LWN.net

The fourth 5.1 kernel prepatch is out fortesting. "Smaller than rc3, I'm happy to say. Nothingparticularly big in here, just a number of small things all over."

Security updates have been issued by Debian (pdns), Fedora (firefox, freerdp, ghostscript, gnome-boxes, gnutls, libarchive, libssh2, pidgin-sipe, poppler, and remmina), openSUSE (gd, ImageMagick, ldb, libcaca, ntp, openssl-1_1, ovmf, thunderbird, w3m, and wavpack), SUSE (apache2, firefox, and libvirt), and Ubuntu (advancecomp and apache2).

One of the new features in the 5.1 kernel is thepidfd_send_signal() system call. Combined with the (also new)ability to create a file descriptor referringto a process (a "pidfd") byopening its directory in /proc, this system call allows forthe sending of signals to processes in a race-free manner. An extension tothis feature proposed for 5.2 has, however, sparked a discussion that hasbrought the whole concept into question. It may yet be that the pidfdfeature will be put on hold before the final 5.1 release while the API aroundit is rethought.

Christian Schaller describesa long list of desktop improvements coming in the Fedora 30release. "Screen sharing support for Chrome and Firefox underWayland. The Wayland security model doesn’t allow any applicationto freely grab images or streams of the whole desktop like you could underX. This is of course a huge improvement in security, but it did cause somedisruption for valid usecases like screen sharing with things likeBlueJeans and Google Hangouts. We been working on resolving that with thehelp of PipeWire. We been at it for some time and things are now comingtogether. Chrome 73 ships with everything needed to make this work withChrome."

Security updates have been issued by Debian (apache2, golang, and putty), Gentoo (xen), and SUSE (clamav, SM3.1, and SMS3.1).

The LWN.net Weekly Edition for April 4, 2019 is available.

<p>A pair of flaws in the web interface for two small-business Cisco routersmake for a prime example of the wrong way to go about security fixes.These kinds of flaws are, sadly, fairly common, but the comedy of errorsthat resulted here is, thankfully, rather rare. Among other things, itshows thatvendors may wish to await areal fix rather than to release a small, ineffective band-aid to try to closea gaping hole.

It's been a year since we looked in on thekernel lockdown patches; that's because things have been fairly quiet onthat front since there was a loud anddiscordant dispute about them back then. But Matthew Garrett has beenposting new versions over the last two months; it would seem that thechanges that have been made might be enough to tamp down the flames and,perhaps, even allow them to be merged into the mainline.

Stable kernels 5.0.6, 4.19.33, 4.14.110, 4.9.167, 4.4.178, and 3.18.138 have been released. They all containimportant fixes throughout the tree and users should upgrade.

Security updates have been issued by Debian (apache2), Fedora (edk2 and tomcat), openSUSE (ansible, ghostscript, lftp, libgxps, libjpeg-turbo, libqt5-qtimageformats, libqt5-qtsvg, libssh2_org, openssl-1_0_0, openwsman, pdns, perl-Email-Address, putty, python-azure-agent, python-cryptography, python-pyOpenSSL, python-Flask, thunderbird, tor, unzip, and wireshark), Scientific Linux (freerdp), Slackware (wget), SUSE (bluez, file, firefox, libsndfile, netpbm, thunderbird, and xen), and Ubuntu (busybox, firebird2.5, kernel, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle, linux-hwe, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-aws, linux-raspi2, and policykit-1).

A Linux user's $PATH likely contains well over a thousand differentcommands that were installed by various packages. It's not immediatelyobvious which package is responsible for a command witha generic name, like createuser. There are ways to figure it out, ofcourse, but perhaps it would make sense for packages like PostgreSQL, whichis responsible for createuser, to give their commands names thatare less generic—and more easily disambiguated—such aspg_createuser. But renaming commands down the road has "backwardcompatibility problems" written all over it, as a recent discussion on the pgsql-hackers mailinglist shows.

The Debian Project sadly announced the passing of Innocent de Marchi. "Innocent was a math teacher and a free software developer. One of hispassions was tangram puzzles, which led him to write a tangram-like gamethat he later packaged and maintained in Debian. Soon his contributionsexpanded to other areas, and he also worked as a tireless translatorinto Catalan."

