Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-07-12 11:15
Security updates for Monday
Security updates have been issued by Debian (expat, ghostscript, libreoffice, and memcached), Fedora (chromium, grafana, kea, nsd, pdfbox, roundcubemail, and SDL), Gentoo (apache, dbus, exim, libsdl2, pango, perl, vlc, and webkit-gtk), Mageia (dovecot, giflib, golang, icedtea-web, irssi, java-1.8.0-openjdk, libgcrypt, libmspack, mercurial, monit, php, poppler, python-urllib3, rdesktop, SDL12, sdl2, sigil, sqlite3, subversion, tomcat, and zstd), openSUSE (chromium, exim, go1.12, httpie, libmirage, python-SQLAlchemy, and srt), Oracle (firefox, ghostscript, and kernel), SUSE (apache2, mariadb, mariadb-connector-c, postgresql94, python-Django1, python-Pillow, python-urllib3, and qemu), and Ubuntu (exim4).
Kernel prepatch 5.3-rc8
The eighth and presumably final 5.3 prepatch is out for testing. "So we probably didn't strictly need an rc8 this release, but with LPC and the KS conference travel this upcoming week it just makes everything easier."
Critical vulnerability in Exim
Anybody running the Exim mail system will want to apply the updates that are being released today; there is a remote code-execution vulnerability in its TLS-handling code with a known proof-of-concept exploit. As the advisory says: "If your Exim server accepts TLS connections, it is vulnerable".
Stable kernels for everybody
The 5.2.12, 4.19.70, 4.14.142, 4.9.191, and 4.4.191 stable kernels have been released with another set of important fixes. Milliseconds thereafter, 5.2.13 and 4.19.71 were released to fix a regression with the elantech mouse driver.
[$] How Chrome OS works upstream
Google has a long and interesting history contributing to the upstream Linux kernel. With Chrome OS, Google has tried to learn from some of the mistakes of its past and is now working with the upstream Linux kernel as much as it can. In a session at the 2019 Open Source Summit North America, Google software engineer Doug Anderson detailed how and why Chrome OS developers work upstream. It is an effort intended to help the Linux community as well as Google.
Security updates for Friday
Security updates have been issued by Debian (exim4 and firefox-esr), Fedora (lxc, lxcfs, pdfresurrect, python3-lxc, rdesktop, and seamonkey), Oracle (kernel), and SUSE (nginx, python-Werkzeug, SUSE Manager Client Tools, and util-linux and shadow).
[$] What happens to kernel staging-tree code
The staging tree was added to the kernel in 2008 for the 2.6.28 development cycle as a way to ease the process of getting substandard device drivers into shape and merged into the mainline. It has been followed by controversy for just about as long. The recent disagreements over the EROFS and exFAT filesystems have reignited many of the arguments over whether the staging tree is beneficial to the kernel community or not. LWN cannot answer that question, but we can look into what has transpired in the staging tree in its first eleven years to see if there are any conclusions to be drawn there. A lot of code has gone into the staging tree over the years; what happened to it thereafter?
Security updates for Thursday
Security updates have been issued by Debian (webkit2gtk), Fedora (systemd), openSUSE (go1.11, python-Twisted, SDL2_image, SDL_image, and wavpack), Oracle (kdelibs and kde-settings, kernel, and qemu-kvm), Red Hat (chromium-browser and firefox), Slackware (seamonkey), SUSE (java-1_8_0-ibm, kernel, and python-urllib3), and Ubuntu (firefox and npm/fstream).
Google's differential privacy library
Google has announced the release of a new library for applications using differential privacy techniques. "Differentially-private data analysis is a principled approach that enables organizations to learn from the majority of their data while simultaneously ensuring that those results do not allow any individual's data to be distinguished or re-identified. This type of analysis can be implemented in a wide variety of ways and for many different purposes. For example, if you are a health researcher, you may want to compare the average amount of time patients remain admitted across various hospitals in order to determine if there are differences in care. Differential privacy is a high-assurance, analytic means of ensuring that use cases like this are addressed in a privacy-preserving manner."
[$] LWN.net Weekly Edition for September 5, 2019
The LWN.net Weekly Edition for September 5, 2019 is available.
