cron.weekly issue #98: Caddy, Equifax, Struts, Curl, Arch, compsize, CentOS & more



Mattias Geniar, September 17, 2017


Welcome to cron.weekly issue #98 for Sunday, September 17th, 2017.

A bit of an atypical issue, this one, with a lot of news about the community & open source projects, and a fair amount of web-related content. Should keep you busy for at least a coffee or 2. Or when you’re in line at the bakery. Or still lying in bed. Yes, I envy you.

Totally unrelated, tomorrow’s my birthday, so here’s my BTC address for donations: ha, just kidding!

Take care folks!

News

The hackers who broke into Equifax exploited a flaw in open-source server software

An Apache Struts flaw that had gone unpatched for several months appears to have been the cause of the massive Equifax breach, disclosed 2 weeks ago. There are lots of good write-ups about the breach in other locations, too.

Apache Struts Statement on Equifax Security Breach

… and here’s the Apache Project’s response to said breach, explaining their approach to security releases and how those are handled.

Give away your code, but never your time

This post makes several good arguments as to why open source project maintainers should (or: could) be compensated financially for their time in running & managing the project, donated by the community that uses it.

Conference Radar

A list of – mostly US based – tech conferences and upcoming Calls For Presentations, for those who like to present at these conferences.

Chrome’s Plan to Distrust Symantec Certificates

If you happen to have certificates issued by Symantec, be aware that Chrome plans to mark them all as untrusted in one of the upcoming releases, as Symantec violated the rules of engagement for Certificate Authorities. If you’re worried about your site certificates (or HTTPS in general) I suggest having a look at the Oh Dear! app; the beta opens soon and will help give visibility into these kinds of CA revocations & general certificate errors.

The React license for founders and CTOs

This isn’t a very technical post, but it gives you great insights into the open source licensing used by Facebook and how they used & bought license patents in order to defend themselves in lawsuits. If you think legacy code is complicated, you should dive into the world of Microsoft Open Source licensing!

Curl’s backdoor threat

Say you’ve got an open source project used on more than 3 billion instances: what would you do to protect that project? The maintainer of Curl explains in this post.

IPv10 follow-up

Last week I mentioned IPv10, but many readers were right in pointing out that this is mostly a fake proposal not based on real world usage. I stand corrected and shouldn’t have included it in the previous issue. It sounded good (“IPv4 + IPv6 = IPv10”), but you can forget about IPv10. For now.

One more anecdotal Internet Protocol version

This post gives actual feedback & arguments for why that IPv10 post is a load of rubbish.

Public money, public code

Why is software created using taxpayers’ money not released as Free Software? This petition aims to have publicly financed software developed for the public sector made publicly available under a Free and Open Source Software licence. I endorse!

Introducing Atom-IDE

GitHub’s code editor, Atom, now has support for a fully featured IDE (Integrated Development Environment), elevating it from a code editor to a full development environment. I’m using the beta now and it’s pretty solid!

Caddy Commercial Licenses

To further aid open source development, the Caddy webserver now offers commercial licenses to help fund the project. It also caused a fair bit of commotion around an additional HTTP header that was added to the free version to thank sponsors, and that was later removed again.

Windows for Linux nerds

Jess Frazelle, of Docker fame, recently joined the Windows team. As a die-hard Linux & container user, that’s an interesting move to make. Lots of background on WSL (Windows Subsystem for Linux) & how system calls get translated.

Linux and me: Why I fell in love with Arch Linux

Well, not me, per se, but the author makes several good arguments why someone might consider Arch Linux. Even if you’re not planning to, there’s a lot of background & terminology used by Arch in this post that can clarify a thing or two.

tl;dr legal

Software Licenses in Plain English: this site lets you look up popular software licenses and get them summarized at a glance.

Pytosquatting

An interesting project that aims to get statistics on how often misspelled or “typosquatted” packages on PyPi (Python package manager) get installed by accident.

Tools & Projects

Get full-stack observability with Datadog

Go from a global view of your infrastructure to inspecting an individual request trace, all in one developer-friendly platform. Start a free 14-day trial. (Sponsored)

squash

Squash is a “debugger for microservices” and allows for live debugging of containers, pods, services, … by setting breakpoints and tracing code. Looks very powerful!

Security Tools

This has to be the biggest compiled list of security tools for Linux I ever saw. Just reading the titles will keep you occupied for hours, let alone actually understanding what each one does! (note: there’s pagination at the top)

compsize

compsize takes a list of files (given as arguments) on a btrfs filesystem and measures used compression types and effective compression ratio.

Sublime Text 3.0

After 4 years of development, Sublime Text 3 is out: a refreshed UI theme, new color schemes, and a new icon. Some of the other highlights are big syntax highlighting improvements, touch input support on Windows, Touch Bar support on macOS, and apt/yum/pacman repositories for Linux.

CentOS 7.4

It took a bit longer than usual (more details in the post), but CentOS 7.4 is out and available for updates. Includes a modern OpenSSL version, a lot of package updates, stronger ciphers in OpenSSH, …

nulis

Nulis is an open source tree editor for writers, inspired by Gingko.

ptexplore

A simple tool to print the page table content of a process in Linux. Useful for predicting page faults.

zircon

Zircon is the core platform that powers the Fuchsia OS (a real-time OS by Google). Zircon is composed of a microkernel (source in kernel/…) as well as a small set of userspace services, drivers, and libraries (source in system/…) necessary for the system to boot, talk to hardware, load userspace processes and run them, etc. Fuchsia builds a much larger OS on top of this foundation.

Guides & Tutorials

Free continuous delivery eBook from GoCD

This free reference guide will take you back to the basics. You’ll find visuals and definitions on key concepts and questions you need to answer about your teams to determine your readiness for continuous delivery. Download and share with your team. (Sponsored)

A first look at CoreDNS

A practical glance at CoreDNS, the DNS server that started as a fork of the Caddy webserver and relies on plugins & middleware to let you supply your own data as DNS results.

DNS query/response logging with dnstap

Jan-Piet is on a roll, so here’s a 2nd article from his blog: dnstap offers a standardised way of logging both DNS requests and responses in a performant way.

Build a fast, secured and free static site in less than 3 hours

A step-by-step guide to using Hugo, the static site generator, together with Git to set up your own fast little website.

Deprecated Linux networking commands and their replacements

This is already an older post (2011!), but I still find myself using deprecated commands on a near daily basis. It’s hard to get ifconfig/route/arp out of a hardwired brain!

Pain(less) NGINX Ingress on Kubernetes

A lot of good details on using the Nginx ingress controller in your Kubernetes environment, with plenty of technical details on queue dropping, latency, response times, monitoring, …

30 interesting commands for the Linux shell

It’s a shameless link-post, but there’s some good content in here; watch, readlink, ulimit, w, nohup, … plenty of good commands to refresh your Linux memory.
