LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-09-14 12:15
Fedora 29 released
The Fedora 29 release is available. "This release is particularly exciting because it's the first to include the Fedora Modularity feature across all our different variants. Modularity lets us ship different versions of packages on the same Fedora base. This means you no longer need to make your whole OS upgrade decisions based on individual package versions."
[$] Compartmentalized computing with CLIP OS
People searching for a hardened Linux distribution have a wide range to choose from: they can use one of the security-focused offerings, or they can, with sufficient expertise, simply apply hardening patches and build everything to their taste. Such systems, of which Qubes OS is a good example, usually concentrate on the user's privacy. Recently, the French cybersecurity agency (ANSSI) released the source code for CLIP OS, its hardened operating system based on Linux. CLIP OS has been in development for more than ten years and, while sharing many elements with other hardened Linux distributions, this one is targeted to different needs: the focus is on providing maximum isolation between confidentiality levels and different users of the same system. As an illustration: the administrator is not able to access other users' data.
Security updates for Monday
Security updates have been issued by Arch Linux (xorg-server), Debian (graphicsmagick, libmspack, paramiko, ruby2.1, teeworlds, and tiff), Fedora (lldpad), Mageia (bitcoin, blueman, busybox, dhcp, exempi, firefox, kernel, kernel-linus, kernel-tmb, lilypond, ruby, and x11-server), openSUSE (audiofile, clamav, hostapd, ImageMagick, lcms2, libgit2, mercurial, net-snmp, and wpa_supplicant), SUSE (audiofile, binutils, kdelibs3, lcms2, mysql, openssh, and xen), and Ubuntu (mysql-5.5 and xorg-server, xorg-server-hwe-16.04).
IBM acquiring Red Hat
Bloomberg is reporting that IBM has agreed to acquire Red Hat for over $33 billion. "International Business Machines Corp. will pay $190 a share in cash for Raleigh, North Carolina-based Red Hat, according to a statement from the companies Sunday, confirming an earlier Bloomberg News report. That's a 63 percent premium over Red Hat's closing price of $116.68 per share on Friday."
[$] The proper use of EXPORT_SYMBOL_GPL()
The kernel, in theory, puts strict limits on which functions and data structures are available to loadable kernel modules; only those that have been explicitly exported with EXPORT_SYMBOL() or EXPORT_SYMBOL_GPL() are accessible. In the case of EXPORT_SYMBOL_GPL(), only modules that declare a GPL-compatible license will be able to see the symbol. There have been questions about when EXPORT_SYMBOL_GPL() should be used for almost as long as it has existed. The latest attempt to answer those questions was a session run by Greg Kroah-Hartman at the 2018 Kernel Maintainers Summit; that session offered little in the way of general guidance, but it did address one specific case.
[$] Removing support for old hardware from the kernel
The kernel supports a wide range of hardware. Or, at least, the kernel contains drivers for a lot of hardware, but the hardware for which many of those drivers were written is old and, perhaps, no longer in actual use. Some of those drivers would certainly no longer work even if the hardware could be found. These drivers provide no value, but they are still an ongoing maintenance burden; it would be better to simply remove them from the kernel. But identifying which drivers can go is not as easy as one might think. Arnd Bergmann led an inconclusive session on this topic at the 2018 Kernel Maintainers Summit.
[$] 4.20/5.0 Merge window part 1
Linus Torvalds has returned as the keeper of the mainline kernel repository, and the merge window for the next release which, depending on his mood, could be called either 4.20 or 5.0, is well underway. As of this writing, 5,735 non-merge changesets have been pulled for this release; experience suggests that we are thus at roughly the halfway point.
Security updates for Friday
Security updates have been issued by Arch Linux (firefox), CentOS (firefox), Debian (389-ds-base, openjdk-8, thunderbird, and xorg-server), Fedora (firefox), openSUSE (GraphicsMagick, jhead, mysql-community-server, ntp, postgresql96, python-cryptography, rust, tomcat, webkit2gtk3, and zziplib), Scientific Linux (firefox), and SUSE (clamav, firefox, ImageMagick, libgit2, net-snmp, smt, wpa_supplicant, and xorg-x11-server).
