Security updates have been issued by Arch Linux (chromium), Debian (mariadb-10.1, openjpeg2, systemd, and uriparser), Mageia (389-ds-base, apache, and soundtouch), SUSE (libwpd, py26-compat-salt, salt, and SMS3.1), and Ubuntu (systemd).
The closing event at the 2018 Linux Plumbers Conference (LPC) was a panel of kernel developers. The participants were Laura Abbott, Anna-Maria Gleixner, Shuah Khan, Julia Lawall, and Anna Schumaker; moderation was provided by Kate Stewart. This fast-moving discussion covered the challenges of kernel development, hardware vulnerabilities, scaling the kernel, and more.
The 4.20-rc3 kernel prepatch is out for testing. "The changes in rc3 are pretty tiny, which means that the statistics look slightly different from the usual ones - drivers only account for less than a third of the patch, for example."
Security updates have been issued by Fedora (lldpad, pdns, and php), Mageia (flash-player-plugin, gdal, mutt, patch, php-pear-CAS, postgresql9.4|6, ruby-rack, and teeworlds), SUSE (kernel-rt, postgresql10, and squid), and Ubuntu (openjdk-7).
Android devices are based on the Linux kernel but, since the beginning, those devices have not run mainline kernels. The amount of out-of-tree code shipped on those devices has been seen as a problem for most of this time, and significant resources have been dedicated to reducing it. At the 2018 Linux Plumbers Conference, Sandeep Patil talked about this problem and what is being done to address it. The dream of running mainline kernels on Android devices has not yet been achieved, but it may be closer than many people think.
Red Hat has announced the release of RHEL 8 Beta. "Red Hat Enterprise Linux 8 Beta introduces the concept of Application Streams to deliver userspace packages more simply and with greater flexibility. Userspace components can now update more quickly than core operating system packages and without having to wait for the next major version of the operating system. Multiple versions of the same package, for example, an interpreted language or a database, can also be made available for installation via an application stream. This helps to deliver greater agility and user-customized versions of Red Hat Enterprise Linux without impacting the underlying stability of the platform or specific deployments."
In the first session of the Testing & Fuzzing microconference at the 2018 Linux Plumbers Conference (LPC), Kevin Hilman gave a report on the recently held Automated Testing Summit (ATS). Since the summit was an invitation-only gathering of 35 people, there were many at LPC who were not at ATS but had a keen interest in what was discussed. The summit came out of a realization that there is a lot of kernel testing going on in various places, but not a lot of collaboration between those efforts, Hilman said.
Device trees have become ubiquitous in recent years as a way of describing the hardware layout of non-discoverable systems, such as many ARM-based devices. The device-tree bindings define how a particular piece of hardware is described in a device tree. Drivers then implement those bindings. The device-tree documentation shows how to use the bindings to describe systems: which properties are available and which values they may have. In theory, the bindings, drivers and documentation should be consistent with each other. In practice, they are often not consistent and, even when they are, using those bindings correctly in actual device trees is not a trivial task. As a result, developers have been considering formal validation for device-tree files for years. Recently, Rob Herring proposed a move to a more structured documentation format for device-tree bindings using JSON Schema to allow automated validation.
The results of the 2018 election for members of the Linux Foundation's Technical Advisory Board have been posted; the members elected this time around are Chris Mason, Laura Abbott, Olof Johansson, Dan Williams, and Kees Cook. Abbott and Cook are new members to the board this time around. (The other TAB members are Ted Ts'o, Greg Kroah-Hartman, Jonathan Corbet, Tim Bird, and Steve Rostedt).
Stable kernels 4.19.2, 4.18.19, 4.14.81, and 4.9.137 have been released. They all contain a relatively large set of important fixes and users should upgrade.
Security updates have been issued by Arch Linux (powerdns and powerdns-recursor), Debian (ceph and spamassassin), Fedora (feh, flatpak, and xen), Red Hat (kernel, kernel-rt, openstack-cinder, python-cryptography, and Red Hat Single Sign-On 7.2.5), and Ubuntu (python2.7, python3.4, python3.5).
