Security updates have been issued by Arch Linux (linux-hardened), Debian (fribidi), Gentoo (oniguruma, openssh/openssh, openssl, and pump), Mageia (chromium-browser-stable, expat, firefox, freetds, proftpd, python, thunderbird, and unbound), Oracle (sudo), Scientific Linux (thunderbird), Slackware (kernel), SUSE (rubygem-haml), and Ubuntu (fribidi and webkit2gtk).
As of this writing, just over 14,000 non-merge changesets have found their way into the mainline repository for the 5.4 release; that is a bit less than we saw for 5.3, but more than most of the other recent kernels. The final 5.4 release is approaching, so it must be time for our usual look at where the code merged in this development cycle came from. It's mostly business as usual in the kernel community, modulo an appearance from none other than Hulk Robot.
Security updates have been issued by Arch Linux (squid), Fedora (chromium, libssh2, and wpa_supplicant), openSUSE (chromium), Red Hat (ansible, chromium-browser, openstack-octavia, patch, qemu-kvm-rhev, sudo, and thunderbird), Scientific Linux (sudo), SUSE (bluez, gdb, php72, and thunderbird), and Ubuntu (cpio and rygel).
Version 1.39.0 of the Rust language is available. The biggest new feature appears to be the async/await mechanism, which is described in this blog post: "So, what is async await? Async-await is a way to write functions that can 'pause', return control to the runtime, and then pick up from where they left off. Typically those pauses are to wait for I/O, but there can be any number of uses."
Running untrusted code in a safe manner is generally the goal of sandboxing efforts. The sandbox technique presented by Georgia Tech PhD student Ashish Bijlani at Open Source Summit Europe 2019 is no exception. He has used something of a novel scheme to allow unprivileged code to implement the sandbox policies using BPF; the policies are then enforced by the kernel.
At Open Source Summit Europe 2019, Michael C. Jaeger and Maximilian Huber updated attendees on the FOSSology project, which is an open-source license-compliance tool. They introduced FOSSology and talked about how it can be used, but they also looked at the new features added in the last few releases. Beyond that, they presented some experiments the project has been doing with creating machine-learning models for license recognition.
Linux systems have traditionally run with a single address space that is shared by user and kernel space. That changed with the advent of the Meltdown vulnerability, which forced the merging of kernel page-table isolation (KPTI) at the end of 2017. But, Mike Rapoport said during his 2019 Open Source Summit Europe talk, that may not be the end of the story for address-space isolation. There is a good case to be made for increasing the separation of address spaces, but implementing that may require some fundamental changes in how kernel memory management works.
Red Hat has announced the release of Red Hat Enterprise Linux 8.1. This is the first update in what is planned to be a 6 month cadence for minor releases. The release notes contain more information.
Git 2.24 has been released. This blog post covers the highlights of this release, beginning with feature macros. "Usually, configuring some behavior requires only a single configuration change, like enabling or disabling any of the aforementioned values. But what about when it doesn’t? What do you do when you don’t know which configuration values to change? For example, let’s say you want to live on the bleeding-edge of the latest from upstream Git, but don’t have a chance to discover all the new configurable options. In Git 2.24, you can now opt into feature macros—one Git configuration that implies many others. These are hand-selected by the developers of Git, and they let you opt into a certain feature or adopt a handful of settings based on the characteristics of your repository."
Security updates have been issued by Arch Linux (electron, ghostscript, glibc, python2, and samba), Debian (webkit2gtk), Slackware (libtiff), SUSE (ImageMagick, python-ecdsa, and samba), and Ubuntu (apport, haproxy, ruby-nokogiri, and whoopsie).
The stable kernel releases are meant to contain as many important fixes as possible; to that end, the stable maintainers have been making use of a machine-learning system to identify patches that should be considered for a stable update. This exercise has had some success but, at the 2019 Open Source Summit Europe, Sasha Levin asked whether this process could be improved further. Might it be possible for a machine-learning system to identify patches that create bugs and intercept them, so that the fixes never become necessary?
