Planet GNU

Aggregation of development blogs from the GNU Project

December 19, 2014

FSF Events

Richard Stallman to speak in New Delhi, India

This speech by Richard Stallman will be nontechnical, admission is free of charge, and the public is encouraged to attend.

Speech topic to be determined.

Please fill out our contact form, so that we can contact you about future events in and around New Delhi.

December 19, 2014 06:10 PM

December 18, 2014

FSF Blogs

New article by RMS, "What does it mean for a computer to be loyal?"

We say that running free software on your computer means that its operation is under your control. Implicitly this presupposes that your computer will do what your programs tell it to do, and no more. In other words, that your computer will be loyal to you.

In 1990 we took that for granted; nowadays, many computers are designed to be disloyal to their users. It has become necessary to spell out what it means for your computer to be a loyal platform that obeys your decisions, which you express by telling it to run certain programs.

Richard Stallman's latest article offers a "tentative definition" of a computer that is "loyal to you," the user.

December 18, 2014 07:51 PM

www @ Savannah

German Arias

FisicaLab update

Well, I just want to share the progress in the development of FisicaLab. As you know, I want a module for thermodynamics in version 0.4.0. This means that FisicaLab needs the ability to handle data from steam tables. However, finding the data in an easy format (a spreadsheet, for example) was not possible. I found PDF format, which is not easy to translate to a spreadsheet, or Excel programs only for Windows and paid. Anyway, after some hard work, I have the steam tables for water in FisicaLab. The new class “TablesManager” is responsible for getting the data from these tables. To test this class I added a “Properties” window that lets you calculate the properties after entering some data. For the moment only the saturation data are available, but I will add the ability to get “compressed/superheated” data in the next few days. Of course, not only water will be available. Here is a screenshot of this new window, which will be available under the new menu item “Tools”:

fisicalabProperties

Remember FisicaLab is free software and that you can support its development with a donation in PayPal, Flattr or Gratipay.


by Germán Arias at December 18, 2014 08:23 AM

December 17, 2014

FSF Blogs

Friday Free Software Directory IRC meetup: December 19

Join the FSF and friends on Friday, December 19, from 2pm to 5pm EST (19:00 to 22:00 UTC) to help improve the Free Software Directory by adding new entries and updating existing ones. We will be on IRC in the #fsf channel on freenode.


Tens of thousands of people visit directory.fsf.org each month to discover free software. Each entry in the Directory contains a wealth of useful information, from basic category and descriptions, to providing detailed info about version control, IRC channels, documentation, and licensing info that has been carefully checked by FSF staff and trained volunteers.


While the Free Software Directory has been and continues to be a great resource to the world over the past decade, it has the potential of being a resource of even greater value. But it needs your help!


If you are eager to help and you can't wait or are simply unable to make it onto IRC on Friday, our participation guide will provide you with all the information you need to get started on helping the Directory today!

December 17, 2014 04:57 PM

Nick Clifton

December 2014 GNU Toolchain Update

Hi Guys,

  There are only a few things to report for this month:

* GDB now supports the compilation and injection of source code into the inferior.  GDB will use GCC 5.0 or higher built with libcc1.so to compile the source code to object code, and if successful, inject and execute that code within the current context of the inferior.  Currently the C language is supported.  The commands used to interface with this new feature are:

    compile code [-raw|-r] [--] [source code]
    compile file [-raw|-r] filename

* The binutils now support the Controls and Data Services VISIUMcore processor.

* GCC's LTO optimizer can now perform aggressive devirtualizations, finding more places where virtual functions can be replaced with real ones.  Controlled by the new command line option: -fdevirtualize-at-ltrans, this feature is disabled by default because it significantly increases the size of object files.

* The PowerPC port supports three new options to control the use of the vector/scalar floating point register set that was added in versions 2.06 and 2.07 of the PowerPC ISA.

    -mupper-regs-df

        Generates code that uses the scalar double precision instructions.

    -mupper-regs-sf

        Generates code that uses the scalar single precision instructions.

    -mno-upper-regs

        Do not generate code that uses any of the registers.

Cheers
  Nick

December 17, 2014 10:16 AM

December 16, 2014

FSF Blogs

Print this guide

We've just released a printable version of our online Giving Guide, which helps gift-givers choose tech gifts that respect recipients' rights as computer users and avoid those that don't. The printable version (available in color as well as black and white) makes sharing and translating easy so the Giving Guide can spread far and wide.

The guide is an easy-to-use resource that can make a difference in what people buy. We just need to get it in front of them. Can you help us spread the word by organizing a Giving Guide Giveaway this winter? Giveaways are public meet-ups where free software users gather to hand out the print Giving Guide to shoppers considering electronics gifts. By having face-to-face interactions with people in your area, you'll be getting your message across way more effectively than we can by talking about it online.

To make planning Giveaways easy, we've created a primer with tips and a planning timeline. Get a few friends together for a small Giveaway, or make a splash with a big one -- it's about spreading the message in whatever way is best for you. Check out the primer now, and organize your Giveaway! If you need to do your Giveaway in January or February, don't worry; shopping doesn't stop with the holidays!

This paper version is in English for letter sized paper, but we don't want to be limited to it! If you have the skills, please translate the printable version of this guide into any language you can and adapt it to other paper sizes, like A4. Send translated and resized versions as attachments to campaigns@fsf.org, with matching directory structure and file types to the original archive. Feel free to credit yourself on the translation.

If you're in the Boston-area, you are invited to the Giveaway the Free Software Foundation is organizing on Thursday, December 18th, meeting at 6:30 PM in the Harvard Square Station. Please RSVP to campaigns@fsf.org if you're coming.

Happy holidays!

Thanks to your support, 2015 marks 30 years of the FSF! In the next 30 years, we want to do even more to defend computer user rights. To kick off in that direction, we're setting our highest-ever fundraising goal of $525,000 by January 31st. Donate, join as a member, or read more about our work.

December 16, 2014 04:30 PM

December 12, 2014

GNUnet News

Introductory tasks for new GNUnet hackers (updated)

We sometimes get requests for easy tasks to get started and join the GNUnet hacker community. However, it is often difficult for potential new contributors to know which areas they might be able to contribute to, especially as not all tasks are suitable for people who are just starting to work with GNUnet.

by Christian Grothoff at December 12, 2014 07:39 PM

December 11, 2014

FSF Blogs

How many LibrePlanet scholarships will we give?

Karen Sandler speaking at LibrePlanet 2014

Sandler at LibrePlanet 2014

We're excited to announce our first keynote speaker for LibrePlanet 2015: Karen Sandler, executive director of the Software Freedom Conservancy and co-host of the “Free as in Freedom” podcast. Ms. Sandler's closing keynotes have been a highlight at LibrePlanet, and we're so excited to have her back. In other words, LibrePlanet 2015 is shaping up to be a really great event.

We hope you'll join us, and that you'll give a little extra so that a fellow free software enthusiast will be able to attend with a travel scholarship.

Each year, free software enthusiasts from around the world get together for the LibrePlanet conference, co-produced by the FSF and Student Information Processing Board at MIT (SIPB). At LibrePlanet, the movement has key conversations about how to keep free software strong and growing, and how to make sure that it is accessible to everyone, no matter what their needs or skills. In order to make the conference as rich and dynamic as possible, the Free Software Foundation works hard to offer travel scholarships to people who might be otherwise unable to attend. This year, we will also be offering funding for childcare.

Will you help us bring important voices to LibrePlanet 2015 by making a contribution to our scholarship fund?

A donation of $50 will provide a night in a shared hotel room. A donation of $300 will fund a domestic flight. A donation of $1,000 will fund an international flight.

In 2014, the Free Software Foundation spent $6,000 to bring fourteen people to LibrePlanet. This year, we've received a record number of scholarship applications: sixty three people from thirty countries who would like to attend LibrePlanet but need financial assistance. How many of them will we be able to offer scholarships? It depends, in part, on the donation you make between now and December 15th. Will you help us?

You can make a donation here, or donate when you register for the conference yourself. Remember, every donation you make also helps us meet our goal of raising $525,000 by January 31st.

December 11, 2014 10:47 PM

FSF Events

Richard Stallman - "Free Software and Your Freedom" (Jodhpur, India)

The Free Software Movement campaigns for computer users' freedom to cooperate and control their own computing. The Free Software Movement developed the GNU operating system, typically used together with the kernel Linux, specifically to make these freedoms possible.

Richard Stallman's speech will be nontechnical, admission is free of charge, and the public is encouraged to attend.

Please fill out our contact form, so that we can contact you about future events in and around Jodhpur.

December 11, 2014 04:30 PM

Richard Stallman to speak in Hamburg, Germany

Richard Stallman will be speaking at the "31C3: 31st Chaos Communication Congress" (2014-12-27--30). His speech will be nontechnical and the public is encouraged to attend.

Speech topic to be determined.

If you wish to attend, you have the option of doing so without registering, by paying the admission fee in cash, at the front door, on the days of the event.

Please fill out our contact form, so that we can contact you about future events in and around Hamburg.

December 11, 2014 03:25 PM

freeipmi @ Savannah

FreeIPMI 1.4.7

http://ftp.gnu.org/gnu/freeipmi/freeipmi-1.4.7.tar.gz

FreeIPMI 1.4.7 - 12/10/14
-------------------------
o Fix typo from FRU spec, language "Tegulu" is actually "Telugu".
o Fix typo in SEL session output, "Invalid Username of Password" to
"Invalid Username or Password".
o Loop on select() call if interrupted by EINTR in openipmi, ssif,
and sunbmc inband drivers.
o Fix integer overflow bug in ipmi-config when configure vlan ID >
255.
o Add workaround for ipmi-config issue on Supermicro X10DDW-i.
o Fix error handling bug in bmc-info.

by Albert Chu at December 11, 2014 12:44 AM

GNUtls

GnuTLS 3.3.11, 3.2.21

Released GnuTLS 3.3.11, and 3.2.21, which are bug-fix releases on the current and old stable branches respectively.

by Nikos Mavrogiannopoulos (nmav@gnutls.org) at December 11, 2014 12:00 AM

December 09, 2014

GNUnet News

New GPG key

I created a new GPG key today. You can find the full key on keyservers, my homepage and in the profile on gnunet.org. The fingerprint is D842 3BCB 326C 7907 0339 29C7 939E 6BE1 E29F C3CC. This key will be used to sign future releases of GNUnet.

by Christian Grothoff at December 09, 2014 02:57 PM

December 08, 2014

FSF News

Committee begins review of High Priority Projects list -- your input is needed

This announcement was written by the FSF's volunteer High Priority Projects Committee.

Nine and a half years ago the first version of the High Priority Free Software Projects (HPP) list debuted with only four projects, three of them related to Java. Eighteen months later, Sun began to free Java users. The current HPP list includes fourteen categories mentioning over forty distinct projects. Computing is ever more ubiquitous and diverse, multiplying challenges to surmount in order for all computer users to be free.

Undoubtedly there are thousands of free software projects that are high priority, each having potential to displace non-free programs for many users, substantially increasing the freedom of those users. But the potential value of a list of High Priority Free Software Projects maintained by the Free Software Foundation is its ability to bring attention to a relatively small number of projects of great strategic importance to the goal of freedom for all computer users. Over the years the list has received praise and criticism -- frankly not nearly enough, given the importance of its aims -- and been rebooted. As the list approaches its tenth year, we aim to revitalize and rethink it, on an ongoing basis.

The first step has been to assemble a committee which will maintain the list, initially composed of the following free software activists: ginger coons, Máirín Duffy, Matthew Garrett, Benjamin Mako Hill, Mike Linksvayer, Lydia Pintscher, Karen Sandler, Seth Schoen, and Stefano Zacchiroli. The committee has drafted this announcement and the following plan.

We need your input! Send your suggestions of projects to hpp-feedback@gnu.org. Remember, we're looking for projects of great strategic importance to the goal of freedom for all computer users. If you wish, we encourage you to publish your thoughts independently (e.g., on your blog) and send us a link. Keep in mind that not every project of great strategic importance to the goal of freedom for all computer users will be a software development project. If you believe other forms of activism, internal or external (e.g., making free software communities safe for diverse participants, mandating use of free software in the public sector), are most crucial, please make the case and suggest such a project!

Based on the received input, the current content of the list, and our own contributions, we will publish a substantially revised list and an analysis before LibrePlanet 2015 and expect a lively discussion at that event. If we are successful, we will have the immediate impact of bringing widespread coverage of free software movement strategy and the ongoing impact of garnering substantial attention and new effort for listed projects. (Note that we're also interested in outreach and measurement suggestions. A revised and maintained list is necessary but not sufficient for success.)

Finally, we've already made a few minor changes to the HPP list in order to fix long-standing issues that have been reported in the past. We are looking forward to your feedback at hpp-feedback@gnu.org as we work on more substantial improvements!

About the Free Software Foundation

The Free Software Foundation, founded in 1985, is dedicated to promoting computer users' right to use, study, copy, modify, and redistribute computer programs. The FSF promotes the development and use of free (as in freedom) software -- particularly the GNU operating system and its GNU/Linux variants -- and free documentation for free software. The FSF also helps to spread awareness of the ethical and political issues of freedom in the use of software, and its Web sites, located at fsf.org and gnu.org, are an important source of information about GNU/Linux. Donations to support the FSF's work can be made at https://donate.fsf.org. Its headquarters are in Boston, MA, USA.

Media Contacts

John Sullivan
Executive Director
Free Software Foundation
+1 (617) 542 5942
campaigns@fsf.org

December 08, 2014 10:40 PM

wget @ Savannah

GNU wget 1.16.1 released

  • Noteworthy changes in Wget 1.16.1
    • Add --enable-assert configure option.
    • Use pkg-config to check for libraries presence.
    • Do not limit --secure-protocol=auto|pfs to TLSv1.0.
    • Add --secure-protocol=TLSv1_1|TLSv1_2 .
    • Full C89 source code compliance.
    • Select and use the most secure authentication scheme with HTTP connections.
    • Fix issues with Turkish locales.
    • Handle 504 Gateway Timeout.
    • New option --crl-file to load Certificate Revocation Lists.
    • Add valgrind support to the test suite.
    • Fix an off-by-one problem in the progress bar (introduced in 1.16.1).

by Giuseppe Scrivano at December 08, 2014 11:00 AM

December 07, 2014

GNU Remotecontrol

Newsletter – December 2014

THIS MONTH…..
-TRENDS
-EYE CATCHING
-ANNUAL PLAN
-2014 YEAR IN REVIEW
-EXISTING CODE
-LASTLY

-TRENDS
The stuff going on in the big picture now…..

United States Electricity Price per KWH
Current and Past

September   October   Trend      % Change
$0.141      $0.136    Decrease   -3.55%

Year   October   Trend      % Change   % Since   Difference
2004   $0.094    Same        0.00%      0.00%     0.00%
2005   $0.102    Increase    8.51%      8.51%     8.51%
2006   $0.112    Increase    9.80%     19.15%    10.64%
2007   $0.117    Increase    4.46%     24.47%     5.32%
2008   $0.126    Increase    7.69%     34.04%     9.57%
2009   $0.126    Same        0.00%     34.04%     0.00%
2010   $0.127    Increase    0.79%     35.11%     1.06%
2011   $0.130    Increase    2.36%     38.30%     3.19%
2012   $0.128    Decrease   -1.54%     36.17%    -2.13%
2013   $0.132    Increase    3.13%     40.43%     4.26%
2014   $0.136    Increase    3.03%     44.68%     4.26%

United Kingdom Utility Prices
Current and Past

London by night, seen from the International Space Station

-EYE CATCHING
The stuff that has caught our eye…..

Demand Response

Power Line Communication

Smart Grid – Consumer

  • An article, describing how consumers cannot understand their HVAC thermostat.
  • An opinion, explaining how to make the Smart Grid brilliant.
  • An article, depicting how the modifying utility-customer relationship is changing home energy management.
  • An article, explaining why average energy consumption figures cannot be located.

Smart Grid – Producer

  • An article, calling for leadership to build a better connected Smart Grid in Nigeria.
  • An article, explaining why both integration and public policy are keys to the success of any Smart Grid effort.
  • An article, stating the UK Smart Meter roll out has been temporarily halted.

Smart Grid – Security

  • An article, from the United States Department of Homeland Defense (DHS), warning of cyber threat to critical U.S. infrastructure.
  • An article, finding the United States DHS has identified 79 electrical grid cyber attacks within the United States this year.

-ANNUAL PLAN
Status Update of our 2014 Plan…..

Demand Response

  • Further discussions with members of the electronics industry.
  • No other work since the April newsletter.

Unattended Server Side Automation

  • No other work since the April newsletter.

Power Line Communication

  • Further discussions with the members of the electronics industry.
  • No other work since the January newsletter.

Talk to us with your comments and suggestions on our plan for this year.

-2014 YEAR IN REVIEW
We believe our 2014 annual plan turned out pretty well. You may want to review our June 2014 and July 2014 newsletters, for a refresher on dynamic Demand Response. Now, let’s see how we did with our annual plan.

Unattended Server Side Automation
We released our first script on 29 March 2014. This script is integral to any Demand Response effort. We realized there are many ways to automate what we have built. We also realized we can do a better job separating the front-end of the code from the back-end of the code. HINT…..this realization is going to show up in our 2015 Annual Plan.

Demand Response
We worked on this effort through Unattended Server Side Automation. We spoke at length with many members of the electronics industry. The summary position of most of the folks we spoke with is they like GNU remotecontrol, but want a bit more maturity in the code, by means of increased ease to access the code through automation by external technologies. HINT…..this realization is going to show up in our 2015 Annual Plan.

Power Line Communication
IEEE 1901-2010 is protected by copyright. Anyone wanting to discuss this standard with us must first own a copy of this standard. Suffice it to say, there is a struggle in the electronics industry to know how to use this standard. We love the IEEE 1901-2010 standard. Everyone we spoke with at IEEE provided us loads of help to understand the construct of an IEEE standard and their individual viewpoint of how the electronics industry operates. We are quite impressed with IEEE as an organization. They do have the ear of most of the electronics world, for both standard development and standard implementation. The forward progress of Power Line Communication has stopped, until the electronics manufacturers discover how to implement this standard in a cost effective manner. GNU remotecontrol firmly believes Power Line Communication technology will become pervasive in the residential premise. It is a matter of how long this prevailing position will take to occur. Specifically, getting the Power Line Communication technology into the hands of homeowners at a price point they will accept.

So, boiling everything down to a simple set of statements……

  • GNU remotecontrol does not see any possibility for safe and effective Demand Response to occur without an internationally accepted technology standard for the residential network connected HVAC thermostat.
  • GNU remotecontrol believes the only way an internationally accepted technology standard for the residential network connected HVAC thermostat will ever succeed is if the electronics manufacturers want this standard.
  • GNU remotecontrol believes the consumer, the residential homeowner, is the only source capable of convincing the electronics manufacturers to generate an internationally accepted technology standard for the residential network connected HVAC thermostat.
  • GNU remotecontrol believes the consumer will find a way to convince the electronics manufacturers to produce an internationally accepted technology standard for the residential network connected HVAC thermostat, by having the combination of money to spend and the nationalized authority to accomplish Demand Response. This authority, in the United States, will come from some judicial decision defining the authority of the Federal Energy Regulatory Commission. We have spoken about the Federal Energy Regulatory Commission case, at length, since our June 2014 newsletter.

So, there we have it. The intersection between consumer and supplier, again, will decide a matter dramatically impacting a culture. Throw in some government regulations, and we have a new culture. This new culture will have not only the consumption of energy monitored in real time, but also the price of energy established on a national basis. This is a culture change like nothing seen in history, because it is about to happen on a national level. The data privacy matters are paramount. Security of both the application operating these technologies, and the data generated by these collective technologies, is uncertain during the maturing of this new technology platform.

In conclusion, GNU remotecontrol firmly believes any approach using only a proprietary technology platform will fail. We hold this position because there would be insufficient resources thinking about, checking on, and helping to improve the technology platform. As you read above, the United States Supreme Court having to decide both the definition of Demand Response and who has the authority to regulate Demand Response illustrates the magnitude of this subject.

OTHER TYPES OF THERMOSTATS?
Many people have asked us about adding other types of thermostats to GNU remotecontrol. There are three questions that need to be answered before we can offer GNU remotecontrol support for any IP thermostat. These questions are:

  • How to CONNECT to it (NETWORK).
  • How to READ from it (CODE).
  • How to WRITE to it (CODE).

It is our hope to have dozens and dozens of thermostat types that work with GNU remotecontrol. Let us know if you designed or manufactured a device and you would like to test it with GNU remotecontrol.

-EXISTING CODE
The stuff you may want to consider…..

BUGS
We have 0 new bugs and 0 fixed bugs since our last Blog posting. Please review these changes and apply to your GNU remotecontrol installation, as appropriate.

TASKS
We have 0 new tasks and 0 completed tasks since our last Blog posting. Please review these changes and apply to your GNU remotecontrol installation, as appropriate.

REMEMBER
GNU remotecontrol relies on OS file access restrictions, Apache authentication, MySQL authentication, and SSL encryption to secure your data. Talk to us if you want to find out how you can further strengthen the security of your system, or if you have suggestions for improving the security of our current system architecture.

-LASTLY
Whatever you do…..don’t get beat up over your Energy Management strategy. GNU remotecontrol is here to help simplify your life, not make it more complicated. Talk to us if you are stuck or cannot figure out the best option for your GNU remotecontrol framework. The chances are the answer you need is something we have already worked through. We would be happy to help you by discussing your situation with you.

…..UNTIL NEXT MONTH!

Why the Affero GPL?


by gnuremotecontrol at December 07, 2014 05:58 PM

cgicc @ Savannah

GNU Cgicc 3.2.16 released

Hello

I am happy to announce the next release of GNU Cgicc.
This release is numbered 3.2.16 .

Description
===========
GNU cgicc is an ANSI C++ compliant class library that greatly
simplifies the creation of CGI applications for the World Wide Web.
cgicc performs the following functions:

  • Parses both GET and POST form data transparently.
  • Provides string, integer, floating-point and single- and multiple-choice retrieval methods for form data.
  • Provides methods for saving and restoring CGI environments to aid in application debugging.
  • Provides full on-the-fly HTML/XHTML generation capabilities, with support for cookies.
  • Supports HTTP file upload with size limit.
  • Compatible with FastCGI.

Changes in 3.2.16: 7 December 2014
==========================

  • Patches

patch #7845: HTTP PUT method support

patch #8581: Added HTML5 Support

Download
========
Gzipped tarballs are available from

ftp://ftp.gnu.org/gnu/cgicc/
or
http://ftp.gnu.org/gnu/cgicc/

and its mirror sites. SHA1 sums may be found there as well.

The web site of GNU cgicc is at:

http://www.gnu.org/software/cgicc/

Sébastien DIAZ <sebastien.diaz@gmail.com>
GNU Cgicc Maintainer

by sebastien diaz at December 07, 2014 05:14 PM

December 05, 2014

FSF Blogs

Reclaiming the PDF from Adobe Reader

While it is still possible to install Adobe Reader on GNU/Linux, Adobe's attempts to hide access to the product for certain users is only one example of its systematic neglect of its GNU/Linux user base, and falls in line with many others as a demonstration of the importance of free software--software that no company or developer can neglect or hide. As the Windows and OSX versions of the software were developed through version 11, the GNU/Linux version was long stuck at version nine. For several years the software has lacked important features, security improvements, and support against malware attacks and other intrusions. Yet, by "locking in" Adobe Reader users and making it difficult for them to migrate to a free software PDF viewer, Adobe has, in effect, degraded the power of the PDF as a free document format, a standard the purpose of which is to be implemented by any potential piece of software and to be compatible with all. The company has abandoned the principle of program-agnostic documents, bringing about a lose-lose situation for all.

By being led to rely on the proprietary software for tasks like sharing documents and filling out forms without the option to use a free software reader in its place, enterprises, the public sector, and institutions of higher learning have also fallen victim to this neglect, all as Adobe insidiously seeks to maintain a hold on its market share. Within institutions such as government--institutions that ought not to rely on any proprietary software, to begin with--it is concerning that Adobe Reader has often been taken to be the only option for interacting with PDF files and for communicating with the electorate.

Thankfully, there are several free software PDF readers available for both GNU/Linux users and users of other operating systems, such as Evince for Gnome and Okular for KDE. These programs are often lauded for being more reliable, user-friendly, and secure than Adobe Reader, and are on the frontier of the many examples of free software programs which outperform their proprietary competitors. If you'd like to view a comparison of these free software PDF readers, alongside a range of other programs that serve the same purpose, pdfreaders.org, a campaign by The Free Software Foundation Europe, is a great place to start.

Also, if you're a programmer, writer, designer, or planner, pitch in to the efforts to improve free software PDF readers, whether by fixing bugs and adding new features, writing documentation, or creating interfaces and graphics. Happy hacking!

December 05, 2014 03:55 PM

December 04, 2014

ghostscript @ Savannah

GNU Ghostscript 9.14.0 released

Since the last GNU GS release Artifex Software have moved from GPL to the GNU Affero GPL V3 the gpl-ghostscript package (at version 9.07), and GNU-GS moved to this license too with this release.

A huge work on new functionalities and bugfixes was done between version 9.06 and 9.14, completely imported in GNU's last version.

Happy printing !

by Didier LINK at December 04, 2014 06:37 PM

denemo @ Savannah

Release 1.2.0 is out now.

New features:

  • Palette Shortcuts
    • Execute Palette Commands from Keyboard
    • Label is typed in
    • Label truncation allowed
    • Switch active palette
    • Works even on hidden palettes
  • Automatic Cues
    • Install Reference to Cued Part
    • Automatically detects difference in clef
    • Changes are automatically reflected in cue
  • Fret Diagrams
    • Can be placed in any score
    • Can be embedded in text
    • Can be re-positioned by dragging
  • Accidental Styles
    • 16 styles available
    • Apply across entire score
  • Lyrics Improvements
    • Choose Font Face
    • Choose Font Size
  • Chord Chart Improvements
    • Interface for Customized Chord Symbols
    • Page size and measures per line control
    • One-off arbitrary chord symbol creation
    • Tailored shortcuts for fast keyboard entry.
  • MIDI information on double-click
    • Timing information
    • Volume (velocity) information.
  • Default Font Faces
    • Choose from system installed fonts
    • Titles, Lyrics etc
    • Chord Names and other sans serif text
    • Mono-spaced font
  • General Improvements
    • More checks for user errors
    • Better flow of notes into new measures.

by Richard Shann at December 04, 2014 09:40 AM

December 03, 2014

FSF Events

Richard Stallman - "Free Software and Your Freedom" (Jaipur, India)

Richard Stallman will speak about the goals and philosophy of the Free Software Movement, and the status and history of the GNU operating system, which in combination with the kernel Linux is now used by tens of millions of users world-wide.

This speech will be nontechnical, admission is gratis, and the public is encouraged to attend.

Registration, which can be done anonymously, while not required, is appreciated; it will help us ensure we can accommodate all the people who wish to attend.

Please fill out our contact form, so that we can contact you about future events in and around Jaipur.

December 03, 2014 10:40 PM

Richard Stallman - "The Free Software Movement" (Liverpool, United Kingdom)

Richard Stallman will speak about the goals and philosophy of the Free Software Movement, and the status and history of the GNU operating system, which in combination with the kernel Linux is now used by tens of millions of users world-wide.

Richard Stallman's speech will be nontechnical, admission is free of charge, and the public is encouraged to attend.

Please fill out our contact form, so that we can contact you about future events in and around Liverpool.

December 03, 2014 02:45 AM

GNUtls

December 02, 2014

Andy Wingo

there are no good constant-time data structures

Imagine you have a web site that people can access via a password. No user name, just a password. There are a number of valid passwords for your service. Determining whether a password is in that set is security-sensitive: if a user has a valid password then they get access to some secret information; otherwise the site emits a 404. How do you determine whether a password is valid?

The go-to solution for this kind of problem for most programmers is a hash table. A hash table is a set of key-value associations, and its nice property is that looking up a value for a key is quick, because it doesn't have to check against each mapping in the set.

Hash tables are commonly implemented as an array of buckets, where each bucket holds a chain. If the bucket array is 32 elements long, for example, then keys whose hash is H are looked for in bucket H mod 32. The chain contains the key-value pairs in a linked list. Looking up a key traverses the list to find the first pair whose key equals the given key; if no pair matches, then the lookup fails.

Unfortunately, storing passwords in a normal hash table is not a great idea. The problem isn't so much in the hash function (the hash in H = hash(K)) as in the equality function; usually the equality function doesn't run in constant time. Attackers can detect differences in response times according to when the "not-equal" decision is made, and use that to break your passwords.

Edit: Some people are getting confused by my use of the term "password". Really I meant something more like "secret token", for example a session identifier in a cookie. I thought using the word "password" would be a useful simplification but it also adds historical baggage of password quality, key derivation functions, value of passwords as an attack target for reuse on other sites, etc. Mea culpa.

So let's say you ensure that your hash table uses a constant-time string comparator, to protect against the hackers. You're safe! Or not! Because not all chains have the same length, "interested parties" can use lookup timings to distinguish chain lookups that take 2 comparisons compared to 1, for example. In general they will be able to determine the percentage of buckets for each chain length, and given the granularity will probably be able to determine the number of buckets as well (if that's not a secret).

Well, as we all know, small timing differences still leak sensitive information and can lead to complete compromise. So we look for a data structure that takes the same number of algorithmic steps to look up a value. For example, bisection over a sorted array of size SIZE will take ceil(log2(SIZE)) steps to find the value, independent of what the key is and also independent of what is in the set. At each step, we compare the key and a "mid-point" value to see which is bigger, and recurse on one of the halves.

One problem is, I don't know of a nice constant-time comparison algorithm for (say) 160-bit values. (The "passwords" I am thinking of are randomly generated by the server, and can be as long as I want them to be.) I would appreciate any pointers to such a constant-time less-than algorithm. However a bigger problem is that the time it takes to access memory is not constant; accessing element 0 of the sorted array might take more or less time than accessing element 10. In algorithms we typically model access on a more abstract level, but in hardware there's a complicated parallel and concurrent protocol of low-level memory that takes a non-deterministic time for any given access. "Hot" (more recently accessed) memory is faster to read than "cold" memory.

Non-deterministic memory access leaks timing information, and in the case of binary search the result is disaster: the attacker can literally bisect the actual values of all of the passwords in your set, by observing timing differences. The worst!

You could get around this by ordering "passwords" not by their actual values but by their cryptographic hashes (e.g. by their SHA256 values). This would force the attacker to bisect not over the space of password values but of the space of hash values, which would protect actual password values from the attacker. You still leak some timing information about which paths are "hot" and which are "cold", but you don't expose actual passwords.

It turns out that, as far as I am aware, it is impossible to design a key-value map on common hardware that runs in constant time and is sublinear in the number of entries in the map. As Zooko put it, running in constant time means that the best case and the worst case run in the same amount of time. Of course this is false for bucket-and-chain hash tables, but it's false for binary search as well, as "hot" memory access is faster than "cold" access. The only plausible constant-time operation on a data structure would visit each element of the set in the same order each time. All constant-time operations on data structures are linear in the size of the data structure. Thems the breaks! All you can do is account for the leak in your models, as we did above when ordering values by their hash and not their normal sort order.

Once you have resigned yourself to leaking some bits of the password via timing, you would be fine using normal hash tables as well -- just use a cryptographic hashing function and a constant-time equality function and you're good. No constant-time less-than operator need be invented. You leak something on the order of log2(COUNT) bits via timing, where COUNT is the number of passwords, but since that's behind a hash you can't use it to bisect on actual key values. Of course, you have to ensure that the hash table isn't storing values in sorted order and short-cutting early. This sort of detail isn't usually part of the contract of stock hash table implementations, so you probably still need to build your own.

Edit: People keep mentioning Cuckoo hashing for some reason, despite the fact that it's not a good open-hashing technique in general (Robin Hood hashes with linear probing are better). Thing is, any operation on a data structure that does not touch all of the memory in the data structure in exactly the same order regardless of input leaks cache timing information. That's the whole point of this article!

An alternative is to encode your data structure differently, for example for the "key" to itself contain the value, signed by some private key only known to the server. But this approach is limited by network capacity and the appropriateness of copying for the data in question. It's not appropriate for photos, for example, as they are just too big.

Edit: Forcing constant-time on the data structure via sleep() or similar calls is not a good mitigation. This either massively slows down your throughput, or leaks information via side channels. Remote attackers can measure throughput instead of latency to determine how long an operation takes.

Corrections appreciated from my knowledgeable readers :) I was quite disappointed when I realized that there were no good constant-time data structures and would be happy to be proven wrong. Thanks to Darius Bacon, Zooko Wilcox-O'Hearn, Jan Lehnardt, and Paul Khuong on Twitter for their insights; all mistakes are mine.

by Andy Wingo at December 02, 2014 10:01 PM
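
The two lookup strategies the article contrasts, as an added example (not Andy Wingo's code): a bucket-and-chain table over SHA-256 digests with a constant-time equality check, and a linear scan that visits every stored digest in the same order. It counts comparisons as a stand-in for timing, so cache effects are not modelled; the class names, `step_counts` and the sample tokens are constructed for illustration.

```python
import hashlib
import hmac

def digest(token: bytes) -> bytes:
    """Order and compare by SHA-256 digest, never by the raw token value."""
    return hashlib.sha256(token).digest()

class ChainedTokenTable:
    """Bucket-and-chain table over digests, with constant-time equality."""

    def __init__(self, tokens, nbuckets=32):
        self.buckets = [[] for _ in range(nbuckets)]
        for token in tokens:
            d = digest(token)
            self.buckets[self._index(d)].append(d)

    def _index(self, d: bytes) -> int:
        return int.from_bytes(d[:4], "big") % len(self.buckets)

    def lookup(self, token: bytes):
        """Return (found, comparisons); walks the whole chain, no early exit."""
        d = digest(token)
        found, comparisons = False, 0
        for stored in self.buckets[self._index(d)]:
            found |= hmac.compare_digest(stored, d)
            comparisons += 1
        return found, comparisons

class LinearTokenSet:
    """Visits every stored digest, in the same order, on every lookup."""

    def __init__(self, tokens):
        self.digests = [digest(token) for token in tokens]

    def lookup(self, token: bytes):
        d = digest(token)
        found, comparisons = False, 0
        for stored in self.digests:
            found |= hmac.compare_digest(stored, d)
            comparisons += 1
        return found, comparisons

def step_counts(table, probes):
    """Distinct comparison counts an observer could tell apart across probes."""
    return {table.lookup(p)[1] for p in probes}

# Constructed sample data: 64 valid tokens and 64 invalid probes.
VALID = [b"valid-token-%d" % i for i in range(64)]
INVALID = [b"guess-%d" % i for i in range(64)]

if __name__ == "__main__":
    print("chained:", sorted(step_counts(ChainedTokenTable(VALID), VALID + INVALID)))
    print("linear: ", sorted(step_counts(LinearTokenSet(VALID), VALID + INVALID)))
```

The chained table reports several distinct counts, one per chain length, which is the leak the article accepts once lookups go through a cryptographic hash; the linear set reports a single count equal to the number of stored tokens.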

December 01, 2014

FSF Blogs

GNU Spotlight with Karl Berry: 21 new GNU releases!

  • acct-6.6.2
  • auctex-11.88
  • bash-4.3.30
  • ccrtp-2.1.1
  • freeipmi-1.4.6
  • gcc-4.9.2
  • gcl-2.6.12
  • gnupg-2.1.0
  • gdb-7.8.1
  • grep-2.21
  • groff-1.22.3
  • guile-ncurses-1.6
  • hello-2.10
  • kawa-1.90
  • libksba-1.3.2
  • librejs-6.0.6
  • libtool-2.4.3
  • parallel-20141122
  • teximpatient-2.4
  • ucommon-6.2.2
  • wget-1.16
  • xboard-4.8.0

To get announcements of most new GNU releases, subscribe to the info-gnu mailing list: http://lists.gnu.org/mailman/listinfo/info-gnu. Nearly all GNU software is available from http://ftp.gnu.org/gnu/, or preferably one of its mirrors (http://www.gnu.org/prep/ftp.html). You can use the url http://ftpmirror.gnu.org/ to be automatically redirected to a (hopefully) nearby and up-to-date mirror.

This month, we welcome Roel Jansen as the author of the new GNU package InklingReader.

A number of GNU packages, as well as the GNU operating system as a whole, are looking for maintainers and other assistance: please see http://www.gnu.org/server/takeaction.html#unmaint if you'd like to help. The general page on how to help GNU is at http://www.gnu.org/help/help.html. To submit new packages to the GNU operating system, see http://www.gnu.org/help/evaluation.html.

As always, please feel free to write to me, karl@gnu.org, with any GNUish questions or suggestions for future installments.

December 01, 2014 06:47 PM

    Friday Free Software Directory IRC meetup: December 5

    Join the FSF and friends on Friday, December 5, from 2pm to 5pm EST (19:00 to 22:00 UTC) to help improve the Free Software Directory by adding new entries and updating existing ones. We will be on IRC in the #fsf channel on freenode.


    Tens of thousands of people visit directory.fsf.org each month to discover free software. Each entry in the Directory contains a wealth of useful information, from basic category and descriptions, to providing detailed info about version control, IRC channels, documentation, and licensing info that has been carefully checked by FSF staff and trained volunteers.


    While the Free Software Directory has been and continues to be a great resource to the world over the past decade, it has the potential of being a resource of even greater value. But it needs your help!


    If you are eager to help and you can't wait or are simply unable to make it onto IRC on Friday, our participation guide will provide you with all the information you need to get started on helping the Directory today!

    December 01, 2014 04:08 PM

    librejs @ Savannah

    GNU LibreJS 6.0.7 released

    There's a new version of LibreJS - version 6.0.7.

    Here are the changes since 6.0.6:
    * Added support for using the BSD 3-Clause license in a JavaScript
    Web Labels table. Thanks to Enoch Root for pointing out that this
    wasn't working.

    * Added a "Web Labels pages being used for this session" list on
    the main display panel.

    * The JavaScript Web Labels section of the LibreJS manual now contains
    a reminder to put a copying permission statement at the beginning of
    each of your source files.

    This project's website is here:
    https://www.gnu.org/software/librejs/

    The source files are here:
    https://ftp.gnu.org/gnu/librejs/librejs-6.0.7.tar.gz (915k)

    And here's the executable you can install in your browser:
    https://ftp.gnu.org/gnu/librejs/librejs-6.0.7.xpi (441k)

    by Nik Nyby at December 01, 2014 04:34 AM

    November 29, 2014

    libtool @ Savannah

    GNU libtool-2.4.4 released [stable]

    Libtoolers!

    The Libtool Team is pleased to announce the release of libtool 2.4.4.

    GNU Libtool hides the complexity of using shared libraries behind a
    consistent, portable interface. GNU Libtool ships with GNU libltdl, which
    hides the complexity of loading dynamic runtime libraries (modules)
    behind a consistent, portable interface.

    This is a bugfix release to clean-up some of the small issues in 2.4.3
    for which you kindly provided patches. There are still some known (and
    unknown!) regressions, especially on unusual platforms. Patches to fix
    those are not only welcome, but necessary to keep Libtool working in
    those places.

    Here are the compressed sources:
    http://ftpmirror.gnu.org/libtool/libtool-2.4.4.tar.gz (1.7MB)
    http://ftpmirror.gnu.org/libtool/libtool-2.4.4.tar.xz (936KB)

    Here are the GPG detached signatures[*]:
    http://ftpmirror.gnu.org/libtool/libtool-2.4.4.tar.gz.sig
    http://ftpmirror.gnu.org/libtool/libtool-2.4.4.tar.xz.sig

    Use a mirror for higher download bandwidth:
    http://www.gnu.org/order/ftp.html

    [*] Use a .sig file to verify that the corresponding file (without the
    .sig suffix) is intact. First, be sure to download both the .sig file
    and the corresponding tarball. Then, run a command like this:

    gpg --verify libtool-2.4.4.tar.gz.sig

    If that command fails because you don't have the required public key,
    then run this command to import it:

    gpg --keyserver keys.gnupg.net --recv-keys 151308092983D606

    and rerun the 'gpg --verify' command.

    This release was bootstrapped with the following tools:
    Autoconf 2.69
    Automake 1.14.1
    Gnulib v0.1-270-g1b6c775

    NEWS

    • Noteworthy changes in release 2.4.4 (2014-11-29) [stable]
      • New features:

    - Libltdl maintains its own fork of argz, with macros and files in
    the LT_ and lt__ namespaces (resp.) where they cannot clash with
    client projects' use of gnulib argz.

      • Bug fixes:

    - Installation of 'libtoolize' once again obeys '--program-prefix',
    '--program-suffix' and '--program-transform-name' configure options.

    - `libtoolize` doesn't remove any files that it can't reinstall,
    including old versions of the snippet directory, and gnulib's
    version of the argz module and supporting files.

    - LT_FUNC_DLYSM_USCORE now works correctly on systems that don't
    support self dlopen()ing.

      • Important incompatible changes:

    - LT_LIB_DLLOAD no longer prepends -ldl or -ldld to LIBS, causing
    duplicate occurrences in libltdl link lines. If you need to
    add a library for dlopen() or shl_load() in your Makefile, then
    use $(LIBADD_DLOPEN) or $(LIBADD_SHL_LOAD) respectively. If you
    are using libltdl, this all happens automatically, and the only
    difference you'll see is no more duplicated library names in the
    verbose link line.

      • Changes in supported systems or compilers:

    - Preliminary support for tcc on linux*. Although it already worked
    sometimes in previous releases, making sure to set LD correctly now
    avoids mis-matching GNU ld with tcc:

    ./configure CC=tcc LD=tcc

    - Added -os2dllname option to work around 8 character base name
    limit on OS/2. The option has no effect on other systems.

    - Support for DLL versioning, -export-symbols and -export-symbols-regex
    on OS/2.

    - Support filename-based shared library versioning on AIX. See manual
    for details.

    Enjoy!

    by Gary V. Vaughan at November 29, 2014 06:21 PM