LWN.net

Security updates have been issued by Arch Linux (file and firefox), Debian (apache-log4j1.2), Fedora (chromium, dovecot, GraphicsMagick, kubernetes, libvpx, makepasswd, matio, and slurm), Mageia (libtomcrypt, ming, oniguruma, opencv, pcsc-lite, phpmyadmin, and thunderbird), openSUSE (chromium, chromium, re2, and mozilla-nspr, mozilla-nss), Red Hat (chromium-browser, firefox, and rabbitmq-server), Slackware (mozilla), and SUSE (crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client, firefox, libzypp, and openssl-1_1).

The 5.5-rc6 kernel prepatch is out fortesting. "Let's see how things go. I do suspect that this ends upbeing one of those 'rc8' releases, not because things look particularly badright now, but simply because the holiday season has meant that both thetesting side and the development side have been quiet. But whoknows?"On the stable side,5.4.11,4.19.95,4.14.164,4.9.209, and4.4.209have all been released with another set of important fixes.

The 5.2 kernel saw the addition of an extensive new API for the mounting(and remounting) of filesystems; thisarticle covered an early version of that API. Since then, work in thisarea has mostly focused on enabling filesystems to support this API fully.James Bottomley has taken a look at this API as part of the job ofredesigning his shiftfs filesystem andfound it to be incomplete. What has followed is a significant set ofchanges that promise to simplify the mount API — though it turns out that"simple" is often in the eye of the beholder.

Security updates have been issued by Debian (ldm and sa-exim), Mageia (firefox), openSUSE (chromium, firefox, and thunderbird), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, firefox, log4j, nodejs10, nodejs12, and openssl-1_0_0), and Ubuntu (firefox).

Version 19.07.0 of the OpenWrt router distribution is available."With this release, the OpenWrt project brings all supported targets backto a single common kernel version and further refines and broadensexisting device support. It also introduces a new ath79 target andbrings support for WPA3." There are some known issues; read throughthe full announcement before updating.

Stable kernels 5.4.10, 5.4.9, 4.19.94, and 4.14.163 have been released. PowerPC usersshould update to 5.4.10 to get a missing patch. Other users can stay with5.4.9.

In response to a growing desire for ways to control groups of processesfrom user space, the kernel has added a number of mechanisms that allow oneprocess to operate on another. One piece that is currently missing,though, is the ability for a process to snatch a copy of an open filedescriptor from another. That gap may soon be filled, though, if the pidfd_getfd()system-call patch set from Sargun Dhillon is merged.

Security updates have been issued by Debian (firefox-esr), Fedora (firefox), Oracle (kernel), Slackware (firefox and kernel), SUSE (apache2-mod_perl, git, java-1_7_0-ibm, java-1_7_1-ibm, log4j, mariadb, and nodejs8), and Ubuntu (gnutls28, graphicsmagick, and nss).

Samuel Maddock writesthat the adoption of the "encrypted media extensions" by the World Wide WebConsortium has had just the sort of effect that people were worried about four years ago."No longer is it possible to build your own web browser capable ofconsuming some of the most popular content on the web. Websites likeNetflix, Hulu, HBO, and others require copyright content protection whichis only accessible through browser vendors who have license agreements withlarge corporations."

There is another Firefox release out there; thisadvisory suggests that updating quickly would be a good idea:"Incorrect alias information in IonMonkey JIT compiler for settingarray elements could lead to a type confusion. We are aware of targetedattacks in the wild abusing this flaw."

The LWN.net Weekly Edition for January 9, 2020 is available.

One of Guido van Rossum's last items of business as he finished his term on the inaugural steering council for Python was toreview the Python Enhancement Proposal (PEP) that proposes a new update and unionoperators for dictionaries. He would still seem to be in favor of the idea,but it will be up to the newly elected steeringcouncil and whoever the council chooses as the PEP-deciding delegate (i.e. BDFL-Delegate).Van Rossum provided some feedback on the PEP and, inevitably, the question of how to spell the operator returned, but thepath toward getting a decision on it is now pretty clear.

