LWN.net

Matrix is an open platformfor secure, decentralized, realtime communication. Matthew Hodgson,the Matrix project leader, came to FOSDEM to describe Matrix and report on its progress. Attendees learned that it was within daysof having a 1.0 release and found out how it got there. He also shed some light onwhat happened when the French reached out to them to see if Matrix couldmeet the internal messaging requirements of an entire national government.

Security updates have been issued by CentOS (ghostscript, spice, spice-server, and thunderbird), Debian (coturn, freerdp, ghostscript, libreoffice, libu2f-host, mosquitto, and openssh), Fedora (buildbot, java-1.8.0-openjdk, java-11-openjdk, phpMyAdmin, slurm, and spice), openSUSE (python3 and rsyslog), Red Hat (docker and runc), SUSE (avahi, fuse, and LibVNCServer), and Ubuntu (poppler).

Version 7.0.0 of the PyPy Python interpreter is out. This release supportsno less than three upstream Python versions: 2.7, 3.5, and 3.6 (as an alpharelease). "All the interpreters are based on much the same codebase, thus the triplerelease."

The 5.0-rc6 kernel prepatch is out."So while I would have wished for less at this point, nothing in therelooks all that odd or scary. I think we're still solidly on track fora normal release."

For those wondering what the Cloud Native Computing Foundation is up to,its 2018 annualreport [PDF] is now out. "KubeCon + CloudNativeCon has expandedfrom its start with 500 attendees in 2015 to become one of the largest andmost successful open source conferences ever. The KubeCon + CloudNativeConNorth America event in Seattle, held December 10-13, 2018, was our biggestyet and was sold out several weeks ahead of time with 8,000attendees."

The LibreOffice 6.2 release is out. The headline feature this time aroundappears to be "NotebookBar": "a radical new approach to the userinterface - based on the MUFFINconcept". Other changes include a reworking of the contextmenus, better change-tracking performance, better interoperability withproprietary file formats, and more.

The Linux kernel supports a wide variety of filesystem types, many of whichhave not seen significant use — or maintenance — in many years. Developersin the openSUSE project have concluded that many of these filesystem types are,at this point, more useful to attackers than to openSUSE users and areproposing to blacklist many of them by default. Such changes can becontroversial, but it's probably still fair to say that few people expectedthe massivediscussion that resulted, covering everything from the number of OS/2users to how openSUSE fits into the distribution marketplace.

Greg Kroah-Hartman has announced the release of the 4.4.174 stable kernel. The patches went outfor review on February 7; the kernel contains a backport of a fixfor the FragmentSmack denial-of-service vulnerability. "Many thanks to Ben Hutchings for this release, it's pretty much just hiswork here in doing the backporting of networking fixes to help resolve"FragmentSmack" (i.e. CVE-2018-5391)." As usual, users of thekernel series should upgrade.

The OpenStack Foundation has issued its2018 annual report. "2018 was a productive year for theOpenStack community. A total of 1,972 contributors approved more than65,000 changes and published two major releases of all components, codenamed Queens and Rocky. The component project teams completed work onthemes related to integrating with other OpenStack components, otherOpenStack Foundation Open Infrastructure Projects, and projects fromadjacent communities. They also worked on stability, performance, andusability improvements. In addition to that component-specific work, thecommunity continued to expand our OpenStack-wide goals process, using a fewsmaller topics to refine the goal selection process and understand how bestto complete initiatives on such a large scale."

The GTK+ toolkit project has, after extensive deliberation, decided toremove the "+" from its name. "Over the years, we had discussionsabout removing the '+' from the project name. The 'plus' was added to 'GTK'once it was moved out of the GIMP sources tree and the project gainedutilities like GLib and the GTK type system, in order to distinguish itfrom the previous, in-tree version. Very few people are aware of thishistory, and it's kind of confusing from the perspective of both newcomersand even expert users; people join the wrong IRC channel, the URLs on wikisare fairly ugly, etc."

Security updates have been issued by Debian (dovecot and libarchive), Fedora (gvfs and poppler), openSUSE (openssl-1_1 and subversion), Oracle (kernel), Slackware (php), SUSE (avahi, docker, libunwind, LibVNCServer, and spice), and Ubuntu (linux-azure and openssh).

Google has announcedthe release of its ClusterFuzz fuzz-testing system as free software."ClusterFuzz has found more than 16,000 bugs in Chrome and more than11,000 bugs in over 160 open source projects integrated with OSS-Fuzz. Itis an integral part of the development process of Chrome and many otheropen source projects. ClusterFuzz is often able to detect bugs hours afterthey are introduced and verify the fix within a day."

