Security updates have been issued by Debian (dokuwiki and p7zip), Fedora (kernel, pdns, rsync, and webkitgtk4), openSUSE (chromium and translate-toolkit), Red Hat (jboss-ec2-eap and Red Hat Satellite 6), Slackware (php), and SUSE (bind and firefox).
The Factor Daily site has a look at work to increase the diversity of open-source contributors in India. "Over past two months, we interviewed at least two dozen people from within and outside the open source community to identify a set of women open source contributors from India. While the list is not conclusive by any measure, it’s a good starting point in identifying the women who are quietly shaping the future of open source from this part of the world and how they dealt with gender biases."
As of this writing, just over 6,700 non-merge changesets have been pulled into the mainline repository for the 4.16 development cycle. Given that there are a number of significant trees yet to be pulled, the early indications are that 4.16 will be yet another busy development cycle. What follows is a summary of the significant changes merged in the first half of this merge window.
Longtime embedded Linux development company Free Electrons has just changed its name to Bootlin due to a trademark dispute (with "FREE SAS, a French telecom operator, known as the owner of the free.fr website"). It is possible that Free Electrons may lose access to its "free-electrons.com" domain name as part of the dispute, so links to the many resources that Free Electrons hosts (including documentation and conference videos) should be updated to use "bootlin.com". "The services we offer are different, we target a different audience (professionals instead of individuals), and most of our communication efforts are in English, to reach an international audience. Therefore Michael Opdenacker and Free Electrons’ management believe that there is no risk of confusion between Free Electrons and FREE SAS. However, FREE SAS has filed in excess of 100 oppositions and District Court actions against trademarks or name containing “free”. In view of the resources needed to fight this case, Free Electrons has decided to change name without waiting for the decision of the District Court. This will allow us to stay focused on our projects rather than exhausting ourselves fighting a long legal battle."
Version 2.27 of the GNU C Library is out. This release includes support for static PIE executables, a number of security-oriented improvements (and fixes for several CVE numbers), support for memory protection keys, and much more.
Security updates have been issued by CentOS (systemd and thunderbird), Debian (squid and squid3), Fedora (firefox), Mageia (java-1.8.0-openjdk and sox), openSUSE (ecryptfs-utils and libXfont), Oracle (systemd and thunderbird), Scientific Linux (thunderbird), and Ubuntu (dovecot and w3m).
Over at Opensource.com, Christine Peterson has published her account of coining the term "open source". Originally written in 2006, her story on the origin of the term has now been published for the first time. The 20 year anniversary of the adoption of "open source" is being celebrated this year by the Open Source Initiative at various conferences (recently at linux.conf.au, at FOSDEM on February 3, and others). "Between meetings that week, I was still focused on the need for a better name and came up with the term "open source software." While not ideal, it struck me as good enough. I ran it by at least four others: Eric Drexler, Mark Miller, and Todd Anderson liked it, while a friend in marketing and public relations felt the term "open" had been overused and abused and believed we could do better. He was right in theory; however, I didn't have a better idea, so I thought I would try to go ahead and introduce it. In hindsight, I should have simply proposed it to Eric Raymond, but I didn't know him well at the time, so I took an indirect strategy instead. Todd had agreed strongly about the need for a new term and offered to assist in getting the term introduced. This was helpful because, as a non-programmer, my influence within the free software community was weak. My work in nanotechnology education at Foresight was a plus, but not enough for me to be taken very seriously on free software questions. As a Linux programmer, Todd would be listened to more closely."
Linux tries to be useful for a wide variety of use cases, but there are some situations where it may not be appropriate; safety-critical deployments with tight timing constraints would be near the top of the list for many people. On the other hand, systems that can run safety-critical code in a provably correct manner tend to be restricted in functionality and often have to be dedicated to a single task. In a linux.conf.au 2018 talk, Gernot Heiser presented work that is being done with the seL4 microkernel system to safely support complex systems in a provably safe manner.
