The 5.4-rc3 kernel prepatch is out fortesting. "Things continue to look fairly normal, with rc3 beinglarger than rc2, as people are starting to find more regressions, but 5.4so far remains on the smaller side of recent releases."
As notedearlier,when compiling Linux-kernel code that does a plain C-language load orstore, as in"a=b", the C standard grants the compiler the rightto assume that the affected variables are neither accessed nor modifiedby any other thread at the time of that load or store.The compiler is therefore permitted to carry out a surprisinglylarge number of optimizations, any number of which might ruin yourconcurrent code's day.Given that current compilers usually do not emit diagnostics warning ofpotential ruined days, it would be good to have other tools take on thistask.
Security updates have been issued by Debian (lucene-solr and ruby-openid), Fedora (krb5 and SDL2), openSUSE (kernel and libopenmpt), and Ubuntu (python2.7, python3.4).
The Google Open Source Blog has an announcement of the release of the SchedViz tool that is used internally at the company "to discover many opportunities for better scheduling choices and to root-cause many latency issues". SchedViz provides a GUI to explore kernel traces: "The SchedViz UI displays collections in several ways. A zoomable and pannable heatmap shows system cores on the y-axis, and the trace duration on the x-axis. Each core in the system has a swim-lane, and each swim-lane shows CPU utilization (when that CPU is being kept busy) and wait-queue depth (how many threads are waiting to run on that CPU.) The UI also includes a thread list that displays which threads were active in the heatmap, along with how long they ran, waited to run, and blocked on some event, and how many times they woke up or migrated between cores. Individual threads can be selected to show their behavior over time, or expanded to see their details."
It is no secret that much of the work on the in-kernel BPF virtual machine and associated user-space support code is being done at Facebook. But lessis known about how Facebook is actually using BPF. At Kernel Recipes 2019,BPF developer Alexei Starovoitov describeda bit of that work, though even he admitted that he didn't know what mostof the BPF programs running there were doing. He also summarized recentdevelopments with BPF and some near-future work.
Security updates have been issued by Debian (clamav, libtomcrypt, and rsyslog), Fedora (suricata), SUSE (libopenmpt and python-requests), and Ubuntu (libsoup2.4 and octavia).
The input stack for Linux is an essential part of interacting with oursystems, but it is also an area that is lacking in terms of developers.There has been progress over the last few years, however; Peter Huttererfrom Red Hat came to the 2019 X.Org Developers Conference to talk about some of the work that has been done. He gave a status report on the inputstack that covered development work that is going on now as well as thingsthat have been completed in the last two years or so. Overall, things arelooking pretty good for input on Linux, though the "bus factor" for thestack is alarmingly low.
Richard Stallman has issued a brief statement saying that there will not beany radical changes in the GNU Project's goals, principles andpolicies. "I would like to make incremental changes in how somedecisions are made, because I won't be here forever and we need to readyothers to make GNU Project decisions when I can no longer do so. But thesewon't lead to unbounded or radical changes."
Security updates have been issued by Fedora (chromium), openSUSE (rust and sqlite3), SUSE (dnsmasq, firefox, and kubernetes, patchinfo), and Ubuntu (python2.7, python3.5, python3.6, python3.7).
OpenSSH 8.1 is out. It includes some security fixes, including theencryption of keys at rest to defend them against speculative-executionattacks. There is also an experimental new signature and verificationmechanism for public keys.
Stable kernels 5.3.5, 5.2.20, 4.19.78, 4.14.148, 4.9.196, and 4.4.196 have been released. They all containthe usual set of important fixes. This is the last 5.2 kernel and usersshould move to the 5.3.y kernel series now.
Security updates have been issued by Debian (openjpeg2, openssh, and xen), openSUSE (dovecot23, jasper, libseccomp, lxc, putty, and singularity), Red Hat (bind, kernel, polkit, python, and wget), and Ubuntu (unbound).
One of the many changes in the 5.4 kernel is the completion (insofar asanything in the kernel is truly complete) of the pidfd API. Getting that work done has been "awild ride so far", according to its author Christian Brauner during asession at the 2019 Kernel Recipes conference. He went on to describethe history of this work and some lessons for others interested in addingmajor new APIs to the Linux kernel.
