LWN.net

A "joke" in the glibc manual—targeting a topic that is, at best,sensitive—has come up for discussion on the glibc-alpha mailing listagain. When we looked at the controversyin May, Richard Stallman had put his foot down and a patch removing thejoke—though opinions of its amusement value vary—was reverted. Shortlyafter that article was published, a "cool down period" wasrequested(and honored), but that time has expired. Other developments inthe GNU project have given some reason to believe that the time is ripe tofinally purge the joke, but that may not work out any better than the lastattempt.

<p>There is always at least a small risk when installing a package for adistribution. By its very nature, package installation is an invasiveprocess; some packages require the ability to make radical changes to thesystem—changes that users surely would not want other packages to takeadvantage of. Packages that are made available by distributions are vettedfor problems of this sort, though, of course, mistakes can be made.Third-party packages are an even bigger potential problem because they lackthis vetting, as was discussed in early October on the debian-devel mailinglist. Solutions in this area are not particularly easy, however.

Security updates have been issued by Arch Linux (ghostscript), Debian (curl), Fedora (curl, thunderbird, and zchunk), openSUSE (thunderbird), Oracle (389-ds-base, binutils, curl and nss-pem, glusterfs, gnutls, jasper, kernel, krb5, libcdio, libkdcraw, libmspack, libvirt, openssl, ovmf, python, samba, setup, sssd, wget, wpa_supplicant, xerces-c, zsh, and zziplib), Red Hat (xerces-c), SUSE (libarchive and systemd), and Ubuntu (ppp and spamassassin).

We looked atthe WireGuard virtual privatenetwork (VPN)back in August and noted that it is built on top of a newcryptographic API being developed for the kernel, which is calledZinc. There has been some controversy about Zinc and why a brand new API was needed when the kernel already has an extensive crypto API. A recenttalk by lead WireGuard developer Jason Donenfeld at Kernel Recipes 2018 would appear to be a serious attempt to reach out, engagewith that question, and explain the what, how, and why of Zinc.

Security updates have been issued by Debian (glusterfs, gthumb, and mysql-5.5), Red Hat (389-ds-base, kernel, and xerces-c), Slackware (mariadb), SUSE (accountsservice, curl, icinga, kernel, and opensc), and Ubuntu (libxkbcommon, openssh, and ruby1.9.1, ruby2.0, ruby2.3, ruby2.5).

At the end of the 4.20 merge window, 12,125 non-mergechangesets had been pulled into the mainline kernel repository; 6,390 camein since last week's summary was written.As is often the case, the latter part of the merge window contained alarger portion of cleanups and fixes, but there were a number of newfeatures in the mix as well.

Stable kernels 4.19.1, 4.18.17, and 4.14.79 have been released. As usual, there areimportant fixes and users should upgrade.

Security updates have been issued by Debian (curl, icecast2, mupdf, and ruby2.3), Fedora (lldpad, NetworkManager, python-django, roundcubemail, thunderbird, webkit2gtk3, xen, and xorg-x11-server), Mageia (axis, cimg, gmic, dnsmasq, gitolite, gnutls, java-1.8.0-openjdk, lighttpd, mbedtls, mediawiki, perl-Dancer2, python-cryptography, and virtualbox), Red Hat (openvswitch, Red Hat Virtualization, and thunderbird), SUSE (curl, ffmpeg, and soundtouch), and Ubuntu (network-manager and systemd).

Linus has released 4.20-rc1 and closed themerge window for this development cycle. "So I did debate calling it 5.0, but if we all help each other, I'msure we can count to 20. It's a nice round number, and I didn't wantto make a pattern of it. I think 5.0 happens next year, because then I*really* run out of fingers and toes."

The SpamAssassin 3.4.2 release was thefirst from that project in well over three years. At the 2018Open Source Summit Europe, Giovanni Bechis talked about that release and those thatwill be coming in the near future. It would seem that, after an extendedperiod of quiet, the SpamAssassin project is backand has rededicated itself to the task of keeping junk out of our inboxes.

On her blog, Máirín Duffy writes about her experiences helping design the "user experience" (UX) for the ChRIS project, which is an open-source effort aimed at medical imagery processing and distribution for hospitals and other facilities. "One of the driving reasons for ChRIS’ creation was to allow for hospitals to own and control their own data without needing to give it up to the industry. How do you apply the latest cloud-based rapid data processing technology without giving your data to one of the big cloud companies? ChRIS has been built to interface with cloud providers such as the Massachusetts Open Cloud that have consortium-based data governance that allow for users to control their own data.I want to emphasize the cloud-based computing piece here because it’s important – ChRIS allows you [to] run image processing tools at scale in the cloud, so elaborate image processing that typically days, weeks, or months to complete could be completed in minutes. For a patient, this could enable a huge positive shift in their care – rather than have to wait for days to get back results of an imaging procedure (like an MRI), they could be consulted by their doctor and make decisions about their care that day."

