Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-22 19:15
Google Code‑in 2019
Google Code-in (GCI) provides students ages 13 to 17 the opportunity to participate in open source projects. Google has announced the 2019 round of GCI. "New contributors bring fresh perspectives, ideas, and enthusiasm into their open source communities, helping them thrive. Throughout the last 9 years, 58 GCI organizations helped 11,000 students from 108 countries make real contributions to open source projects; and to this day many of those students continue to participate in various open source communities and many have become mentors themselves! Some have even gone on to join Google Summer of Code (GSoC)." Organizations that are interested in mentoring students can apply for GCI starting October 10. GCI begins December 2, 2019 and ends January 23, 2020.
Release for CentOS Linux 8 and CentOS Streams
CentOS Linux 8.0-1905 has been released. The release notes have more details. The CentOS project also introduces CentOS Stream. "CentOS Stream is a rolling-release Linux distro that exists as a midstream between the upstream development in Fedora Linux and the downstream development for Red Hat Enterprise Linux (RHEL). It is a cleared-path to contributing into future minor releases of RHEL while interacting with Red Hat and other open source developers. This pairs nicely with the existing contribution path in Fedora for future major releases of RHEL."
[$] Better guidance for database developers
At the inaugural Databases microconference at the 2019 Linux Plumbers Conference (LPC), two developers who work on rather different database systems had similar complaints about developing for Linux. Richard Hipp, creator of the SQLite database, and Andres Freund from the PostgreSQL project both lamented the lack of definitive documentation on how to best use the kernel's I/O interfaces, especially for corner cases. Both of the sessions, along with others in the microconference, pointed to a strong need for more interaction between user-space and kernel developers.
Security updates for Tuesday
Security updates have been issued by Debian (php5), Fedora (blis, kernel, and kernel-headers), openSUSE (bird, curl, fish3, ghostscript, ibus, kernel, libgcrypt, openldap2, openssl-1_1, skopeo, and util-linux and shadow), Oracle (dovecot and kernel), Red Hat (dovecot, httpd:2.4, qemu-kvm, and redhat-virtualization-host), Scientific Linux (dovecot), SUSE (djvulibre, expat, firefox, libopenmpt, and rust), and Ubuntu (ibus and Mosquitto).
[$] 5.4 Merge window, part 1
As of this writing, 9,632 non-merge changesets have been merged for the 5.4 kernel. This merge window is thus off to a strong start. There has been a wide range of changes merged across the kernel tree, including vast numbers of cleanups and fixes.
Security updates for Monday
Security updates have been issued by Debian (expat, php-pecl-http, and php7.0), Fedora (ImageMagick, jackson-annotations, jackson-bom, jackson-core, jackson-databind, and rubygem-rmagick), Mageia (chromium-browser-stable, ibus, kernel, samba, and thunderbird), openSUSE (chromium), Oracle (dovecot and kernel), Red Hat (dbus, kernel, kernel-alt, and kpatch-patch), Scientific Linux (dovecot and kernel), and SUSE (expat, ibus, kernel, kernel-source-rt, nmap, openssl, and webkit2gtk3).
Stable kernels for the weekend
The 5.3.1, 5.2.17, 4.19.75, 4.14.146, 4.9.194, and 4.4.194 stable kernels are all available; each contains another set of important fixes.
LLVM 9.0.0 released
Version 9.0.0 of the LLVM compiler suite is out. Headline changes include asm goto support — fixing one of the main impediments to compiling the kernel on x86 with LLVM — and non-experimental support for the RISC-V architecture.
[$] Many uses for Core scheduling
Some new kernel features are welcomed by the kernel development community, while others are a rather harder sell. It is fair to say that core scheduling, which makes CPU scheduling harder by placing constraints on which processes may run simultaneously in a core, is of the latter variety. Core scheduling was the topic of (at least) three different sessions at the 2019 Linux Plumbers Conference. One of the most interesting outcomes, perhaps, is that there are use cases for this feature beyond protection from side-channel attacks.
