Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-22 10:30
[$] Sleepable BPF programs
When support for classic BPF was added to the kernel many years ago, there was no question of whether BPF programs could block in their execution. Their functionality was limited to examining a packet's contents and deciding whether the packet should be forwarded or not; there was nothing such a program could do to block. Since then, BPF has changed a lot, but the assumption that BPF programs cannot sleep has been built deeply into the BPF machinery. More recently, classic BPF has been pushed aside by the extended BPF dialect; the wider applicability of extended BPF is now forcing a rethink of some basic assumptions.
Security updates for Tuesday
Security updates have been issued by Debian (php7.3), Fedora (gst), Mageia (libvirt, mariadb, pdns-recursor, and ruby), openSUSE (chocolate-doom, coturn, kernel, live555, ntp, python3, and rust, rust-cbindgen), Oracle (virt:ol), Red Hat (file, firefox, gettext, kdelibs, kernel, kernel-alt, microcode_ctl, nghttp2, nodejs:10, nodejs:12, php, qemu-kvm, ruby, and tomcat), SUSE (libjpeg-turbo, mozilla-nspr, mozilla-nss, mozilla-nss, nasm, openldap2, and permissions), and Ubuntu (coturn, glibc, nss, and openexr).
[$] Home Assistant improves performance in 0.112 release
The Home Assistant project has released version 0.112 of the open-source home automation hub we have previously covered, which is the eighth release of the project this year. While previous releases have largely focused on new integrations and enhancements to the front-end interface, in this release the focus has shifted more toward improving the performance of the database. It is important to be aware that there are significant database changes and multiple potential backward compatibility breaks to understand before attempting an upgrade to take advantage of the improvements.
Security updates for Monday
Security updates have been issued by Debian (chromium, php7.0, and thunderbird), Fedora (ceph, gssdp, gupnp, libfilezilla, libldb, mediawiki, python-pillow, python36, samba, and xpdf), Mageia (curl, docker, firefox, libexif, libupnp, libvncserver, libxml2, mailman, ntp, perl-YAML, python-httplib2, tcpreplay, tomcat, and vlc), openSUSE (chocolate-doom, python3, and Virtualbox), Slackware (libvorbis), and SUSE (mozilla-nspr, mozilla-nss, systemd, tomcat, and zstd).
Kernel prepatch 5.8-rc4
The 5.8-rc4 kernel prepatch is out for testing. "The end result is that it's been fairly calm, and there's certainly been discussion of upcoming fixes, but I still have the feeling that 5.8 is looking fairly normal and things are developing smoothly despite the size of this release."
Book: Perl 7: A Risk-Benefit Analysis
Dan Book has done a detailed analysis of the Perl 7 transition. "Large amount of CPAN modules will not work in Perl 7; plans for working around this would either involve every affected CPAN author, which is a virtual impossibility for the stated 1 year time frame; or the toolchain group, a loose group of people who each maintain various modules and systems that are necessary for CPAN to function, who either have not been consulted as of yet or have not revealed their plans related to the tools they maintain. Going into this potential problem sufficiently would be longer than this blog post, but suffice to say that a Perl where highly used CPAN modules don't seamlessly work is not Perl."
Security updates for Friday
Security updates have been issued by Debian (docker.io and imagemagick), Fedora (alpine, firefox, hostapd, and mutt), openSUSE (opera), Red Hat (rh-nginx116-nginx), SUSE (ntp, python3, and systemd), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-riscv, linux, linux-azure, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-gke-5.0, linux-oem-osp1, net-snmp, and samba).
[$] Netflix releases open-source crisis-management tool
Earlier this year, Netflix developed and released a new Apache-licensed project named Dispatch. It is designed to coordinate the response to and the resolution of security-related incidents, but the project aims for more than just that. Rather, it hopes to be valuable for any type of one-off incident that needs coordination across an organization, such as a service outage.
