Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-11-25 09:30
[$] Saving birds with technology
Two members of the Cacophony Project came to linux.conf.au 2019 to give an overview of what the project is doing to increase the amount of bird life in New Zealand. The idea is to use computer vision and machine learning to identify and eventually eliminate predators in order to help bird populations; one measure of success will be the volume and variety of bird song throughout the islands. The endemic avian species in New Zealand evolved without the presence of predatory mammals, so many of them have been decimated by the predation of birds and their eggs. The Cacophony Project is looking at ways to reverse that.
Security updates for Wednesday
Security updates have been issued by Debian (dovecot and libav), openSUSE (kernel and krb5), Scientific Linux (thunderbird), SUSE (curl, lua53, python3, and spice), and Ubuntu (dovecot).
[$] Mozilla's initiatives for non-creepy deep learning
Jack Moffitt started off his 2019 linux.conf.au talk by calling attention to Facebook's "Portal" device. It is, he said, a cool product, but raises an important question: why would anybody in their right mind put a surveillance device made by Facebook in their kitchen? There are a lot of devices out there — including the Portal — using deep-learning techniques; they offer useful functionality, but also bring a lot of problems. We as a community need to figure out a way to solve those problems; he was there to highlight a set of Mozilla projects working toward that goal.
[$] Fixing page-cache side channels, second attempt
The kernel's page cache, which holds copies of data stored in filesystems, is crucial to the performance of the system as a whole. But, as has recently been demonstrated, it can also be exploited to learn about what other users in the system are doing and extract information that should be kept secret. In January, the behavior of the mincore() system call was changed in an attempt to close this vulnerability, but that solution was shown to break existing applications while not fully solving the problem. A better solution will have to wait for the 5.1 development cycle, but the shape of the proposed changes has started to come into focus.
Security updates for Tuesday
Security updates have been issued by Debian (libgd2), Fedora (java-11-openjdk, kernel, and kernel-headers), openSUSE (firefox, mysql-community-server, and pdns-recursor), Oracle (thunderbird), Red Hat (rh-haproxy18-haproxy, systemd, and thunderbird), SUSE (haproxy, spice, and uriparser), and Ubuntu (dovecot, kernel, linux, linux-aws, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-raspi2, linux-hwe, linux-aws-hwe, linux-gcp, linux-lts-trusty, and linux-lts-xenial, linux-aws).
[$] Python elects a steering council
After a two-week voting period, which followed a two-week nomination window, Python now has its governance back in place—with a familiar name in the mix. As specified in PEP 13 ("Python Language Governance"), five nominees were elected to the steering council, which will govern the language moving forward. It may come as a surprise to some that Guido van Rossum, whose resignation as benevolent dictator for life (BDFL) led to the need for a new governance model and, ultimately, to the vote for a council, was one of the 17 candidates. It is perhaps much less surprising that he was elected to share the duties he once wielded solo.
Results of the first Python Steering Council election
The governance model adopted by the Python community after Guido van Rossum stepped down included the election of a Steering Council. The first such election has just concluded; the council will be made up of Barry Warsaw, Brett Cannon, Carol Willing, Guido van Rossum, and Nick Coghlan.
Security updates for Monday
Security updates have been issued by CentOS (bind, firefox, GNOME, kernel, systemd, and thunderbird), Debian (debian-security-support, drupal7, libreoffice, libvncserver, phpmyadmin, and rssh), Fedora (binutils and firefox), Mageia (firefox and netatalk), openSUSE (avahi and python-paramiko), Red Hat (Red Hat Gluster Storage Web Administration), Slackware (mariadb), and SUSE (java-11-openjdk, kernel, and python).
Kernel prepatch 5.0-rc5
The 5.0-rc5 kernel prepatch is out. "Nothing looks particularly worrisome, so assuming the trend holds, we look to be on track for a fairly normal release cycle despite the early hiccups due to the holidays."