Security updates have been issued by Arch Linux (chromium and qt5-webengine), CentOS (firefox and php), Fedora (file, java-latest-openjdk, nspr, nss, php, t1utils, and webkit2gtk3), Mageia (ansible, aspell, golang, libsoup, and libxslt), openSUSE (chromium and chromium, re2), Oracle (php), and Ubuntu (apport and file).
The 5.4-rc6 kernel prepatch is out for testing. "There's no particular area or outstanding issue that is worrisome, but if things don't calm down this week, I suspect we'll be looking at one of those releases when we have an rc8. We'll see how things evolve here over the next couple of weeks."
The kernel project's email-based development process is well established and has some strong defenders, but it is also showing its age. At the 2019 Kernel Maintainers Summit, it became clear that the kernel's processes are much in need of updating, and that the maintainers are beginning to understand that. It is one thing, though, to establish goals for an improved process; it is another to actually implement that process and convince developers to use it. At the 2019 Open Source Summit Europe, a group of 20 or so maintainers and developers met in the corner of a noisy exhibition hall to try to work out what some of the first steps in that direction might be.
The long discussion on changing the Python project's release cadence has come to a conclusion: the project will now be releasing new versions on an annual basis. See PEP 602 for the details on how it is expected to work.
Security updates have been issued by CentOS (firefox, sudo, and thunderbird), Debian (libarchive and qtbase-opensource-src), Oracle (php), Red Hat (php, rh-php71-php, and rh-php72-php), Scientific Linux (firefox and php), and SUSE (kernel and samba).
Steven Rostedt has been a part of the Linux kernel tracing community for most of its existence, it seems. He was the developer of ftrace, which was one of the early mainline additions for tracing. There are now many tracing facilities in the kernel. At the 2019 Open Source Summit Europe in Lyon, France, Rostedt wanted to present an idea that he has been thinking about for a long time: a unified tracing platform to provide access to all of the kernel tracing facilities from user-space applications.
Security updates have been issued by Debian (imapfilter, libvncserver, and pam-python), Fedora (tcpdump), Mageia (file, graphviz, kernel, and php, pcre2), openSUSE (nfs-utils), Red Hat (heketi and samba), Scientific Linux (thunderbird), SUSE (libtomcrypt, php7, and runc), and Ubuntu (apport, libarchive, libidn2, samba, and whoopsie).
Fedora Magazine announces the release of Fedora 31. This release includes the Fedora Toolbox for launching and managing personal workspace containers. The Fedora Editions include Workstation, Server, with CoreOS and IoT in a preview state. Alternate architectures include ARM AArch64, Power, and S390x. However the 32-bit only i686 system has been dropped. The release notes contain additional information.
Back in March, we looked at a discussion and Python Enhancement Proposal (PEP) for a new dictionary "addition" operator for Python. The discussion back then was lively and voluminous, but the PEP needed some updates and enhancements in order to proceed. That work has now been done and a post about the revised PEP to the python-ideas mailing list has set off another mega-thread.
Stable kernels 5.3.8, 4.19.81, 4.14.151, 4.9.198, and 4.4.198 have been released. They all contain important fixes throughout the tree and users should upgrade.
Security updates have been issued by Debian (php7.0, php7.3, ruby-loofah, and spip), Fedora (proftpd), openSUSE (lz4 and sysstat), Red Hat (chromium-browser, jss, kernel, kernel-alt, kpatch-patch, pango, polkit, sudo, systemd, and thunderbird), SUSE (graphite-web, python3, and samba), and Ubuntu (php5, php7.0, php7.2, php7.3, and samba).
The BPF in-kernel virtual machine has brought a new set of capabilities to a number of functional areas in the kernel, including, significantly, tracing. Since BPF programs run in the kernel, much effort goes into ensuring that they will not cause problems for the running system; to that end, the BPF verifier checks every possible aspect of each BPF program's behavior to ensure that it is safe to run in the kernel — with one notable exception. With a patch set titled "revolutionize bpf tracing", Alexei Starovoitov aims to close that loophole and eliminate a set of potential problems in a widely used class of BPF programs.