Security updates for Friday
Security updates have been issued by Debian (bird, opendmarc, php7.3, and qemu), Fedora (bird, dino, nbdkit, and openconnect), Oracle (nginx:1.14, patch, and thunderbird), Red Hat (dovecot, kernel, kernel-alt, and kernel-rt), Scientific Linux (thunderbird), and SUSE (kernel, openssl, openssl-1_1, python-SQLAlchemy, and python-Werkzeug).
[$] System-call wrappers for glibc
The GNU C Library has long had a reputation for being hostile to the addition of wrappers for new Linux system calls; that has resulted in many system calls being unsupported by the library for years. That situation is changing, though. During the Toolchain microconference at the 2019 Linux Plumbers Conference, Maciej Rozycki talked about glibc's new attitude toward system-call wrappers, but also served notice that there is still significant work to do for the addition of any new system call.
Stable kernels 5.2.16, 4.19.74, and 4.14.145
Greg Kroah-Hartman has announced the release of the 5.2.16, 4.19.74, and 4.14.145 stable kernels. Important fixes are contained within; users should upgrade.
Security updates for Thursday
Security updates have been issued by CentOS (exiv2, firefox, ghostscript, http-parser, httpd, kdelibs and kde-settings, kernel, pango, qemu-kvm, and thunderbird), Debian (ibus), Fedora (kernel, kernel-headers, python34, qbittorrent, and samba), openSUSE (chromium), Oracle (go-toolset:ol8), Red Hat (kernel, nginx:1.14, patch, ruby, skydive, systemd, and thunderbird), Scientific Linux (thunderbird), SUSE (libreoffice, openssl-1_1, python-urllib3, and python-Werkzeug), and Ubuntu (tomcat9 and wpa, wpasupplicant).
[$] LWN.net Weekly Edition for September 19, 2019
The LWN.net Weekly Edition for September 19, 2019 is available.
[$] Deep argument inspection for seccomp
In the Kernel Summit track at the 2019 Linux Plumbers Conference, Christian Brauner and Kees Cook led a discussion on finding a way to do deep argument inspection for seccomp filtering. Currently, seccomp filters can only look at the top-level arguments to a system call, which means that there are use cases that cannot be supported. There was a lively discussion in the session, but no definitive conclusion was reached; various ideas were considered, but none seemed to quite fit the bill.
Security updates for Wednesday
Security updates have been issued by CentOS (firefox and kernel), Debian (thunderbird), Fedora (curl), openSUSE (curl and python-Werkzeug), Oracle (kernel and thunderbird), Red Hat (rh-nginx114-nginx), SUSE (curl, ibus, MozillaFirefox, firefox-glib2, firefox-gtk3, openldap2, openssl, openssl1, python-urllib3, and util-linux and shadow), and Ubuntu (linux, linux-aws, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-oracle, linux-raspi2, linux-snapdragon, and wpa).
Moving Firefox to a faster 4-week release cycle
The Mozilla blog has an announcement that Firefox will be moving to a 4-week release cycle, starting in 2020. "Shorter release cycles provide greater flexibility to support product planning and priority changes due to business or market requirements. With four-week cycles, we can be more agile and ship features faster, while applying the same rigor and due diligence needed for a high-quality and stable release. Also, we put new features and implementation of new Web APIs into the hands of developers more quickly." The Firefox ESR (Extended Support Release) release cadence will remain the same.
[$] The properties of secure IoT devices
At Open Source Summit North America 2019, David Tarditi from Microsoft gave a talk on seven different properties for highly secure Internet of Things (IoT) devices. The properties are based on a Microsoft Research whitepaper [PDF] from 2017. His high-level summary of the talk was that if you are creating a device that will be connecting to the internet and you don't want it to get "owned", you should pay attention to the properties he would be describing. Overall, it was an interesting talk, with good analysis of the areas where effort needs to be focused to produce secure IoT devices, but it was somewhat marred by an advertisement for a proprietary product (which, naturally, checked all the boxes) at the end of the talk.
CentOS Linux 7 (1908) released
A new release of CentOS Linux 7 is available. This release is tagged as 1908 and derived from Red Hat Enterprise Linux 7.7 source code. The release notes have the details. CentOS Linux 7 (1908) is also available for several alternate architectures.
