LWN.net

Security updates have been issued by Arch Linux (thunderbird), CentOS (firefox), openSUSE (chromium, firefox, GraphicsMagick, log4j, nodejs8, phpMyAdmin, singularity, and virglrenderer), Oracle (kernel), Red Hat (firefox), SUSE (man, nodejs10, openssl-1_1, and php7), and Ubuntu (php5, php7.0, php7.2, php7.3 and spamassassin).

The intersection of games with free and open-source software (FOSS) was thetopic of aminiconf on the first day of this year's linux.conf.au, which was held January13-17 in Gold Coast, Australia. As part of the miniconf, Bradley M. Kuhngave a talk that was well outside of his normal conference-talk fare:the game of poker and its relationship to FOSS. It turns out that he didsome side work on a FOSS-based poker site along the way, which failed bymost measures, but there was also an element of success to the project.The time for a successful FOSS poker project likely has passed at thispoint, but there are some lessons to be learned from the journey.

Stable kernels 5.4.12, 4.19.96, 4.14.165, 4.9.210, and 4.4.210 have been released with the usual setof important fixes.

Supporting network protocols at high speeds in pure software is gettingincreasingly difficult, with 25-100Gb/s interfaces available now and200-400Gb/s starting to show up. Packet processing at 100Gb/s must happen in 200 cycles or less, which doesnot leave much room for processing at the operating-systemlevel. Fortunately some operations can be performed by hardware,including checksum verification and offloading parts of the packet send andreceive paths.As modern hardware adds more functionality, new options arebecoming available. The 5.3 kernel includes a patch set from Pablo NeiraAyuso that addedsupport for offloading some packet filtering with netfilter. This patch set not only adds the offload support, but also performs a refactoring ofthe existing offload paths in the generic code and the network carddrivers. More work came in the following kernel releases. This seems like agood moment to review the recent advancements in offloading in the networkstack.

Security updates have been issued by Debian (wordpress and xen), Mageia (graphicsmagick, kernel, makepasswd, and unbound), openSUSE (containerd, docker, docker-runc,, dia, ffmpeg-4, libgcrypt, php7-imagick, proftpd, rubygem-excon, shibboleth-sp, tomcat, trousers, and xen), Oracle (firefox), Red Hat (kernel), Scientific Linux (firefox), SUSE (e2fsprogs, kernel, and libsolv, libzypp, zypper), and Ubuntu (libgcrypt20, libvirt, nginx, sdl-image1.2, and spamassassin).

Ars technica reportson the "Cable Haunt" vulnerability that afflicts a large number ofcable modems. "The first and most straightforward way is to serve malicious JavaScript that causes the browser to connect to the modem. Normally, a mechanism called cross-origin resource sharing prevents a Web application from one origin (such as malicious.example.com) from working on a different origin (such as 192.168.100.1, the address used by most or all of the vulnerable modems).Websockets, however, aren't protected by CORS, as the mechanism is usuallycalled. As a result, the modems will accept the remote JavaScript, therebyallowing attackers to reach the endpoint and serve it code." Thusfar, there doesn't seem to be any information out there on whether routersrunning OpenWrt are vulnerable.

Git 2.25 has been released. This blogpost looks at "partial clone support" and "sparse checkouts" as thesefeatures mature. "A clone of a Git repository copies all of its data: every version of every file in the history. For very large repositories, the cost of network transfer and local storage can make this awkward or even impossible, even if you're only interested in a subset of the files. In the past several versions, Git learned the ability to execute a "partial" clone, which means that it can now clone and work with repositories without having all of their contents.Partial clones are still considered an experimental feature from Git's point of view. For instance, many providers (such as GitHub) don't support this feature yet, and it's continually changing and evolving within Git from release to release."

Here is alongish blog entry from Mercurial maintainer Gregory Szorc on thepainful process of converting Mercurial to Python 3. "Ianticipate a long tail of random bugs in Mercurial on Python 3. While thetests may pass, our code coverage is not 100%. And even if it were, Pythonis a dynamic language and there are tons of invariants that aren't caughtat compile time and can only be discovered at run time. These invariantscannot all be detected by tests, no matter how good your test coverageis. This is a feature/limitation of dynamic languages. Our users willlikely be finding a long tail of miscellaneous bugs on Python 3 foryears."

Security updates have been issued by Arch Linux (file and firefox), Debian (apache-log4j1.2), Fedora (chromium, dovecot, GraphicsMagick, kubernetes, libvpx, makepasswd, matio, and slurm), Mageia (libtomcrypt, ming, oniguruma, opencv, pcsc-lite, phpmyadmin, and thunderbird), openSUSE (chromium, chromium, re2, and mozilla-nspr, mozilla-nss), Red Hat (chromium-browser, firefox, and rabbitmq-server), Slackware (mozilla), and SUSE (crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client, firefox, libzypp, and openssl-1_1).

