We have looked at the problem of confusingly named packages in repositories such as the Python Package Index (PyPI) before. In general, malicious actors create these packages with names that can be mistaken for those of legitimate packages in the repository in a form of "typosquatting". Since our 2016 article, the problem has not gone away—no surprise—but there has been some recent analysis of it, as well as some efforts to combat it.
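As an added illustration of the kind of check used to combat typosquatting (not code from the article or from PyPI), the following flags a requested package name that sits within a small edit distance of a well-known name; the "popular" list and the distance threshold are assumptions constructed for the example.

```python
"""Flag package names that look like typosquats of popular packages.

Added example, not code from the article or from PyPI. The popular-package
list and the distance threshold below are constructed for illustration.
"""
import re

# Constructed sample of well-known names (not a real PyPI popularity list).
POPULAR_PACKAGES = ["requests", "urllib3", "numpy", "python-dateutil", "setuptools"]


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive; runs of '-', '_' and '.' are one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap.

    The adjacent-swap case matters because transposed letters ("reqeusts")
    are a common typosquat pattern that plain Levenshtein would count as 2.
    """
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def typosquat_candidates(name, popular=POPULAR_PACKAGES, max_distance=2):
    """Return (popular_name, distance) pairs that `name` is suspiciously close to.

    Distance 0 after normalization is the legitimate package itself, so it is
    not reported; callers would typically warn or block on a non-empty result.
    """
    n = normalize(name)
    hits = []
    for p in popular:
        d = edit_distance(n, normalize(p))
        if 0 < d <= max_distance:
            hits.append((p, d))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for candidate in ["reqeusts", "Requests", "python-dateutils", "flask"]:
        print(candidate, "->", typosquat_candidates(candidate))
```

A real deployment would draw the popular list from download statistics and combine this with other signals (age of the package, maintainer history), since edit distance alone also flags legitimate forks.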
Recently, John Bafford revived a years-long conversation on expanding the syntax of the PHP foreach statement to include iterating solely over keys. Bafford, who wrote a patch and request for comments (RFC) on the matter back in 2016, hopes to update his work and convince the community to adopt the abbreviated syntax in PHP 8.1. The community took Bafford's general idea and expanded it into other areas of the language.
Several flaws in the BlueZ kernel Bluetooth stack prior to Linux 5.9 are being reported by Intel and by Google (GHSA-h637-c88j-47wq, GHSA-7mh3-gq28-gfrq, and GHSA-ccx2-w2r4-x649). They are collectively being called "BleedingTooth", and more information will be forthcoming, though there is already a YouTube video demonstrating remote code execution using BleedingTooth.
Version 4.4.0 of the Krita painting application has been released. "With a whole slew of new fill layer types, including the really versatile SeExpr based scriptable fill layer type, exciting new options for Krita’s brushes like the gradient map mode for brushes, lightness and gradient modes for brush textures, support for dynamic use of colors in gradients, webm export for animations, new scripting features — and of course, hundreds of bug fixes that make this version of Krita better than ever." See the release notes for details.
The 5.9 kernel was released on October 11, at the end of a ten-week development cycle — the first release to take more than nine weeks since 5.4 at the end of 2019. While this cycle was not as busy as 5.8, which broke some records, it was still one of the busier ones we have seen in some time, featuring 14,858 non-merge changesets contributed by 1,914 developers. Read on for our traditional look at what those developers were up to while creating the 5.9 release.
A recent proposal on the python-ideas mailing list would add a new way to represent floating-point infinity in the language. Cade Brown suggested the change; he cited a few different reasons for it, including fixing an inconsistency in the way the string representation of infinity is handled in the language. The discussion that followed branched in a few directions, including adding a constant for "not a number" (NaN) and a more general discussion of the inconsistent way that Python handles expressions that evaluate to infinity.
Security updates have been issued by Mageia (mariadb), openSUSE (qemu and tigervnc), Oracle (kernel), Red Hat (chromium-browser and kernel), and SUSE (php5).
On the 20th anniversary of the open-sourcing of the OpenOffice.org suite, the LibreOffice project has sent an open letter to the Apache OpenOffice project suggesting that it is time for the latter to recognize that the game is over. "If Apache OpenOffice wants to still maintain its old 4.1 branch from 2014, sure, that’s important for legacy users. But the most responsible thing to do in 2020 is: help new users. Make them aware that there’s a much more modern, up-to-date, professionally supported suite, based on OpenOffice, with many extra features that people need."
Plausible, a web-analytics package that was reviewed here in June, has announced a move from the MIT license to the Affero GPL, version 3. "This change makes no difference to any of you who subscribe to Plausible Cloud or who self-host Plausible, but it may upset a few corporations who tried to use our software to directly compete with us without contributing back."
The Open Invention Network, which offers patent protection for a wide range of open-source software, has expanded its Linux System Definition — the set of software covered by the OIN patent non-aggression agreement. In particular, the new definition includes the exFAT filesystem (once the subject of a lot of patent worries), the KDE Frameworks, the Robot Operating System, and version 10 of the Android Open Source Project.
Version 5.20 of the Plasma KDE desktop is out. "A massive release, containing improvements to dozens of components, widgets, and the desktop behavior in general. Everyday utilities and tools, such as the Panels, Task Manager, Notifications and System Settings, have all been overhauled to make them more usable, efficient, and friendlier." There are also significant improvements in Plasma's Wayland support.
Security updates have been issued by Debian (eclipse-wtp, httpcomponents-client, rails, and spice), Fedora (crun, oniguruma, and podman), openSUSE (grafana, kdeconnect-kde, kernel, nextcloud, nodejs10, nodejs8, and permissions), Oracle (kernel), and SUSE (tigervnc).
Version 11.0.0 of the LLVM compiler suite is out. Significant changes include the addition of a Fortran frontend and a lot more; see the collection of release-note sets in the announcement for details.
David Miller is the long-time maintainer of the kernel's networking subsystem. On October 10, he wrote this to his Twitter feed: "I had a stroke on Tuesday and have been recovering since please pray for me". We at LWN wish David a fast and complete recovery. (Thanks to Harald Welte for the heads-up).
Linus has released the 5.9 kernel. "Ok, so I'll be honest - I had hoped for quite a bit fewer changes this last week, but at the same time there doesn't really seem to be anything particularly scary in here. It's just more commits and more lines changed than I would have wished for." Some of the significant features in this release are: x86 FSGSBASE support, capacity awareness in the deadline scheduler, the close_range() system call, proactive compaction in the memory-management subsystem, the rationalization of kernel-thread priorities, and more. See the KernelNewbies 5.9 page for more details.
Systems that manage large amounts of network traffic end up dedicating a significant part of their available CPU time to the network stack itself. Much of this work is done in software-interrupt context, which can be problematic in a number of ways. That may be about to change, though, once this patch series posted by Wei Wang is merged into the mainline.
One of the key rules of Linux kernel development is that the ABI between the kernel and user space cannot be broken; any change that breaks previously working programs will, outside of exceptional circumstances, be reverted. The rule seems clear, but there are ambiguities when it comes to determining just what constitutes the kernel ABI; tracepoints are a perennial example of this. A recent discussion has brought another one of those ambiguities to light: the on-disk format of Linux filesystems.
Security updates have been issued by Debian (activemq, golang-go.crypto, packagekit, and sympa), Fedora (php and xen), Red Hat (bind, kernel, and qemu-kvm), SUSE (qemu), and Ubuntu (golang-github-seccomp-libseccomp-golang and spice).
In unusually stark terms, Mozilla is trying to rally the troops to take back the internet from the forces of evil—or at least "misinformation, corruption and greed"—that have overtaken it. In a September 30 blog post, the organization behind the Firefox web browser warned that "the internet needs our love". While there is lots to celebrate about the internet, it is increasingly under threat from various types of bad actors, so Mozilla is starting a campaign to try to push back against those threats.
The first preview of Ruby version 3.0 was released on September 25. It includes better support for type checking, additional language features, and two new experimental features: a parallel execution mechanism called Ractor, and Scheduler, which provides concurrency improvements.
Security updates have been issued by Arch Linux (brotli, lib32-brotli, lib32-zeromq, samba, yaws, and zeromq), Debian (php7.0, puma, sane-backends, thunderbird, and tigervnc), Fedora (ghc-cmark-gfm, ghc-hakyll, gitit, pandoc, pandoc-citeproc, and patat), openSUSE (kdeconnect-kde and perl-DBI), Oracle (kernel), Red Hat (chromium-browser and spice and spice-gtk), SUSE (hexchat and nodejs8), and Ubuntu (vino).
The Zig programming language is a relatively recent entrant into the "systems programming" realm; it looks to interoperate with C, while adding safety features without sacrificing performance. The language has been gaining some attention of late and has announced progress toward a Zig compiler written in Zig in September. That change will allow LLVM to become an optional component, which will be a big step forward for the "maturity and stability" of Zig.
Security updates have been issued by Fedora (chromium, libproxy, mumble, and thunderbird), openSUSE (perl-DBI), Red Hat (qemu-kvm-rhev, rh-mariadb102-mariadb and rh-mariadb102-galera, rh-maven35-jackson-databind, spice and spice-gtk, and unbound), SUSE (gnutls, java-1_7_0-openjdk, openssl1, and perl-DBI), and Ubuntu (brotli, cyrus-imapd, openconnect, opendmarc, python-urllib3, ruby-rack-cors, spice, tika, and yaws).
Version 3.9 of the Python programming language has been released. The changelog, "What's New in Python 3.9" document, and our recent article have lots more information on the release. "Maintenance releases for the 3.9 series will follow at regular bi-monthly intervals starting in late November of 2020. OK, boring! Where is Python 4? Not so fast! The next release after 3.9 will be 3.10. It will be an incremental improvement over 3.9, just as 3.9 was over 3.8, and so on."
At Akademy 2020, the annual KDE conference that was held virtually this year, KDE developer Nate Graham delivered a talk entitled "Visions of the Future" (YouTube video) about the possible future of KDE on commercial products. Subtitled "Plasma sold on retail hardware — lots of it", the session concentrated on ways to make KDE applications (and the Plasma desktop) the default environment on hardware sold to the general public. The proposal includes creating an official KDE distribution with a hardware certification program and directly paying developers.
U-Boot (the Universal Boot Loader) v2020.10 is out. "With this release we have a number of 'please migrate to DM [Driver Model [PDF]]' warnings that are now 1 year past their warning date, and well past 1 year of those warnings being printed. It's getting up there on my TODO list to see if removing features or boards in these cases is easier."
Security updates have been issued by Debian (libvirt, snmptt, squid3, and xen), Fedora (chromium, libproxy, mumble, samba, and xawtv), openSUSE (bcm43xx-firmware, dpdk, grafana, nodejs12, python-pip, xen, and zabbix), Oracle (thunderbird), Red Hat (cockpit-ovirt, imgbased, redhat-release-virtualization-host, redhat-virtualization-host and qemu-kvm-rhev), and SUSE (perl-DBI).
The eighth and presumably final 5.9 prepatch is out for testing. "So things have been pretty calm, and rc8 is fairly small. I'm still waiting for a networking pull with some fixes, so it's not like I could have made a final 5.9 release even if I had wanted to, but there was nothing scary going on this past week, and it all feels ready for a final 5.9 next weekend."
The Document Foundation (TDF) was formed in 2010 as a home for the newly created LibreOffice project; it has just celebrated its tenth anniversary. As it begins its second decade, though, TDF is showing some signs of strain. Evidence of this could be seen in the disagreement over a five-year marketing plan in July. More recently, the TDF membership committee sent an open letter to the board of directors demanding more transparency and expressing fears of conflicts of interest within the board. Now the situation has advanced with one of the TDF's largest contributing companies announcing that it will be moving some of its work out of the foundation entirely.
Security updates have been issued by Debian (jruby and ruby2.3), Fedora (crun, pdns, and podman), openSUSE (go1.14 and kernel), Oracle (qemu-kvm and virt:ol), Red Hat (qemu-kvm-ma and thunderbird), SUSE (nodejs10, nodejs12, perl-DBI, permissions, and xen), and Ubuntu (ntp).
The Software Freedom Conservancy has announced that it is embarking on "a new strategy toward improving compliance and the freedom of users of devices that contain Linux-based systems". That includes GPL enforcement, an effort to create alternative firmware for embedded Linux devices, and collaboration with other organizations "to promote copyleft compliance as a feature for consumers to protect their privacy and get more out of their devices". The work is being sponsored by an initial $150,000 grant from Amateur Radio Digital Communications (ARDC). "We take this holistic approach because compliance is not an end in itself, but rather a lever to help people advance technology for themselves and the world. Bradley Kuhn, Conservancy’s Policy Fellow and Hacker-in-Residence remarked: 'GPL enforcement began as merely an education process more than twenty years ago. We all had hoped that industry-wide awareness of copyleft’s essential role in spreading software freedom would yield widespread, spontaneous compliance. We were simply wrong about that. Today, we observe almost universal failure in compliance throughout the (so-called) Internet of Things (IoT) market. Only unrelenting enforcement that holds companies accountable can change this abysmal reality. ARDC, a visionary grant-maker, recognizes the value of systemic enforcement that utilizes the legal system to regain software freedom. That process also catalyzes community-led projects to build liberated firmware for many devices.'"
On his blog, David Edmundson writes about a new optional mechanism for starting up the KDE Plasma desktop using systemd. "Another big motivating factor was the ability for customisation. The root of Plasma's startup is very hardcoded. What if you want to run krunner with a different environment variable set? or have a script run every time plasmashell restarts, or show a UI after kwin is loaded but before plasma shell to perform some user setup? You can edit the code, but that's not easy and you're very much on your own. Systemd provides that level of customisation; both at a distro or a user level out of the box. From our POV for free."
The 5.8.13, 5.4.69, 4.19.149, 4.14.200, and 4.4.238 stable kernels have been released. Note that 4.9.238 was in the review cycle with the rest of these kernels but needed a respin due to some test failures, so it will be released on or after October 3. As usual, all five of the released kernels have fixes throughout the tree; users should upgrade. Update: Apparently October 3 came early for Greg Kroah-Hartman because 4.9.238 has now been released.
The ability to execute the contents of a file is controlled by the execute-permission bits — some of the time. If a given file contains code that can be executed by an interpreter — such as shell commands or code in a language like Perl or Python, for example — there are easy ways to run the interpreter on the file regardless of whether it has execute permission enabled or not. Mickaël Salaün has been working on tightening up the administrator's control over execution by interpreters for some time, but has struggled to find an acceptable home for this feature. His latest attempt takes the form of a new system call named trusted_for().
Security updates have been issued by Debian (ruby-json-jwt and ruby-rack-cors), Fedora (xen), SUSE (aspell and tar), and Ubuntu (ruby-gon, ruby-kramdown, and ruby-rack).
SELinux is a security mechanism with a lot of ability to restrict user-space compromises in various useful ways. It has also generally been considered a heavyweight option that is not suitable for more resource-restricted systems like wireless routers. Undeterred by this perception, some OpenWrt developers are adding SELinux as an option for protecting the distribution, which targets embedded devices.
Keeping device firmware up-to-date can be a challenge for end users. Firmware updates are often important for correct behavior, and they can have security implications as well. The Linux Vendor Firmware Service (LVFS) project is playing an increasing role in making firmware updates more straightforward for both end users and vendors; LVFS just announced its 20-millionth firmware download. Since even a wireless mouse dongle can pose a security threat, the importance of simple, reliable, and easily applied firmware updates is hard to overstate.
Version 4.16.0 of the RPM package manager has been released. "This turned out to be a much bigger release than anticipated with several groundbreaking new features, despite finally being back to annual cycle almost to date." Highlights include new database backends, macro and %if expressions including ternary operator and native version comparison, optional MIME type based file classification, new version parsing and comparison API in C and Python, license clarification, and more. The release notes have more details.
Fish (the "friendly interactive shell") has the explicit goal of being more user-friendly than other shells. It features a modern command-line interface with syntax highlighting, tab completion, and auto-suggestions out of the box (all with no configuration required). Unlike many of its competitors, it doesn't care about being POSIX-compliant but attempts to blaze its own path. Since our last look at the project, way back in 2013, it has seen lots of new releases with features, bug fixes, and refinements aimed at appealing to a wide range of users. Some of the biggest additions landed in the 3.0 release, but we will also describe some other notable changes from version 2.1 up through the latest version.
Security updates have been issued by Debian (firefox-esr and mediawiki), openSUSE (firefox, libqt5-qtbase, and rubygem-actionpack-5_1), Red Hat (qemu-kvm, qemu-kvm-ma, and virt:rhel), SUSE (dpdk, firefox, and go1.15), and Ubuntu (dpdk, imagemagick, italc, libpgf, libuv1, pam-python, squid3, ssvnc, and teeworlds).
Recently, the Mercurial project has been discussing its plans to migrate away from the compromised SHA-1 hashing algorithm in favor of a more secure alternative. So far, the discussion is in the planning stages of algorithm selection and migration strategy, with a general transition plan for users. The project, for the moment, is favoring the BLAKE2 hashing algorithm.
OpenSSH 8.4 is out. The SHA-1 algorithm is deprecated and the "ssh-rsa" public key signature algorithm will be disabled by default "in a near-future release." They note that it is possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K.