LWN.net

ZDNet reportson GitHub's blocking of users from Crimea and Iran."As GitHub notes on its page about US trade controls, US sanctionsapply to its online hosting service, GitHub.com, but its paid-foron-premise software -- aimed at enterprise users -- may be an option forusers in those circumstances. It also claims to be in discussions with USregulators about how to rectify the situation."

Over the last few kernel releases, the kernel has gained the concept of a"pidfd" — a file descriptor that represents a process. What started as away of sending signals to processes without race conditions has evolvedinto a more complete process-management interface. Now one of the lastpieces is being put into place: the ability to wait for processes usingpidfds. But, naturally, that API has had to go through some revisionsfirst.

Three new stable kernels have been released: 5.2.3, 5.1.20,and 4.19.61. These are rather largerupdates than most and, as usual, contain fixes throughout the kernel tree;users should upgrade.

Security updates have been issued by Debian (libssh2 and patch), Fedora (kernel and kernel-headers), Mageia (vlc), Red Hat (rh-redis32-redis), SUSE (libgcrypt, libsolv, libzypp, zypper, and rmt-server), and Ubuntu (exim4, firefox, libebml, linux, linux-aws, linux-kvm, linux-raspi2, and vlc).

Laurent Pinchart began his OpenSource Summit Japan 2019 talk with a statement that, once upon a time, camera devices were simple pipelines thatproduced a sequence of video frames. Applications could control cameras usingthe Video4Linux (V4L) API by way of a single device node; there were "lots ofknobs", but the overall task was straightforward. That situation haschanged over the years, and application developers need more help; that iswhere the libcamera project comes in.

Security updates have been issued by CentOS (java-1.7.0-openjdk, java-1.8.0-openjdk, and java-11-openjdk), Debian (exim4), Fedora (java-latest-openjdk), openSUSE (libsass, tomcat, and ucode-intel), Oracle (java-1.7.0-openjdk and thunderbird), SUSE (OpenEXR, spamassassin, and thunderbird), and Ubuntu (ansible and patch).

The LWN.net Weekly Edition for July 25, 2019 is available.

Python is often mentioned in the same breath with the phrase "batteriesincluded", which refers to the breadth of its standard library. But thereis an effort underway to trim back thestandard library by removing some unloved modules. In addition, there hasbeen persistent talk of a major restructuring of the library, into a fairlyminimal core as described in Amber Brown's talkat this year's Python Language Summit, or in other ways as discussed on the python-dev mailing list inJanuary (though it has come up many times before that as well).A mid-July python-ideas mailing list thread picked up on some of that; itended up showing, once again, that there is no real consensus on what the standardlibrary is—or should be.

Fedora Magazine covers thefirst preview release of Fedora CoreOS, a new Fedora edition builtspecifically for running containerized workloads. "It's the successor to both Fedora Atomic Host and CoreOS Container Linux. Fedora CoreOS combines the provisioning tools, automatic update model, and philosophy of Container Linux with the packaging technology, OCI support, and SELinux security of Atomic Host."

Security updates have been issued by Debian (kernel, linux-4.9, and neovim), Fedora (slurm), openSUSE (ImageMagick, libgcrypt, libsass, live555, mumble, neovim, and teeworlds), Oracle (java-1.7.0-openjdk, java-1.8.0-openjdk, and java-11-openjdk), Red Hat (java-1.7.0-openjdk), Scientific Linux (java-1.7.0-openjdk), SUSE (glibc and openexr), and Ubuntu (mysql-5.7 and patch).

Frequent updates are a key part of keeping systems secure, but that goalwill not be met if the update mechanism itself is compromised by anattacker. At a talk during the 2019 Open Source Summit Japan, JustinCappos described Uptane, an updatedelivery mechanism for automotive applications that, he said, can preventsuch problems, even when the attacker has the resources of a nation state.It would seem that some automobile manufacturers agree.

Zoned block devices are quite different than the block devices most peopleare used to. The concept came from shingledmagnetic recording (SMR) devices, which allow much higher densitystorage, but that extra capacity comes with a price: less flexibility. Zoneddevices have regions (zones) that can only be written sequentially; thereis no random access for writes to those zones. Linux already supports thesedevices, and filesystems are adding support as well, but some applicationsmay want a simpler, more straightforward interface; that's what a newfilesystem, zonefs, is targeting.

