LWN.net

Linus has released 5.6-rc1 and closed themerge window for this development cycle. "This was actually aslightly smaller merge window than usual, but I think that what happened issimply that the holiday season impacted new development. It impacted the5.5 rc series less than I had expected, but seems to instead have caused5.6 to have slightly less development than normal."

One of the more eyebrow-raising features to go into the 5.6 kernel is theability to load TCP congestion-control algorithms as BPF programs; networking developer Toke Høiland-Jørgensen described it as acontinuation of the kernel's "march towards becoming BPFruntime-powered microkernel". On itsface, congestion control is a significant new functionality to hand over toBPF, taking it farbeyond its existing capabilities. When one looks closer, though, one'seyebrow altitude may well increase further; the implementation of thisfeature breaks new ground in a couple of areas.

Over on the Ardour forum, Paul Davis wonders whether access to the source code is truly what users these days want or need. There are other closed-source digital audio workstations that are far more customizable than Ardour via a scripting language without needing any access to the source. "But perhaps for applications like Ardour, ones that do not yet exist, there ought to be a different development pathway. I remember once wondering if we should have implemented the entire GUI in PyGTK (i.e. Python). We didn't, and most of my curiosity was about whether it would have helped or hindered our development process. However, had we done so, one of the consequences would have been that many changes to the program would have been made simpler, easier to access and would require no 'rebuild'. I wonder if going forward, large-scale apps like Ardour ought to (as Reaper did relatively early in its life) consider the 'script extension system' to be a vital and critical part of the application infrastructure. This would mean, for example, writing large parts of 'core functionality' using this system, rather than dropping back into C++ to get things done. There are precedents for this: GNU Emacs, for example, is at some level written in C, but almost everything about the program is actually constructed in Emacs Lisp, its own 'scripting extension'. The C core of Emacs is so small and so irrelevant that it almost doesn't matter that it is there: if you want to modify or extend Emacs, you (almost always) write Lisp, not C."

Security updates have been issued by Arch Linux (chromium, python-django, and sudo), Debian (libexif and libxmlrpc3-java), Fedora (upx and xar), openSUSE (ucl and upx), Oracle (ipa), Scientific Linux (kernel), SUSE (e2fsprogs, libqt5-qtbase, nginx, pcp, php7, rubygem-rack, systemd, wicked, and xen), and Ubuntu (mariadb-10.1, mariadb-10.3, mesa, pillow, and python-reportlab).

On his blog, Peter Hutterer writes about some changes that will allow users to start deploying their own rules to modify keyboard layouts without driving themselves crazy.Many many moons ago before the Y2K bug was even in its larvae stage, the idea was that you could configure all of those because every UNIX tool had to be more flexible than your yoga teacher. I'm unsure to what extent this was actually ever the case but around 2007-ish the old keyboard driver got deprecated and the evdev driver made it's grand entrance. And one side-effect of that was that things broke. evdev uses different keycodes, so all those users that copy-pasted unnecessary XKB configuration into their xorg.conf now had broken keys because they were applying the wrong rules. After whacking enough moles that we got in trouble with the RSPCA [Royal Society for the Prevention of Cruelty to Animals] we started hardcoding the "evdev" ruleset everywhere. The xorg.conf option "XKBRules" became a noop and thus stopped breaking users' setups.Except that it also stopped users from deploying their own rules files - something that probably didn't really matter anyway. This had some unintended side-effects though. First, to have a working custom XKB layout you basically had to get it merged upstream. Yes, you could edit the files locally but they'd just be overwritten next time you update the packages. Second, getting rid of hardcoded things is hard so we're stuck with the evdev ruleset for the forseeable future. This was the situation until, well, now.

By many accounts, the kernel project uses outdated tooling, far behind thestate of the art that Kids Today tend to favor. The kernel's workflow hasworked well (enough) for years, but there are signs that it may not besustainable indefinitely. As a result, there has been an ongoing conversation aboutimproving the kernel's workflow, but little has changed so far. Thepostingof a simple tool called get-lore-mboxis a sign that the rate of change may be about to increase.

Security updates have been issued by CentOS (kernel-rt, qemu-kvm, spamassassin, and Xorg), Debian (ruby-rack-cors), Fedora (glibc), openSUSE (ImageMagick), Oracle (ipa, kernel, and qemu-kvm), SUSE (systemd), and Ubuntu (exiv2, mbedtls, and systemd).

The LWN.net Weekly Edition for February 6, 2020 is available.

