LWN.net
Link: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated: 2025-07-13 11:15
Security updates for Friday
Security updates have been issued by Arch Linux (chromium, firefox, haproxy, libssh, and wireshark-cli), Fedora (firefox, glibc, nss, and rubygem-puma), openSUSE (ceph, exim, firefox, and gnuhealth), Oracle (firefox, kernel, and qemu-kvm), and SUSE (djvulibre and firefox).
[$] A new parser for CPython
A new parser for the CPython implementation of the Python language has been in the works for a while, but the announcement of a Python Enhancement Proposal (PEP) for it indicates that we may see it fairly soon. The intent is to add the parser, and make it the default for Python 3.9, which is due in October. If that plan holds, the current parser will not be going away for another year or so after that. The change should go completely unnoticed within the community; the benefits are mainly for the CPython core developers in the form of easier maintenance.
Bringing Leap and SUSE Linux Enterprise closer together - a proposal
The openSUSE Leap distribution is a community effort built on top of a set of stable packages from the SUSE Linux Enterprise offering. SUSE is now floating a proposal to unify the work of building those two distributions; click below for the details or see the "closing the Leap gap" FAQ, which summarizes things this way: "Today, SUSE is also offering the pre-built binaries from SLE in addition to the sources, to increase compatibility and to leverage synergies." The intended advantages (or "leveraged synergies") seem to be reducing the effort required to create Leap and making it easier to migrate a system between the two distributions.
The growing disconnect between KDE and the Qt Company
Here's a message posted by Olaf Schmidt-Wischhöfer to the kde-community mailing list detailing the current state of discussions between the KDE community, the Qt development project, and the Qt Company. It seems they are not going entirely well. "But last week, the company suddenly informed both the KDE e.V. board and the KDE Free Qt Foundation that the economic outlook caused by the Corona virus puts more pressure on them to increase short-term revenue. As a result, they are thinking about restricting ALL Qt releases to paid license holders for the first 12 months. They are aware that this would mean the end of contributions via Open Governance in practice." There is a response from the Qt Company that doesn't add a whole lot.
Security updates for Thursday
Security updates have been issued by CentOS (firefox, ipmitool, krb5-appl, and telnet), Debian (ceph and firefox-esr), Mageia (firefox), openSUSE (bluez and exiv2), Red Hat (firefox), SUSE (ceph, libssh, mgetty, permissions, python-PyYAML, rubygem-actionview-4_2, and vino), and Ubuntu (libiberty and libssh).
[$] LWN.net Weekly Edition for April 9, 2020
The LWN.net Weekly Edition for April 9, 2020 is available.
Stable kernel updates
Stable kernels 5.6.3, 5.5.16, and 5.4.31 have been released. As usual, they all contain important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Arch Linux (firefox), Debian (chromium and firefox-esr), Oracle (ipmitool and telnet), Red Hat (firefox and qemu-kvm), Scientific Linux (firefox, krb5-appl, and qemu-kvm), Slackware (firefox), SUSE (gmp, gnutls, libnettle and runc), and Ubuntu (firefox, gnutls28, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, and linux-azure, linux-gcp, linux-gke-5.0, linux-oem-osp1, linux-oracle-5.0).
[$] Concurrency bugs should fear the big bad data-race detector (part 1)
The first installment of the "big bad" series described how a compiler can optimize your concurrent program into oblivion, while the second installment introduced a tool to analyze small litmus tests for such problems. Those two articles can be especially helpful for training, design discussions, and checking small samples of code. Although such automated training and design tools are welcome, automated code inspection that could locate even one class of concurrency bugs would be even better. In this two-part article, we look at a tool to do that kind of analysis.
[$] VMX virtualization runs afoul of split-lock detection
One of the many features merged for the 5.7 kernel is split-lock detection for the x86 architecture. This feature has encountered a fair amount of controversy over the course of its development, with the result that the time between its initial posting and appearance in a released kernel will end up being over two years. As it happens, there is another hurdle for split-lock detection even after its merging into the mainline; this feature threatens to create problems for a number of virtualization solutions, and it's not clear what the solution would be.
Firefox 75.0
Firefox 75.0 has been released. New features include improvements to the address bar, making search easier, all trusted Web PKI Certificate Authority certificates known to Mozilla will be cached locally, and Firefox is available as a Flatpak. See the release notes for more details.
