RealTime IT News

Blog Archives

ownCloud Gets Its Own Foundation

By Sean Michael Kerner   |    May 31, 2016

The open-source ownCloud storage project has had a tumultuous 2016 so far, with the public exit of founder Frank Karlitschek from ownCloud Inc on April 27. Today, in what really does feel like a 'knee-jerk' reaction, ownCloud Inc announced the formation of an ownCloud Foundation.

Contrary to the common trend of bringing an open-source project like ownCloud into an established model, like the Linux Foundation's Collaborative Project approach, where the Cloud Foundry Foundation, the Cloud Native Computing Foundation, the Node.js Foundation, OpenDaylight and so many others now live, ownCloud is building its own Foundation.

The initial documents setting up the foundation are live at https://foundation.owncloud.org/ and look fairly innocuous. But there are a few key elements that are missing. Notably, with any major open-source foundation creation in recent years, there have always been multiple vendors at the outset that sponsor and support the effort. Looking at the ownCloud announcement today, I see no such thing, only ownCloud Inc.

Also missing is any included statement from Frank Karlitschek, which is critically important for the community to actually come together.

In some respects this move from ownCloud makes a whole lot of sense and it follows a well known path for popular open-source projects. By having a separate foundation that is distinct from the lead corporate sponsor, there is the opportunity for more participation, transparency and open governance.

Time will tell, though, if there is enough trust and goodwill in the ownCloud community to actually make the Foundation work.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist

PHP 7.0.7 Released Fixing 28 Bugs

By Sean Michael Kerner   |    May 26, 2016


Though it seems like it was just yesterday that PHP 7 was first released (it was actually December 17, 2015), today the seventh incremental update is being released with PHP 7.0.7.

As is the case with a .xy update, this is mostly a bug fix update, with at least 28 different issues being fixed in an effort to make PHP 7.x more stable. Though the PHP project hasn't identified any specific security vulnerabilities that are fixed in the update, I see at least one with bug #72162.


------------
Use after free condition can be triggered by simple script attached below. It's caused by call zend_string_release():

    #1 0xea66f0 in _efree /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2461
    #2 0xf72839 in zend_string_release /home/shm/src/php-7.0.6/Zend/zend_string.h:271
    #3 0xf773cc in zif_error_reporting /home/shm/src/php-7.0.6/Zend/zend_builtin_functions.c:730

in error_reporting function in case when DateTimeImmutable is supplied to the function. This can be turned into code execution.


That's kinda/sorta serious and I can see how an attacker could make use of that flaw in a chain that could do…bad things. As always, it's a good move to update, that is if you're actually running PHP 7.x, which is still fairly new. Many organizations I know are waiting for PHP 7.1 before they make the jump.



Nginx 1.11 Web Server Improves HTTP/2

By Sean Michael Kerner   |    May 24, 2016

The latest incremental update of the open-source Nginx web server is out today and once again, HTTP/2 related fixes/improvements are part of the mix. Looking through the release notes, two HTTP/2 changes are noteworthy:

    *) Change: the "421 Misdirected Request" response now used when
       rejecting requests to a virtual server different from one negotiated
       during an SSL handshake; this improves interoperability with some
       HTTP/2 clients when using client certificates.

    *) Change: HTTP/2 clients can now start sending request body
       immediately; the "http2_body_preread_size" directive controls size of
       the buffer used before nginx will start reading client request body.
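
The first change above, modelled as an added Python example (not nginx code and not part of the original post). It assumes the rejection applies when the server named in the request is one that verifies client certificates; the server names and the `route` helper are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

MISDIRECTED_REQUEST = 421


@dataclass(frozen=True)
class VirtualServer:
    name: str
    verify_client: bool  # models a server that requires client certificates


# Constructed sample configuration; both names are hypothetical.
SERVERS = {
    "admin.example.test": VirtualServer("admin.example.test", True),
    "www.example.test": VirtualServer("www.example.test", False),
}
DEFAULT = SERVERS["www.example.test"]


def normalize(name: str) -> str:
    """Lower-case a host name and drop any port and trailing dot."""
    return name.strip().lower().partition(":")[0].rstrip(".")


def route(sni: str, host: str) -> Tuple[int, Optional[str]]:
    """Return (status, serving virtual server) for one HTTPS request.

    sni  -- server name negotiated during the SSL handshake
    host -- Host header (HTTP/1.x) or :authority (HTTP/2) of the request
    """
    requested_name = normalize(host)
    requested = SERVERS.get(requested_name, DEFAULT)
    if normalize(sni) == requested_name:
        return 200, requested.name
    # Assumption of this model: the handshake's certificate checks were made
    # for a different server, so a server that verifies client certificates
    # must not answer on this connection.
    if requested.verify_client:
        return MISDIRECTED_REQUEST, None
    return 200, requested.name


if __name__ == "__main__":
    for sni, host in [("admin.example.test", "admin.example.test"),
                      ("www.example.test", "admin.example.test")]:
        print(sni, host, route(sni, host))
```

A 421 tells the client that this connection is the wrong one for the request, so an HTTP/2 client that reused a connection across host names can retry on a new connection with a fresh handshake.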


Linux 4.7 Gets a Security Boost with ChromeOS Feature

By Sean Michael Kerner   |    May 23, 2016

We're currently inside of the two-week merge window where code is being pulled in to form the Linux 4.7 kernel. One of the Git pull requests came from Linux kernel developer James Morris and includes at least one really interesting new security feature, by way of a new Linux Security Module (LSM).

A new LSM, "LoadPin", from Kees Cook is added, which allows forcing of modules and firmware to be loaded from a specific device (this is from ChromeOS, where the device as a whole is verified cryptographically via dm-verity). This is disabled by default but can be configured to be enabled by default (don't do this if you don't know what you're doing).

That's particularly interesting as it extends a chain of trust in a way that is kinda/sorta similar (yet different) to secure computing forms of attestation for hardware integrity. No, this isn't a Secure Boot redux, though the net effect is the same - Linux will only boot on known hardware.


CoreOS Fest: Runway Provides a New Model for Distributed Systems Design

By Sean Michael Kerner   |    May 10, 2016

BERLIN - Diego Ongaro, lead software engineer at Salesforce, is well known in the computer science community for his work on the Raft fault-tolerant consensus algorithm, which is used in etcd (used by CoreOS and a key part of Kubernetes). At the CoreOS Fest here, Ongaro detailed his latest big idea, called Runway.

Ongaro explained that Runway is a new tool for distributed systems design. He noted that distributed systems are hard, they are hard to understand and hard to communicate about.

"Machines are spread across a network all communicating at the same time, so there are concurrency issues and possible delays," Ongaro said. "Failures are common."

The typical approaches to find design issues are often too late in the process according to Ongaro, and it's always better to find the right design sooner.

"Design tools use system models," Ongaro explained. "A model is a representation of a system that captures its essential concepts and omits irrelevant details."

The Runway approach takes a model, runs it through a randomized simulator, then executes it, and the result is fed into a visualization. In a pair of demos, including a 'too many bananas simulation', Ongaro demonstrated how Runway can work.

Ongaro noted that specification, simulation and model checking all benefit from visualization, which is all part of Runway. Runway combines spec, model checking, simulation and interactive visualization and demos are available on Runway.systems.

"I'm at Salesforce and we're now applying this internally," Ongaro said. "Solve design problems in the design phase."

 
