LWN.net

Kernel developers are used to having to defend their work when posting itto the mailing lists, so when a longtime kernel developer describes theirown work as "expensive and nasty", one tends to wonder what is going on. The patch set in question is corescheduling from Peter Zijlstra. It is intended to make simultaneousmultithreading (SMT) usable on systems where cache-based side channels area concern, but even its author is far from convinced that it shouldactually become part of the kernel.

Security updates have been issued by Debian (gpac, qemu, and sox), openSUSE (libqt5-qtbase), Red Hat (java-1.8.0-openjdk and java-11-openjdk), SUSE (bluez), and Ubuntu (nss and openssl, openssl1.0).

The LWN.net Weekly Edition for February 28, 2019 is available.

A report of a potential security problem in the GNU Multiple Precision Arithmetic (GMP)library was met with a mixed reaction, from skepticism to responses verging on hostility, but the report ultimatelyraised a question worth pondering. What role should assertions(i.e. calls to the POSIX assert()macro)play in error handling? An assertion that fails leads to a process exit, which may not be what adeveloper calling into a library expects. Unexpected behavior is, ofcourse, one step on a path that can lead to security holes.

With the uptake of Python 3 (and the imminent end of life forPython 2.7), there is a question ofwhich version of Python a user should get when they type "python"at the command line or have it as part of a shebang("#!") line in a script. Back in 2011, PEP 394 ("The'python' Command on Unix-Like Systems") was created as an informational PEPthat relayed the recommendations of the Python core developers to Linuxdistributions and others in a similar position about which versionto point python to. Now, Petr Viktorin, one of the authors of thePEP, would like to revisitthose recommendations, which is something that is suggestedin the PEP itself.

Stable kernels 4.20.13, 4.19.26, 4.14.104, and 4.9.161 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Arch Linux (elasticsearch and logstash), CentOS (java-1.8.0-openjdk, kernel, and polkit), Debian (chromium, exiv2, and phpmyadmin), Fedora (java-1.8.0-openjdk-aarch32 and mgetty), openSUSE (docker-runc, gvfs, qemu, systemd, and thunderbird), Oracle (java-1.8.0-openjdk, kernel, and polkit), Red Hat (polkit), Scientific Linux (java-1.8.0-openjdk, kernel, and polkit), Slackware (openssl), SUSE (amavisd-new, apache2, ceph, containerd, docker, docker-runc, golang-github-docker-libnetwork, runc, openssh, and webkit2gtk3), and Ubuntu (firefox and thunderbird).

The venerable printk() function has been part of Linux since the verybeginning, though it has undergone a fair number of changes along the way.Now, John Ogness is proposing to fundamentally rework printk() inorder to get rid of handful of issues that currently plague it. The proposed code does thisby adding yet another ring-buffer implementation to the kernel; this one is aimed atmaking printk() work better from hard-to-handle contexts. Fora task that seems conceptually simple—printing messages to theconsole—printk() is actually a rather complex beast; that won'tchange if these patches are merged, though many of the problems with the current implementationwill be removed.

Security updates have been issued by Arch Linux (bind, kibana, systemd, and thunderbird), Debian (elfutils and liblivemedia), Fedora (kernel, kernel-headers, kernel-tools, and SDL), openSUSE (dovecot23, firefox, kauth, python-Jinja2, python-numpy, and thunderbird), Red Hat (java-1.8.0-openjdk and kernel), SUSE (python, python-amqp, python-oslo.messaging, python-ovs, python-paramiko, python-psql2mysql, qemu, and supportutils), and Ubuntu (ghostscript, gnome-keyring, and ldb).

Version 1.12 of the Golanguage has been released. "Some of the highlights includeopt-in support for TLS 1.3, improved modules support (in preparation forbeing the default in Go 1.13), support for windows/arm, and improved macOS& iOS forwards compatibility". See the release notes for details.

