prisoninmate quotes a report from Softpedia: A year ago, we told you that, after ten long years, the Debian Project finally found a way to switch their rebranded Iceweasel web browser back to Mozilla Firefox, both the ESR (Extended Support Release) and normal versions, but one question remained: what about the Mozilla Thunderbird email, news, and calendar client? Well, that question has an official answer today, as the Mozilla Thunderbird packages appear to have landed in the Debian repositories as a replacement for Icedove, the rebranded version that Debian Project was forced to use for more than ten years due to trademark issues. "Thunderbird is back in Debian! We also renamed other related packages to use official names, e.g. iceowl-extension -> lightning. For now, we need testers to catch existing issues and things we haven't seen until now," said Christoph Goehre in the mailing list announcement. You can find out how to migrate your Icedove profiles to Thunderbird via Softpedia's report.

ZDNet summarizes some of the surprises in this year's poll on LinuxQuestions, "one of the largest Linux groups with 550,000 member". An anonymous reader quotes their report: The winner for the most popular desktop distribution? Slackware...! Yes, one of the oldest of Linux distributions won with just over 16% of the vote. If that sounds a little odd, it is. On DistroWatch, a site that covers Linux distributions like paint, the top Linux desktop distros are Mint, Debian, Ubuntu, openSUSE, and Manjaro. Slackware comes in 28th place... With more than double the votes for any category, it appears there was vote-stuffing by Slackware fans... The mobile operating system race was a runaway for Android, with over 68% of the vote. Second place went to CyanogenMod, an Android clone, which recently went out of business...

Linux users love to debate about desktop environments. KDE Plasma Desktop took first by a hair's breadth over the popular lightweight Xfce desktop. Other well-regarded desktop environments, such as Cinnamon and MATE, got surprisingly few votes. The once popular GNOME still hasn't recovered from the blowback from its disliked design change from GNOME 2 to GNOME 3.

Firefox may struggle as a web browser in the larger world, but on Linux it's still popular. Firefox took first place with 51.7 percent of the vote. Chrome came in a distant second place, with the rest of the vote being divided between a multitude of obscure browsers.
LibreOffice won a whopping 89.6% of the vote for "best office suite" -- and Vim beat Emacs.

Debian 8.7 has been released. An anonymous reader quotes Debian.org: This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available. Please note that this update does not constitute a new version of Debian 8 but only updates some of the packages included.

There is no need to throw away old "jessie" CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated. Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.
86 packages have been updated -- including some fixes for systemd. ("Rework logic to determine when we decide to add automatic deps for mounts; various ordering fixes for ifupdown; systemctl: Fix argument handling when invoked as shutdown...")

Friday Linux.com published their list of "what might well be the best Linux distributions to be found from the ever-expanding crop of possibilities... according to task." Here's their winners (as chosen by Jack Wallen), along with a short excerpt of his analysis.

• Best distro for sysadmins : Parrot Linux. "Based on Debian and offers nearly every penetration testing tool you could possibly want. You will also find tools for cryptography, cloud, anonymity, digital forensics, programming, and even productivity."
• Best lightweight distribution: LXLE. "Manages to combine a perfect blend of small footprint with large productivity."
• Best desktop distribution: Elementary OS "I'm certain Elementary OS Loki will do the impossible and usurp Linux Mint from the coveted 'best desktop distribution' for 2017."
• Best Linux for IoT: Snappy Ubuntu Core "Can already be found in the likes of various hacker boards (such as the Raspberry Pi) as well as Erle-Copter drones, Dell Edge Gateways, Nextcloud Box, and LimeSDR."
• Best non-enterprise server distribution: CentOS. "Since 2004, CentOS has enjoyed a massive community-driven support system."
• Best enterprise server distribution: SUSE. "Don't be surprised if, by the end of 2017, SUSE further chips away at the current Red Hat market share."

Wallen also chose Gentoo for "Best distribution for those with something to prove," saying "This is for those who know Linux better than most and want a distribution built specifically to their needs... a source-based Linux distribution that starts out as a live instance and requires you to then build everything you need from source." And surprisingly, he didn't mention his own favorite Linux distro, Bodhi Linux, which he describes elsewhere as "a melding of Ubuntu and Enlightenment".