In the beginning, programs run on the in-kernel BPF virtual machine had nopersistent internal state and no data that was shared with any other partof the system. The arrival of eBPF and, in particular, its mapsfunctionality, has changed that situation, though, since a map can beshared between two or more BPF programs as well as with processes runningin user space. That sharing naturally leads to concurrency problems, sothe BPF developers have found themselves needing to addprimitives to manage concurrency (the "exchange and add" or XADDinstruction, for example). The next step is the addition of aspinlock mechanism to protect data structures, which has also led to some wider discussions on what theBPF memory model should look like.

The call for proposals for the 2019 Linux Storage, Filesystem, andMemory-Management Summit has been updated with an important addition: thisyear's event (April 30 to May 2, San Juan, Puerto Rico) willinclude a BPF track. The submission deadline has been extended toFebruary 22 to allow BPF developers to put together their proposals.

Security updates have been issued by Debian (curl, golang, libthrift-java, mumble, netmask, python3.4, and rssh), openSUSE (python-python-gnupg), Oracle (kernel), Scientific Linux (thunderbird), Slackware (curl), SUSE (firefox, python, and rmt-server), and Ubuntu (curl, libarchive, and libreoffice).

The LWN.net Weekly Edition for February 7, 2019 is available.

At the start of his linux.conf.au2019 talk, Kristoffer Grönlund said that he would be taking attendeesback 60 years or more. That is not quite to the dawn of computing history,but it is close—farther back than most of us were alive to remember. Heencountered John McCarthy's famous Lisppaper [PDF] via Papers We Loveand it led him to dig deeply into the Lisp world; he brought back a report forthe LCA crowd.

The4.20.7,4.19.20,4.14.98,4.9.155,4.4.173, and3.18.134stable kernels have all been released. The usual drill applies: eachcontains a number of important fixes and upgrading is recommended.

Two members of the CacophonyProject came to linux.conf.au2019 to give an overview of what the project is doing to increase theamount of bird life in New Zealand. The idea is to use computer vision and machinelearning to identify and eventually eliminate predators in order to helpbird populations; one measure of success will be the volume and variety ofbird song throughout the islands. The endemic avian species in New Zealand evolved without thepresence of predatory mammals, so many of them have been decimated bythe predation of birds and their eggs. The Cacophony Project is looking atways to reverse that.

Security updates have been issued by Debian (dovecot and libav), openSUSE (kernel and krb5), Scientific Linux (thunderbird), SUSE (curl, lua53, python3, and spice), and Ubuntu (dovecot).

Jack Moffitt started off his 2019linux.conf.au talk by calling attention to Facebook's "Portal" device. It is,he said, a cool product, but raises an important question: why wouldanybody in their right mind put a surveillance device made by Facebook intheir kitchen?There are a lot of devices out there — including the Portal — usingdeep-learning techniques; theyoffer useful functionality, but also bring a lot of problems. We as acommunity need to figure out a way to solve those problems; he was there tohighlight a set of Mozilla projects working toward that goal.

The kernel's page cache, which holds copies of data stored in filesystems,is crucial to the performance of the system as a whole. But, as hasrecently been demonstrated, it can also be exploited to learn about what other usersin the system are doing and extract information that should be keptsecret. In January, the behavior of the mincore()system call waschanged in an attempt to close this vulnerability, but that solution was shown to break existing applications while notfully solving the problem. A better solution will have to wait for the5.1 development cycle, but the shape of the proposed changes has started tocome into focus.

Security updates have been issued by Debian (libgd2), Fedora (java-11-openjdk, kernel, and kernel-headers), openSUSE (firefox, mysql-community-server, and pdns-recursor), Oracle (thunderbird), Red Hat (rh-haproxy18-haproxy, systemd, and thunderbird), SUSE (haproxy, spice, and uriparser), and Ubuntu (dovecot, kernel, linux, linux-aws, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-raspi2, linux-hwe, linux-aws-hwe, linux-gcp, linux-lts-trusty, and linux-lts-xenial, linux-aws).

After a two-week voting period, which followed a two-week nominationwindow, Python now has its governanceback in place—with a familiar name in the mix.As specified in PEP 13 ("PythonLanguage Governance"), five nominees were elected to the steering council,which will govern the language moving forward.It may come as a surprise to some that Guido vanRossum, whose resignation as benevolent dictator for life (BDFL)led to the need for a new governance model and, ultimately, tothe vote for a council, was one of the 17 candidates. It is perhaps muchless surprising that he was electedto share the duties he once wielded solo.

The governance model adopted by the Pythoncommunity after Guido van Rossum stepped down included the election of aSteering Council. The first such election has just concluded; the councilwill be made up of Barry Warsaw, Brett Cannon, Carol Willing, Guido vanRossum, and Nick Coghlan.