Debian supports many architectures and, even for those it does not officially support, there are Debian ports that try to fill in the gap. For most user applications, it is mostly a matter of getting GCC up and running for the architecture in question, then building all of the different packages that Debian provides. But for packages that need to be built with LLVM—applications or libraries that use Rust, for example—that simple recipe becomes more complicated. How much the lack of Rust support for an unofficial architecture should hold back the rest of the distribution was the subject of a somewhat acrimonious discussion recently.
Security updates have been issued by Debian (firmware-nonfree and imagemagick), Fedora (cabextract, icecast, and libmspack), openSUSE (icecast), Red Hat (httpd24), Slackware (libtiff), SUSE (apache-pdfbox, firefox, ImageMagick, and kernel), and Ubuntu (clamav, spamassassin, and systemd).
User-space developers may be accustomed to thinking of system calls as direct calls into the kernel. Indeed, the first edition of The C Programming Language described read() and write() as "a direct entry into the operating system". In truth, user-level "system calls" are just functions in the C library like any other. But what happens when the developers of the C library refuse to provide access to system calls they don't like? The result is an ongoing conflict that has recently flared up again; it shows some of the difficulties that can arise when the system as a whole has no ultimate designer and the developers are not talking to each other.
The 4.18.18, 4.14.80, 4.9.136, 4.4.163, and 3.18.125 stable kernel updates have all been released; each contains a relatively large set of important fixes. The 3.18.x updates may be about to come to an end, since it is not clear that anybody is using them. "And from what I can see in the 'real world', no one is actually updating devices that rely on 3.18.y to the newer kernel releases. So I think I'm going to stop maintaining this tree soon unless someone speaks up and says 'I am using it!'"
Since the beginning, one part of the kernel-development task has been watching the mainline to see whether one's work had been merged. That is about to change with the advent of the pull-request tracker bot, which will inform maintainers when one of their pull requests has made it into the mainline. Konstantin Ryabitsev, who put this service together, plans to expand it to other trees once things have settled down.
As a general rule, the kernel is supposed to use the least amount of CPU time possible; any time taken by the kernel is not available for the applications the user actually wants to run. As a result, not a lot of thought has gone into optimizing the execution of kernel-side work requiring large amounts of CPU. But the kernel does occasionally have to take on CPU-intensive tasks, such as the initialization of the large amounts of memory found on current systems. The ktask subsystem posted by Daniel Jordan is an attempt to improve how the kernel handles such jobs.
Security updates have been issued by Debian (nginx), Fedora (icu, java-1.8.0-openjdk-aarch32, libgit2, php-pear-CAS, roundcubemail, and ruby), Gentoo (firefox, libX11, openssl, and python), openSUSE (thunderbird), Oracle (java-11-openjdk, kernel, and spice-server), Red Hat (java-1.8.0-ibm and thunderbird), Scientific Linux (spice-server), SUSE (curl, libepubgen, liblangtag, libmwaw, libnumbertext, libreoffice, libstaroffice, libwps, myspell-dictionaries, xmlsec1, libxkbcommon, openssh, and xorg-x11-server), and Ubuntu (pyopenssl).
It has been nearly 13 years since Jeff Garzik proclaimed that Linux was "proving its superiority in the area of crappy wireless (WiFi) support". Happily, the situation has improved somewhat since then, but that doesn't mean that things can't get better yet. During the Embedded Linux Conference portion of the 2018 Open Source Summit Europe, Marcel Holtmann described the work being done to create iwd, a new system for configuring and managing WiFi connections. If this project has its way, future users will have little room for complaint about how WiFi works on Linux systems.
There is a whole new set of PostgreSQL releases out there, the main purpose of which is to include an important security fix. "Using a purpose-crafted trigger definition, an attacker can run arbitrary SQL statements with superuser privileges when a superuser runs `pg_upgrade` on the database or during a pg_dump dump/restore cycle. This attack requires a `CREATE` privilege on some non-temporary schema or a `TRIGGER` privilege on a table. This is exploitable in the default PostgreSQL configuration, where all users have `CREATE` privilege on `public` schema." Note that this is the final update for the 9.3 series; users on that version should be planning an upgrade in the near future.
