Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-22 14:00
Two more stable kernels
Stable kernels 4.19.99 and 4.14.168. As usual, there are important fixes and users should upgrade.
Stable kernel 5.4.15
Stable kernel 5.4.15 has been released with important fixes throughout the tree. Users should upgrade.
Security updates for Monday
Security updates have been issued by Debian (jsoup and slirp), Fedora (community-mysql, elog, fontforge, libuv, libvpx, mingw-podofo, nodejs, opensc, podofo, thunderbird-enigmail, transfig, and xfig), openSUSE (arc, libssh, and libvpx), Red Hat (git, java-1.8.0-openjdk, java-11-openjdk, python-reportlab, and sqlite), Slackware (thunderbird), and SUSE (java-1_8_0-openjdk, python, and samba).
The 5.5 kernel is out
In the end, Linus decided to release the 5.5 kernel rather than going for another prepatch. "So despite the slight worry that the holidays might have affected the schedule, 5.5 ended up with the regular rc cadence and is out now." Some of the significant features in this release are iopl() emulation, many new io_uring commands, live-patch state tracking, type checking for BPF tracepoint programs, a new CPU load-balancing algorithm, the KUnit unit-testing framework, airtime queue limits for WiFi, and much more. See the KernelNewbies 5.5 changelog for more information.
Librem 5 phone hands-on—Open source phone shows the cost of being different (Ars Technica)
Ars Technica reviews the Purism Librem 5 smartphone, which is made from open-source software and (mostly) open hardware. It is clearly not there yet as a replacement for the phone in our pockets, but it would seem to be on the right path. "The thing to keep in mind here is that Purism has taken on an absolutely gargantuan task. It somehow scraped together a new supply chain of mostly open source components, it came up with a smartphone design from scratch, and it is building its own smartphone distribution of Linux. Two years is not enough time to do this. The OS and app package is not nearly finished, and it lacks basic smartphone functionality. The hardware is nearly finished, but you'll have a hard time taking advantage of it right now since the power management isn't really implemented, and support for things like the cameras are non-existent. If you really want open source smartphones to be a thing, though, this is where you need to start. The Librem 5 is a proof of concept."
When Computer Crimes Are Used To Silence Journalists: Why EFF Stands Against the Prosecution of Glenn Greenwald
The Electronic Frontier Foundation (EFF) has put out a statement in support of journalist Glenn Greenwald whose "prosecution is an attempt to use computer crime law to silence an investigative reporter who exposed deep-seated government corruption". Greenwald is being charged in Brazil, where he reported on corruption within the government of that country. While the EFF said that it has seen "no actions detailed in the criminal complaint that violate Brazilian law", its main concern is the use of ill-defined "cybercrime" laws. "Around the world, cybercrime laws are notoriously hazy. This is in part because it’s challenging to write good cybercrime laws: technology evolves quickly, our language for describing certain digital actions may be imprecise, and lawmakers may not always imagine how laws will later be interpreted. And while the laws are hazy, the penalties are often severe, which makes them a dangerously big stick in the hands of prosecutors. Prosecutors can and do take advantage of this disconnection, abusing laws designed to target criminals who break into computers for extortion or theft to prosecute those engaged in harmless activities, or research—or, in this case, journalists communicating with their sources."
[$] The rapid growth of io_uring
One year ago, the io_uring subsystem did not exist in the mainline kernel; it showed up in the 5.1 release in May 2019. At its core, io_uring is a mechanism for performing asynchronous I/O, but it has been steadily growing beyond that use case and adding new capabilities. Herein we catch up with the current state of io_uring, where it is headed, and an interesting question or two that will come up along the way.
Security updates for Friday
Security updates have been issued by Debian (git and python-apt), Oracle (openslp), Red Hat (chromium-browser and ghostscript), SUSE (samba, slurm, and tomcat), and Ubuntu (clamav, gnutls28, and python-apt).
[$] How to contribute to kernel documentation
Some years back, I was caught in a weak moment and somehow became the kernel documentation maintainer. More recently, I've given a few talks on the state of kernel documentation and the sort of work that needs to be done to make things better. A key part of getting that work done is communicating to potential contributors the tasks that they might helpfully take on — a list that was, naturally, entirely undocumented. To that end, a version of the following document is currently under review and headed for the mainline. Read on to see how you, too, can help to make the kernel's documentation better.
