feather" (BoF) session at the 2019 Open Source Summit North America, four TAB members participated in an "Ask the TAB" session. Laura Abbott organized the BoF and Tim Bird, Greg Kroah-Hartman, and Steven Rostedt joined in as well. In the session, the history behind the TAB, its role, and some of its activities over the years were described.

Security updates have been issued by Debian (dovecot), Fedora (docker and nghttp2), Oracle (pango), SUSE (apache2, fontforge, ghostscript-library, libreoffice, libvirt, podman, slirp4netns and libcontainers-common, postgresql10, and slurm), and Ubuntu (dovecot).

Packt has published a lengthy writeup of a talk by Josh Triplett on work being done to advance the Rust language for system-level programming. "Systems programming often involves low-level manipulations and requires low-level details of the processors such as privileged instructions. For this, Rust supports using inline Assembly via the 'asm!' macro. However, it is only present in the nightly compiler and not yet stabilized. Triplett in a collaboration with other Rust developers is writing a proposal to introduce more robust syntax for inline Assembly."

The encryption of data at rest is increasingly mandatory in a wide range of settings from mobile devices to data centers. Linux has supported encryption at both the filesystem and block-storage layers for some time, but that support comes with a cost: either the CPU must encrypt and decrypt vast amounts of data moving to and from persistent storage or it must orchestrate offloading that work to a separate device. It was thus only a matter of time before ways were found to offload that overhead to the storage hardware itself. Satya Tangirala's inline encryption patch set is intended to enable the kernel to take advantage of this hardware in a general manner.

Security updates have been issued by Debian (apache2 and xymon), openSUSE (putty and vlc), Red Hat (kernel and ruby), Scientific Linux (advancecomp, bind, binutils, blktrace, compat-libtiff3, curl, dhcp, elfutils, exempi, exiv2, fence-agents, freerdp and vinagre, ghostscript, glibc, gvfs, http-parser, httpd, kde-workspace, keepalived, kernel, keycloak-httpd-client-install, libarchive, libcgroup, libguestfs-winsupport, libjpeg-turbo, libmspack, libreoffice, libsolv, libssh2, libtiff, libvirt, libwpd, linux-firmware, mariadb, mercurial, mod_auth_openidc, nss, nss-softokn, nss-util, and nspr, ntp, opensc, openssh, openssl, ovmf, patch, perl-Archive-Tar, polkit, poppler, procps-ng, python, python-requests, python-urllib3, qemu-kvm, qt5, rsyslog, ruby, samba, sox, spice-gtk, sssd, systemd, tomcat, udisks2, unixODBC, unzip, uriparser, Xorg, zsh, and zziplib), Slackware (kernel), and SUSE (ardana-ansible, ardana-db, ardana-freezer, ardana-glance, ardana-input-model, ardana-nova, ardana-osconfig, ardana-tempest, caasp-openstack-heat-templates, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, documentation-suse-openstack-cloud, galera-python-clustercheck, openstack-cinder, openstack-glance, openstack-heat, openstack-horizon-plugin-monasca-ui, openstack-horizon-plugin-neutron-fwaas-ui, openstack-ironic, openstack-keystone, openstack-manila, openstack-monasca-agent, openstack-monasca-api, openstack-monasca-persister, openstack-monasca-persister-java, openstack-murano, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, python-Beaver, python-oslo.db, python-osprofiler, python-swiftlm, venv-openstack-magnum, venv-openstack-monasca, venv-openstack-monasca-ceilometer, venv-openstack-murano, venv-openstack-neutron and qemu).

Before a program can be run, it needs to be built. It's a well-known fact that modern software, in general, consumes more runtime resources than before, sometimes to the point of forcing users to upgrade their computers. But it also consumes more resources at build time, forcing operators of the distributions' build farms to invest in new hardware, with faster CPUs and more memory. For 32-bit architectures, however, there exists a fundamental limit on the amount of virtual memory, which is never going to disappear. That is leading to some problems for distributions trying to build packages for those architectures.

Security updates have been issued by Arch Linux (firefox, libreoffice-still, nginx, nginx-mainline, and subversion), Debian (commons-beanutils, h2o, libapache2-mod-auth-openidc, libmspack, qemu, squid, and tiff), Fedora (kubernetes, libmodbus, nfdump, and nodejs), openSUSE (dkgpg, libTMCG, go1.12, neovim, python, qbittorrent, schismtracker, teeworlds, thunderbird, and zstd), and SUSE (go1.11, go1.12, python-SQLAlchemy, and python-Twisted).

On the development side, Linus has released 5.3-rc6 for testing. "I’m doing a (free) operating system (more than just a hobby) for 486 AT clones and a lot of other hardware. This has been brewing for the last 28 years, and is still not done. I’d like any feedback on any bugs introduced this release (or older bugs too, for that matter)."

For those wanting something more stable, 5.2.10, 4.19.68, 4.14.140, 4.9.190, and 4.4.190 have all been released.

If one were to ask a group of free-software developers whether the community needs more software licenses, the majority of the group would almost certainly answer "no". We have the licenses we need to express a range of views of software freedom, and adding to the list just tends to create confusion and compatibility issues. That does not stop people from writing new licenses, though. While much of the "innovation" in software licenses in recent times is focused on giving copyright holders more control over how others use their code (while still being able to brand it "open source"), there are exceptions. The proposed "Cryptographic Autonomy License" (CAL) is one of those; its purpose is to give users of CAL-licensed code control over the data that is processed with that code.

Security updates have been issued by Debian (cups, nginx, and openjdk-7), Fedora (httpd, mod_md, nghttp2, and patch), and SUSE (rubygem-loofah).