While Richard Stallman has resigned from the Free Software Foundation andMIT, he continues to hold onto his position as the head of the GNU project. Now, the FSF has announced that it is"working with GNU leadership on a shared understanding of the relationship for the future" and is seeking comments from thecommunity on what that should be.Meanwhile, a group of maintainers for specific GNU projects has posteda joint statement calling for new leadership at GNU. "We believethat Richard Stallman cannot represent all of GNU. We think it is now timefor GNU maintainers to collectively decide about the organization of theproject. The GNU Project we want to build is one that everyone can trust todefend their freedom."
The second 5.4 kernel prepatch is out fortesting. "So nothing looks particularly worrisome, but usually rc2is fairly calm and it takes a while for any regressions to benoticed." This release also changes the code name to "NestingOpossum".
The5.3.4,5.2.19,4.19.77,4.14.147,4.9.195, and4.4.195stable kernel updates have all been released; each contains a relativelylarge set of important fixes and updates.
Common Vulnerability and Exposure (CVE) numbers have been used for manyyears as a way of uniquely identifying software vulnerabilities. It hasbecome increasingly clear in recent years that there are problems with CVEnumbers, though, and increasing numbers ofvulnerabilities are not being assigned CVE numbers at all. At the 2019 Kernel Recipes event, GregKroah-Hartman delivered a "40-minute rant with an unsatisfactoryconclusion" on CVE numbers and how the situation might be improved. The conclusion may be"unsatisfactory", but it seems destined to stir up some discussionregardless.
Security updates have been issued by Arch Linux (exim, ruby, ruby-rdoc, ruby2.5, and systemd), Debian (openconnect), Mageia (thunderbird), openSUSE (lxc and mosquitto), Oracle (kernel and patch), Scientific Linux (patch), SUSE (firefox, java-1_7_0-ibm, and sqlite3), and Ubuntu (clamav).
Version 4.0 of theCalibre ebook management application is out. "It has been two years since calibre 3.0. This time has been spent mostly in making the calibre Content server ever more capable as well as migrating calibre itself from Qt WebKit to Qt WebEngine, because the former is no longer maintained.The Content server has gained the ability to Edit metadata, Add/removebooks and even Convert books to and from all the formats calibre itselfsupports. It is now a full fledged interface to your calibrelibraries."
The kernel's printk()function seems like it should be relatively simple; all it does is format astring and output it to the kernel logs. That simplicity hides a lot ofunderlying complexity, though, and that complexity is why kernel developersare still unhappy with printk() after 28 years. At the 2019 LinuxPlumbers Conference, John Ogness explainedwhere the complexity in printk() comes from and what is being doneto improve the situation.
Security updates have been issued by CentOS (kernel), Debian (jackson-databind, libapreq2, and subversion), Fedora (glpi, memcached, and zeromq), openSUSE (rust), Oracle (kernel), Red Hat (patch), and SUSE (dovecot23, git, jasper, libseccomp, and thunderbird).
Version 12 of the PostgreSQL database management system is out. "PostgreSQL 12 enhancements include notable improvements to queryperformance, particularly over larger data sets, and overall spaceutilization. This release provides application developers with newcapabilities such as SQL/JSON path expression support, optimizations forhow common table expression ('WITH') queries are executed, and generatedcolumns. The PostgreSQL community continues to support the extensibilityand robustness of PostgreSQL, with further additions tointernationalization, authentication, and providing easier ways toadministrate PostgreSQL. This release also introduces the pluggabletable storage interface, which allows developers to create their ownmethods for storing data."
The Document Foundation (TDF) isthe home of the LibreOfficefree-software office suite; it provides financial, governance, andother administrative services to LibreOffice. The foundation wasestablished in part to ensure that commercial entities did not have undueinfluence on the project, which limited the types of activities in which itcan engage. In particular, selling branded versions of LibreOffice in themacOS and Windows app stores has not been something that TDF could tackle.The TDFboard of directors is looking to change that with the creation of a new entity, The Document Collective (TDC), to engage in commercial activity thatis complementary to that of TDF members—hopefully as an income source tohelp support TDF.
Security updates have been issued by Debian (openssl and openssl1.0), Fedora (expat, kernel, kernel-headers, kernel-tools, and phpMyAdmin), openSUSE (nghttp2 and u-boot), Oracle (kernel), Red Hat (rh-nodejs8-nodejs), Slackware (libpcap), SUSE (bind, jasper, libgcrypt, openssl-1_0_0, and php7), and Ubuntu (clamav).