Five new stable kernels
Greg Kroah-Hartman has announced the release of the 4.4.211, 4.9.211, 4.14.167, 4.19.98, and 5.4.14 stable kernels. As usual, these contain important fixes throughout the kernel tree; users should upgrade.
Security updates for Thursday
Security updates have been issued by openSUSE (chromium, libredwg, and thunderbird), Oracle (apache-commons-beanutils, java-1.8.0-openjdk, libarchive, and python-reportlab), Red Hat (kernel), Scientific Linux (apache-commons-beanutils, libarchive, and openslp), SUSE (java-11-openjdk), and Ubuntu (e2fsprogs, graphicsmagick, python-apt, and zlib).
[$] LWN.net Weekly Edition for January 23, 2020
The LWN.net Weekly Edition for January 23, 2020 is available.
[$] A tiny Python called Snek
Keith Packard is no stranger to the linux.conf.au stage; he has spoken on a wide variety of topics since he started going to the conference in 2004 (which was held in Adelaide, where organizers apparently had a lot of ice cream for attendees). One of his talks at this year's conference was on an education-focused project that he has been working on for around a year: a version of Python called "Snek" targeting embedded processors. He gave a look at some of the history of his work with 10-12 year-old students that led to the development of Snek as well as some plans for the language—and hardware to run it on—moving forward.
Security updates for Wednesday
Security updates have been issued by Debian (tiff and transfig), Fedora (thunderbird-enigmail), Mageia (ffmpeg and sox), openSUSE (fontforge, python3, and tigervnc), Oracle (python-reportlab), Red Hat (apache-commons-beanutils, java-1.8.0-openjdk, kernel, kernel-alt, libarchive, openslp, openvswitch2.11, openvswitch2.12, and python-reportlab), Scientific Linux (java-1.8.0-openjdk and python-reportlab), SUSE (samba and tigervnc), and Ubuntu (python-pysaml2).
[$] Control-flow integrity for the kernel
Control-flow integrity (CFI) is a technique used to reduce the ability to redirect the execution of a program's code in attacker-specified ways. The Clang compiler has some features that can assist in maintaining control-flow integrity, which have been applied to the Android kernel. Kees Cook gave a talk about CFI for the Linux kernel at the recently concluded linux.conf.au in Gold Coast, Australia.
Wine 5.0 released
Wine 5.0 has been released. The main highlights are builtin modules in PE format, multi-monitor support, XAudio2 reimplementation, and Vulkan 1.1 support. Wine is capable of running Windows applications on Linux and other POSIX-compliant systems.
Roose: PHP in 2020
Brent Roose argues that it is time to take another look at PHP. "In this post, I want to look at this bright side of PHP development. I want to show you that, despite its many shortcomings, PHP is a worthwhile language to learn. I want you to know that the PHP 5 era is coming to an end. That, if you want to, you can write modern and clean PHP code, and leave behind much of the mess it was 10 years ago."
Security updates for Tuesday
Security updates have been issued by Debian (openconnect), Fedora (e2fsprogs, glibc, kernel, and nss), openSUSE (Mesa, php7, and slurm), Oracle (.NET Core, java-1.8.0-openjdk, java-11-openjdk, and thunderbird), Red Hat (java-1.8.0-openjdk, openvswitch, and openvswitch2.11), Scientific Linux (java-1.8.0-openjdk), SUSE (java-11-openjdk, libssh, libvpx, Mesa, and thunderbird), and Ubuntu (libbsd and samba).
[$] process_madvise(), pidfd capabilities, and the revenge of the PIDs
Once upon a time, there were few ways for one process to operate upon another after its creation; sending signals and ptrace() were about it. In recent years, interest in providing ways for processes to control others has been on the increase, and the kernel's process-management API has been expanded accordingly. Along these lines, the process_madvise() system call has been proposed as a way for one process to influence how memory management is done in another. There is a new process_madvise() series which is interesting in its own right, but this series has also raised a couple of questions about how process management should be improved in general.
GNU make 4.3 released
GNU make 4.3 is out. New features include explicit grouped targets, a new .EXTRA_PREREQS variable, the ability to specify parallel builds in the makefile itself, and more. There are also a couple of backward-incompatible changes; see the announcement for details.
