Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-22 14:00
[$] Revisiting stable-kernel regressions
Stable-kernel updates are, unsurprisingly, supposed to be stable; that is why the first of the rules for stable-kernel patches requires them to be "obviously correct and tested". Even so, for nearly as long as the kernel community has been producing stable update releases, said community has also been complaining about regressions that make their way into those releases. Back in 2016, LWN did some analysis that showed the presence of regressions in stable releases, though at a rate that many saw as being low enough. Since then, the volume of patches showing up in stable releases has grown considerably, so perhaps the time has come to see what the situation with regressions is with current stable kernels.
Security updates for Thursday
Security updates have been issued by Arch Linux (dovecot, firefox, ksh, and webkit2gtk), Debian (firefox-esr and openjdk-8), Mageia (exiv2, flash-player-plugin, python-waitress, and vim and neovim), openSUSE (pcp and rubygem-rack), Oracle (kernel), Red Hat (sudo), and Slackware (libarchive).
[$] LWN.net Weekly Edition for February 13, 2020
The LWN.net Weekly Edition for February 13, 2020 is available.
[$] Enabling the persistent journal in Debian
It seems unlikely that anyone on any "side" of the systemd war that has raged in Debian over the last few years thought that the results of the recent general resolution (GR) vote ended the matter. The vote showed a clear preference for moving ahead with systemd as the preferred init system, though it was far from any kind of landslide—there were definitely plenty of voters who would have preferred a different outcome. It was a complicated GR, with a wide spectrum of options, but at this point, the project as a whole has spoken. Actually implementing some of the changes that the GR enabled may not have the smooth path that some might have hoped for, however.
Horn: Mitigations are attack surface, too
On the Google Project Zero blog, Jann Horn looks at a number of vulnerabilities in a Samsung Android kernel, some of which are caused by the addition of out-of-tree "security" features. "The Samsung kernel on the A50 contains an extra security subsystem (named 'PROCA', short for 'Process Authenticator', with code in security/proca/) to track process identities. By combining several logic issues in this subsystem (which, on their own, can already cause a mismatch between the tracking state and the actual process state) with a brittle code pattern, it is possible to cause memory unsafety by winning a race condition."
Security updates for Wednesday
Security updates have been issued by CentOS (spice-gtk), Debian (libemail-address-list-perl), openSUSE (chromium, libqt5-qtbase, nginx, systemd, and wicked), Oracle (spice-gtk), Slackware (firefox and thunderbird), and Ubuntu (libexif and Yubico PIV Tool).
Three stable kernels
Stable kernels 5.5.3, 5.4.19, and 4.19.103 have been released. They all contain many important fixes throughout the tree and users should upgrade.
[$] Lua and Python
From a high-level perspective, Lua and Python are similar languages; both are "scripting" languages that are compiled into bytecode instructions that run on a virtual machine. But the focus of Lua has generally been toward embedding the language into some larger application or system, rather than as an alternative for, say, Python, Perl, or Ruby as a general-purpose language. That is not to say that Lua is not capable of handling any of the tasks those other languages do, but that it has not really been the target, seemingly. Some recent discussions in the Lua community have explored possible changes in that regard, particularly around the idea of providing a larger, richer standard library.
Firefox 73.0
Firefox 73.0 has been released. This version includes two features that help users view and read website content more easily; a new global default zoom level setting and a "readability backplate" solution to make websites in High Contrast Mode more readable without disabling background images. See the release notes for details.
Security updates for Tuesday
Security updates have been issued by Debian (checkstyle), Fedora (poppler), Oracle (kernel), Red Hat (389-ds:1.4, java-1.7.1-ibm, java-1.8.0-ibm, nss-softokn, and spice-gtk), and Scientific Linux (spice-gtk).
Aleksandersen: Limit the impact of a security intrusion with systemd security directives
Daniel Aleksandersen shows how to sandbox a daemon process using a set of systemd features. "These directives combined would have stopped the specific remote code execution vulnerability that afflicted OpenSMTPD. However, the key takeaway is that you should strive to sandbox long-running and internet-exposed services. There’s no need for your webserver to be able to load a kernel module, your email server to change the hostname, or your DNS server to launch wget and schedule reoccurring tasks with cron."
[$] The rest of the 5.6 merge window
Linus Torvalds released the 5.6-rc1 prepatch and closed the merge window on February 9; at that point, 10,780 non-merge changesets had been pulled into the mainline repository for 5.6. That is substantially less than recent development cycles (14,350 for 5.5, 14,619 for 5.4), but is similar to what was going on at this time last year (10,843 for 5.0-rc1 in January 2019). About 6,000 of those changes were pulled since the first 5.6 merge-window article was written; read on for what was included in those changes.