Here's a blog post from "bunnie" Huang on the tension between transparency and product liability around hardware flaws. "The open source community could use the Spectre/Meltdown crisis as an opportunity to reform the status quo. Instead of suing Intel for money, what if we sue Intel for documentation? If documentation and transparency have real value, then this is a chance to finally put that value in economic terms that Intel shareholders can understand. I propose a bargain somewhere along these lines: if Intel releases comprehensive microarchitectural hardware design specifications, microcode, firmware, and all software source code (e.g. for AMT/ME) so that the community can band together to hammer out any other security bugs hiding in their hardware, then Intel is absolved of any payouts related to the Spectre/Meltdown exploits."
Security updates have been issued by Debian (chromium-browser, krb5, and smarty3), Fedora (firefox, GraphicsMagick, and moodle), Mageia (rsync), openSUSE (bind, chromium, freeimage, gd, GraphicsMagick, libtasn1, libvirt, nodejs6, php7, systemd, and webkit2gtk3), Red Hat (chromium-browser, systemd, and thunderbird), Scientific Linux (systemd), and Ubuntu (curl, firefox, and ruby2.3).
For anyone who has followed Daniel Vetter's talks over the last year or two, it is fairly clear that he is not happy with the kernel development process and the role played by kernel maintainers. In a strongly worded talk at linux.conf.au (LCA) 2018 in Sydney, he further explored the topic (that he also raised at LCA 2017) in a talk entitled "Burning down the castle". In his view, kernel development is broken and it is unlikely to improve anytime soon.
Christian Schaller provides us with an update on the state of the new PipeWire multimedia system. "So as you probably noticed one thing we didn’t mention above is how to deal with PulseAudio applications. Handling this usecase is still on the todo list and the plan is to at least initially just keep PulseAudio running on the system outputting its sound through PipeWire. That said we are a bit unsure how many applications would actually be using this path because as mentioned above all GStreamer applications for instance would be PipeWire native automatically through the PipeWire GStreamer plugins."
In a linux.conf.au 2018 keynote called "Containers from user space" — an explicit reference to the cult film "Plan 9 from Outer Space" — Jessie Frazelle took the audience on a fast-moving tour of the past, present, and possible future of container technology. Describing the container craze as "amazing", she covered topics like the definition of a container, security, runtimes, container concepts in programming languages, multi-tenancy, and more.
A late-breaking development in the computing world led to a somewhat hastily arranged panel discussion at this year's linux.conf.au in Sydney. The embargo for the Meltdown and Spectre vulnerabilities broke on January 4; three weeks later, Jonathan Corbet convened representatives from five separate parts of our community, from cloud to kernel to the BSDs and beyond. As Corbet noted in the opening, the panel itself was organized much like the response to the vulnerabilities themselves, which is why it didn't even make it onto the conference schedule until a few hours earlier.
Version 8.1 of the GDB debugger is out. Changes include better support for the Rust language and various other improvements to make debugging easier; see the announcement and the news file for the full list.
The LibreOffice 6.0 release is available. Changes include a new help system, a better spelling checker, OpenPGP support, better document interoperability, improvements to LibreOffice Online, and more. "LibreOffice 6.0 represents the bleeding edge in term of features for open source office suites, and as such is targeted at technology enthusiasts, early adopters and power users."
Security updates have been issued by Arch Linux (dnsmasq, libmupdf, mupdf, mupdf-gl, mupdf-tools, and zathura-pdf-mupdf), CentOS (kernel), Debian (smarty3, thunderbird, and unbound), Fedora (bind, bind-dyndb-ldap, coreutils, curl, dnsmasq, dnsperf, gcab, java-1.8.0-openjdk, libxml2, mongodb, poco, rubygem-rack-protection, transmission, unbound, and wireshark), Red Hat (collectd, erlang, and openstack-nova), SUSE (bind), and Ubuntu (clamav and webkit2gtk).