Linux Plumbers Conference waiting list closed; just a few days until the conference
The Linux Plumbers Conference has filled up and has closed its waiting list. "All of the spots available have been allocated, so anyone who is not registered at this point will have to wait for next year. There will be no on-site registration. We regret that we could not accommodate everyone. The good news is that all of the microconferences, refereed talks, Kernel summit track, and Networking track will be recorded on video and made available as soon as possible after the conference. Anyone who could not make it to Lisbon this year will at least be able to catch up with what went on. Hopefully those who wanted to come will make it to a future LPC." LPC will be held in Lisbon, Portugal, September 9-11.
[$] Kernel runtime security instrumentation
Finding ways to make it easier and faster to mitigate an ongoing attack against a Linux system at runtime is part of the motivation behind the kernel runtime security instrumentation (KRSI) project. Its developer, KP Singh, gave a presentation about the project at the 2019 Linux Security Summit North America (LSS-NA), which was held in late August in San Diego. A prototype of KRSI is implemented as a Linux security module (LSM) that allows eBPF programs to be attached to the kernel's security hooks.
Security updates for Wednesday
Security updates have been issued by Arch Linux (grafana, irssi, and jenkins), Debian (freetype, samba, and varnish), Fedora (community-mysql, kernel, kernel-headers, kernel-tools, and python-mitogen), openSUSE (postgresql10 and python-SQLAlchemy), Oracle (kdelibs and kde-settings and squid:4), Red Hat (kdelibs and kde-settings, kernel, kernel-rt, openstack-nova, qemu-kvm, and redis), Scientific Linux (kdelibs and kde-settings, kernel, and qemu-kvm), SUSE (ansible, java-1_7_1-ibm, libosinfo, php53, and qemu), and Ubuntu (irssi, samba, and systemd).
[$] Maintaining the kernel's web of trust
A typical kernel development cycle involves pulling patches from over 100 repositories into the mainline. Any of those pulls could conceivably bring with it malicious code, leaving the kernel (and its users) open to compromise. The kernel's web of trust helps maintainers to ensure that pull requests are legitimate, but that web has become difficult to maintain in the wake of the recent attacks on keyservers and other problems. So now the kernel community is taking management of its web of trust into its own hands.
grsecurity: Teardown of a Failed Linux LTS Spectre Fix
This grsecurity blog entry looks at how an ineffective Spectre fix found its way into the stable kernel releases. If one looks past the advertising, it's a good summary of how the kernel processes can produce the wrong result. "Despite this warning, this code was merged into Thomas Gleixner's x86/tip tree verbatim, as can be seen here. Prior to merging the fix for 5.3-rc1, Linus Torvalds noticed the warning as seen on the LKML mailing list here and fixed it correctly. However, when the actual merge of the tree was performed, no mention was made of the correction to the fix, and with no specific commit mentioning the correction and fixing it alone, everyone else's processes that depended on cherry-picking specific commits ended up grabbing the bad warning-inducing change. As a further failure, instead of looking at Linus' correct fix (observable by checking out the master tree at the time), the approach seems to have been to naively silence the warning by simply swapping the order of the two lines."
[$] CHAOSS project bringing order to open-source metrics
Providing meaningful metrics for open-source projects has long been a challenge, as simply measuring downloads, commits, or GitHub stars typically doesn't say much about the health or diversity of a project. It's a challenge the Linux Foundation's Community Health Analytics Open Source Software (CHAOSS) project is looking to help solve. At the 2019 Open Source Summit North America (OSSNA), Matt Germonprez, one of the founding members of CHAOSS, outlined what the group is currently doing and why its initial efforts didn't work out as expected.
Android 10 released
Google has announced the release of Android 10, the free parts of which are available from the Android Open Source Project now. "Privacy is a central focus in Android 10, from stronger protections in the platform to new features designed with privacy in mind. Building on previous releases, Android 10 includes extensive changes to protect privacy and give users control, with improved system UI, stricter permissions, and restrictions on what data apps can use."
Firefox 69.0 released
Firefox 69.0 has been released. This release enables on-by-default Enhanced Tracking Protection for all users and gives more control over blocking playback of videos which start playing automatically. See the release notes for details.