GDB 9.1 released
Version 9.1 of the GNU debugger is out. There are many improvements; see the announcement and the changelog for details.
Security updates for Monday
Security updates have been issued by Debian (ipmitool, libexif, and ppp), Fedora (glib2, java-1.8.0-openjdk, java-11-openjdk, libasr, libuv, mingw-gdk-pixbuf, mingw-SDL2, nethack, nghttp2, nodejs, nodejs-mixin-deep, nodejs-set-value, nodejs-yarn, opensmtpd, python-feedgen, runc, samba, sox, and texlive-base), Mageia (chromium-browser-stable, mgetty, openslp, qtbase5, spamassassin, sudo, and xmlrpc), openSUSE (ceph and chromium), Oracle (grub2 and kernel), SUSE (docker-runc, LibreOffice, and wicked), and Ubuntu (libxml2 and qtbase-opensource-src).
Kernel prepatch 5.6-rc1
Linus has released 5.6-rc1 and closed the merge window for this development cycle. "This was actually a slightly smaller merge window than usual, but I think that what happened is simply that the holiday season impacted new development. It impacted the 5.5 rc series less than I had expected, but seems to instead have caused 5.6 to have slightly less development than normal."
[$] Kernel operations structures in BPF
One of the more eyebrow-raising features to go into the 5.6 kernel is the ability to load TCP congestion-control algorithms as BPF programs; networking developer Toke Høiland-Jørgensen described it as a continuation of the kernel's "march towards becoming BPF runtime-powered microkernel". On its face, congestion control is a significant new functionality to hand over to BPF, taking it far beyond its existing capabilities. When one looks closer, though, one's eyebrow altitude may well increase further; the implementation of this feature breaks new ground in a couple of areas.
Davis: Is Open Source a diversion from what users really want?
Over on the Ardour forum, Paul Davis wonders whether access to the source code is truly what users these days want or need. There are other closed-source digital audio workstations that are far more customizable than Ardour via a scripting language without needing any access to the source. "But perhaps for applications like Ardour, ones that do not yet exist, there ought to be a different development pathway. I remember once wondering if we should have implemented the entire GUI in PyGTK (i.e. Python). We didn't, and most of my curiosity was about whether it would have helped or hindered our development process. However, had we done so, one of the consequences would have been that many changes to the program would have been made simpler, easier to access and would require no 'rebuild'. I wonder if going forward, large-scale apps like Ardour ought to (as Reaper did relatively early in its life) consider the 'script extension system' to be a vital and critical part of the application infrastructure. This would mean, for example, writing large parts of 'core functionality' using this system, rather than dropping back into C++ to get things done. There are precedents for this: GNU Emacs, for example, is at some level written in C, but almost everything about the program is actually constructed in Emacs Lisp, its own 'scripting extension'. The C core of Emacs is so small and so irrelevant that it almost doesn't matter that it is there: if you want to modify or extend Emacs, you (almost always) write Lisp, not C."
Security updates for Friday
Security updates have been issued by Arch Linux (chromium, python-django, and sudo), Debian (libexif and libxmlrpc3-java), Fedora (upx and xar), openSUSE (ucl and upx), Oracle (ipa), Scientific Linux (kernel), SUSE (e2fsprogs, libqt5-qtbase, nginx, pcp, php7, rubygem-rack, systemd, wicked, and xen), and Ubuntu (mariadb-10.1, mariadb-10.3, mesa, pillow, and python-reportlab).
Hutterer: User-specific XKB configuration - part 1
On his blog, Peter Hutterer writes about some changes that will allow users to start deploying their own rules to modify keyboard layouts without driving themselves crazy. Many many moons ago before the Y2K bug was even in its larvae stage, the idea was that you could configure all of those because every UNIX tool had to be more flexible than your yoga teacher. I'm unsure to what extent this was actually ever the case but around 2007-ish the old keyboard driver got deprecated and the evdev driver made its grand entrance. And one side-effect of that was that things broke. evdev uses different keycodes, so all those users that copy-pasted unnecessary XKB configuration into their xorg.conf now had broken keys because they were applying the wrong rules. After whacking enough moles that we got in trouble with the RSPCA [Royal Society for the Prevention of Cruelty to Animals] we started hardcoding the "evdev" ruleset everywhere. The xorg.conf option "XKBRules" became a noop and thus stopped breaking users' setups. Except that it also stopped users from deploying their own rules files - something that probably didn't really matter anyway. This had some unintended side-effects though. First, to have a working custom XKB layout you basically had to get it merged upstream. Yes, you could edit the files locally but they'd just be overwritten next time you update the packages. Second, getting rid of hardcoded things is hard so we're stuck with the evdev ruleset for the foreseeable future. This was the situation until, well, now.
