Feed lwn LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-24 11:15
Security updates for Wednesday
Security updates have been issued by Debian (openssl and openssl1.0), Fedora (expat, kernel, kernel-headers, kernel-tools, and phpMyAdmin), openSUSE (nghttp2 and u-boot), Oracle (kernel), Red Hat (rh-nodejs8-nodejs), Slackware (libpcap), SUSE (bind, jasper, libgcrypt, openssl-1_0_0, and php7), and Ubuntu (clamav).
[$] PostgreSQL considers seccomp() filters
A discussion on the pgsql-hackers mailing list at the end of August is another reminder that the suitability of seccomp() filters is likely more narrow than was hoped. Applying filters to the PostgreSQL database is difficult for a number of reasons and the benefit for the project and its users is not entirely clear. The discussion highlights the tradeoffs inherent in adding system-call filtering to a complex software suite; it may help crystallize the thinking of other projects that are also looking at supporting seccomp() filters.
Stable kernel updates
Stable kernels 5.3.2, 5.2.18, and 4.19.76 have been released. They all contain important fixes and users should upgrade.
Security updates for Tuesday
Security updates have been issued by Debian (apache2, linux-4.9, netty, phpbb3, and poppler), openSUSE (chromium, djvulibre, ghostscript, python-numpy, SDL2, and varnish), Oracle (nodejs:10), Red Hat (httpd24-httpd and httpd24-nghttp2, kpatch-patch, and rh-nodejs10-nodejs), and Ubuntu (linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, and SDL 2.0).
TensorFlow 2.0.0
Version 2.0.0 of the TensorFlow machine-learning system is out. Headline features include the "Keras" high-level API, support for distributed training, and more, including a number of API-breaking changes.
[$] 5.4 Merge window, part 2
The release of the 5.4-rc1 kernel and the closing of the merge window for this development cycle came one day later than would have normally been expected. By that time, 12,554 non-merge changesets had been pulled into the mainline repository; that's nearly 2,900 since the first-week summary was written. That relatively small number of changes belies the amount of interesting change that arrived late in the merge window, though; read on for the full list.
The 5.4-rc1 kernel is out
Linus has tagged the 5.4-rc1 release, thus ending the merge window for this development cycle. An apparent linux-kernel outage means that there is no announcement to post yet; we'll do that as soon as it becomes available. Meanwhile, though, everything can be seen in his repository. Update: the 5.4-rc1 announcement is now available. "I didn't really extend the merge window by a day here, but I gave myself an extra day to merge my pending queue. Thus the Monday date for the rc1 rather than the usual Sunday afternoon."
Exim 4.92.3 security release
Exim 4.92.3 has been released with a fix for CVE-2019-16928, a heap-based buffer overflow in string_vformat that could lead to remote code execution. "The currently known exploit uses an extraordinarily long EHLO string to crash the Exim process that is receiving the message. While at this mode of operation Exim already dropped its privileges, other paths to reach the vulnerable code may exist."
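As an added illustration for this page (not Exim's code and not the patched function), the C below shows the defensive shape a practitioner wants around SMTP command handling: a bounded append-formatter that refuses rather than overruns when its output does not fit a fixed heap buffer, and an EHLO handler that rejects an overlong argument before anything is formatted at all. The function names, the server name, the 255-byte argument limit and the 512-byte reply buffer are assumptions for illustration.

```c
/* Added example for this page, not Exim's code and not the patched function.
 * A bounded append-formatter of the kind used to build SMTP replies, plus an
 * EHLO handler that enforces a length limit before anything is formatted
 * into a fixed-size heap buffer. Function names, the server name and the
 * limits are assumptions for illustration. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_EHLO_ARG 255   /* RFC 5321 domain-length limit; longer is refused */
#define REPLY_SIZE   512   /* fixed heap buffer the reply is formatted into  */

/* Append printf-style output at *off inside buf[size]. Returns 1 on success,
 * 0 if the output would not fit; nothing is ever written past buf[size-1].
 * A formatter that instead trusts its caller's length accounting is the
 * class of code an overlong client string can push past a heap buffer. */
static int bounded_vformat(char *buf, size_t size, size_t *off,
                           const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*off >= size)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf + *off, size - *off, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= size - *off) {
        buf[size - 1] = '\0';
        return 0;                 /* truncated: refuse rather than continue */
    }
    *off += (size_t)n;
    return 1;
}

/* Parse "EHLO <argument>\r\n" and build the 250 reply in a heap buffer.
 * Returns the SMTP code: 250 (accepted; *reply is malloc'ed for the caller
 * to free), 501 (empty or overlong argument), 500 (not an EHLO command). */
int handle_ehlo(const char *line, char **reply)
{
    const char *arg, *end;
    size_t arglen, off = 0;
    char *buf;

    *reply = NULL;
    if (strncasecmp(line, "EHLO ", 5) != 0)
        return 500;
    arg = line + 5;
    end = strpbrk(arg, "\r\n");
    arglen = end ? (size_t)(end - arg) : strlen(arg);

    /* The check the formatter cannot be relied on to make for us. */
    if (arglen == 0 || arglen > MAX_EHLO_ARG)
        return 501;

    buf = malloc(REPLY_SIZE);
    if (!buf)
        return 451;
    if (!bounded_vformat(buf, REPLY_SIZE, &off, "250-%s Hello %.*s\r\n",
                         "mail.example.test", (int)arglen, arg) ||
        !bounded_vformat(buf, REPLY_SIZE, &off, "250 SIZE 10485760\r\n")) {
        free(buf);
        return 501;
    }
    *reply = buf;
    return 250;
}

/* Helpers: just the code for a line, and the code for a constructed EHLO
 * whose argument is n bytes of 'A' (constructed input, not a real client). */
int ehlo_code(const char *line)
{
    char *reply;
    int code = handle_ehlo(line, &reply);
    free(reply);
    return code;
}

int overlong_ehlo_code(size_t n)
{
    char *line = malloc(5 + n + 3);
    int code;
    if (!line)
        return 451;
    memcpy(line, "EHLO ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 3);
    code = ehlo_code(line);
    free(line);
    return code;
}

int main(void)
{
    char *reply;
    int code = handle_ehlo("EHLO client.example.test\r\n", &reply);
    printf("%d\n%s", code, reply ? reply : "(no reply)\n");
    free(reply);
    printf("255-byte argument  -> %d\n", overlong_ehlo_code(255));
    printf("4096-byte argument -> %d\n", overlong_ehlo_code(4096));
    return 0;
}
```

Run it and the 4096-byte EHLO is turned away with a 501 before the reply buffer is ever allocated; the length check belongs at the input boundary, with the formatter's own bound as a second line of defence rather than the only one.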
Security updates for Monday
Security updates have been issued by CentOS (dovecot, kernel, and qemu-kvm), Debian (cimg, cups, e2fsprogs, exim4, file-roller, golang-1.11, httpie, and wpa), Fedora (curl, ghostscript, ibus, krb5, mod_md, and nbdkit), Mageia (chromium-browser-stable, libheif, and nghttp2), openSUSE (djvulibre, expat, libopenmpt, mosquitto, phpMyAdmin, and webkit2gtk3), Red Hat (nodejs:10), SUSE (gpg2), and Ubuntu (e2fsprogs and exim4).
[$] Compiling to BPF with GCC
The addition of extended BPF to the kernel has opened up a whole range of use cases, but few developers actually write BPF code. It is, like any other assembly-level language, a tedious pain to work with; developers would rather use a higher-level language. For BPF, the language of choice is C, which is compiled to BPF with the LLVM compiler. But, as Jose Marchesi described during the Toolchains microconference at the 2019 Linux Plumbers Conference, LLVM will soon have company, as he has just added support for a BPF back-end to the GCC compiler.
RPM 4.15.0 released
After "more than two years in development and half a year in testing", version 4.15.0 of the RPM package manager has been released. It has a wide range of new features, including faster parallel builds; support for %elif, %elifos, and %elifarch statements in RPM spec files; new %patchlist and %sourcelist sections; experimental support for non-privileged operation in a chroot() environment; and, of course, plenty of bug fixes and such. More details can be found in the release notes.
Purism’s Librem 5 phone starts shipping—a fully open GNU/Linux phone (Ars Technica)
Ars Technica reports on the Librem 5 smartphone from Purism, which has begun shipping. The article provides an initial review of the phone, with pictures of the interface and hardware inside the case. "The Librem 5 is unlike anything else on the market. Not only is it one of the only smartphones on Earth that doesn't ship with Android, a fork of Android, or iOS—Purism's commitment to 100% open software, with no binary blobs, puts severe restrictions on what hardware it can use. Android's core might be open source, but it was always built for wide adoption above all else, with provisions for manufacturers to include as much proprietary code as they want. Purism's demand that everything be open means most of the major component manufacturers were out of the question. Perhaps because of the limited hardware options, the internal construction of the Librem 5 is absolutely wild. While smartphones today are mostly a single mainboard with every component integrated into it, the Librem 5 actually has a pair of M.2 slots that house full-size, off-the-shelf LTE and Wi-Fi cards for connectivity, just like what you would find in an old laptop. The M.2 sockets look massive on top of the tiny phone motherboard, but you could probably replace or upgrade the cards if you wanted."
How to contribute to Fedora (Fedora Magazine)
Over at Fedora Magazine, Ben Cotton has an article on contributing to the Fedora distribution. Obviously, it is pretty Fedora-specific, but the general ideas can be applied to other distributions and/or projects. He lists several areas where contributors are needed—beyond just the obvious candidates: "Cooperative effort is a hallmark of open source communities. One of the best ways to contribute to any project is to help other users. In Fedora, that can mean answering questions on the Ask Fedora forum, the users mailing list, or in the #fedora IRC channel. Many third-party social media and news aggregator sites have discussion related to Fedora where you can help out as well."
[$] Fixing getrandom()
A report of a boot hang in the 5.3 series has led to an enormous, somewhat contentious thread on the linux-kernel mailing list. The proximate cause was some changes that made the ext4 filesystem do less I/O early in the boot phase, incidentally causing fewer interrupts, but the underlying issue was the getrandom() system call, which was blocking until the /dev/urandom pool was initialized—as designed. Since the system in question was not gathering enough entropy due to the lack of unpredictable interrupt timings, that would hang more or less forever. That has called into question the design and implementation of getrandom().
Security updates for Friday
Security updates have been issued by Fedora (dcmtk), openSUSE (rust), Red Hat (redhat-virtualization-host), and SUSE (ghostscript, nghttp2, and u-boot).
[$] Upstreaming multipath TCP
The multipath TCP (MPTCP) protocol (and the Linux implementation of it) have been under development for a solid decade; MPTCP offers a number of advantages for devices that have more than one network interface available. Despite having been deployed widely, though, MPTCP is still not supported by the upstream Linux kernel. At the 2019 Linux Plumbers Conference, Matthieu Baerts and Mat Martineau discussed the current state of the Linux MPTCP implementation and what will be required to get it into the mainline kernel.
Security updates for Thursday
Security updates have been issued by CentOS (dovecot), Debian (lemonldap-ng, openssl, and ruby-nokogiri), openSUSE (fish3, ibus, nmap, and openssl-1_1), Slackware (mozilla), SUSE (mariadb, python-numpy, and SDL2), and Ubuntu (firefox).
[$] LWN.net Weekly Edition for September 26, 2019
The LWN.net Weekly Edition for September 26, 2019 is available.
[$] Monitoring the internal kernel ABI
As part of the Distribution Kernels microconference at Linux Plumbers Conference 2019, Matthias Männich described how the Android project monitors changes to the internal kernel ABI. As Android kernels evolve, typically by adding features and bug fixes from more recent kernel versions, the project wants to ensure that the ABI remains the same so that out-of-tree modules will still function. While the talk was somewhat Android-specific, the techniques and tools used could be applied to other distributions with similar needs (e.g. enterprise distributions).
Security updates for Wednesday
Security updates have been issued by Debian (kernel, libgcrypt20, and spip), Fedora (compat-openssl10, expat, ghostscript, ibus, java-1.8.0-openjdk-aarch32, and SDL2_image), openSUSE (bird, chromium, kernel, libreoffice, links, and varnish), Oracle (httpd:2.4 and qemu-kvm), Red Hat (kernel), Scientific Linux (qemu-kvm), SUSE (djvulibre, dovecot22, ghostscript, kernel, libxml2, and python-Twisted), and Ubuntu (file-roller and libreoffice).
A patent lawsuit against GNOME
A company called Rothschild Patent Imaging LLC has filed a lawsuit [PDF] against the GNOME Foundation, alleging that the Shotwell photo manager violates patent 9,936,086. Stay tuned, more details will surely emerge.
Google Code‑in 2019
Google Code-in (GCI) provides students ages 13 to 17 the opportunity to participate in open source projects. Google has announced the 2019 round of GCI. "New contributors bring fresh perspectives, ideas, and enthusiasm into their open source communities, helping them thrive. Throughout the last 9 years, 58 GCI organizations helped 11,000 students from 108 countries make real contributions to open source projects; and to this day many of those students continue to participate in various open source communities and many have become mentors themselves! Some have even gone on to join Google Summer of Code (GSoC)." Organizations that are interested in mentoring students can apply for GCI starting October 10. GCI begins December 2, 2019 and ends January 23, 2020.
Release for CentOS Linux 8 and CentOS Streams
CentOS Linux 8.0-1905 has been released. The release notes have more details. The CentOS project also introduces CentOS Stream. "CentOS Stream is a rolling-release Linux distro that exists as a midstream between the upstream development in Fedora Linux and the downstream development for Red Hat Enterprise Linux (RHEL). It is a cleared-path to contributing into future minor releases of RHEL while interacting with Red Hat and other open source developers. This pairs nicely with the existing contribution path in Fedora for future major releases of RHEL."
[$] Better guidance for database developers
At the inaugural Databases microconference at the 2019 Linux Plumbers Conference (LPC), two developers who work on rather different database systems had similar complaints about developing for Linux. Richard Hipp, creator of the SQLite database, and Andres Freund from the PostgreSQL project both lamented the lack of definitive documentation on how to best use the kernel's I/O interfaces, especially for corner cases. Both of the sessions, along with others in the microconference, pointed to a strong need for more interaction between user-space and kernel developers.
Security updates for Tuesday
Security updates have been issued by Debian (php5), Fedora (blis, kernel, and kernel-headers), openSUSE (bird, curl, fish3, ghostscript, ibus, kernel, libgcrypt, openldap2, openssl-1_1, skopeo, and util-linux and shadow), Oracle (dovecot and kernel), Red Hat (dovecot, httpd:2.4, qemu-kvm, and redhat-virtualization-host), Scientific Linux (dovecot), SUSE (djvulibre, expat, firefox, libopenmpt, and rust), and Ubuntu (ibus and Mosquitto).
[$] 5.4 Merge window, part 1
As of this writing, 9,632 non-merge changesets have been merged for the 5.4 kernel. This merge window is thus off to a strong start. There has been a wide range of changes merged across the kernel tree, including vast numbers of cleanups and fixes.
Security updates for Monday
Security updates have been issued by Debian (expat, php-pecl-http, and php7.0), Fedora (ImageMagick, jackson-annotations, jackson-bom, jackson-core, jackson-databind, and rubygem-rmagick), Mageia (chromium-browser-stable, ibus, kernel, samba, and thunderbird), openSUSE (chromium), Oracle (dovecot and kernel), Red Hat (dbus, kernel, kernel-alt, and kpatch-patch), Scientific Linux (dovecot and kernel), and SUSE (expat, ibus, kernel, kernel-source-rt, nmap, openssl, and webkit2gtk3).
Stable kernels for the weekend
The 5.3.1, 5.2.17, 4.19.75, 4.14.146, 4.9.194, and 4.4.194 stable kernels are all available; each contains another set of important fixes.
LLVM 9.0.0 released
Version 9.0.0 of the LLVM compiler suite is out. Headline changes include asm goto support — fixing one of the main impediments to compiling the kernel on x86 with LLVM — and non-experimental support for the RISC-V architecture.
[$] Many uses for Core scheduling
Some new kernel features are welcomed by the kernel development community, while others are a rather harder sell. It is fair to say that core scheduling, which makes CPU scheduling harder by placing constraints on which processes may run simultaneously in a core, is of the latter variety. Core scheduling was the topic of (at least) three different sessions at the 2019 Linux Plumbers Conference. One of the most interesting outcomes, perhaps, is that there are use cases for this feature beyond protection from side-channel attacks.
Security updates for Friday
Security updates have been issued by Debian (bird, opendmarc, php7.3, and qemu), Fedora (bird, dino, nbdkit, and openconnect), Oracle (nginx:1.14, patch, and thunderbird), Red Hat (dovecot, kernel, kernel-alt, and kernel-rt), Scientific Linux (thunderbird), and SUSE (kernel, openssl, openssl-1_1, python-SQLAlchemy, and python-Werkzeug).
[$] System-call wrappers for glibc
The GNU C Library has long had a reputation for being hostile to the addition of wrappers for new Linux system calls; that has resulted in many system calls being unsupported by the library for years. That situation is changing, though. During the Toolchain microconference at the 2019 Linux Plumbers Conference, Maciej Rozycki talked about glibc's new attitude toward system-call wrappers, but also served notice that there is still significant work to do for the addition of any new system call.
Stable kernels 5.2.16, 4.19.74, and 4.14.145
Greg Kroah-Hartman has announced the release of the 5.2.16, 4.19.74, and 4.14.145 stable kernels. Important fixes are contained within; users should upgrade.
Security updates for Thursday
Security updates have been issued by CentOS (exiv2, firefox, ghostscript, http-parser, httpd, kdelibs and kde-settings, kernel, pango, qemu-kvm, and thunderbird), Debian (ibus), Fedora (kernel, kernel-headers, python34, qbittorrent, and samba), openSUSE (chromium), Oracle (go-toolset:ol8), Red Hat (kernel, nginx:1.14, patch, ruby, skydive, systemd, and thunderbird), Scientific Linux (thunderbird), SUSE (libreoffice, openssl-1_1, python-urllib3, and python-Werkzeug), and Ubuntu (tomcat9 and wpa, wpasupplicant).
[$] LWN.net Weekly Edition for September 19, 2019
The LWN.net Weekly Edition for September 19, 2019 is available.
[$] Deep argument inspection for seccomp
In the Kernel Summit track at the 2019 Linux Plumbers Conference, Christian Brauner and Kees Cook led a discussion on finding a way to do deep argument inspection for seccomp filtering. Currently, seccomp filters can only look at the top-level arguments to a system call, which means that there are use cases that cannot be supported. There was a lively discussion in the session, but no definitive conclusion was reached; various ideas were considered, but none seemed to quite fit the bill.
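The two seccomp items on this page (the PostgreSQL discussion above and this session) both turn on what a filter can and cannot see, so here is one added C example serving both; it is written for this page, not taken from the session, from PostgreSQL or from the kernel. It builds a seccomp-bpf allowlist that permits socket(2) only for AF_UNIX by reading the first argument register, and evaluates that filter with a small interpreter of our own (simulate()) so the decisions can be checked without installing anything; main() additionally installs it for real in a forked child on x86-64 Linux. The policy, the helper names and the interpreter are assumptions, not any project's code.

```c
/* Added example for this page, not code from the LPC session, PostgreSQL or
 * the kernel. It builds a seccomp-bpf allowlist that reads one top-level
 * syscall argument, and evaluates it with a small interpreter of our own so
 * the decisions can be checked without installing the filter. Linux only. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#define SD(field) offsetof(struct seccomp_data, field)

/* Policy (an assumption for illustration): allow write(2) and exit_group(2);
 * allow socket(2) only when args[0] == AF_UNIX; kill the process otherwise.
 * args[0] is a plain integer, so the filter can read it. What it cannot do
 * is follow a pointer: the path behind openat(2) or the struct behind
 * clone3(2) is invisible to classic BPF, which is the gap the session was about. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(args[0])),   /* low 32 bits of args[0] */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};
#define FILTER_LEN (sizeof(filter) / sizeof(filter[0]))

/* Interpreter for the three instruction forms used above (our helper, not a
 * kernel API). Returns the SECCOMP_RET_* action the kernel would take. */
uint32_t simulate(const struct seccomp_data *d)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < FILTER_LEN) {
        const struct sock_filter *in = &filter[pc++];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;   /* opcode we do not model */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;           /* ran off the end */
}

/* Decision for one syscall with a given first argument (x86-64 ABI). */
uint32_t decide(int nr, uint64_t arg0)
{
    struct seccomp_data d = { .nr = nr, .arch = AUDIT_ARCH_X86_64,
                              .args = { arg0 } };
    return simulate(&d);
}

int main(void)
{
    printf("socket(AF_UNIX) -> %s\n",
           decide(__NR_socket, AF_UNIX) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("socket(AF_INET) -> %s\n",
           decide(__NR_socket, AF_INET) == SECCOMP_RET_ALLOW ? "allow" : "kill");

    /* Live check on x86-64: install in a child; the AF_INET socket() dies. */
    pid_t pid = fork();
    if (pid == 0) {
        struct sock_fprog prog = { .len = FILTER_LEN, .filter = filter };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(2);
        socket(AF_UNIX, SOCK_STREAM, 0);   /* allowed by the filter */
        socket(AF_INET, SOCK_STREAM, 0);   /* SIGSYS: process killed */
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    printf("child %s\n", WIFSIGNALED(status) ? "killed by the filter" : "not killed");
    return 0;
}
```

The AF_INET socket() is refused because args[0] is a plain integer the filter can compare; nothing can be written in this form to reject openat(2) of one particular path or clone3(2) with particular flags, because those values live behind pointers the filter cannot dereference. That is the deep-argument-inspection gap the session discussed, and it is also why wrapping a large program such as PostgreSQL in an allowlist tends to come down to syscall numbers alone.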
Security updates for Wednesday
Security updates have been issued by CentOS (firefox and kernel), Debian (thunderbird), Fedora (curl), openSUSE (curl and python-Werkzeug), Oracle (kernel and thunderbird), Red Hat (rh-nginx114-nginx), SUSE (curl, ibus, MozillaFirefox, firefox-glib2, firefox-gtk3, openldap2, openssl, openssl1, python-urllib3, and util-linux and shadow), and Ubuntu (linux, linux-aws, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-oracle, linux-raspi2, linux-snapdragon, and wpa).
Moving Firefox to a faster 4-week release cycle
The Mozilla blog has an announcement that Firefox will be moving to a 4-week release cycle, starting in 2020. "Shorter release cycles provide greater flexibility to support product planning and priority changes due to business or market requirements. With four-week cycles, we can be more agile and ship features faster, while applying the same rigor and due diligence needed for a high-quality and stable release. Also, we put new features and implementation of new Web APIs into the hands of developers more quickly." The Firefox ESR (Extended Support Release) release cadence will remain the same.
[$] The properties of secure IoT devices
At Open Source Summit North America 2019, David Tarditi from Microsoft gave a talk on seven different properties for highly secure Internet of Things (IoT) devices. The properties are based on a Microsoft Research whitepaper [PDF] from 2017. His high-level summary of the talk was that if you are creating a device that will be connecting to the internet and you don't want it to get "owned", you should pay attention to the properties he would be describing. Overall, it was an interesting talk, with good analysis of the areas where effort needs to be focused to produce secure IoT devices, but it was somewhat marred by an advertisement for a proprietary product (which, naturally, checked all the boxes) at the end of the talk.
CentOS Linux 7 (1908) released
A new release of CentOS Linux 7 is available. This release is tagged as 1908 and derived from Red Hat Enterprise Linux 7.7 source code. The release notes have the details. CentOS Linux 7 (1908) is also available for several alternate architectures.
Security updates for Tuesday
Security updates have been issued by Debian (dino-im, python2.7, python3.4, and wpa), Fedora (kmplayer), openSUSE (podman and samba), Oracle (thunderbird), Red Hat (thunderbird), Slackware (expat), SUSE (curl), and Ubuntu (apache2).
[$] Maintainers Summit topics: pull depth, hardware vulnerabilities, etc.
The final sessions at the 2019 Linux Kernel Maintainers Summit covered a number of relatively quick topics, including the "pull depth" for code going into the mainline, the handling of hardware vulnerabilities, the ABI status of tracepoints, and more.
Richard Stallman resigns from the FSF
With a brief announcement, the Free Software Foundation has let it be known that founder Richard Stallman has resigned both as president and from the board of directors. "The board will be conducting a search for a new president, beginning immediately. Further details of the search will be published on fsf.org".
[$] Linus Torvalds on the kernel development community
The Linux Kernel Maintainers Summit is all about the development process, so it is natural to spend some time on how that process is working at the top of the maintainer hierarchy. The "is Linus happy?" session during the 2019 summit revealed that things are working fairly well at that level, but that, as always, there are a few things that could be improved.
Stable kernel updates
Stable kernels 5.2.15, 4.19.73, 4.14.144, 4.9.193, and 4.4.193 have been released. They all contain important fixes and users should upgrade.
Security updates for Monday
Security updates have been issued by Debian (ansible, faad2, linux-4.9, and thunderbird), Fedora (jbig2dec, libextractor, sphinx, and thunderbird), Mageia (expat, kconfig, mediawiki, nodejs, openldap, poppler, thunderbird, webkit2, and wireguard), openSUSE (buildah, ghostscript, go1.12, libmirage, python-urllib3, rdesktop, and skopeo), SUSE (python-Django), and Ubuntu (exim4, ibus, and Wireshark).
[$] The stable-kernel process
The stable kernel process is a perennial topic of discussion at gatherings of kernel developers; the 2019 Linux Kernel Maintainers Summit was no exception. Sasha Levin ran a session there where developers could talk about the problems they have with stable kernels and ponder solutions.
The 5.3 kernel is out
The 5.3 kernel is available at last. The announcement includes a long discussion about user-space regressions — an ext4 filesystem performance improvement had caused some systems to fail booting due to a lack of entropy early after startup. "It's more that it's an instructive example of what counts as a regression, and what the whole 'no regressions' kernel rule means. The reverted commit didn't change any API's, and it didn't introduce any new bugs. But it ended up exposing another problem, and as such caused a kernel upgrade to fail for a user. So it got reverted." Some of the more significant changes in 5.3 include scheduler utilization clamping, the pidfd_open() and clone3() system calls, bounded loop support for BPF programs, support for the 0.0.0.0/8 IPv4 address range, a new configuration option for the soon-to-be-merged realtime preemption code, and more. See the KernelNewbies 5.3 page for lots of details.
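The "Fixing getrandom()" item above and this release note describe the same failure: a getrandom() call that blocks until the pool is initialised, on a system that never gets there. The following added C example (ours, not kernel or glibc code) shows how a user-space program avoids taking part in that hang: it asks with GRND_NONBLOCK, treats EAGAIN as "not ready" rather than waiting indefinitely, and wraps that in a bounded wait with a deadline so the caller chooses the policy. The wrapper names, the 50 ms poll step and the one-second deadline are assumptions; it needs Linux and glibc 2.25 or later for <sys/random.h>.

```c
/* Added example for this page, not kernel or glibc code: read seed material
 * from getrandom(2) without letting an uninitialised pool hang the caller.
 * GRND_NONBLOCK turns the wait into EAGAIN; the bounded-wait wrapper, its
 * names and its timings are assumptions for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>
#include <time.h>

/* Fill buf[len]. Returns len on success, -EAGAIN if the pool is not yet
 * initialised (a flags=0 call would block here, possibly forever on a box
 * with too little interrupt entropy), -errno otherwise. Handles short
 * reads and EINTR. */
ssize_t get_seed_nonblocking(unsigned char *buf, size_t len)
{
    size_t got = 0;

    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, GRND_NONBLOCK);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -errno;
        }
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Poll for up to timeout_ms instead of blocking indefinitely. A boot-time
 * service can log and fail closed after the deadline instead of stalling
 * the whole system on a pool that may never fill. */
ssize_t get_seed_bounded(unsigned char *buf, size_t len, int timeout_ms)
{
    const int step_ms = 50;
    struct timespec nap = { 0, step_ms * 1000L * 1000L };
    int waited = 0;

    for (;;) {
        ssize_t r = get_seed_nonblocking(buf, len);
        if (r != -EAGAIN)
            return r;
        if (waited >= timeout_ms)
            return -EAGAIN;           /* deadline passed: caller's policy */
        nanosleep(&nap, NULL);
        waited += step_ms;
    }
}

/* 1 if 32 bytes of seed were available within a second, 0 if the pool was
 * still uninitialised at the deadline, -1 on any other error. */
int seed_ready(void)
{
    unsigned char seed[32];
    ssize_t r = get_seed_bounded(seed, sizeof seed, 1000);

    if (r == (ssize_t)sizeof seed)
        return 1;
    return r == -EAGAIN ? 0 : -1;
}

int main(void)
{
    unsigned char seed[32];
    ssize_t r = get_seed_bounded(seed, sizeof seed, 1000);

    if (r < 0) {
        fprintf(stderr, "seed unavailable: %s\n",
                r == -EAGAIN ? "pool not initialised within 1s" : strerror((int)-r));
        return 1;
    }
    for (size_t i = 0; i < sizeof seed; i++)
        printf("%02x", seed[i]);
    printf("\n");
    return 0;
}
```

On a running system the pool is ready and the block prints 32 hex bytes; on the early-boot system from the report, get_seed_bounded() would return -EAGAIN after a second and the caller decides whether to retry, log or fail closed, rather than joining the boot hang.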
[$] Dealing with automated kernel bug reports
There is value in automatic testing systems, but they also present a problem of their own: how can one keep up with the high volume of bug reports that they generate? At the 2019 Linux Kernel Maintainers Summit, Shuah Khan ran a session dedicated to this issue. There was general agreement that the reports are hard to deal with, but not a lot of progress toward a solution.
[$] Defragmenting the kernel development process
The first session at the 2019 Linux Kernel Maintainers Summit was a last-minute addition to the schedule. Dmitry Vyukov's Linux Plumbers Conference session on the kernel development process (slides [PDF]) had inspired a number of discussions that, it was agreed, should carry over into the summit. The result was a wide-ranging conversation about the kernel's development tools and what could be done to improve them.