LWN.net

The Cloudflare blog has anarticle on the company's work to improve the performance of Linux diskencryption. "As we can see the default Linux disk encryption implementation has asignificant impact on our cache latency in worst case scenarios, whereasthe patched implementation is indistinguishable from not using encryptionat all. In other words the improved encryption implementation does not haveany impact at all on our cache response speed, so we basically get it forfree!"Patches are available, but they are apparently not in any form to goupstream.

Version 10.0.0 of the LLVM compiler suite is out. New features includesupport for C++concepts, Windowscontrol flow guard support, and much more; click below for pointers toa set of language-specific release notes.

The Python Software Foundation blog looksat some changes to pip, the Python Package installer, in the process ofdeveloping a new resolver. The new resolver will reduce inconsistency and bestricter, refusing to install two packages with incompatible requirements. Also, this is a major change to a key part of pip - it's quitepossible there will initially be bugs. We would like to make sure thatthose get caught before people start using the new version inproduction. [...]We recognize that everyone's work is being disrupted by the COVID-19 pandemic, and that many data scientists and medical researchers use Python and pip in their work. We want to make the upgrade process as smooth and bug-free as possible for our users; if you can help us, you'll be helping each other.

Security updates have been issued by Debian (tomcat8), Fedora (chromium and okular), openSUSE (texlive-filesystem), Oracle (tomcat6), Scientific Linux (libvncserver, thunderbird, and tomcat6), Slackware (gd), SUSE (cloud-init, postgresql10, python36, and strongswan), and Ubuntu (ibus and vim).

Spring is coming to the northern hemisphere, and one's thoughts naturallyturn to ... being locked up inside the house and not allowed to goanywhere. That has, in turn, led to an increasing interest in alternativemechanisms for keeping up with family and coworkers, especially videoconferencing. There are a number of proprietary video-conferencingservices out there; your editor decided to look into what solutions existin the free-software realm. It turns out that there are a few; the firstto be looked at is Jitsi.

Google Open Source has announcedthe 2020 edition of Season of Docs, aprogram to connect open source projects with technical writers to improvedocumentation. Open source organizations may apply fromApril 14-May 4. Once mentoring organizations and technicalwriters are connected, there will be a month long community bonding period,beginning August 11. Writers will then work with mentors to completedocumentation projects by the December 6 deadline.

For those stuck at home looking for something to do, version 31 of the MythTV DVR and homemedia center hub, has been released. Features include, significant changesto video decoding and playback, improved channel scanning, andPython 3 support. See the release notes formore information.

Parrot OS is a security andprivacy focused distribution, with tools for cyber security operations. Parrot 4.8follows Debian testing and has many updates from the Debianrepositories. Parrot Docker containers allow you to use Parrot tools ondocker-supported operating systems. Since the previous release lastSeptember the Parrot team has put some effort into reorganizing itsinternal structure, from the operations and workflow of developers, up to the infrastructure. "After such a huge work, we have finally moved to the new workflow, and Parrot 4.8 is the proof of how hard we wanted such changes to take place in the project and how smooth development and cooperation became after achieving this goal."

Security updates have been issued by Debian (amd64-microcode, chromium, graphicsmagick, jackson-databind, phpmyadmin, python-bleach, and tor), Gentoo (exim and nodejs), openSUSE (chromium and thunderbird), Oracle (tomcat), Red Hat (devtoolset-8-gcc, libvncserver, runc, samba, thunderbird, and tomcat6), and SUSE (ruby2.5).

Version 2.26.0 of the Git source-code management system is out.Significant changes include a reimplementation of the "rebase" mechanism,improvements to sparse checkouts, performance improvements, and more. See this GitHubblog entry for more information.

The 5.6-rc7 kernel prepatch is out fortesting; this may be the last one before the final release."The world around us may be going through strange times, but at leastso far kernel development looks normal."

A new batch of stable kernels has just been released: 5.5.11, 5.4.27, 4.19.112, 4.14.174, 4.9.217, and 4.4.217.As usual, these contain important fixes throughout the kernel tree; usersshould upgrade.

The io_uring subsystem has, in the lastyear, redefined how asynchronous I/O is done on Linux systems. As thissubsystem grows in both capability and users, though, it starts to run intolimitations in the types of operations that can be expressed. That isdriving a number of changes in how operations are programmed for io_uring.One example is the mechanisms considered for carrying a file descriptorbetween operations that was covered here in early March. Another has todo with how I/O buffers are chosen for operations.