Security updates have been issued by CentOS (python-paramiko and thunderbird), Debian (firefox-esr, libdatetime-timezone-perl, and mariadb-10.0), Fedora (curl, NetworkManager, and xorg-x11-server), openSUSE (kernel), Oracle (java-1.7.0-openjdk, python-paramiko, thunderbird, and xorg-x11-server), Red Hat (java-11-openjdk and spice-server), SUSE (firefox, kernel, and SDL_image), and Ubuntu (nginx).
A "joke" in the glibc manual—targeting a topic that is, at best, sensitive—has come up for discussion on the glibc-alpha mailing list again. When we looked at the controversy in May, Richard Stallman had put his foot down and a patch removing the joke—though opinions of its amusement value vary—was reverted. Shortly after that article was published, a "cool down period" was requested (and honored), but that time has expired. Other developments in the GNU project have given some reason to believe that the time is ripe to finally purge the joke, but that may not work out any better than the last attempt.
There is always at least a small risk when installing a package for a distribution. By its very nature, package installation is an invasive process; some packages require the ability to make radical changes to the system—changes that users surely would not want other packages to take advantage of. Packages that are made available by distributions are vetted for problems of this sort, though, of course, mistakes can be made. Third-party packages are an even bigger potential problem because they lack this vetting, as was discussed in early October on the debian-devel mailing list. Solutions in this area are not particularly easy, however.
Security updates have been issued by Arch Linux (ghostscript), Debian (curl), Fedora (curl, thunderbird, and zchunk), openSUSE (thunderbird), Oracle (389-ds-base, binutils, curl and nss-pem, glusterfs, gnutls, jasper, kernel, krb5, libcdio, libkdcraw, libmspack, libvirt, openssl, ovmf, python, samba, setup, sssd, wget, wpa_supplicant, xerces-c, zsh, and zziplib), Red Hat (xerces-c), SUSE (libarchive and systemd), and Ubuntu (ppp and spamassassin).
We looked at the WireGuard virtual private network (VPN) back in August and noted that it is built on top of a new cryptographic API being developed for the kernel, which is called Zinc. There has been some controversy about Zinc and why a brand new API was needed when the kernel already has an extensive crypto API. A recent talk by lead WireGuard developer Jason Donenfeld at Kernel Recipes 2018 would appear to be a serious attempt to reach out, engage with that question, and explain the what, how, and why of Zinc.
Security updates have been issued by Debian (glusterfs, gthumb, and mysql-5.5), Red Hat (389-ds-base, kernel, and xerces-c), Slackware (mariadb), SUSE (accountsservice, curl, icinga, kernel, and opensc), and Ubuntu (libxkbcommon, openssh, and ruby1.9.1, ruby2.0, ruby2.3, ruby2.5).
At the end of the 4.20 merge window, 12,125 non-merge changesets had been pulled into the mainline kernel repository; 6,390 came in since last week's summary was written. As is often the case, the latter part of the merge window contained a larger portion of cleanups and fixes, but there were a number of new features in the mix as well.
Security updates have been issued by Debian (curl, icecast2, mupdf, and ruby2.3), Fedora (lldpad, NetworkManager, python-django, roundcubemail, thunderbird, webkit2gtk3, xen, and xorg-x11-server), Mageia (axis, cimg, gmic, dnsmasq, gitolite, gnutls, java-1.8.0-openjdk, lighttpd, mbedtls, mediawiki, perl-Dancer2, python-cryptography, and virtualbox), Red Hat (openvswitch, Red Hat Virtualization, and thunderbird), SUSE (curl, ffmpeg, and soundtouch), and Ubuntu (network-manager and systemd).
Linus has released 4.20-rc1 and closed the merge window for this development cycle. "So I did debate calling it 5.0, but if we all help each other, I'm sure we can count to 20. It's a nice round number, and I didn't want to make a pattern of it. I think 5.0 happens next year, because then I *really* run out of fingers and toes."
The SpamAssassin 3.4.2 release was the first from that project in well over three years. At the 2018 Open Source Summit Europe, Giovanni Bechis talked about that release and those that will be coming in the near future. It would seem that, after an extended period of quiet, the SpamAssassin project is back and has rededicated itself to the task of keeping junk out of our inboxes.