Stable kernels 5.4.18, 4.19.102, and 4.14.170 have been released. They containimportant fixes and users should upgrade.

Browser tracking across different sites is certainly a major privacyconcern and one that is more acute when the boundaries between sites andbrowsers blur—or disappear altogether. That seems to be the underlyingtension in a "discussion" of an only tangentially related proposal beingmade by Google to the W3C TechnicalArchitecture Group (TAG). The proposal would change the handling ofthe User-Agent headers sent by browsers, but the discussion turnedto the unrelated X-Client-Data header that Chrome sends toGoogle-owned sites. The connection is that in both casessome feel that the web-search giant is misusing its position to the detriment ofits users and its competitors in the web ecosystem.

Support for the CoreOS Container Linux distribution is coming to an end on May 26;there will be no further updates after that date. Users are recommended tomove to Fedora CoreOS or someother distribution.

Stable kernels 5.5.2, 4.9.213, and 4.4.213 have been released with importantfixes. Users should upgrade.

Security updates have been issued by Debian (storebackup), openSUSE (e2fsprogs and wicked), Red Hat (containernetworking-plugins, ipa, kernel, kernel-rt, ksh, and qemu-kvm), Scientific Linux (ipa and qemu-kvm), SUSE (libqt5-qtbase, python-reportlab, and terraform), and Ubuntu (graphicsmagick, OpenSMTPD, spamassassin, and sudo).

Python 2 was officially "retired" on the last day of 2019, so no bugswill be fixed or changes made in that version of the language, at least by the coredevelopers—distributions and others will continue for some time tocome. But there are lots of Python projects that still supportPython 2.7 and may not be ready for an immediate clean break. Some changes thatwere made for the upcoming Python 3.9 release (which is currently scheduledfor October) are causing headaches because support for long-deprecated2.7-compatibility features is being dropped. That led to a discussion onthe python-dev mailing list about postponing thosechanges to give a bit more time to projects that want to dropPython 2.7 support soon, but not immediately.

Security updates have been issued by Arch Linux (salt), CentOS (git), Debian (qtbase-opensource-src), Fedora (java-11-openjdk), Mageia (kernel and openjpeg2), openSUSE (mailman, python-reportlab, ucl, and upx), Oracle (git), Red Hat (container-tools:rhel8, go-toolset:rhel8, grub2, kernel, kernel-rt, php:7.2, and sudo), SUSE (crowbar-core, crowbar-openstack, openstack-neutron-fwaas, rubygem-crowbar-client and python36), and Ubuntu (python-django).

The Git source-code management system is famously built on the SHA‑1hashing algorithm,which has become an increasingly weak foundation over the years. SHA‑1 isnow considered to be broken and, despite the fact that it does not yet seemto be so broken that it could be used to compromise Git repositories, usersare increasingly worried about its security. The good news is that work onmoving Git past SHA‑1 has been underway for some time, and is slowlycoming to fruition; there is a version of the code that can be looked atnow.

Security updates have been issued by Arch Linux (opensmtpd), Debian (firefox-esr, libidn2, libjackson-json-java, prosody-modules, qemu, qtbase-opensource-src, spamassassin, and sudo), Fedora (e2fsprogs, java-1.8.0-openjdk, mingw-openjpeg2, openjpeg2, samba, sox, upx, webkit2gtk3, and xar), Red Hat (git), Scientific Linux (git), Slackware (sudo), SUSE (ceph and rmt-server), and Ubuntu (sudo).

The GNU libc 2.31 release is out. Significant changes include some initialC2X standard support, some DNS stub resolver changes, a newpthread_clockjoin_np() POSIX threads extension, a number ofchanges to time-related functions, and more.

The5.5.1,5.4.17, and4.19.101stable kernel updates have been released; each contains another set ofimportant fixes.

The longtime tech writer for the Yocto Project, Scott Rifenbark, has died after a battle with cancer. Project architect Richard Purdie announced the sad news on the yocto mailing list; he also reflected on Rifenbark and his impact: "I remember interviewing Scott over 10 years ago when forming a team atIntel to work on what became the Yocto Project, he was with it from thestart. He warned me he wasn't an entirely traditional tech writer but Iwarned we weren't aiming to be a traditional project either. It was agreat match. He stayed with the project ever since in one way oranother, he enjoyed working on the project and we enjoyed working withhim.The concept of having a tech writer as part of the team was a decisionI'm proud of and it shows in the material supporting the project todaybut that success belongs to Scott and his approach to it. Someone elseput that best, 'He would first try the procedure or instructions beforedocumenting it, I was really impressed'. He was hands on and wantedthings to be understandable and correct, a huge challenge with some ofthe complexities we deal with."