The Linux Mint Debian Edition (LMDE) 4 has been released. "LMDE is a Linux Mint project which stands for 'Linux Mint Debian Edition'. Its goal is to ensure Linux Mint would be able to continue to deliver the same user experience, and how much work would be involved, if Ubuntu was ever to disappear. LMDE is also one of our development targets, to guarantee the software we develop is compatible outside of Ubuntu.LMDE aims to be as similar as possible to Linux Mint, but without using Ubuntu. The package base is provided by Debian instead." It is based on Debian 10 ("Buster") with lots of new features, including many improvements from Linux Mint 19.3. More information can be found in the release notes.

Security updates have been issued by Arch Linux (bluez and chromium), Debian (icu, rails, thunderbird, and twisted), Fedora (chromium and webkit2gtk3), Gentoo (bsdiff, cacti, clamav, fribidi, libgit2, pecl-imagick, phpmyadmin, pyyaml, and tomcat), openSUSE (wireshark), Oracle (firefox, icu, python-imaging, thunderbird, and zsh), Scientific Linux (thunderbird), SUSE (firefox, nghttp2, thunderbird, and tomcat), and Ubuntu (twisted).

Author Nick Black has written an extensive book on the creation of textualuser interfaces using the notcurses library; it's available under the Apachelicense [PDF]. "Many people asked how such a thing wasuseful. My usual response was that numerous devices don’t present a bitmapinterface, that X11 GUIs run remotely over SSH are effectively unusable,that plenty of machines don’t have a GUI environment installed, that thereare obvious applications for large outdoor displays, and that Sixel isn’twell-supported across different terminal emulators. It seems impossible inan age of gigatransistor graphics cards, but the text environment stillpresents perceivably less latency than most GUI toolkits."

The kernel's memory-management subsystem goes to great lengths to keep thepages that are actually in use in memory. But sometimes it gets thingswrong, leading to reduced performance or, in the worst cases, flat-outthrashing. We may be about to see a significant improvement, though,thanks to apatch set from Joonsoo Kim changing how anonymous pages (thosecontaining data not backed by files on disk) are managed.As it turns out, all that had to be done was to make use of some work thatalready exists in related parts of the memory-management code.

Here's adetailed blog post on how the Qubes distribution is working to isolatethe graphical interface from the rest of the system. "The upcoming4.1 release changes this protocol to a more flexible form. It will nolonger use direct memory addresses, but an abstract mechanism in which theqube has to explicitly allow access to a particular memory page. In ourcurrent implementation — under Xen — we use the grant tables mechanism,which provides a separate memory allocation API and allows working ongrants and not directly on memory pages. Other implementations will also bepossible: whether for another hypervisor (e.g. KVM) or for a completelydifferent architecture not based on shared memory (e.g. directly sendingframes to another machine)."

Security updates have been issued by Debian (gdal), Fedora (nethack), Mageia (okular, sleuthkit, and webkit2), openSUSE (salt), Oracle (icu, kernel, python-pip, python-virtualenv, and zsh), Red Hat (icu, python-imaging, thunderbird, and zsh), Scientific Linux (icu, python-imaging, and zsh), SUSE (postgresql10), and Ubuntu (apache2).

The LWN.net Weekly Edition for March 19, 2020 is available.

The python-ideas mailing list is typically used to discuss new features orenhancements for the language; ideas that gain traction will get turnedinto Python Enhancement Proposals (PEPs) and eventually make their way topython-dev for wider consideration. Steve Jorgensen recently starteda discussion of just that sort; he was looking for a way to addcustomization to the "pretty-print" module (pprint)so that objects could change the way they are displayed. The subsequentthread went in a few different directions that reflect the nature of themailing list—and the idea itself.

Konstantin Ryabitsev introducesthe "b4" tool for kernel development. Developers and LWN readers willbe familiar with b4 under its previous name: get-lore-mbox. "On top of that, b4 alsointroduces support for cryptographic patch attestation, which makes itpossible to verify that patches (and their metadata) weren't modified intransit between developers. This is still an experimental feature, butinitial tests have been pretty encouraging." See this article for early coverage of theattestation feature.