Open-source software has an inclusiveness problem that will take some innovative approaches to fix. But, Andrew "bunnie" Huang said in his fast-moving linux.conf.au 2018 talk, if we don't fix it we may find we have bigger problems in the near future. His approach to improving the situation is to make technology more accessible — by enabling people to create electronic circuits on paper and write code for them.
Shawn Pearce, a longtime contributor to the Git community (and beyond), has passed away. The thread on the Git mailing list makes it clear that he will be missed by many people.
PostgreSQL developer Robert Haas describes a new storage module that is under development. "We are working to build a new table storage format for PostgreSQL, which we’re calling zheap. In a zheap, whenever possible, we handle an UPDATE by moving the old row version to an undo log, and putting the new row version in the place previously occupied by the old one. If the transaction aborts, we retrieve the old row version from undo and put it back in the original location; if a concurrent transaction needs to see the old row version, it can find it in undo. [...] This means that there is no need for VACUUM, or any similar process, to scan the table looking for dead rows."
Worth a read: this blog posting from Leonardo Chiariglione, the founder and chair of MPEG, on how (in his view) the group is being destroyed by free codecs and patent trolls. "Good stories have an end, so the MPEG business model could not last forever. Over the years proprietary and 'royalty free' products have emerged but have not been able to dent the success of MPEG standards. More importantly IP holders – often companies not interested in exploiting MPEG standards, so called Non Practicing Entities (NPE) – have become more and more aggressive in extracting value from their IP." (Thanks to Paul Wise).
Security updates have been issued by Arch Linux (curl, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, and rsync), Debian (curl), Fedora (clamav and java-1.8.0-openjdk), openSUSE (apache2), Oracle (kernel), and Ubuntu (linux-kvm and thunderbird).
On his blog, embedded developer Karim Yaghmour has written about his ten-day trip to Shenzen, China, which is known as the "Silicon Valley of hardware". His lengthy trip report covers much that would be of use to others who are thinking of making the trip, but also serves as an interesting travelogue even for those who are likely to never go. "The map didn't disappoint and I was able to find a large number of kiosks selling some of the items I was interested in. Obviously many kiosks also had items that I had seen on Amazon or elsewhere as well. I was mostly focusing on things I hadn't seen before. After a few hours of walking floors upon floors of shops, I was ready to start focusing on other aspects of my research: hard to source and/or evaluate components, tools and expanding my knowledge of what was available in the hardware space. Hint: TEGES' [The Essential Guide to Electronics in Shenzhen] advice about having comfortable shoes and comfortable clothing is completely warranted. Finding tools was relatively easy. TEGES indicates the building and floor to go to, and you'll find most anything you can think of from rework stations, to pick-and-place machines, and including things like oscilloscopes, stereo microscopes, multimeters, screwdrivers, etc. In the process I saw some tools which I couldn't immediately figure out the purpose for, but later found out their uses on some other visits. Satisfied with a first glance at the tools, I set out to look for one specific component I was having a hard time with. That proved a lot more difficult than anticipated. Actually I should qualify that. It was trivial to find tons of it, just not something that matched exactly what I needed. I used TEGES to identify one part of the market that seemed most likely to have what I was looking for, but again, I could find lots of it, just not what I needed."
The TCP protocol has become so ubiquitous that, to many people, the terms "TCP/IP" and "networking" are nearly synonymous. The fact that introducing new protocols (or even modifying existing protocols) has become nearly impossible tends to reinforce that situation. That is not stopping people from trying, though. At linux.conf.au 2018, Jana Iyengar, a developer at Google, discussed the current state of the QUIC protocol which, he said, is now used for about 7% of the traffic on the Internet as a whole.
Security updates have been issued by Arch Linux (glibc, lib32-glibc, and zziplib), Debian (clamav, ffmpeg, thunderbird, tiff, tiff3, and wireshark), Fedora (firefox, mingw-libtasn1, and webkitgtk4), Gentoo (fossil), Mageia (webkit2), openSUSE (chromium, clamav, and thunderbird), and SUSE (clamav and kernel).