A discussion on the pgsql-hackers mailinglist at the end of August is another reminder that the suitability ofseccomp()filters is likely more narrow than was hoped. Applying filters to the PostgreSQL database is difficult for a number of reasons and thebenefit for the project and its users is not entirely clear. Thediscussion highlights the tradeoffs inherent in adding system-callfiltering to a complex software suite; it may help crystallize the thinkingof other projects that are alsolooking at supporting seccomp() filters.
Security updates have been issued by Debian (apache2, linux-4.9, netty, phpbb3, and poppler), openSUSE (chromium, djvulibre, ghostscript, python-numpy, SDL2, and varnish), Oracle (nodejs:10), Red Hat (httpd24-httpd and httpd24-nghttp2, kpatch-patch, and rh-nodejs10-nodejs), and Ubuntu (linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, and SDL 2.0).
Version2.0.0 of the TensorFlow machine-learning system is out. Headlinefeatures include the "Keras" high-level API, support for distributedtraining, and more, including a number of API-breaking changes.
The release of the 5.4-rc1 kernel and the closing of the merge window forthis development cycle came one day later than would have normally beenexpected. By that time, 12,554 non-merge changesets had been pulledinto the mainline repository; that's nearly 2,900 since the first-week summary was written. Thatrelatively small number of changes belies the amount of interesting changethat arrived late in the merge window, though; read on for the full list.
Linus has tagged the 5.4-rc1 release, thus ending the merge window for thisdevelopment cycle. An apparent linux-kernel outage means that there is noannouncement to post yet; we'll do that as soon as it becomes available.Meanwhile, though, everything can be seen in his repository.Update: the 5.4-rc1 announcement isnow available. "I didn't really extend the merge window by a day here, but I gavemyself an extra day to merge my pending queue. Thus the Monday datefor the rc1 rather than the usual Sunday afternoon."
Exim 4.92.3 has been released with a fix for CVE-2019-16928, a heap-basedbuffer overflow in string_vformat that could lead to remote codeexecution. "The currently known exploit uses a extraordinary longEHLO string to crash the Exim process that is receiving the message. Whileat this mode of operation Exim already dropped its privileges, other paths toreach the vulnerable code may exist."
Security updates have been issued by CentOS (dovecot, kernel, and qemu-kvm), Debian (cimg, cups, e2fsprogs, exim4, file-roller, golang-1.11, httpie, and wpa), Fedora (curl, ghostscript, ibus, krb5, mod_md, and nbdkit), Mageia (chromium-browser-stable, libheif, and nghttp2), openSUSE (djvulibre, expat, libopenmpt, mosquitto, phpMyAdmin, and webkit2gtk3), Red Hat (nodejs:10), SUSE (gpg2), and Ubuntu (e2fsprogs and exim4).
The addition of extended BPF to the kernel has opened up a whole range ofuse cases, but few developers actually write BPF code. It is, like anyother assembly-level language, a tedious pain to work with; developerswould rather use a higher-level language. For BPF, the language of choiceis C, which is compiled to BPF with the LLVM compiler. But, as JoseMarchesi described during the Toolchainsmicroconference at the 2019 LinuxPlumbers Conference, LLVM will soon have company, as he has just addedsupport for a BPF back-end to the GCC compiler.
After "more than two years in development and half a year in testing", version 4.15.0 of the RPM package manager has been released. It has a wide range of new features, including faster parallel builds; support for %elif, %elifos, and %elifarch statements in RPM spec files; new %patchlist and %sourcelist sections; experimental support for non-privileged operation in a chroot() environment; and, of course, plenty of bug fixes and such. More details can be found in the release notes.
Ars Technica reports on the Librem 5 smartphone from Purism, which has begun shipping. The article provides an initial review of the phone, with pictures of the interface and hardware inside the case. "The Librem 5 is unlike anything else on the market. Not only is it one of the only smartphones on Earth that doesn't ship with Android, a fork of Android, or iOS—Purism's commitment to 100% open software, with no binary blobs, puts severe restrictions on what hardware it can use. Android's core might be open source, but it was always built for wide adoption above all else, with provisions for manufacturers to include as much proprietary code as they want. Purism's demand that everything be open means most of the major component manufacturers were out of the question.Perhaps because of the limited hardware options, the internal construction of the Librem 5 is absolutely wild. While smartphones today are mostly a single mainboard with every component integrated into it, the Librem 5 actually has a pair of M.2 slots that house full-size, off-the-shelf LTE and Wi-Fi cards for connectivity, just like what you would find in an old laptop. The M.2 sockets look massive on top of the tiny phone motherboard, but you could probably replace or upgrade the cards if you wanted."
