Feed lwn LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2026-01-02 21:15
[$] The sustainability of open source for the long term
The problem of "sustainability" for open-source software is a common topic of conversation in our community these days. We covered a talk by Bradley Kuhn on sustainability a month ago. Another longtime community member, Luis Villa, gave his take on the problem of making open-source projects sustainable at the 2019 Legal and Licensing Workshop (LLW) in Barcelona. Villa is one of the co-founders of Tidelift, which is a company dedicated to helping close the gap so that the maintainers of open-source projects get paid in order to continue their work.
Security updates for Tuesday
Security updates have been issued by CentOS (java-1.7.0-openjdk), Debian (ghostscript and wget), Gentoo (apache, glib, opendkim, and sqlite), Red Hat (kernel, kernel-alt, kernel-rt, ovmf, polkit, and python27-python), Scientific Linux (java-1.7.0-openjdk), and SUSE (php72).
[$] SGX: when 20 patch versions aren't enough
Intel's "Software Guard Extensions" (SGX) feature allows the creation of encrypted "enclaves" that cannot be accessed from the rest of the system. Normal code can call into an enclave, but only code running inside the enclave itself can access the data stored there. SGX is pitched as a way of protecting data from a hostile kernel; for example, an encryption key stored in an enclave should be secure even if the system as a whole is compromised. Support for SGX has been under development for over three years; LWN covered it in 2016. But, as can be seen from the response to the latest revision of the SGX patch set, all that work has still not answered an important question: what protects the kernel against a hostile enclave?
A year with Spectre: a V8 perspective
Here's an article on the V8 blog describing the work that was done to mitigate Spectre vulnerabilities in the V8 JavaScript engine. "Our research reached the conclusion that, in principle, untrusted code can read a process's entire address space using Spectre and side channels. Software mitigations reduce the effectiveness of many potential gadgets, but are not efficient or comprehensive. The only effective mitigation is to move sensitive data out of the process's address space."
A Goodbye to Joe Armstrong
The Erlang community mourns the loss of Joe Armstrong, known as the father of Erlang. "He was part of the Erlang landscape, always interested in what people had to say. His passion and enjoyment about the craft, even in his 60s, was still high up at levels I don't even know I ever had or will ever have, and I have to say I am envious of him for that. I don't know what it will be like to have this community without him around. He was humble. He was approachable. He was excited. He was creative. His legacy is not just in code, but in the communities in which he instantly became a central part. He will be missed."
Security updates for Monday
Security updates have been issued by CentOS (java-1.8.0-openjdk and java-11-openjdk), Debian (clamav, debian-security-support, and drupal7), Fedora (egl-wayland, elementary-camera, elementary-code, elementary-terminal, ephemeral, geocode-glib, gnome-characters, gnome-shell-extension-gsconnect, group-service, libmodulemd, libxmlb, mate-user-admin, mesa, meson, mpris-scrobbler, reportd, switchboard-plug-display, switchboard-plug-pantheon-shell, wingpanel, and wireshark), openSUSE (blueman and glibc), and Red Hat (java-1.7.0-openjdk).
The end of Scientific Linux
Fermilab has maintained Scientific Linux, a derivative of Red Hat Enterprise Linux, for many years. That era is coming to an end, though: "Toward that end, we will deploy CentOS 8 in our scientific computing environments rather than develop Scientific Linux 8. We will collaborate with CERN and other labs to help make CentOS an even better platform for high-energy physics computing." Maintenance of the SL6 and SL7 distributions will continue as scheduled.
Debian project leader election 2019 results
The election for the Debian project leader has concluded; the leader for the next year will be Sam Hartman. See this page for the details of the vote.
Kernel prepatch 5.1-rc6
The 5.1-rc6 kernel prepatch is out for testing. "It's Easter Sunday here, but I don't let little things like random major religious holidays interrupt my kernel development workflow. The occasional scuba trip? Sure. But everybody sitting around eating traditional foods? No. You have to have priorities."