Security updates for Tuesday
Security updates have been issued by Fedora (kernel, kernel-headers, and kernel-tools), openSUSE (glibc and qemu), Red Hat (chromium-browser, container-tools:1.0, container-tools:rhel8, firefox, ipmitool, kernel, kernel-rt, krb5-appl, ksh, nodejs:10, nss-softokn, python, qemu-kvm, qemu-kvm-ma, telnet, and virt:rhel), Scientific Linux (ipmitool and telnet), SUSE (ceph and firefox), and Ubuntu (haproxy, linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2, linux-raspi2-5.3, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, and linux, linux-hwe).
[$] A full task-isolation mode for the kernel
Some applications require guaranteed access to the CPU without even brief interruptions; realtime systems and high-bandwidth networking applications with user-space drivers can fall into the category. While Linux provides some support for CPU isolation (moving everything but the critical task off of one or more CPUs) now, it is an imperfect solution that is still subject to some interruptions. Work has been continuing in the community to improve the kernel's CPU-isolation capabilities, notably with improvements in the nohz (tickless) mode, but it is not finished yet. Recently, Alex Belits submitted a patch set (based on work by Chris Metcalf in 2015) that introduces a completely predictable environment for Linux applications — as long as they do not need any kernel services.
Security updates for Monday
Security updates have been issued by Debian (firefox-esr, gnutls28, and libmtp), Fedora (cyrus-sasl, firefox, glibc, squid, and telnet), Gentoo (firefox), Mageia (dcraw, firefox, kernel, kernel-linus, librsvg, and python-nltk), openSUSE (firefox, haproxy, icu, and spamassassin), Red Hat (nodejs:10, openstack-manila, python-django, python-XStatic-jQuery, and telnet), Slackware (firefox), SUSE (bluez, exiv2, and libxslt), and Ubuntu (firefox).
Firefox 74.0.1
Firefox 74.0.1 has been released with two security fixes. CVE-2020-6819 is a use-after-free when running the nsDocShell destructor and CVE-2020-6820 is a use-after-free when handling a ReadableStream. In both cases there have been targeted attacks in the wild abusing these flaws. These issues have also been fixed in Firefox ESR 68.6.1.
[$] 5.7 Merge window part 1
As of this writing, 7,233 non-merge changesets have been pulled into the mainline repository for the 5.7 kernel development cycle — over the course of about three days. If current world conditions are slowing down kernel development, it would seem that the results are not yet apparent at this level. As usual, these changesets bring no end of fixes, improvements, and new features; read on for a summary of what the first part of the 5.7 merge window has brought in.
Security updates for Friday
Security updates have been issued by Debian (mediawiki and qbittorrent), Gentoo (gnutls), Mageia (bluez, kernel, python-yaml, varnish, and weechat), Oracle (haproxy and nodejs:12), SUSE (exiv2, haproxy, libpng12, mgetty, and python3), and Ubuntu (libgd2).
Six more stable kernels
Stable kernels 5.5.15, 5.4.30, 4.19.114, 4.14.175, 4.9.218, and 4.4.218 have been released. They all contain important fixes and users should upgrade.
[$] Frequency-invariant utilization tracking for x86
The kernel provides a number of CPU-frequency governors to choose from; by most accounts, the most effective of those is "schedutil", which was merged for the 4.7 kernel in 2016. While schedutil is used on mobile devices, it still doesn't see much use on x86 desktops; the intel_pstate governor is generally seen giving better results on those processors as a result of the secret knowledge embodied therein. A set of patches merged for 5.7, though, gives schedutil a better idea of what the true utilization of x86 processors is and, as a result, greatly improves its effectiveness.
Stable kernel 5.6.2
The 5.6.2 stable kernel has been released with some important fixes, including one for the 5.6 wireless regression. Users should upgrade.
Security updates for Thursday
Security updates have been issued by Arch Linux (chromium, kernel, linux-hardened, linux-lts, and pam-krb5), Debian (haproxy, libplist, and python-bleach), Fedora (tomcat), Gentoo (ghostscript-gpl, haproxy, ledger, qtwebengine, and virtualbox), Red Hat (haproxy, nodejs:12, qemu-kvm-rhev, and rh-haproxy18-haproxy), SUSE (memcached and qemu), and Ubuntu (apport).