Security updates have been issued by Arch Linux (kernel and linux-lts), Debian (chromium-browser and mono), Oracle (firefox), and Ubuntu (curl).

Richard Fontana has a long history working with open-source licenses incommercial environments. He came to the 2018Open Source Summit Europe with a talk that, he said, had never beforebeen presented outside of "secret assemblies of lawyers"; it gave aninteresting view of licenses as resources that are shared within thecommunity and the risks that this shared nature may present. While ourlicenses have many good properties, including a de factostandardization role, those properties come with some unique and increasingrisks when it comes to litigation.

Over at the Collabora blog, Erik Faye-Lund writes about Zink, which is an effort to create an OpenGL driver on top of Vulkan that he has been working on with Dave Airlie. "One problem is that OpenGL is a big API with a lot of legacy stuff that has accumulated since its initial release in 1992. OpenGL is well-established as a requirement for applications and desktop compositors.But since the very successful release of Vulkan, we now have two main-stream APIs for essentially the same hardware functionality.It's not looking like neither OpenGL nor Vulkan is going away, and the software-world is now hard at work implementing Vulkan support everywhere, which is great. But this leads to complexity. So my hope is that we can simplify things here, by only require things like desktop compositors to support one API down the road. We're not there yet, though; not all hardware has a Vulkan-driver, and some older hardware can't even support it. But at some point in the not too far future, we'll probably get there.This means there might be a future where OpenGL's role could purely be one of legacy application compatibility. Perhaps Zink can help making that future a bit closer?"

Security updates have been issued by Debian (phpldapadmin, poppler, and tzdata), Fedora (firefox, java-11-openjdk, libarchive, sos-collector, and teeworlds), Scientific Linux (java-1.7.0-openjdk, python-paramiko, and thunderbird), Slackware (curl), and SUSE (kernel, MozillaFirefox, MozillaFirefox-branding-SLE, llvm4, mozilla-nspr, mozilla-nss, apache2-mod_nss, and wireshark).

The LWN.net Weekly Edition for November 1, 2018 is available.

The "systemd question" has roiled Debianmultiple times over the years, but things had mostly been quiet on thatfront of late. The Devuan distributionis a Debian derivative that has removed systemd; many of the vocalanti-systemd Debian developers have switched, which helps reduce thefriction on the Debian mailing lists. But that seems to have led tosupport for init system alternatives (and System V init in particular) tobitrot in Debian. There are signs that a bit of reconciliation betweenDebian and Devuan will help fix that problem.

The development of the web was a huge "sea change" in thehistory of the internet. The web is what brought the masses to thishuge worldwide network—for good or ill. It is unlikely that TimBerners-Lee foresaw all of that when he came up with HTTP and HTML as partof his work at CERN, but he has been in a prime spot to watch the webunfold since 1989. His latest project, Solid, is meant to allow users toclaim authority over the personal data that they provide to various internet giants.

Security updates have been issued by Arch Linux (gitlab), Debian (gnutls28), Fedora (audiofile, coreutils, firefox, hesiod, kernel, kernel-headers, kernel-tools, libssh, lighttpd, mosquitto, opencc, patch, php-horde-nag, sos-collector, strongswan, and thunderbird), Gentoo (libxkbcommon, mutt-1.10, postgresql, systemd, xen, and xorg-server), Mageia (curl, libtiff, samba, spamassassin, and unzip), Oracle (java-1.7.0-openjdk and python-paramiko), Red Hat (git, glusterfs, java-1.7.0-openjdk, libvirt, python-paramiko, qemu-kvm, thunderbird, and xorg-x11-server), SUSE (apache2, apache2-mod_nss, audiofile, libarchive, and ntfs-3g_ntfsprogs), and Ubuntu (curl, ghostscript, and openjdk-8, openjdk-lts).

Version 3.2 of the Bison parser generator is out. "Massive improvements were brought to the deterministic C++ skeleton,lalr1.cc. When variants are enabled and the compiler supports C++11 orbetter, move-only types can now be used for semantic values. C++98 supportis not deprecated."

Version 1.11.0 of the Subversion source-code management system is out.Changes include improvements to the shelving feature,better resolution of merge conflicts,an experimental checkpointing feature, and more; see therelease notes for details.