Security updates for Tuesday
Security updates have been issued by Debian (dino-im, python2.7, python3.4, and wpa), Fedora (kmplayer), openSUSE (podman and samba), Oracle (thunderbird), Red Hat (thunderbird), Slackware (expat), SUSE (curl), and Ubuntu (apache2).
[$] Maintainers Summit topics: pull depth, hardware vulnerabilities, etc.
The final sessions at the 2019 Linux Kernel Maintainers Summit covered a number of relatively quick topics, including the "pull depth" for code going into the mainline, the handling of hardware vulnerabilities, the ABI status of tracepoints, and more.
Richard Stallman resigns from the FSF
With a brief announcement, the Free Software Foundation has let it be known that founder Richard Stallman has resigned both as president and from the board of directors. "The board will be conducting a search for a new president, beginning immediately. Further details of the search will be published on fsf.org".
[$] Linus Torvalds on the kernel development community
The Linux Kernel Maintainers Summit is all about the development process, so it is natural to spend some time on how that process is working at the top of the maintainer hierarchy. The "is Linus happy?" session during the 2019 summit revealed that things are working fairly well at that level, but that, as always, there are a few things that could be improved.
Stable kernel updates
Stable kernels 5.2.15, 4.19.73, 4.14.144, 4.9.193, and 4.4.193 have been released. They all contain important fixes and users should upgrade.
Security updates for Monday
Security updates have been issued by Debian (ansible, faad2, linux-4.9, and thunderbird), Fedora (jbig2dec, libextractor, sphinx, and thunderbird), Mageia (expat, kconfig, mediawiki, nodejs, openldap, poppler, thunderbird, webkit2, and wireguard), openSUSE (buildah, ghostscript, go1.12, libmirage, python-urllib3, rdesktop, and skopeo), SUSE (python-Django), and Ubuntu (exim4, ibus, and Wireshark).
[$] The stable-kernel process
The stable kernel process is a perennial topic of discussion at gatherings of kernel developers; the 2019 Linux Kernel Maintainers Summit was no exception. Sasha Levin ran a session there where developers could talk about the problems they have with stable kernels and ponder solutions.
The 5.3 kernel is out
The 5.3 kernel is available at last. The announcement includes a long discussion about user-space regressions — an ext4 filesystem performance improvement had caused some systems to fail booting due to a lack of entropy early after startup. "It's more that it's an instructive example of what counts as a regression, and what the whole 'no regressions' kernel rule means. The reverted commit didn't change any API's, and it didn't introduce any new bugs. But it ended up exposing another problem, and as such caused a kernel upgrade to fail for a user. So it got reverted." Some of the more significant changes in 5.3 include scheduler utilization clamping, the pidfd_open() and clone3() system calls, bounded loop support for BPF programs, support for the 0.0.0.0/8 IPv4 address range, a new configuration option for the soon-to-be-merged realtime preemption code, and more. See the KernelNewbies 5.3 page for lots of details.
[$] Dealing with automated kernel bug reports
There is value in automatic testing systems, but they also present a problem of their own: how can one keep up with the high volume of bug reports that they generate? At the 2019 Linux Kernel Maintainers Summit, Shuah Khan ran a session dedicated to this issue. There was general agreement that the reports are hard to deal with, but not a lot of progress toward a solution.
[$] Defragmenting the kernel development process
The first session at the 2019 Linux Kernel Maintainers Summit was a last-minute addition to the schedule. Dmitry Vyukov's Linux Plumbers Conference session on the kernel development process (slides [PDF]) had inspired a number of discussions that, it was agreed, should carry over into the summit. The result was a wide-ranging conversation about the kernel's development tools and what could be done to improve them.
Security updates for Friday
Security updates have been issued by Debian (curl, dnsmasq, and golang-go.crypto), Mageia (docker, firefox, flash-player-plugin, ghostscript, links, squid, sympa, tcpflow, thunderbird, and znc), openSUSE (srt), Oracle (.NET Core, kernel, libwmf, and poppler), Scientific Linux (firefox), SUSE (cri-o, curl, java-1_8_0-ibm, python-SQLAlchemy, and python-urllib3), and Ubuntu (curl and expat).