LineageOS 17.1 released
LineageOS 17.1 is out. This release of the Android-based distribution once known as CyanogenMod includes a rebase onto the Android 10 release of the Android Open Source Project, improved theme support, support for on-screen fingerprint sensors, the ability to use biometric sensors to control access to apps, and more. "On the whole, we feel that the 17.1 branch has reached feature and stability parity with 16.0 and is ready for initial release. With 17.1 being the most recent and most actively developed branch, on April 1st, 2020 it will begin receiving nightly builds and 16.0 will be moved to weekly builds."
[$] LWN.net Weekly Edition for April 2, 2020
The LWN.net Weekly Edition for April 2, 2020 is available.
[$] Reworking StringIO concatenation in Python
Python string objects are immutable, so changing the value of a string requires that a new string object be created with the new value. That is fairly well-understood within the community, but there are some "anti-patterns" that arise; it is pretty common for new users to build up a longer string by repeatedly concatenating to the end of the "same" string. The performance penalty for doing that could be avoided by switching to a type that is geared toward incremental updates, but Python 3 has already optimized the penalty away for regular strings. A recent thread on the python-ideas mailing list explored this topic some.
New 4.0 LTS releases for LXD, LXC and LXCFS
The LXD system container and virtual manager, LXC container runtime, and LXCFS FUSE filesystem projects have released version 4.0 LTS. LTS versions of these intertwined projects are released every 2 years and receive 5 years of security and bugfix support.
[$] Three candidates vying to be DPL
The annual Debian project leader (DPL) election is well underway at this point; voting begins in early April and the outcome will be known after the polls close on April 18. Outgoing DPL Sam Hartman posted a lengthy "non-platform" in the run-up to the election, which detailed the highs and lows of his term, perhaps providing something of a roadmap, complete with pitfalls, for potential candidates—Hartman is not running again this time. When the nomination period completed, three people put their hats into the ring: Jonathan Carter, Sruthi Chandran, and Brian Gupta. Their platforms have been posted and there have been several threads on the debian-vote mailing list with questions for the candidates; it seems like a good time to look in on the race.
OpenWRT code-execution bug puts millions of devices at risk (Ars Technica)
Ars Technica reports on the recently disclosed OpenWrt package verification vulnerability. The headline may be a bit overwrought, though. "These code-execution exploits are limited in their scope because adversaries must either be in a position to conduct a man-in-the-middle attack or tamper with the DNS server that a device uses to find the update on the Internet. That means routers on a network that has no malicious users and using a legitimate DNS server are safe from attack." It also assumes that people actually update their routers, which seems unlikely in most cases in the real world.
Stable kernel updates
Stable kernels 5.6.1, 5.5.14, and 5.4.29 have been released with the usual set of important fixes. Users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (apng2gif, gst-plugins-bad0.10, and libpam-krb5), Fedora (coturn, libarchive, and phpMyAdmin), Mageia (chromium-browser-stable, nghttp2, php, phpmyadmin, sympa, and vim), openSUSE (GraphicsMagick, ldns, phpMyAdmin, python-mysql-connector-python, python-nltk, and tor), Red Hat (advancecomp, avahi, bash, bind, bluez, buildah, chromium-browser, cups, curl, docker, dovecot, doxygen, dpdk, evolution, expat, file, gettext, GNOME, httpd, idm:DL1, ImageMagick, kernel, kernel-rt, lftp, libosinfo, libqb, libreoffice, libsndfile, libxml2, mailman, mariadb, mod_auth_mellon, mutt, nbdkit, net-snmp, nss-softokn, okular, php, podman, polkit, poppler and evince, procps-ng, python, python-twisted-web, python3, qemu-kvm, qemu-kvm-ma, qt, rsyslog, samba, skopeo, squid, systemd, taglib, texlive, unzip, virt:8.1, wireshark, and zziplib), Slackware (gnutls and httpd), and SUSE (glibc, icu, kernel, and mariadb).
FSF: HACKERS and HOSPITALS
The Free Software Foundation is focusing on the shortage of medical equipment and using 3D printers to make more. "That's why we're looking into what we can make with our in-office Respects Your Freedom (RYF)-certified 3D printers, and we're talking to the brand new Mass General Brigham Center for COVID Innovation so they can direct our efforts. We're also gathering resources for our "HACKERS and HOSPITALS" plan at the LibrePlanet wiki page, and if you have expertise, 3D printers, or supplies to contribute, please contact Michael via sysadmin@fsf.org. If you do not have the means to produce medical gear and you still want to help, research can be done from anywhere with only a computer and an Internet connection. Add any projects that are freely licensed working towards helping with COVID-19 to the wiki!"