As network interfaces get faster, the amount of CPU time available toprocess each packet becomes correspondingly smaller. The good news is thatmany tasks, including packet filtering, can be offloaded to the hardwareitself. The bad news is that the Linux kernel required quite a bit of work to beable to take advantage of that capability. The first article in this series provided anoverview of how hardware-based packet filtering can work and the supportfor this feature that already existedin the kernel. This series now concludes with a detailed look at howoffloaded packet filtering works in the netfilter subsystem and howadministrators can make use of it.

Security updates have been issued by Debian (libsolv, libxmlrpc3-java, openjpeg2, qemu, and suricata), Fedora (ansible, chromium, java-latest-openjdk, links, mingw-openjpeg2, nss, openjpeg2, python-pillow, thunderbird, webkit2gtk3, and xen), Mageia (gdal, java-1.8.0-openjdk, mariadb, openjpeg2, and sqlite3), Oracle (kernel), Red Hat (rh-java-common-xmlrpc), SUSE (e2fsprogs, ImageMagick, php72, tigervnc, and wicked), and Ubuntu (keystone).

As of this writing, 4,726 non-merge changesets have been pulled into themainline repository for the 5.6 development cycle. That is a relativelyslow start by contemporary kernel standards, but it still is enough tobring a number of new features, some of which have been pending for years,into the mainline. Read on for a summary of the changes pulled in theearly part of the 5.6 merge window.

Ian Jackson posted a note to the xen-announce mailing list with the sad news that Xen community manager and project advisory board member Lars Kurth has died. "I'm very sad to inform you that Lars Kurth passed away earlier thisweek. Many of us regarded Lars as a personal friend, and his loss is agreat loss to the Xen Project.We plan to have a tribute to Lars on the XenProject blog in the nearfuture. Those who are attending FOSDEM may wish to attend the shorttribute we plan for Sunday morning: https://fosdem.org/2020/schedule/event/vai_memory_of_lars_kurth/"

Five new stable kernels have been released: 5.4.16, 4.19.100, 4.14.169, 4.9.212, and 4.4.212. As usual, each contains importantfixes throughout the kernel tree. Users should upgrade.

Security updates have been issued by Debian (graphicsmagick, opensmtpd, webkit2gtk, wget, and zlib), openSUSE (apt-cacher-ng, GraphicsMagick, java-1_8_0-openjdk, mailman, mumble, rubygem-excon, sarg, and shadowsocks-libev), Oracle (libarchive and openjpeg2), Red Hat (firefox, fribidi, openjpeg2, SDL, and thunderbird), Scientific Linux (openjpeg2), SUSE (glibc, java-1_8_0-openjdk, and rmt-server), and Ubuntu (Apache Solr and webkit2gtk).

The LWN.net Weekly Edition for January 30, 2020 is available.

Fedora currently uses Pagure to hostmany of its Git repositories and to handle things like documentation andbug tracking. But Pagure is maintained by the Red Hat Community PlatformEngineering (CPE) team, which is currently straining under the load ofmanaging the infrastructure and tools for Fedora and CentOS, while also maintainingthe tools used by the Red Hat Enterprise Linux (RHEL) team. That has ledto a discussion about identifying the requirements for a "Git forge" andpossibly moving away from Pagure.

Qualys has put out an advisory regarding a vulnerability in OpenBSD'sOpenSMTPD mail server. It "allows an attacker to execute arbitrary shellcommands, as root: either locally, in OpenSMTPD's default configuration (which listens on the loopback interface and only accepts mail from localhost); or locally and remotely, in OpenSMTPD's 'uncommented' default configuration (which listens on all interfaces and accepts external mail)." OpenBSD users would be well advised to update quickly.

Security updates have been issued by CentOS (apache-commons-beanutils, java-1.8.0-openjdk, libarchive, openjpeg2, openslp, python-reportlab, and sqlite), Debian (hiredis, otrs2, and unzip), openSUSE (apt-cacher-ng, git, samba, sarg, and storeBackup), Oracle (openjpeg2), Red Hat (libarchive, openjpeg2, sqlite, and virt:rhel), SUSE (aws-cli and python-reportlab), and Ubuntu (libgcrypt11, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-hwe, linux-hwe, linux-aws-hwe, linux-lts-xenial, linux-aws, and openjdk-8, openjdk-lts).