[$] Comparing GCC and Clang security features
Hardening must be performed at all levels of a system, including in the compiler that is used to build that system. There are two viable compilers in the free-software community now, each of which offers a different set of security features. Kees Cook ran a session during the Toolchains microconference at the 2019 Linux Plumbers Conference that examined the security-feature support provided by both GCC and LLVM Clang, noting the places where each one could stand to improve.
Security updates for Thursday
Security updates have been issued by Arch Linux (exim, firefox, and webkit2gtk), Debian (libonig and opensc), Fedora (cobbler), Oracle (firefox and kernel), Red Hat (flash-plugin, kernel, kernel-rt, rh-maven35-jackson-databind, rh-nginx110-nginx, and rh-nginx112-nginx), Scientific Linux (kernel), Slackware (curl, mozilla, and openssl), SUSE (ceph, libvirt, and python-Werkzeug), and Ubuntu (vlc and webkit2gtk).
[$] LWN.net Weekly Edition for September 12, 2019
The LWN.net Weekly Edition for September 12, 2019 is available.
[$] Topics from the Open Printing microconference
On day two of the 2019 Linux Plumbers Conference, two of the principals behind the Open Printing project led the very first Open Printing microconference. Project leader Till Kamppeter and program manager Aveek Basu described the current state of printing on Linux and some of the plans for the future, including supporting scanning for multi-function devices. The picture they painted was rosy, at least for printing, which may not quite match the experience of many Linux users. As with many projects, though, Open Printing is starved for contributors—something that was reflected in the sparse attendance at the microconference.
[$] The USB debugging arsenal
At the 2019 Embedded Linux Conference North America, which was held in San Diego in August, Krzysztof Opasiak gave a presentation on demystifying the ways to monitor—and even change—USB traffic on a Linux system. He started with the basics of the USB protocol and worked up into software and hardware tools to observe, modify, and fuzz the messages that get sent. Those tools are part of the arsenal that is available to those interested in looking deeply into USB.
[$] SGX and security modules
Software Guard Extensions (SGX) is a set of security-related instructions for Intel processors; it allows the creation of private regions of memory, called "enclaves". The aim of this feature is to work like an inverted sandbox: instead of protecting the system from malicious code, it protects an application from a compromised kernel, hypervisor, or other application. Linux support for SGX has existed out-of-tree for years, and the effort of upstreaming it has reached an impressive version 22 of the patch set. During the upstreaming discussion, the kernel developers discovered that the proposed SGX API did not play nicely with existing security mechanisms, including Linux security modules (LSMs).
Security updates for Wednesday
Security updates have been issued by Fedora (python38), openSUSE (nginx, nodejs10, nodejs8, python-Twisted, python-Werkzeug, SDL2_image, SDL_image, and util-linux and shadow), Oracle (firefox and nghttp2), Red Hat (.NET Core, firefox, kernel, libwmf, pki-deps:10.6, and poppler), Scientific Linux (firefox), SUSE (ghostscript, libgcrypt, podman, python-SQLAlchemy, qemu, and webkit2gtk3), and Ubuntu (curl, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, systemd, and tomcat8).
CodeWeavers mourns Józef Kucia
The CodeWeavers blog carries the sad news that Józef Kucia died last month. "Józef first contributed to Wine in March of 2012, showing remarkable skill with Wine’s D3D technology. He became a key contributor to Wine, submitting over 2,500 patches. He also contributed to other open source projects including Mesa and Debian. Józef founded and led the vkd3d project and provided insight and guidance to the Vulkan working group. Józef joined CodeWeavers in 2015, and quickly became one of our most valued employees."
A set of stable kernels
Stable kernels 5.2.14, 4.19.72, 4.14.143, 4.9.192, and 4.4.192 have been released. They all contain important fixes and users should upgrade.
Security updates for Tuesday
Security updates have been issued by Debian (docker.io, icedtea-web, and trafficserver), openSUSE (opera), Red Hat (bind, firefox, go-toolset:rhel8, kernel, nghttp2, and polkit), SUSE (buildah, curl, java-1_7_1-ibm, and skopeo), and Ubuntu (freetype, memcached, python2.7, python3.4, and python2.7, python3.5, python3.6, python3.7).
