Firefox 75.0 has been released. New features include improvements to the address bar that make search easier, local caching of all trusted Web PKI Certificate Authority certificates known to Mozilla, and availability of Firefox as a Flatpak. See the release notes for more details.
Security updates have been issued by Fedora (kernel, kernel-headers, and kernel-tools), openSUSE (glibc and qemu), Red Hat (chromium-browser, container-tools:1.0, container-tools:rhel8, firefox, ipmitool, kernel, kernel-rt, krb5-appl, ksh, nodejs:10, nss-softokn, python, qemu-kvm, qemu-kvm-ma, telnet, and virt:rhel), Scientific Linux (ipmitool and telnet), SUSE (ceph and firefox), and Ubuntu (haproxy, linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2, linux-raspi2-5.3, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, and linux, linux-hwe).
Some applications require guaranteed access to the CPU without even brief interruptions; realtime systems and high-bandwidth networking applications with user-space drivers can fall into the category. While Linux provides some support for CPU isolation (moving everything but the critical task off of one or more CPUs) now, it is an imperfect solution that is still subject to some interruptions. Work has been continuing in the community to improve the kernel's CPU-isolation capabilities, notably with improvements in the nohz (tickless) mode, but it is not finished yet. Recently, Alex Belits submitted a patch set (based on work by Chris Metcalf in 2015) that introduces a completely predictable environment for Linux applications — as long as they do not need any kernel services.
Security updates have been issued by Debian (firefox-esr, gnutls28, and libmtp), Fedora (cyrus-sasl, firefox, glibc, squid, and telnet), Gentoo (firefox), Mageia (dcraw, firefox, kernel, kernel-linus, librsvg, and python-nltk), openSUSE (firefox, haproxy, icu, and spamassassin), Red Hat (nodejs:10, openstack-manila, python-django, python-XStatic-jQuery, and telnet), Slackware (firefox), SUSE (bluez, exiv2, and libxslt), and Ubuntu (firefox).
Firefox 74.0.1 has been released with two security fixes. CVE-2020-6819 is a use-after-free when running the nsDocShell destructor and CVE-2020-6820 is a use-after-free when handling a ReadableStream. In both cases there have been targeted attacks in the wild abusing these flaws. These issues have also been fixed in Firefox ESR 68.6.1.
As of this writing, 7,233 non-merge changesets have been pulled into the mainline repository for the 5.7 kernel development cycle — over the course of about three days. If current world conditions are slowing down kernel development, it would seem that the results are not yet apparent at this level. As usual, these changesets bring no end of fixes, improvements, and new features; read on for a summary of what the first part of the 5.7 merge window has brought in.
Security updates have been issued by Debian (mediawiki and qbittorrent), Gentoo (gnutls), Mageia (bluez, kernel, python-yaml, varnish, and weechat), Oracle (haproxy and nodejs:12), SUSE (exiv2, haproxy, libpng12, mgetty, and python3), and Ubuntu (libgd2).
The kernel provides a number of CPU-frequency governors to choose from; by most accounts, the most effective of those is "schedutil", which was merged for the 4.7 kernel in 2016. While schedutil is used on mobile devices, it still doesn't see much use on x86 desktops; the intel_pstate governor is generally seen giving better results on those processors as a result of the secret knowledge embodied therein. A set of patches merged for 5.7, though, gives schedutil a better idea of what the true utilization of x86 processors is and, as a result, greatly improves its effectiveness.
Security updates have been issued by Arch Linux (chromium, kernel, linux-hardened, linux-lts, and pam-krb5), Debian (haproxy, libplist, and python-bleach), Fedora (tomcat), Gentoo (ghostscript-gpl, haproxy, ledger, qtwebengine, and virtualbox), Red Hat (haproxy, nodejs:12, qemu-kvm-rhev, and rh-haproxy18-haproxy), SUSE (memcached and qemu), and Ubuntu (apport).
LineageOS 17.1 is out. This release of the Android-based distribution once known as CyanogenMod includes a rebase onto the Android 10 release of the Android Open Source Project, improved theme support, support for on-screen fingerprint sensors, the ability to use biometric sensors to control access to apps, and more. "On the whole, we feel that the 17.1 branch has reached feature and stability parity with 16.0 and is ready for initial release. With 17.1 being the most recent and most actively developed branch, on April 1st, 2020 it will begin receiving nightly builds and 16.0 will be moved to weekly builds."
