LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-22 19:15
[$] 5.3 Merge window, part 1
As of this writing, exactly 6,666 non-merge changesets have been pulled into the mainline repository for the 5.3 development cycle. The merge window has thus just begun, but there is still quite a bit in the way of interesting changes to look at. Read on for a list of what has been merged so far.
What is Silverblue? (Fedora Magazine)
Fedora Magazine has posted an introduction to the Silverblue distribution. "One of the main benefits is security. The base operating system is mounted as read-only, and thus cannot be modified by malicious software. The only way to alter the system is through the rpm-ostree utility. Another benefit is robustness. It’s nearly impossible for a regular user to get the OS to the state when it doesn’t boot or doesn’t work properly after accidentally or unintentionally removing some system library."
Security updates for Friday
Security updates have been issued by CentOS (dbus), Debian (firefox-esr, python3.4, and redis), Mageia (ffmpeg), Oracle (firefox, libvirt, and qemu), Red Hat (firefox and virt:8.0.0), Scientific Linux (firefox), and SUSE (kernel).
[$] Bcachefs gets closer
When it comes to new filesystems for Linux, patience is certainly a virtue. Btrfs took years to mature and, according to some, still isn't ready yet. Tux3 has kept users waiting since at least 2008; as of 2018 its developer still said that it was progressing. By these measures, bcachefs is a relative youngster, having been first announced a mere four years ago. Development of this next-generation filesystem continues, and bcachefs developer Kent Overstreet recently proclaimed his desire to "get this sucker merged", but there are some obstacles to overcome still.
Conway: Infinite work is less work
Damian Conway writes about the power of infinite sequences in Perl 6. The sequence of primes is just the sequence of positive integers, filtered (with a .grep) to keep only the ones that are prime. And, of course, Perl 6 already has a prime number tester: the built-in &is-prime function. The sequence of primes never changes, so we can declare it as a constant:
Security updates for Thursday
Security updates have been issued by Debian (dosbox and openjpeg2), Oracle (dbus and kernel), Scientific Linux (dbus), Slackware (mozilla), and SUSE (fence-agents, libqb, postgresql10, and sqlite3).
[$] LWN.net Weekly Edition for July 11, 2019
The LWN.net Weekly Edition for July 11, 2019 is available.
[$] The third Operating-System-Directed Power-Management summit
The third edition of the Operating-System-Directed Power-Management (OSPM) summit was held May 20-22 at the ReTiS Lab of the Scuola Superiore Sant'Anna in Pisa, Italy. The summit is organized to collaborate on ways to reduce the energy consumption of Linux systems, while still meeting performance and other goals. It is attended by scheduler, power-management, and other kernel developers, as well as academics, industry representatives, and others interested in the topics. As with previous years (2018 and 2017), LWN is happy to be able to bring our readers some extensive writeups of the talks and discussions that went on at OSPM. Subscribers can read on for the start of the writeups from the summit, which were authored by a long list of the participants.
A set of stable kernels
Stable kernels 5.1.17, 4.19.58, 4.14.133, 4.9.185, and 4.4.185 have been released. They all contain important fixes throughout the tree and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (redis), Fedora (expat), Mageia (dosbox, irssi, microcode, and postgresql11), Red Hat (bind, dbus, openstack-ironic-inspector, openstack-tripleo-common, python-novajoin, and qemu-kvm-rhev), Scientific Linux (kernel), SUSE (kernel-firmware, libdlm, libqb, and libqb), and Ubuntu (apport).
[$] Mucking about with microframeworks
Python does not lack for web frameworks, from all-encompassing frameworks like Django to "nanoframeworks" such as WebCore. A recent "spare time" project caused me to look into options in the middle of this range of choices, which is where the Python "microframeworks" live. In particular, I tried out the Bottle and Flask microframeworks—and learned a lot in the process. Subscribers can read on for the full report by Jake Edge from this week's edition.
GnuPG 2.2.17 released
GnuPG 2.2.17 has been released to mitigate attacks on keyservers. In particular, GPG will now ignore all key-signatures received from keyservers by default.
Firefox 68.0 released
Firefox 68.0 has been released, with an Extended Support Release (ESR) version available, in addition to the usual rapid release version. The rapid release version features a dark mode in reader view, improved extension security and discovery, and more. See the release notes for details. The ESR release notes list some additional policies and other improvements.