LPC town hall #2: the kernel report
The Linux Plumbers Conference has announced the second in a brief series of "town hall" events leading up to the full (virtual) conference starting August 24. This one features LWN editor Jonathan Corbet presenting a version of his "Kernel Report" talk covering the current and future state of the kernel-development community. This talk is scheduled for July 16 at 9:00AM US/Mountain time (8:00AM US/Pacific, 3:00PM UTC). Mark your calendars.
[$] Btrfs at Facebook
The Btrfs filesystem has had a long and sometimes turbulent history; LWN first wrote about it in 2007. It offers features not found in any other mainline Linux filesystem, but reliability and performance problems have prevented its widespread adoption. There is at least one company that is using Btrfs on a massive scale, though: Facebook. At the 2020 Open Source Summit North America virtual event, Btrfs developer Josef Bacik described why and how Facebook has invested deeply in Btrfs and where the remaining challenges are.
OpenSUSE Leap 15.2 released
The openSUSE Leap 15.2 release is now available; see the announcement for a long list of new features. "In general, software packages in the distribution grew by the hundreds. Data fusion, Machine Learning and AI aren't all that is new in openSUSE Leap 15.2; a Real-Time Kernel for managing the timing of microprocessors to ensure time-critical events are processed as efficiently as possible is available in this release."
Security updates for Thursday
Security updates have been issued by Debian (chromium and firefox-esr), Fedora (chromium and ntp), SUSE (ntp and unbound), and Ubuntu (libvncserver).
[$] LWN.net Weekly Edition for July 2, 2020
The LWN.net Weekly Edition for July 2, 2020 is available.
[$] The (non-)return of the Python print statement
In what may have seemed like an April Fool's Day joke to some, Python creator Guido van Rossum recently floated the idea of bringing back the print statement—several months after Python 2, which had such a statement, reached its end of life. In fact, Van Rossum acknowledged that readers of his message to the python-ideas mailing list might be checking the date: "No, it's not April 1st." He was serious about the idea—at least if others were interested in having the feature—but he withdrew it fairly quickly when it became clear that there were few takers. The main reason he brought it up is interesting, though: the new parser for CPython makes it easy to bring back print from Python 2 (and before).
A set of stable kernels
Stable kernels 5.7.7, 5.4.50, 4.19.131, 4.14.187, 4.9.229, and 4.4.229 have been released. They all contain important fixes and users should upgrade.
[$] Generics for Go
The Go programming language was first released in 2009, with its 1.0 release made in March 2012. Even before the 1.0 release, some developers criticized the language as being too simplistic, partly due to its lack of user-defined generic types and functions parameterized by type. Despite this omission, Go is widely used, with an estimated 1-2 million developers worldwide. Over the years there have been several proposals to add some form of generics to the language, but the recent proposal written by core developers Ian Lance Taylor and Robert Griesemer looks likely to be included in a future version of Go.
Security updates for Wednesday
Security updates have been issued by Arch Linux (bind, chromium, freerdp, imagemagick, sqlite, and tomcat8), Debian (coturn, imagemagick, jackson-databind, libmatio, mutt, nss, and wordpress), Fedora (libEMF, lynis, and php-PHPMailer), Red Hat (httpd24-nghttp2), and SUSE (ntp, openconnect, squid, and transfig).
Firefox 78
Firefox 78.0 has been released. This is an Extended Support Release (ESR). The Protections Dashboard has new features to track the number of breaches that were resolved from the dashboard and to see if any of your saved passwords may have been exposed in a breach. More details about this and other new features can be found in the release notes.
[$] First PHP 8 alpha released
The PHP project has released the first alpha of PHP 8, which is slated for general availability in November 2020. This initial test release includes many new features such as just-in-time (JIT) compilation, new constructs like Attributes, and more. One of twelve planned releases before the general availability release, it represents a feature set that is still subject to change.
Security updates for Tuesday
Security updates have been issued by Debian (coturn, drupal7, libvncserver, mailman, php5, and qemu), openSUSE (curl, graphviz, mutt, squid, tomcat, and unbound), Red Hat (chromium-browser, file, kernel, microcode_ctl, ruby, and virt:rhel), Slackware (firefox), and SUSE (mariadb-100, mutt, unzip, and xmlgraphics-batik).