A long-anticipated move has finally been made official: the KernelCI continuous-integration project has found a new home under the Linux Foundation umbrella. "The primary goal of KernelCI is to use an open testing philosophy to improve the quality, stability and long-term maintenance of the Linux kernel. Expected improvements to the platform under the Linux Foundation include improved LTS kernel testing and validation; consolidation of existing testing initiatives; quality-of-life improvements to the current service; expanded compute resources; and increased pool of hardware to be tested. In the long-term, members expect to modernize the architecture; test software beyond the Linux kernel; and define testing standards and engage in cross-project collaboration."
The 5.4-rc5 kernel prepatch is out for testing. "So we have a bit more fixes than normal during this stage, but nothing looks very strange, and the diffstat looks _mostly_ flat (with the cpufrequency power-QoS and io_uring changes looking a bit bigger) which is my sign for 'small changes all over'". The codename has changed again; now it's "Kleptomaniac Octopus", suggesting some interesting encounters in Linus's latest diving outing.
The io_uring mechanism is a relatively new interface for asynchronous I/O; it first appeared in the 5.1 kernel in May. Since then, though, it has quickly grown in capabilities and in users; now it appears that it is outgrowing some of the kernel infrastructure that supports it. Thus, we have a proposal from Jens Axboe (the io_uring maintainer) for a new workqueue subsystem for io_uring that hints at some interesting plans for the future.
Security updates have been issued by Debian (firefox-esr), Gentoo (php), Oracle (firefox), Scientific Linux (sudo), and SUSE (accountsservice, binutils, nfs-utils, and xen).
The GNU Project was created by Richard Stallman in 1983 to further his goal of developing an entirely free operating system — a goal that seemed impossibly ambitious at the time. Stallman has recently resigned from some of his roles, but as of this writing his personal site still leads off with this proclamation: "I continue to be the Chief GNUisance of the GNU Project. I do not intend to stop any time soon". Within the project itself, though, it has become clear that this intention lacks universal support. We appear to be seeing the beginning of a governance transition for this venerable project.
Security updates have been issued by Debian (file), Mageia (bind, chromium-browser-stable, java-1.8.0-openjdk, libsndfile, mediawiki, and virtualbox), Oracle (firefox), Red Hat (firefox and sudo), Scientific Linux (firefox and OpenAFS), SUSE (kernel, lz4, rust, and xen), and Ubuntu (firefox).
Back in July, Linus Torvalds merged a patch in the 5.3 merge window that added the PREEMPT_RT option to the kernel build-time configuration. That was meant as a signal that the realtime patch set was moving from its longtime status as out-of-tree code to a fully supported kernel feature. As the code behind the configuration option makes its way into the mainline, some friction can be expected; we are seeing a bit of that now with respect to the BPF subsystem.
There has been discussion about the release cadence of Python for a couple of years now. The 18-month cycle between major releases of the language is seen by some core developers as causing too much delay in getting new features into the hands of users. Now there are two competing proposals for ways to shorten that cycle, either to one year or by creating a rolling-release model. In general, the steering council has seemed inclined toward making some kind of release-cycle change—one of those Python Enhancement Proposals (PEPs) may well form the basis of Python's release cadence moving forward.
Security updates have been issued by Arch Linux (go, go-pie, pacman, and xpdf), CentOS (java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, and patch), openSUSE (gcc7), Red Hat (firefox, kernel, and qemu-kvm-rhev), Slackware (mozilla), SUSE (kernel, libcaca, openconnect, python, sysstat, and zziplib), and Ubuntu (libxslt, linux-azure, and linux-lts-xenial, linux-aws).
Tails (The Amnesic Incognito Live System) is, as the spelled out name implies, a privacy focused distribution, designed to run from removable media. Version 4.0 has been released. "We are especially proud to present you Tails 4.0, the first version of Tails based on Debian 10 (Buster). It brings new versions of most of the software included in Tails and some important usability and performance improvements. Tails 4.0 introduces more changes than any other version since years."
Version 70 of the Firefox web browser is out. The headline features include a new password generator and a "privacy protection report" showing users which trackers have been blocked. "Amazing user features and protections aside, we’ve also got plenty of cool additions for developers in this release. These include DOM mutation breakpoints and inactive CSS rule indicators in the DevTools, several new CSS text properties, two-value display syntax, and JS numeric separators." See the release notes for more details.