Software in the Public Interest board elections
Software in the Public Interest (SPI) has announced that nominations are open until July 15 for 3 seats on the SPI board. "The ideal candidate will have an existing involvement in the Free and Open Source community, though this need not be with a project affiliated with SPI."
Security updates for Tuesday
Security updates have been issued by Arch Linux (irssi, python-django, and python2-django), Debian (libspring-security-2.0-java and zeromq3), Red Hat (python27-python), SUSE (ImageMagick, postgresql10, python-Pillow, and zeromq), and Ubuntu (apport, Docker, glib2.0, gvfs, whoopsie, and zeromq3).
Miller: Red Hat, IBM, and Fedora
Fedora project leader Matthew Miller reassures the community that IBM's acquisition of Red Hat, which just closed, will not affect Fedora. "In Fedora, our mission, governance, and objectives remain the same. Red Hat associates will continue to contribute to the upstream in the same ways they have been."
[$] Destaging ION
The Android system has shipped a couple of allocators for DMA buffers over the years; first came PMEM, then its replacement ION. The ION allocator has been in use since around 2012, but it remains stuck in the kernel's staging tree. The work to add ION to the mainline started in 2013; at that time, the allocator had multiple issues that made inclusion impossible. Recently, John Stultz posted a patch set introducing DMA-BUF heaps, an evolution of ION, that is designed to do exactly that — get the Android DMA-buffer allocator to the mainline Linux kernel.
Ryabitsev: Patches carved into developer sigchains
Konstantin Ryabitsev has posted a lengthy blog entry describing his vision for moving away from email for kernel development. "I think it's way past due time for us to come up with a solution that would offer decentralized, self-archiving, fully attestable, 'cradle-to-grave' development platform that covers all aspects of project development and not just the code. It must move us away from mailing lists, but avoid introducing single points of trust, authority, and failure."
Security updates for Monday
Security updates have been issued by Debian (dosbox, python-django, squid3, and unzip), Fedora (filezilla, libfilezilla, and samba), openSUSE (gvfs), Oracle (kernel), Red Hat (firefox and redhat-virtualization-host), SUSE (bash and libpng16), and Ubuntu (libvirt).
The 5.2 kernel has been released
Linus Torvalds has released the 5.2 kernel. He originally planned for an rc8 this week, rather than 5.2, due to his travel schedule, but was pleasantly surprised at how calm things have been. "So despite a fairly late core revert, I don't see any real reason for another week of rc, and so we have a v5.2 with the normal release timing." Some of the more significant changes in 5.2 are a new CLONE_PIDFD flag to clone() to obtain a pidfd for the new process, a significant BPF verifier performance improvement that allows the maximum size of a BPF program to be raised to 1 million instructions, a BPF hook to manage sysctl knobs, a new set of system calls for filesystem mounting, case-insensitive lookups for the ext4 filesystem, a process freezer for version-2 control groups, pressure-stall monitors, and, of course, a vast number of fixes. See the KernelNewbies 5.2 page for a lot more details.
Debian 10 ("Buster") has been released
Debian version 10, code named "Buster", has been released. It has lots of new features, including: "In this release, GNOME defaults to using the Wayland display server instead of Xorg. Wayland has a simpler and more modern design, which has advantages for security. However, the Xorg display server is still installed by default and the default display manager allows users to choose Xorg as the display server for their next session. Thanks to the Reproducible Builds project, over 91% of the source packages included in Debian 10 will build bit-for-bit identical binary packages. This is an important verification feature which protects users against malicious attempts to tamper with compilers and build networks. Future Debian releases will include tools and metadata so that end-users can validate the provenance of packages within the archive. For those in security-sensitive environments AppArmor, a mandatory access control framework for restricting programs' capabilities, is installed and enabled by default. Furthermore, all methods provided by APT (except cdrom, gpgv, and rsh) can optionally make use of seccomp-BPF sandboxing. The https method for APT is included in the apt package and does not need to be installed separately." More information can be found in the release notes.
[$] clone3(), fchmodat4(), and fsinfo()
The kernel development community continues to propose new system calls at a high rate. Three ideas that are currently in circulation on the mailing lists are clone3(), fchmodat4(), and fsinfo(). In some cases, developers are just trying to make more flag bits available, but there is also some significant new functionality being discussed.