Linux Mint 20
Linux Mint 20 "Ulyana" has been released in Cinnamon, MATE, and Xfce editions. Linux Mint 20 is based on Ubuntu 20.04 and will be supported until 2025. Release notes are available for Cinnamon, MATE, and Xfce.
[$] Stirring things up for Fedora 33
The next release of the Fedora distribution — Fedora 33 — is currently scheduled for the end of October. Fedora's nature as a fast-moving distribution ensures that each release will contain a number of attention-getting changes, but Fedora 33 is starting to look like it may be a bit more volatile than its immediate predecessors. Several relatively controversial changes are currently under discussion on the project's mailing lists; read on for a summary.
OpenSUSE Leap 15.2 set for release
OpenSUSE Leap 15.2 is complete and ready for a planned release on July 2. Leap is the version based on SUSE Linux Enterprise, but with many updated packages; see the 15.2 features page for an overview of what's coming. "Leap 15.2 is filled with several containerization technologies like Singularity, which bring containers and reproducibility to scientific computing and the high-performance computing (HPC) world. Singularity first appeared in the Leap distribution in Leap 42.3 and provides functionality to build smallest minimal containers and runs the containers as single application environments. Another official package in Leap 15.2 is libcontainers-common, which allows the configuration of files and manpages shared by tools that are based on the github.com/containers libraries, such as Buildah, CRI-O, Podman and Skopeo. Docker containers and tooling make building and shipping applications easy and fast."
[$] Four years of Zephyr
The Zephyr project is an effort to provide an open-source realtime operating system (RTOS) that is designed to bridge the gap between full-featured operating systems like Linux and bare-metal development environments. It's been over four years since Zephyr was publicly announced and discussed here (apparently to a bit of puzzlement). In this article, guest authors Martí Bolívar and Carles Cufí give an update on the project and its community as of its v2.3.0 release in June 2020; they also make some guesses about its near future.
GnuCash 4.0 Released
Version 4.0 of the GnuCash finance manager is out. Significant changes include a command-line tool for performing a number of functions outside of the graphical interface, explicit support for accounts payable and accounts receivable, translation improvements, and more.
Security updates for Monday
Security updates have been issued by Debian (libtasn1-6, libtirpc, mcabber, picocom, pngquant, trafficserver, and zziplib), Fedora (curl and xen), openSUSE (bluez, ceph, chromium, curl, grafana, grafana-piechart-panel, graphviz, mariadb, and mercurial), Oracle (nghttp2), Red Hat (microcode_ctl), SUSE (mutt, python3-requests, and tomcat), and Ubuntu (glib-networking and mailman).
Kernel prepatch 5.8-rc3
The third 5.8 kernel prepatch is out for testing. "Well, we had a big merge window, and we have a fairly big rc3 here too. The calm period for rc2 is clearly over. That said, I don't think there's anything _particularly_ scary in here, and the size of this rc is probably simply a direct result of the fact that 5.8 is a big release."
Using syzkaller, part 4: Driver fuzzing
Ricardo Cañuelo Navarro describes the challenges associated with fuzzing complex device drivers with Syzkaller — and some solutions. "V4L2, however, is only supported in the sense that the involved system calls (including the myriad V4L2 ioctls) and data structures are described. This is already useful and, equipped with those descriptions, Syzkaller has been able to find many V4L2 bugs. But the fuzzing process contains a lot of randomness and, while that's a good thing in many cases when it comes to fuzzing, due to the complexity of the V4L2 API, simply randomizing the system calls and its inputs may not be enough to reach most of the code in some drivers, especially in drivers with complicated interfaces such as those based on the Request API, including stateless drivers."
[$] Managing tasks with todo.txt and Taskwarrior
One quote from Douglas Adams has always stayed with me: "I love deadlines. I like the whooshing sound they make as they fly by". We all lead busy lives and few ever see the bottom of our long to-do lists. One of the oldest items on my list, ironically, is to find a better system to manage all my tasks. Can task-management systems make us more productive while, at the same time, reducing the stress caused by the sheer number of outstanding tasks? This article, from guest author Martin Michlmayr, looks at todo.txt and Taskwarrior.
