LWN.net

Security updates have been issued by Debian (openjdk-7), Fedora (cfitsio, firefox, librsvg2, and pdns), openSUSE (firefox), Red Hat (firefox), Scientific Linux (firefox), SUSE (gd, grub2, ImageMagick, kernel, libcaca, libmspack, ntp, ovmf, w3m, and wavpack), and Ubuntu (php7.0, php7.2, qemu, and xmltooling).

The Oregon State University Open SourceLab (OSU OSL) has been a longtime hosting site for a wide variety offree and open-source software (FOSS) projects. At SCALE 17x, OSLdirector Lance Albertson gave an overview of what the lab does, some of its history, and itsrole in mentoring undergraduates at OSU. There are a lot of facets to thelab and its work, most of which flies under the radar, which is why Albertsoncame to Pasadena, CA to fill attendees in.

Security updates have been issued by CentOS (ghostscript), Debian (libssh2 and wireshark), openSUSE (aubio, blueman, and kauth), Red Hat (kernel-rt and openwsman), Scientific Linux (openwsman), Slackware (mozilla), and SUSE (ovmf and ucode-intel).

It has been just over one full year since the WireGuard virtual privatenetwork implementation was reviewed here.WireGuard has advanced in a number of ways since that article was written;it has gained many happy users, has been endorsedby Linus Torvalds, and is now supported by tools like NetworkManager.There is one notable thing that has not happened, though: WireGuardhas not yet been merged into the mainline kernel. After a period ofsilence, WireGuard is back, and it would appear that the long process ofgetting upstream is nearly done.

The Free Software Foundation has announcedthe winners of FSF awards, that were presented at the LibrePlanet 2019conference. OpenStreetMap received the 2018 Free Software Award forProjects of Social Benefit and Deborah Nicholson received the Award for theAdvancement of Free Software.

Security updates have been issued by Arch Linux (firefox, libssh2, and powerdns), Debian (bash, firefox-esr, libapache2-mod-auth-mellon, ntfs-3g, openssh, passenger, rsync, and wireshark), Fedora (filezilla, libarchive, libssh2, mxml, php-twig, php-twig2, qemu, and tcpreplay), Slackware (mozilla), SUSE (ghostscript, kernel, libgxps, libjpeg-turbo, libqt5-qtimageformats, libqt5-qtsvg, openstack-cinder, openstack-horizon-plugin-designate-ui, openstack-neutron, openstack-neutron-lbaas, ucode-intel, and unzip), and Ubuntu (firefox).

The 5.1-rc2 kernel prepatch is out."Well, we're a week away from the merge window close, and here's rc2.Things look fairly normal, but honestly, rc2 is usually too early to tell.People haven't necessarily had time to notice problems yet. Which is justanother way of saying 'please test harder'."

The5.0.4,4.19.31,4.14.108,4.9.165,4.4.177,and 3.18.137stable kernel updates are all available. Each contains a relatively largeset of important fixes.

The team behind the Scribus libre desktop-publishing toolis mourning the passing of Peter Linnell. "It is no understatement to say that without Peter Scribus wouldn’t be what it is today. It was Peter who spotted the potential of Franz Schmid’s initially humble Python program and, as a pre-press consultant at the time, contacted Franz to make him aware of the necessities of PostScript and PDF support, among other things. Peter also wrote the first version of the Scribus online documentation, which resulted in his nickname 'mrdocs' in IRC and elsewhere. Until recently, and despite his detoriating health, Peter continued to be involved in building and releasing new Scribus versions.Scribus was the project he helped to set on track and which marked the beginning of his journey into the world of Free Software development. While it remained at the heart of his commitments to Open Source in general and Libre Graphics software in particular, Peter contributed to Free Software in many other ways as well. For example via contributions to projects related to freedesktop.org, as a package builder of many Free programs for several Linux distributions on the openSUSE Build Service, and later as an openSUSE board member. Peter was also crucial in bringing the Libre Graphics community together by way of sharing his expertise with other graphics-oriented projects and his assistance in organizing the first Libre Graphics Meetings. In the sometimes ego-driven and often emotional world of Open Source development, Peter managed to get along very well with almost everybody and never lost his sense of humour."