Security updates have been issued by Arch Linux (firefox), Debian (python-django and wordpress), Fedora (dovecot), Mageia (opensc, radare2, and varnish), Red Hat (rh-java-common-apache-commons-beanutils), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, java-1_8_0-ibm, java-1_8_0-openjdk, libzypp, openssl-1_0_0, sysstat, and tomcat), and Ubuntu (clamav, linux-azure, and linux-lts-xenial, linux-aws).

It has taken longer than anybody might have liked, but the IPv6 protocol isslowly displacing IPv4 across the Internet. A quick, highly scientific"grep the access logs" test shows that about 16% of the traffic toLWN.net is currently using IPv6, and many large corporate networks areusing IPv6 exclusively internally. This version of the IP protocol wasdesigned to be more flexible than IPv4 in a number of ways; the "extensionheader" mechanism is one way in which that flexibility is achieved. Aproposal to formalize extension-header processing in the kernel'snetworking stack has led to some concerns, though, about how this featurewill be used and what role Linux should play in its development.

Lars Ingebrigtsen providesdetails on the current status of the Gmane archive server and asks forfeedback on whether it is still useful. "Over the past few years,people have asked me what happened to Gmane, and I’ve mostly clasped myhands over my ears and gone 'la la la can’t hear you', because there’snothing about the story I’m now finally going to tell that I don’t findhighly embarrassing. I had hoped I could just continue that way until Idie, but perhaps it would be more constructive to actually tell peoplewhat’s going on instead of doing an ostrich impression." (Thanks toGiovanni Gherdovich).

Firefox 72.0 has been released. In this version Firefox’s EnhancedTracking Protection now blocks fingerprintingscripts. Also picture-in-picture video is available. See the releasenotes for the details of these features and other changes.

Security updates have been issued by Debian (nss and pillow), Red Hat (java-1.8.0-ibm and kernel), Slackware (firefox), SUSE (virglrenderer), and Ubuntu (linux, linux-aws, linux-aws-5.0, linux-azure, linux-gcp, linux-gke-5.0, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-kvm, linux-oracle, linux-raspi2, and linux-snapdragon).

The random-number generation facilities in the kernel have been reworkedsome over the past few months—but problems in that subsystem have beenaddressed over an even longer time frame. The most recent changes were made to stop the getrandom() system call fromblocking for long periods of time at system boot, but the underlying causewas the behavior of the blocking random pool. A recent patch set wouldremove that pool and it would seem to be headed for the mainline kernel.

Security updates have been issued by Fedora (chromium, cyrus-imapd, drupal7-l10n_update, drupal7-webform, htmldoc, nethack, php, and singularity), Mageia (advancecomp, apache-commons-compress, cyrus-imapd, cyrus-sasl, dia, freeimage, freeradius, igraph, jhead, jss, libdwarf, libextractor, libxml2, mediawiki, memcached, mozjs60, openconnect, openssl, putty, python-ecdsa, python-werkzeug, shadowsocks-libev, and upx), Oracle (container-tools:1.0 and container-tools:ol8), and Red Hat (kpatch-patch).

The 5.5-rc5 kernel prepatch has beenreleased. Linus added a note to the release announcement: "One sadpiece of news I got this past week was that Bruce Evans has passed away. Bruce wasn't really ever really much directlyinvolved in Linux development - he was active on the BSD side - but he wasthe developer behind Minix/i386, which was what I used for the originalLinux development in the very early days before Linux becameself-hosting."On the stable-update side,5.4.8,4.19.93,4.14.162,4.9.208, and4.4.208 are all available with another setof important fixes.

Anybody who has ever taken a numerical analysis course understands thatfloating-point arithmetic on computers is a messy affair. Even so, it iseasy to underestimate just how messy things can be. This topic came to thefore in an initially unrelated python-ideas mailing-list thread; whatshould the Python statisticsmodule do with floating-point values that are explicitly not numbers?

It is not all that often that the mainstream press looks at issues in the open-source world, but this article from The Atlantic does just that; it looks at the controversy surrounding GitHub renewing its contract with the US Immigration and Customs Enforcement (ICE) agency and the concerns some have had with their code being used by ICE. "So when news of GitHub’s contract with ICE emerged, its employees weren’t the only ones outraged. Because of the transitive nature of open source, volunteer developers—who host code on the site to share with others—may have unwittingly contributed to the code GitHub furnished for ICE, the agency responsible for enforcing immigration policy. Some were troubled by the idea that their code might in some way be used to help agents detain and deport undocumented migrants. But their outrage—and the backlash to it—reveals existential questions about the very nature of open source."