Security updates for Friday
Security updates have been issued by Debian (alpine), Fedora (fwupd, microcode_ctl, mingw-libjpeg-turbo, mingw-sane-backends, suricata, and thunderbird), openSUSE (uftpd), Red Hat (nghttp2), SUSE (ceph, curl, mutt, squid, tigervnc, and unbound), and Ubuntu (linux kernel and nvidia-graphics-drivers-390, nvidia-graphics-drivers-440).
Four new stable kernels
Greg Kroah-Hartman has announced the release of the 5.7.6, 5.4.49, 4.19.130, and 4.14.186 stable kernels. These all contain a rather large number of fixes all over the kernel tree; users of those series should upgrade.
[$] Emulating Windows system calls in Linux
The idea of handling system calls differently depending on the origin of each call in the process's address space is not entirely new. OpenBSD, for example, disallows system calls entirely if they are not made from the system's C library as a security-enhancing mechanism. At the end of May, Gabriel Krisman Bertazi proposed a similar mechanism for Linux, but the objective was not security at all; instead, he is working to make Windows games run better under Wine. That involves detecting and emulating Windows system calls; this can be done through origin-based filtering, but that may not be the solution that is merged in the end.
Security updates for Thursday
Security updates have been issued by Fedora (libexif, php-horde-horde, and tcpreplay), openSUSE (rubygem-bundler), Oracle (docker-cli docker-engine, kernel, and ntp), Slackware (curl and libjpeg), and Ubuntu (mutt).
[$] LWN.net Weekly Edition for June 25, 2020
The LWN.net Weekly Edition for June 25, 2020 is available.
[$] More alternatives to Google Analytics
Last week, we introduced the privacy concerns with using Google Analytics (GA) and presented two lightweight open-source options: GoatCounter and Plausible. Those tools are useful for site owners who need relatively basic metrics. In this second article, we present several heavier-weight GA replacements for those who need more detailed analytics. We also look at some tools that produce analytics data based on web-server-access logs, GoAccess, in particular.
[$] Open-source contact tracing, part 1
One of the responses to the COVID-19 pandemic consists of identifying contacts of infected people so they can be informed about the risk; that will allow them to search for medical care, if needed. This is laborious work if it is done manually, so a number of applications have been developed to help with contact tracing. But they are causing debates about their effectiveness and privacy impacts. Many of the applications were released under open-source licenses. Here, we look at the principles of these applications and the software frameworks used to build them; part two will look into some applications in more detail, along with the controversies (especially related to privacy) around these tools.
Perl 7 launches
The Perl project has announced the upcoming release of Perl 7. Unlike Perl 6, though, this is not a radical departure, yet at least: "Perl 7.0 is going to be v5.32 but with different, saner, more modern defaults. You won’t have to enable most of the things you are already doing because they are enabled for you. The major version jump sets the boundary between how we have been doing things and what we can do in the future." The plan is to have a Perl 7 release "within the next year".
Security updates for Wednesday
Security updates have been issued by CentOS (kernel, ntp, and unbound), Fedora (php-horde-horde and tcpreplay), openSUSE (chromium, java-1_8_0-openj9, mozilla-nspr, mozilla-nss, and opera), Oracle (gnutls, grafana, thunderbird, and unbound), Red Hat (candlepin and satellite, docker, microcode_ctl, openstack-keystone, openstack-manila and openstack-manila, and qemu-kvm-rhev), Scientific Linux (kernel and ntp), Slackware (ntp), SUSE (curl, libreoffice, libssh2_org, and php5), and Ubuntu (curl).
[$] PHP releases and support
PHP is used extensively on the web. How new features, security fixes, and bug fixes make their way into a release is important to understand. Likewise, understanding what can be expected in community support for previous releases is even more important. Since PHP-based sites are typically exposed to the Internet, keeping up-to-date is not something a security-minded administrator can afford to ignore.
