LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-09-14 05:15
Security updates for Tuesday
Security updates have been issued by CentOS (kernel), Debian (libjpeg-turbo, liblivemedia, neutron, and otrs2), Fedora (SDL), Gentoo (ntp), openSUSE (java-1_8_0-openjdk), Red Hat (cloud-init), Slackware (libssh2), SUSE (libssh2_org, nodejs10, and nodejs8), and Ubuntu (tiff).
Python 3.5.7 and 3.4.10 released
Python versions 3.5.7 and 3.4.10 have been released. Both are in "security fixes only" mode and are source-only releases. This is the final release in the Python 3.4 series. The 3.4 branch has been retired, "no further changes to 3.4 will be accepted, and no new releases will be made."
Solus 4 "Fortitude" released
Version 4 of the Solus distribution has been released. "We are proud to announce the immediate availability of Solus 4 Fortitude, a new major release of the Solus operating system. This release delivers a brand new Budgie experience, updated sets of default applications and theming, and hardware enablement." LWN reviewed Solus in 2016.
Security updates for Monday
Security updates have been issued by Debian (ikiwiki, liblivemedia, linux-4.9, rdflib, and sqlalchemy), Fedora (advancecomp, kubernetes, mingw-poppler, and php), Mageia (ikiwiki), openSUSE (chromium, file, and sssd), Red Hat (ansible, openstack-ceilometer, and openstack-octavia), Scientific Linux (kernel), SUSE (galera-3, mariadb, mariadb-connector-c, java-1_8_0-ibm, kernel, nodejs10, openwsman, wireshark, and yast2-rmt), and Ubuntu (file, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, and linux-lts-xenial, linux-aws).
[$] 5.1 Merge window part 2
By the time that 5.1-rc1 was released and the 5.1 merge window ended, 11,241 non-merge changesets had been pulled into the mainline repository. Of those, just over 5,000 were pulled since the first 5.1 merge-window summary. It often happens that the biggest changes are pulled early, with the emphasis shifting to fixes by the end of the merge window; this time, though, some of the most significant features were saved for last.
Kernel prepatch 5.1-rc1
Linus has released 5.1-rc1 and closed the merge window for this development cycle. "A somewhat recent development is how the tools/testing/ updates have been quite noticeable lately. That's not new to the 5.1 merge window, it's been going on for a while, but it's maybe just worth a mention that we have more new selftest changes than we have architecture updates, for example. The documentation subdirectory is also quite noticeable."
KNOPPIX 8.5.0 released
Remember the KNOPPIX distribution? KNOPPIX 8.5.0 has been released. It includes a 4.20 kernel, several desktop environments, the ADRIANE audio desktop, UEFI secure boot support, and more.
[$] Federated blogging with WriteFreely
Your editor has never been a prolific blogger; a hard day in the LWN salt mines tends to reduce the desire to write more material for the net in the scarce free time that remains. But, still, sometimes the desire to post something that is not on-topic for LWN arises. Google+ has served as the outlet for such impulses in recent years, but Google has, in its wisdom, decided to discontinue that service. That leaves a bereft editor searching for alternatives for those times when the world simply has to hear his political opinions or yet another air-travel complaint, preferably one that won't vanish at the whim of some corporation. Recently, a simple blog-hosting system called WriteFreely came to light; it offers a platform that just might serve as a substitute for centralized offerings.
SUSE completes its management transition
Here's a SUSE press release hyping its transition to being "the largest independent open-source company". "As it has for more than 25 years, SUSE remains committed to an open source development and business model and to actively participating in communities and projects to bring open source innovation to the enterprise as high-quality, reliable and usable solutions. This truly open, open source model refers to the flexibility and freedom of choice provided to customers and partners to create best-of-breed solutions that combine SUSE technologies with other products and technologies in their IT landscape through open standards and at different levels in their architecture, without forcing a locked-in stack."
Haller: WireGuard in NetworkManager
Thomas Haller writes about the WireGuard integration in NetworkManager 1.16. "NetworkManager provides a de facto standard API for configuring networking on the host. This allows different tools to integrate and interoperate — from cli, tui, GUI, to cockpit. All these different components may now make use of the API also for configuring WireGuard. One advantage for the end user is that a GUI for WireGuard is now within reach." (See this article for more information on WireGuard.)