Concurrency is hard even when the hardware's behavior is entirelydeterministic; it gets harder in situations where operations can bereordered in seemingly random ways. In these cases, developers tend toreach for barriers as a way of enforcing ordering, but explicit barriersare tricky to use and are often not the best way to think about theproblem. It is thus common to see explicit barriers removed as codematures. That now seems to be happening with an especially obscuretype of barrier used with memory-mapped I/O (MMIO) operations.

Git v2.21.0 has been released. "It is comprised of 500 non-mergecommits since v2.20.0, contributed by 74 people, 20 of which are newfaces." The release notes are included in the announcement.

Version 8.3 of the GNU Compiler Collection has been released. "GCC8.3 is a bug-fix release from the GCC 8 branch containing important fixesfor regressions and serious bugs in GCC 8.2 with more than 153 bugs fixedsince the previous release."

Security updates have been issued by Arch Linux (msmtp and python-mysql-connector), Debian (freedink-dfarc, rssh, sox, and waagent), Fedora (docker-latest, java-1.8.0-openjdk, koji, pagure, poppler, and spice), openSUSE (ansible, GraphicsMagick, mosquitto, pspp, spread-sheet-widget, and python-python-gnupg), Red Hat (chromium-browser), Slackware (file), SUSE (kernel, python-Django, qemu, and thunderbird), and Ubuntu (bind9).

Anybody expecting the 5.0 kernel to come out today will have beendisappointed; Linus released 5.0-rc8instead. "This may be totally unnecessary, but we actually had morepatches come in this last week than we had for rc7, which just didn't makeme feel the warm and fuzzies. And while none of the patches looked all thatscary, some of them were to pretty core files, so it wasn't all just randomrare drivers (although those kinds also existed)."

The latest updates from the stable kernel machine are4.20.12,4.19.25,4.14.103,4.9.160,4.4.176, and3.18.136.Each contains a relatively small set of important fixes.

Linus Torvalds once famously saidthat there is no design behind the Linux kernel. That may be true, butthere are still some guiding principles behind the evolution of the kernel;one of those, to date, has been that the kernel does not recognize"containers" as objects in their own right. Instead, the kernel providesthe necessary low-level features, such as namespaces and control groups, toallow user space to create its own container abstraction. This refusal todictate the nature of containers has led to a diverse variety of containermodels and a lot of experimentation. But that doesn't stop those who wouldstill like to see the kernel recognize containers as first-classkernel-supported objects.

Security updates have been issued by Mageia (libreoffice, libtiff, spice, and spice-gtk), openSUSE (build, mosquitto, and nodejs6), Red Hat (firefox, flatpak, and systemd), Scientific Linux (firefox, flatpak, and systemd), SUSE (kernel-firmware and texlive), and Ubuntu (bind9 and ghostscript).

The Linux Foundation has announced the formation of the Enabling Linux in Safety Applications (ELISA) project to create tools and processes for companies to use to build and certify safety-critical Linux applications. "Building off the work being done by SIL2LinuxMP project and Real-Time Linux project, ELISA will make it easier for companies to build safety-critical systems such as robotic devices, medical devices, smart factories, transportation systems and autonomous driving using Linux. Founding members of ELISA include Arm, BMW Car IT GmbH, KUKA, Linutronix, and Toyota.To be trusted, safety-critical systems must meet functional safety objectives for the overall safety of the system, including how it responds to actions such as user errors, hardware failures, and environmental changes. Companies must demonstrate that their software meets strict demands for reliability, quality assurance, risk management, development process, and documentation. Because there is no clear method for certifying Linux, it can be difficult for a company to demonstrate that their Linux-based system meets these safety objectives."

The announcement of the 5.0-rc7 kernelprepatch on February 17 signaled the imminent release of the final 5.0kernel and the end of this development cycle. 5.0, as it turns out,brought in fewer changesets than its immediate predecessors, but it wasstill a busy cycle with a lot of developers participating. Read on for anoverview of where the work came from in this release cycle.