Python string objects are immutable, so changing the value of a string requires that a new string object be created with the new value. That is fairly well-understood within the community, but there are some "anti-patterns" that arise; it is pretty common for new users to build up a longer string by repeatedly concatenating to the end of the "same" string. The performance penalty for doing that could be avoided by switching to a type that is geared toward incremental updates, but Python 3 has already optimized the penalty away for regular strings. A recent thread on the python-ideas mailing list explored this topic some.
The LXD system container and virtual manager, LXC container runtime, and LXCFS FUSE filesystem projects have released version 4.0 LTS. LTS versions of these intertwined projects are released every 2 years and receive 5 years of security and bugfix support.
The annual Debian project leader (DPL) election is well underway at this point; voting begins in early April and the outcome will be known after the polls close on April 18. Outgoing DPL Sam Hartman posted a lengthy "non-platform" in the run-up to the election, which detailed the highs and lows of his term, perhaps providing something of a roadmap, complete with pitfalls, for potential candidates—Hartman is not running again this time. When the nomination period completed, three people put their hats into the ring: Jonathan Carter, Sruthi Chandran, and Brian Gupta. Their platforms have been posted and there have been several threads on the debian-vote mailing list with questions for the candidates; it seems like a good time to look in on the race.
Ars Technica reports on the recently disclosed OpenWrt package verification vulnerability. The headline may be a bit overwrought, though. "These code-execution exploits are limited in their scope because adversaries must either be in a position to conduct a man-in-the-middle attack or tamper with the DNS server that a device uses to find the update on the Internet. That means routers on a network that has no malicious users and using a legitimate DNS server are safe from attack." It also assumes that people actually update their routers, which seems unlikely in most cases in the real world.
The Free Software Foundation is focusing on the shortage of medical equipment and using 3D printers to make more. "That's why we're looking into what we can make with our in-office Respects Your Freedom (RYF)-certified 3D printers, and we're talking to the brand new Mass General Brigham Center for COVID Innovation so they can direct our efforts. We're also gathering resources for our "HACKERS and HOSPITALS" plan at the LibrePlanet wiki page, and if you have expertise, 3D printers, or supplies to contribute, please contact Michael via sysadmin@fsf.org. If you do not have the means to produce medical gear and you still want to help, research can be done from anywhere with only a computer and an Internet connection. Add any projects that are freely licensed working towards helping with COVID-19 to the wiki!"
The Mozilla Open Source Support Program (MOSS) has launched a COVID-19 Solutions Fund, which will provide awards of up to $50,000 each to open source technology projects which are responding to the COVID-19 pandemic in some way. "As part of the COVID-19 Solutions Fund, we will accept applications that are hardware (e.g., an open source ventilator), software (e.g., a platform that connects hospitals with people who have 3D printers who can print parts for that open source ventilator), as well as software that solves for secondary effects of COVID-19 (e.g., a browser plugin that combats COVID related misinformation)."
Security updates have been issued by Debian (tinyproxy), Fedora (okular), Gentoo (ffmpeg, libxls, and qemu), openSUSE (GraphicsMagick), Red Hat (qemu-kvm-rhev), SUSE (cloud-init and spamassassin), and Ubuntu (bluez, libpam-krb5, linux, linux-aws, linux-azure, linux-azure-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2, linux-raspi2-5.3, and Timeshift).
OpenBSD developer Ted Unangst looks for lessons in a set of recent vulnerabilities in that system. "Even OpenBSD is subject to compromise for the sake of practicality, which is how some legacy designs stick around. So the lesson perhaps is to really stick with the principles that work, and not just when convenient. But not always an easy choice to make."
When the 5.6 kernel was released on March 29, 12,665 non-merge changesets had been accepted from 1,712 developers, making this a fairly typical development cycle in a number of ways. As per longstanding LWN tradition, what follows is a look at where those changesets came from and who supported the work that created them. This may have been an ordinary cycle, but there are still a couple of differences worth noting.
Back in February, LWN reported on the process of gathering requirements for a Git forge system. That process then went relatively quiet until March 28, when the posting of a "CPE Weekly" news summary included, under "other updates", a note that the decision has been made. It appears that the project will be pushed toward a not-fully-free version of the GitLab offering. It is fair to say that this decision — or how it was presented — was not met with universal acclaim in the Fedora community; see this response from Neal Gompa for more.