Security updates for Tuesday
Security updates have been issued by Debian (qemu), Fedora (ansible and wavpack), openSUSE (apache-commons-beanutils, apache2, go1.12, httpie, libreoffice, qemu, and slurm), Oracle (ghostscript), Scientific Linux (ghostscript), SUSE (ardana-ansible, ardana-barbican, ardana-cinder, ardana-cluster, ardana-cobbler, ardana-db, ardana-designate, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-horizon, ardana-input-model, ardana-installer-ui, ardana-ironic, ardana-keystone, ardana-logging, ardana-magnum, ardana-monasca, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-opsconsole, ardana-opsconsole-ui, ardana-osconfig, ardana-service, ardana-ses, ardana-swift, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, java-monasca-common, java-monasca-common-kit, openstack-ceilometer, openstack-cinder, openstack-designate, openstack-heat, openstack-horizon-plugin-neutron-fwaas-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-horizon-plugin-neutron-vpnaas-ui, openstack-ironic, openstack-ironic-python-agent, openstack-keystone, openstack-magnum, openstack-manila, openstack-monasca-notification, openstack-monasca-persister, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, openstack-tempest, python-ardana-configurationprocessor, python-cinder-tempest-plugin, python-ironicclient, python-keystonemiddleware, python-monasca-tempest-plugin, python-openstackclient, python-openstacksdk, python-proliantutils, python-python-engineio, python-swiftlm, python-vmware-nsx, python-vmware-nsxlib, yast2-crowbar, pacemaker, and php72), and Ubuntu (linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-aws, linux-oracle, linux-raspi2, linux-raspi2, linux-snapdragon, and policykit-1).
[$] Bias and ethical issues in machine-learning models
The success stories that have gathered around data analytics drive broader adoption of the newest artificial-intelligence-based techniques—but risks come along with these techniques. The large numbers of freshly anointed data scientists piling into industry and the sensitivity of the areas given over to machine-learning models—hiring, loans, even sentencing for crime—means there is a danger of misapplied models, which is earning the attention of the public. Two sessions at the recent MinneBOS 2019 conference focused on maintaining ethics and addressing bias in machine-learning applications.
Kernel prepatch 5.3-rc7
The 5.3-rc7 kernel prepatch is out for testing, one day later than usual. The final 5.3 release may also be delayed a week to accommodate Linus's travel schedule: "So I do suspect that with my timing (and a number of other developers are probably going to be traveling for LPC and KS too) I'll just make an rc8 even if it turns this Labor Day week ends up being very quiet and there might not be any _technical_ reason to delay the release."
Security updates for Monday
Security updates have been issued by Debian (gosa, libav, libextractor, nghttp2, pump, and python2.7), Fedora (dovecot, mod_http2, and pango), Gentoo (dovecot, gnome-desktop, libofx, and nautilus), Mageia (ansible, ghostscript, graphicsmagick, memcached, mpg123, pango, vlc, wavpack, webmin, wireshark, and wpa_supplicant, hostapd), openSUSE (flatpak, libmirage, podman, slirp4netns and libcontainers-common, python-SQLAlchemy, and qemu), Red Hat (ghostscript, java-1.8.0-ibm, and squid:4), and SUSE (kernel, libsolv, libzypp, zypper, NetworkManager, nodejs10, nodejs8, perl, python-Django, and python-SQLAlchemy).
[$] Examining exFAT
Linux kernel developers like to get support for new features — such as filesystem types — merged quickly. In the case of the exFAT filesystem, that didn't happen; exFAT was created by Microsoft in 2006 for use in larger flash-storage cards, but there has never been support in the kernel for this filesystem. Microsoft's recent announcement that it wanted to get exFAT support into the mainline kernel would appear to have removed the largest obstacle to Linux exFAT support. But, as is so often the case, it seems that some challenges remain.
A very deep dive into iOS Exploit chains found in the wild (Project Zero)
It's not Linux but is worth a read: Google's Project Zero blog has a highly detailed analysis of several iOS exploits and how they were used to compromise large numbers of devices. "There's something thus far which is conspicuous only by its absence: is any of this encrypted? The short answer is no: they really do POST everything via HTTP (not HTTPS) and there is no asymmetric (or even symmetric) encryption applied to the data which is uploaded. Everything is in the clear. If you're connected to an unencrypted WiFi network this information is being broadcast to everyone around you, to your network operator and any intermediate network hops to the command and control server. This means that not only is the end-point of the end-to-end encryption offered by messaging apps compromised; the attackers then send all the contents of the end-to-end encrypted messages in plain text over the network to their server."