The 5.5-rc6 kernel prepatch is out fortesting. "Let's see how things go. I do suspect that this ends upbeing one of those 'rc8' releases, not because things look particularly badright now, but simply because the holiday season has meant that both thetesting side and the development side have been quiet. But whoknows?"On the stable side,5.4.11,4.19.95,4.14.164,4.9.209, and4.4.209have all been released with another set of important fixes.

The 5.2 kernel saw the addition of an extensive new API for the mounting(and remounting) of filesystems; thisarticle covered an early version of that API. Since then, work in thisarea has mostly focused on enabling filesystems to support this API fully.James Bottomley has taken a look at this API as part of the job ofredesigning his shiftfs filesystem andfound it to be incomplete. What has followed is a significant set ofchanges that promise to simplify the mount API — though it turns out that"simple" is often in the eye of the beholder.

Security updates have been issued by Debian (ldm and sa-exim), Mageia (firefox), openSUSE (chromium, firefox, and thunderbird), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, firefox, log4j, nodejs10, nodejs12, and openssl-1_0_0), and Ubuntu (firefox).

Version 19.07.0 of the OpenWrt router distribution is available."With this release, the OpenWrt project brings all supported targets backto a single common kernel version and further refines and broadensexisting device support. It also introduces a new ath79 target andbrings support for WPA3." There are some known issues; read throughthe full announcement before updating.

Stable kernels 5.4.10, 5.4.9, 4.19.94, and 4.14.163 have been released. PowerPC usersshould update to 5.4.10 to get a missing patch. Other users can stay with5.4.9.

In response to a growing desire for ways to control groups of processesfrom user space, the kernel has added a number of mechanisms that allow oneprocess to operate on another. One piece that is currently missing,though, is the ability for a process to snatch a copy of an open filedescriptor from another. That gap may soon be filled, though, if the pidfd_getfd()system-call patch set from Sargun Dhillon is merged.

Security updates have been issued by Debian (firefox-esr), Fedora (firefox), Oracle (kernel), Slackware (firefox and kernel), SUSE (apache2-mod_perl, git, java-1_7_0-ibm, java-1_7_1-ibm, log4j, mariadb, and nodejs8), and Ubuntu (gnutls28, graphicsmagick, and nss).

Samuel Maddock writesthat the adoption of the "encrypted media extensions" by the World Wide WebConsortium has had just the sort of effect that people were worried about four years ago."No longer is it possible to build your own web browser capable ofconsuming some of the most popular content on the web. Websites likeNetflix, Hulu, HBO, and others require copyright content protection whichis only accessible through browser vendors who have license agreements withlarge corporations."

There is another Firefox release out there; thisadvisory suggests that updating quickly would be a good idea:"Incorrect alias information in IonMonkey JIT compiler for settingarray elements could lead to a type confusion. We are aware of targetedattacks in the wild abusing this flaw."

The LWN.net Weekly Edition for January 9, 2020 is available.

One of Guido van Rossum's last items of business as he finished his term on the inaugural steering council for Python was toreview the Python Enhancement Proposal (PEP) that proposes a new update and unionoperators for dictionaries. He would still seem to be in favor of the idea,but it will be up to the newly elected steeringcouncil and whoever the council chooses as the PEP-deciding delegate (i.e. BDFL-Delegate).Van Rossum provided some feedback on the PEP and, inevitably, the question of how to spell the operator returned, but thepath toward getting a decision on it is now pretty clear.

Security updates have been issued by Arch Linux (firefox), Debian (python-django and wordpress), Fedora (dovecot), Mageia (opensc, radare2, and varnish), Red Hat (rh-java-common-apache-commons-beanutils), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, java-1_8_0-ibm, java-1_8_0-openjdk, libzypp, openssl-1_0_0, sysstat, and tomcat), and Ubuntu (clamav, linux-azure, and linux-lts-xenial, linux-aws).

It has taken longer than anybody might have liked, but the IPv6 protocol isslowly displacing IPv4 across the Internet. A quick, highly scientific"grep the access logs" test shows that about 16% of the traffic toLWN.net is currently using IPv6, and many large corporate networks areusing IPv6 exclusively internally. This version of the IP protocol wasdesigned to be more flexible than IPv4 in a number of ways; the "extensionheader" mechanism is one way in which that flexibility is achieved. Aproposal to formalize extension-header processing in the kernel'snetworking stack has led to some concerns, though, about how this featurewill be used and what role Linux should play in its development.