Most of the time, the dreary work of writing protocol standards atorganizations like the IETF and beyond happens in the background, with mostof us being blissfully unaware of what is happening. Recently, though, adisagreement over protocols for congestion notification and latencyreduction has come to a head in a somewhat messy conflict. The outcome ofthis discussion may well affect how well the Internet of the future works —and whether Linux systems can remain first-class citizens of that net.

Security updates have been issued by CentOS (firefox), Debian (cron and ntfs-3g), Fedora (firefox, ghostscript, libzip, python2-django1.11, PyYAML, tcpflow, and xen), Mageia (ansible, firefox, and ImageMagick/GraphicsMagick), Red Hat (ghostscript), Scientific Linux (firefox and ghostscript), SUSE (libxml2, unzip, and wireshark), and Ubuntu (firefox, ghostscript, libsolv, ntfs-3g, p7zip, and snapd).

Kernel developers learn, one way or another, to be careful about memoryuse; any memory taken by the kernel is not available for use by the actualapplications that people keep the computer around to run. So it isunsurprising that eyebrows went up when Joel Fernandes proposed buildingthe source for all of the kernel's headers files into thekernel itself, at a cost of nearly 4MB of unswappable, kernel-space memory.The discussion is ongoing, but it has already highlighted some pain points felt by Androiddevelopers in particular.

Security updates have been issued by Debian (drupal7, firefox-esr, and openjdk-8), Fedora (ghostscript, python2-django1.11, and SDL), Red Hat (firefox), Scientific Linux (firefox), SUSE (nodejs4 and openssl-1_1), and Ubuntu (gdk-pixbuf).

The LWN.net Weekly Edition for March 21, 2019 is available.

In software, we tend to build abstraction layers. But, at times, thoselayers get in the way, so we squash them. In a talk at SCALE 17x inPasadena, CA, Kyle Anderson surveyed some of the layers that we havebuilt and squashed along the way. He also looked at some of the layersthat are being created today with an eye toward where, how, and why they mightget squashed moving forward.

Security updates have been issued by Arch Linux (libelf and wordpress), CentOS (cloud-init, cockpit, openssl, and tomcat), Gentoo (openssh), openSUSE (ovmf), Scientific Linux (cloud-init), and SUSE (go1.11, ldb, lftp, libssh2_org, and openwsman).

Version 8.0.0 of the LLVM compiler suite is out."It's the result of the LLVMcommunity's work over the past six months, including: speculative loadhardening, concurrent compilation in the ORC JIT API, no longerexperimental WebAssembly target, a Clang option to initializeautomatic variables, improved pre-compiled header support in clang-cl,the /Zc:dllexportInlines- flag, RISC-V support in lld."For details one can see separate release notes forLLVM,Clang,ExtraClang Tools,lld, andlibc++.

Bradley Kuhn of the Software FreedomConservancy (SFC) first heard the term "sustainability" being appliedto free and open-source software (FOSS) four or five years ago in the wake of Heartbleed. He wondered what the term meantin that context, so he looked into it some. He came to SCALE 17x inPasadena, CA to give his thoughts on the topic in a talk entitled "If OpenSource Isn't Sustainable, Maybe Software Freedom Is?".

Mozilla has released Firefox 66.0. The releasenotes contain details. New in this release: Firefox now preventswebsites from automatically playing sound, improved search experience,smoother scrolling, improved performance and better user experience forextensions, and more.

Stable kernels 5.0.3, 4.20.17, 4.19.30, 4.14.107, and 4.9.164 have been released with the usual setof important fixes. This is the last 4.20.y kernel and users should upgradeto 5.0.y at this time.

Security updates have been issued by CentOS (kernel), Debian (libjpeg-turbo, liblivemedia, neutron, and otrs2), Fedora (SDL), Gentoo (ntp), openSUSE (java-1_8_0-openjdk), Red Hat (cloud-init), Slackware (libssh2), SUSE (libssh2_org, nodejs10, and nodejs8), and Ubuntu (tiff).