Security updates have been issued by CentOS (firefox, flatpak, and systemd), Fedora (createrepo_c, dnf, dnf-plugins-core, dnf-plugins-extras, docker, libcomps, libdnf, and runc), Mageia (giflib, irssi, kernel, kernel-linus, libexif, poppler, tcpreplay, and zziplib), and SUSE (php5, procps, and qemu).

The LWN.net Weekly Edition for February 21, 2019 is available.

On his blog, Karim Yaghmour writes about an experimental social network that he and a colleague cobbled together using Git. While it is simply a proof of concept at this point, he is looking for feedback and, perhaps, collaborators to take it further. "It turns out that git has practically everything that's needed to act both as storage and protocol for a social network. Not only that, but it's very well-known within and used, deployed and maintained in the circles I navigate, it scales very well (see github), it's used for critical infrastructure (see kernel.org), it provides history, it's distributed by nature, etc. It's got *almost* everything, but not quite everything needed.So what's missing from git? A few basic things that it turns out aren't very hard to take care of: ability to 'follow', getting followee notifications, 'commenting' and an interface for viewing feeds. And instead of writing a whole online treatise of how this could be done, I asked my colleague Francois-Denis Gonthier to implement a proof and concept of this that we called 'gitgeist' and just published on github [https://github.com/opersys/gitgeist-poc]."

These days applications are generally moving away from the desktop andtoward the mobile space. But taking a multi-platform desktop application and addingtwo mobile platforms into the mix is difficult to do, as Dirk Hohndeldescribed in his linux.conf.au2019 talk. Hohndel maintains the Subsurface dive log application,which has added mobile support over the past few years; he wanted to explain the processthat the project went through to support all of those platforms.As the subtitle of the talk, "Developing for multiple platforms withoutlosing your mind", indicates, it is a hard problem to solve sanely.

Stable kernels 4.20.11, 4.19.24, 4.14.102, 4.9.159, 4.4.175, and 3.18.135 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Debian (ansible, drupal7, and systemd), Fedora (botan2, ceph, and firefox), Oracle (firefox, flatpak, and systemd), Red Hat (firefox), SUSE (gvfs, kernel, libqt5-qtbase, python-numpy, and qemu), and Ubuntu (gdm3).

The digiKam team has announcedthe release of digiKam 6.0.0. New features include full support ofvideo files management working as photos; an integration of allimport/export web-service tools in LightTable, Image editor, and Showfoto;raw file decoding engine supporting new cameras; similarity data is nowstored in a separate file; simplified web-service authentication usingOAuth protocol; and more.

When patents and free software crop up together, theusual question is about patent licensing. Patent exhaustion —the principle that patent rights don't reach past the firstsale of a product — is muchless frequently discussed. At FOSDEM 2019,US lawyer Van Lindberg argued that several US courtdecisions related to exhaustion, most of them recent but some less so,could come togetherto have surprising beneficial effects for free software. He was clear that theargument applied only in the US but, since court systems tend tolook to each other for consistency's sake, and because Lindberg is anengaging speaker, the talk was of great interest even in Brussels.

Security updates have been issued by Debian (chromium, rdesktop, rssh, systemd, and uriparser), Fedora (bouncycastle, eclipse-jgit, eclipse-linuxtools, jackson-annotations, jackson-bom, jackson-core, jackson-databind, jackson-dataformat-xml, jackson-dataformats-binary, jackson-dataformats-text, jackson-datatype-jdk8, jackson-datatype-joda, jackson-datatypes-collections, jackson-jaxrs-providers, jackson-module-jsonSchema, jackson-modules-base, jackson-parent, moby-engine, and subversion), openSUSE (chromium, docker-runc, firefox, GraphicsMagick, kernel, LibVNCServer, php7, pspp, spread-sheet-widget, and runc), SUSE (kernel-firmware, qemu, and systemd), and Ubuntu (nss and systemd).