Software Freedom Conservancy reportsthat the Hamburg Higher Regional Court affirmed the lower court's decision,which dismissed Christoph Hellwig's case against VMWare inGermany. Hellwig will not pursue the case further in German courts.Conservancy's staff also spent a significant amount of time and resourcesat each stage of the proceedings — most recently, analyzing what thisruling could mean for future enforcement actions. The German court made afinal decision in this case on procedure and standing, not onsubstance. While we are disappointed that the courts did not take theopportunity to deliver a clear pro-software-freedom ruling, this rulingdoes not set precedent and the implications of the decision arelimited. This matter certainly would proceed differently with differentpresentation of plaintiffs or in another jurisdiction.In addition to VMware committing to removing vmklinux from their kernel, this case also succeeded in sparking significant discussion about the community-wide implications for free software when some companies playing by the rules while others continually break them. Our collective insistence, that licensing terms are not optional, has now spurred other companies to take copyleft compliance more seriously. The increased focus on respecting licenses post-lawsuit and providing source code for derivative works — when coupled with VMware's reluctant but eventual compliance — is a victory, even if we must now look to other jurisdictions and other last-resort legal actions to adjudicate the question of the GPL and derivative works of Linux.

Security updates have been issued by CentOS (firefox, libssh2, and thunderbird), Debian (firmware-nonfree, kernel, and libssh2), Fedora (drupal7, flatpak, and mod_auth_mellon), Gentoo (burp, cairo, glusterfs, libical, poppler, subversion, thunderbird, and unbound), openSUSE (yast2-rmt), Red Hat (freerdp), and SUSE (bash, ed, libarchive, ntp, and sqlite3).

Chef, the purveyor of a popular configuration-management system, has announceda move away from the open-core business model and toward the open-sourcing of allof its software. "We aren’t making this change lightly. Over theyears we have experimented with and learned from a variety of differentopen source, community and commercial models, in search of the rightbalance. We believe that this change, and the way we have made it, bestaligns the objectives of our communities with our own businessobjectives. Now we can focus all of our investment and energy on buildingthe best possible products in the best possible way for our communitywithout having to choose between what is 'proprietary' and what is 'in thecommons.'"

One of the surest signs that the Linux Storage, Filesystem, andMemory-Management (LSFMM) Summit is approaching is the seasonal migration ofmemory-management developers toward the get_user_pages() problem.This core kernel primitive is necessary for high-performance I/O touser-space memory, but its interactions with filesystems have never beenreliable — or even fully specified. There are currently a couple of patchsets in circulation that are attempting to improve the situation, though afull solution still seems distant.

James Bottomley has posted adetailed description of how patent exhaustion might be used to mostlyeliminate the software patent threat to free software. "Theintriguing possibility this offers us is that we may be close to anenforceable court decision (at least in the US) that would render allpatents in open source owned by community members exhausted and thusunenforceable. The purpose of this blog post is to explain the currentlandscape and how we might be able to get the necessary missing courtdecisions to make this hope a reality." LWN covered the FOSDEM talk by Van Lindberg that underlies Bottomley's post.

Security updates have been issued by Debian (chromium, drupal7, gpsd, libav, libdatetime-timezone-perl, php5, rails, thunderbird, twig, tzdata, and wordpress), Fedora (edk2, flatpak, fuse, ghostscript, gnutls, golang-googlecode-go-crypto, grub2, mxml, poppler, and systemd), Mageia (file, kernel, live, mplayer, vlc, openjpeg2, pdns, and poppler), openSUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, runc, kernel, ovmf, and ucode-intel), SUSE (adcli, sssd, GraphicsMagick, kernel, liblouis, libssh2_org, nodejs6, openssl, ovmf, SDL, sysstat, tiff, various KMPs, and xen), and Ubuntu (dovecot and gpac).

Linux Journal celebrates 25years since it began publishing. "Most magazines have the life expectancy of a house plant.Such was the betting line for Linux Journal when it started in April 1994. Our budget was a shoestring. The closest our owner, SSC (Specialized System Consultants) came to the magazine business was with the reference cards it published for UNIX, C, VI, Java, Bash and so on."

The 5.1-rc3 kernel prepatch is out fortesting. Linus says: "Nothing particularly unusual going onhere".