Debian project leader candidates emerge
When Leaderless Debian was written, it seemed entirely plausible that there would still be no candidates for the project leader office even after the extended nomination deadline passed. It is now clear that there will be no need to extend the deadline further, since three candidates (Joerg Jaspert, Jonathan Carter, and Sam Hartman) have stepped forward. It seems likely that the wider discussion on the role of the Debian project leader will continue but, in the meantime, the office will not sit empty. Update: nominations from Martin Michlmayr and Simon Richter also came in before the deadline, so this year's election will be a five-way race.
Security updates for Friday
Security updates have been issued by Fedora (mingw-poppler and php), Mageia (apache, gnome-keyring, gnupg2, hiawatha, and rsyslog), openSUSE (libcomps and obs-service-tar_scm), and Ubuntu (libvirt and linux-lts-trusty).
GNOME 3.32 released
The GNOME project has released GNOME 3.32, which is code named "Taipei". "This release brings a refreshed visual style, new icons, the demise of the 'application menu' and a new on-screen keyboard, among other things. Improvements to core GNOME applications include a shell extension for desktop icons, improved automation and reader mode in GNOME Web, an 'Application Permissions' panel, and many more." In addition, there is an experimental option for fractional scaling, improvements to GNOME Software, and more. See the release notes for more information.
Five new stable kernels
Greg Kroah-Hartman has announced the release of the 5.0.2, 4.20.16, 4.19.29, 4.14.106, and 4.9.163 stable kernels. All contain the usual pile of important fixes; users of those series should upgrade.
[$] The creation of the io.latency block I/O controller
Sharing a disk between users in Linux is awful. Different applications have different I/O patterns, they have different latency requirements, and they are never consistent. Throttling can help ensure that users get their fair share of the available bandwidth but, since most I/O is in the writeback path, it's often too late to throttle without putting pressure elsewhere on the system. Disks are all different as well. You have spinning rust, solid-state devices (SSDs), awful SSDs, and barely usable SSDs. Each class of device has its own performance characteristics and, even in a single class, they'll perform differently based on the workload. Trying to address all of these issues with a single I/O controller was tricky, but we at Facebook think that we have come up with a reasonable solution.
Security updates for Thursday
Security updates have been issued by Arch Linux (chromium), Debian (libsdl1.2 and libsdl2), Fedora (firefox), Gentoo (bind, glibc, openssl, oracle-jdk-bin, webkit-gtk, and xrootd), Mageia (kernel), openSUSE (freerdp, mariadb, and obs-service-tar_scm), Oracle (openssl), Red Hat (kernel, kernel-rt, openstack-ceilometer, openstack-octavia, and tomcat), Scientific Linux (cockpit, openssl, and tomcat), and SUSE (java-1_7_1-ibm and mariadb).
[$] LWN.net Weekly Edition for March 14, 2019
The LWN.net Weekly Edition for March 14, 2019 is available.
[$] Turris: secure open-source routers
The Czech Republic top-level domain registrar, CZ.NIC, wondered about the safety of home routers, so it set out to gather some information on the prevalence of attacks against them. It turns out that one good way to do that is to create a home router that logs statistics and other information. Michal Hrušecký from CZ.NIC came to the 2019 Southern California Linux Expo (SCALE 17x) in Pasadena, CA to describe the experiment and how it grew into a larger project that makes and sells open-source routers.
[$] Python dictionary "addition" and "subtraction"
A proposal to add a new dictionary operator for Python has spawned a PEP and two large threads on the python-ideas mailing list. To a certain extent, it is starting to look a bit like the "PEP 572 mess"; there are plenty of opinions on whether the feature should be implemented and how it should be spelled, for example. As yet, there has been no formal decision made on how the new steering council will be handling PEP pronouncements, though a review of open PEPs is the council's "highest priority". This PEP will presumably be added into the process; it is likely too late to be included in Python 3.8 even if it were accepted soon, so there is plenty of time to figure it all out before 3.9 is released sometime in 2021.
Security updates for Wednesday
Security updates have been issued by Debian (libsndfile, systemd, waagent, and xmltooling), Fedora (guacamole-server, postgresql-jdbc, and xen), Oracle (cockpit and kernel), Red Hat (cockpit, docker, kernel-alt, and openssl), SUSE (ceph, java-1_7_0-ibm, java-1_7_1-ibm, openssl-1_0_0, python-azure-agent, python-numpy, and supportutils), and Ubuntu (kernel, php5, and walinuxagent).