Security updates have been issued by CentOS (jss and kernel), Debian (libpcap, openjdk-8, and tcpdump), Fedora (java-11-openjdk), openSUSE (libreoffice), Oracle (java-1.7.0-openjdk), Red Hat (java-1.7.0-openjdk, python, and wget), Scientific Linux (java-1.7.0-openjdk), SUSE (ceph, ceph-iscsi, ses-manual_en, dhcp, openconnect, and procps), and Ubuntu (exiv2, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-azure, linux-gcp, linux-gke-5.0, linux-snapdragon, and uw-imap).
Rothschild Patent Imaging LLC filed a patent suit against the GNOME Foundation in September, asserting a violation in the Shotwell photo manager. GNOME has now gone on the counterattack, questioning the validity of the patent and whether it applies to Shotwell at all. There is also an unspecified counterclaim to strike back against Rothschild. "We want to send a message to all software patent trolls out there — we will fight your suit, we will win, and we will have your patent invalidated. To do this, we need your help."
When a kernel subsystem maintainer has a set of commits to send up the chain toward the mainline, the git request-pull command is usually the right tool for the job. But various maintainers have noticed over the years that this command can sometimes generate confusing results when confronted with anything but the simplest of histories. A brief conversation on the linux-kernel mailing list delved into why this situation comes about and what maintainers can do in response.
Security updates have been issued by Debian (aspell, graphite-web, imagemagick, mediawiki, milkytracker, nfs-utils, and openjdk-11), Fedora (kernel, kernel-headers, kernel-tools, mediawiki, and radare2), openSUSE (dhcp, libpcap, lighttpd, and tcpdump), Scientific Linux (java-1.8.0-openjdk), Slackware (python), SUSE (bluez, kernel, and python-xdg), and Ubuntu (aspell).
The 5.4-rc4 kernel prepatch is out for testing. "This release cycle remains pretty normal. In fact, the rc's have been a bit on the smaller side of the average of the last few releases, and rc4 continues this, if only barely."
kmalloc() is a frequently used primitive for the allocation of small objects in the kernel. During the 2019 Linux Storage, Filesystem, and Memory Management Summit, Vlastimil Babka led a session about the unexpected alignment problems developers face when using this function. After a few months he has come back with the second version of a patch set implementing a natural alignment guarantee for kmalloc(). From the strong opposition it faced initially, it seemed that the change would not get accepted. However, it ended up in Linus Torvalds's tree. Let's explore what happened.
After more than two years of development, the Linux trace toolkit next generation (LTTng) project has released version 2.11.0 of the kernel and user-space tracing tool. The release covers the LTTng tools, LTTng user-space tracer, and LTTng kernel modules. It includes a number of new features that are described in the announcement including session rotation, dynamic user-space tracing, call-stack capturing for the kernel and user space, improved networking performance, NUMA awareness for user-space tracing buffer allocation, and more. "The biggest feature of this release is the long-awaited session rotation support. Session rotations now allow you to rotate an ongoing tracing session much in the same way as you would rotate logs. The 'lttng rotate' command rotates the current trace chunk of the current tracing session. Once a rotation is completed, LTTng does not manage the trace chunk archive anymore: you can read it, modify it, move it, or remove it. Because a rotation causes the tracing session’s current sub-buffers to be flushed, trace chunk archives are never redundant, that is, they do not overlap over time, unlike snapshots. Once a rotation is complete, offline analyses can be performed on the resulting trace, much like in 'normal' mode. However, the big advantage is that this can be done without interrupting tracing, and without being limited to tools which implement the 'live' protocol."
Greg Kroah-Hartman has announced the release of the 5.3.7, 4.19.80, 4.14.150, 4.9.197, and 4.4.197 stable kernels. All five contain important fixes throughout the kernel tree, as usual. Users of those series should upgrade.
Security updates have been issued by Debian (poppler, sudo, and wordpress), Oracle (java-1.8.0-openjdk), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and kernel), and SUSE (kernel and postgresql10).