Python versions 3.5.7 and 3.4.10 have been released. Both are in"security fixes only" mode and are source-only releases. This is the finalrelease in the Python 3.4 series. The 3.4 branch has been retired, "nofurther changes to 3.4 will be accepted, and no new releases will be made.

Version 4 of theSolus distribution has been released. "We are proud to announcethe immediate availability of Solus 4 Fortitude, a new major release of theSolus operating system. This release delivers a brand new Budgieexperience, updated sets of default applications and theming, and hardwareenablement."LWN reviewed Solus in 2016.

Security updates have been issued by Debian (ikiwiki, liblivemedia, linux-4.9, rdflib, and sqlalchemy), Fedora (advancecomp, kubernetes, mingw-poppler, and php), Mageia (ikiwiki), openSUSE (chromium, file, and sssd), Red Hat (ansible, openstack-ceilometer, and openstack-octavia), Scientific Linux (kernel), SUSE (galera-3, mariadb, mariadb-connector-c, java-1_8_0-ibm, kernel, nodejs10, openwsman, wireshark, and yast2-rmt), and Ubuntu (file, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, and linux-lts-xenial, linux-aws).

By the time that 5.1-rc1 was released andthe 5.1 merge window ended, 11,241 non-merge changesets had been pulled into the mainline repository. Of those, just over 5,000 werepulled since the first 5.1 merge-windowsummary. It often happens that the biggest changes are pulledearly, with the emphasis shifting to fixes by the end of the mergewindow; this time, though, some of the most significant features were savedfor last.

Linus has released 5.1-rc1 and closed themerge window for this development cycle. "A somewhat recentdevelopment is how the tools/testing/ updates have been quite noticeablelately. That's not new to the 5.1 merge window, it's been going on for awhile, but it's maybe just worth a mention that we have more new selftestchanges than we have architecture updates, for example. The documentationsubdirectory is also quite noticeable."

Remember the KNOPPIXdistribution? KNOPPIX 8.5.0has been released. It includes a 4.20 kernel, several desktopenvironments, the ADRIANEaudio desktop, UEFI secure boot support, and more.

Your editor has never been a prolific blogger; a hard day in the LWN saltmines tends to reduce the desire to write more material for the net in thescarce free time that remains. But, still, sometimes the desire to postsomething that is not on-topic for LWN arises. Google+ has served as theoutlet for such impulses in recent years, but Google has, in its wisdom,decided to discontinue that service. That leaves a bereft editor searching foralternatives for those times when the world simply has to hear hispolitical opinions or yet another air-travel complaint, preferably one thatwon't vanish at the whim of some corporation. Recently, a simpleblog-hosting system called WriteFreelycame to light; it offers a platform that just might serve as a substitutefor centralized offerings.

Here's aSUSE press release hyping its transition to being "the largestindependent open-source company". "As it has for more than 25 years,SUSE remains committed to an open source development and business model andto actively participating in communities and projects to bring open sourceinnovation to the enterprise as high-quality, reliable and usablesolutions. This truly open, open source model refers to the flexibility andfreedom of choice provided to customers and partners to createbest-of-breed solutions that combine SUSE technologies with other productsand technologies in their IT landscape through open standards and atdifferent levels in their architecture, without forcing a locked-instack."

Thomas Haller writesabout the WireGuard integration in NetworkManager 1.16."NetworkManager provides a de facto standard API for configuringnetworking on the host. This allows different tools to integrate andinteroperate — from cli, tui, GUI, to cockpit. All these differentcomponents may now make use of the API also for configuring WireGuard. Oneadvantage for the end user is that a GUI for WireGuard is now withinreach." (See this article for moreinformation on WireGuard.)

When Leaderless Debian was written, itseemed entirely plausible that there would still be no candidates for theproject leader office even after the extended nomination deadline passed.It is now clear that there will be no need to extend the deadline further,since three candidates (Joerg Jaspert,JonathanCarter, andSam Hartman)have stepped forward. It seems likely that the wider discussion on therole of the Debian project leader will continue but, in the meantime, theoffice will not sit empty.Update: nominations from MartinMichlmayr andSimonRichter also came in before the deadline, so this year's election willbe a five-way race.