[$] Rusty's reminiscences
Rusty Russell was one of the first developers paid to work on the Linux kernel and the founder of the conference now known as linux.conf.au (LCA); he is one of the most highly respected figures in the Australian free-software community. The 2019 LCA was the 20th edition of this long-lived event; the organizers felt that it was an appropriate time to invite Russell to deliver the closing keynote talk. He used the opportunity to review his path into free software and the creation of LCA, but first a change of clothing was required.
The GNU C Library version 2.29 is now available
Version 2.29 of the GNU C library (glibc) is now available. It includes a wrapper for the getcpu() system call, optimized generic versions of multiple math functions (e.g. exp(), log2(), sinf()), new functions to allow posix_spawn() to run the new process in a different directory, and more.
Security updates for Friday
Security updates have been issued by Debian (agg, golang-1.7, golang-1.8, mariadb-10.0, and postgis), Fedora (kernel, kernel-headers, and kernel-tools), Mageia (gitolite and libvorbis), openSUSE (pdns-recursor and webkit2gtk3), Oracle (firefox, ghostscript, kernel, polkit, spice, and spice-server), Red Hat (etcd, ghostscript, polkit, spice, and spice-server), Scientific Linux (ghostscript, polkit, spice, and spice-server), SUSE (python3), and Ubuntu (libvncserver).
Four new stable kernels
Greg Kroah-Hartman has released the 4.20.6, 4.19.19, 4.14.97, and 4.9.154. These kernels contain important fixes throughout the kernel tree; users should upgrade.
Security updates for Thursday
Security updates have been issued by Arch Linux (ghostscript), Debian (firefox-esr, libgd2, libvncserver, php-pear, rssh, and spice), Fedora (docker, docker-latest, firefox, moodle, and wireshark), Mageia (bluez, ghostscript, php-tcpdf, phpmyadmin, virtualbox, and zeromq), openSUSE (ghostscript), Red Hat (firefox), Scientific Linux (firefox), Slackware (kernel), and Ubuntu (avahi, firefox, and openjdk-8, openjdk-lts).
[$] LWN.net Weekly Edition for January 31, 2019
The LWN.net Weekly Edition for January 31, 2019 is available.
[$] Design for security
Serena Chen began her talk in the Security, Identity & Privacy miniconf at linux.conf.au 2019 with a plan to dispel a pervasive myth that "usability and security are mutually exclusive". She hoped that by the end of her talk, she could convince the audience that the opposite is true: good user experience design and good security cannot exist without each other. It makes sense, she said, because a secure system must be reliable and controllable, which means it must be usable, while a usable system must be less confusing, thus it is more secure.
Alpine Linux 3.9.0 Released
Alpine Linux 3.9 has been released. This version features support for armv7, a switch from LibreSSL to OpenSSL, improved GRUB support, and more.
[$] An open-source artificial pancreas
Dana Lewis said that her keynote at linux.conf.au 2019 would be about her journey of learning about open source and how it could be applied in the healthcare world. She hoped it might lead some attendees to use their talents on solutions for healthcare. Her efforts and those of others in the community have led to a much better quality of life for a number of those who suffer from a chronic, time-consuming disease.
Security updates for Wednesday
Security updates have been issued by Arch Linux (subversion), Debian (apache2, firefox-esr, qemu, rssh, and spice), Fedora (lua, mingw-python-qt5, mingw-qt5-qt3d, mingw-qt5-qtactiveqt, mingw-qt5-qtbase, mingw-qt5-qtcharts, mingw-qt5-qtdeclarative, mingw-qt5-qtgraphicaleffects, mingw-qt5-qtimageformats, mingw-qt5-qtlocation, mingw-qt5-qtmultimedia, mingw-qt5-qtquickcontrols, mingw-qt5-qtscript, mingw-qt5-qtsensors, mingw-qt5-qtserialport, mingw-qt5-qtsvg, mingw-qt5-qttools, mingw-qt5-qttranslations, mingw-qt5-qtwebkit, mingw-qt5-qtwebsockets, mingw-qt5-qtwinextras, mingw-qt5-qtxmlpatterns, mingw-sip, nagios, and radvd), Oracle (bind, kernel, and systemd), Red Hat (bind, kernel, kernel-alt, kernel-rt, and systemd), Scientific Linux (bind, kernel, and systemd), Slackware (mozilla), SUSE (kernel, openssl-1_1, and subversion), and Ubuntu (openvswitch).