Security updates for Monday
Security updates have been issued by CentOS (git, java-11-openjdk, and thunderbird), Debian (cacti, chromium, gpac, kernel, openjdk-11, ruby-excon, and thunderbird), Fedora (chromium and rubygem-rack), Mageia (suricata, tigervnc, and wireshark), openSUSE (glusterfs, libredwg, and uftpd), and Ubuntu (linux-hwe and sysstat).
Kernel prepatch 5.5-rc7
The 5.5-rc7 kernel prepatch is out. Linus is still unsure whether the final 5.5 release will come out next week or not: "if it looks like there's pent-up fixes pending next week, I'll make another rc".
Three stable kernels
Stable kernels 5.4.13, 4.19.97, and 4.14.166 have been released. They all contain important fixes and users should upgrade.
[$] KRSI and proprietary BPF programs
The "kernel runtime security instrumentation" (or KRSI) patch set enables the attachment of BPF programs to every security hook in the kernel; LWN covered this work in December. That article focused on ABI issues, but it deferred another potential problem to our 2020 predictions: the possibility that vendors could start shipping proprietary BPF programs for use with frameworks like KRSI. Other developers did pick up on the possibility that KRSI could be abused this way, though, leading to a discussion on whether KRSI should continue to allow the loading of BPF programs that do not carry a GPL-compatible license.
Fedora CoreOS out of preview (Fedora Magazine)
Fedora Magazine reports that the Fedora CoreOS distribution is now deemed ready for use. "Fedora CoreOS is a new Fedora Edition built specifically for running containerized workloads securely and at scale. It’s the successor to both Fedora Atomic Host and CoreOS Container Linux and is part of our effort to explore new ways of assembling and updating an OS. Fedora CoreOS combines the provisioning tools and automatic update model of Container Linux with the packaging technology, OCI support, and SELinux security of Atomic Host."
Security updates for Friday
Security updates have been issued by Arch Linux (chromium), Fedora (gnulib, ImageMagick, jetty, ocsinventory-agent, phpMyAdmin, python-django, rubygem-rmagick, thunderbird, and xar), Mageia (e2fsprogs, kernel, and libjpeg), openSUSE (icingaweb2), Oracle (git, java-11-openjdk, and thunderbird), Red Hat (.NET Core), Scientific Linux (git, java-11-openjdk, and thunderbird), SUSE (fontforge and LibreOffice), and Ubuntu (kamailio and thunderbird).
[$] Scheduling for the Android display pipeline
Android users make heavy use of the displays on their devices for almost all of their interaction; good display performance is thus critical for a satisfactory user experience. Achieving that performance is not always easy; there are a lot of pieces that need to work together, and the kernel does not always support this collaboration as well as one might like. The Android team is currently considering a number of combinations of existing kernel features and possible enhancements in its efforts to provide the best display experience possible.
GNU Guile 3.0.0 released
Version 3.0.0 of the Guile implementation of the Scheme programming language has been released. There's a lot of work here, including a new, lower-level byte code implementation, interleaved internal definitions, a new exception implementation, and much more. "Guile programs now run up to 4 times faster, relative to Guile 2.2, thanks to just-in-time (JIT) native code generation. Notably, this brings the performance of "eval" as written in Scheme back to the level of 'eval' written in C, as in the days of Guile 1.8."
Security updates for Thursday
Security updates have been issued by Debian (debian-lan-config and phpmyadmin), openSUSE (openssl-1_1), Oracle (firefox and kernel), Red Hat (.NET Core, git, java-11-openjdk, and thunderbird), SUSE (Mesa, python3, shibboleth-sp, slurm, and tigervnc), and Ubuntu (libpcap and nginx).
[$] LWN.net Weekly Edition for January 16, 2020
The LWN.net Weekly Edition for January 16, 2020 is available.
[$] The dark side of expertise
Everyone has expertise in some things, which is normally seen as a good thing to have. But Dr. Sean Brady gave some examples of ways that our expertise can lead us astray, and actually cause us to make worse decisions, in a keynote at the 2020 linux.conf.au. Brady is a forensic engineer who specializes in analyzing engineering failures to try to discover the root causes behind them. The talk gave real-world examples of expertise gone wrong, as well as looking at some of the psychological research that demonstrates the problem. It was an interesting view into the ways that our brains work—and fail to work—in situations where our expertise may be sending our thoughts down the wrong path.