Cook: security things in Linux v5.0
Kees Cook reviews some of the security-related enhancements in the 5.0 kernel. "While the C language has a statement to indicate the end of a switch case ('break'), it doesn't have a statement to indicate that execution should fall through to the next case statement (just the lack of a 'break' is used to indicate it should fall through — but this is not always the case), and such 'implicit fall-through' may lead to bugs. Gustavo Silva has been the driving force behind fixing these since at least v4.14, with well over 300 patches on the topic alone (and over 20 missing break statements found and fixed as a result of the work). The goal is to be able to add -Wimplicit-fallthrough to the build so that the kernel will stay entirely free of this class of bug going forward. From roughly 2300 warnings, the kernel is now down to about 200. It's also worth noting that with Stephen Rothwell's help, this bug has been kept out of linux-next by him sending warning emails to any tree maintainers where a new instance is introduced (for example, here's a bug introduced on Feb 20th and fixed on Feb 21st)."
The Linux Foundation's CommunityBridge platform
The Linux Foundation has announced a new initiative called CommunityBridge; its purpose is to help with funding and support for open-source developers. It includes some security-related services and a means for connecting developers with mentors. The program is in an "early access" mode for now. The Linux Foundation is not the first to provide such services, of course; see this statement from the Software Freedom Conservancy for its take on this new initiative.
[$] Motivations and pitfalls for new "open-source" licenses
One of the bigger developments of the last year has been the introduction of licenses that purport to address perceived shortcomings in existing free and open-source software licenses. Much has been said and written about them, some of it here, and they are clearly much on the community's mind. At FOSDEM 2019, Michael Cheng gave his view on the motivations for the introduction of these licenses, whether they've been effective in addressing those motivations, what unintended consequences they may also have had, and the need for the community to develop some ground rules about them going forward.
Security updates for Tuesday
Security updates have been issued by Arch Linux (pacman), CentOS (java-1.7.0-openjdk), Debian (zabbix), Fedora (kernel-headers), openSUSE (libcomps), Oracle (kernel), Red Hat (chromium-browser), SUSE (ovmf and qemu), and Ubuntu (tiff).
[$] Leaderless Debian
One of the traditional rites of the (northern hemisphere) spring is the election for the Debian project leader. Over a six-week period, interested candidates put their names forward, describe their vision for the project as a whole, answer questions from Debian developers, then wait and watch while the votes come in. But what would happen if Debian were to hold an election and no candidates stepped forward? The Debian project has just found itself in that situation and is trying to figure out what will happen next.
Announcing the release of sway 1.0
Drew DeVault has announced the first stable release of sway, an i3-compatible Wayland desktop for Linux and FreeBSD. "Sway 1.0 adds a huge variety of features which were sorely missed on 0.x, improves performance in every respect, offers a more faithful implementation of Wayland, and exists as a positive political force in the Wayland ecosystem pushing for standardization and cooperation among Wayland projects."
Introducing Season of Docs
Google Open Source has announced Season of Docs. "During Season of Docs, technical writers will spend a few months working closely with open source communities. Each writer works with their chosen open source project. The writers bring their expertise to the projects' documentation while at the same time learning about open source and new technologies. Mentors from participating open source organizations share knowledge of their communities' processes and tools. Together the technical writers and mentors build a new doc set, improve the structure of the existing docs, develop a much-needed tutorial, or improve contribution processes and guides." Open source organizations may apply to take part in Season of Docs starting April 2.
SPI annual report
Software in the Public Interest has released its annual report [PDF] for 2018. "During the current board term SPI continues to strive for self-improvement and renewal. Treasury team sprints, bank visits, and legal consultations during in-person meetings have helped keep the wheels turning. An overhaul of our corporate bylaws that better meets our needs is being presented to the members for their approval. And we have improved our reimbursement workflow with a view toward speedier and smoother processing."
Security updates for Monday
Security updates have been issued by CentOS (polkit), Debian (chromium, openjpeg2, php7.0, poppler, and symfony), Fedora (evolution, kernel, and kernel-headers), Gentoo (curl, firefox, keepalived, rdesktop, systemd, tar, wget, and zsh), openSUSE (gdm and hiawatha), Slackware (ntp), SUSE (audit, containerd, docker, docker-runc, golang-github-docker-libnetwork, runc, file, java-1_8_0-openjdk, mariadb, openssl-1_0_0, and sssd), and Ubuntu (poppler).