Security updates have been issued by Fedora (mingw-poppler and php), Mageia (apache, gnome-keyring, gnupg2, hiawatha, and rsyslog), openSUSE (libcomps and obs-service-tar_scm), and Ubuntu (libvirt and linux-lts-trusty).

The GNOME project has released GNOME 3.32, which is code named "Taipei"."This release brings a refreshed visual style, new icons, the demise of the'application menu' and a new on-screen keyboard, among other things.Improvements to core GNOME applications include a shell extension fordesktop icons, improved automation and reader mode in GNOME Web,an 'Application Permissions' panel, and many more." In addition,there is an experimental option for fractional scaling, improvements toGNOME Software, and more. See the release notesfor more information.

Greg Kroah-Hartman has announced the release of the 5.0.2, 4.20.16, 4.19.29, 4.14.106, and 4.9.163 stable kernels. All contain the usualpile of important fixes; users of those series should upgrade.

Sharing a disk between users in Linux is awful. Different applicationshave different I/O patterns, they have different latency requirements, andthey are never consistent. Throttling can help ensure that users get theirfair share of the available bandwidth but, since most I/O is in thewriteback path, it's often too late to throttle without putting pressureelsewhere on the system. Disks are all different as well. You havespinning rust, solid-state devices (SSDs), awful SSDs, and barely usableSSDs. Each class of device has its own performance characteristics and,even in a single class, they'll perform differently based on the workload.Trying to address all of these issues with a single I/O controller wastricky, but we at Facebook think that we have come up with a reasonablesolution.

Security updates have been issued by Arch Linux (chromium), Debian (libsdl1.2 and libsdl2), Fedora (firefox), Gentoo (bind, glibc, openssl, oracle-jdk-bin, webkit-gtk, and xrootd), Mageia (kernel), openSUSE (freerdp, mariadb, and obs-service-tar_scm), Oracle (openssl), Red Hat (kernel, kernel-rt, openstack-ceilometer, openstack-octavia, and tomcat), Scientific Linux (cockpit, openssl, and tomcat), and SUSE (java-1_7_1-ibm and mariadb).

The LWN.net Weekly Edition for March 14, 2019 is available.

The Czech Republic top-level domain registrar, CZ.NIC, wondered about the safety of homerouters, so it set out to gather some information on the prevalence ofattacks against them. It turns out that one good way to do that is tocreate a home router that logs statistics and other information.Michal Hrušecký from CZ.NIC came to the 2019 Southern CaliforniaLinux Expo (SCALE 17x) in Pasadena, CA to describe the experiment and how it grew intoa larger project that makes and sells open-source routers.

A proposal to add a new dictionary operator for Python has spawned a PEPand two large threads on the python-ideas mailing list. To a certainextent, it is starting to look a bit like the "PEP 572 mess"; there are plenty of opinions onwhether the feature should be implemented and how it should be spelled, forexample. As yet, there has been no formal decision made on how the new steering council will be handling PEPpronouncements, though a reviewof open PEPs is the council's "highest priority". This PEP will presumably be added intothe process; it is likely too late to be included in Python 3.8 evenif it were accepted soon,so there is plenty of time to figure it all out before 3.9 is releasedsometime in 2021.

Security updates have been issued by Debian (libsndfile, systemd, waagent, and xmltooling), Fedora (guacamole-server, postgresql-jdbc, and xen), Oracle (cockpit and kernel), Red Hat (cockpit, docker, kernel-alt, and openssl), SUSE (ceph, java-1_7_0-ibm, java-1_7_1-ibm, openssl-1_0_0, python-azure-agent, python-numpy, and supportutils), and Ubuntu (kernel, php5, and walinuxagent).