An anonymous reader writes: According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, during 2016, security researchers have discovered and reported 523 security bugs in Google's Android OS, winner by far of this "award." The rest of the top 10 is made up by Debian (319 bugs), Ubuntu (278 bugs), Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).

When it comes to software vendors, the company for which the largest number of new CVE numbers have been assigned was Oracle, with a whopping 798 CVEs, who edged out Google (698 bugs), Adobe (548 bugs), Microsoft (492 bugs), Novell (394), IBM (382 bugs), Cisco (353 bugs), Apple (324 bugs), Debian Project (320 bugs), and Canonical (280 bugs).

From a report on BetaNews: If you own a Raspberry Pi, you're probably familiar with PIXEL. The desktop environment is included in the Raspbian OS. The Raspberry Pi Foundation describes PIXEL as the "GNU/Linux we would want to use" and understandably so. It offers a smart, clean interface, a decent selection of software, the Chromium web browser with plug-ins, and more -- and from today it's available for PC and Mac. The version of Debian+PIXEL for x86 platforms is described as "experimental" but having taken it for a spin, it seems pretty stable to me. To run PIXEL on your PC or Mac, download the image, burn it onto a DVD or flash it onto a USB memory stick, and boot from it. The desktop environment will load ready for use.

Long-time Slashdot reader Billly Gates writes, "For all the systemd haters who want a modern distro feel free to rejoice. The Debian fork called Devuan is almost done, completing a daunting task of stripping systemd dependencies from Debian." From The Register: Devuan came about after some users felt [Debian] had become too desktop-friendly. The change the greybeards objected to most was the decision to replace sysvinit init with systemd, a move felt to betray core Unix principles of user choice and keeping bloat to a bare minimum. Supporters of init freedom also dispute assertions that systemd is in all ways superior to sysvinit init, arguing that Debian ignored viable alternatives like sinit, openrc, runit, s6 and shepherd. All are therefore included in Devuan.
Devuan.org now features an "init freedom" logo with the tagline, "watching your first step. Their home page now links to the download site for Devuan Jessie 1.0 Beta2, promising an OS that "avoids entanglement".

msm1267 quotes a report from Threatpost: A vulnerability in cryptsetup, a utility used to set up encrypted filesystems on Linux distributions, could allow an attacker to retrieve a root rescue shell on some systems. From there, an attacker could have the ability to copy, modify, or destroy a hard disk, or use the network to exfiltrate data. Cryptsetup, a utility used to setup disk encryption based on the dm-crypt kernel module, is usually deployed in Debian and Ubuntu. Researchers warned late last week that if anyone uses the tool to encrypt system partitions for the operating systems, they're likely vulnerable. Two researchers, Hector Marco of the University of the West of Scotland and Ismael Ripoll, of the Polytechnic University of Valencia, in Spain, disclosed the vulnerability on Friday at DeepSec, a security conference held at the Imperial Riding School Renaissance Vienna Hotel in Austria. According to a post published to the Full Disclosure mailing list, the vulnerability (CVE-2016-4484) affects packages 2.1 and earlier. Systems that use Dracut, an infrastructure commonly deployed on Fedora in lieu of initramfs -- a simple RAM file system directory, are also vulnerable, according to the researchers. The pair say additional Linux distributions outside of Debian and Ubuntu may be vulnerable, they just haven't tested them yet. The report adds: "The problem stems from the incorrect handling of a password check when a partition is ciphered with LUKS, or Linux Unified Key Setup, a disk encryption specification that's standard for Linux. Assuming an attacker has access to the computer's console, when presented with the LUKS password prompt, they could exploit the vulnerability simply by pressing 'Enter' over and over again until a shell appears. The researchers say the exploit could take as few as 70 seconds. After a user exceeds the maximum number of three password tries, the boot sequence continues normally. Another script in the utility doesn't realize this, and drops a BusyBox shell. After carrying out the exploit, the attacker could obtain a root initramfs, or rescue shell. Since the shell can be executed in the initrd, or initial ram disk, environment, it can lead to a handful of scary outcomes, including elevation of privilege, information disclosure, or denial of service."