Weekend stable kernel updates
The 5.0.9, 4.19.36, 4.14.113, and 4.9.170 stable kernel updates have all been released. These moderately large updates contain yet another set of important fixes.
[$] Implementing fully immutable files
Like all Unix-like systems, Linux implements the traditional protection bits controlling who can access files in a filesystem (and what access they have). Fewer users, perhaps, are aware of a set of additional permission bits hidden away behind the chattr and lsattr commands. Among other things, these bits can make a file append-only, mark a file to be excluded from backups, cause a file's data to be automatically overwritten on deletion, or make a file immutable. The implementation of many of these features is incomplete at best, so perhaps it's not surprising that immutable files can still be changed in certain limited circumstances. Darrick Wong has posted a patch set changing this behavior, implementing a user-visible behavioral change that he describes as "an extraordinary way to destroy everything".
Security updates for Friday
Security updates have been issued by Fedora (atomic-reactor and osbs-client), openSUSE (libqt5-qtbase, lxc, tar, wget, and xmltooling), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (php5), and Ubuntu (znc).
[$] Tracking pages from get_user_pages()
As has been recently discussed here, developers for the filesystem and memory-management subsystems have been grappling for years with the problems posed by the get_user_pages() mechanism. This function maps memory into the kernel's address space for direct access by the kernel or peripheral devices, but that kind of access can create confusion in the filesystem layers, which may not be expecting that memory to be written to at any given time. A new patch set from Jérôme Glisse tries to chip away at a piece of the problem, but a complete solution is not yet in view.
Ubuntu 19.04 (Disco Dingo) released
Ubuntu 19.04, code named "Disco Dingo", has been released, along with the following flavors: Ubuntu Budgie, Kubuntu, Lubuntu, Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu. "The Ubuntu kernel has been updated to the 5.0 based Linux kernel, our default toolchain has moved to gcc 8.3 with glibc 2.29, and we've also updated to openssl 1.1.1b and gnutls 3.6.5 with TLS1.3 support. Ubuntu Desktop 19.04 introduces GNOME 3.32 with increased performance, smoother startup animations, quicker icon load times and reduced CPU+GPU load. Fractional scaling for HiDPI screens is now available in Xorg and Wayland. Ubuntu Server 19.04 integrates recent innovations from key open infrastructure projects like OpenStack Stein, Kubernetes, and Ceph with advanced life-cycle management for multi-cloud and on-prem operations, from bare metal, VMware and OpenStack to every major public cloud." More information can be found in the release notes.
OpenSSH 8.0 released
OpenSSH 8.0 has been released with a bunch of new features and some bug fixes, including one for a security problem: "This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request. The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead."
Security updates for Thursday
Security updates have been issued by CentOS (polkit), Gentoo (dovecot, libseccomp, and patch), openSUSE (aubio, blktrace, flac, lxc, lxcfs, pspp, SDL, sqlite3, and xen), Red Hat (java-1.8.0-openjdk, java-11-openjdk, and rh-maven35-jackson-databind), Scientific Linux (java-1.8.0-openjdk), Slackware (libpng), SUSE (python, python3, sqlite3, and xerces-c), and Ubuntu (ntfs-3g).
[$] LWN.net Weekly Edition for April 18, 2019
The LWN.net Weekly Edition for April 18, 2019 is available.
[$] Business models and open source
One of the more lively sessions that was held at the 2019 Legal and Licensing Workshop (LLW) was Heather Meeker's talk on open-source business models and alternative licensing. As a lawyer in private practice, Meeker worked on a number of the alternative licenses that were drafted and presented over the last year or so. But she is also part of a venture capital (VC) firm that is exclusively investing in companies focused on open source, so she has experience in thinking about what kinds of models actually work for those types of businesses.
Stable kernel updates
Stable kernels 5.0.8, 4.19.35, 4.14.112, and 4.9.169 have been released. They all contain important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by CentOS (mod_auth_mellon), Debian (ghostscript and ruby2.3), openSUSE (dovecot22, gnuplot, and openwsman), Scientific Linux (mod_auth_mellon), SUSE (krb5, openexr, python3, and wget), and Ubuntu (firefox and openjdk-lts).