[$] 5.3 Kernel development cycle statistics
It's that time of the development cycle again: work on the 5.3 kernel is winding down with an expected final release date of September 15. Read on for LWN's traditional look at where the code in 5.3 came from in this relatively busy development cycle.
Security updates for Monday
Security updates have been issued by Debian (expat, ghostscript, libreoffice, and memcached), Fedora (chromium, grafana, kea, nsd, pdfbox, roundcubemail, and SDL), Gentoo (apache, dbus, exim, libsdl2, pango, perl, vlc, and webkit-gtk), Mageia (dovecot, giflib, golang, icedtea-web, irssi, java-1.8.0-openjdk, libgcrypt, libmspack, mercurial, monit, php, poppler, python-urllib3, rdesktop, SDL12, sdl2, sigil, sqlite3, subversion, tomcat, and zstd), openSUSE (chromium, exim, go1.12, httpie, libmirage, python-SQLAlchemy, and srt), Oracle (firefox, ghostscript, and kernel), SUSE (apache2, mariadb, mariadb-connector-c, postgresql94, python-Django1, python-Pillow, python-urllib3, and qemu), and Ubuntu (exim4).
Kernel prepatch 5.3-rc8
The eighth and presumably final 5.3 prepatch is out for testing. "So we probably didn't strictly need an rc8 this release, but with LPC and the KS conference travel this upcoming week it just makes everything easier."
Critical vulnerability in Exim
Anybody running the Exim mail system will want to apply the updates that are being released today; there is a remote code-execution vulnerability in its TLS-handling code with a known proof-of-concept exploit. As the advisory says: "If your Exim server accepts TLS connections, it is vulnerable".
Stable kernels for everybody
The 5.2.12, 4.19.70, 4.14.142, 4.9.191, and 4.4.191 stable kernels have been released with another set of important fixes. Milliseconds thereafter, 5.2.13 and 4.19.71 were released to fix a regression with the elantech mouse driver.
[$] How Chrome OS works upstream
Google has a long and interesting history contributing to the upstream Linux kernel. With Chrome OS, Google has tried to learn from some of the mistakes of its past and is now working with the upstream Linux kernel as much as it can. In a session at the 2019 Open Source Summit North America, Google software engineer Doug Anderson detailed how and why Chrome OS developers work upstream. It is an effort intended to help the Linux community as well as Google.
Security updates for Friday
Security updates have been issued by Debian (exim4 and firefox-esr), Fedora (lxc, lxcfs, pdfresurrect, python3-lxc, rdesktop, and seamonkey), Oracle (kernel), and SUSE (nginx, python-Werkzeug, SUSE Manager Client Tools, and util-linux and shadow).
[$] What happens to kernel staging-tree code
The staging tree was added to the kernel in 2008 for the 2.6.28 development cycle as a way to ease the process of getting substandard device drivers into shape and merged into the mainline. It has been followed by controversy for just about as long. The recent disagreements over the EROFS and exFAT filesystems have reignited many of the arguments over whether the staging tree is beneficial to the kernel community or not. LWN cannot answer that question, but we can look into what has transpired in the staging tree in its first eleven years to see if there are any conclusions to be drawn there. A lot of code has gone into the staging tree over the years; what happened to it thereafter?
Security updates for Thursday
Security updates have been issued by Debian (webkit2gtk), Fedora (systemd), openSUSE (go1.11, python-Twisted, SDL2_image, SDL_image, and wavpack), Oracle (kdelibs and kde-settings, kernel, and qemu-kvm), Red Hat (chromium-browser and firefox), Slackware (seamonkey), SUSE (java-1_8_0-ibm, kernel, and python-urllib3), and Ubuntu (firefox and npm/fstream).
Google's differential privacy library
Google has announced the release of a new library for applications using differential privacy techniques. "Differentially-private data analysis is a principled approach that enables organizations to learn from the majority of their data while simultaneously ensuring that those results do not allow any individual's data to be distinguished or re-identified. This type of analysis can be implemented in a wide variety of ways and for many different purposes. For example, if you are a health researcher, you may want to compare the average amount of time patients remain admitted across various hospitals in order to determine if there are differences in care. Differential privacy is a high-assurance, analytic means of ensuring that use cases like this are addressed in a privacy-preserving manner."