Google Chrome will no longer support HTTP/2 on vanilla 14.04 after May 15th [0], even if you're using the latest official upstream NGINX packages. This is because 14.04 ships with a version of OpenSSL that does not support the ALPN extension (prior to OpenSSL 1.0.2 you're limited to NPN, now deprecated). There was a bit of back-and-forth about the exact date, as the change was originally scheduled for earlier. However, Chrome decided to specifically push back the date so that there would be an Ubuntu LTS release available with the required support [1]. If you're still stuck on SPDY, that's going to be dropped too, so there's really no good reason not to simply use HTTP/2 at this point.
[0] http://blog.chromium.org/2016/02/transitioning-from-spdy-to-...
[1] https://bugs.chromium.org/p/chromium/issues/detail?id=557197
The ppa[1] notes there's a newer version[2] also
[1] https://launchpad.net/~nginx/+archive/ubuntu/development
[2] https://launchpad.net/ubuntu/+source/nginx/1.9.15-0ubuntu1
nginx recommends using mainline over stable: "We recommend that in general you deploy the NGINX mainline branch at all times." [1]
The stable branch will fork from the mainline branch shortly. The version shipped in 16.04 is very close to what the stable will be, because the fork hadn't taken place before 16.04's release. I expect there to be very few changes, which is why (as someone else pointed out) we expect to update 16.04 to the stable branch as soon as it is available.
> The ppa[1] notes there's a newer version[2] also
That's just noting that the version released in 16.04 is newer than the version provided in the PPA.
> Nginx's own development PPA
Actually it's a PPA maintained by a team that care about Nginx's availability in Ubuntu. In this case, the uploads to that PPA were made by the very same person who looks after the official Ubuntu Nginx packages available to Ubuntu users by default.
Is this outdated or not applicable to servers?
Either way, personally I would never upgrade a server in place these days. Treat your servers like cattle not pets: Rebuild from new base image, validate, put into LB/proxy, terminate old stack.
However, you can also "upgrade" your stack by building a new image using 16.04 from scratch, and that doesn't need to wait until 16.04.1.
http://caniuse.com/#feat=spdy (77.39% global)
http://caniuse.com/#feat=http2 (70.15% global)
[0] https://wiki.ubuntu.com/XenialXerus/ReleaseNotes#HTTP.2F2_su...
Does this mean 14.04 with Apache 2.2 is affected? Their blog doesn't explain and leaves plenty of people confused...
No need for bash scripts, custom watchdog and daemonise tools, etc.
Friends don't let friends write shell scripts targeting bash.
For context: Bash is not available|installed everywhere, and has some inter-version weirdness.
Write clean, posix-compliant shell scripts (i.e. target /bin/sh commonly referred to as bourne shell) and you're in a much better position.
On Debian your script will be run by Dash, on OS X it will be run by Bash, on Ubuntu or RedHat it could be different again, but the point is, they are specifically running in POSIX mode, so that you get reliable, reproducible results across systems and even across Bash versions.
Can you cite some sources here? No one knows what you're talking about.
https://www.freedesktop.org/software/systemd/man/systemd.ser...
There's going to be a 16.04.1 release just 3 months away from the initial LTS release; I believe it is just for that.
https://wiki.ubuntu.com/TrustyTahr/ReleaseSchedule - this schedule is for 14.04, but I believe it's been the same for quite a few years already.
For that matter, Ubuntu 14.04 is still supported for another two years, and that's still upstart.
The big deal now is that all the major distributions support the same mechanism.
Now, I would love to know, if I'm a maintainer of Foo (and you can get it today via `apt-get install foo`), how will I be able to start packaging using snap rather than relying on deb packages that come from debian? I'd love any feedback, cheers!
Bleargh. More container bullshit, now with even less control over it by end users. Now each tiny library update (think OpenSSL security fixes) will pull hundreds of "snaps" instead of a single package… assuming the developers even realize they have to rebuild their snaps.
If I want to install software that's outside the stuff that the packagers have prepared, like Firefox with correct KDE integration on Kubuntu, I am relying on a number of hard to track things working correctly together. Which they have regularly failed to do for me in the past.
Contrast to the OSX install experience: An application is a folder which contains everything related to the application that the base system does not provide. It's brilliant. Installing is copying. Uninstalling is deleting. As a user I feel more in control of the process than with apt.
Depending on the software stack you're looking at, dependency isolation might or might not make sense. I think OSX and Windows both are good case studies that show that some level of isolation is sensible.
Do you think that's worse than the alternative where each tiny (shared) library update potentially breaks hundreds of programs?
Good thing I abandoned Ubuntu a long time ago.
`apt-get` is depreciated, they've moved to just plain `apt`
`apt install foo`
I'd very much prefer to standardize on plain apt, but it doesn't seem ready yet.
https://developer.ubuntu.com/en/snappy/build-apps/
The ubuntu developer page has a good description of snaps and how to create them.
In short it's a package that contains all its dependencies.
The security of the MD5 has been severely compromised, with its weaknesses having been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use". [1]
I.e. what's "broken" about MD5 is if you have a lot of CPU time and I allow you to give me two unrelated blobs, you can craft those blobs to have the same MD5 sum.
What's not "broken" (beyond a theoretical 2^123.4 attack) with MD5 and not broken at all for SHA1 is preimage attacks. E.g. if I work for Canonical, make an Ubuntu ISO and you have to produce a malicious ISO with the same MD5 sum.
We should be considerate of collision / preimage attacks, but please don't spread FUD by conflating the two. Publishing MD5 sums for ISOs is just fine.
Yes, MD5 preimage resistance is not broken (to a reasonable degree).
If you have the Ubuntu 16.04 ISO (you do), and if you have its hash, the attack to craft a different ISO with the same hash is a collision attack.
A preimage attack is if you had some hash y where y=H(x) where x is some file/whatever, and trying to find out possible values of u that give rise to y when you do H(u), without the knowledge of x.
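The two attack models debated above, measured on a toy hash. This is an added example, not code from any commenter: MD5 is truncated to 18 bits (an assumption, so that brute force finishes in well under a second) and the "published ISO" is a constructed byte string. A collision lets the attacker choose both inputs; a second preimage fixes one of them in advance.

```python
import hashlib
from itertools import count

BITS = 18  # toy digest size chosen for the demo; real MD5 is 128 bits


def toy_hash(data: bytes) -> int:
    """Top BITS bits of MD5, so the searches below finish quickly."""
    digest = hashlib.md5(data, usedforsecurity=False).digest()
    return int.from_bytes(digest, "big") >> (128 - BITS)


def find_collision():
    """Attacker chooses BOTH inputs: birthday search, about 2**(BITS/2) tries."""
    seen = {}
    for i in count():
        msg = b"blob-%d" % i
        h = toy_hash(msg)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_second_preimage(target: bytes):
    """One input is FIXED in advance: about 2**BITS tries."""
    want = toy_hash(target)
    for i in count():
        msg = b"forged-%d" % i
        if msg != target and toy_hash(msg) == want:
            return msg, i + 1


if __name__ == "__main__":
    a, b, n_coll = find_collision()
    print(f"collision after {n_coll} tries: {a!r} / {b!r}")
    genuine = b"constructed stand-in for the published ISO"
    forged, n_pre = find_second_preimage(genuine)
    print(f"second preimage after {n_pre} tries: {forged!r}")
```

The gap between the two counts grows exponentially with digest size: roughly 2^(n/2) against 2^n for an n-bit hash with no structural weakness.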
Any insight?
$ gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg --verify SHA256SUMS{.gpg,}
gpg: Signature made Thu 21 Apr 2016 10:40:38 UTC using DSA key ID FBB75451
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
gpg: Signature made Thu 21 Apr 2016 10:40:38 UTC using RSA key ID EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
$ sha256sum --ignore-missing -c SHA256SUMS
ubuntu-16.04-desktop-amd64.iso: OK
(You can ignore the `WARNING`s above, since you're explicitly telling `gpg` to use a keyring you trust)
PS. anyone know of a CLI download tool that supports this format of GPG signatures?
edit: why the downvotes for the parent? it's a fine question
Coincidentally it requires the checksum to be propagated through another, more secure means, so distributing the checksum on the very same site increases the chance for an attacker to act, however there is no other way as widespread as this to give the checksum anyway.
It's okay though, I honestly feel we can take most of what we learned and apply it to the Commodore 64, which, while closed source, most "black hat" hackers can patch the kernel of to include execution of the Binaries Formerly Known As Ubuntu.
The process will be different, though: After powering on the system and reaching the READY string signaling the BASIC interpreter, you'll POKE the unicode name-string of the package you want to update to the user space at $C000, then execute an SYS command to set the CPU's program counter to the vector of the package installation.
Screenshot: https://imgur.com/nvsf24E
At the moment, I think Unity is the only one that is not a horrendous misdesign (Gnome 3) or consists of a shoddy and insecure plugin framework that is a moving target stability wise (Gnome 3 and Cinnamon). I never liked the fussiness and the looks of KDE. So far, Unity has been the most stable, configurable (Compiz) and, most importantly, productive experience for me.
I can also recommend Cinnamon.
It's nice to have good choices that use the old paradigms.
XFCE 4.12 pretty much feels exactly like Gnome 2 towards the end.
I'm hoping Owncloud starts to use Snaps.
There were some issues with earlier Ubuntu/Linux/BIOS versions, but most have disappeared with new releases. The last one is a palm detection issue with the touchpad, but it should be fixed in 16.04. And if you can't wait, at least you can fix things yourself if you want.
> sudo: unable to resolve host ubuntu-xenial
> mesg: ttyname failed: Inappropriate ioctl for device
I hope this PR (https://github.com/mitchellh/vagrant/pull/7241) gets merged because the private_network issue has been around since 15.04
You can downgrade VirtualBox, dropping to 5.0.16 worked for me: http://download.virtualbox.org/virtualbox/5.0.16/
https://blog.mozilla.org/futurereleases/2016/04/21/firefox-d...
$ hardening-check ./firefox
./firefox:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: no, not found!
Immediate binding: no, not found!
Absolutely ridiculous given the amount of vulns likely to linger in its codebase.
It should also be noted that Firefox is one of the few packages that Canonical keeps aligned with Mozilla releases (even 12.04 LTS has the latest firefox), and:
$ hardening-check /usr/lib/firefox/firefox
/usr/lib/firefox/firefox:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
A welcome and saner default. I'm thinking of moving back to Ubuntu from LinuxMint (I was thinking of Arch as well but not too confident of being on the bleeding edge).
The last major show stopper I can recall was when Arch dropped security hooks from the kernel and I had to get rid of my MAC.
I used to hate on Ubuntu, but on my 2014 MacBook Pro, it was the one distro that "just worked", and since I mostly run Debian servers, I figure sticking to the similar ecosystem reduces mental load of switching.
I still have my issues with Shuttleworth and Canonical, but hey, it's Linux, so I can remove the crap I don't like (unlike some things, staring at you Windows 10).
I clicked the Start Menu. Fully half of it was made up of flashing animated crap - things moving about, very colourful adverts, the actual things I wanted to do were obscured by it.
I tried a few machines. They did the same thing. Maybe it's a manufacturer default.
Hey, maybe it's customizable. I don't know. It just struck me as being so far from what I think of a computer as being - not a tool to be used, but a flashy, childish entertainment box, like a children's rainbow cake.
My ego betrays me at this point, I suppose. I don't understand how the engineers at Microsoft got to this point.
It reminds me a lot of the Xbox 360 dashboard. That was the point I left 'mainstream' video gaming - it felt like my hackery, fun world had turned into a world of consuming advertising, of subscribing, of being someone else's plaything. Perhaps it was always like that, and I was too young to see?
Also, see: https://github.com/dfkt/win10-unfuck
sudo do-release-upgrade
or if you're on a server sudo do-release-upgrade -d
although they don't recommend doing that on a production server because the .1 release usually has a lot of bugfixes.
It took about half an hour followed by a reboot. Occasionally had to intervene to tell it to overwrite config files I hadn't touched or to let me do a merge if I had.
Obviously make sure you have backups first.
Another thing I've done is keep /home on a separate partition so I can nuke everything else for a clean install if needed. In such cases, I backup the /etc directory beforehand to recover configuration details as needed.
1) If you use the nvidia drivers from the graphics-drivers PPA, starting the default non-root X server will hang with no graphics output. Installing xserver-xorg-legacy fixes this.
2) LXC+Linux 4.4 seems to be very broken: https://github.com/lxc/lxd/issues/1666#issuecomment-21290311...
3) Pulseaudio now uses shared memory and playing audio inside a firejail will break the pulseaudio server: https://github.com/netblue30/firejail/issues/69#issuecomment...
Seeing as my main use for my current 14.04 install is LXC containers, I think I will hold off a little then.
Thanks for the warning :)
After all the issues I had with Intel/AMD/NVIDIA switching GPUs in the Ivy Bridge days I just gave up buying NVIDIA and AMD, and boy has it made Linux easier.
but it seems even Ubuntu's servers are not speedy today (Atlas servers are also slow)
(Update) it seems I'm getting an error with it :/
The guest machine entered an invalid state while waiting for it
to boot. Valid states are 'starting, running'. The machine is in the
'gurumeditation' state. Please verify everything is configured
properly and try again.
If the provider you're using has a GUI that comes with it,
it is often helpful to open that and watch the machine, since the
GUI often has more helpful error messages than Vagrant can retrieve.
For example, if you're using VirtualBox, run `vagrant up` while the
VirtualBox GUI is open.
The primary issue for this error is that the provider you're using
is not properly configured. This is very rarely a Vagrant issue.
I'm running 16.04 with the Vagrant/Virtualbox image from atlas. I've tried getting it to work in the google cloud but had no luck there so far (it's possibly just the ssh key injection that failed, haven't had time to investigate).
I think this is just an issue if you are doing 3D graphics work or gaming.
edit: Also, you can get Vulkan with the new drivers.
http://releases.ubuntu.com/16.04/
For some reason these are not linked yet from the 'Downloads' page at ubuntu.com.
https://paste.sh/zaodLcyn#uLrtH-WS00hxtIJTYVEgE9zS #horrible hn text editor
So 4k resolution support is becoming recognized here?
Most applications seem to work out of the box. The ones that have given me the most problems are a handful of desktop apps implemented in an embedded browser (like Spotify) where I have to set an extra command flag to properly scale.
A few weeks ago I had to dig up an old 12.04 machine and bring it back to the modern age. Much to my surprise, I was able to upgrade it all the way to 15.10 with minimal hassle. While the normal apt repos were dead for 12.04, Canonical keeps around an archived mirror. So you just edit the sources file to point at the archive, and then you can upgrade from there. Impressive.
Not that Canonical/Ubuntu don't have their warts. The Amazon fiasco, Unity, their cloud services, etc. And at the end of the day it's still Linux, with all the problems that brings. But, all things considered, I rate Ubuntu as the best of the bunch and feel grateful for the gift they give to the community.
If in doubt, boot from a live-cd/usb and see if you can mount your drives ok.
[1] https://lists.fedoraproject.org/pipermail/kde/2015-October/0...
[0]: https://insights.ubuntu.com/2015/08/17/ibm-and-canonical-pla...
[1]: https://help.ubuntu.com/16.04/installation-guide/s390x/
Always worth a read before you fire up the installer...
Cephfs v10.2.0 Jewel: "This major release of Ceph will be the foundation for the next long-term stable release. (...) This is the first release in which CephFS is declared stable and production ready!"
* https://news.ycombinator.com/item?id=11326457