An X.Org security advisory
It turns out that the X.org server, versions 1.19.0 and after, contains an easily exploitable privilege escalation vulnerability. Anybody who is running a system that has X installed setuid root, and which has untrusted users on it, will want to install the update. "X.Org recommends the use of a display manager to start X sessions, which does not require Xorg to be installed setuid."
[$] Improving the handling of embargoed hardware-security bugs
Jiri Kosina kicked off a session on hardware vulnerabilities at the 2018 Kernel Maintainers Summit by noting that there are few complaints about how the kernel community deals with security issues in general. That does not hold for Meltdown and Spectre which, he said, had been "completely mishandled". The subsequent handling of the L1TF vulnerability suggests that some lessons have been learned, but there is still plenty of room for improvement in how hardware vulnerabilities are handled in general.
Truta: Farewell, Glenn Randers-Pehrson
Cosmin Truta reports the death of Glenn Randers-Pehrson. "Glenn is one of the original designers of the PNG format, and a co-founder of the PNG Development Group, back in the mid-90's. He took good care of the PNG Specification, as a contributing author for PNG version 1.0, and as the main editor for all of the subsequent editions through PNG 1.1 and 1.2, until the current W3C/ISO/IEC standard PNG Specification, Second Edition. In addition, all of the related Specifications, i.e., the registered PNG extensions, and the companion MNG Specification version 1.0 and JNG Specification version 1.0, had Glenn at the front as the main editor and moderator-in-chief." (Thanks to Paul Wise)
Security updates for Thursday
Security updates have been issued by Debian (389-ds-base, clamav, firefox-esr, and mosquitto), openSUSE (Chromium and firefox), Oracle (firefox and kernel), Red Hat (chromium-browser, firefox, java-1.6.0-sun, java-1.7.0-oracle, and java-1.8.0-oracle), SUSE (dom4j, exempi, mercurial, ntp, python-cryptography, tiff, tomcat, and webkit2gtk3), and Ubuntu (audiofile and firefox).
[$] LWN.net Weekly Edition for October 25, 2018
The LWN.net Weekly Edition for October 25, 2018 is available.
[$] Picking a governance model for Python
The Python language project has been officially "leaderless" since the mid-July announcement that Guido van Rossum was stepping down. He is, of course, the founder of the language and had served for more than two decades as its Benevolent Dictator for Life (BDFL). But he did not appoint a successor and left it up to the project's core developers to come up with a new governance structure. In the three months since, a great deal of work has gone into that effort, which has to bootstrap itself since there was not even any mechanism to choose how to select a new governance model.
[$] Replacement of deprecated kernel APIs
The kernel community tries to never change the user-space API in ways that will break applications, but it explicitly allows any internal API to be changed at any time if a solid technical reason to do so exists. But that doesn't mean that such changes are easy to do. At the 2018 Kernel Maintainers Summit, Kees Cook led a discussion on the challenges he has encountered when trying to effect large-scale API changes and what might be done to make such changes go more smoothly.
Security updates for Wednesday
Security updates have been issued by Fedora (hesiod, lighttpd, and opencc), openSUSE (apache-pdfbox, net-snmp, pam_pkcs11, rpm, tiff, udisks2, and wireshark), SUSE (dhcp, ghostscript-library, ImageMagick, libraw, net-snmp, ntp, postgresql96, rust, tiff, xen, and zziplib), and Ubuntu (mysql-5.5, mysql-5.7).
[$] Making stable kernels more stable
Improving the quality of stable kernel releases is a perennial subject at the Kernel and Maintainers Summit events, and this year was no exception. This session, led by Fedora kernel maintainer Laura Abbott, discussed a range of ideas but found no silver bullets. There is, it seems, not much that can be done to create better stable kernels except to perform more and better testing.