"Debian developer Cyril Brulebois was pleased to announce this past weekend the release and immediate availability of the eighth Alpha development snapshot of the Debian GNU/Linux 9 'Stretch' installer," reports Softpedia. An anonymous reader quotes their article: It's been four long months since Alpha 7 of Debian GNU/Linux 9 "Stretch" hit the testing channels back in July, but the wait was worth it as the Alpha 8 release adds a huge number of changes, starting with initial support for the GNU Screen terminal multiplexer and lots of debootstrap fixes, which now defaults to merged-/usr.

"debootstrap now defaults to merged-/usr, that is with /bin, /sbin, /lib* being symlinks to their counterpart in /usr (more details on: https://lists.debian.org/debian-devel/2016/09/msg00269.html)," wrote Cyril Brulebois in the mailing list announcement, where it states that default debootstrap mirror was switched to deb.debian.org.

Slashdot reader ttsiod is an embedded software engineer at the European Space Agency, and shares this story about his quest to "dominate" his new tablet: Just like it's predecessor, I wanted to run a Debian chroot inside it -- that would allow me to apt-get install and run things like Privoxy, SSH SOCKS/VPN tunnels, Flask mini-servers, etc; and in general allow me to stay in control. But there was no open-source way to do this... and I could never trust "one-click roots" that communicate with servers in China... It took me weeks to reverse engineer my tablet -- and finally succeed in becoming root. The journey was quite interesting, and included both hardware and software tinkering. I learned a lot while doing it -- and wanted to share the experience with my fellow Slashdotters...
He writes that "I trust Debian. Far more than I trust the Android ecosystem," and describes everything from how he probed the boot process and created his own boot image to hunting for a way "to tell SELinux to get off my lawn".

An anonymous reader writes: System administrator Andrew Ayer has discovered a potentially critical bug in systemd which can bring a vulnerable Linux server to its knees with one command. "After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system." According to the bug report, Debian, Ubuntu, and CentOS are among the distros susceptible to various levels of resource exhaustion. The bug, which has existed for more than two years, does not require root access to exploit.

Raspberry Pi Foundation's Simon Long has unveiled a new desktop environment for the Debian-based Raspbian GNU/Linux operating system for Raspberry Pi devices. From a Softpedia report (submitted by an anonymous reader):Until today, Raspbian shipped with the well-known and lightweight LXDE desktop environment, which looks pretty much the same as on any other Linux-based distribution out there that is built around LXDE (Lightweight X11 Desktop Environment). But Simon Long, a UX engineer working for Raspberry Pi Foundation, was hired to make it better, transform it into something that's more appealing to users. So after two years of work, he managed to create a whole new desktop environment for Raspbian, the flagship operating system for Raspberry Pi single-board computers developed and distributed by Raspberry Pi Foundation. Called PIXEL, the new Raspbian desktop offers a more eye-candy design with the panel on top (not on the bottom like on a default LXDE setup), new icons, new Applications Menu, and new theme. "It's actually surprisingly easy to hack about with the LXDE desktop once you get your head around what all the bits do, and since then I've been slowly chipping away at the bits that I felt would most benefit from tweaking," reveals Simon Long. "Stuff has slowly been becoming more and more like my original concept for the desktop; with the latest changes, I think the desktop has reached the point where it's a complete product in its own right and should have its own name."

A new announcement on their web site reads: LinuxScreenshots.org is closed. An archive of all screenshot tours from this site has been made freely available to the community, which consists of 2300 releases from 580 distributions. You may download this archive for fun, or to start your own Linux screenshots website. Please help seed torrents. I contacted the site's owner, who confirmed the news, saying their goal is to let the community take control of the screenshots. The archives are available on Dropbox and BitTorrent.

prisoninmate writes: What's Kali Linux 2016.2? Well, it's an updated Live ISO image of the popular GNU/Linux distribution designed for ethical hackers and security professionals who want to harden the security of their networks, which contains the latest software versions and enhancements for those who want to deploy the OS on new systems. It's been quite some time since the last update to the official Kali Linux Live ISOs and new software releases are announced each day, which means that the packages included in the previous Kali Linux images are very old, and bugs and improvements are always implemented in the most recent versions of the respective security tools. Best of all, the new Kali Linux 2016.2 release comes in KDE, MATE, Xfce, LXDE, and Enlightenment E17 flavors.
Their blog also points out that Kali recently appeared in an episode of Mr. Robot.