[$] An update on compliance for containers
The inability to determine the contents of container images is a topic that annoys Dirk Hohndel. At last year's Legal and Licensing Workshop (LLW), he gave a presentation that highlighted the problem and some work he had been doing to combat it. At this year's LLW, he updated attendees on the progress that has been made and where he hopes things will go from here.
Security updates for Tuesday
Security updates have been issued by Debian (cacti and libxslt), Fedora (pcsc-lite and samba), Gentoo (gnutls, phpmyadmin, and tiff), openSUSE (apache2, clamav, dovecot23, nodejs10, SDL, and webkit2gtk3), Red Hat (mod_auth_mellon and rh-python36-python), SUSE (firefox, nspr, nss and python), and Ubuntu (libxslt and webkit2gtk).
[$] Avoiding page reference-count overflows
The 5.1-rc5 announcement mentioned "changes all over" and highlighted a number of the areas that had been touched. One thing that was not mentioned there was the addition of four patches fixing a security-related issue in the core memory-management subsystem. The vulnerability is sufficiently difficult to exploit that almost nobody should feel the need to rush out a kernel update, but it is still interesting to look at as a demonstration of how things can go wrong.
An eBPF overview series from Collabora
Adrian Ratiu is posting a series of articles on the Collabora blog digging into the kernel's eBPF subsystem. The first two parts are available now: an introduction and a look at the virtual machine. "eBPF is a RISC register machine with a total of 11 64-bit registers, a program counter and a 512 byte fixed-size stack. 9 registers are general purpose read-write, one is a read-only stack pointer and the program counter is implicit, i.e. we can only jump to a certain offset from it. The VM registers are always 64-bit wide (even when running inside a 32-bit ARM processor kernel!) and support 32-bit subregister addressing if the most significant 32 bits are zeroed - this will be very useful in part 4 when cross-compiling and running eBPF programs on embedded devices."
Stable kernel updates
Stable kernels 5.0.7, 4.19.34, 4.14.111, and 4.9.168 were actually released last week, but the email wasn't sent. As usual they all contain important fixes and users should upgrade.
Security updates for Monday
Security updates have been issued by Debian (graphicsmagick, jasper, and libssh2), Fedora (kernel, kernel-headers, kernel-tools, nodejs-simple-markdown, and php), openSUSE (netpbm and xen), and SUSE (audiofile, firefox, java-1_7_0-openjdk, libvirt, openssh, and systemd).
Kernel prepatch 5.1-rc5
The 5.1-rc5 kernel prepatch is out for testing. "Nothing in here makes me feel uncomfortable about this release cycle so far. Knock wood."
[$] Expedited memory reclaim from killed processes
Running out of memory puts a Linux system into a difficult situation; in the worst cases, there is often no way out other than killing one or more processes to reclaim their memory. This killing may be done by the kernel itself or, on systems like Android, by a user-space out-of-memory (OOM) killer process. Killing a process is almost certain to make somebody unhappy; the kernel should at least try to use that process's memory expeditiously so that, with luck, no other processes must die. That does not always happen, though, in current kernels. This patch set from Suren Baghdasaryan aims to improve the situation, but the solution that results in the end may take a different form.
Emacs 26.2 released
Version 26.2 of the Emacs editor is out. The headline features include the ability to build modules outside of the source tree, Unicode 11 compliance, and the long-awaited ability to compress an entire directory full of files with a single keystroke.
Security updates for Friday
Security updates have been issued by CentOS (freerdp, kernel, openssh, and python), Fedora (checkstyle), openSUSE (bluez, file, kernel, and libarchive), SUSE (apache2, curl, ghostscript, libvirt, openssh, and systemd), and Ubuntu (rssh).
[$] Counting corporate beans
Some things simply take time. When your editor restarted the search for a free accounting system, he had truly hoped to be done by now. But life gets busy, and accounting systems are remarkably prone to falling off the list of things one wants to deal with in any given day. On the other hand, accounting can return to that list quickly whenever LWN's proprietary accounting software does something particularly obnoxious. This turns out to be one of those times, so your editor set out to determine whether beancount could do the job.