Kodi 18 is here
The Kodi team has announced the release of Kodi 18.0 "Leia". "One of the big features of this release: support for gaming emulators, ROMs and controls. This is a significant topic in its own right, so look out for future posts on this, but suffice it to say at this time that you now have a whole world of retro gaming at your fingertips, all from the same interface as your movies, music and TV shows. For the genuine experience as well, we've also introduced support for joysticks, gamepads, and other platform-specific controls, so the games will work just as was intended."
Firefox 65.0 released
Firefox 65.0 is out. The release notes list a few new features, including: "Enhanced tracking protection: Simplified content blocking settings give users standard, strict, and custom options to control online trackers. A redesigned content blocking section in the site information panel (viewed by expanding the small “i” icon in the address bar) shows what Firefox detects and blocks on each website you visit."
Security updates for Tuesday
Security updates have been issued by Arch Linux (go-pie), Debian (wireshark), openSUSE (freerdp, libraw, openssh, pdns-recursor, singularity, and systemd), and Ubuntu (kernel, linux-hwe, and spice).
[$] Systemd as tragedy
Tragedy, according to Wikipedia, is "a form of drama based on human suffering that invokes an accompanying catharsis or pleasure in audiences". Benno Rice took his inspiration from that definition for his 2019 linux.conf.au talk on the story of systemd which, he said, involves no shortage of suffering. His attempt to cast that story for the pleasure of his audience resulted in a sympathetic and nuanced look at a turbulent chapter in the history of the Linux system.
Security updates for Monday
Security updates have been issued by Arch Linux (apache, go, haproxy, matrix-synapse, nasm, and powerdns-recursor), Debian (coturn, ghostscript, krb5, policykit-1, and qtbase-opensource-src), Fedora (wireshark), openSUSE (nodejs4, nodejs8, openssh, PackageKit, and wireshark), Oracle (qemu and thunderbird), Scientific Linux (thunderbird), and SUSE (avahi, krb5, and python-paramiko).
Kernel prepatch 5.0-rc4
The 5.0-rc4 kernel prepatch is out. "Go test and report any oddities you can find, but I think we're doing fine."
Bison 3.3 released
Version 3.3 of the Bison parser generator is out. "The new option --update replaces deprecated features with their modern spelling, but also applies fixes such as eliminating duplicate directives, etc. It is now possible to annotate rules with their number of expected conflicts. Bison can be made relocatable. The symbol declaration syntax was overhauled, and in particular, %nterm, that exists since the origins of Bison, is now an officially supported (and documented!) feature. C++ parsers now feature genuine symbol constructors, and use noexcept/constexpr. The GLR parsers in C++ now support the syntax_error exceptions. There are also many smaller improvements, including a fix for a bug which is at least 31 years old."
A set of stable kernels for the weekend
Stable kernels 4.20.5, 4.19.18, 4.14.96, 4.9.153, 4.4.172, and 3.18.133 have been released. They all contain important fixes and users should upgrade.
[$] Snowpatch: continuous-integration testing for the kernel
Many projects use continuous-integration (CI) testing to improve the quality of the software they produce. By running a set of tests after every commit, CI systems can identify problems quickly, before they find their way into a release and bite unsuspecting users. The Linux kernel project lags many others in its use of CI testing for a number of reasons, including a fundamental mismatch with how kernel developers tend to manage their workflows. At linux.conf.au 2019, Russell Currey described a CI system called Snowpatch that, he hopes, will bridge the gap and bring better testing to the kernel development process.