Firefox 63 blocks tracking cookies, offers a VPN when you need one (Ars Technica)
Ars Technica takes a look at the Enhanced Tracking Protection (ETP) feature in Firefox 63. "Firefox has long had the ability to block all third-party cookies, but this is a crude solution, and many sites will break if all third-party cookies are prohibited. The new ETP option works as a more selective block on tracking cookies; third-party cookies still work in general, but those that are known to belong to tracking companies are blocked. For the most part, sites will retain their full functionality, just without undermining privacy at the same time. At least for now, however, Mozilla is defaulting this feature to off, so the company can get a better idea of the impact it has on the Web. In testing, the company has found the occasional site that breaks when tracking cookies are blocked. Over the next few months, Firefox developers will get a better picture of just how much breaks, and, if it's not too severe, the plan is to block trackers by default starting in early 2019." The article also mentions a second privacy-related feature: the offer of a subscription to the ProtonVPN service. The Firefox 63 release notes contain other details.
Security updates for Tuesday
Security updates have been issued by CentOS (java-1.8.0-openjdk), Fedora (mosquitto), openSUSE (binutils, clamav, exiv2, fuse, haproxy, singularity, and zziplib), Slackware (firefox), SUSE (apache-pdfbox, net-snmp, pam_pkcs11, postgresql94, rpm, tiff, and wireshark), and Ubuntu (kernel, libssh, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-aws, net-snmp, paramiko, requests, and texlive-bin).
Linux Foundation Technical Advisory Board election call for nominations
The Linux Foundation's Technical Advisory Board is chosen by a vote at the Kernel Summit each year; this year, that will happen during the Linux Plumbers Conference in November. The call for nominations to the board has gone out; it remains open until the voting happens. "The TAB advises the Foundation on kernel-related matters, helps member companies learn to work with the community, and works to resolve community-related problems before they get out of hand. We're also working with kernel maintainers to help refine the new code of conduct, and serving as the initial point of contact for code of conduct issues."
[$] The code of conduct at the Maintainers Summit
The 2018 Kernel Maintainers Summit convened in Edinburgh, UK on October 22 with a number of things to discuss, but the top subject on most minds was the recently (and hastily) adopted code of conduct. Linus Torvalds made his reentry into the kernel community with a discussion of how we got to the current state of affairs, and the assembled maintainers had a relatively good-natured discussion on how this situation came about and where things can be expected to go from here.
How to do Samba: Nicely
The Samba team has announced a set of guidelines for the project. "Please note this is not a "Code of Conduct" as such, but a set of advisory guidelines we'd like people to follow, with a way for people (privately if they prefer) to raise issues if they see them. I hope everyone will find this document acceptable as a way for us to agree on how we want our community to be a welcoming one for all members."
Announcing the GNU Kind Communication Guidelines
Richard Stallman has released an initial version of the GNU Kind Communications Guidelines, and asks all GNU contributors to make their best efforts to follow these guidelines in GNU Project discussions. "The idea of the GNU Kind Communication Guidelines is to start guiding people towards kinder communication at a point well before one would even think of saying, "You are breaking the rules." The way we do this, rather than ordering people to be kind or else, is try to help people learn to make their communication more kind. I hope that kind communication guidelines will provide a kinder and less strict way of leading a project's discussions to be calmer, more welcoming to all participants of good will, and more effective."
Security updates for Monday
Security updates have been issued by Arch Linux (thunderbird), Debian (drupal7, exiv2, and ghostscript), Fedora (apache-commons-compress, git, libssh, and patch), Mageia (389-ds-base, calibre, clamav, docker, ghostscript, glib2.0, libtiff, mgetty, php-smarty, rust, tcpflow, and vlc), openSUSE (Chromium, icinga, and libssh), and SUSE (clamav, fuse, GraphicsMagick, haproxy, libssh, thunderbird, tomcat, udisks2, and Xerces-c).