Drew DeVault complainsabout the complexity of the web and the browsers that work with it."The major projects are open source, and usually when an open-sourceproject misbehaves, we’re able to to fork them to offer an alternative. Buteven this is an impossible task where web browsers are concerned. Thenumber of W3C specifications grows at an average rate of 200 new specs peryear, or about 4 million words, or about one POSIX every 4 to 6 months. Howcan a new team possibly keep up with this on top of implementing theoutrageous scope web browsers already have now?"

Legislation recently proposed in the US Senate is ostensibly meant tocombat "child sexual abuse material" (CSAM), but it does not actually domuch to combat that horrible problem. Its target, instead, is the encryptionof user communications, which the legislation—tellingly—never mentions.The EliminatingAbusive and Rampant Neglect of Interactive Technologies Act of 2020,EARN IT for short, is an attempt to force online service providers(e.g. Facebook, Google, etc.) to follow a set of "best practices"determined by a commission, to combat the scourge of CSAM; the composition ofthat commission makes it clear that end-to-end encryption will not be oneof those practices, but companies that do not follow the best practices will loseliability protection for their users' actions. It is, in brief, anattempt to force providers to either abandon true end-to-end encryption orface ruinous lawsuits—all without "seeming" to be about encryption at all.

Stable kernels 5.5.10, 5.4.26, and 4.19.111 have been released with importantfixes. Users of those series should upgrade.

Security updates have been issued by Debian (libvncserver and twisted), Fedora (libxslt), Red Hat (kernel, kernel-rt, python-flask, python-pip, python-virtualenv, slirp4netns, tomcat, and zsh), Scientific Linux (kernel, python-pip, python-virtualenv, tomcat, and zsh), SUSE (apache2-mod_auth_openidc and skopeo), and Ubuntu (apport and dino-im).

Security updates have been issued by Arch Linux (okular, thunderbird, and webkit2gtk), Debian (webkit2gtk), Fedora (php-horde-Horde-Form), Gentoo (libvorbis, nss, and proftpd), Oracle (firefox and kernel), Red Hat (kernel), Scientific Linux (firefox), SUSE (cni, cni-plugins, conmon, fuse-overlayfs, podman, librsvg, and ovmf), and Ubuntu (ceph, icu, linux, linux-aws, linux-kvm, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3, linux-kvm, linux-raspi2, linux-snapdragon, and linux-lts-xenial, linux-aws).

Over the last decade, the addition of a "flags"argument to all new system calls, even if no flags are actually neededat theoutset, has been widely adopted as a best practice. The result hascertainly been greater API extensibility, but we have also seen a proliferation ofvarious types of flags for related system calls. For calls related tofiles and filesystems, in particular, the available flags have reached apoint where some calls will need as many as three arguments for themrather than just one.

The Free Software Foundation has announcedthe recipients of the 2019 Free Software Awards. A new category was addedthis year; the Award forOutstanding New Free Software Contributor went to Clarissa Lima Borges,"a talented young Brazilian software engineering student whoseOutreachy internship work focused on usability testing for various GNOMEapplications". The Project of social benefitaward went to Let's Encrypt, and the Award for the Advancement ofFree Software was given to Jim Meyering, "a prolific free software programmer, maintainer, and writer".

Stable kernel 4.19.110 has been released. "This fixes a problem in 4.19.109 in the KVM subsystem. If you use KVM,you are strongly encouraged to upgrade. If not, no big deal, you canignore this release."

Security updates have been issued by Debian (graphicsmagick, qemu, and slurm-llnl), Fedora (ansible, couchdb, mediawiki, and python3-typed_ast), Gentoo (atftp, curl, file, gdb, git, gst-plugins-base, icu, libarchive, libgcrypt, libjpeg-turbo, libssh, libvirt, musl, nfdump, ppp, python, ruby-openid, runc, sqlite, squid, sudo, SVG Salamander, systemd, thunderbird, tiff, and webkit-gtk), Mageia (firefox, kernel, and thunderbird), openSUSE (firefox, librsvg, php7, and tomcat), Red Hat (firefox), Slackware (thunderbird), and SUSE (firefox, kernel, salt, and wireshark).

Version 4.4 of The Amnesic Incognito Live System (or Tails) has been released. It has fixed a bunch of security vulnerabilities in Tails 4.3; users are advised to "upgrade as soon as possible". Tails 4.4 brings new versions of the Tor Browser (9.0.6), Thunderbird (68.5.0), and the Linux kernel (5.4.19). It also fixes some problems with WiFi. Tails is a Linux distribution that runs from removable media; it is focused on privacy, security, and anonymity.