MythTV 30.0 released
The MythTV Team has announced the release of MythTV 30.0. The release notes contain more information. This version includes support for mythfrontend running on certain Android TV devices. "Over 500 commits made significant improvements to the infrastructure. For the most part, these are invisible to end users."
Security updates for Friday
Security updates have been issued by Debian (mxml, postgresql-9.4, and tmpreaper), Fedora (haproxy and runc), openSUSE (krb5, soundtouch, virtualbox, and zeromq), Oracle (thunderbird), Red Hat (thunderbird), and Ubuntu (subversion and thunderbird).
[$] Changing the world with better documentation
Rory Aronson started his 2019 linux.conf.au keynote with a statement that gardening just isn't his passion; an early attempt degenerated into a weed-choked mess when he couldn't be bothered to keep it up. But he turned out to be passionate indeed about building a machine that would do the gardening for him. That led to the FarmBot project, a successful exercise in the creation of open hardware, open software, and an open business. A big part of that success, it turns out, lies in the project's documentation.
Debian 9.7 released
The Debian Project has announced an update to Debian 9 "stretch". "This point release incorporates the recent security update for APT, in order to help ensure that new installations of stretch are not vulnerable. No other updates are included."
Security updates for Thursday
Security updates have been issued by CentOS (perl), Fedora (anaconda, curl, and poppler), openSUSE (ntpsec), SUSE (ghostscript, kernel, rubygem-activejob-4_2, and webkit2gtk3), and Ubuntu (ghostscript and mysql-5.7).
[$] LWN.net Weekly Edition for January 24, 2019
The LWN.net Weekly Edition for January 24, 2019 is available.
Cox: Our Software Dependency Problem
Here is an extensive look at handling software dependencies from Russ Cox. "Dependency managers have scaled this open-source code reuse model down: now, developers can share code at the granularity of individual functions of tens of lines. This is a major technical accomplishment. There are myriad available packages, and writing code can involve such a large number of them, but the commercial, legal, and reputational support mechanisms for trusting the code have not carried over. We are trusting more code with less justification for doing so."
[$] A DNS flag day
A flag day for DNS is coming on February 1; it may have escaped notice even though it has been planned for nearly a year. Some DNS servers will simply be marked as "dead" by much of the rest of the internet on or after that day, which means that domain owners need to ensure their DNS records will still be available after that point. A longstanding workaround for non-compliant servers will be dropped—mostly for better performance but also in support of DNS extensions, some of which can help alleviate security problems.
[$] The RCU API, 2019 edition
Read-copy update (RCU) is a synchronization mechanism that was added to the Linux kernel in October 2002. RCU is most frequently described as a replacement for reader-writer locking, but has also been used in a number of other ways. RCU is notable in that readers do not directly synchronize with updaters, which makes RCU read paths extremely fast; that also permits RCU readers to accomplish useful work even when running concurrently with updaters. Although the basic idea behind RCU has not changed in decades following its introduction into DYNIX/ptx, the API has evolved significantly over the five years since the 2014 edition of the RCU API, to say nothing of the nine years since the 2010 edition of the RCU API.
Justicz: Remote Code Execution in apt/apt-get
Max Justicz describes a vulnerability in apt-get and how to prevent it. "I found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package. The bug has been fixed in the latest versions of apt. If you’re worried about being exploited during the update process, you can protect yourself by disabling HTTP redirects while you update."
Wine 4.0 released
Version 4.0 of the Wine Windows compatibility layer is out. "This release represents a year of development effort and over 6,000 individual changes" New features include initial Direct3D 12 support, a Vulkan graphics driver, support for high-DPI displays (but only on Android) and more; see the release notes for details.