MOSS launches COVID-19 Solutions Fund
The Mozilla Open Source Support Program (MOSS) has launched a COVID-19 Solutions Fund, which will provide awards of up to $50,000 each to open source technology projects which are responding to the COVID-19 pandemic in some way. "As part of the COVID-19 Solutions Fund, we will accept applications that are hardware (e.g., an open source ventilator), software (e.g., a platform that connects hospitals with people who have 3D printers who can print parts for that open source ventilator), as well as software that solves for secondary effects of COVID-19 (e.g., a browser plugin that combats COVID related misinformation)."
Security updates for Tuesday
Security updates have been issued by Debian (tinyproxy), Fedora (okular), Gentoo (ffmpeg, libxls, and qemu), openSUSE (GraphicsMagick), Red Hat (qemu-kvm-rhev), SUSE (cloud-init and spamassassin), and Ubuntu (bluez, libpam-krb5, linux, linux-aws, linux-azure, linux-azure-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2, linux-raspi2-5.3, and Timeshift).
Unangst: Rethinking OpenBSD security
OpenBSD developer Ted Unangst looks for lessons in a set of recent vulnerabilities in that system. "Even OpenBSD is subject to compromise for the sake of practicality, which is how some legacy designs stick around. So the lesson perhaps is to really stick with the principles that work, and not just when convenient. But not always an easy choice to make."
[$] Some 5.6 kernel development statistics
When the 5.6 kernel was released on March 29, 12,665 non-merge changesets had been accepted from 1,712 developers, making this a fairly typical development cycle in a number of ways. As per longstanding LWN tradition, what follows is a look at where those changesets came from and who supported the work that created them. This may have been an ordinary cycle, but there are still a couple of differences worth noting.
Fedora's Git forge decision
Back in February, LWN reported on the process of gathering requirements for a Git forge system. That process then went relatively quiet until March 28, when the posting of a "CPE Weekly" news summary included, under "other updates", a note that the decision has been made. It appears that the project will be pushed toward a not-fully-free version of the GitLab offering. It is fair to say that this decision — or how it was presented — was not met with universal acclaim in the Fedora community; see this response from Neal Gompa for more.
Debian @ COVID-19 Biohackathon (April 5-11, 2020)
The Debian community has announced a one-week, online "biohackathon" as a focused effort to improve the available free biomedical tools. "Most tasks do not require any knowledge of biology or medicine, and all types of contributions are welcome: bug triage, testing, documentation, CI, translations, packaging, and code contributions."
Security updates for Monday
Security updates have been issued by Debian (php-horde-form and tika), Fedora (dcraw and libmodsecurity), Gentoo (libidn2 and screen), openSUSE (cloud-init, cni, cni-plugins, conmon, fuse-overlayfs, podman, opera, phpMyAdmin, python-mysql-connector-python, ruby2.5, strongswan, and tor), Oracle (ipmitool), Scientific Linux (ipmitool), SUSE (spamassassin and tomcat), and Ubuntu (twisted and webkit2gtk).
The 5.6 kernel has been released
Linus has released the 5.6 kernel. Some of the headline features in this release include Arm EOPD support, time namespaces, the BPF dispatcher and batched BPF map operations (both described in this article), the openat2() system call, the WireGuard virtual private network implementation, the flow queue PIE packet scheduler, nearly complete year-2038 support, many new io_uring features, the pidfd_getfd() system call, the ZoneFS filesystem, the ability to implement TCP congestion-control algorithms in BPF, the dma-buf heaps subsystem, and the removal of the /dev/random blocking pool. See the LWN merge-window summaries (part 1 and part 2) and the (under construction) KernelNewbies 5.6 page for more details.
[$] Per-system-call kernel-stack offset randomization
In recent years, the kernel has (finally) upped its game when it comes to hardening. It is rather harder to compromise a running kernel than it used to be. But "rather harder" is relative: attackers still manage to find ways to exploit kernel bugs. One piece of information that can be helpful to attackers is the location of the kernel stack; this patch set from Kees Cook and Elena Reshetova may soon make that information harder to come by and nearly useless in any case.