Lars Ingebrigtsen providesdetails on the current status of the Gmane archive server and asks forfeedback on whether it is still useful. "Over the past few years,people have asked me what happened to Gmane, and I’ve mostly clasped myhands over my ears and gone 'la la la can’t hear you', because there’snothing about the story I’m now finally going to tell that I don’t findhighly embarrassing. I had hoped I could just continue that way until Idie, but perhaps it would be more constructive to actually tell peoplewhat’s going on instead of doing an ostrich impression." (Thanks toGiovanni Gherdovich).

Firefox 72.0 has been released. In this version Firefox’s EnhancedTracking Protection now blocks fingerprintingscripts. Also picture-in-picture video is available. See the releasenotes for the details of these features and other changes.

Security updates have been issued by Debian (nss and pillow), Red Hat (java-1.8.0-ibm and kernel), Slackware (firefox), SUSE (virglrenderer), and Ubuntu (linux, linux-aws, linux-aws-5.0, linux-azure, linux-gcp, linux-gke-5.0, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-kvm, linux-oracle, linux-raspi2, and linux-snapdragon).

The random-number generation facilities in the kernel have been reworkedsome over the past few months—but problems in that subsystem have beenaddressed over an even longer time frame. The most recent changes were made to stop the getrandom() system call fromblocking for long periods of time at system boot, but the underlying causewas the behavior of the blocking random pool. A recent patch set wouldremove that pool and it would seem to be headed for the mainline kernel.

Security updates have been issued by Fedora (chromium, cyrus-imapd, drupal7-l10n_update, drupal7-webform, htmldoc, nethack, php, and singularity), Mageia (advancecomp, apache-commons-compress, cyrus-imapd, cyrus-sasl, dia, freeimage, freeradius, igraph, jhead, jss, libdwarf, libextractor, libxml2, mediawiki, memcached, mozjs60, openconnect, openssl, putty, python-ecdsa, python-werkzeug, shadowsocks-libev, and upx), Oracle (container-tools:1.0 and container-tools:ol8), and Red Hat (kpatch-patch).

The 5.5-rc5 kernel prepatch has beenreleased. Linus added a note to the release announcement: "One sadpiece of news I got this past week was that Bruce Evans has passed away. Bruce wasn't really ever really much directlyinvolved in Linux development - he was active on the BSD side - but he wasthe developer behind Minix/i386, which was what I used for the originalLinux development in the very early days before Linux becameself-hosting."On the stable-update side,5.4.8,4.19.93,4.14.162,4.9.208, and4.4.208 are all available with another setof important fixes.

Anybody who has ever taken a numerical analysis course understands thatfloating-point arithmetic on computers is a messy affair. Even so, it iseasy to underestimate just how messy things can be. This topic came to thefore in an initially unrelated python-ideas mailing-list thread; whatshould the Python statisticsmodule do with floating-point values that are explicitly not numbers?

It is not all that often that the mainstream press looks at issues in the open-source world, but this article from The Atlantic does just that; it looks at the controversy surrounding GitHub renewing its contract with the US Immigration and Customs Enforcement (ICE) agency and the concerns some have had with their code being used by ICE. "So when news of GitHub’s contract with ICE emerged, its employees weren’t the only ones outraged. Because of the transitive nature of open source, volunteer developers—who host code on the site to share with others—may have unwittingly contributed to the code GitHub furnished for ICE, the agency responsible for enforcing immigration policy. Some were troubled by the idea that their code might in some way be used to help agents detain and deport undocumented migrants. But their outrage—and the backlash to it—reveals existential questions about the very nature of open source."

Security updates have been issued by Debian (netty) and Fedora (libssh, nethack, php, samba, and xen).

One of the advantages of the in-kernel BPF virtual machine is that it isfast. BPF programs are just-in-time compiled and run directly by the CPU,so there is no interpreter overhead. For many of the intended use cases,though, "fast" can never be quite fast enough. It is thus unsurprisingthat there are currently anumber of patch sets under development that are intended to speed up oneaspect or another of using BPF in the system. A few, in particular, seemabout ready to hit the mainline.

Over the holiday week, we missed the announcement of Ruby 2.7 on December 25. It is the most recent release of the Ruby programming language and was more than a year in development. There are quite a few new features including experimental pattern matching for case statements (more information can be found in these slides), a new compaction garbage collector for the heap, support for separating positional and keyword arguments, and plenty more.

Security updates have been issued by Red Hat (chromium-browser and rh-git218-git) and SUSE (java-1_8_0-ibm and openssl-1_1).