[$] Better tools for kernel developers
By many accounts, the kernel project uses outdated tooling, far behind the state of the art that Kids Today tend to favor. The kernel's workflow has worked well (enough) for years, but there are signs that it may not be sustainable indefinitely. As a result, there has been an ongoing conversation about improving the kernel's workflow, but little has changed so far. The posting of a simple tool called get-lore-mbox is a sign that the rate of change may be about to increase.
Security updates for Thursday
Security updates have been issued by CentOS (kernel-rt, qemu-kvm, spamassassin, and Xorg), Debian (ruby-rack-cors), Fedora (glibc), openSUSE (ImageMagick), Oracle (ipa, kernel, and qemu-kvm), SUSE (systemd), and Ubuntu (exiv2, mbedtls, and systemd).
[$] LWN.net Weekly Edition for February 6, 2020
The LWN.net Weekly Edition for February 6, 2020 is available.
More stable kernels
Stable kernels 5.4.18, 4.19.102, and 4.14.170 have been released. They contain important fixes and users should upgrade.
[$] Browsers, web sites, and user tracking
Browser tracking across different sites is certainly a major privacy concern and one that is more acute when the boundaries between sites and browsers blur—or disappear altogether. That seems to be the underlying tension in a "discussion" of an only tangentially related proposal being made by Google to the W3C Technical Architecture Group (TAG). The proposal would change the handling of the User-Agent headers sent by browsers, but the discussion turned to the unrelated X-Client-Data header that Chrome sends to Google-owned sites. The connection is that in both cases some feel that the web-search giant is misusing its position to the detriment of its users and its competitors in the web ecosystem.
Support for CoreOS Container Linux ending in May
Support for the CoreOS Container Linux distribution is coming to an end on May 26; there will be no further updates after that date. Users are recommended to move to Fedora CoreOS or some other distribution.
Stable kernel updates
Stable kernels 5.5.2, 4.9.213, and 4.4.213 have been released with important fixes. Users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (storebackup), openSUSE (e2fsprogs and wicked), Red Hat (containernetworking-plugins, ipa, kernel, kernel-rt, ksh, and qemu-kvm), Scientific Linux (ipa and qemu-kvm), SUSE (libqt5-qtbase, python-reportlab, and terraform), and Ubuntu (graphicsmagick, OpenSMTPD, spamassassin, and sudo).
[$] Postponing some feature removals in Python 3.9
Python 2 was officially "retired" on the last day of 2019, so no bugs will be fixed or changes made in that version of the language, at least by the core developers—distributions and others will continue for some time to come. But there are lots of Python projects that still support Python 2.7 and may not be ready for an immediate clean break. Some changes that were made for the upcoming Python 3.9 release (which is currently scheduled for October) are causing headaches because support for long-deprecated 2.7-compatibility features is being dropped. That led to a discussion on the python-dev mailing list about postponing those changes to give a bit more time to projects that want to drop Python 2.7 support soon, but not immediately.
Security updates for Tuesday
Security updates have been issued by Arch Linux (salt), CentOS (git), Debian (qtbase-opensource-src), Fedora (java-11-openjdk), Mageia (kernel and openjpeg2), openSUSE (mailman, python-reportlab, ucl, and upx), Oracle (git), Red Hat (container-tools:rhel8, go-toolset:rhel8, grub2, kernel, kernel-rt, php:7.2, and sudo), SUSE (crowbar-core, crowbar-openstack, openstack-neutron-fwaas, rubygem-crowbar-client and python36), and Ubuntu (python-django).
[$] A new hash algorithm for Git
The Git source-code management system is famously built on the SHA‑1 hashing algorithm, which has become an increasingly weak foundation over the years. SHA‑1 is now considered to be broken and, despite the fact that it does not yet seem to be so broken that it could be used to compromise Git repositories, users are increasingly worried about its security. The good news is that work on moving Git past SHA‑1 has been underway for some time, and is slowly coming to fruition; there is a version of the code that can be looked at now.
Security updates for Monday
Security updates have been issued by Arch Linux (opensmtpd), Debian (firefox-esr, libidn2, libjackson-json-java, prosody-modules, qemu, qtbase-opensource-src, spamassassin, and sudo), Fedora (e2fsprogs, java-1.8.0-openjdk, mingw-openjpeg2, openjpeg2, samba, sox, upx, webkit2gtk3, and xar), Red Hat (git), Scientific Linux (git), Slackware (sudo), SUSE (ceph and rmt-server), and Ubuntu (sudo).