Release of the Open Build Service, Version 2.10
The Open Build Service (OBS) project has announced the release of version 2.10 of OBS, which is a system to build and distribute binary packages built from source code. The new version has revamped the web user interface and upgraded the container delivery mechanisms. Beyond that, it has fixed plenty of bugs (of course), added a bunch of smaller features, and now provides integration with other online tools: "Another trend in the professional software world is to plug various tools together into grand continuous integration/deployment cycles (CI/CD). You, of course, also want to throw the OBS into the mix and we traditionally supported you to do that on GitHub with webhooks. The 2.10 release now brings the same kind of support to other tools like Gitlab and Pagure. You can trigger all kinds of actions on OBS for every git commit or other events that happen on those tools."
Security updates for Friday
Security updates have been issued by SUSE (firefox, mozilla-nss, mozilla-nspr, helm-mirror, libu2f-host, and libu2f-host, pam_u2f) and Ubuntu (bzip2 and irssi).
[$] Soft CPU affinity
On NUMA systems with a lot of CPUs, it is common to assign parts of the workload to different subsets of the available processors. This partitioning can improve performance while reducing the ability of jobs to interfere with each other. The partitioning mechanisms available on current kernels might just do too good a job in some situations, though, leaving some CPUs idle while others are overutilized. The soft affinity patch set from Subhra Mazumdar is an attempt to improve performance by making that partitioning more porous.
Security updates for Thursday
Security updates have been issued by CentOS (libssh2 and qemu-kvm), Debian (lemonldap-ng), Fedora (tomcat), Oracle (kernel), and SUSE (elfutils, kernel, and php5).
[$] LWN.net Weekly Edition for July 4, 2019
The LWN.net Weekly Edition for July 4, 2019 is available.
[$] Fedora mulls its "python" version
There is no doubt that the transition from Python 2 to Python 3 has been a difficult one, but Linux distributions have been particularly hard hit. For many people, that transition is largely over; Python 2 will be retired at the end of this year, at least by the core development team. But distributions will have to support Python 2 for quite a while after that. As part of any transition, the version that gets run from the python binary (or symbolic link) is something that needs to be worked out. Fedora is currently discussing what to do about that for Fedora 31.
[$] Debian and code names
Debian typically uses code names to refer to its releases, starting with the Toy Story character names used (mostly) instead of numbers. The "Buster" release is due on July 6 and you will rarely hear it referred to as "Debian 10". There are some other code names used for repository (or suite) names in the Debian infrastructure; "stable", "testing", "unstable", "oldstable", and sometimes even "oldoldstable" are all used as part of the sources for the APT packaging tool. But code names of any sort are hard to keep track of; a discussion on the debian-devel mailing list looks at moving away from, at least, some of the repository code names.
Stable kernel updates
Stable kernels 5.1.16, 4.19.57, and 4.14.132 have been released. They all contain important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (pdns), Fedora (kernel and kernel-headers), Mageia (cgit and firefox), Oracle (libssh2 and qemu-kvm), Red Hat (openstack-ironic-inspector, openstack-tripleo-common, and qemu-kvm-rhev), Scientific Linux (libssh2 and qemu-kvm), SUSE (bzip2, cronie, libtasn1, nmap, php7, php72, python-Twisted, and taglib), and Ubuntu (thunderbird and znc).
[$] OpenPGP certificate flooding
A problem with the way that OpenPGP public-key certificates are handled by key servers and applications is wreaking some havoc, but not just for those who own the certificates (and keys)—anyone who has those keys on their keyring and does regular updates will be affected. It is effectively a denial of service attack, but one that propagates differently than most others. The mechanism of this "certificate flooding" is one that is normally used to add attestations to the key owner's identity (also known as "signing the key"), but because of the way most key servers work, it can be used to fill a certificate with "spam"—with far-reaching effects.
Security updates for Tuesday
Security updates have been issued by Arch Linux (firefox, firefox-developer-edition, libarchive, and vlc), CentOS (firefox, thunderbird, and vim), Debian (firefox-esr, openssl, and python-django), Fedora (glpi and xen), Mageia (thunderbird), openSUSE (ImageMagick, irssi, libheimdal, and phpMyAdmin), Red Hat (libssh2 and qemu-kvm), Scientific Linux (firefox, thunderbird, and vim), SUSE (389-ds, cf-cli, curl, dbus-1, dnsmasq, evolution, glib2, gnutls, graphviz, java-1_8_0-openjdk, and libxslt), and Ubuntu (python-django).