Kees Cook reviewssome of the security-related enhancements in the 5.0 kernel."While the C language has a statement to indicate the end of a switchcase ('break'), it doesn’t have a statement to indicate that executionshould fall through to the next case statement (just the lack of a 'break'is used to indicate it should fall through — but this is not always thecase), and such 'implicit fall-through' may lead to bugs. Gustavo Silva hasbeen the driving force behind fixing these since at least v4.14, with wellover 300 patches on the topic alone (and over 20 missing break statementsfound and fixed as a result of the work). The goal is to be able to add-Wimplicit-fallthrough to the build so that the kernel will stay entirelyfree of this class of bug going forward. From roughly 2300 warnings, thekernel is now down to about 200. It’s also worth noting that with StephenRothwell’s help, this bug has been kept out of linux-next by him sendingwarning emails to any tree maintainers where a new instance is introduced(for example, here’s a bug introduced on Feb 20th and fixed on Feb21st)."

The Linux Foundation has announceda new initiative called CommunityBridge; its purpose is tohelp with funding and support for open-source developers. It includes somesecurity-related services and a means for connecting developers withmentors. The program is in an "early access" mode for now.The Linux Foundation is not the first to provide such services, of course;see thisstatement from the Software Freedom Conservancy for its take on thisnew initiative.

One of the bigger developments of the last year has beenthe introduction of licenses that purport to address perceivedshortcomings in existing free and open-source software licenses. Much hasbeen said and written about them, some of it here, and they are clearlymuch on the community's mind. At FOSDEM2019, Michael Cheng gave his view on the motivations for the introduction of these licenses,whether they've been effective in addressing those motivations, whatunintended consequences they may also have had, and the need for thecommunity to develop some ground rules about them going forward.

Security updates have been issued by Arch Linux (pacman), CentOS (java-1.7.0-openjdk), Debian (zabbix), Fedora (kernel-headers), openSUSE (libcomps), Oracle (kernel), Red Hat (chromium-browser), SUSE (ovmf and qemu), and Ubuntu (tiff).

One of the traditional rites of the (northern hemisphere) spring is theelection for the Debian project leader. Over a six-week period, interestedcandidates put their names forward, describe their vision for the projectas a whole, answer questions from Debian developers, then wait and watchwhile the votes come in. But what would happen if Debian were to hold anelection and no candidates stepped forward? The Debian project has justfound itself in that situation and is trying to figure out what will happennext.

Drew DeVault has announcedthe first stable release of sway, an i3-compatible Wayland desktop forLinux and FreeBSD. "Sway 1.0 adds a huge variety of features which were sorely missed on 0.x, improves performance in every respect, offers a more faithful implementation of Wayland, and exists as a positive political force in the Wayland ecosystem pushing for standardization and cooperation among Wayland projects."

Google Open Source has announcedSeason of Docs. "During Season of Docs, technical writers will spend a few months working closely with open source communities. Each writer works with their chosen open source project. The writers bring their expertise to the projects’ documentation while at the same time learning about open source and new technologies.Mentors from participating open source organizations share knowledge oftheir communities’ processes and tools. Together the technical writers andmentors build a new doc set, improve the structure of the existing docs,develop a much-needed tutorial, or improve contribution processes andguides." Open source organizations may apply to take part in Seasonof Docs starting April 2.

Software in the Public Interest has released its annualreport [PDF] for 2018. "During the current board term SPIcontinues to strive for self-improvement and renewal. Treasuryteamsprints, bank visits, and legal consultations during in-person meetingshave helped keep the wheels turning. An overhaul of our corporate bylawsthat better meets our needs is being presented to the members for theirapproval. And we have improved our reimbursement workflow with a viewtoward speedier and smoother processing."

Security updates have been issued by CentOS (polkit), Debian (chromium, openjpeg2, php7.0, poppler, and symfony), Fedora (evolution, kernel, and kernel-headers), Gentoo (curl, firefox, keepalived, rdesktop, systemd, tar, wget, and zsh), openSUSE (gdm and hiawatha), Slackware (ntp), SUSE (audit, containerd, docker, docker-runc, golang-github-docker-libnetwork, runc, file, java-1_8_0-openjdk, mariadb, openssl-1_0_0, and sssd), and Ubuntu (poppler).

The 5.0.1,4.20.15,and 4.19.28stable kernel updates have been released; each contains the usual set ofimportant fixes.