The Debian project has announced the eighth update of Debian 9"stretch". As a stable point release, this version mainly adds bugfixes forsecurity issues and other serious problems. Click below for a list of changes.

Regressions are an unavoidable side effect of software development; thekernel is no different in that regard. The 5.0 kernel introduced a changein the handling of the "#!" (or "shebang") lines used to indicatewhich interpreter should handle an executable text file. The problem hasbeen duly fixed, but the incident shows how easy it can be to introduceunexpected problems and highlights some areas where the kernel'sdevelopment process does not work as well as we might like.

Security updates have been issued by Arch Linux (cairo, firefox, flatpak, hiawatha, and webkit2gtk), Debian (gsoap, mosquitto, php5, thunderbird, and tiff), Fedora (elfutils, ghostscript, gsi-openssh, kernel, kernel-headers, kernel-tools, kf5-kauth, mingw-podofo, mingw-poppler, mosquitto, podofo, and python-markdown2), Mageia (firefox, flash-player-plugin, lxc, and thunderbird), openSUSE (avahi, docker, libu2f-host, LibVNCServer, nginx, phpMyAdmin, and pspp, spread-sheet-widget), Red Hat (rhvm-appliance), and SUSE (python-numpy).

The 5.0-rc7 kernel prepatch has beenreleased. Linus says: "Nothing particularly odd stands out, andeverything is pretty small. Just the way I like it."

Version 0.13.0 of the Geary graphical email client is out."This is a major new release, featuring a number of new features — including a new user interface for creating and managing email accounts, integration with GNOME Online Accounts (which also provides OAuth login support for some services), improvements in displaying conversations, composing new messages, interacting with other email apps, reporting problems as they occur, and number of important bug fixes, server compatibility fixes, and security fixes."

The Ubuntu team has announced the release of Ubuntu 18.04.2 LTS for itsDesktop, Server, and Cloud products, as well as other flavors of Ubuntuwith long-term support. Support periods vary for different flavors."Like previous LTS series, 18.04.2 includes hardware enablement stacksfor use on newer hardware. This support is offered on all architecturesand is installed by default when using one of the desktop images."Ubuntu Server installs the GA kernel, however the HWE kernel may beselected from the installer bootloader.

Software interrupts (or "softirqs") are one of the oldestdeferred-execution mechanisms in the kernel, and that age shows at times.Some developers have occasionally been heard to mutter about removing them, butsoftirqs are too deeply embedded into how the kernel works to be easily rippedout; most developers just leave them alone. So the recent per-vectorsoftirq masking patch set from Frederic Weisbecker is noteworthy as anexception to that rule. Weisbecker is not getting rid of softirqs, but heis trying to reduce their impact and improve their latency.

Greg Kroah-Hartman released a set of stable kernels that should *not* beused, including: 4.20.9, 4.19.22, 4.14.100, and 4.9.157. Those kernels caused a regressionthat was reverted in the following kernels: 4.20.10, 4.19.23, 4.14.101, and 4.9.158.

Security updates have been issued by Debian (firefox-esr and unbound), Fedora (docker, libexif, and runc), openSUSE (mozilla-nss, python, rmt-server, and thunderbird), Slackware (mozilla), and SUSE (couchdb, dovecot23, kvm, nodejs6, php53, podofo, python-PyKMIP, rubygem-loofah, util-linux, and velum).

The cynical among us might be tempted to think that an announcement fromthe GNOME project about the removal of a feature — a relatively unusedfeature at that — would be an unremarkableevent. In practice, though, Debarshi Ray's announcement that the GNOME OnlineAccounts (GOA)subsystem would no longer support the "documents" access point touched offa lengthy discussion within the project itself. The resulting discussionrevealed a few significant problems with GOA and, indeed, with the conceptof online-account management in any sort of open-source umbrella projectlike GNOME.