Over at Fedora Magazine, Ben Cotton has an article on contributing to the Fedora distribution. Obviously, it is pretty Fedora-specific, but the general ideas can be applied to other distributions and/or projects. He lists several areas where contributors are needed—beyond just the obvious candidates: "Cooperative effort is a hallmark of open source communities. One of the best ways to contribute to any project is to help other users. In Fedora, that can mean answering questions on the Ask Fedora forum, the users mailing list, or in the #fedora IRC channel. Many third-party social media and news aggregator sites have discussion related to Fedora where you can help out as well."
A report ofa boot hang in the 5.3 series has led to an enormous, somewhat contentiousthread on the linux-kernel mailing list. The proximate cause was some changes that made theext4 filesystem do less I/O early in the boot phase, incidentally causingfewer interrupts, but the underlying issue was the getrandom()system call, which was blocking until the /dev/urandom poolwas initialized—as designed. Since the system in question was notgathering enough entropy due to the lack of unpredictable interrupttimings, that would hang more or less forever. That has called intoquestion the design and implementation of getrandom().
Security updates have been issued by Fedora (dcmtk), openSUSE (rust), Red Hat (redhat-virtualization-host), and SUSE (ghostscript, nghttp2, and u-boot).
The multipath TCP (MPTCP) protocol (and theLinux implementation of it) have beenunder development for a solid decade; MPTCP offers a number of advantages fordevices that have more than one network interface available. Despitehaving been deployed widely, though, MPTCP is still not supported by theupstream Linux kernel. At the 2019 Linux Plumbers Conference, MatthieuBaerts and Mat Martineau discussed the current state of the Linux MPTCPimplementation and what will be required to get it into the mainlinekernel.
Security updates have been issued by CentOS (dovecot), Debian (lemonldap-ng, openssl, and ruby-nokogiri), openSUSE (fish3, ibus, nmap, and openssl-1_1), Slackware (mozilla), SUSE (mariadb, python-numpy, and SDL2), and Ubuntu (firefox).
As part of the DistributionKernels microconference at Linux Plumbers Conference 2019, MatthiasMännich described how the Android project monitors changes to the internalkernel ABI. As Android kernels evolve, typically by adding features andbug fixes from more recent kernel versions, the project wants to ensurethat the ABI remains the same so that out-of-tree modules will stillfunction. While the talk was somewhat Android-specific, the techniques andtools used could be applied to other distributions with similar needs(e.g. enterprise distributions).
Security updates have been issued by Debian (kernel, libgcrypt20, and spip), Fedora (compat-openssl10, expat, ghostscript, ibus, java-1.8.0-openjdk-aarch32, and SDL2_image), openSUSE (bird, chromium, kernel, libreoffice, links, and varnish), Oracle (httpd:2.4 and qemu-kvm), Red Hat (kernel), Scientific Linux (qemu-kvm), SUSE (djvulibre, dovecot22, ghostscript, kernel, libxml2, and python-Twisted), and Ubuntu (file-roller and libreoffice).
A company called Rothschild Patent Imaging LLC has filed alawsuit [PDF] against the GNOME Foundation, alleging that the Shotwellphoto manager violates patent9,936,086. Stay tuned, more details will surely emerge.
Google Code-in (GCI) providesstudents ages 13 to 17 the opportunity to participate in open sourceprojects. Google has announced the2019 round of GCI. "New contributors bring fresh perspectives,ideas, and enthusiasm into their open source communities, helping themthrive. Throughout the last 9 years, 58 GCI organizations helped 11,000students from 108 countries make real contributions to open sourceprojects; and to this day many of those students continue to participate invarious open source communities and many have become mentors themselves!Some have even gone on to join Google Summer of Code (GSoC)."Organizations that are interested in mentoring students can apply for GCIstarting October 10. GCI begins December 2, 2019 and ends January 23, 2020.
LWN.net