Release for CentOS Linux 8 (1911)
The CentOS Project has announced the release of CentOS 8-1911, derived from Red Hat Enterprise Linux 8.1. See the release notes for details.
Security updates for Wednesday
Security updates have been issued by Arch Linux (thunderbird), CentOS (firefox), openSUSE (chromium, firefox, GraphicsMagick, log4j, nodejs8, phpMyAdmin, singularity, and virglrenderer), Oracle (kernel), Red Hat (firefox), SUSE (man, nodejs10, openssl-1_1, and php7), and Ubuntu (php5, php7.0, php7.2, php7.3 and spamassassin).
[$] Poker and FOSS
The intersection of games with free and open-source software (FOSS) was the topic of a miniconf on the first day of this year's linux.conf.au, which was held January 13-17 in Gold Coast, Australia. As part of the miniconf, Bradley M. Kuhn gave a talk that was well outside of his normal conference-talk fare: the game of poker and its relationship to FOSS. It turns out that he did some side work on a FOSS-based poker site along the way, which failed by most measures, but there was also an element of success to the project. The time for a successful FOSS poker project likely has passed at this point, but there are some lessons to be learned from the journey.
Stable kernel updates
Stable kernels 5.4.12, 4.19.96, 4.14.165, 4.9.210, and 4.4.210 have been released with the usual set of important fixes.
[$] Accelerating netfilter with hardware offload, part 1
Supporting network protocols at high speeds in pure software is getting increasingly difficult, with 25-100Gb/s interfaces available now and 200-400Gb/s starting to show up. Packet processing at 100Gb/s must happen in 200 cycles or less, which does not leave much room for processing at the operating-system level. Fortunately some operations can be performed by hardware, including checksum verification and offloading parts of the packet send and receive paths. As modern hardware adds more functionality, new options are becoming available. The 5.3 kernel includes a patch set from Pablo Neira Ayuso that added support for offloading some packet filtering with netfilter. This patch set not only adds the offload support, but also performs a refactoring of the existing offload paths in the generic code and the network card drivers. More work came in the following kernel releases. This seems like a good moment to review the recent advancements in offloading in the network stack.
Security updates for Tuesday
Security updates have been issued by Debian (wordpress and xen), Mageia (graphicsmagick, kernel, makepasswd, and unbound), openSUSE (containerd, docker, docker-runc, dia, ffmpeg-4, libgcrypt, php7-imagick, proftpd, rubygem-excon, shibboleth-sp, tomcat, trousers, and xen), Oracle (firefox), Red Hat (kernel), Scientific Linux (firefox), SUSE (e2fsprogs, kernel, and libsolv, libzypp, zypper), and Ubuntu (libgcrypt20, libvirt, nginx, sdl-image1.2, and spamassassin).
Exploit that gives remote access affects ~200 million cable modems (ars technica)
Ars technica reports on the "Cable Haunt" vulnerability that afflicts a large number of cable modems. "The first and most straightforward way is to serve malicious JavaScript that causes the browser to connect to the modem. Normally, a mechanism called cross-origin resource sharing prevents a Web application from one origin (such as malicious.example.com) from working on a different origin (such as 192.168.100.1, the address used by most or all of the vulnerable modems). Websockets, however, aren't protected by CORS, as the mechanism is usually called. As a result, the modems will accept the remote JavaScript, thereby allowing attackers to reach the endpoint and serve it code." Thus far, there doesn't seem to be any information out there on whether routers running OpenWrt are vulnerable.
Git v2.25.0
Git 2.25 has been released. This blog post looks at "partial clone support" and "sparse checkouts" as these features mature. "A clone of a Git repository copies all of its data: every version of every file in the history. For very large repositories, the cost of network transfer and local storage can make this awkward or even impossible, even if you're only interested in a subset of the files. In the past several versions, Git learned the ability to execute a "partial" clone, which means that it can now clone and work with repositories without having all of their contents. Partial clones are still considered an experimental feature from Git's point of view. For instance, many providers (such as GitHub) don't support this feature yet, and it's continually changing and evolving within Git from release to release."