Version6.4 of the LibreOffice productivity suite is out. It is said to be"a new major release providing better performance, especially whenopening and saving spreadsheets and presentations, and excellentcompatibility with DOCX, XLSX and PPTX files."

The Thunderbird email client has been movedinto a separate company called "MZLA Technologies Corporation", whichremains wholly owned by the Mozilla Foundation. "Moving to MZLA Technologies Corporation will not only allow the Thunderbird project more flexibility and agility, but will also allow us to explore offering our users products and services that were not possible under the Mozilla Foundation. The move will allow the project to collect revenue through partnerships and non-charitable donations, which in turn can be used to cover the costs of new products and services.Thunderbird’s focus isn’t going to change. We remain committed to creatingamazing, open source technology focused on open standards, user privacy,and productive communication."

Transparent and verifiable electronic elections are technically feasible,but for a variety of reasons, the techniques used are not actually viable forrunning most elections—and definitely not for remote voting. That was one of themain takeaways from a keynote at this year's linux.conf.au given by University ofMelbourne AssociateProfessor Vanessa Teague. She is a cryptographer who, along with hercolleagues, has investigated several kinds of e-voting software; as isprobably not all that much of a surprise, what they found is buggyimplementations. She described some of that work in atalk that was a mix of math with software-company and government missteps; the latter maydirectly impact many of the Australian locals who were in attendance.

Security updates have been issued by Debian (iperf3, openjpeg2, and tomcat7), Mageia (ansible, c3p0, fontforge, glpi, gthumb, libbsd, libmediainfo, libmp4v2, libqb, libsass, mbedtls, opencontainers-runc, php, python-pip, python-reportlab, python3, samba, sysstat, tomcat, virtualbox, and webkit2), openSUSE (java-11-openjdk, libredwg, and sarg), Oracle (sqlite), Red Hat (libarchive, nss, and openjpeg2), Scientific Linux (sqlite), SUSE (nodejs6), and Ubuntu (cyrus-sasl2, linux, linux-aws, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-oem, mysql-5.7, mysql-8.0, tcpdump, and tomcat8).

The 5.5 kernel was released onJanuary 26. Over the course of this development cycle, it wasoccasionally said that the holidays were slowing contributions. At theend, though, 5.5 saw the merging of 14,350 non-merge changesets from 1,885developers — not exactly a slow-moving cycle. Indeed, 5.5 just barelyedged out 5.4 as the kernel with the most developers ever. Read on for ourtraditional look at where the contributions to 5.5 came from, along with adigression into the stable-update process.

The Qt blog has announced somechanges in how the Qt toolkit is offered to consumers. Notably,installation of Qt binaries will require a Qt Account andlong-term-supported (LTS) releases and the offline installer will becomeavailable to commercial licensees only. "From February onward, everyone, including open-source Qt users, will require valid Qt accounts to download Qt binary packages. We changed this because we think that a Qt account lets you make the best use of our services and contribute to Qt as an open-source user.We want open-source users to help improve Qt in one form or another, be that through bug reports, forums, code reviews, or similar. These are currently only accessible from a Qt account, which is why having one will become mandatory."

Stable kernels 4.19.99 and 4.14.168. As usual, there are important fixesand users should upgrade.

Stable kernel 5.4.15 has been released withimportant fixes throughout the tree. Users should upgrade.

Security updates have been issued by Debian (jsoup and slirp), Fedora (community-mysql, elog, fontforge, libuv, libvpx, mingw-podofo, nodejs, opensc, podofo, thunderbird-enigmail, transfig, and xfig), openSUSE (arc, libssh, and libvpx), Red Hat (git, java-1.8.0-openjdk, java-11-openjdk, python-reportlab, and sqlite), Slackware (thunderbird), and SUSE (java-1_8_0-openjdk, python, and samba).

In the end, Linus decided to release the 5.5kernel rather than going for another prepatch. "So despite theslight worry that the holidays might have affected the schedule, 5.5 endedup with the regular rc cadence and is out now." Some of the significantfeatures in this release areiopl() emulation,many new io_uring commands,live-patchstate tracking,type checking for BPF tracepoint programs,a new CPUload-balancing algorithm,the KUnit unit-testing framework,airtime queue limits for WiFi,and much more. See theKernelNewbies 5.5 changelog for more information.