Some weekend stable kernel updates
The 5.0.1, 4.20.15, and 4.19.28 stable kernel updates have been released; each contains the usual set of important fixes.
[$] 5.1 Merge window part 1
As of this writing, 6,135 non-merge changesets have been pulled into the mainline repository for the 5.1 release. That is approximately halfway through the expected merge-window volume, which is a good time for a summary. A number of important new features have been merged for this release; read on for the details.
Security updates for Friday
Security updates have been issued by Fedora (php-typo3-phar-stream-wrapper2), Mageia (gnutls, nagios, openssl, and python-gnupg), openSUSE (apache2, ceph, chromium, openssh, and webkit2gtk3), and Ubuntu (nvidia-graphics-drivers-390).
Malcolm: Usability improvements in GCC 9
David Malcolm writes about improved diagnostics and more in the GCC 9 release. "Speaking of annotations, this example shows another new GCC 9 feature: diagnostics can label regions of the source code to show pertinent information. Here, what's most important are the types of the left-hand and right-hand sides of the '+' operator, so GCC highlights them inline. Notice how the diagnostic also uses color to distinguish the two operands from each other and the operator."
[$] Controlling device peer-to-peer access from user space
The recent addition of support for direct (peer-to-peer) operations between PCIe devices in the kernel has opened the door for different use cases. The initial work concentrated on in-kernel support and the NVMe subsystem; it also added support for memory regions that can be used for such transfers. Jérôme Glisse recently proposed two extensions that would allow the mapping of those regions into user space and mapping device files between two devices. The resulting discussion surprisingly led to consideration of the future of core kernel structures dealing with memory management.
Security updates for Thursday
Security updates have been issued by openSUSE (amavisd-new, apache2, and containerd, docker, docker-runc), Red Hat (java-1.7.1-ibm and java-1.8.0-ibm), and Ubuntu (linux, linux-azure, linux-gcp, linux-kvm, linux-raspi2, linux-hwe, linux-azure, and php5, php7.0).
[$] LWN.net Weekly Edition for March 7, 2019
The LWN.net Weekly Edition for March 7, 2019 is available.
[$] The Thunderclap vulnerabilities
It should come as no surprise that plugging untrusted devices into a computer system can lead to a wide variety of bad outcomes—though often enough it works just fine. We have reported on a number of these kinds of vulnerabilities (e.g. BadUSB in 2014) along the way. So it will not shock readers to find out that another vulnerability of this type has been discovered, though it may not sit well that, even after years of vulnerable plug-in buses, there are still no solid protections against these rogue devices. This most-recent entrant into this space targets the Thunderbolt interface; the vulnerabilities found have been dubbed "Thunderclap".
Maru 0.6 released
The Maru distribution adds a full Linux desktop to Android devices; it was reviewed here in 2016. The 0.6 release is now available. Changes include a rebase onto LineageOS and Debian 9, and the ability to stream the desktop to a Chromecast device.
[$] A container-confinement breakout
The recently announced container-confinement breakout for containers started with runc is interesting from a few different perspectives. For one, it affects more than just runc-based containers as privileged LXC-based containers (and likely others) are also affected, though the LXC-based variety are harder to compromise than the runc ones. But it also, once again, shows that privileged containers are difficult—perhaps impossible—to create in a secure manner. Beyond that, it exploits some Linux kernel interfaces in novel ways and the fixes use a perhaps lesser-known system call that was added to Linux less than five years back.
Stable kernel updates
Stable kernels 4.20.14, 4.19.27, 4.14.105, and 4.9.162 have been released. They all contain the usual set of important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by CentOS (java-1.7.0-openjdk and java-11-openjdk), Debian (mumble and sox), Fedora (drupal7, drupal7-link, firefox, gpsd, ignition, ming, php-erusev-parsedown, and php-Smarty), openSUSE (hiawatha, python, and supportutils), Oracle (java-1.7.0-openjdk), Red Hat (java-1.7.0-openjdk), Scientific Linux (java-1.7.0-openjdk), and Ubuntu (linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-oracle, linux-raspi2 and linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle).