Security updates have been issued by Debian (libsdl2-image and libxslt), Oracle (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (bzip2, microcode_ctl, and ucode-intel), and Ubuntu (clamav, evince, linux-hwe, linux-gcp, linux-snapdragon, and squid3).

At the end of the 5.3 merge window, 12,608 non-merge changesets had beenpulled into the mainline repository. Nearly 6,000 of those were pulledafter the first-half summary was written.As expected, there was still a lot of material yet to be merged for thisdevelopment cycle.

Security updates have been issued by Debian (bind9, exiv2, kernel, nss, openjdk-11, openjdk-8, patch, and squid3), Fedora (gvfs, libldb, and samba), Mageia (firefox, gvfs, libreswan, rdesktop, and thunderbird), openSUSE (bzip2, clementine, dbus-1, expat, fence-agents, firefox, glib2, kernel, kernel-firmware, ledger, libqb, libu2f-host, pam_u2f, libvirt, neovim, php7, postgresql10, python-requests, python-Twisted, ruby-bundled-gems-rpmhelper, ruby2.5, samba, webkit2gtk3, zeromq, and znc), Red Hat (java-1.8.0-openjdk, java-11-openjdk, rh-maven35-jackson-databind, rh-nodejs8-nodejs, and rh-redis5-redis), Slackware (kernel), and SUSE (ucode-intel).

Linus has released 5.3-rc1 and closed themerge window for this development cycle. "Anyway, despite the rockystart, and the big size, things mostly smoothed out towards the end of themerge window. And there's a lot to like in 5.3".

Greg Kroah-Hartman has announced the release of the 5.2.2, 5.1.19,4.19.60, 4.14.134, 4.9.186, and 4.4.186 stable kernels. As usual, theycontain fixes throughout the kernel tree; users should upgrade.

Documentation, said Riona MacNamara at the beginning of her OpenSourceSummit Japan 2019 talk, is the superpower that we can use to energize usersand developers; it is an important part of the creation of a vibrant andinclusive community. While there are a number of roadblocks that can impedeparticipation in a development community, many of those can be addressedwith better documentation. The talk was a call for all projects to thinkabout what they are trying to accomplish and to ensure that theirdocumentation is helping to get there.

Security updates have been issued by Debian (bzip2), Fedora (freetds, kernel, kernel-headers, and knot-resolver), openSUSE (bubblewrap, fence-agents, kernel, libqb, libu2f-host, pam_u2f, and tomcat), Oracle (vim), SUSE (kernel, LibreOffice, libxml2, and tomcat), and Ubuntu (libmspack and squid, squid3).

Over on his blog, Kees Cook runs through the security changes that came in Linux 5.2. "While the SLUB and SLAB allocator freelists have been randomized for a while now, the overarching page allocator itself wasn’t. This meant that anything doing allocation outside of the kmem_cache/kmalloc() would have deterministic placement in memory. This is bad both for security and for some cache management cases. Dan Williams implemented this randomization under CONFIG_SHUFFLE_PAGE_ALLOCATOR now, which provides additional uncertainty to memory layouts, though at a rather low granularity of 4MB (see SHUFFLE_ORDER). Also note that this feature needs to be enabled at boot time with page_alloc.shuffle=1 unless you have direct-mapped memory-side-cache (you can check the state at /sys/module/page_alloc/parameters/shuffle)."

At the 2019 Linux Storage, Filesystem,and Memory-Management Summit (LSFMM) Brendan Gregg gave a keynote on BPF observability that included a kernel issue he had debugged on Netflixproduction servers using bpftrace. In thisarticle, he provides a crash course on bpftrace for kernel developers—to help them moreeasily analyze their code.Subscribers can read on for a look at kernel analysis usingbpftrace from the upcoming weekly edition.

Security updates have been issued by Arch Linux (chromium, firefox, and squid), CentOS (thunderbird and vim), Debian (libonig), SUSE (firefox, glibc, kernel, libxslt, and tomcat), and Ubuntu (libreoffice and thunderbird).

The LWN.net Weekly Edition for July 18, 2019 is available.