The 4.19 kernel is out
Greg Kroah-Hartman has released the 4.19 kernel. Headline features in this release include the new AIO-based polling interface, L1TF vulnerability mitigations, the block I/O latency controller, time-based packet transmission, the CAKE queuing discipline, and much more. "And with that, Linus, I'm handing the kernel tree back to you. You can have the joy of dealing with the merge window".
Some kernel code-of-conduct refinements
Greg Kroah-Hartman has posted a series of patches making some changes around the newly adopted code of conduct. In particular, it adds a new document describing how the code is to be interpreted in the kernel community. "I originally sent the first two patches in this series to a lot of kernel developers privately, to get their review and comments and see if they wanted to ack them. This is the traditional way we have always done for policy documents or other 'contentious' issues like the GPLv3 statement or the 'closed kernel modules are bad' statement. Due to the very unexpected way that the original Code of Conduct file was added to the tree, a number of developers asked if this series could also be posted publicly before they were merged, and so, here they are."
Four new stable kernels
A new set of stable kernels is now available: 4.18.16, 4.14.78, 4.9.135, and 4.4.162. As usual, there are important fixes contained therein; users should upgrade.
cairo release 1.16.0 now available
After four years of development since 1.14.0, version 1.16.0 of the cairo 2D graphics library has been released. "Of particular note is a wealth of work by Adrian Johnson to enhance PDF functionality, including restoring support for MacOSX 10.4, metadata, hyperlinks, and more. Much attention also went into fonts, including new colored emoji glyph support, variable fonts, and fixes for various font idiosyncrasies. Other noteworthy changes include GLESv3 support for the cairo_gl backend, tracking of SVG units in generated SVG documents, and cleanups for numerous test failures and related issues in the PDF and Postscript backends." More information can be found in the change log.
OpenSSH 7.9 released
The OpenSSH 7.9 release is out. It (finally) allows the use of symbolic service names rather than port numbers, adds support for sending signals over the SSH protocol, bans the use of DSA keys for certificate authorities, and more.
Security updates for Friday
Security updates have been issued by Debian (drupal7 and libssh), openSUSE (binutils, ImageMagick, and java-11-openjdk), Oracle (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk), and SUSE (apache2, bash, binutils, clamav, curl, dovecot22, firefox, ghostscript, git, glibc, gnutls, gpg2, icu, java-1_7_0-openjdk, java-1_7_1-ibm, java-1_8_0-ibm, java-1_8_0-openjdk, kernel, kernel-firmware, libvirt, libzypp, zypper, mariadb, nagios, ntp, openslp, openssh, openssl, perl, postgresql10, qemu, qpdf, samba, shadow, smt, yast2-smt, ucode-intel, wireshark, xen, yast2-smt, and zziplib).
OpenBSD 6.4
OpenBSD 6.4 has been released. This release features improved hardware support, adding a number of new drivers. Notable security improvements include the new unveil() system call to restrict file system access.
Ubuntu 18.10 (Cosmic Cuttlefish) released
Ubuntu has announced the release of its latest version, 18.10 (or "Cosmic Cuttlefish"). It has lots of updated packages and such, and is available in both a desktop and server version; there are also multiple flavors that were released as well. More information can be found in the release notes. "The Ubuntu kernel has been updated to the 4.18 based Linux kernel, our default toolchain has moved to gcc 8.2 with glibc 2.28, and we've also updated to openssl 1.1.1 and gnutls 3.6.4 with TLS1.3 support. Ubuntu Desktop 18.04 LTS brings a fresh look with the community-driven Yaru theme replacing our long-serving Ambiance and Radiance themes. We are shipping the latest GNOME 3.30, Firefox 63, LibreOffice 6.1.2, and many others. Ubuntu Server 18.10 includes the Rocky release of OpenStack including the clustering enabled LXD 3.0, new network configuration via netplan.io, and iteration on the next-generation fast server installer. Ubuntu Server brings major updates to industry standard packages available on private clouds, public clouds, containers or bare metal in your datacentre."