GNU C Library 2.31 released
The GNU libc 2.31 release is out. Significant changes include some initial C2X standard support, some DNS stub resolver changes, a new pthread_clockjoin_np() POSIX threads extension, a number of changes to time-related functions, and more.
Some weekend stable kernel updates
The 5.5.1, 5.4.17, and 4.19.101 stable kernel updates have been released; each contains another set of important fixes.
The Yocto Project mourns Scott Rifenbark
The longtime tech writer for the Yocto Project, Scott Rifenbark, has died after a battle with cancer. Project architect Richard Purdie announced the sad news on the yocto mailing list; he also reflected on Rifenbark and his impact: "I remember interviewing Scott over 10 years ago when forming a team at Intel to work on what became the Yocto Project, he was with it from the start. He warned me he wasn't an entirely traditional tech writer but I warned we weren't aiming to be a traditional project either. It was a great match. He stayed with the project ever since in one way or another, he enjoyed working on the project and we enjoyed working with him. The concept of having a tech writer as part of the team was a decision I'm proud of and it shows in the material supporting the project today but that success belongs to Scott and his approach to it. Someone else put that best, 'He would first try the procedure or instructions before documenting it, I was really impressed'. He was hands on and wanted things to be understandable and correct, a huge challenge with some of the complexities we deal with."
[$] Accelerating netfilter with hardware offload, part 2
As network interfaces get faster, the amount of CPU time available to process each packet becomes correspondingly smaller. The good news is that many tasks, including packet filtering, can be offloaded to the hardware itself. The bad news is that the Linux kernel required quite a bit of work to be able to take advantage of that capability. The first article in this series provided an overview of how hardware-based packet filtering can work and the support for this feature that already existed in the kernel. This series now concludes with a detailed look at how offloaded packet filtering works in the netfilter subsystem and how administrators can make use of it.
Security updates for Friday
Security updates have been issued by Debian (libsolv, libxmlrpc3-java, openjpeg2, qemu, and suricata), Fedora (ansible, chromium, java-latest-openjdk, links, mingw-openjpeg2, nss, openjpeg2, python-pillow, thunderbird, webkit2gtk3, and xen), Mageia (gdal, java-1.8.0-openjdk, mariadb, openjpeg2, and sqlite3), Oracle (kernel), Red Hat (rh-java-common-xmlrpc), SUSE (e2fsprogs, ImageMagick, php72, tigervnc, and wicked), and Ubuntu (keystone).
[$] The 5.6 merge window opens
As of this writing, 4,726 non-merge changesets have been pulled into the mainline repository for the 5.6 development cycle. That is a relatively slow start by contemporary kernel standards, but it still is enough to bring a number of new features, some of which have been pending for years, into the mainline. Read on for a summary of the changes pulled in the early part of the 5.6 merge window.
Lars Kurth RIP
Ian Jackson posted a note to the xen-announce mailing list with the sad news that Xen community manager and project advisory board member Lars Kurth has died. "I'm very sad to inform you that Lars Kurth passed away earlier this week. Many of us regarded Lars as a personal friend, and his loss is a great loss to the Xen Project. We plan to have a tribute to Lars on the XenProject blog in the near future. Those who are attending FOSDEM may wish to attend the short tribute we plan for Sunday morning: https://fosdem.org/2020/schedule/event/vai_memory_of_lars_kurth/"
A new stable kernel crop
Five new stable kernels have been released: 5.4.16, 4.19.100, 4.14.169, 4.9.212, and 4.4.212. As usual, each contains important fixes throughout the kernel tree. Users should upgrade.
Security updates for Thursday
Security updates have been issued by Debian (graphicsmagick, opensmtpd, webkit2gtk, wget, and zlib), openSUSE (apt-cacher-ng, GraphicsMagick, java-1_8_0-openjdk, mailman, mumble, rubygem-excon, sarg, and shadowsocks-libev), Oracle (libarchive and openjpeg2), Red Hat (firefox, fribidi, openjpeg2, SDL, and thunderbird), Scientific Linux (openjpeg2), SUSE (glibc, java-1_8_0-openjdk, and rmt-server), and Ubuntu (Apache Solr and webkit2gtk).
[$] LWN.net Weekly Edition for January 30, 2020
The LWN.net Weekly Edition for January 30, 2020 is available.
[$] Fedora gathering requirements for a Git forge
Fedora currently uses Pagure to host many of its Git repositories and to handle things like documentation and bug tracking. But Pagure is maintained by the Red Hat Community Platform Engineering (CPE) team, which is currently straining under the load of managing the infrastructure and tools for Fedora and CentOS, while also maintaining the tools used by the Red Hat Enterprise Linux (RHEL) team. That has led to a discussion about identifying the requirements for a "Git forge" and possibly moving away from Pagure.