The Python 3.8 beta cycle is already underway, with Python 3.8.0b1released on June 4, followed by the second betaon July 4. That means that Python 3.8 is feature complete atthis point, which makes it a good time to see what will be part of it whenthe final release is made. That is currently scheduledfor October, so users don't have that long to wait to start using those newfeatures.

A question about the future of package distribution is at the heart of adisagreement about the snap plugin for the GNOME Software applicationin Fedora. In a Fedora devel mailing list thread,Richard Hughes raisedmultiple issues about the plugin and the direction that he sees Canonical taking with snaps for Ubuntu.He plans to remove support for the plugin for GNOME Software inFedora 31.

Security updates have been issued by Debian (libreoffice), Red Hat (thunderbird), SUSE (ardana and crowbar, firefox, libgcrypt, and xrdp), and Ubuntu (nss, squid3, and wavpack).

Security updates have been issued by Fedora (expat and radare2), Oracle (thunderbird), Red Hat (389-ds-base, keepalived, libssh2, perl, and vim), Scientific Linux (thunderbird), SUSE (bzip2, kernel, podofo, systemd, webkit2gtk3, and xrdp), and Ubuntu (bash, nss, redis, squid, squid3, and Zipios).

The LXD team has announcedthe release of LXD 3.15. "One big highlight is the transition to the dqlite 1.0 branch which will bring us more performance and reliability, both for our cluster users and for standalone installations. This rework moves a lot of the low-level database/replication logic to dedicated C libraries and significantly reduces the amount of back and forth going on between C and Go."

Our increasingly aggressive moderncompilers produce increasingly surprising code optimizations. Some ofthese optimizations might be especially surprising to developers who assumethat each plain C-language load or store will always result in anassembly-language load or store. Although this article is written forLinux kernel developers, many of these scenarios also apply to otherconcurrent code bases, keeping in mind that "concurrent code bases" alsoincludes single-threaded code bases that use interrupts or signals.

Security updates have been issued by CentOS (firefox), Debian (libspring-java, ruby-mini-magick, and thunderbird), Fedora (fossil, python-django, snapd-glib, and thunderbird), openSUSE (helm and monitoring-plugins), Red Hat (cyrus-imapd, thunderbird, and vim), Scientific Linux (vim), Slackware (bzip2), SUSE (bubblewrap, bzip2, expat, glib2, kernel, php7, python3, and tomcat), and Ubuntu (exiv2, firefox, and flightcrew).

Greg Kroah-Hartman has announced the release of the 5.2.1, 5.1.18,and 4.19.59 stable kernels. As is usual,they contain important fixes throughout the tree; users of those seriesshould upgrade.

As of this writing, exactly 6,666 non-merge changesets have been pulledinto the mainline repository for the 5.3 development cycle. The mergewindow has thus just begun, there is still quite a bit in the way ofinteresting changes to look at. Read on for a list of what has been mergedso far.

Fedora Magazine has posted an introduction tothe Silverblue distribution. "One of the main benefits is security. The base operating system is mounted as read-only, and thus cannot be modified by malicious software. The only way to alter the system is through the rpm-ostree utility.Another benefit is robustness. It’s nearly impossible for a regular user to get the OS to the state when it doesn’t boot or doesn’t work properly after accidentally or unintentionally removing some system library."

Security updates have been issued by CentOS (dbus), Debian (firefox-esr, python3.4, and redis), Mageia (ffmpeg), Oracle (firefox, libvirt, and qemu), Red Hat (firefox and virt:8.0.0), Scientific Linux (firefox), and SUSE (kernel).

When it comes to new filesystems for Linux, patience is certainly avirtue. Btrfs took years to mature and, according to some, still isn'tready yet. Tux3 has kept users waitingsince at least 2008; as of 2018 its developer still saidthat it was progressing. By these measures, bcachefs is a relative youngster, havingbeen first announced a mere four yearsago. Development of this next-generation filesystem continues, and bcachefs developer Kent Overstreet recently proclaimedhis desire to "get this sucker merged", but there are someobstacles to overcome still.

Damian Conway writesabout the power of infinite sequences in Perl 6.The sequence of primes is just the sequence of positive integers,filtered (with a .grep) to keep only the ones that are prime.And, of course, Perl 6 already has a prime number tester: the built-in&is-prime function. The sequence of primes never changes, so we candeclare it as a constant:

Security updates have been issued by Debian (dosbox and openjpeg2), Oracle (dbus and kernel), Scientific Linux (dbus), Slackware (mozilla), and SUSE (fence-agents, libqb, postgresql10, and sqlite3).

