Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-24 16:30
Security updates for Thursday
Security updates have been issued by openSUSE (amavisd-new, apache2, and containerd, docker, docker-runc), Red Hat (java-1.7.1-ibm and java-1.8.0-ibm), and Ubuntu (linux, linux-azure, linux-gcp, linux-kvm, linux-raspi2, linux-hwe, linux-azure, and php5, php7.0).
[$] LWN.net Weekly Edition for March 7, 2019
The LWN.net Weekly Edition for March 7, 2019 is available.
[$] The Thunderclap vulnerabilities
It should come as no surprise that plugging untrusted devices into a computer system can lead to a wide variety of bad outcomes—though often enough it works just fine. We have reported on a number of these kinds of vulnerabilities (e.g. BadUSB in 2014) along the way. So it will not shock readers to find out that another vulnerability of this type has been discovered, though it may not sit well that, even after years of vulnerable plug-in buses, there are still no solid protections against these rogue devices. This most-recent entrant into this space targets the Thunderbolt interface; the vulnerabilities found have been dubbed "Thunderclap".
Maru 0.6 released
The Maru distribution adds a full Linux desktop to Android devices; it was reviewed here in 2016. The 0.6 release is now available. Changes include a rebase onto LineageOS and Debian 9, and the ability to stream the desktop to a Chromecast device.
[$] A container-confinement breakout
The recently announced container-confinement breakout for containers started with runc is interesting from a few different perspectives. For one, it affects more than just runc-based containers as privileged LXC-based containers (and likely others) are also affected, though the LXC-based variety are harder to compromise than the runc ones. But it also, once again, shows that privileged containers are difficult—perhaps impossible—to create in a secure manner. Beyond that, it exploits some Linux kernel interfaces in novel ways and the fixes use a perhaps lesser-known system call that was added to Linux less than five years back.
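The system call the summary alludes to is memfd_create(2), which landed in Linux 3.17: runc's fix copies its own binary into an anonymous, sealed memfd before entering the container, so that the /proc/self/exe a container process can reach is an immutable in-memory copy rather than the host's runc file. The following is an added example of that technique, written for this page; it is not runc's code. It calls the system call directly (the glibc wrapper only exists in newer glibc) and defines the UAPI constants as a fallback for older headers. The function and file names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for older headers; the values match the Linux UAPI. */
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U
#define MFD_ALLOW_SEALING 0x0002U
#endif
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#define F_GET_SEALS 1034
#define F_SEAL_SEAL 0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW 0x0004
#define F_SEAL_WRITE 0x0008
#endif

/* Copy the file at `path` into a freshly created anonymous memfd and seal it
 * against any further change in size or content. Returns the memfd, or -1
 * with errno set. Once sealed, even a root process that obtains this fd
 * (e.g. through /proc/<pid>/exe inside a container) cannot overwrite it. */
int sealed_memfd_copy(const char *path, const char *name)
{
    int src = open(path, O_RDONLY | O_CLOEXEC);
    if (src < 0)
        return -1;
    int mfd = (int)syscall(SYS_memfd_create, name, MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0) {
        close(src);
        return -1;
    }
    char buf[64 * 1024];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n;) {
            ssize_t w = write(mfd, buf + off, (size_t)(n - off));
            if (w < 0) {
                close(src);
                close(mfd);
                return -1;
            }
            off += w;
        }
    }
    close(src);
    /* F_SEAL_SEAL last: after it, no further seals can be added or removed. */
    if (n < 0 ||
        fcntl(mfd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        close(mfd);
        return -1;
    }
    return mfd;
}

/* 1 if the kernel refuses a write to fd with EPERM, i.e. the write seal holds. */
int write_is_sealed(int fd)
{
    errno = 0;
    return pwrite(fd, "x", 1, 0) < 0 && errno == EPERM;
}

/* 1 if F_GET_SEALS reports the write seal as set. */
int has_write_seal(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & F_SEAL_WRITE) != 0;
}

off_t fd_size(int fd)
{
    return lseek(fd, 0, SEEK_END);
}

int main(void)
{
    /* Same move runc's fix makes with its own binary: clone /proc/self/exe
     * into a sealed memfd. A re-exec from the copy (fexecve(fd, ...) or
     * execve("/proc/self/fd/N", ...)) would follow; it is not done here. */
    int fd = sealed_memfd_copy("/proc/self/exe", "sealed-self");
    if (fd < 0) {
        perror("sealed_memfd_copy");
        return 1;
    }
    printf("sealed copy: %lld bytes, write refused: %s\n",
           (long long)fd_size(fd), write_is_sealed(fd) ? "yes" : "no");
    return 0;
}
```

The point of sealing rather than merely copying is that a copy in a plain tmpfs file would still be writable by a root-in-container process that can reach it; the seals make the kernel itself reject the write, and F_SEAL_SEAL stops anyone from lifting them afterwards.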
Stable kernel updates
Stable kernels 4.20.14, 4.19.27, 4.14.105, and 4.9.162 have been released. They all contain the usual set of important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by CentOS (java-1.7.0-openjdk and java-11-openjdk), Debian (mumble and sox), Fedora (drupal7, drupal7-link, firefox, gpsd, ignition, ming, php-erusev-parsedown, and php-Smarty), openSUSE (hiawatha, python, and supportutils), Oracle (java-1.7.0-openjdk), Red Hat (java-1.7.0-openjdk), Scientific Linux (java-1.7.0-openjdk), and Ubuntu (linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-oracle, linux-raspi2 and linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle).
[$] Source-code access for the long haul
Corporations that get their feet wet in the sea of free software often find out that not only do they now have obligations to provide source code, but that people will actually try to access it and complain loudly if they can't get it. At the first Copyleft Conference, Alexios Zavras from Intel spoke alongside Stefano Zacchiroli from Software Heritage about how the two organizations are working together. Software Heritage's mission makes it ideally suited to host Intel's many source-code releases in a way that provides stable long-term repositories that Intel can then reference.
[$] Two topics in user-space access
Kernel code must often access data that is stored in user space. Most of the time, this access is uneventful, but it is not without its dangers and cannot be done without exercising due care. A couple of recent discussions have made it clear that this care is not always being taken, and that not all kernel developers fully understand how user-space access should be performed. The good news is that kernel developers are currently working on a set of changes to make user-space access safer in the future.
Security updates for Tuesday
Security updates have been issued by Debian (nss), openSUSE (procps), Red Hat (redhat-virtualization-host, rhvm-appliance, and vdsm), SUSE (freerdp, kernel, and obs-service-tar_scm), and Ubuntu (openssh).
Rosenzweig: The federation fallacy
Here's a lengthy piece from Alyssa Rosenzweig on preserving freedom despite the inevitable centralization of successful information services. "Indeed, it seems all networked systems tend towards centralisation as the natural consequence of growth. Some systems, both legitimate and illegitimate, are intentionally designed for centralisation. Other systems, like those in the Mastodon universe, are specifically designed to avoid centralisation, but even these succumb to the centralised black hole as their user bases grow towards the event horizon."
Security updates for Monday
Security updates have been issued by Arch Linux (chromium, file, gdm, lib32-openssl-1.0, openssl-1.0, and pcre), Debian (advancecomp, ceph, jackson-databind, openssh, and openssl), Fedora (community-mysql, distcc, freerdp, gdm, gnome-boxes, libexif, openocd, pidgin-sipe, remmina, SDL, and xpdf), openSUSE (kernel-firmware and php5), Oracle (java-1.8.0-openjdk and java-11-openjdk), Slackware (infozip and python), and SUSE (caasp-container-manifests, changelog-generator-data-sles12sp3-velum, kubernetes-salt, rubygem-aes_key_wrap, rubygem-json-jwt, sles12sp3-velum-image, velum and gdm).
The 5.0 kernel has been released.
Linus has released the 5.0 kernel. "But I'd like to point out (yet again) that we don't do feature-based releases, and that "5.0" doesn't mean anything more than that the 4.x numbers started getting big enough that I ran out of fingers and toes." Headline features from this release include the energy-aware scheduling patch set, a bunch of year-2038 work that comes close to completing the core-kernel transition, zero-copy networking for UDP traffic, the Adiantum encryption algorithm, the seccomp trap to user space mechanism, and, of course, lots of new drivers and fixes. See the KernelNewbies 5.0 page for lots of details.
[$] A kernel unit-testing framework
For much of its history, the kernel has had little in the way of formal testing infrastructure. It is not entirely an exaggeration to say that testing is what the kernel community kept users around for. Over the years, though, that situation has improved; internal features like kselftest and services like the 0day testing system have increased our test coverage considerably. The story is unlikely to end there, though; the next addition to the kernel's testing arsenal may be a unit-testing framework called KUnit.
Security updates for Friday
Security updates have been issued by Debian (bind9, file, ikiwiki, ldb, openssl1.0, php7.0, uw-imap, and wordpress), Fedora (ansible, file, flatpak, kernel, kernel-headers, and python-django), openSUSE (kernel and systemd), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (openssl-1_1 and webkit2gtk3), and Ubuntu (libgd2).
Why CLAs aren't good for open source (Opensource.com)
Over at Opensource.com, Richard Fontana argues that contributor license agreements (CLAs) are not particularly useful or helpful for open-source projects. "Since CLAs continue to be a minority practice and originate from outside open source community culture, I believe that CLA proponents should bear the burden of explaining why they are necessary or beneficial relative to their costs. I suspect that most companies using CLAs are merely emulating peer company behavior without critical examination. CLAs have an understandable, if superficial, appeal to risk-averse lawyers who are predisposed to favor greater formality, paper, and process regardless of the business costs." He goes on to look at some of the arguments that CLA proponents make and gives his perspective on why they fall short.
[$] Core scheduling
Kernel developers are used to having to defend their work when posting it to the mailing lists, so when a longtime kernel developer describes their own work as "expensive and nasty", one tends to wonder what is going on. The patch set in question is core scheduling from Peter Zijlstra. It is intended to make simultaneous multithreading (SMT) usable on systems where cache-based side channels are a concern, but even its author is far from convinced that it should actually become part of the kernel.
Security updates for Thursday
Security updates have been issued by Debian (gpac, qemu, and sox), openSUSE (libqt5-qtbase), Red Hat (java-1.8.0-openjdk and java-11-openjdk), SUSE (bluez), and Ubuntu (nss and openssl, openssl1.0).
[$] LWN.net Weekly Edition for February 28, 2019
The LWN.net Weekly Edition for February 28, 2019 is available.
[$] GMP and assert()
A report of a potential security problem in the GNU Multiple Precision Arithmetic (GMP) library was met with a mixed reaction, from skepticism to responses verging on hostility, but the report ultimately raised a question worth pondering. What role should assertions (i.e. calls to the POSIX assert() macro) play in error handling? An assertion that fails leads to a process exit, which may not be what a developer calling into a library expects. Unexpected behavior is, of course, one step on a path that can lead to security holes.
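The two failure modes behind that question are easy to see side by side. An added, constructed example (not GMP code; the record type and function names are invented for illustration): a library routine that copies a caller-supplied buffer into a fixed-size record, once guarded only by assert() and once with a real validity check. With assert(), a caller that passes an untrusted length gets either an abort() of the whole process (in a normal build) or, when the library was compiled with -DNDEBUG, no check at all and a buffer overrun. The checked variant reports the problem and leaves the decision to the caller in every build.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REC_MAX 16

/* Constructed record type for the example. */
struct rec {
    uint8_t data[REC_MAX];
    size_t len;
};

/* Style 1: assert() as the only guard.
 * - default build: a bad `len` aborts the calling process, which is a
 *   denial of service for a daemon that merely wanted an error code;
 * - -DNDEBUG build: the assert() expands to nothing and memcpy() runs
 *   past the end of r->data. */
void rec_set_assert(struct rec *r, const uint8_t *src, size_t len)
{
    assert(len <= REC_MAX); /* compiled out entirely under NDEBUG */
    memcpy(r->data, src, len);
    r->len = len;
}

/* Style 2: validate and report. The check exists in every build and the
 * caller chooses how to recover. Returns 0 or a negative errno value. */
int rec_set_checked(struct rec *r, const uint8_t *src, size_t len)
{
    if (r == NULL || src == NULL)
        return -EINVAL;
    if (len > REC_MAX)
        return -EMSGSIZE;
    memcpy(r->data, src, len);
    r->len = len;
    return 0;
}

/* 1 if assert() is live in this translation unit, 0 if NDEBUG removed it.
 * Lets a caller (or a test) see which of the two bad outcomes style 1
 * would produce in this particular build. */
int asserts_enabled(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}
```

The usual rule of thumb follows from this: assert() is for invariants the library itself guarantees (a violation is a bug in the library), while anything that depends on caller-supplied input needs a check that survives NDEBUG and returns an error instead of exiting.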
[$] Revisiting PEP 394
With the uptake of Python 3 (and the imminent end of life for Python 2.7), there is a question of which version of Python a user should get when they type "python" at the command line or have it as part of a shebang ("#!") line in a script. Back in 2011, PEP 394 ("The 'python' Command on Unix-Like Systems") was created as an informational PEP that relayed the recommendations of the Python core developers to Linux distributions and others in a similar position about which version to point python to. Now, Petr Viktorin, one of the authors of the PEP, would like to revisit those recommendations, which is something that is suggested in the PEP itself.
Stable kernel updates
Stable kernels 4.20.13, 4.19.26, 4.14.104, and 4.9.161 have been released. They all contain important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Arch Linux (elasticsearch and logstash), CentOS (java-1.8.0-openjdk, kernel, and polkit), Debian (chromium, exiv2, and phpmyadmin), Fedora (java-1.8.0-openjdk-aarch32 and mgetty), openSUSE (docker-runc, gvfs, qemu, systemd, and thunderbird), Oracle (java-1.8.0-openjdk, kernel, and polkit), Red Hat (polkit), Scientific Linux (java-1.8.0-openjdk, kernel, and polkit), Slackware (openssl), SUSE (amavisd-new, apache2, ceph, containerd, docker, docker-runc, golang-github-docker-libnetwork, runc, openssh, and webkit2gtk3), and Ubuntu (firefox and thunderbird).
[$] Reimplementing printk()
The venerable printk() function has been part of Linux since the very beginning, though it has undergone a fair number of changes along the way. Now, John Ogness is proposing to fundamentally rework printk() in order to get rid of a handful of issues that currently plague it. The proposed code does this by adding yet another ring-buffer implementation to the kernel; this one is aimed at making printk() work better from hard-to-handle contexts. For a task that seems conceptually simple—printing messages to the console—printk() is actually a rather complex beast; that won't change if these patches are merged, though many of the problems with the current implementation will be removed.
Security updates for Tuesday
Security updates have been issued by Arch Linux (bind, kibana, systemd, and thunderbird), Debian (elfutils and liblivemedia), Fedora (kernel, kernel-headers, kernel-tools, and SDL), openSUSE (dovecot23, firefox, kauth, python-Jinja2, python-numpy, and thunderbird), Red Hat (java-1.8.0-openjdk and kernel), SUSE (python, python-amqp, python-oslo.messaging, python-ovs, python-paramiko, python-psql2mysql, qemu, and supportutils), and Ubuntu (ghostscript, gnome-keyring, and ldb).
Go 1.12 released
Version 1.12 of the Go language has been released. "Some of the highlights include opt-in support for TLS 1.3, improved modules support (in preparation for being the default in Go 1.13), support for windows/arm, and improved macOS & iOS forwards compatibility". See the release notes for details.
[$] Memory-mapped I/O without mysterious macros
Concurrency is hard even when the hardware's behavior is entirely deterministic; it gets harder in situations where operations can be reordered in seemingly random ways. In these cases, developers tend to reach for barriers as a way of enforcing ordering, but explicit barriers are tricky to use and are often not the best way to think about the problem. It is thus common to see explicit barriers removed as code matures. That now seems to be happening with an especially obscure type of barrier used with memory-mapped I/O (MMIO) operations.
Git v2.21.0
Git v2.21.0 has been released. "It is comprised of 500 non-merge commits since v2.20.0, contributed by 74 people, 20 of which are new faces." The release notes are included in the announcement.
GCC 8.3 Released
Version 8.3 of the GNU Compiler Collection has been released. "GCC 8.3 is a bug-fix release from the GCC 8 branch containing important fixes for regressions and serious bugs in GCC 8.2 with more than 153 bugs fixed since the previous release."
Security updates for Monday
Security updates have been issued by Arch Linux (msmtp and python-mysql-connector), Debian (freedink-dfarc, rssh, sox, and waagent), Fedora (docker-latest, java-1.8.0-openjdk, koji, pagure, poppler, and spice), openSUSE (ansible, GraphicsMagick, mosquitto, pspp, spread-sheet-widget, and python-python-gnupg), Red Hat (chromium-browser), Slackware (file), SUSE (kernel, python-Django, qemu, and thunderbird), and Ubuntu (bind9).
Kernel prepatch 5.0-rc8
Anybody expecting the 5.0 kernel to come out today will have been disappointed; Linus released 5.0-rc8 instead. "This may be totally unnecessary, but we actually had more patches come in this last week than we had for rc7, which just didn't make me feel the warm and fuzzies. And while none of the patches looked all that scary, some of them were to pretty core files, so it wasn't all just random rare drivers (although those kinds also existed)."
Weekend stable kernel updates
The latest updates from the stable kernel machine are 4.20.12, 4.19.25, 4.14.103, 4.9.160, 4.4.176, and 3.18.136. Each contains a relatively small set of important fixes.
[$] Containers as kernel objects — again
Linus Torvalds once famously said that there is no design behind the Linux kernel. That may be true, but there are still some guiding principles behind the evolution of the kernel; one of those, to date, has been that the kernel does not recognize "containers" as objects in their own right. Instead, the kernel provides the necessary low-level features, such as namespaces and control groups, to allow user space to create its own container abstraction. This refusal to dictate the nature of containers has led to a diverse variety of container models and a lot of experimentation. But that doesn't stop those who would still like to see the kernel recognize containers as first-class kernel-supported objects.
Security updates for Friday
Security updates have been issued by Mageia (libreoffice, libtiff, spice, and spice-gtk), openSUSE (build, mosquitto, and nodejs6), Red Hat (firefox, flatpak, and systemd), Scientific Linux (firefox, flatpak, and systemd), SUSE (kernel-firmware and texlive), and Ubuntu (bind9 and ghostscript).
The Linux Foundation Launches ELISA Project Enabling Linux In Safety-Critical Systems
The Linux Foundation has announced the formation of the Enabling Linux in Safety Applications (ELISA) project to create tools and processes for companies to use to build and certify safety-critical Linux applications. "Building off the work being done by SIL2LinuxMP project and Real-Time Linux project, ELISA will make it easier for companies to build safety-critical systems such as robotic devices, medical devices, smart factories, transportation systems and autonomous driving using Linux. Founding members of ELISA include Arm, BMW Car IT GmbH, KUKA, Linutronix, and Toyota. To be trusted, safety-critical systems must meet functional safety objectives for the overall safety of the system, including how it responds to actions such as user errors, hardware failures, and environmental changes. Companies must demonstrate that their software meets strict demands for reliability, quality assurance, risk management, development process, and documentation. Because there is no clear method for certifying Linux, it can be difficult for a company to demonstrate that their Linux-based system meets these safety objectives."
[$] Development statistics for the 5.0 kernel
The announcement of the 5.0-rc7 kernel prepatch on February 17 signaled the imminent release of the final 5.0 kernel and the end of this development cycle. 5.0, as it turns out, brought in fewer changesets than its immediate predecessors, but it was still a busy cycle with a lot of developers participating. Read on for an overview of where the work came from in this release cycle.
Security updates for Thursday
Security updates have been issued by CentOS (firefox, flatpak, and systemd), Fedora (createrepo_c, dnf, dnf-plugins-core, dnf-plugins-extras, docker, libcomps, libdnf, and runc), Mageia (giflib, irssi, kernel, kernel-linus, libexif, poppler, tcpreplay, and zziplib), and SUSE (php5, procps, and qemu).
[$] LWN.net Weekly Edition for February 21, 2019
The LWN.net Weekly Edition for February 21, 2019 is available.
Yaghmour: gitgeist: a git-based social network proof of concept
On his blog, Karim Yaghmour writes about an experimental social network that he and a colleague cobbled together using Git. While it is simply a proof of concept at this point, he is looking for feedback and, perhaps, collaborators to take it further. "It turns out that git has practically everything that's needed to act both as storage and protocol for a social network. Not only that, but it's very well-known within and used, deployed and maintained in the circles I navigate, it scales very well (see github), it's used for critical infrastructure (see kernel.org), it provides history, it's distributed by nature, etc. It's got *almost* everything, but not quite everything needed. So what's missing from git? A few basic things that it turns out aren't very hard to take care of: ability to 'follow', getting followee notifications, 'commenting' and an interface for viewing feeds. And instead of writing a whole online treatise of how this could be done, I asked my colleague Francois-Denis Gonthier to implement a proof of concept of this that we called 'gitgeist' and just published on github [https://github.com/opersys/gitgeist-poc]."
[$] Producing an application for both desktop and mobile
These days applications are generally moving away from the desktop and toward the mobile space. But taking a multi-platform desktop application and adding two mobile platforms into the mix is difficult to do, as Dirk Hohndel described in his linux.conf.au 2019 talk. Hohndel maintains the Subsurface dive log application, which has added mobile support over the past few years; he wanted to explain the process that the project went through to support all of those platforms. As the subtitle of the talk, "Developing for multiple platforms without losing your mind", indicates, it is a hard problem to solve sanely.
Stable kernel updates
Stable kernels 4.20.11, 4.19.24, 4.14.102, 4.9.159, 4.4.175, and 3.18.135 have been released. They all contain important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (ansible, drupal7, and systemd), Fedora (botan2, ceph, and firefox), Oracle (firefox, flatpak, and systemd), Red Hat (firefox), SUSE (gvfs, kernel, libqt5-qtbase, python-numpy, and qemu), and Ubuntu (gdm3).
digiKam 6.0.0 released
The digiKam team has announced the release of digiKam 6.0.0. New features include full support of video files management working as photos; an integration of all import/export web-service tools in LightTable, Image editor, and Showfoto; raw file decoding engine supporting new cameras; similarity data is now stored in a separate file; simplified web-service authentication using OAuth protocol; and more.
[$] Patent exhaustion and open source
When patents and free software crop up together, the usual question is about patent licensing. Patent exhaustion — the principle that patent rights don't reach past the first sale of a product — is much less frequently discussed. At FOSDEM 2019, US lawyer Van Lindberg argued that several US court decisions related to exhaustion, most of them recent but some less so, could come together to have surprising beneficial effects for free software. He was clear that the argument applied only in the US but, since court systems tend to look to each other for consistency's sake, and because Lindberg is an engaging speaker, the talk was of great interest even in Brussels.
Security updates for Tuesday
Security updates have been issued by Debian (chromium, rdesktop, rssh, systemd, and uriparser), Fedora (bouncycastle, eclipse-jgit, eclipse-linuxtools, jackson-annotations, jackson-bom, jackson-core, jackson-databind, jackson-dataformat-xml, jackson-dataformats-binary, jackson-dataformats-text, jackson-datatype-jdk8, jackson-datatype-joda, jackson-datatypes-collections, jackson-jaxrs-providers, jackson-module-jsonSchema, jackson-modules-base, jackson-parent, moby-engine, and subversion), openSUSE (chromium, docker-runc, firefox, GraphicsMagick, kernel, LibVNCServer, php7, pspp, spread-sheet-widget, and runc), SUSE (kernel-firmware, qemu, and systemd), and Ubuntu (nss and systemd).
Debian 9.8 released
The Debian project has announced the eighth update of Debian 9 "stretch". As a stable point release, this version mainly adds bug fixes for security issues and other serious problems. Click below for a list of changes.
[$] The case of the supersized shebang
Regressions are an unavoidable side effect of software development; the kernel is no different in that regard. The 5.0 kernel introduced a change in the handling of the "#!" (or "shebang") lines used to indicate which interpreter should handle an executable text file. The problem has been duly fixed, but the incident shows how easy it can be to introduce unexpected problems and highlights some areas where the kernel's development process does not work as well as we might like.
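The format involved is small: the kernel looks for "#!" at the start of the file, takes the first whitespace-delimited token on that line as the interpreter, and passes whatever follows (after trimming) to it as a single extra argv entry, parsing only the fixed-size buffer it read from the head of the file. The 5.0 change made the kernel refuse a shebang line that did not terminate inside that buffer instead of silently cutting it off at the buffer boundary, which broke scripts with overlong interpreter lines; the fix restored the old truncating behaviour. The following user-space parser is an added example written for this page, not kernel code: it implements the format with a `strict` switch for the two policies. The 128-byte buffer size is an assumption about the kernel of that era and is parameterised as a constant.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed: the kernel parses the shebang out of its initial fixed-size read
 * of the file (128 bytes around the 5.0 release). */
#define SHEBANG_BUF 128

struct shebang {
    char interp[SHEBANG_BUF]; /* first token after "#!" */
    char arg[SHEBANG_BUF];    /* rest of the line, passed as ONE argv entry */
    bool truncated;           /* line ran past the buffer; truncating mode only */
};

/* Parse the shebang line at the start of `file` (`len` bytes).
 * strict == true : a line with no newline inside the buffer is rejected
 *                  (the 5.0 behaviour that caused the regression);
 * strict == false: the line is cut at the buffer boundary and used as-is
 *                  (the long-standing behaviour the fix restored).
 * Returns 0 on success, -1 if this is not a usable shebang script. */
int parse_shebang(const char *file, size_t len, bool strict, struct shebang *out)
{
    char buf[SHEBANG_BUF];
    size_t n = len < SHEBANG_BUF ? len : SHEBANG_BUF;
    memcpy(buf, file, n);
    if (n < 2 || buf[0] != '#' || buf[1] != '!')
        return -1;

    char *end = memchr(buf, '\n', n);
    bool truncated = (end == NULL);
    if (truncated) {
        if (strict)
            return -1;
        end = buf + n;
    }

    /* Trim whitespace on both ends of what remains of the line. */
    char *p = buf + 2;
    while (p < end && (*p == ' ' || *p == '\t'))
        p++;
    while (end > p && (end[-1] == ' ' || end[-1] == '\t' || end[-1] == '\r'))
        end--;
    if (p == end)
        return -1; /* "#!" with no interpreter */

    /* Interpreter is the first token; everything after it is one argument. */
    char *sp = p;
    while (sp < end && *sp != ' ' && *sp != '\t')
        sp++;
    size_t ilen = (size_t)(sp - p);
    memcpy(out->interp, p, ilen);
    out->interp[ilen] = '\0';

    while (sp < end && (*sp == ' ' || *sp == '\t'))
        sp++;
    size_t alen = (size_t)(end - sp);
    memcpy(out->arg, sp, alen);
    out->arg[alen] = '\0';
    out->truncated = truncated;
    return 0;
}
```

Note the "one argument" rule in the parser: `#!/bin/sh -e -x` hands the interpreter the single string `-e -x`, not two options, which is why portable scripts pass at most one option in the shebang line. The strict mode shows the trade-off the kernel faced: it is the safer parse (no silently mangled argument), but it turns every existing script with an overlong line into an ENOEXEC failure.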
Security updates for Monday
Security updates have been issued by Arch Linux (cairo, firefox, flatpak, hiawatha, and webkit2gtk), Debian (gsoap, mosquitto, php5, thunderbird, and tiff), Fedora (elfutils, ghostscript, gsi-openssh, kernel, kernel-headers, kernel-tools, kf5-kauth, mingw-podofo, mingw-poppler, mosquitto, podofo, and python-markdown2), Mageia (firefox, flash-player-plugin, lxc, and thunderbird), openSUSE (avahi, docker, libu2f-host, LibVNCServer, nginx, phpMyAdmin, and pspp, spread-sheet-widget), Red Hat (rhvm-appliance), and SUSE (python-numpy).
Kernel prepatch 5.0-rc7
The 5.0-rc7 kernel prepatch has been released. Linus says: "Nothing particularly odd stands out, and everything is pretty small. Just the way I like it."
Geary 0.13.0 released
Version 0.13.0 of the Geary graphical email client is out. "This is a major new release, featuring a number of new features — including a new user interface for creating and managing email accounts, integration with GNOME Online Accounts (which also provides OAuth login support for some services), improvements in displaying conversations, composing new messages, interacting with other email apps, reporting problems as they occur, and a number of important bug fixes, server compatibility fixes, and security fixes."