On the Guix blog, Ludovic Courtès writes about connecting reproducible builds for the Guix package manager with the Software Heritage archive."It quickly became clear that reproducible builds had 'reproducible source code downloads', so to speak, as a prerequisite. The Software Heritage archive is the missing piece that would finally allow us to reproduce software environments years later in spite of the volatility of code hosting sites. Software Heritage’s mission is to archive essentially 'all' the source code ever published, including version control history. Its archive already periodically ingests release tarballs from the GNU servers, repositories from GitHub, packages from PyPI, and much more.We quickly settled on a scheme where Guix would fall back to the Software Heritage archive whenever it fails to download source code from its original location. That way, package definitions don’t need to be modified: they still refer to the original source code URL, but the downloading machinery transparently goes to Software Heritage when needed."

BFQis a proportional-share I/O scheduler available for blockdevices since the 4.12 kernel release. It associates each process or groupof processes with a weight, and grants a fraction of the available I/O bandwidthproportionalto that weight. BFQ also triesto maximize system responsiveness and to minimize latency fortime-sensitive applications. Finally, BFQ aims at boostingthroughput and at running efficiently. A new set of changes has improvedBFQ’s performance with respect to all of these criteria. Inparticular, they increase the throughput that BFQ reacheswhile handling the most challenging workloads for this I/O scheduler. Anotable example is DBENCHworkloads, for which BFQ now provides 150% more throughput. Thesechanges also improve BFQ’s I/O control — applications start about 80% morequickly under load — and BFQ itself now runs about 10% faster.

Linux.com interviews Richard Hughes about the Linux Vendor Firmware Service (LVFS), which has recently joined the Linux Foundation as a new project. Hughes is the founder and maintainer of the project. "The short-term goal was to get 95% of updatable consumer hardware supported. With the recent addition of HP that's now a realistic target, although you have to qualify the 95% with 'new consumer non-enterprise hardware sold this year' as quite a few vendors will only support hardware no older than a few years at most, and most still charge for firmware updates for enterprise hardware. My long-term goal is for the LVFS to be seen like a boring, critical part of infrastructure in Linux, much like you’d consider an NTP server for accurate time, or a PGP keyserver for trust.With the recent Spectre and Meltdown issues hitting the industry, firmware updates are no longer seen as something that just adds support for new hardware or fixes the occasional hardware issue. Now the EFI BIOS is a fully fledged operating system with networking capabilities, companies and government agencies are realizing that firmware updates are as important as kernel updates, and many are now writing in 'must support LVFS' as part of any purchasing policy."

Security updates have been issued by Arch Linux (dovecot and imagemagick), Debian (dovecot, libraw, pdns, and ruby2.1), Fedora (mingw-podofo, openwsman, podofo, qemu, and svgsalamander), openSUSE (chromium, ffmpeg-4, firefox, libssh2_org, nodejs4, and qemu), Red Hat (libssh2), Scientific Linux (libssh2 and thunderbird), SUSE (kernel, liblouis, ntp, openssl-1_1, and tiff), and Ubuntu (firefox, freeimage, libapache2-mod-auth-mellon, and thunderbird).

In the real world, text is expressed in many languages using a wide varietyof character sets; those character sets can be encoded in a lot ofdifferent ways. In the kernel, life has always been simpler; file namesand other string data are just opaque streams of bytes. In the few caseswhere the kernel must interpret text, nothing more than ASCII is required.The proposed addition of case-insensitivefile-name lookups to the ext4 filesystem changes things, though; nowsome kernel code must deal with the full complexity of Unicode. A look at the API being providedto handle encodings illustrates nicely just how complicated this task is.

Security updates have been issued by Debian (kernel and wpa), Fedora (firefox and pdns), Gentoo (apache, cabextract, chromium, gd, nasm, sdl2-image, and zeromq), openSUSE (GraphicsMagick and lftp), Red Hat (thunderbird), Scientific Linux (firefox), Slackware (gnutls), and SUSE (ImageMagick).

The LWN.net Weekly Edition for March 28, 2019 is available.

While a few weeks back it looked like theremight be a complete lack of Debian project leader (DPL) candidates, that situation has changed. After a one-weekdelay, five Debian developers have nominated themselves. We are now abouthalfway through the campaign phase; platforms have been posted andquestions have been asked and answered. It seems a good time to have alook at the candidates and their positions.