Security updates have been issued by Debian (netty) and Fedora (libssh, nethack, php, samba, and xen).

One of the advantages of the in-kernel BPF virtual machine is that it isfast. BPF programs are just-in-time compiled and run directly by the CPU,so there is no interpreter overhead. For many of the intended use cases,though, "fast" can never be quite fast enough. It is thus unsurprisingthat there are currently anumber of patch sets under development that are intended to speed up oneaspect or another of using BPF in the system. A few, in particular, seemabout ready to hit the mainline.

Over the holiday week, we missed the announcement of Ruby 2.7 on December 25. It is the most recent release of the Ruby programming language and was more than a year in development. There are quite a few new features including experimental pattern matching for case statements (more information can be found in these slides), a new compaction garbage collector for the heap, support for separating positional and keyword arguments, and plenty more.

Security updates have been issued by Red Hat (chromium-browser and rh-git218-git) and SUSE (java-1_8_0-ibm and openssl-1_1).

The LWN.net Weekly Edition for January 2, 2020 is available.

Python prides itself on being a newbie-friendly language; its developershave gone out of their way to try to ensure that easy tasks arestraightforward to program. A recent discussion on the python-ideasmailing list looked at a use case that is common, but often implemented in aninefficient, incorrect fashion, with an eye toward making it easier to docorrectly. Finding the first match for a regular expression in a body oftext is where the conversation started, but it went in some otherinteresting directions as well.

January 1, 2020 marks the beginning of a new year and a new decade. Manythings will doubtless change over the course of this year in thefree-software community and beyond, while others will remain the same. One thing that will certainlyhold true is LWN's tradition of starting the new year with some ill-advisedpredictions about what may be in store. Your editor has no special vision,but neither does he fear being proved badly wrong in a public setting —it's all in a day's work.

Security updates have been issued by Debian (igraph, jhead, libgcrypt20, otrs2, and waitress) and Mageia (clamaw, exiv2, filezilla, hunspell, libidn2, pdfresurrect, roundcubemail, and xpdf).

A proposal to periodically run the fstrimcommand on Fedora 32 systems was discussed recently on the Fedoradevel mailing list.fstrim is used to cause a filesystem to inform the underlyingstorage of unused blocks, which can help SSDs and other types of blockdevices perform better.There were a number of questions and concerns raised,including whether to change the behavior of earlier versions of thedistribution when they get upgraded and if the kernel should be responsiblefor handling the whole problem.

Stable kernels 5.4.7, 4.19.92, and 4.14.161 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Debian (intel-microcode and libbsd), openSUSE (chromium, LibreOffice, and spectre-meltdown-checker), and SUSE (mozilla-nspr, mozilla-nss and python-azure-agent).

Security updates have been issued by Debian (debian-lan-config, freeimage, imagemagick, libxml2, mediawiki, openssl1.0, php5, and tomcat8).

The results from the Debian general resolutionvote on init systems are in; the project's developers chose the option titled "Systemd but wesupport exploring alternatives". It makes systemd into the preferredinit system, and allows packages to use systemd-specific features;packagers are not required to support other init systems, but support forother systems is encouraged where it is practical.

The 5.5-rc4 kernel prepatch is out fortesting. "To absolutely nobody's surprise, last week was very quietindeed. It's hardly even worth making an rc release, but there are _some_fixes in here, so here's the usual weekly Sunday afternoon rc."

Matthew Garrett worksout how to avoid being recorded by "Ring" door cameras in his apartmentbuilding. "The most interesting one here is the deauthenticationframe that access points can use to tell clients that they're no longerwelcome. These can be sent for a variety of reasons, including resourceexhaustion or authentication failure. And, by default, they're entirelyunprotected. Anyone can inject such a frame into your network and causeclients to believe they're no longer authorised to use the network, atwhich point they'll have to go through a new authentication cycle - andwhile they're doing that, they're not able to send any otherpackets."

Security updates have been issued by SUSE (dia, kernel, and libgcrypt).