Unpleasant vulnerability in OpenSMTPD
Qualys has put out an advisory regarding a vulnerability in OpenBSD's OpenSMTPD mail server. It "allows an attacker to execute arbitrary shell commands, as root: either locally, in OpenSMTPD's default configuration (which listens on the loopback interface and only accepts mail from localhost); or locally and remotely, in OpenSMTPD's 'uncommented' default configuration (which listens on all interfaces and accepts external mail)." OpenBSD users would be well advised to update quickly.
Security updates for Wednesday
Security updates have been issued by CentOS (apache-commons-beanutils, java-1.8.0-openjdk, libarchive, openjpeg2, openslp, python-reportlab, and sqlite), Debian (hiredis, otrs2, and unzip), openSUSE (apt-cacher-ng, git, samba, sarg, and storeBackup), Oracle (openjpeg2), Red Hat (libarchive, openjpeg2, sqlite, and virt:rhel), SUSE (aws-cli and python-reportlab), and Ubuntu (libgcrypt11, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-hwe, linux-hwe, linux-aws-hwe, linux-lts-xenial, linux-aws, and openjdk-8, openjdk-lts).
LibreOffice 6.4 released
Version 6.4 of the LibreOffice productivity suite is out. It is said to be "a new major release providing better performance, especially when opening and saving spreadsheets and presentations, and excellent compatibility with DOCX, XLSX and PPTX files."
Thunderbird spun out to a separate corporation
The Thunderbird email client has been moved into a separate company called "MZLA Technologies Corporation", which remains wholly owned by the Mozilla Foundation. "Moving to MZLA Technologies Corporation will not only allow the Thunderbird project more flexibility and agility, but will also allow us to explore offering our users products and services that were not possible under the Mozilla Foundation. The move will allow the project to collect revenue through partnerships and non-charitable donations, which in turn can be used to cover the costs of new products and services. Thunderbird’s focus isn’t going to change. We remain committed to creating amazing, open source technology focused on open standards, user privacy, and productive communication."
[$] Cryptography and elections
Transparent and verifiable electronic elections are technically feasible, but for a variety of reasons, the techniques used are not actually viable for running most elections—and definitely not for remote voting. That was one of the main takeaways from a keynote at this year's linux.conf.au given by University of Melbourne Associate Professor Vanessa Teague. She is a cryptographer who, along with her colleagues, has investigated several kinds of e-voting software; as is probably not all that much of a surprise, what they found is buggy implementations. She described some of that work in a talk that was a mix of math with software-company and government missteps; the latter may directly impact many of the Australian locals who were in attendance.
Security updates for Tuesday
Security updates have been issued by Debian (iperf3, openjpeg2, and tomcat7), Mageia (ansible, c3p0, fontforge, glpi, gthumb, libbsd, libmediainfo, libmp4v2, libqb, libsass, mbedtls, opencontainers-runc, php, python-pip, python-reportlab, python3, samba, sysstat, tomcat, virtualbox, and webkit2), openSUSE (java-11-openjdk, libredwg, and sarg), Oracle (sqlite), Red Hat (libarchive, nss, and openjpeg2), Scientific Linux (sqlite), SUSE (nodejs6), and Ubuntu (cyrus-sasl2, linux, linux-aws, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-oem, mysql-5.7, mysql-8.0, tcpdump, and tomcat8).
[$] Some 5.5 kernel development statistics
The 5.5 kernel was released on January 26. Over the course of this development cycle, it was occasionally said that the holidays were slowing contributions. At the end, though, 5.5 saw the merging of 14,350 non-merge changesets from 1,885 developers — not exactly a slow-moving cycle. Indeed, 5.5 just barely edged out 5.4 as the kernel with the most developers ever. Read on for our traditional look at where the contributions to 5.5 came from, along with a digression into the stable-update process.
Qt offering changes 2020
The Qt blog has announced some changes in how the Qt toolkit is offered to consumers. Notably, installation of Qt binaries will require a Qt Account and long-term-supported (LTS) releases and the offline installer will become available to commercial licensees only. "From February onward, everyone, including open-source Qt users, will require valid Qt accounts to download Qt binary packages. We changed this because we think that a Qt account lets you make the best use of our services and contribute to Qt as an open-source user. We want open-source users to help improve Qt in one form or another, be that through bug reports, forums, code reviews, or similar. These are currently only accessible from a Qt account, which is why having one will become mandatory."