The 5.6-rc6 kernel prepatch has beenreleased. "Diffstat looks normal, and the number of commits is right in themiddle of the usual range too. And I don't think any of the commitslook all that strange either - it's all pretty small."

The HypertextTransfer Protocol (HTTP) is a core component of the world-wideweb. Over its evolution it has added features, including encryption, but time has revealed its limitations andthose of the whole protocol stack. At FOSDEM 2020, Daniel Stenberg delivered a talkabout anew version of the protocol called HTTP/3. It is under development andincludes some big changes under the hood. There is no more TCP, forexample; a new transport protocol called QUIC is expected to improve performance and allow newfeatures.

Wired has an article on an open-source tool that is being used to track strains of Covid-19 throughout the world."In the case of the Seattle area teenager, genetic data about his strain of Covid-19 was uploaded to Gisaid, a platform for sharing genomic data. Then researchers at Nextstrain made the connection with the earlier patient.Nextstrain is an open source application that tracks the evolution of viruses and bacteria, including Covid-19, Ebola, and lesser-known outbreaks such as Enterovirus D68 using data sourced largely from Gisaid. Hodcroft and other researchers involved with the project analyze the data shared on Gisaid for mutations and visualize the results. That’s how the team was able to spot the connection between the two Covid-19 cases in Washington."

Psycopg is the database adapter usedby most Python programs needing to work with the PostgreSQL databasemanager. In thisblog post, psycopg maintainer Daniele Varrazzo looks forward to thenext major version. "There is a chance now to rethink how thick theC libpq wrapper should be. We can reduce the C implementation to a minimalwrapper around the libpq (replaceable by a CFFI Python wrapper if compilingC is not available on the client), using it as a foundation to build afamiliar DBAPI blocking interface. A blocking behaviour is not bad initself: it allows to write most of the programs, the ones which don't needcrazy concurrency, in a simple and familiar paradigm; the async layer wouldbe available under the hood to squeeze the best performance in programs whohave embraced an asynchronous pattern and framework."

Security updates have been issued by Arch Linux (firefox, golang-golang-x-crypto, kernel, mbedtls, ppp, and python-django), Debian (slirp and yubikey-val), Fedora (firefox, java-1.8.0-openjdk-aarch32, mbedtls, monit, seamonkey, sympa, and zsh), Gentoo (chromium, e2fsprogs, firefox, groovy, postgresql, rabbitmq-c, ruby, and vim), Mageia (ppp), openSUSE (kernel), and SUSE (glibc, kernel, openstack-manila, php5, and squid).

As expected, the5.5.9,5.4.25,4.19.109,4.14.173,4.9.216, and4.4.216stable kernels have all been released; each contains another set ofimportant fixes.

Back in 2017, Waiman Long posted a patchset placing limits on the number of "negative dentries" stored by thekernel. The better part of three years later, that work continues with,seemingly, no better prospects for getting into the mainline. It would beunderstandable, though, if many people out there don't really know whatnegative dentries are or why kernel developers care about them. That, atleast, can be fixed, even if the underlying problem seems to be moredifficult.

Security updates have been issued by CentOS (kernel), Debian (dojo, firefox-esr, sleuthkit, and wpa), Fedora (cacti, cacti-spine, and python-psutil), Oracle (kernel), Red Hat (kernel), Scientific Linux (kernel), SUSE (ardana-ansible, ardana-cinder, ardana-cobbler, ardana-db, ardana-horizon, ardana-input-model, ardana-monasca, ardana-mq, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, openstack-barbican, openstack-ceilometer, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-designate, openstack-heat, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-ironic-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-horizon-plugin-octavia-ui, openstack-ironic, openstack-ironic-python-agent, openstack-keystone, openstack-magnum, openstack-monasca-agent, openstack-neutron, openstack-neutron-fwaas, openstack-neutron-gbp, openstack-neutron-vpnaas, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-sahara, openstack-swift, python-amqp, python-ironic-lib, python-keystoneauth1, python-keystoneclient, python-keystonemiddleware, python-ovs, supportutils-plugin-suse-openstack-cloud, rubygem-crowbar-client, rubygem-puma, venv-openstack-horizon, ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, mariadb, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-ironic, openstack-keystone, openstack-monasca-agent, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, openstack-sahara, openstack-trove, python-cinderlm, python-congressclient, python-designateclient, python-ironic-lib, python-ne tworking-cisco, python-osc-lib, python-oslo.context, python-oslo.rootwrap, python-oslo.serialization, python-oslo.service, python-stevedore, python-taskflow, rubygem-crowbar-client, rubygem-pumavenv-openstack-swift, firefox, ipmitool, kernel, and php72), and Ubuntu (firefox).