PostgreSQL 11 released
The PostgreSQL 11 release is out. "PostgreSQL 11 provides users with improvements to overall performance of the database system, with specific enhancements associated with very large databases and high computational workloads. Further, PostgreSQL 11 makes significant improvements to the table partitioning system, adds support for stored procedures capable of transaction management, improves query parallelism and adds parallelized data definition capabilities, and introduces just-in-time (JIT) compilation for accelerating the execution of expressions in queries." See this article for a detailed overview of what is in this release.
[$] Making the GPL more scary
For some years now, one has not had to look far to find articles proclaiming the demise of the GNU General Public License. That license, we are told, is too frightening for many businesses, which prefer to use software under the far weaker permissive class of license. But there is a business model that is based on the allegedly scary nature of the GPL, and there are those who would like to make it more lucrative; the only problem is that the GPL isn't quite scary enough yet.
Stable kernels 4.18.15, 4.14.77, and 4.9.134
Greg Kroah-Hartman has announced the release of the 4.18.15, 4.14.77, and 4.9.134 stable kernels. As usual, there are important fixes throughout the tree and users should upgrade.
Security updates for Thursday
Security updates have been issued by Arch Linux (chromium, libssh, and net-snmp), Debian (libssh and xen), Fedora (audiofile), openSUSE (axis, GraphicsMagick, ImageMagick, kernel, libssh, samba, and texlive), Oracle (java-1.8.0-openjdk), Red Hat (java-1.8.0-openjdk, rh-nodejs6-nodejs, and rh-nodejs8-nodejs), SUSE (binutils and fuse), and Ubuntu (paramiko).
[$] LWN.net Weekly Edition for October 18, 2018
The LWN.net Weekly Edition for October 18, 2018 is available.
[$] A new direction for i965
Graphical applications are always pushing the limits of what the hardware can do and recent developments in the graphics world have caused Intel to rethink its 3D graphics driver. In particular, the lower CPU overhead that the Vulkan driver on Intel hardware can provide is becoming more attractive for OpenGL as well. At the 2018 X.Org Developers Conference Kenneth Graunke talked about an experimental re-architecting of the i965 driver using Gallium3D, a development that came as something of a surprise to many, including him.
Pakistan causes YouTube outage for two-thirds of world (ABC)
ABC News has the story on why YouTube went down; it's a good example of just how robust the Internet is (or isn't) anymore. "An Internet expert explained that Sunday's problems arose when a Pakistani telecommunications company accidentally identified itself to Internet computers as the world's fastest route to YouTube. But instead of serving up videos of skateboarding dogs, it sent the traffic into oblivion. On Friday, the Pakistan Telecommunication Authority ordered 70 Internet service providers to block access to YouTube.com, because of anti-Islamic movies on the video-sharing site, which is owned by Google."
[$] Secure key handling using the TPM
Trusted Computing has not had the best reputation over the years (Richard Stallman dubbing it "Treacherous Computing" probably hasn't helped), though those fears of taking away users' control of their computers have not proven to be founded, at least yet. But the Trusted Platform Module, or TPM, inside your computer can do more than just potentially enable lockdown. In our second report from Kernel Recipes 2018, we look at a talk from James Bottomley about how the TPM works, how to talk to it, and how he's using it to improve his key handling.
Security updates for Wednesday
Security updates have been issued by CentOS (tomcat), Debian (asterisk, graphicsmagick, and libpdfbox-java), openSUSE (apache2 and git), Oracle (tomcat), Red Hat (kernel and Satellite 6.4), Slackware (libssh), SUSE (binutils, ImageMagick, and libssh), and Ubuntu (clamav, libssh, moin, and paramiko).