Stable kernels 5.0.5, 4.19.32, 4.14.109, and 4.9.166 have been released. They all containimportant fixes and users should upgrade.

<p>Handling file names in a case-insensitive way for Linux filesystems hasbeen an ongoing discussion topic for many years. It is a (dubious) feature of filesystemsfor other operating systems (e.g. Android, Windows, macOS), but Linux haslimited support for it. Over the last year or more, Gabriel KrismanBertazi has been working on the problem forext4, but it is a messy one to solve. He recently posted his latest patchset, which reflects some changes made at the behest of Linus Torvalds.

Security updates have been issued by Debian (openjdk-7), Fedora (cfitsio, firefox, librsvg2, and pdns), openSUSE (firefox), Red Hat (firefox), Scientific Linux (firefox), SUSE (gd, grub2, ImageMagick, kernel, libcaca, libmspack, ntp, ovmf, w3m, and wavpack), and Ubuntu (php7.0, php7.2, qemu, and xmltooling).

The Oregon State University Open SourceLab (OSU OSL) has been a longtime hosting site for a wide variety offree and open-source software (FOSS) projects. At SCALE 17x, OSLdirector Lance Albertson gave an overview of what the lab does, some of its history, and itsrole in mentoring undergraduates at OSU. There are a lot of facets to thelab and its work, most of which flies under the radar, which is why Albertsoncame to Pasadena, CA to fill attendees in.

Security updates have been issued by CentOS (ghostscript), Debian (libssh2 and wireshark), openSUSE (aubio, blueman, and kauth), Red Hat (kernel-rt and openwsman), Scientific Linux (openwsman), Slackware (mozilla), and SUSE (ovmf and ucode-intel).

It has been just over one full year since the WireGuard virtual privatenetwork implementation was reviewed here.WireGuard has advanced in a number of ways since that article was written;it has gained many happy users, has been endorsedby Linus Torvalds, and is now supported by tools like NetworkManager.There is one notable thing that has not happened, though: WireGuardhas not yet been merged into the mainline kernel. After a period ofsilence, WireGuard is back, and it would appear that the long process ofgetting upstream is nearly done.

The Free Software Foundation has announcedthe winners of FSF awards, that were presented at the LibrePlanet 2019conference. OpenStreetMap received the 2018 Free Software Award forProjects of Social Benefit and Deborah Nicholson received the Award for theAdvancement of Free Software.

Security updates have been issued by Arch Linux (firefox, libssh2, and powerdns), Debian (bash, firefox-esr, libapache2-mod-auth-mellon, ntfs-3g, openssh, passenger, rsync, and wireshark), Fedora (filezilla, libarchive, libssh2, mxml, php-twig, php-twig2, qemu, and tcpreplay), Slackware (mozilla), SUSE (ghostscript, kernel, libgxps, libjpeg-turbo, libqt5-qtimageformats, libqt5-qtsvg, openstack-cinder, openstack-horizon-plugin-designate-ui, openstack-neutron, openstack-neutron-lbaas, ucode-intel, and unzip), and Ubuntu (firefox).

The 5.1-rc2 kernel prepatch is out."Well, we're a week away from the merge window close, and here's rc2.Things look fairly normal, but honestly, rc2 is usually too early to tell.People haven't necessarily had time to notice problems yet. Which is justanother way of saying 'please test harder'."

The5.0.4,4.19.31,4.14.108,4.9.165,4.4.177,and 3.18.137stable kernel updates are all available. Each contains a relatively largeset of important fixes.

The team behind the Scribus libre desktop-publishing toolis mourning the passing of Peter Linnell. "It is no understatement to say that without Peter Scribus wouldn’t be what it is today. It was Peter who spotted the potential of Franz Schmid’s initially humble Python program and, as a pre-press consultant at the time, contacted Franz to make him aware of the necessities of PostScript and PDF support, among other things. Peter also wrote the first version of the Scribus online documentation, which resulted in his nickname 'mrdocs' in IRC and elsewhere. Until recently, and despite his detoriating health, Peter continued to be involved in building and releasing new Scribus versions.Scribus was the project he helped to set on track and which marked the beginning of his journey into the world of Free Software development. While it remained at the heart of his commitments to Open Source in general and Libre Graphics software in particular, Peter contributed to Free Software in many other ways as well. For example via contributions to projects related to freedesktop.org, as a package builder of many Free programs for several Linux distributions on the openSUSE Build Service, and later as an openSUSE board member. Peter was also crucial in bringing the Libre Graphics community together by way of sharing his expertise with other graphics-oriented projects and his assistance in organizing the first Libre Graphics Meetings. In the sometimes ego-driven and often emotional world of Open Source development, Peter managed to get along very well with almost everybody and never lost his sense of humour."