[$] TurboSched: the return of small-task packing
CPU scheduling is a difficult task in the best of times; it is not trivial to pick the next process to run while maintaining fairness, minimizing energy use, and using the available CPUs to their fullest potential. The advent of increasingly complex system architectures is not making things easier; scheduling on asymmetric systems (such as the big.LITTLE architecture) is a case in point. The "turbo" mode provided by some recent processors is another. The TurboSched patch set from Parth Shah is an attempt to improve the scheduler's ability to get the best performance from such processors.
Hansen: SKS Keyserver Network Under Attack
GnuPG contributors Robert J. Hansen (rjh) and Daniel Kahn Gillmor (dkg) were victims of a certificate spamming attack over the past week. This attack exploited a defect in the OpenPGP protocol itself in order to "poison" rjh and dkg's OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned. This attack cannot be mitigated by the SKS keyserver network in any reasonable time period. It is unlikely to be mitigated by the OpenPGP Working Group in any reasonable time period. Future releases of OpenPGP software will likely have some sort of mitigation, but there is no time frame. The best mitigation that can be applied at present is simple: stop retrieving data from the SKS keyserver network. (Thanks to Kareem Khazem.)
Google's Fuchsia OS Developer Site Debuts (Forbes)
Forbes reports that Google has launched a new website, fuchsia.dev, with documentation and source for Fuchsia OS, including the Zircon microkernel. "Zircon was previously known as Magenta and it was designed to scale to any application from embedded RTOS (Real-Time Operating Systems) to mobile and desktop devices of all kinds. As a result, there has been much speculation that Fuchsia will be the natural successor to Android and Chrome OS, combining capabilities of both with backwards compatibility to run legacy applications built on either. In short, this thing is designed to run on anything from 32-bit or 64-bit ARM cores to 64-bit X86 processors and it has a potential to be rather disruptive."
Security updates for Monday
Security updates have been issued by Debian (expat, golang-go.crypto, gpac, and rdesktop), Fedora (chromium, GraphicsMagick, kernel, kernel-headers, pdns, and xen), openSUSE (chromium, dbus-1, evince, libvirt, postgresql96, tomcat, and wireshark), Oracle (thunderbird and vim), Scientific Linux (thunderbird), Slackware (irssi), SUSE (gvfs), and Ubuntu (linux-lts-xenial, linux-aws, linux-azure and linux-oem, linux-oracle, linux-raspi2, linux-snapdragon).
Mageia 7 released
The Mageia distribution has released version 7. "Mageia 7 comes with a huge variety of desktops and window managers, improved support for Wayland and for hybrid graphics cards. On a more fun note, an effort was made to enhance gaming in Mageia, so there are many new upgrades and additions to the game collection." See the release notes for details.
Kernel prepatch 5.2-rc7
The 5.2-rc7 kernel prepatch is out for testing. "All small and fairly uninteresting. Arch updates, networking, core kernel, filesystems, misc drivers. Nothing stands out - just read the appended shortlog."
FreeDOS turns 25 years old: An origin story (Opensource.com)
Over on Opensource.com, FreeDOS founder Jim Hall writes about the origin of the MS-DOS replacement on the 25th anniversary of FreeDOS. "While I announced the project as PD-DOS (for "public domain," although the abbreviation was meant to mimic IBM's "PC-DOS"), we soon changed the name to Free-DOS and later FreeDOS. I started working on it right away. First, I shared the utilities I had written to expand the DOS command line. Many of them reproduced MS-DOS features, including CLS, DATE, DEL, FIND, HELP, and MORE. Some added new features to DOS that I borrowed from Unix, such as TEE and TRCH (a simple implementation of Unix's tr). I contributed over a dozen FreeDOS utilities. By sharing my utilities, I gave other developers a starting point. And by sharing my source code under the GNU General Public License (GNU GPL), I implicitly allowed others to add new features and fix bugs."