Security updates for Thursday
Security updates have been issued by Arch Linux (apache, evolution, gnutls, and thunderbird), Debian (wpa), Gentoo (git), Mageia (dovecot, flash-player-plugin, gpac, gpsd, imagemagick, koji, libssh2, libvirt, mariadb, ming, mumble, ntp, python, python3, squirrelmail, and wget), openSUSE (apache2), Red Hat (httpd24-httpd and httpd24-mod_auth_mellon), SUSE (libqt5-qtbase, openldap2, tar, and xmltooling), and Ubuntu (ruby1.9.1, ruby2.0, ruby2.3, ruby2.5 and wpa).
[$] LWN.net Weekly Edition for April 11, 2019
The LWN.net Weekly Edition for April 11, 2019 is available.
[$] A backdoor in a popular Ruby gem
Finding ways to put backdoors into various programming-language package repositories (e.g. npm, PyPI, and now RubyGems) seems like it is becoming a new Olympic sport or something. Every time you turn around, there is a report of a new backdoor. It is now apparently Ruby's turn, with a new report of a remote-execution backdoor being inserted, briefly, into a popular gem that is installed by some sites using the Ruby on Rails web-application framework.
Security updates for Wednesday
Security updates have been issued by Debian (samba and spip), openSUSE (samba), Red Hat (flash-plugin), Scientific Linux (kernel and openssh), SUSE (clamav and xen), and Ubuntu (apache2).
Microsoft Research: A fork() in the road
Here's a research paper from Andrew Baumann, Jonathan Appavoo, Orran Krieger, and Timothy Roscoe, published on the Microsoft Research site, arguing that the fork() system call is a fundamental design mistake. "As the designers and implementers of operating systems, we should acknowledge that fork's continued existence as a first-class OS primitive holds back systems research, and deprecate it. As educators, we should teach fork as a historical artifact, and not the first process creation mechanism students encounter." The discussion of better alternatives is limited, though.
[$] Positional-only parameters for Python
Arguments can be passed to Python functions by position or by keyword—generally both. There are times when API designers may wish to restrict some function parameters to only be passed by position, which is harder than some think it should be in pure Python. That has led to a PEP that is meant to make the situation better, but opponents say it doesn't really do that; it simply replaces one obscure mechanism with another. The PEP was assigned a fairly well-known "BDFL delegate" (former BDFL Guido van Rossum), who has accepted it, presumably for Python 3.8.
[$] Managing sysctl knobs with BPF
"Sysctl" is the kernel's mechanism for exposing tunable parameters to user space. Every sysctl knob is presented as a virtual file in a hierarchy under /proc/sys; current values can be queried by reading those files, and a suitably privileged user can change a value by writing to its associated file. What happens, though, when a system administrator would like to limit access to sysctl, even for privileged users? Currently there is no solution to this problem other than blocking access to /proc entirely. That may change, though, if this patch set from Andrey Ignatov makes its way into the mainline.
Security updates for Tuesday
Security updates have been issued by Debian (poppler, proftpd-dfsg, suricata, and systemd), Fedora (kernel, kernel-headers, kernel-tools, and wget), Gentoo (clamav, emerge-delta-webrsync, and mailman), openSUSE (bash), Red Hat (kernel and openssh), Scientific Linux (python), SUSE (gnuplot, libtcnative-1-0, and sqlite3), and Ubuntu (clamav, lua5.3, openjdk-7, samba, systemd, and wget).
[$] Making slab-allocated objects movable
Memory fragmentation is a constant problem for memory-management subsystems. Over the years, considerable effort has been put into reducing fragmentation in the Linux kernel, but almost all of that work has been focused on memory management at the page level. The slab allocators, which (mostly) manage memory in chunks of less than the page size, have seen less attention, but fragmentation at this level can create problems throughout the system. The slab movable objects patch set posted by Tobin Harding is an attempt to improve this situation by making it possible for the kernel to actively defragment slab pages by moving objects around.