One of the first uses of the BPF virtualmachine outside of networking was to implement access-control policiesfor the seccomp()system call. Since then, though, the role of BPF in the security area hasnot changed much in the mainline kernel, even though BPF has evolvedconsiderably from the "classic" variant still used with seccomp()to the "extended" BPF now supported by the kernel. That has not been for alack of trying, though. The out-of-tree Landlock security module was covered here over three years ago. We also looked at the kernel runtime securityinstrumentation (KRSI) patch set in September. KP Singh has posted a newKRSI series, so the time seems right for a closer look.

Andrew 'bunnie' Huang has posted a detailed article onwhy creating trustable hardware is so difficult and describing a projecthe's working on to do it anyway. "While open hardware has the opportunity toempower users to innovate and embody a more correct and transparent designintent than closed hardware, at the end of the day any hardware ofsufficient complexity is not practical to verify, whether open orclosed. Even if we published the complete mask set for a modernbillion-transistor CPU, this 'source code' is meaningless without apractical method to verify an equivalence between the mask set and the chipin your possession down to a near-atomic level without simultaneouslydestroying the CPU."

Security updates have been issued by CentOS (firefox, fribidi, nss, nss-softokn, nss-util, openslp, and thunderbird), Debian (opensc), and Mageia (389-ds-base, apache, apache-mod_auth_openidc, kernel, libofx, microcode, php, and ruby).

Security updates have been issued by CentOS (freetype, kernel, nss, nss-softokn, nss-util, and thunderbird), Mageia (ghostpcl, libmirage, and spamassassin), Oracle (fribidi), and SUSE (mariadb-100, shibboleth-sp, and slurm).

Security updates have been issued by Debian (cups, cyrus-sasl2, tightvnc, and x2goclient), Fedora (cacti and cacti-spine), openSUSE (mariadb and samba), Oracle (fribidi, git, and python), Red Hat (fribidi, libyang, and qemu-kvm-rhev), Slackware (openssl and tigervnc), and SUSE (firefox, nspr, nss and kernel).

The third 5.5 kernel prepatch is out; itwas a bit bigger than Linus would have liked."Anyway, I'm hoping rc3 is a one-off. In fact, with the holiday seasoncoming up, I'd be very surprised indeed if it wasn't. So I suspectthings will calm down a lot over the next couple of weeks, but pleasedo use the down-time to do some extra testing instead, ok?"

The5.4.6,4.19.91,4.14.160,4.9.207, and4.4.207stable kernel updates have all been released; each contains another set ofimportant fixes.

The Linux control-group mechanism was designed to make it easy to assignprocesses to groups or move them around; it is a simple matter of writing aprocess ID to the appropriate cgroup.procs file in thecontrol-group filesystem hierarchy. That only works for processes thatactually exist, though. Adding the ability to place a new process into acontrol group at birth is the subject of thispatch set from Christian Brauner.

Michał Górny describesan effort to create something one might have never expected to see: abinary kernel package for the Gentoo distribution. "I have manuallyconfigured the kernels for my private systems long time ago. Today, Iwouldn’t really have bothered. In fact, I realized that for some time I’mreally hesitant to even upgrade them because of the effort needed to updateconfiguration. The worst part is, whenever a new kernel does not boot, Ihave to ask myself: is it a real bug, or is it my fault for configuring itwrong?"

Security updates have been issued by Debian (cyrus-imapd and gdk-pixbuf), Fedora (cacti, cacti-spine, and fribidi), Red Hat (fribidi, git, and openstack-keystone), Scientific Linux (fribidi), Slackware (wavpack), and SUSE (firefox, kernel, mariadb, spectre-meltdown-checker, and trousers).

Version3.11 of the lightweight Alpine Linux distribution is available.Changes include the 5.4 kernel, Raspberry Pi 4 support, GNOME and KDEsupport, and the deprecation of Python 2.

The Cloud Native Computing Foundation (CNCF) is part of the Linux Foundation that is focused on Kubernetes and other cloud technologies. It has announced that The Update Framework (TUF) has graduated to a full member project. "TUF, an open-source technology that secures software update systems, is the first specification and first security-focused project to graduate. Justin Cappos, associate professor of computer science and engineering at NYU Tandon School of Engineering, initially developed the project in 2009. Cappos is also the first academic researcher to lead a graduated project and TUF is the first project born out of a university to graduate.