Cook: package hardening asymptote
On his blog, Kees Cook looks at some graphs of package hardening efforts in Ubuntu and Debian, noting that they have nearly completely flattened out over the last few years. He wonders what might be the next hardening feature on the horizon and speculates some on that: "What new compiler feature adoption could be measured? I think there are still a few good candidates… How about enabling -fstack-clash-protection (only in GCC, Clang still hasn’t implemented it). Or how about getting serious and using forward-edge Control Flow Integrity? (Clang has -fsanitize=cfi for general purpose function prototype based enforcement, and GCC has the more limited -fvtable-verify for C++ objects.) Where is backward-edge CFI? (Is everyone waiting for CET?)"
[$] The io.weight I/O-bandwidth controller
Part of the kernel's job is to arbitrate access to the available hardware resources and ensure that every process gets its fair share, with "its fair share" being defined by policies specified by the administrator. One resource that must be managed this way is I/O bandwidth to storage devices; if due care is not taken, an I/O-hungry process can easily saturate a device, starving out others. The kernel has had a few I/O-bandwidth controllers over the years, but the results have never been entirely satisfactory. But there is a new controller on the block that might just get the job done.
Security updates for Friday
Security updates have been issued by Debian (expat and mupdf), Fedora (drupal7-uuid, php-brumann-polyfill-unserialize, and php-typo3-phar-stream-wrapper2), openSUSE (thunderbird), Oracle (thunderbird and vim), SUSE (glibc), and Ubuntu (poppler).
[$] Providing wider access to bpf()
The bpf() system call allows user space to load a BPF program into the kernel for execution, manipulate BPF maps, and carry out a number of other BPF-related functions. BPF programs are verified and sandboxed, but they are still running in a privileged context and, depending on the type of program loaded, are capable of creating various types of mayhem. As a result, most BPF operations, including the loading of almost all types of BPF program, are restricted to processes with the CAP_SYS_ADMIN capability — those running as root, as a general rule. BPF programs are useful in many contexts, though, so there has long been interest in making access to bpf() more widely available. One step in that direction has been posted by Song Liu; it works by adding a novel security-policy mechanism to the kernel.
Stable kernels 4.14.131, 4.9.184, and 4.4.184
Greg Kroah-Hartman has released the 4.14.131, 4.9.184, and 4.4.184 stable kernels. Each contains a single patch that fixes a problem in the TCP SACK panic fixes that was commonly seen by the Steam gaming community.
Security updates for Thursday
Security updates have been issued by Fedora (drupal7-uuid, php-brumann-polyfill-unserialize, and php-typo3-phar-stream-wrapper2), openSUSE (ansible, compat-openssl098, exempi, glib2, gstreamer-0_10-plugins-base, gstreamer-plugins-base, libmediainfo, libssh2_org, SDL2, sqlite3, and wireshark), Oracle (firefox), Red Hat (thunderbird and vim), Scientific Linux (firefox), SUSE (java-1_8_0-ibm), and Ubuntu (bzip2 and expat).
[$] LWN.net Weekly Edition for June 27, 2019
The LWN.net Weekly Edition for June 27, 2019 is available.
[$] An openSUSE foundation proposal
Over the past couple of months, things have been moving fairly swiftly toward the establishment of a separate entity to govern the openSUSE project. The idea is mainly meant to set up an organization that can receive and disburse funds on behalf of the project, rather than as some kind of move away from its parent company, SUSE. Also, while SUSE seems to be in a healthy position with a strong interest in supporting and working on openSUSE, that could change down the road, so a foundation or similar organization seems like the right way to go. At this point, the first draft of the foundation proposal has been posted; it generally has the support of SUSE management, so it is time to see what thoughts the community has.
Security updates for Wednesday
Security updates have been issued by Debian (python3.4), Oracle (firefox), Red Hat (firefox and kernel-alt), SUSE (ImageMagick and SUSE Manager Server 3.2), and Ubuntu (bzip2).
[$] CVE-less vulnerabilities
More bugs in free software are being found these days, which is good for many reasons, but there are some possible downsides to that as well. In addition, projects like OSS-Fuzz are finding lots of bugs in an automated fashion—many of which may be security relevant. The sheer number of bugs being reported is overwhelming many (most?) free-software projects, which simply do not have enough eyeballs to fix, or even triage, many of the reports they receive. A discussion about that is currently playing out on the oss-security mailing list.