Szorc: Mercurial's Journey to and Reflections on Python 3
Here is a longish blog entry from Mercurial maintainer Gregory Szorc on the painful process of converting Mercurial to Python 3. "I anticipate a long tail of random bugs in Mercurial on Python 3. While the tests may pass, our code coverage is not 100%. And even if it were, Python is a dynamic language and there are tons of invariants that aren't caught at compile time and can only be discovered at run time. These invariants cannot all be detected by tests, no matter how good your test coverage is. This is a feature/limitation of dynamic languages. Our users will likely be finding a long tail of miscellaneous bugs on Python 3 for years."
Security updates for Monday
Security updates have been issued by Arch Linux (file and firefox), Debian (apache-log4j1.2), Fedora (chromium, dovecot, GraphicsMagick, kubernetes, libvpx, makepasswd, matio, and slurm), Mageia (libtomcrypt, ming, oniguruma, opencv, pcsc-lite, phpmyadmin, and thunderbird), openSUSE (chromium, chromium, re2, and mozilla-nspr, mozilla-nss), Red Hat (chromium-browser, firefox, and rabbitmq-server), Slackware (mozilla), and SUSE (crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client, firefox, libzypp, and openssl-1_1).
5.5-rc6 and stable kernels too
The 5.5-rc6 kernel prepatch is out for testing. "Let's see how things go. I do suspect that this ends up being one of those 'rc8' releases, not because things look particularly bad right now, but simply because the holiday season has meant that both the testing side and the development side have been quiet. But who knows?" On the stable side, 5.4.11, 4.19.95, 4.14.164, 4.9.209, and 4.4.209 have all been released with another set of important fixes.
[$] configfd() and shifting bind mounts
The 5.2 kernel saw the addition of an extensive new API for the mounting (and remounting) of filesystems; this article covered an early version of that API. Since then, work in this area has mostly focused on enabling filesystems to support this API fully. James Bottomley has taken a look at this API as part of the job of redesigning his shiftfs filesystem and found it to be incomplete. What has followed is a significant set of changes that promise to simplify the mount API — though it turns out that "simple" is often in the eye of the beholder.
Security updates for Friday
Security updates have been issued by Debian (ldm and sa-exim), Mageia (firefox), openSUSE (chromium, firefox, and thunderbird), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, firefox, log4j, nodejs10, nodejs12, and openssl-1_0_0), and Ubuntu (firefox).
OpenWrt 19.07.0
Version 19.07.0 of the OpenWrt router distribution is available. "With this release, the OpenWrt project brings all supported targets back to a single common kernel version and further refines and broadens existing device support. It also introduces a new ath79 target and brings support for WPA3." There are some known issues; read through the full announcement before updating.
Stable kernel updates
Stable kernels 5.4.10, 5.4.9, 4.19.94, and 4.14.163 have been released. PowerPC users should update to 5.4.10 to get a missing patch. Other users can stay with 5.4.9.
[$] Grabbing file descriptors with pidfd_getfd()
In response to a growing desire for ways to control groups of processes from user space, the kernel has added a number of mechanisms that allow one process to operate on another. One piece that is currently missing, though, is the ability for a process to snatch a copy of an open file descriptor from another. That gap may soon be filled, though, if the pidfd_getfd() system-call patch set from Sargun Dhillon is merged.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (firefox), Oracle (kernel), Slackware (firefox and kernel), SUSE (apache2-mod_perl, git, java-1_7_0-ibm, java-1_7_1-ibm, log4j, mariadb, and nodejs8), and Ubuntu (gnutls28, graphicsmagick, and nss).
Maddock: The End of Indie Web Browsers
Samuel Maddock writes that the adoption of the "encrypted media extensions" by the World Wide Web Consortium has had just the sort of effect that people were worried about four years ago. "No longer is it possible to build your own web browser capable of consuming some of the most popular content on the web. Websites like Netflix, Hulu, HBO, and others require copyright content protection which is only accessible through browser vendors who have license agreements with large corporations."
Firefox 72.0.1 released
There is another Firefox release out there; this advisory suggests that updating quickly would be a good idea: "Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw."