cron.weekly issue #98: Caddy, Equifax, Struts, Curl, Arch, compsize, CentOS & more
September 17, 2017 - Mattias Geniar
Welcome to cron.weekly issue #98 for Sunday, September 17th, 2017.
This is a bit of an atypical issue, with a lot of news about the community & open source projects and a fair amount of web-related content. Should keep you busy for at least a coffee or 2. Or when you’re in line at the bakery. Or still lying in bed. Yes, I envy you.
Totally unrelated, tomorrow’s my birthday, so here’s my BTC address for donations: ha, just kidding!
Take care folks!
A several-months unpatched Apache Struts flaw appears to have been the cause of the massive Equifax breach, disclosed 2 weeks ago. Lots of good write-ups about the breach in other locations, too.
… and here’s the Apache Project’s response to said breach, explaining their approach to security releases and how those are handled.
This post makes several good arguments as to why open source project maintainers should (or: could) be compensated financially for their time in running & managing the project, donated by the community that uses it.
A list of – mostly US based – tech conferences and upcoming Calls For Presentations, for those who like to present at these conferences.
If you happen to have certificates issued by Symantec, be aware that Chrome plans to mark them all as untrusted in one of the upcoming releases, as Symantec violated the rules of engagement for Certificate Authorities. If you’re worried about your site certificates (or HTTPS in general) I suggest having a look at the Oh Dear! app, the beta opens soon and will help give visibility into these kinds of CA revocations & general certificate errors.
This isn’t a very technical post, but it gives you great insights into the open source licensing used by Facebook and how they used & bought patents in order to defend themselves in lawsuits. If you think legacy code is complicated, you should dive into the world of Microsoft Open Source licensing!
Say you’ve got an open source project used on more than 3 billion instances, what would you do to protect that project? The maintainer of Curl explains in this post.
Last week I mentioned IPv10, but many readers were right in pointing out this is mostly a fake proposal not based on real world usage. I stand corrected and shouldn’t have included it in the previous issue. It sounded good (“IPv4 + IPv6 = IPv10”), but you can forget about IPv10. For now.
This post gives actual feedback & arguments why that IPv10 post is a load of rubbish.
Why is software created using taxpayers’ money not released as Free Software? This petition aims to get publicly financed software developed for the public sector to be made publicly available under a Free and Open Source Software licence. I endorse!
GitHub’s code editor, Atom, now has support for a fully featured IDE (Integrated Development Environment), elevating it from a code editor to a full development environment. I’m using the beta now and it’s pretty solid!
To further aid open source development, the Caddy webserver now offers commercial licenses to help fund the project. There was also a fair bit of commotion around an additional HTTP header that was added to the free version to thank sponsors, which was later removed again.
Jess Frazelle, of Docker fame, recently joined the Windows team. As a die-hard Linux & container user, that’s an interesting move to make. Lots of background on WSL (Windows Subsystem for Linux) & how system calls get translated.
Well, not me, per se, but the author makes several good arguments why someone might consider Arch Linux. Even if you’re not planning to, there’s a lot of background & terminology used by Arch in this post that can clarify a thing or two.
Software Licenses in Plain English: this post allows you to look up popular software licenses and get them summarized at a glance.
An interesting project that aims to get statistics on how often misspelled or “typosquatted” packages on PyPI (the Python package index) get installed by accident.
Tools & Projects
Go from a global view of your infrastructure to inspecting an individual request trace, all in one developer-friendly platform. Start a free 14-day trial. (Sponsored)
Squash is a “debugger for microservices” and allows for live debugging of containers, pods, services, … by setting breakpoints and tracing code. Looks very powerful!
This has to be the biggest compiled list of security resources for Linux I ever saw. Just reading the titles will keep you occupied for hours, let alone actually understanding what each one does! (note: there’s pagination at the top)
compsize takes a list of files (given as arguments) on a btrfs filesystem and measures used compression types and effective compression ratio.
After 4 years of development, Sublime Text 3 is out: a refreshed UI theme, new color schemes, and a new icon. Some of the other highlights are big syntax highlighting improvements, touch input support on Windows, Touch Bar support on macOS, and apt/yum/pacman repositories for Linux.
It took a bit longer than usual (more details in the post), but CentOS 7.4 is out and available for updates. Includes a modern OpenSSL version, a lot of package updates, stronger ciphers in OpenSSH, …
Nulis is an open source tree editor for writers, inspired by Gingko.
A simple tool to print the page table content of a process in Linux. Useful for predicting page faults.
Zircon is the core platform that powers the Fuchsia OS (a real-time OS by Google). Zircon is composed of a microkernel (source in kernel/…) as well as a small set of userspace services, drivers, and libraries (source in system/…) necessary for the system to boot, talk to hardware, load userspace processes and run them, etc. Fuchsia builds a much larger OS on top of this foundation.
Guides & Tutorials
This free reference guide will take you back to the basics. You’ll find visuals and definitions on key concepts and questions you need to answer about your teams to determine your readiness for continuous delivery. Download and share with your team. (Sponsored)
A practical glance at CoreDNS, the once-a-fork-of-the-Caddy-webserver DNS server that relies on plugins & middleware to allow for supplying your own data as DNS results.
Jan-Piet is on a roll, so here’s a 2nd article from his blog: dnstap offers a standardised way of logging both DNS requests and responses in a performant way.
A step-by-step guide to using Hugo, the static site generator, together with Git to set up your own fast little website.
This is already an older post (2011!), but I still find myself using deprecated commands on a near daily basis. It’s hard to get ifconfig/route/arp out of a hardwired brain!
A lot of good details on using the Nginx ingress controller in your Kubernetes environment, with plenty of technical details on queue dropping, latency, response times, monitoring, …
It’s a shameless link-post, but there’s some good content in here: watch, readlink, ulimit, w, nohup, … plenty of good commands to refresh your Linux memory.