Ars Technica reviews the Purism Librem 5 smartphone, which is made from open-source software and (mostly) open hardware. It is clearly not there yet as a replacement for the phone in our pockets, but it would seem to be on the right path. "The thing to keep in mind here is that Purism has taken on an absolutely gargantuan task. It somehow scraped together a new supply chain of mostly open source components, it came up with a smartphone design from scratch, and it is building its own smartphone distribution of Linux. Two years is not enough time to do this. The OS and app package is not nearly finished, and it lacks basic smartphone functionality. The hardware is nearly finished, but you'll have a hard time taking advantage of it right now since the power management isn't really implemented, and support for things like the cameras are non-existent. If you really want open source smartphones to be a thing, though, this is where you need to start. The Librem 5 is a proof of concept."

The Electronic Frontier Foundation (EFF) has put out a statement in support of journalist Glenn Greenwald whose "prosecution is an attempt to use computer crime law to silence an investigative reporter who exposed deep-seated government corruption". Greenwald is being charged in Brazil, where he reported on corruption within the government of that country. While the EFF said that it has seen "no actions detailed in the criminal complaint that violate Brazilian law", its main concern is the use of ill-defined "cybercrime" laws."Around the world, cybercrime laws are notoriously hazy. This is in part because it’s challenging to write good cybercrime laws: technology evolves quickly, our language for describing certain digital actions may be imprecise, and lawmakers may not always imagine how laws will later be interpreted. And while the laws are hazy, the penalties are often severe, which makes them a dangerously big stick in the hands of prosecutors. Prosecutors can and do take advantage of this disconnection, abusing laws designed to target criminals who break into computers for extortion or theft to prosecute those engaged in harmless activities, or research—or, in this case, journalists communicating with their sources."

One year ago, the io_uring subsystem didnot exist in the mainline kernel; it showed up in the 5.1 release in May2019. At its core, io_uring is a mechanism for performing asynchronousI/O, but it has been steadily growing beyond that use case and adding newcapabilities. Herein we catch up with the current state of io_uring, whereit is headed, and an interesting question or two that will come up alongthe way.

Security updates have been issued by Debian (git and python-apt), Oracle (openslp), Red Hat (chromium-browser and ghostscript), SUSE (samba, slurm, and tomcat), and Ubuntu (clamav, gnutls28, and python-apt).

Some years back, I was caught in a weak moment and somehow became thekernel documentation maintainer. More recently, I've given a few talks onthe state of kernel documentation and the sort of work that needs to bedone to make things better. A key part of getting that work done iscommunicating to potential contributors the tasks that they might helpfullytake on — a list that was, naturally, entirely undocumented. To that end,a version of the following document is currently under review and headedfor the mainline. Read on to see how you, too, can help to make thekernel's documentation better.

Greg Kroah-Hartman has announced the release of the 4.4.211, 4.9.211, 4.14.167, 4.19.98, and 5.4.14 stable kernels. As usual, thesecontain important fixes throughout the kernel tree; users should upgrade.

Security updates have been issued by openSUSE (chromium, libredwg, and thunderbird), Oracle (apache-commons-beanutils, java-1.8.0-openjdk, libarchive, and python-reportlab), Red Hat (kernel), Scientific Linux (apache-commons-beanutils, libarchive, and openslp), SUSE (java-11-openjdk), and Ubuntu (e2fsprogs, graphicsmagick, python-apt, and zlib).

The LWN.net Weekly Edition for January 23, 2020 is available.

Keith Packard is no stranger to the linux.conf.au stage; he has spoken on a wide variety of topics since he started going to the conference in 2004(which was held inAdelaide, where organizers apparently had a lot of ice cream forattendees). One of his talks at this year's conference was on aneducation-focused project that he has been working on for around a year:a version of Python called "Snek" targeting embedded processors.He gave a look at some of the history of his work with 10-12 year-old students that led to thedevelopment of Snek as well as some plans for the language—and hardware torun it on—moving forward.

Security updates have been issued by Debian (tiff and transfig), Fedora (thunderbird-enigmail), Mageia (ffmpeg and sox), openSUSE (fontforge, python3, and tigervnc), Oracle (python-reportlab), Red Hat (apache-commons-beanutils, java-1.8.0-openjdk, kernel, kernel-alt, libarchive, openslp, openvswitch2.11, openvswitch2.12, and python-reportlab), Scientific Linux (java-1.8.0-openjdk and python-reportlab), SUSE (samba and tigervnc), and Ubuntu (python-pysaml2).