An anonymous Slashdot reader writes: I'm surprised this hasn't surfaced on Slashdot already, but yesterday Phoronix reported that systemd will soon be handling file system mounts, along with all the other stuff that systemd has encompassed. The report generated the usual systemd arguments over on Reddit.com/r/linux with Lennart Poettering, systemd developer and architect, chiming in with a few clarifications.
Lennart argued it will greatly improve the handling of removable media like USB sticks.

An anonymous Slashdot reader writes: Hacking researchers have uncovered a new attack technique which can alter the memory of virtual machines in the cloud. The team, based at Vrije Universiteit, Amsterdam, introduced the attack, dubbed Flip Feng Shui (FFS)...and explained that hackers could use the technique to crack the keys of secured VMs or install malicious code without it being noticed...

Using FFS, the attacker rents a VM on the same host as their chosen victim. They then write a memory page which they know exists on the vulnerable memory location and let it de-duplicate. The identical pages, with the same information, will merge in order to save capacity and be stored in the same part of memory of the physical computer. This allows the hacker to change information in the general memory of the computer.
The researchers demonstrated two attacks on Debian and Ubuntu systems -- flipping a bit to change a victim's RSA public key, and installing a software package infected with malware by altering a URL used by apt-get. "Debian, Ubuntu and other companies involved in the research were notified before the paper was published, and have all responded to the issue."

"I just set up a lot of Onion Services for many of Debian's static websites," announced Debian sys-admin Peter "weasel" Palfrader on Friday. "You can find the entire list of services on onion.debian.org. More might come in the future." Longtime Slashdot reader alfino writes: Yay for privacy. We don't care about where you come from, and now you don't even have to tell anyone that you're using Debian. The archive at ftp.debian.org is already in the list. Support for more redundant Debian archive access is expected to come When It's Ready.

An anonymous Slashdot reader writes: "This is one of the coolest tickets I've seen on GitHub," writes Ubuntu developer Adolfo Jayme Barrientos, adding "this kind of surreal compatibility between platforms is now enabled...the fact that you can execute and use Linux window managers there, without virtual machines, is simply mind-blowing."

"The Windows 10 Anniversary Update coming in August includes an unusual feature aimed at developers: an Ubuntu sub-system that lets you run Linux software using a command-line interface," explains Liliputing.com "Preview versions have been available since April, and while Microsoft and Canonical worked together to bring support for the Bash terminal to Windows 10, it didn't take long for some users to figure out that they could get some desktop Linux apps to run in Windows. Now it looks like you can even load Ubuntu's Unity desktop environment, making windows 10 look like Ubuntu.

gosand writes: According to a story on The Register, the death of Ian Murdock in late 2015 has been ruled a suicide. This news brings some closure to the sad ending of his life. An interesting note from the article that I never knew before: "he was the Ian in Debian; his girlfriend at the time, Debra Lynn, was the Deb." Debian has truly been a cornerstone in the Linux world, and the founder will be missed. The medical report was obtained on Wednesday by CNN journalists.

Slashdot reader Type44Q writes: The Linux Mint team announced the immediate availability of their latest release, Mint 18 "Sarah," in Cinnamon and MATE flavors. These follow on the heels of their respective beta versions, which have been out for nearly a month.
"Linux Mint 18 is a long-term support release which will be supported until 2021," the team announces on MATE's "new features" page, adding they've improved their update manager, included support for the Debian syntax of "apt", and are working on the "X-Apps" project to "produce generic applications for traditional GTK desktop environments...to replace applications which no longer integrate properly outside of a particular environment."