Security updates for Monday
Security updates have been issued by Debian (roundup, samba, tryton-server, and wget), Fedora (evolution-data-server, evolution-ews, glpi, ntp, poppler, pspp, and wget), Mageia (advancecomp, cfitsio, firefox, ghostscript, gnutls, libjpeg, libpng, ocaml, python-yaml, ruby-ox, SDL12, and thunderbird), openSUSE (adcli, sssd, go1.11, liblouis, nodejs6, openssl, ovmf, sqlite3, sysstat, thunderbird, tiff, and znc), Red Hat (chromium-browser and python), Slackware (httpd, openjpeg, and wget), SUSE (bash, clamav, dovecot22, kernel, php53, SDL, and xen), and Ubuntu (clamav and samba).
Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)
BleepingComputer reports that browser developers are removing the ability to disable "ping=" click tracking. "Google Chrome also enables this tracking feature by default, but in the current Chrome 73 version it includes a 'Hyperlink auditing' flag that can be used to disable it from the chrome://flags URL. In the Chrome 74 Beta and Chrome 75 Canary builds, though, this flag has been removed and there is no way to disable hyperlink auditing." Firefox still allows this "feature" to be disabled (and disables it by default).
Kernel prepatch 5.1-rc4
The fourth 5.1 kernel prepatch is out for testing. "Smaller than rc3, I'm happy to say. Nothing particularly big in here, just a number of small things all over."
Security updates for Friday
Security updates have been issued by Debian (pdns), Fedora (firefox, freerdp, ghostscript, gnome-boxes, gnutls, libarchive, libssh2, pidgin-sipe, poppler, and remmina), openSUSE (gd, ImageMagick, ldb, libcaca, ntp, openssl-1_1, ovmf, thunderbird, w3m, and wavpack), SUSE (apache2, firefox, and libvirt), and Ubuntu (advancecomp and apache2).
[$] Rethinking race-free process signaling
One of the new features in the 5.1 kernel is the pidfd_send_signal() system call. Combined with the (also new) ability to create a file descriptor referring to a process (a "pidfd") by opening its directory in /proc, this system call allows for the sending of signals to processes in a race-free manner. An extension to this feature proposed for 5.2 has, however, sparked a discussion that has brought the whole concept into question. It may yet be that the pidfd feature will be put on hold before the final 5.1 release while the API around it is rethought.
Schaller: Preparing for Fedora Workstation 30
Christian Schaller describes a long list of desktop improvements coming in the Fedora 30 release. "Screen sharing support for Chrome and Firefox under Wayland. The Wayland security model doesn't allow any application to freely grab images or streams of the whole desktop like you could under X. This is of course a huge improvement in security, but it did cause some disruption for valid use cases like screen sharing with things like BlueJeans and Google Hangouts. We've been working on resolving that with the help of PipeWire. We've been at it for some time and things are now coming together. Chrome 73 ships with everything needed to make this work with Chrome."
Security updates for Thursday
Security updates have been issued by Debian (apache2, golang, and putty), Gentoo (xen), and SUSE (clamav, SM3.1, and SMS3.1).
[$] LWN.net Weekly Edition for April 4, 2019
The LWN.net Weekly Edition for April 4, 2019 is available.
[$] How to (not) fix a security flaw
A pair of flaws in the web interface for two small-business Cisco routers make for a prime example of the wrong way to go about security fixes. These kinds of flaws are, sadly, fairly common, but the comedy of errors that resulted here is, thankfully, rather rare. Among other things, it shows that vendors may wish to await a real fix rather than to release a small, ineffective band-aid to try to close a gaping hole.
[$] The return of the lockdown patches
It's been a year since we looked in on the kernel lockdown patches; that's because things have been fairly quiet on that front since there was a loud and discordant dispute about them back then. But Matthew Garrett has been posting new versions over the last two months; it would seem that the changes that have been made might be enough to tamp down the flames and, perhaps, even allow them to be merged into the mainline.