Security updates have been issued by Debian (python-gnupg), Mageia (avahi, dom4j, gvfs, kauth, libwmf, logback, mad, python, python-django, and radvd), openSUSE (curl, haproxy, lua53, python-slixmpp, runc, spice, and uriparser), Red Hat (flash-plugin), Slackware (mozilla), and SUSE (build and docker-runc).

The PostgreSQL project has put out updated releases for all supportedversions. "This release changes the behavior in how PostgreSQLinterfaces with 'fsync()' and includes fixes for partitioning and over70 other bugs that were reported over the past three months."The fsync() issue was covered herein April 2018.

The LWN.net Weekly Edition for February 14, 2019 is available.

The io_uring mechanism that was described here inJanuary has been through a number of revisions since then; those changes havegenerally been fixing implementation issues rather than changing theuser-space API. In particular, this patch set seems to have received morethan the usual amount of security-related review, which can only be a goodthing. Security concerns became a bit of an obstacle for io_uring, though,when virtual filesystem (VFS) maintainer Al Viro threatenedto veto the merging of the whole thing. It turns out that there weresome reference-counting issues that required his unique experience tostraighten out.

Security updates have been issued by Arch Linux (aubio, curl, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-gnutls, libu2f-host, python-django, python2-django, rdesktop, and runc), Debian (flatpak), Fedora (flatpak, pdns-recursor, rdesktop, tomcat, and xerces-c27), Mageia (cinnamon, docker, dovecot, golang, java-1.8.0-openjdk, jruby, libarchive, libgd, libtiff, libvncserver, opencontainers-runc, openssh, python-marshmallow, thunderbird, and transfig), openSUSE (python-slixmpp), Oracle (kernel), Red Hat (redhat-virtualization-host), Slackware (lxc), SUSE (curl, firefox, LibVNCServer, nginx, php7, python-numpy, runc, SMS3.2, and thunderbird), and Ubuntu (gvfs, python-django, snapd, and webkit2gtk).

Stable kernels 4.20.8, 4.19.21, 4.14.99, and 4.9.156 have been released. They all contain arelatively large number of fixes and users should upgrade.

KDE has announcedthe release of Plasma 5.15. "Plasma 5.15 brings a number of changesto the configuration interfaces, including more options for complex networkconfigurations. Many icons have been added or redesigned to make themclearer. Integration with third-party technologies like GTK and Firefox hasbeen improved substantially." This release also featuresimprovements to the Discover software manager. Many other tweaks andimprovements are covered in the changelog.

Bradley Kuhn works for the Software Freedom Conservancy (SFC)and part of what that organization does is to think about the problems thatsoftware freedom may encounter in the future. SFC worries about what will happenwith the fourfreedoms as things change in the world. One of those changes is already upon us: the Internet of Things (IoT) hasbecome quite popular, but it has many dangers, he said. Copyleftcan help; his talk is meant to show how.

Anybody running containerized workloads with runc (used by Docker,cri-o, containerd, and Kubernetes, among others) will want to make note ofa newly disclosed vulnerability known as CVE-2019-5736. "The vulnerability allows a malicious container to (with minimal userinteraction) overwrite the host runc binary and thus gain root-levelcode execution on the host." LXC is also evidently vulnerable to avariant of the exploit.

Security updates have been issued by Arch Linux (chromium, dovecot, firefox, and spice), Debian (curl, php5, rssh, and wordpress), Fedora (curl, ghostscript, mingw-libconfuse, and radvd), openSUSE (java-11-openjdk and python-urllib3), Red Hat (chromium-browser and kernel), and SUSE (etcd and kernel).

The Free Software Foundation has announcedthat its annual report for fiscal year 2017 is available. "The Annual Report reviews the FSF's activities, accomplishments, and financial picture from October 1, 2016 to September 30, 2017. It is the result of a full external financial audit, along with a focused study of program results. It examines the impact of the FSF's events, programs, and activities, including the annual LibrePlanet conference, the Respects Your Freedom (RYF) hardware certification program, and the fight against Digital Restrictions Management (DRM)."