[$] A farewell to email
The free-software community was built on email, a distributed technology that allows people worldwide to communicate regardless of their particular software environment. While email remains at the core of many projects' workflow, others are increasingly trying to move away from it. A couple of recent examples show what is driving this move and where it may be headed.
Bro becomes Zeek
The Bro network security monitoring project has announced a name change to "Zeek". "On the Leadership Team of the Bro Project, we heard clear concerns from the Bro community that the name 'Bro' has taken on strongly negative connotations, such as 'Bro culture'. These send a sharp, anti-inclusive - and wholly unintended and undesirable - message to those who might use Bro. The problems were significant enough that during BroCon community sessions, several people have mentioned substantial difficulties in getting their upper management to even consider using open-source software with such a seemingly ill-chosen, off-putting name."
SFLC: Automotive Software Governance and Copyleft
The Software Freedom Law Center has announced the availability of a whitepaper [PDF] about automotive software and copyleft, written by Mark Shuttleworth and Eben Moglen. At its core, it's an advertisement for Ubuntu and Snap, but it does look at some of the issues involved. "The fine grain of interface access rights provided by the snapd governance agent can thus provide further isolation and security when it is running user-modified code, guaranteed under the snap packaging paradigm to cause no other program code to be modified, to break, or to perform differently because of the presence of the user-modified program. Such a structure of modification permission can be operated by the OEM consistent with the requirements of GPLv3. The OEM can publish an authenticated record of the installation permission issued, indexed by the Vehicle Identification Number, without publishing the car owner's personal information, so that public and private parties can be assured that no surreptitious modification of vehicle software occurs."
Security updates for Tuesday
Security updates have been issued by CentOS (ghostscript and spamassassin), Debian (moin, spice, and tomcat8), Fedora (kernel-headers, kernel-tools, and libgit2), Oracle (ghostscript and tomcat), Red Hat (ghostscript and tomcat), Scientific Linux (ghostscript and tomcat), SUSE (git, kernel, python, and samba), and Ubuntu (net-snmp and thunderbird).
[$] Fighting Spectre with cache flushes
One of the more difficult aspects of the Spectre hardware vulnerability is finding all of the locations in the code that might be exploitable. There are many locations that look vulnerable that aren't, and others that are exploitable without being obvious. It has long been clear that finding all of the exploitable spots is a long-term task, and keeping new ones from being introduced will not be easy. But there may be a simple technique that can block a large subset of the possible exploits with a minimal cost.
Security updates for Monday
Security updates have been issued by Arch Linux (wireshark-cli), Debian (imagemagick, otrs2, tomcat7, and wireshark), Fedora (ca-certificates, dislocker, dolphin-emu, kernel-headers, kernel-tools, libgit2, mbedtls, mingw-openjpeg2, nekovm, openjpeg2, patch, strongswan, and thunderbird), Mageia (firefox, git, nextcloud, and texlive), Oracle (kernel and openssl), Scientific Linux (spamassassin), SUSE (libtirpc), and Ubuntu (requests).
Kernel prepatch 4.19-rc8
As expected, the 4.19 development cycle has gone to 4.19-rc8. "Please go and test and ensure that all works well for you. Hopefully this should be the last -rc release."
A pile of weekend stable kernel updates
The 4.18.14, 4.14.76, 4.9.133, 4.4.161, and 3.18.124 stable kernels have all been released; each contains another pile of important fixes and updates.
[$] I/O scheduling for single-queue devices
Block I/O performance can be one of the determining factors for the performance of a system as a whole, especially on systems with slower drives. The need to optimize I/O patterns has led to the development of a long series of I/O schedulers over the years; one of the most recent of those is BFQ, which was merged during the 4.12 development cycle. BFQ incorporates an impressive set of heuristics designed to improve interactive performance, but it has, thus far, seen relatively little uptake in deployed systems. An attempt to make BFQ the default I/O scheduler for some types of storage devices has raised some interesting questions, though, on how such decisions should be made.