Security updates for Friday
Security updates have been issued by Arch Linux (dovecot, gettext, go, go-pie, libnghttp2, and pigeonhole), Debian (djvulibre, dovecot, and subversion), Fedora (sleuthkit and wireshark), openSUSE (containerd, docker, docker-runc, and qbittorrent), Oracle (pango), SUSE (kernel, nodejs10, and python-SQLAlchemy), and Ubuntu (apache2).
[$] Change IDs for kernel patches
For all its faults, email has long proved to be an effective communication mechanism for kernel development. Similarly, Git is an effective tool for source-code management. But there is no real connection between the two, meaning that there is no straightforward way to connect a Git commit with the email discussions that led to its acceptance. Once a patch enters a repository, it transitions into a new form of existence and leaves its past life behind. Doug Anderson recently went to the ksummit-discuss list with a proposal to add Gerrit-style change IDs as a way of connecting the two lives of a kernel patch; the end result may not be quite what he was asking for.
Stable kernels 5.2.11, 4.19.69, and 4.14.141
Greg Kroah-Hartman has released the latest batch of stable kernels: 5.2.11, 4.19.69, and 4.14.141. As usual, they contain important fixes all over the kernel tree; users should upgrade.
Ovid: Is Perl 6 Being Renamed?
Blogger Ovid writes about the push to rebrand Perl 6. "So yeah, there's bitterness and the Perl community not only needs to heal, but we need to find a way forward for both languages. The suggestion to change the name of Perl 6 to 'raku' is effectively designed to make this happen. Perl 5 can figure out how to get beyond the branding issue that's been plaguing it and Perl 6 can do the same thing."
Security updates for Thursday
Security updates have been issued by Debian (apache2 and faad2), openSUSE (schismtracker), Red Hat (ceph and pango), Scientific Linux (pango), SUSE (apache-commons-beanutils, ceph, php7, and qemu), and Ubuntu (ceph, dovecot, and ghostscript).
[$] LWN.net Weekly Edition for August 29, 2019
The LWN.net Weekly Edition for August 29, 2019 is available.
[$] Open-source voting for San Francisco
To open-source fans, the lure of open-source voting systems is surely strong. So a talk at 2019 Open Source Summit North America on a project for open-source voting in San Francisco sounded promising; it is a city with lots of technical know-how among its inhabitants. While progress has definitely been made—though at an almost glacially slow speed—there is no likelihood that the city will be voting using open-source software in the near future. The talk by Tony Wasserman was certainly interesting, however, and provided a look at the intricacies of elections and voting that make it clear the problem is not as easy as it might at first appear.
Microsoft to put exFAT support into the kernel
Linux support for the exFAT filesystem has had a long and troubled history; Microsoft has long asserted patents in this area that have prevented that code from being merged into the kernel. Microsoft has just changed its tune, announcing that upstreaming exFAT is now OK: "It’s important to us that the Linux community can make use of exFAT included in the Linux kernel with confidence. To this end, we will be making Microsoft’s technical specification for exFAT publicly available to facilitate development of conformant, interoperable implementations. We also support the eventual inclusion of a Linux kernel with exFAT support in a future revision of the Open Invention Network’s Linux System Definition, where, once accepted, the code will benefit from the defensive patent commitments of OIN’s 3040+ members and licensees."
GNOME Foundation launches Coding Education Challenge
The GNOME Foundation, with support from Endless, has announced the Coding Education Challenge, a competition aimed to attract projects that offer educators and students new and innovative ideas to teach coding with free and open source software. "Anyone is encouraged to submit a proposal. Individuals and teams will be judged through three tiers of competition. Twenty winners will be selected from an open call for ideas and will each receive $6,500 in prize money. Those winners will progress to a proof of concept round and build a working prototype. Five winners from that round will be awarded $25,000 and progress to the final round where they will turn the prototype into an end product. The final winner will receive a prize of $100,000 and the second placed product a prize of $25,000."
[$] Ask the TAB
The Linux Foundation (LF) Technical Advisory Board (TAB) is meant to give the kernel community some representation within the foundation. In a "birds of a feather" (BoF) session at the 2019 Open Source Summit North America, four TAB members participated in an "Ask the TAB" session. Laura Abbott organized the BoF and Tim Bird, Greg Kroah-Hartman, and Steven Rostedt joined in as well. In the session, the history behind the TAB, its role, and some of its activities over the years were described.