Here's an opensource.com article on the virtues of CopperheadOS. "Unlike other custom ROMs that strive to add lots of new functionality, Copperhead runs a pretty vanilla version of AOSP. Also, while the first thing you usually do when playing with a custom ROM is to add root access to the device, not only does Copperhead prevent that, it also requires that you have a device that has verified boot, so there's no unlocking the bootloader. This is to prevent malicious code from getting access to the handset."
Linus has released the 4.15 kernel. "After a release cycle that was unusual in so many (bad) ways, this last week was really pleasant. Quiet and small, and no last-minute panics, just small fixes for various issues. I never got a feeling that I'd need to extend things by yet another week, and 4.15 looks fine to me." Some of the more significant features in this release include: the long-awaited CPU controller for the version-2 control-group interface, significant live-patching improvements, initial support for the RISC-V architecture, support for AMD's secure encrypted virtualization feature, and the MAP_SYNC mechanism for working with nonvolatile memory. This release also, of course, includes mitigations for the Meltdown and Spectre variant-2 vulnerabilities though, as Linus points out in the announcement, the work of dealing with these issues is not yet done.
The Linux Foundation has announced a new project, called LinuxBoot, that is working on replacements for much of the firmware used to boot our systems. The project is based on work by Google and others to use Linux (and Go programs) to replace most of the UEFI boot firmware. "Firmware has always had a simple purpose: to boot the OS. Achieving that has become much more difficult due to increasing complexity of both hardware and deployment. Firmware often must set up many components in the system, interface with more varieties of boot media, including high-speed storage and networking interfaces, and support advanced protocols and security features. LinuxBoot addresses the often slow, often error-prone, obscured code that executes these steps with a Linux kernel. The result is a system that boots in a fraction of the time of a typical system, and with greater reliability."
GCC 7.3 is out. This is mainly a bug-fix release, but it does also contain the "retpoline" support needed to build the kernel (and perhaps other code) with resistance to the Spectre variant-2 vulnerability.
Here's a 34c3 conference report in CSO suggesting that the BSDs are losing developers. "von Sprundel says he easily found around 115 kernel bugs across the three BSDs, including 30 for FreeBSD, 25 for OpenBSD, and 60 for NetBSD. Many of these bugs he called 'low-hanging fruit.' He promptly reported all the bugs, but six months later, at the time of his talk, many remained unpatched. 'By and large, most security flaws in the Linux kernel don't have a long lifetime. They get found pretty fast,' von Sprundel says. 'On the BSD side, that isn't always true. I found a bunch of bugs that have been around a very long time.' Many of them have been present in code for a decade or more."
Security updates have been issued by CentOS (firefox), Debian (firefox-esr, gcab, and poppler), Fedora (clamav and firefox), Mageia (bind, firefox, glibc, graphicsmagick, squid, systemd, and virtualbox), openSUSE (firefox, GraphicsMagick, libexif, and libvpx), Red Hat (389-ds-base, dhcp, kernel, kernel-alt, kernel-rt, and nautilus), Scientific Linux (389-ds-base, dhcp, kernel, and nautilus), Slackware (curl), SUSE (kernel and webkit2gtk3), and Ubuntu (firefox, libtasn1-6, and mysql-5.5).
2017 was a big year for the Prometheus project, as it published its 2.0 release in November. The new release ships numerous bug fixes, new features, and, notably, a new storage engine that brings major performance improvements. This comes at the cost of incompatible changes to the storage and configuration-file formats. An overview of Prometheus and its new release was presented to the Kubernetes community in a talk held during KubeCon + CloudNativeCon. This article covers what changed in this new release and what is brewing next in the Prometheus community; it is a companion to this article, which provided a general introduction to monitoring with Prometheus.
Richard Fontana explores the intersection of containers and copyleft licensing on opensource.com. "One imperfect way of framing the question is whether GPL-licensed code, when combined in some sense with proprietary code, forms a single modified work such that the proprietary code could be interpreted as being subject to the terms of the GPL. While we haven’t yet seen much of that concern directed to Linux containers, we expect more questions to be raised as adoption of containers continues to grow. But it’s fairly straightforward to show that containers do not raise new or concerning GPL scope issues."