Most of the time, the dreary work of writing protocol standards atorganizations like the IETF and beyond happens in the background, with mostof us being blissfully unaware of what is happening. Recently, though, adisagreement over protocols for congestion notification and latencyreduction has come to a head in a somewhat messy conflict. The outcome ofthis discussion may well affect how well the Internet of the future works —and whether Linux systems can remain first-class citizens of that net.

Security updates have been issued by CentOS (firefox), Debian (cron and ntfs-3g), Fedora (firefox, ghostscript, libzip, python2-django1.11, PyYAML, tcpflow, and xen), Mageia (ansible, firefox, and ImageMagick/GraphicsMagick), Red Hat (ghostscript), Scientific Linux (firefox and ghostscript), SUSE (libxml2, unzip, and wireshark), and Ubuntu (firefox, ghostscript, libsolv, ntfs-3g, p7zip, and snapd).

Kernel developers learn, one way or another, to be careful about memoryuse; any memory taken by the kernel is not available for use by the actualapplications that people keep the computer around to run. So it isunsurprising that eyebrows went up when Joel Fernandes proposed buildingthe source for all of the kernel's headers files into thekernel itself, at a cost of nearly 4MB of unswappable, kernel-space memory.The discussion is ongoing, but it has already highlighted some pain points felt by Androiddevelopers in particular.

Security updates have been issued by Debian (drupal7, firefox-esr, and openjdk-8), Fedora (ghostscript, python2-django1.11, and SDL), Red Hat (firefox), Scientific Linux (firefox), SUSE (nodejs4 and openssl-1_1), and Ubuntu (gdk-pixbuf).

The LWN.net Weekly Edition for March 21, 2019 is available.

In software, we tend to build abstraction layers. But, at times, thoselayers get in the way, so we squash them. In a talk at SCALE 17x inPasadena, CA, Kyle Anderson surveyed some of the layers that we havebuilt and squashed along the way. He also looked at some of the layersthat are being created today with an eye toward where, how, and why they mightget squashed moving forward.

Security updates have been issued by Arch Linux (libelf and wordpress), CentOS (cloud-init, cockpit, openssl, and tomcat), Gentoo (openssh), openSUSE (ovmf), Scientific Linux (cloud-init), and SUSE (go1.11, ldb, lftp, libssh2_org, and openwsman).

Version 8.0.0 of the LLVM compiler suite is out."It's the result of the LLVMcommunity's work over the past six months, including: speculative loadhardening, concurrent compilation in the ORC JIT API, no longerexperimental WebAssembly target, a Clang option to initializeautomatic variables, improved pre-compiled header support in clang-cl,the /Zc:dllexportInlines- flag, RISC-V support in lld."For details one can see separate release notes forLLVM,Clang,ExtraClang Tools,lld, andlibc++.

Bradley Kuhn of the Software FreedomConservancy (SFC) first heard the term "sustainability" being appliedto free and open-source software (FOSS) four or five years ago in the wake of Heartbleed. He wondered what the term meantin that context, so he looked into it some. He came to SCALE 17x inPasadena, CA to give his thoughts on the topic in a talk entitled "If OpenSource Isn't Sustainable, Maybe Software Freedom Is?".

Mozilla has released Firefox 66.0. The releasenotes contain details. New in this release: Firefox now preventswebsites from automatically playing sound, improved search experience,smoother scrolling, improved performance and better user experience forextensions, and more.

Stable kernels 5.0.3, 4.20.17, 4.19.30, 4.14.107, and 4.9.164 have been released with the usual setof important fixes. This is the last 4.20.y kernel and users should upgradeto 5.0.y at this time.