GIMP 2.9.6 now in Gentoo 2017-08-26 No Comments
Here’s what upstream has to say about the new release 2.9.6. Enjoy 🙂
Expat 2.2.4 released 2017-08-23 No Comments
Expat 2.2.4 has recently been released. It features one major bugfix regarding files encoded as UTF-8, and improvements to the build system.
If you are using a more ancient version of Visual Studio like 2012, please check the post-2.2.4 commits in Git for related fixes to compilation.
Also, founding of Rhodri’s work on Expat by the Core Infrastructure Initiative is coming to an end. If you can fund additional developers for work on Expat — including smooth integration of by-default protection against billion laughs denial-of-service attacks — please get in touch.
Sebastian Pipping
Openmailbox.org turns against existing users, drops IMAP support without prior notice 2017-08-06 No Comments
- Short version:
Openmailbox “upgrade”: outages, broken app, paywalled or removed features
https://news.ycombinator.com/item?id=14935004 - Longer version:
Openmailbox 2.0: new owner, outages, brokenness, paywalled and removed features
http://phoe-krk.tumblr.com/post/163837468388/openmailbox-20-new-owner-outages-brokenness
Update: I moved to disroot.org now.
Expat 2.2.3 released, includes security fixes for Windows 2017-08-02 No Comments
Just a quick note that Expat 2.2.3 has been released. For Windows users, it fixes DLL hijacking (CVE-2017-11742). On Linux, extracting entropy for Hash DoS protection no longer blocks, which affected D-Bus and systems that are low on entropy early in the boot process. For more details, please check the change log.
Expat 2.2.2 released 2017-07-14 No Comments
(This article first appeared on XML.com.)
A few weeks after release 2.2.1 of the free software XML parsing library Expat, version 2.2.2 now improves on few rough edges (mostly related to compilation) but also fixes security issues.
Windows binaries compiled with _UNICODE now use proper entropy for seeding the SipHash algorithm. On Unix-like platforms, accidentally missing out on high quality entropy sources is now prevented from going unnoticed: It would happen when some other build system than the configure script was used, e.g. the shipped CMake one or when the source code was copied into some parent project’s build system without paying attention to the new compile flags (that the configure script would auto-detect for you). After some struggle with a decision about C99, Expat requires a C99 compiler now; 18 years after its definition, that’s a defendable move. The uint64_t type and ULL integer literals (unsigned long long) for SipHash made us move.
Expat would like to thank the community for the bug reports and patches that went into Expat 2.2.2. If you maintain a bundled copy of Expat somewhere, please make sure it gets updated.
Sebastian Pipping
for the Expat development team
Expat 2.2.1 with security fixes has been released 2017-06-18 No Comments
Expat 2.2.1 has been released. It’s a security release with a variety of security fixes, for instance: An infinite loop denial-of-service fix (that Rhodri James wrote more about), introduction of SipHash against sophisticated hash flooding, use of OS-specific high quality entropy providers like getrandom, integer overflow fixes, and more. We also got better code coverage, moved all but the downloads from SourceForge to GitHub, … but maybe have a look at the detailed change log yourself 🙂
So if you control copies of Expat somewhere, please get them updated.
Let me use the occasion to point out that we are looking for help with a few things Expat. There are tickets with details up here. If you can help, please get in touch.
Thanks and best
Sebastian
Fwd: Issues with window.opener (HTML, not just JavaScript) 2017-06-11 No Comments
Fwd: Facebook’s manual on credible threats of violence (theguardian.com) 2017-05-24 No Comments
Interesting and disturbing:
Facebook’s manual on credible threats of violence (theguardian.com)
Re-introducing app-portage/fetchcommandwrapper 2017-05-16 No Comments
Hi!
When I started fetchcommandwrapper about 6 years ago it was a proof of concept: It plugged into portage replacing wget for downloads, facilitating ${GENTOO_MIRRORS} and aria2 to both download faster and distribute loads across mirrors. A hack for sure, but with some potential.
Back then public interest was non-existent, fetchcommandwrapper had some issues — e.g. metadata.xsd downloads failed and some sites rejected downloading before it made aria2 dress like wget — and I stopped using it myself, eventually.
With the latest bug reports, bugfixes and release of version 0.8 in Gentoo, fetchcommandwrapper is ready for general use now. To give it a shot, you emerge app-portage/fetchcommandwrapper and append source /usr/share/fetchcommandwrapper/make.conf to /etc/portage/make.conf. Done.
If you have extra options that you would like to pass to aria2c, put them in ${FETCHCOMMANDWRAPPER_EXTRA}, or ${FETCHCOMMANDWRAPPER_OPTIONS} for fetchcommendwrapper itself; for example
FETCHCOMMANDWRAPPER_OPTIONS="--link-speed=600000"
tells fetchcommandwrapper that my download link has 600KB/s only and makes aria2 in turn drop connections to mirrors that cannot keep up with at least a third of that, so that faster mirrors get a chance to take their place.
For non-ebuild bugs, feel free to use https://github.com/gentoo/fetchcommandwrapper/issues to report.
Best, Sebastian