FOSS Contributor Survey
The Linux Foundation's Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH) have developed a survey for contributors to free and open-source software (FOSS) projects. The aim is "to identify how to improve security, including the sustainability of the FOSS ecosystem, especially the FOSS systems heavily relied upon by organizations worldwide."
Security updates for Tuesday
Security updates have been issued by CentOS (thunderbird), Debian (wordpress), Fedora (ca-certificates, kernel, libexif, and tomcat), openSUSE (chromium, containerd, docker, docker-runc, golang-github-docker-libnetwork, fwupd, osc, perl, php7, and xmlgraphics-batik), Oracle (unbound), Red Hat (containernetworking-plugins, dpdk, grafana, kernel, kernel-rt, kpatch-patch, libexif, microcode_ctl, ntp, pcs, and skopeo), Scientific Linux (unbound), SUSE (kernel, mariadb, mercurial, and xawtv), and Ubuntu (mutt and nfs-utils).
Stable kernel updates
Stable kernels 5.7.5, 5.4.48, 4.19.129, 4.14.185, 4.9.228, and 4.4.228 have been released. They all contain important fixes and users should upgrade.
Security updates for Monday
Security updates have been issued by Debian (lynis, mutt, neomutt, ngircd, and rails), Mageia (gnutls), Oracle (thunderbird), Red Hat (chromium-browser, gnutls, grafana, thunderbird, and unbound), Scientific Linux (thunderbird and unbound), and SUSE (bind, java-1_8_0-openjdk, kernel, libgxps, and osc).
Kernel prepatch 5.8-rc2
The second 5.8 kernel prepatch is out for testing. "So rc2 isn't particularly big or scary, and falls right in the normal range".
Linux Plumbers Conference virtual town hall
Mark your calendars: the Linux Plumbers Conference has scheduled an online town hall for June 25 at 15:00 GMT. "The first purpose is to test our remote conference set up. This is the first time we are holding Linux Plumbers virtually and while we can run simulated tests, it’s much more effective to test our setup with actual participants with differing hardware set ups around the world. The second purpose is to present on our planning and give everyone a little bit of an idea of what to expect when we hold Plumbers at the end of August. We plan to have time for questions." Testing the scalability of the conference system requires a lot of participants; the LPC organizers would appreciate it if a lot of people can find a moment to connect and help out.
[$] Updating the Git protocol for SHA-256
The Git source-code management system has for years been moving toward abandoning the Secure Hash Algorithm 1 (SHA-1) in favor of the more secure SHA-256 algorithm. Recently, the project moved a step closer to that goal with contributors implementing new Git protocol capabilities to enable the transition.
Security updates for Friday
Security updates have been issued by Debian (drupal7), Fedora (dbus, kernel, microcode_ctl, mingw-glib-networking, moby-engine, and roundcubemail), Mageia (libjpeg), openSUSE (chromium and rmt-server), Oracle (kernel and microcode_ctl), Red Hat (rh-nodejs8-nodejs and thunderbird), Slackware (bind), and SUSE (adns, containerd, docker, docker-runc, golang-github-docker-libnetwork, dbus-1, fwupd, gegl, gnuplot, guile, java-1_7_1-ibm, java-1_8_0-ibm, kernel, mozilla-nspr, mozilla-nss, perl, and php7).
[$] Rethinking the futex API
The Linux futex() system call is a bit of a strange beast. It is widely used to provide low-level synchronization support in user space, but there is no wrapper for it in the GNU C Library. Its implementation was meant to be simple, but kernel developers have despaired at the complex beast that it has become, and few dare to venture into that code. Recently, though, a new effort has begun to rework futexes; it is limited to a new system-call interface for now, but the plans go far beyond that.
Stable kernel 5.7.4
The 5.7.4 stable kernel has been released. It contains a single fix for a problem introduced in the rework of the VDSO clock code that affects paravirtualized guests. Users should upgrade.
[$] Simple IoT Devices using ESPHome
ESPHome is a project that brings together two recent subjects at LWN: The open-source smart hub Home Assistant, and the Espressif ESP8266 microcontroller. With this project, smart home devices can be created and integrated quickly — without needing to write a single line of code.