Security updates for Friday
Security updates have been issued by Debian (bluez and php5), Fedora (chromium, kernel, and PyYAML), Gentoo (adobe-flash, libvpx, php, qtcore, and unzip), openSUSE (chromium, kernel, and mcpp), Oracle (ipmitool and libvncserver), Red Hat (ipmitool and rh-postgresql10-postgresql), Slackware (kernel), and SUSE (ldns and tomcat6).
Malcolm: Static analysis in GCC 10
David Malcolm writes about the static-analysis features that he is working on adding to the GCC compiler. "This issue is, of course, a huge problem to tackle. For this release, I’ve focused on the kinds of problems seen in C code—and, in particular double-free bugs—but with a view toward creating a framework that we can expand on in subsequent releases (when we can add more checks and support languages other than C)."
[$] Avoiding retpolines with static calls
January 2018 was a sad time in the kernel community. The Meltdown and Spectre vulnerabilities had finally been disclosed, and the required workarounds hurt kernel performance in a number of ways. One of those workarounds — retpolines — continues to cause pain, with developers going out of their way to avoid indirect calls, since they must now be implemented with retpolines. In some cases, though, there may be a way to avoid retpolines and regain much of the lost performance; after a long gestation period, the "static calls" mechanism may finally be nearing the point where it can be merged upstream.
Plasma on TV: Presenting Plasma Bigscreen (KDE.News)
The KDE.News site is carrying an announcement for the Plasma Bigscreen environment, which is meant for large-screen televisions. "Talking of interacting from the couch, voice control provides users with the ultimate comfort when it comes to TV viewing. But most big brands not only do not safeguard the privacy of their customers, but actively harvest their conversations even when they are not sending instructions to their TV sets. We use Mycroft's Open Source voice assistant to solve this problem."
Security updates for Thursday
Security updates have been issued by CentOS (firefox, icu, kernel-rt, libvncserver, python-imaging, python-pip, python-virtualenv, thunderbird, tomcat, tomcat6, and zsh), Debian (icu and okular), Fedora (libxslt and php), Gentoo (bluez, chromium, pure-ftpd, samba, tor, weechat, xen, and zsh), Oracle (libvncserver), Red Hat (ipmitool and zsh), and SUSE (python-cffi, python-cryptography and python-cffi, python-cryptography, python-xattr).
[$] LWN.net Weekly Edition for March 26, 2020
The LWN.net Weekly Edition for March 26, 2020 is available.
[$] Helping FOSS conferences in the face of a pandemic
The effects of the Coronavirus disease 2019 (COVID-19) pandemic are horrific and far-reaching; we really do not yet know just how bad it will get. One far less serious area that has been affected is conferences for and about free and open-source software (FOSS). On the grand scale, these problems are pretty low on the priority list. There are a fair number of non-profit organizations behind the gatherings, however, that have spent considerable sums setting up now-canceled events or depend on the conferences for a big chunk of their budget—or both. A new organization, FOSS Responders, has formed to try to help out.
O'Reilly shutting down its conference group
O'Reilly has announced that it is canceling all of its upcoming in-person conferences and shutting down its conference group permanently. "Without understanding when this global health emergency may come to an end, we can’t plan for or execute on a business that will be forever changed as a result of this crisis. With large technology vendors moving their events completely on-line, we believe the stage is set for a new normal moving forward when it comes to in-person events." There is still no notice to this effect on the OSCON page, but one assumes that is coming.
Some stable kernels
Stable kernels 5.5.13, 5.5.12, 5.4.28, and 4.19.113 have been released. They all contain important fixes and users should upgrade.
[$] Django changes its governance
The Django web framework has come a long way since it was first released as open source in 2005. It started with a benevolent dictator for life (BDFL) governance model, like the language it is implemented in, Python, but switched to a different model in 2014. When Python switched away from the BDFL model in 2018, it followed Django's lead to some extent. But now Django is changing yet again, moving from governance based around a "core team" to one that is more inclusive and better reflects the way the project is operating now.
Security updates for Wednesday
Security updates have been issued by Debian (e2fsprogs, ruby2.1, and weechat), Fedora (java-1.8.0-openjdk and webkit2gtk3), openSUSE (apache2-mod_auth_openidc, glibc, mcpp, nghttp2, and skopeo), Oracle (libvncserver and thunderbird), and SUSE (keepalived).