[$] Source-code access for the long haul
Corporations that get their feet wet in the sea of free software often find out that not only do they now have obligations to provide source code, but that people will actually try to access it and complain loudly if they can't get it. At the first Copyleft Conference, Alexios Zavras from Intel spoke alongside Stefano Zacchiroli from Software Heritage about how the two organizations are working together. Software Heritage's mission makes it ideally suited to host Intel's many source-code releases in a way that provides stable long-term repositories that Intel can then reference.
[$] Two topics in user-space access
Kernel code must often access data that is stored in user space. Most of the time, this access is uneventful, but it is not without its dangers and cannot be done without exercising due care. A couple of recent discussions have made it clear that this care is not always being taken, and that not all kernel developers fully understand how user-space access should be performed. The good news is that kernel developers are currently working on a set of changes to make user-space access safer in the future.
Security updates for Tuesday
Security updates have been issued by Debian (nss), openSUSE (procps), Red Hat (redhat-virtualization-host, rhvm-appliance, and vdsm), SUSE (freerdp, kernel, and obs-service-tar_scm), and Ubuntu (openssh).
Rosenzweig: The federation fallacy
Here's a lengthy piece from Alyssa Rosenzweig on preserving freedom despite the inevitable centralization of successful information services. "Indeed, it seems all networked systems tend towards centralisation as the natural consequence of growth. Some systems, both legitimate and illegitimate, are intentionally designed for centralisation. Other systems, like those in the Mastodon universe, are specifically designed to avoid centralisation, but even these succumb to the centralised black hole as their user bases grow towards the event horizon."
Security updates for Monday
Security updates have been issued by Arch Linux (chromium, file, gdm, lib32-openssl-1.0, openssl-1.0, and pcre), Debian (advancecomp, ceph, jackson-databind, openssh, and openssl), Fedora (community-mysql, distcc, freerdp, gdm, gnome-boxes, libexif, openocd, pidgin-sipe, remmina, SDL, and xpdf), openSUSE (kernel-firmware and php5), Oracle (java-1.8.0-openjdk and java-11-openjdk), Slackware (infozip and python), and SUSE (caasp-container-manifests, changelog-generator-data-sles12sp3-velum, kubernetes-salt, rubygem-aes_key_wrap, rubygem-json-jwt, sles12sp3-velum-image, velum and gdm).
The 5.0 kernel has been released.
Linus has released the 5.0 kernel. "But I'd like to point out (yet again) that we don't do feature-based releases, and that "5.0" doesn't mean anything more than that the 4.x numbers started getting big enough that I ran out of fingers and toes." Headline features from this release include the energy-aware scheduling patch set, a bunch of year-2038 work that comes close to completing the core-kernel transition, zero-copy networking for UDP traffic, the Adiantum encryption algorithm, the seccomp trap to user space mechanism, and, of course, lots of new drivers and fixes. See the KernelNewbies 5.0 page for lots of details.
[$] A kernel unit-testing framework
For much of its history, the kernel has had little in the way of formal testing infrastructure. It is not entirely an exaggeration to say that testing is what the kernel community kept users around for. Over the years, though, that situation has improved; internal features like kselftest and services like the 0day testing system have increased our test coverage considerably. The story is unlikely to end there, though; the next addition to the kernel's testing arsenal may be a unit-testing framework called KUnit.
Security updates for Friday
Security updates have been issued by Debian (bind9, file, ikiwiki, ldb, openssl1.0, php7.0, uw-imap, and wordpress), Fedora (ansible, file, flatpak, kernel, kernel-headers, and python-django), openSUSE (kernel and systemd), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (openssl-1_1 and webkit2gtk3), and Ubuntu (libgd2).
Why CLAs aren't good for open source (Opensource.com)
Over at Opensource.com, Richard Fontana argues that contributor license agreements (CLAs) are not particularly useful or helpful for open-source projects. "Since CLAs continue to be a minority practice and originate from outside open source community culture, I believe that CLA proponents should bear the burden of explaining why they are necessary or beneficial relative to their costs. I suspect that most companies using CLAs are merely emulating peer company behavior without critical examination. CLAs have an understandable, if superficial, appeal to risk-averse lawyers who are predisposed to favor greater formality, paper, and process regardless of the business costs." He goes on to look at some of the arguments that CLA proponents make and gives his perspective on why they fall short.