Security updates for Wednesday
Security updates have been issued by Debian (dovecot), Fedora (docker and nghttp2), Oracle (pango), SUSE (apache2, fontforge, ghostscript-library, libreoffice, libvirt, podman, slirp4netns and libcontainers-common, postgresql10, and slurm), and Ubuntu (dovecot).
Rust is the future of systems programming, C is the new Assembly (Packt)
Packt has published a lengthy writeup of a talk by Josh Triplett on work being done to advance the Rust language for system-level programming. "Systems programming often involves low-level manipulations and requires low-level details of the processors such as privileged instructions. For this, Rust supports using inline Assembly via the 'asm!' macro. However, it is only present in the nightly compiler and not yet stabilized. Triplett in a collaboration with other Rust developers is writing a proposal to introduce more robust syntax for inline Assembly."
[$] Inline encryption for filesystems
The encryption of data at rest is increasingly mandatory in a wide range of settings from mobile devices to data centers. Linux has supported encryption at both the filesystem and block-storage layers for some time, but that support comes with a cost: either the CPU must encrypt and decrypt vast amounts of data moving to and from persistent storage or it must orchestrate offloading that work to a separate device. It was thus only a matter of time before ways were found to offload that overhead to the storage hardware itself. Satya Tangirala's inline encryption patch set is intended to enable the kernel to take advantage of this hardware in a general manner.
Security updates for Tuesday
Security updates have been issued by Debian (apache2 and xymon), openSUSE (putty and vlc), Red Hat (kernel and ruby), Scientific Linux (advancecomp, bind, binutils, blktrace, compat-libtiff3, curl, dhcp, elfutils, exempi, exiv2, fence-agents, freerdp and vinagre, ghostscript, glibc, gvfs, http-parser, httpd, kde-workspace, keepalived, kernel, keycloak-httpd-client-install, libarchive, libcgroup, libguestfs-winsupport, libjpeg-turbo, libmspack, libreoffice, libsolv, libssh2, libtiff, libvirt, libwpd, linux-firmware, mariadb, mercurial, mod_auth_openidc, nss, nss-softokn, nss-util, and nspr, ntp, opensc, openssh, openssl, ovmf, patch, perl-Archive-Tar, polkit, poppler, procps-ng, python, python-requests, python-urllib3, qemu-kvm, qt5, rsyslog, ruby, samba, sox, spice-gtk, sssd, systemd, tomcat, udisks2, unixODBC, unzip, uriparser, Xorg, zsh, and zziplib), Slackware (kernel), and SUSE (ardana-ansible, ardana-db, ardana-freezer, ardana-glance, ardana-input-model, ardana-nova, ardana-osconfig, ardana-tempest, caasp-openstack-heat-templates, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, documentation-suse-openstack-cloud, galera-python-clustercheck, openstack-cinder, openstack-glance, openstack-heat, openstack-horizon-plugin-monasca-ui, openstack-horizon-plugin-neutron-fwaas-ui, openstack-ironic, openstack-keystone, openstack-manila, openstack-monasca-agent, openstack-monasca-api, openstack-monasca-persister, openstack-monasca-persister-java, openstack-murano, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, python-Beaver, python-oslo.db, python-osprofiler, python-swiftlm, venv-openstack-magnum, venv-openstack-monasca, venv-openstack-monasca-ceilometer, venv-openstack-murano, venv-openstack-neutron and qemu).
[$] Linker limitations on 32-bit architectures
Before a program can be run, it needs to be built. It's a well-known fact that modern software, in general, consumes more runtime resources than before, sometimes to the point of forcing users to upgrade their computers. But it also consumes more resources at build time, forcing operators of the distributions' build farms to invest in new hardware, with faster CPUs and more memory. For 32-bit architectures, however, there exists a fundamental limit on the amount of virtual memory, which is never going to disappear. That is leading to some problems for distributions trying to build packages for those architectures.
Security updates for Monday
Security updates have been issued by Arch Linux (firefox, libreoffice-still, nginx, nginx-mainline, and subversion), Debian (commons-beanutils, h2o, libapache2-mod-auth-openidc, libmspack, qemu, squid, and tiff), Fedora (kubernetes, libmodbus, nfdump, and nodejs), openSUSE (dkgpg, libTMCG, go1.12, neovim, python, qbittorrent, schismtracker, teeworlds, thunderbird, and zstd), and SUSE (go1.11, go1.12, python-SQLAlchemy, and python-Twisted).