The Debian community has announced a one-week, online "biohackathon" as a focused effort to improve the available free biomedical tools. "Most tasks do not require any knowledge of biology or medicine, and all types of contributions are welcome: bug triage, testing, documentation, CI, translations, packaging, and code contributions."
Security updates have been issued by Debian (php-horde-form and tika), Fedora (dcraw and libmodsecurity), Gentoo (libidn2 and screen), openSUSE (cloud-init, cni, cni-plugins, conmon, fuse-overlayfs, podman, opera, phpMyAdmin, python-mysql-connector-python, ruby2.5, strongswan, and tor), Oracle (ipmitool), Scientific Linux (ipmitool), SUSE (spamassassin and tomcat), and Ubuntu (twisted and webkit2gtk).
Linus has released the 5.6 kernel. Some of the headline features in this release include Arm EOPD support, time namespaces, the BPF dispatcher and batched BPF map operations (both described in this article), the openat2() system call, the WireGuard virtual private network implementation, the flow queue PIE packet scheduler, nearly complete year-2038 support, many new io_uring features, the pidfd_getfd() system call, the ZoneFS filesystem, the ability to implement TCP congestion-control algorithms in BPF, the dma-buf heaps subsystem, and the removal of the /dev/random blocking pool. See the LWN merge-window summaries (part 1 and part 2) and the (under construction) KernelNewbies 5.6 page for more details.
In recent years, the kernel has (finally) upped its game when it comes to hardening. It is rather harder to compromise a running kernel than it used to be. But "rather harder" is relative: attackers still manage to find ways to exploit kernel bugs. One piece of information that can be helpful to attackers is the location of the kernel stack; this patch set from Kees Cook and Elena Reshetova may soon make that information harder to come by and nearly useless in any case.
Security updates have been issued by Debian (bluez and php5), Fedora (chromium, kernel, and PyYAML), Gentoo (adobe-flash, libvpx, php, qtcore, and unzip), openSUSE (chromium, kernel, and mcpp), Oracle (ipmitool and libvncserver), Red Hat (ipmitool and rh-postgresql10-postgresql), Slackware (kernel), and SUSE (ldns and tomcat6).
David Malcolm writes about the static-analysis features that he is working on adding to the GCC compiler. "This issue is, of course, a huge problem to tackle. For this release, I’ve focused on the kinds of problems seen in C code—and, in particular double-free bugs—but with a view toward creating a framework that we can expand on in subsequent releases (when we can add more checks and support languages other than C)."
January 2018 was a sad time in the kernel community. The Meltdown and Spectre vulnerabilities had finally been disclosed, and the required workarounds hurt kernel performance in a number of ways. One of those workarounds — retpolines — continues to cause pain, with developers going out of their way to avoid indirect calls, since they must now be implemented with retpolines. In some cases, though, there may be a way to avoid retpolines and regain much of the lost performance; after a long gestation period, the "static calls" mechanism may finally be nearing the point where it can be merged upstream.
The KDE.News site is carrying an announcement for the Plasma Bigscreen environment, which is meant for large-screen televisions. "Talking of interacting from the couch, voice control provides users with the ultimate comfort when it comes to TV viewing. But most big brands not only do not safeguard the privacy of their customers, but actively harvest their conversations even when they are not sending instructions to their TV sets. We use Mycroft's Open Source voice assistant to solve this problem."
Security updates have been issued by CentOS (firefox, icu, kernel-rt, libvncserver, python-imaging, python-pip, python-virtualenv, thunderbird, tomcat, tomcat6, and zsh), Debian (icu and okular), Fedora (libxslt and php), Gentoo (bluez, chromium, pure-ftpd, samba, tor, weechat, xen, and zsh), Oracle (libvncserver), Red Hat (ipmitool and zsh), and SUSE (python-cffi, python-cryptography and python-cffi, python-cryptography, python-xattr).
The effects of the Coronavirus disease 2019 (COVID-19) pandemic are horrific and far-reaching; we really do not yet know just how bad it will get. One far less serious area that has been affected is conferences for and about free and open-source software (FOSS). On the grand scale, these problems are pretty low on the priority list. There are a fair number of non-profit organizations behind the gatherings, however, that have spent considerable sums setting up now-canceled events or depend on the conferences for a big chunk of their budget—or both. A new organization, FOSS Responders, has formed to try to help out.
O'Reilly has announced that it is canceling all of its upcoming in-person conferences and shutting down its conference group permanently. "Without understanding when this global health emergency may come to an end, we can’t plan for or execute on a business that will be forever changed as a result of this crisis. With large technology vendors moving their events completely on-line, we believe the stage is set for a new normal moving forward when it comes to in-person events." There is still no notice to this effect on the OSCON page, but one assumes that is coming.