Stable kernel updates
Stable kernels 4.20.4, 4.19.17, 4.14.95, and 4.9.152 have been released. They all contain important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (libjpeg-turbo and systemd), Fedora (matrix-synapse, mingw-libjpeg-turbo, and mingw-libvorbis), Mageia (libcaca, libmp4v2, libxml2, pdns-recursor, perl-Email-Address, php-pear-HTML_QuickForm, podofo, and wavpack), openSUSE (webkit2gtk3), Red Hat (qemu-kvm-rhev), Scientific Linux (perl), Slackware (httpd), and Ubuntu (ntp).
Security updates for Tuesday
Security updates have been issued by Debian (apt and aria2), Fedora (kernel-headers, kernel-tools, and openssh), openSUSE (webkit2gtk3), Oracle (perl), Red Hat (perl), SUSE (freerdp, python-urllib3, systemd, and wireshark), and Ubuntu (apt, poppler, and tiff).
[$] Persistent memory for transient data
Arguably, the most notable characteristic of persistent memory is that it is persistent: it retains its contents over power cycles. One other important aspect of these persistent-memory arrays that, we are told, will soon be everywhere, is their sheer size and low cost; persistent memory is a relatively inexpensive way to attach large amounts of memory to a system. Large, cheap memory arrays seem likely to be attractive to users who may not care about persistence and who can live with slower access speeds. Supporting such users is the objective of a pair of patch sets that have been circulating in recent months.
Kernel prepatch 5.0-rc3
The 5.0-rc3 kernel prepatch has been released. "This rc is a bit bigger than usual. Partly because I missed a networking pull request for rc2, and as a result rc3 now contains _two_ networking pull updates. But part of it may also just be that it took a while for people to find and then fix bugs after the holiday season."
Security updates for Monday
Security updates have been issued by Fedora (gitolite3, gvfs, php, radare2, and syslog-ng), Mageia (libssh, php, python-django16, and rdesktop), openSUSE (podofo), and SUSE (libraw, openssh, PackageKit, and wireshark).
[$] A proposed API for full-memory encryption
Hardware memory encryption is, or will soon be, available on multiple generic CPUs. In its absence, data is stored — and passes between the memory chips and the processor — in the clear. Attackers may be able to access it by using hardware probes or by directly accessing the chips, which is especially problematic with persistent memory. One new memory-encryption offering is Intel's Multi-Key Total Memory Encryption (MKTME) [PDF]; AMD's equivalent is called Secure Encrypted Virtualization (SEV). The implementation of support for this feature is in progress for the Linux kernel. Recently, Alison Schofield proposed a user-space API for MKTME, provoking a long discussion on how memory encryption should be exposed to the user, if at all.
Security updates for Friday
Security updates have been issued by Debian (drupal7), Fedora (electrum and perl-Email-Address), Mageia (gthumb), openSUSE (gitolite, kernel, krb5, libunwind, LibVNCServer, live555, mutt, wget, and zeromq), SUSE (krb5, mariadb, nodejs4, nodejs8, soundtouch, and zeromq), and Ubuntu (irssi).
[$] Defending against page-cache attacks
The kernel's page cache works to improve performance by minimizing disk I/O and increasing the sharing of physical memory. But, like other performance-enhancing techniques that involve resources shared across security boundaries, the page cache can be abused as a way to extract information that should be kept secret. A recent paper [PDF] by Daniel Gruss and colleagues showed how the page cache can be targeted for a number of different attacks, leading to an abrupt change in how the mincore() system call works at the end of the 5.0 merge window. But subsequent discussion has made it clear that mincore() is just the tip of the iceberg; it is unclear what will really need to be done to protect a system against page-cache attacks or what the performance cost might be.
Stable kernel updates
Stable kernels 4.20.3, 4.19.16, 4.14.94, 4.9.151, and 4.4.171 have been released. They all contain important fixes and users should upgrade.
Security updates for Thursday
Security updates have been issued by CentOS (libvncserver), Debian (sssd), Fedora (kernel and kernel-headers), Red Hat (ansible, openvswitch, pyOpenSSL, python-django, and redis), and Ubuntu (policykit-1).