The LWN.net Weekly Edition for January 2, 2020 is available.

Python prides itself on being a newbie-friendly language; its developershave gone out of their way to try to ensure that easy tasks arestraightforward to program. A recent discussion on the python-ideasmailing list looked at a use case that is common, but often implemented in aninefficient, incorrect fashion, with an eye toward making it easier to docorrectly. Finding the first match for a regular expression in a body oftext is where the conversation started, but it went in some otherinteresting directions as well.

January 1, 2020 marks the beginning of a new year and a new decade. Manythings will doubtless change over the course of this year in thefree-software community and beyond, while others will remain the same. One thing that will certainlyhold true is LWN's tradition of starting the new year with some ill-advisedpredictions about what may be in store. Your editor has no special vision,but neither does he fear being proved badly wrong in a public setting —it's all in a day's work.

Security updates have been issued by Debian (igraph, jhead, libgcrypt20, otrs2, and waitress) and Mageia (clamaw, exiv2, filezilla, hunspell, libidn2, pdfresurrect, roundcubemail, and xpdf).

A proposal to periodically run the fstrimcommand on Fedora 32 systems was discussed recently on the Fedoradevel mailing list.fstrim is used to cause a filesystem to inform the underlyingstorage of unused blocks, which can help SSDs and other types of blockdevices perform better.There were a number of questions and concerns raised,including whether to change the behavior of earlier versions of thedistribution when they get upgraded and if the kernel should be responsiblefor handling the whole problem.

Stable kernels 5.4.7, 4.19.92, and 4.14.161 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Debian (intel-microcode and libbsd), openSUSE (chromium, LibreOffice, and spectre-meltdown-checker), and SUSE (mozilla-nspr, mozilla-nss and python-azure-agent).

Security updates have been issued by Debian (debian-lan-config, freeimage, imagemagick, libxml2, mediawiki, openssl1.0, php5, and tomcat8).

The results from the Debian general resolutionvote on init systems are in; the project's developers chose the option titled "Systemd but wesupport exploring alternatives". It makes systemd into the preferredinit system, and allows packages to use systemd-specific features;packagers are not required to support other init systems, but support forother systems is encouraged where it is practical.

The 5.5-rc4 kernel prepatch is out fortesting. "To absolutely nobody's surprise, last week was very quietindeed. It's hardly even worth making an rc release, but there are _some_fixes in here, so here's the usual weekly Sunday afternoon rc."

Matthew Garrett worksout how to avoid being recorded by "Ring" door cameras in his apartmentbuilding. "The most interesting one here is the deauthenticationframe that access points can use to tell clients that they're no longerwelcome. These can be sent for a variety of reasons, including resourceexhaustion or authentication failure. And, by default, they're entirelyunprotected. Anyone can inject such a frame into your network and causeclients to believe they're no longer authorised to use the network, atwhich point they'll have to go through a new authentication cycle - andwhile they're doing that, they're not able to send any otherpackets."

Security updates have been issued by SUSE (dia, kernel, and libgcrypt).

One of the first uses of the BPF virtualmachine outside of networking was to implement access-control policiesfor the seccomp()system call. Since then, though, the role of BPF in the security area hasnot changed much in the mainline kernel, even though BPF has evolvedconsiderably from the "classic" variant still used with seccomp()to the "extended" BPF now supported by the kernel. That has not been for alack of trying, though. The out-of-tree Landlock security module was covered here over three years ago. We also looked at the kernel runtime securityinstrumentation (KRSI) patch set in September. KP Singh has posted a newKRSI series, so the time seems right for a closer look.

Andrew 'bunnie' Huang has posted a detailed article onwhy creating trustable hardware is so difficult and describing a projecthe's working on to do it anyway. "While open hardware has the opportunity toempower users to innovate and embody a more correct and transparent designintent than closed hardware, at the end of the day any hardware ofsufficient complexity is not practical to verify, whether open orclosed. Even if we published the complete mask set for a modernbillion-transistor CPU, this 'source code' is meaningless without apractical method to verify an equivalence between the mask set and the chipin your possession down to a near-atomic level without simultaneouslydestroying the CPU."

Security updates have been issued by CentOS (firefox, fribidi, nss, nss-softokn, nss-util, openslp, and thunderbird), Debian (opensc), and Mageia (389-ds-base, apache, apache-mod_auth_openidc, kernel, libofx, microcode, php, and ruby).

Security updates have been issued by CentOS (freetype, kernel, nss, nss-softokn, nss-util, and thunderbird), Mageia (ghostpcl, libmirage, and spamassassin), Oracle (fribidi), and SUSE (mariadb-100, shibboleth-sp, and slurm).