On her blog, Máirín Duffy writes about her experiences helping design the "user experience" (UX) for the ChRIS project, which is an open-source effort aimed at medical imagery processing and distribution for hospitals and other facilities. "One of the driving reasons for ChRIS’ creation was to allow for hospitals to own and control their own data without needing to give it up to the industry. How do you apply the latest cloud-based rapid data processing technology without giving your data to one of the big cloud companies? ChRIS has been built to interface with cloud providers such as the Massachusetts Open Cloud that have consortium-based data governance that allow for users to control their own data. I want to emphasize the cloud-based computing piece here because it’s important – ChRIS allows you [to] run image processing tools at scale in the cloud, so elaborate image processing that typically days, weeks, or months to complete could be completed in minutes. For a patient, this could enable a huge positive shift in their care – rather than have to wait for days to get back results of an imaging procedure (like an MRI), they could be consulted by their doctor and make decisions about their care that day."
Richard Fontana has a long history working with open-source licenses in commercial environments. He came to the 2018 Open Source Summit Europe with a talk that, he said, had never before been presented outside of "secret assemblies of lawyers"; it gave an interesting view of licenses as resources that are shared within the community and the risks that this shared nature may present. While our licenses have many good properties, including a de facto standardization role, those properties come with some unique and increasing risks when it comes to litigation.
Over at the Collabora blog, Erik Faye-Lund writes about Zink, which is an effort to create an OpenGL driver on top of Vulkan that he has been working on with Dave Airlie. "One problem is that OpenGL is a big API with a lot of legacy stuff that has accumulated since its initial release in 1992. OpenGL is well-established as a requirement for applications and desktop compositors. But since the very successful release of Vulkan, we now have two main-stream APIs for essentially the same hardware functionality. It's not looking like neither OpenGL nor Vulkan is going away, and the software-world is now hard at work implementing Vulkan support everywhere, which is great. But this leads to complexity. So my hope is that we can simplify things here, by only require things like desktop compositors to support one API down the road. We're not there yet, though; not all hardware has a Vulkan-driver, and some older hardware can't even support it. But at some point in the not too far future, we'll probably get there. This means there might be a future where OpenGL's role could purely be one of legacy application compatibility. Perhaps Zink can help making that future a bit closer?"
Security updates have been issued by Debian (phpldapadmin, poppler, and tzdata), Fedora (firefox, java-11-openjdk, libarchive, sos-collector, and teeworlds), Scientific Linux (java-1.7.0-openjdk, python-paramiko, and thunderbird), Slackware (curl), and SUSE (kernel, MozillaFirefox, MozillaFirefox-branding-SLE, llvm4, mozilla-nspr, mozilla-nss, apache2-mod_nss, and wireshark).
The "systemd question" has roiled Debian multiple times over the years, but things had mostly been quiet on that front of late. The Devuan distribution is a Debian derivative that has removed systemd; many of the vocal anti-systemd Debian developers have switched, which helps reduce the friction on the Debian mailing lists. But that seems to have led to support for init system alternatives (and System V init in particular) to bitrot in Debian. There are signs that a bit of reconciliation between Debian and Devuan will help fix that problem.
The development of the web was a huge "sea change" in the history of the internet. The web is what brought the masses to this huge worldwide network—for good or ill. It is unlikely that Tim Berners-Lee foresaw all of that when he came up with HTTP and HTML as part of his work at CERN, but he has been in a prime spot to watch the web unfold since 1989. His latest project, Solid, is meant to allow users to claim authority over the personal data that they provide to various internet giants.
Version 3.2 of the Bison parser generator is out. "Massive improvements were brought to the deterministic C++ skeleton, lalr1.cc. When variants are enabled and the compiler supports C++11 or better, move-only types can now be used for semantic values. C++98 support is not deprecated."
Version 1.11.0 of the Subversion source-code management system is out. Changes include improvements to the shelving feature, better resolution of merge conflicts, an experimental checkpointing feature, and more; see the release notes for details.
Red Hat has announced the release of Red Hat Enterprise Linux 7.6, "a consistent hybrid cloud foundation for enterprise IT built on open source innovation. Red Hat Enterprise Linux 7.6 is designed to enable organizations to better keep pace with emerging cloud-native technologies while still supporting stable IT operations across enterprise IT’s four footprints."