The Django web framework has come a long way since it was first released as open source in 2005. It started with a benevolent dictator for life (BDFL) governance model, like the language it is implemented in, Python, but switched to a different model in 2014. When Python switched away from the BDFL model in 2018, it followed Django's lead to some extent. But now Django is changing yet again, moving from governance based around a "core team" to one that is more inclusive and better reflects the way the project is operating now.
Security updates have been issued by Debian (e2fsprogs, ruby2.1, and weechat), Fedora (java-1.8.0-openjdk and webkit2gtk3), openSUSE (apache2-mod_auth_openidc, glibc, mcpp, nghttp2, and skopeo), Oracle (libvncserver and thunderbird), and SUSE (keepalived).
The Cloudflare blog has an article on the company's work to improve the performance of Linux disk encryption. "As we can see the default Linux disk encryption implementation has a significant impact on our cache latency in worst case scenarios, whereas the patched implementation is indistinguishable from not using encryption at all. In other words the improved encryption implementation does not have any impact at all on our cache response speed, so we basically get it for free!" Patches are available, but they are apparently not in any form to go upstream.
Version 10.0.0 of the LLVM compiler suite is out. New features include support for C++ concepts, Windows control flow guard support, and much more; click below for pointers to a set of language-specific release notes.
The Python Software Foundation blog looks at some changes to pip, the Python Package installer, in the process of developing a new resolver. The new resolver will reduce inconsistency and be stricter, refusing to install two packages with incompatible requirements. "Also, this is a major change to a key part of pip - it's quite possible there will initially be bugs. We would like to make sure that those get caught before people start using the new version in production. [...] We recognize that everyone's work is being disrupted by the COVID-19 pandemic, and that many data scientists and medical researchers use Python and pip in their work. We want to make the upgrade process as smooth and bug-free as possible for our users; if you can help us, you'll be helping each other."
Security updates have been issued by Debian (tomcat8), Fedora (chromium and okular), openSUSE (texlive-filesystem), Oracle (tomcat6), Scientific Linux (libvncserver, thunderbird, and tomcat6), Slackware (gd), SUSE (cloud-init, postgresql10, python36, and strongswan), and Ubuntu (ibus and vim).
Spring is coming to the northern hemisphere, and one's thoughts naturally turn to ... being locked up inside the house and not allowed to go anywhere. That has, in turn, led to an increasing interest in alternative mechanisms for keeping up with family and coworkers, especially video conferencing. There are a number of proprietary video-conferencing services out there; your editor decided to look into what solutions exist in the free-software realm. It turns out that there are a few; the first to be looked at is Jitsi.
Google Open Source has announced the 2020 edition of Season of Docs, a program to connect open source projects with technical writers to improve documentation. Open source organizations may apply from April 14-May 4. Once mentoring organizations and technical writers are connected, there will be a month long community bonding period, beginning August 11. Writers will then work with mentors to complete documentation projects by the December 6 deadline.
For those stuck at home looking for something to do, version 31 of the MythTV DVR and home media center hub has been released. Features include significant changes to video decoding and playback, improved channel scanning, and Python 3 support. See the release notes for more information.
Parrot OS is a security and privacy focused distribution, with tools for cyber security operations. Parrot 4.8 follows Debian testing and has many updates from the Debian repositories. Parrot Docker containers allow you to use Parrot tools on docker-supported operating systems. Since the previous release last September the Parrot team has put some effort into reorganizing its internal structure, from the operations and workflow of developers, up to the infrastructure. "After such a huge work, we have finally moved to the new workflow, and Parrot 4.8 is the proof of how hard we wanted such changes to take place in the project and how smooth development and cooperation became after achieving this goal."
Security updates have been issued by Debian (amd64-microcode, chromium, graphicsmagick, jackson-databind, phpmyadmin, python-bleach, and tor), Gentoo (exim and nodejs), openSUSE (chromium and thunderbird), Oracle (tomcat), Red Hat (devtoolset-8-gcc, libvncserver, runc, samba, thunderbird, and tomcat6), and SUSE (ruby2.5).
Version 2.26.0 of the Git source-code management system is out. Significant changes include a reimplementation of the "rebase" mechanism, improvements to sparse checkouts, performance improvements, and more. See this GitHub blog entry for more information.