Prepatch and stable kernels
On the development side, Linus has released 5.3-rc6 for testing. "I’m doing a (free) operating system (more than just a hobby) for 486 AT clones and a lot of other hardware. This has been brewing for the last 28 years, and is still not done. I’d like any feedback on any bugs introduced this release (or older bugs too, for that matter)." For those wanting something more stable, 5.2.10, 4.19.68, 4.14.140, 4.9.190, and 4.4.190 have all been released.
[$] Debating the Cryptographic Autonomy License
If one were to ask a group of free-software developers whether the community needs more software licenses, the majority of the group would almost certainly answer "no". We have the licenses we need to express a range of views of software freedom, and adding to the list just tends to create confusion and compatibility issues. That does not stop people from writing new licenses, though. While much of the "innovation" in software licenses in recent times is focused on giving copyright holders more control over how others use their code (while still being able to brand it "open source"), there are exceptions. The proposed "Cryptographic Autonomy License" (CAL) is one of those; its purpose is to give users of CAL-licensed code control over the data that is processed with that code.
Security updates for Friday
Security updates have been issued by Debian (cups, nginx, and openjdk-7), Fedora (httpd, mod_md, nghttp2, and patch), and SUSE (rubygem-loofah).
[$] Restricting path name lookup with openat2()
Looking up a file given a path name seems like a straightforward task, but it turns out to be one of the more complex things the kernel does. Things get more complicated if one is trying to write robust (user-space) code that can do the right thing with paths that are controlled by a potentially hostile user. Attempts to make the open() and openat() system calls safer date back at least to an attempt to add O_BENEATH in 2014, but numerous problems remain. Aleksa Sarai, who has been working in this area for a while, has now concluded that a new version of openat(), naturally called openat2(), is required to truly solve this problem.
Backdoors in Webmin
Anybody using Webmin, a web-based system-administration tool, will want to update now, as it turns out that the system has been backdoored for over a year. "At some time in April 2018, the Webmin development build server was exploited and a vulnerability added to the password_change.cgi script. Because the timestamp on the file was set back, it did not show up in any Git diffs. This was included in the Webmin 1.890 release."
Backdoor code found in 11 Ruby libraries (ZDNet)
ZDNet reports on the discovery of a set of malicious libraries in the RubyGems repository. "The individual behind this scheme was active for more than a month, and their actions were not detected. Things changed when the hacker managed to gain access to the RubyGems account of one of the rest-client developers, which he used to push four malicious versions of rest-client on RubyGems. However, by targeting such a high-profile project that has over 113 million total downloads on RubyGems, the hacker also brought a lot of light to their operation, which was taken down within a few hours after users first spotted the malicious code in the rest-client library."
Security updates for Thursday
Security updates have been issued by Fedora (nginx), openSUSE (ImageMagick and putty), Red Hat (Ansible, atomic-openshift-web-console, ceph, and qemu-kvm-rhev), SUSE (kvm, libssh2_org, postgresql96, qemu, and wavpack), and Ubuntu (libzstd and openjpeg2).
[$] LWN.net Weekly Edition for August 22, 2019
The LWN.net Weekly Edition for August 22, 2019 is available.
[$] OpenPOWER opens further
In what was to prove something of a theme throughout the morning, Hugh Blemings said that he had been feeling a bit like a kid waiting for Christmas recently, but that the day when the presents can be unwrapped had finally arrived. He is the executive director of the OpenPOWER Foundation and was kicking off the keynotes for the second day of the 2019 OpenPOWER Summit North America; the keynotes would reveal the "most significant and impressive announcements" in the history of the project, he said. Multiple presentations outlined a major change in the openness of the OpenPOWER instruction set architecture (ISA), along with various related hardware and software pieces; in short, OpenPOWER can be used by compliant products without paying royalties and with a grant of the patents that IBM holds on it. In addition, the foundation will be moving under the aegis of the Linux Foundation.
[$] Making containers safer
On day one of the Linux Security Summit North America (LSS-NA), Stéphane Graber and Christian Brauner gave a presentation on the current state and the future of container security. They both work for Canonical on the LXD project; Graber is the project lead and Brauner is the maintainer. They looked at the different kernel mechanisms that can be used to make containers more secure and provided some recommendations based on what they have learned along the way.