Security updates have been issued by CentOS (bind, firefox, GNOME, kernel, systemd, and thunderbird), Debian (debian-security-support, drupal7, libreoffice, libvncserver, phpmyadmin, and rssh), Fedora (binutils and firefox), Mageia (firefox and netatalk), openSUSE (avahi and python-paramiko), Red Hat (Red Hat Gluster Storage Web Administration), Slackware (mariadb), and SUSE (java-11-openjdk, kernel, and python).

The 5.0-rc5 kernel prepatch is out."Nothing looks particularly worrisome, so assuming the trend holds, welook to be on track for a fairly normal release cycle despite theearly hiccups due to the holidays."

Rusty Russell was one of the first developers paid to work on the Linuxkernel and the founder of the conference now known as linux.conf.au (LCA); he isone of the most highly respected figures in the Australian free-softwarecommunity. The 2019 LCA was the20th edition of this long-lived event; the organizers felt that it was anappropriate time to invite Russell to deliver the closing keynote talk.He used the opportunity to review his path into free software and thecreation of LCA, but first a change of clothing was required.

Version 2.29 of the GNU Clibrary (glibc) is now available. It includes a wrapper for the getcpu()system call, optimized generic versions of multiple math functions(e.g. exp(), log2(), sinf()), new functions toallow posix_spawn() to run the new process in a differentdirectory, and more.

Security updates have been issued by Debian (agg, golang-1.7, golang-1.8, mariadb-10.0, and postgis), Fedora (kernel, kernel-headers, and kernel-tools), Mageia (gitolite and libvorbis), openSUSE (pdns-recursor and webkit2gtk3), Oracle (firefox, ghostscript, kernel, polkit, spice, and spice-server), Red Hat (etcd, ghostscript, polkit, spice, and spice-server), Scientific Linux (ghostscript, polkit, spice, and spice-server), SUSE (python3), and Ubuntu (libvncserver).

Greg Kroah-Hartman has released the 4.20.6,4.19.19, 4.14.97, and 4.9.154. These kernels contain importantfixes throughout the kernel tree; users should upgrade.

Security updates have been issued by Arch Linux (ghostscript), Debian (firefox-esr, libgd2, libvncserver, php-pear, rssh, and spice), Fedora (docker, docker-latest, firefox, moodle, and wireshark), Mageia (bluez, ghostscript, php-tcpdf, phpmyadmin, virtualbox, and zeromq), openSUSE (ghostscript), Red Hat (firefox), Scientific Linux (firefox), Slackware (kernel), and Ubuntu (avahi, firefox, and openjdk-8, openjdk-lts).

The LWN.net Weekly Edition for January 31, 2019 is available.

Serena Chen began her talk in the Security,Identity & Privacy miniconf at linux.conf.au 2019 with a plan todispel a pervasive myth that "usability and security are mutuallyexclusive". She hoped that by the end of her talk, she could convince theaudience that the opposite is true: good user experience design and goodsecurity cannot exist without each other. It makes sense, she said,because a secure system must be reliable and controllable, which means itmust be usable, while a usable system must be less confusing, thus it is moresecure.

Alpine Linux 3.9 has been released.This version features support for armv7, a switch from LibreSSL to OpenSSL,improved GRUB support, and more.

Dana Lewis said that her keynote at linux.conf.au 2019 would be abouther journey of learning about open source and how it could be applied inthe healthcare world. She hoped it might lead some attendees to usetheir talents on solutions for healthcare. Her efforts and those of othersin the community have led to a much better quality of life for a number ofthose who suffer from a chronic, time-consuming disease.

Security updates have been issued by Arch Linux (subversion), Debian (apache2, firefox-esr, qemu, rssh, and spice), Fedora (lua, mingw-python-qt5, mingw-qt5-qt3d, mingw-qt5-qtactiveqt, mingw-qt5-qtbase, mingw-qt5-qtcharts, mingw-qt5-qtdeclarative, mingw-qt5-qtgraphicaleffects, mingw-qt5-qtimageformats, mingw-qt5-qtlocation, mingw-qt5-qtmultimedia, mingw-qt5-qtquickcontrols, mingw-qt5-qtscript, mingw-qt5-qtsensors, mingw-qt5-qtserialport, mingw-qt5-qtsvg, mingw-qt5-qttools, mingw-qt5-qttranslations, mingw-qt5-qtwebkit, mingw-qt5-qtwebsockets, mingw-qt5-qtwinextras, mingw-qt5-qtxmlpatterns, mingw-sip, nagios, and radvd), Oracle (bind, kernel, and systemd), Red Hat (bind, kernel, kernel-alt, kernel-rt, and systemd), Scientific Linux (bind, kernel, and systemd), Slackware (mozilla), SUSE (kernel, openssl-1_1, and subversion), and Ubuntu (openvswitch).