The LWN.net Weekly Edition for March 12, 2020 is available.

A recent message tothe debian-project mailing list by Debian project leader (DPL) Sam Hartman isabout a proposal to moderate the mailing list. There have been repeatedattacks on various project members and the distribution itself posted tothe list over the last few years, many from sock-puppet, throwaway email accounts, which spawned a recent discussion onthe debian-private mailing list; Hartman was summarizing that discussionfor those who are not on the private list. But the problems ondebian-project (and other Debian public lists) are kind of just the tip ofthe iceberg; there is an ongoing, persistent effort to roil thedistribution and its community.

Version 3.36 of the GNOME desktop environment is out. "This release brings a new lock screen and a new app for managing shellextensions, among other things. Once again, the shell has received manyperformance improvements.Improvements to core GNOME applications include better support for meterednetworks and parental controls in GNOME Software, a new look for the initialsetup assistant, a redesigned GNOME Clocks, and many more." See the releasenotes for details and screenshots.

For those who are interested in the details of graphics synchronization:Jason Ekstrand describes in detail the value of explicit synchronization,the reason why we can't have it now, and a proposal for eventually makingit possible to go explicit. "Explicit synchronization is the future of graphics and media. Atleast, that seems to be the consensus among all the graphics peopleI've talked to. I had a chat with one of the lead Android graphicsengineers recently who told me that doing explicit sync from the startwas one of the best engineering decisions Android ever made. It'salso the direction being taken by more modern APIs such as Vulkan."

Security updates have been issued by CentOS (qemu-kvm and sudo), Debian (chromium), Mageia (gpac, libseccomp, and tomcat), openSUSE (gd and postgresql10), Oracle (qemu-kvm), Red Hat (chromium-browser), Scientific Linux (qemu-kvm), Slackware (firefox), and SUSE (ipmitool, java-1_7_0-openjdk, librsvg, and tomcat).

The Let's Encrypt project has madereal strides in helping to ensure that every web site can use the encryptedHTTPS protocol; it has provided TLS certificates at no charge that areaccepted by most or all web browsers. Free certificates accepted by thebrowsers are something that was difficult to find prior to the advent of the project in 2014; as of the end of February, theproject has issuedover a billion certificates. But a bug that was recentlyfound in the handling of Certificate AuthorityAuthorization (CAA) by the project put roughly 2.6% of the activecertificates—roughly three million—at risk of immediate revocation. As might beexpected, that caused a bit of panic in some quarters, but it turned outthat the worst outcome was largely averted.

The latest release of Firefox features some login management improvements,the ability to add custom sites to the Facebook Container, better privacyfor web voice and video calls, and better add-on management. See the release notesfor more information.

Security updates have been issued by Debian (libvpx and network-manager-ssh), Fedora (cacti, cacti-spine, and podman), openSUSE (chromium and python-bleach), Oracle (curl), Red Hat (ansible and qemu-kvm), SUSE (gd, ipmitool, and php7), and Ubuntu (runc and sqlite3).

The Linux development community is spread out over the planet andinteracts primarily through email and online systems. It is widelyfelt, though, that there is great value in getting people together inperson occasionally to talk about current issues and get to knoweach other as people. This year, though, the coronavirus pandemic isdisrupting the conference schedule to an extent that won't be known forsome time. But there are longer-term concerns as well, to the point thatthe head organizer for one of the kernel community's most successful eventsis questioning whether it should continue to exist.

LibrePlanet was scheduled for March 14-15 but it has been canceled. "However, just because we won't be holding a conference in person this year doesn't mean that we've given up our fight to "free the future." Instead, LibrePlanet will be a fully free (as in freedom) virtual conference and livestream. We had an extremely exciting program planned, and we're going to try and maintain as much of that schedule as possible with all of the speakers who are willing and able to participate remotely. The resulting livestream will be run on and entirely accessible via free software, so that you can enjoy these amazing talks from the comfort of your home."