The LWN.net Weekly Edition for July 11, 2019 is available.

The third edition of the Operating-System-Directed Power-Management (OSPM) summit was heldMay 20-22 at the ReTiS Lab of the Scuola Superiore Sant'Anna in Pisa,Italy. The summit is organized to collaborate on ways to reduce the energyconsumption of Linux systems, while still meeting performance and othergoals. It is attended by scheduler, power-management, and other kerneldevelopers, as well as academics, industry representatives, and othersinterested in the topics.As with previous years (2018 and 2017), LWN is happy to be able to bring ourreaders some extensive writeups of the talks and discussions that went onat OSPM. Subscribers can read on for the start of the writeups from thesummit, which were authored by a long list of the participants.

Stable kernels 5.1.17, 4.19.58, 4.14.133, 4.9.185, and 4.4.185 have been released. They all containimportant fixes throughout the tree and users should upgrade.

Security updates have been issued by Debian (redis), Fedora (expat), Mageia (dosbox, irssi, microcode, and postgresql11), Red Hat (bind, dbus, openstack-ironic-inspector, openstack-tripleo-common, python-novajoin, and qemu-kvm-rhev), Scientific Linux (kernel), SUSE (kernel-firmware, libdlm, libqb, and libqb), and Ubuntu (apport).

Python does not lack for web frameworks, from all-encompassing frameworkslike Django to"nanoframeworks" such as WebCore. A recent "sparetime" project caused me to look into options in the middle of this range ofchoices, which is where the Python "microframeworks" live. In particular,I tried out the Bottle and Flask microframeworks—and learned a lotin the process.Subscribers can read on for the full report by Jake Edge from this week'sedition.

GnuPG 2.2.17 has been released to mitigate attacks on keyservers. In particular, GPG willnow ignore all key-signatures received from keyservers by default.

Firefox 68.0 has been released, with an Extended Support Release (ESR)version available, in addition to the usual rapid release version. Therapid release version features a dark mode in reader view, improvedextension security and discovery, and more. See the releasenotes for details. The ESRrelease notes list some additional policies and other improvements.

Software in the Public Interest (SPI) has announcedthat nominations are open until July 15 for 3 seats on the SPIboard. "The ideal candidate will have an existing involvement in theFree and Open Source community, though this need not be with a projectaffiliated with SPI."

Security updates have been issued by Arch Linux (irssi, python-django, and python2-django), Debian (libspring-security-2.0-java and zeromq3), Red Hat (python27-python), SUSE (ImageMagick, postgresql10, python-Pillow, and zeromq), and Ubuntu (apport, Docker, glib2.0, gvfs, whoopsie, and zeromq3).

Fedora project leader Matthew Miller reassures the community that IBM'sacquisition of Red Hat, which just closed, will not affect Fedora. "In Fedora, our mission, governance, and objectives remain the same. RedHat associates will continue to contribute to the upstream in the sameways they have been."

The Android system has shipped a couple of allocators for DMA buffersover the years; first came PMEM, then itsreplacement ION. The ION allocator hasbeen in use since around 2012, but it remains stuck in the kernel's stagingtree. The work to add ION to the mainline started in 2013;at that time, the allocator had multiple issues that made inclusionimpossible. Recently, John Stultz posteda patch set introducing DMA-BUF heaps, an evolution of ION, that isdesigned to do exactly that — get the Android DMA-buffer allocator tothe mainline Linux kernel.

Konstantin Ryabitsev has posted alengthy blog entry describing his vision for moving away from email forkernel development. "I think it's way past due time for us to comeup with a solution that would offer decentralized, self-archiving, fullyattestable, 'cradle-to-grave' development platform that covers all aspectsof project development and not just the code. It must move us away frommailing lists, but avoid introducing single points of trust, authority, andfailure."

Security updates have been issued by Debian (dosbox, python-django, squid3, and unzip), Fedora (filezilla, libfilezilla, and samba), openSUSE (gvfs), Oracle (kernel), Red Hat (firefox and redhat-virtualization-host), SUSE (bash and libpng16), and Ubuntu (libvirt).