Security updates have been issued by Debian (proftpd-dfsg and vim), Fedora (java-11-openjdk and matrix-synapse), Gentoo (binutils and libpng), Mageia (kernel), and SUSE (openexr and python-Django).
The seccomp() mechanism is notoriously difficult to use. It also turns out to be easy to break unintentionally, as the development community discovered when a timekeeping change meant to address the year-2038 problem created a regression for seccomp() users in the 5.3 kernel. Work is underway to mitigate the problem for now, but seccomp() users on 32-bit systems are likely to have to change their configurations at some point.
Version 2.30 of the GNU C Library (glibc) has been released. New features include Unicode 12.1.0 support; wrappers for the getdents64(), gettid(), and tgkill() system calls on Linux; addition of a bunch of POSIX-proposed pthreads calls; protections for memory allocation functions so that they cannot cause ptrdiff_t overflows; and more, such as fixes for two security problems:
CVE-2019-7309: x86-64 memcmp used signed Jcc instructions to check size. For x86-64, memcmp on an object size larger than SSIZE_MAX has undefined behavior. On x32, the size_t argument may be passed in the lower 32 bits of the 64-bit RDX register with non-zero upper 32 bits. When it happened with the sign bit of RDX register set, memcmp gave the wrong result since it treated the size argument as zero. Reported by H.J. Lu.
CVE-2019-9169: Attempted case-insensitive regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read. Reported by Hongxu Chen.
The GNOME and KDE projects are teaming up to host the Linux App Summit (LAS) that will be held in Barcelona, November 12-15. "LAS is the first collaborative event co-hosted by the two organizations since the Desktop Summit in 2009. Both organizations are eager to bring their communities together in building an application ecosystem that transcends individual distros and broadens the market for everyone involved. KDE and GNOME will no longer be taking a passive role in the free desktop sector. With the joint influence of the two desktop projects, LAS will shepherd the growth of the FOSS desktop by encouraging the creation of quality applications, seeking opportunities for compensation for FOSS developers, and fostering a vibrant market for the Linux operating system." The CfP is open until August 31.
The C switch statement has, since the beginning of the language, required the use of explicit break statements to prevent execution from falling through from one case to the next. This behavior can be a useful feature, allowing for more compact code, but it can also lead to bugs. The effort to rid the kernel of implicit fall-through coding patterns came to a conclusion with the 5.3-rc2 release, where the last cases were fixed. There is a good chance that these fixes will have to be redone in the future, though.
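To make the problem concrete, here is an added example (not code from the article or from the kernel) of a message dispatcher written both ways: a version where a forgotten break silently runs the next case's code, and the rewritten version in which the one intended fall-through is marked explicitly so that the compiler's -Wimplicit-fallthrough warning stays quiet and a reader can see the intent. The message and action names are hypothetical; the fallthrough macro mirrors the pattern of using the compiler's fallthrough attribute where it is available and a comment otherwise.

```c
/* Added example: implicit versus explicit switch fall-through.
 * Not the article's or the kernel's code. */
#include <stdio.h>

/* Hypothetical protocol messages and the actions a handler may perform. */
enum msg_type { MSG_DATA, MSG_FLUSH, MSG_CLOSE };
enum action { ACT_DATA = 1, ACT_FLUSH = 2, ACT_CLOSE = 4 };

/* Use the compiler's attribute when it exists; fall back to a comment that
 * -Wimplicit-fallthrough also recognises. */
#if defined(__has_attribute)
# if __has_attribute(fallthrough)
#  define fallthrough __attribute__((__fallthrough__))
# endif
#endif
#ifndef fallthrough
# define fallthrough do {} while (0) /* fall through */
#endif

/* Buggy version, kept deliberately: the break after MSG_DATA was forgotten,
 * so a data message also performs the close and flush actions. Nothing in the
 * source distinguishes that mistake from the intended MSG_CLOSE -> MSG_FLUSH
 * fall-through below it. */
int buggy_actions(enum msg_type t)
{
    int acts = 0;
    switch (t) {
    case MSG_DATA:
        acts |= ACT_DATA;
        /* break forgotten here */
    case MSG_CLOSE:
        acts |= ACT_CLOSE;
        /* intended fall-through, but nothing says so */
    case MSG_FLUSH:
        acts |= ACT_FLUSH;
        break;
    }
    return acts;
}

/* Fixed version: every case ends in break or in an explicit fallthrough. */
int fixed_actions(enum msg_type t)
{
    int acts = 0;
    switch (t) {
    case MSG_DATA:
        acts |= ACT_DATA;
        break;
    case MSG_CLOSE:
        acts |= ACT_CLOSE;
        fallthrough;        /* a close always ends with a final flush */
    case MSG_FLUSH:
        acts |= ACT_FLUSH;
        break;
    }
    return acts;
}

int main(void)
{
    printf("MSG_DATA  buggy=%d fixed=%d\n", buggy_actions(MSG_DATA), fixed_actions(MSG_DATA));
    printf("MSG_CLOSE buggy=%d fixed=%d\n", buggy_actions(MSG_CLOSE), fixed_actions(MSG_CLOSE));
    printf("MSG_FLUSH buggy=%d fixed=%d\n", buggy_actions(MSG_FLUSH), fixed_actions(MSG_FLUSH));
    return 0;
}
```

Building with -Wextra (which enables -Wimplicit-fallthrough in gcc) flags the unannotated transition in buggy_actions() while accepting fixed_actions(); that warning is the check the kernel cleanup relies on to stop the pattern from creeping back in.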
Security updates have been issued by CentOS (httpd, libssh2, and qemu-kvm), Debian (glib2.0, squirrelmail, subversion, and wpa), Fedora (proftpd), Oracle (icedtea-web), Red Hat (icedtea-web), Scientific Linux (icedtea-web), SUSE (icedtea-web, java-1_7_0-openjdk, subversion, and zypper, libzypp and libsolv), and Ubuntu (linux-hwe, openjdk-lts, pango1.0, python-django, and subversion).
In theory, the public API of a Python standard library module is fully specified as part of its documentation, but in practice it may not be quite so clear cut. There are other ways to specify the names in a module that are meant to be public, and there are naming conventions for things that should not be public (e.g. the name starts with an underscore), but there is no real consistency in how those are used throughout the standard library. A mid-July discussion on the python-dev mailing list considered the problem and some possible solutions; the main outcome seems to be interest in making the rules more explicit.
It has been the better part of a decade since the last KernelShark article appeared here; in the interim, the kernel-tracing visualization tool has undergone some major changes. While the high-level appearance is largely similar, the underlying code has switched from GTK+ 2.0 to Qt 5. On July 26, maintainer Steven Rostedt announced the release of KernelShark version 1.0, which makes it a good time to take another peek.
BPF programs have gained significantly in capabilities over the last few years and can now perform many useful operations. That said, BPF developers have had to work around an annoying limitation until recently: they could not use loops. This restriction was recently lifted by a patchset from Alexei Starovoitov that was merged for Linux 5.3. In addition to adding support for loops, it also greatly decreases the load time of most BPF programs.
Stable kernels 5.2.5, 4.19.63, and 4.14.135 have been released. These updates are on the large side. The 4.14 kernel is largest with 4748 insertions and 3145 deletions. As usual, users should upgrade.
Security updates have been issued by CentOS (389-ds-base, curl, and kernel), Debian (libssh2), Fedora (kernel, kernel-headers, and oniguruma), openSUSE (chromium, openexr, thunderbird, and virtualbox), Oracle (389-ds-base, curl, httpd, kernel, and libssh2), Red Hat (nss and nspr and ruby:2.5), Scientific Linux (httpd and kernel), SUSE (java-1_8_0-openjdk, mariadb, mariadb-connector-c, polkit, and python-requests), and Ubuntu (openjdk-8, openldap, and sox).
This is the final call for proposals for the containers and checkpoint/restore microconference at the Linux Plumbers Conference; the deadline is Friday, August 2. LPC will take place September 9-11 in Lisbon, Portugal.
This is the final call for proposals for the 3 day networking track at the Linux Plumbers Conference; the deadline is Friday, August 2. LPC will take place September 9-11 in Lisbon, Portugal. "Any kind of advanced networking-related topic will be considered."
The Collabora blog announces some ongoing work to integrate Linux desktop environments with head-mounted displays. "In contrast to these approaches xrdesktop aims to integrate into existing Linux desktop environments, eliminating the necessity of running a dedicated compositor for only VR and thus making it usable in current setups. For our initial release, we focused on integration in the most popular Linux desktops, GNOME and KDE, but xrdesktop is designed to be integrated into any desktop. This can be done with Compiz-like plugins as for KWin or patches on the compositor in the case of GNOME Shell. This integration of xrdesktop into the window managers enables mirroring existing windows into XR and to synthesize desktop input through XR actions."
Version 2.80 of the Blender 3D animation system has been released. "Blender 2.80 features a redesigned user interface that puts the focus on the artwork that you create. A new dark theme and modern icon set were introduced. Keyboard, mouse and tablet interaction got a refresh with left click select as the new default. Quick Favorites menus provide rapid access to often-used tools."
There is an increasingly active development effort, known as Darling, that is aiming to provide a translation layer for macOS software on Linux; it is inspired in part by Wine. While Darling isn't nearly as mature as Wine, contributors are continuing to build out capabilities that could make the project more useful to a wider group of users in the future. Subscribers can read on for a look at Darling from this week's edition.
Security updates have been issued by Fedora (cutter-re and radare2), Oracle (389-ds-base, httpd, kernel, libssh2, and qemu-kvm), Red Hat (389-ds-base, chromium-browser, curl, docker, httpd, keepalived, kernel, kernel-alt, kernel-rt, libssh2, perl, podman, procps-ng, qemu-kvm, qemu-kvm-ma, ruby, samba, and vim), Scientific Linux (389-ds-base, curl, libssh2, and qemu-kvm), SUSE (bzip2 and openexr), and Ubuntu (python-urllib3 and tmpreaper).
The NumPy team has announced the release of NumPy 1.17.0. NumPy is a fundamental package for scientific computing with Python. "The 1.17.0 release contains a number of new features that should substantially improve its performance and usefulness. The Python versions supported are 3.5-3.7, note that Python 2.7 has been dropped."
For those who didn't quite get around to putting in a proposal for linux.conf.au 2020 (Gold Coast, January 13 to 17), there's another chance: the proposal deadline has been extended to August 11. "We have heard that some of you would like a bit more time to submit your proposals for linux.conf.au 2020. So, we have decided to extend the due date by two weeks to help everyone have a chance to submit."
Security updates have been issued by Debian (patch, sdl-image1.2, and unzip), Fedora (deepin-clone, dtkcore, dtkwidget, and sqlite), Mageia (virtualbox), openSUSE (firefox), and SUSE (cronie and firefox).
The 5.3-rc2 kernel prepatch is available for testing. "There are fixes all over, I don't think there's much of a pattern here. The three areas that do stand out are Documentation (more rst conversions), arch updates (mainly because of the netx arm platform removal) and misc driver fixes (gpu, iommu, net, nvdimm, sound..)".
The 5.2.4, 5.1.21, and 4.19.62 stable kernel updates have been released; each contains another set of important fixes. Note that 5.1.21 is the end of the line for the 5.1.x series.
ZDNet reports on GitHub's blocking of users from Crimea and Iran. "As GitHub notes on its page about US trade controls, US sanctions apply to its online hosting service, GitHub.com, but its paid-for on-premise software -- aimed at enterprise users -- may be an option for users in those circumstances. It also claims to be in discussions with US regulators about how to rectify the situation."
Over the last few kernel releases, the kernel has gained the concept of a "pidfd" — a file descriptor that represents a process. What started as a way of sending signals to processes without race conditions has evolved into a more complete process-management interface. Now one of the last pieces is being put into place: the ability to wait for processes using pidfds. But, naturally, that API has had to go through some revisions first.
Three new stable kernels have been released: 5.2.3, 5.1.20, and 4.19.61. These are rather larger updates than most and, as usual, contain fixes throughout the kernel tree; users should upgrade.
Security updates have been issued by Debian (libssh2 and patch), Fedora (kernel and kernel-headers), Mageia (vlc), Red Hat (rh-redis32-redis), SUSE (libgcrypt, libsolv, libzypp, zypper, and rmt-server), and Ubuntu (exim4, firefox, libebml, linux, linux-aws, linux-kvm, linux-raspi2, and vlc).
Laurent Pinchart began his Open Source Summit Japan 2019 talk with a statement that, once upon a time, camera devices were simple pipelines that produced a sequence of video frames. Applications could control cameras using the Video4Linux (V4L) API by way of a single device node; there were "lots of knobs", but the overall task was straightforward. That situation has changed over the years, and application developers need more help; that is where the libcamera project comes in.
Security updates have been issued by CentOS (java-1.7.0-openjdk, java-1.8.0-openjdk, and java-11-openjdk), Debian (exim4), Fedora (java-latest-openjdk), openSUSE (libsass, tomcat, and ucode-intel), Oracle (java-1.7.0-openjdk and thunderbird), SUSE (OpenEXR, spamassassin, and thunderbird), and Ubuntu (ansible and patch).
Python is often mentioned in the same breath with the phrase "batteries included", which refers to the breadth of its standard library. But there is an effort underway to trim back the standard library by removing some unloved modules. In addition, there has been persistent talk of a major restructuring of the library, into a fairly minimal core as described in Amber Brown's talk at this year's Python Language Summit, or in other ways as discussed on the python-dev mailing list in January (though it has come up many times before that as well). A mid-July python-ideas mailing list thread picked up on some of that; it ended up showing, once again, that there is no real consensus on what the standard library is—or should be.
Fedora Magazine covers the first preview release of Fedora CoreOS, a new Fedora edition built specifically for running containerized workloads. "It's the successor to both Fedora Atomic Host and CoreOS Container Linux. Fedora CoreOS combines the provisioning tools, automatic update model, and philosophy of Container Linux with the packaging technology, OCI support, and SELinux security of Atomic Host."
Security updates have been issued by Debian (kernel, linux-4.9, and neovim), Fedora (slurm), openSUSE (ImageMagick, libgcrypt, libsass, live555, mumble, neovim, and teeworlds), Oracle (java-1.7.0-openjdk, java-1.8.0-openjdk, and java-11-openjdk), Red Hat (java-1.7.0-openjdk), Scientific Linux (java-1.7.0-openjdk), SUSE (glibc and openexr), and Ubuntu (mysql-5.7 and patch).
Frequent updates are a key part of keeping systems secure, but that goal will not be met if the update mechanism itself is compromised by an attacker. At a talk during the 2019 Open Source Summit Japan, Justin Cappos described Uptane, an update delivery mechanism for automotive applications that, he said, can prevent such problems, even when the attacker has the resources of a nation state. It would seem that some automobile manufacturers agree.
Zoned block devices are quite different than the block devices most people are used to. The concept came from shingled magnetic recording (SMR) devices, which allow much higher density storage, but that extra capacity comes with a price: less flexibility. Zoned devices have regions (zones) that can only be written sequentially; there is no random access for writes to those zones. Linux already supports these devices, and filesystems are adding support as well, but some applications may want a simpler, more straightforward interface; that's what a new filesystem, zonefs, is targeting.
Security updates have been issued by Debian (libsdl2-image and libxslt), Oracle (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (bzip2, microcode_ctl, and ucode-intel), and Ubuntu (clamav, evince, linux-hwe, linux-gcp, linux-snapdragon, and squid3).
At the end of the 5.3 merge window, 12,608 non-merge changesets had been pulled into the mainline repository. Nearly 6,000 of those were pulled after the first-half summary was written. As expected, there was still a lot of material yet to be merged for this development cycle.
Linus has released 5.3-rc1 and closed the merge window for this development cycle. "Anyway, despite the rocky start, and the big size, things mostly smoothed out towards the end of the merge window. And there's a lot to like in 5.3".
Greg Kroah-Hartman has announced the release of the 5.2.2, 5.1.19, 4.19.60, 4.14.134, 4.9.186, and 4.4.186 stable kernels. As usual, they contain fixes throughout the kernel tree; users should upgrade.
Documentation, said Riona MacNamara at the beginning of her Open Source Summit Japan 2019 talk, is the superpower that we can use to energize users and developers; it is an important part of the creation of a vibrant and inclusive community. While there are a number of roadblocks that can impede participation in a development community, many of those can be addressed with better documentation. The talk was a call for all projects to think about what they are trying to accomplish and to ensure that their documentation is helping to get there.
Security updates have been issued by Debian (bzip2), Fedora (freetds, kernel, kernel-headers, and knot-resolver), openSUSE (bubblewrap, fence-agents, kernel, libqb, libu2f-host, pam_u2f, and tomcat), Oracle (vim), SUSE (kernel, LibreOffice, libxml2, and tomcat), and Ubuntu (libmspack and squid, squid3).
Over on his blog, Kees Cook runs through the security changes that came in Linux 5.2. "While the SLUB and SLAB allocator freelists have been randomized for a while now, the overarching page allocator itself wasn’t. This meant that anything doing allocation outside of the kmem_cache/kmalloc() would have deterministic placement in memory. This is bad both for security and for some cache management cases. Dan Williams implemented this randomization under CONFIG_SHUFFLE_PAGE_ALLOCATOR now, which provides additional uncertainty to memory layouts, though at a rather low granularity of 4MB (see SHUFFLE_ORDER). Also note that this feature needs to be enabled at boot time with page_alloc.shuffle=1 unless you have direct-mapped memory-side-cache (you can check the state at /sys/module/page_alloc/parameters/shuffle)."
At the 2019 Linux Storage, Filesystem, and Memory-Management Summit (LSFMM) Brendan Gregg gave a keynote on BPF observability that included a kernel issue he had debugged on Netflix production servers using bpftrace. In this article, he provides a crash course on bpftrace for kernel developers—to help them more easily analyze their code. Subscribers can read on for a look at kernel analysis using bpftrace from the upcoming weekly edition.
Security updates have been issued by Arch Linux (chromium, firefox, and squid), CentOS (thunderbird and vim), Debian (libonig), SUSE (firefox, glibc, kernel, libxslt, and tomcat), and Ubuntu (libreoffice and thunderbird).
The Python 3.8 beta cycle is already underway, with Python 3.8.0b1 released on June 4, followed by the second beta on July 4. That means that Python 3.8 is feature complete at this point, which makes it a good time to see what will be part of it when the final release is made. That is currently scheduled for October, so users don't have that long to wait to start using those new features.
A question about the future of package distribution is at the heart of a disagreement about the snap plugin for the GNOME Software application in Fedora. In a Fedora devel mailing list thread, Richard Hughes raised multiple issues about the plugin and the direction that he sees Canonical taking with snaps for Ubuntu. He plans to remove support for the plugin for GNOME Software in Fedora 31.
Security updates have been issued by Debian (libreoffice), Red Hat (thunderbird), SUSE (ardana and crowbar, firefox, libgcrypt, and xrdp), and Ubuntu (nss, squid3, and wavpack).