The Kodi team has announced therelease of Kodi 18.0 "Leia". "One of the big features of this release: support for gaming emulators, ROMs and controls. This is a significant topic in its own right, so look out for future posts on this, but suffice it to say at this time that you now have a whole world of retro gaming at your fingertips, all from the same interface as your movies, music and TV shows. For the genuine experience as well, we've also introduced support for joysticks, gamepads, and other platform-specific controls, so the games will work just as was intended."

Firefox 65.0 is out. The releasenotes list a few new features, including: "Enhanced tracking protection: Simplified content blocking settings give users standard, strict, and custom options to control online trackers. A redesigned content blocking section in the site information panel (viewed by expanding the small “i” icon in the address bar) shows what Firefox detects and blocks on each website you visit."

Security updates have been issued by Arch Linux (go-pie), Debian (wireshark), openSUSE (freerdp, libraw, openssh, pdns-recursor, singularity, and systemd), and Ubuntu (kernel, linux-hwe, and spice).

Tragedy, according toWikipedia, is "a form of drama based on human suffering thatinvokes an accompanying catharsis or pleasure in audiences". Benno Rice tookhis inspiration from that definition for his 2019 linux.conf.au talk on the story ofsystemd which, he said, involves no shortage of suffering. His attempt tocast that story for the pleasure of his audience resulted in a sympatheticand nuanced look at a turbulent chapter in the history of the Linux system.

Security updates have been issued by Arch Linux (apache, go, haproxy, matrix-synapse, nasm, and powerdns-recursor), Debian (coturn, ghostscript, krb5, policykit-1, and qtbase-opensource-src), Fedora (wireshark), openSUSE (nodejs4, nodejs8, openssh, PackageKit, and wireshark), Oracle (qemu and thunderbird), Scientific Linux (thunderbird), and SUSE (avahi, krb5, and python-paramiko).

The 5.0-rc4 kernel prepatch is out."Go test and report any oddities you can find, but I think we'redoing fine."

Version 3.3 of the Bison parser generator is out."The new option --update replaces deprecated features with their modernspelling, but also applies fixes such as eliminating duplicate directives,etc. It is now possible to annotate rules with their number of expectedconflicts. Bison can be made relocatable. The symbol declaration syntaxwas overhauled, and in particular, %nterm, that exists since the origins ofBison, is now an officially supported (and documented!) feature. C++parsers now feature genuine symbol constructors, and use noexcept/constexpr.The GLR parsers in C++ now support the syntax_error exceptions. There arealso many smaller improvements, including a fix for a bug which is at least31 years old."

Stable kernels 4.20.5, 4.19.18, 4.14.96, 4.9.153, 4.4.172, and 3.18.133 have been released. They all containimportant fixes and users should upgrade.

Many projects use continuous-integration (CI) testing to improve thequality of the software they produce. By running a set of tests afterevery commit, CI systems can identify problems quickly, before they findtheir way into a releaseand bite unsuspecting users. The Linux kernel project lags many others inits use of CI testing for a number of reasons, including a fundamentalmismatch with how kernel developers tend to manage their workflows. At linux.conf.au 2019, Russell Curreydescribed a CI system called Snowpatch that, he hopes,will bridge the gap and bring better testing to the kernel developmentprocess.

The MythTV Team has announced therelease of MythTV 30.0. The release notescontain more information. This version includes support for mythfrontend running oncertain Android TV devices. "Over 500 commits made significant improvements to the infrastructure. For the most part, these are invisible to end users."

Security updates have been issued by Debian (mxml, postgresql-9.4, and tmpreaper), Fedora (haproxy and runc), openSUSE (krb5, soundtouch, virtualbox, and zeromq), Oracle (thunderbird), Red Hat (thunderbird), and Ubuntu (subversion and thunderbird).

Rory Aronson started his 2019 linux.conf.au keynote with astatement that gardening just isn't his passion; an early attempt degenerated into aweed-choked mess when he couldn't be bothered to keep it up. But he turnedout to be passionate indeed about building a machine that would do the gardening for him. That led to the FarmBot project, a successful exercise inthe creation of open hardware, open software, and an open business. A bigpart of that success, it turns out, lies in the project's documentation.

The Debian Project has announced an update toDebian 9 "stretch". "This point release incorporates the recent security update for APT, in order to help ensure that new installations of stretch are not vulnerable. No other updates are included."