Security updates have been issued by openSUSE (clamav-database and virtualbox), Oracle (firefox and kernel), Red Hat (firefox), Scientific Linux (firefox), and Ubuntu (gcab).
Firefox 58 has been released. "With this release, we’re building on the great foundation provided by our all-new Firefox Quantum browser. We're optimizing the performance gains we released in 57 by improving the way we render graphics and cache JavaScript. We also made functional and privacy improvements to Firefox Screenshots. On Firefox for Android, we’ve added support for Progressive Web Apps (PWAs) so you can add websites to your home screen and use them like native apps."
Sometimes, a data structure proves to be inadequate for its intended task. Other times, though, the problem may be somewhere else — in the API used to access it, for example. Matthew Wilcox's presentation during the 2018 linux.conf.au Kernel miniconf made the case that, for the kernel's venerable radix tree data structure, the latter situation holds. His response is a new approach to an old data structure that he is calling the "XArray".
The Free Software Foundation blog has a guest post from GNU MediaGoblin founder Christopher Lemmer Webber announcing that ActivityPub has been made an official W3C recommended standard. "ActivityPub is a protocol for building decentralized social networking applications. It provides both a server-to-server protocol (i.e. federation) and a client-to-server protocol (for desktop and mobile applications to connect to your server). You can use the server-to-server protocol or the client-to-server protocol on their own, but one nice feature is that the designs for both are very similar. Chances are, if you've implemented support for one, you can get support for the other with very little extra effort! We've worked hard to make ActivityPub easy to understand."
The Qubes project has described a new, not-yet-implemented design intended to address a number of problems that this high-security distribution project has encountered. "One possible solution to these problems is actually to 'move Qubes to the cloud.' Readers who are allergic to the notion of having their private computations running in the (untrusted) cloud should not give up reading just yet. Rest assured that we will also discuss other solutions not involving the cloud. The beauty of Qubes Air, we believe, lies in the fact that all these solutions are largely isomorphic, from both an architecture and code point of view."
By now, almost everybody has probably seen the press coverage of Linus Torvalds's remarks about one of the patches addressing Spectre variant 2. Less noted, but much more informative, is David Woodhouse's response on why those patches are the way they are. "That's why my initial idea, as implemented in this RFC patchset, was to stick with IBRS on Skylake, and use retpoline everywhere else. I'll give you 'garbage patches', but they weren't being 'just mindlessly sent around'. If we're going to drop IBRS support and accept the caveats, then let's do it as a conscious decision having seen what it would look like, not just drop it quietly because poor Davey is too scared that Linus might shout at him again."
BPF is an increasingly capable tool for instrumenting and tracing the operation of the kernel; it has enabled the creation of the growing set of BCC tools. Unfortunately, BCC has no support for a cross-development workflow where the development machine and the target machine running the developed code are different. Cross-development is favored by embedded-systems kernel developers who tend to develop on an x86 host and then flash and test their code on SoCs (System on Chips) based on the ARM architecture. In this article, I introduce BPFd, a project to enable cross-development using BPF and BCC.
The minor release of openSUSE Leap 42.2 will reach its end-of-life (EOL) on January 26. "The major release of the Leap 42 series has so far provided a support life cycle of 27 months and is expected to last until early 2019; when openSUSE Leap 42.3 will reach its EOL. That gives the major version of Leap 42 more than 36 months of life-cycle support. However, the EOL for the Leap 42 series is dependent on the release of the next major version, which will be openSUSE Leap 15 and it’s expected to be released later this Spring."
The Document Liberation Project has announced five new or improved libraries to export EPUB3 and import AbiWord, MS Publisher, PageMaker and QuarkXPress files. "The libraries have been originally developed for the LibreOffice 6.0 major release, but can be used by any other software thanks to the OSI (Open Source Initiative) compliant license."