Red Hat has announcedthe release of Red Hat Enterprise Linux 7.6, "a consistent hybridcloud foundation for enterprise IT built on open source innovation. Red HatEnterprise Linux 7.6 is designed to enable organizations to better keeppace with emerging cloud-native technologies while still supporting stableIT operations across enterprise IT’s four footprints."

Security updates have been issued by CentOS (xorg-x11-server), Debian (xen), Red Hat (389-ds-base, binutils, curl and nss-pem, fuse, glibc, glusterfs, GNOME, gnutls, jasper, java-1.7.0-openjdk, kernel, kernel-alt, kernel-rt, krb5, libcdio, libkdcraw, libmspack, libreoffice, libvirt, openssl, ovmf, python, python-paramiko, qemu-kvm, qemu-kvm-ma, samba, setup, sssd, wget, wpa_supplicant, X.org X11, xerces-c, zsh, and zziplib), and SUSE (ardana-monasca, ardana-spark, kafka, kafka-kit, openstack-monasca-api, python, python-base, python-cryptography, python-Django, and qemu).

The Fedora 29release is available. "This release is particularly excitingbecause it’s the first to include the Fedora Modularity feature across allour different variants. Modularity lets us ship different versions ofpackages on the same Fedora base. This means you no longer need to makeyour whole OS upgrade decisions based on individual packageversions."

People searching for a hardened Linux distribution have a widerange to choose from: they can use one of the security-focused offerings, orthey can, with sufficient expertise, simply apply hardening patches andbuild everything to their taste. Suchsystems, of which Qubes OS is agood example, usually concentrate on the user's privacy. Recently, the French cybersecurity agency(ANSSI) released the source code for CLIP OS, its hardened operatingsystem based on Linux. CLIP OS has been in development for more than tenyears and, while sharing many elements with other hardened Linuxdistributions, this one is targeted to different needs: the focus is onproviding maximum isolation between confidentiality levels anddifferent users of the same system. As an illustration: theadministrator is not able to access other users' data.

Security updates have been issued by Arch Linux (xorg-server), Debian (graphicsmagick, libmspack, paramiko, ruby2.1, teeworlds, and tiff), Fedora (lldpad), Mageia (bitcoin, blueman, busybox, dhcp, exempi, firefox, kernel, kernel-linus, kernel-tmb, lilypond, ruby, and x11-server), openSUSE (audiofile, clamav, hostapd, ImageMagick, lcms2, libgit2, mercurial, net-snmp, and wpa_supplicant), SUSE (audiofile, binutils, kdelibs3, lcms2, mysql, openssh, and xen), and Ubuntu (mysql-5.5 and xorg-server, xorg-server-hwe-16.04).

Bloomberg is reportingthat IBM has agreed to acquire Red Hat for over $33 billion."International Business Machines Corp. will pay $190 a share in cashfor Raleigh, North Carolina-based Red Hat, according to a statement fromthe companies Sunday, confirming an earlier Bloomberg News report. That’s a63 percent premium over Red Hat’s closing price of $116.68 per share onFriday."

The kernel, in theory, puts strict limits on which functions and datastructures are available to loadable kernel modules; only those that havebeen explicitly exported with EXPORT_SYMBOL() orEXPORT_SYMBOL_GPL() are accessible. In the case ofEXPORT_SYMBOL_GPL(), only modules that declare a GPL-compatiblelicense will be able to see the symbol. There have been questions aboutwhen EXPORT_SYMBOL_GPL() should be used for almost as long as ithas existed. The latest attempt to answer those questions was a sessionrun by Greg Kroah-Hartman at the 2018 Kernel Maintainers Summit; thatsession offered little in the way of general guidance, but it did addressone specific case.

The kernel supports a wide range of hardware. Or, at least, the kernelcontains drivers for a lot of hardware, but the hardware for which many ofthose drivers was written is old and, perhaps, no longer in actual use.Some of those drivers would certainly no longer work even if the hardwarecould be found. These drivers provide no value, but they are still an ongoingmaintenance burden; it would be better to simply remove them from thekernel. But identifying which drivers can go is not as easy as one mightthink. Arnd Bergmann led an inconclusive session on this topic at the 2018Kernel Maintainers Summit.

Linus Torvalds has returned as the keeper of the mainline kernelrepository, and the merge window for the next release which, depending onhis mood, could becalled either 4.20 or 5.0, is well underway. As of this writing, 5,735non-merge changesets have been pulled for this release; experience suggeststhat we are thus at roughly the halfway point.

Security updates have been issued by Arch Linux (firefox), CentOS (firefox), Debian (389-ds-base, openjdk-8, thunderbird, and xorg-server), Fedora (firefox), openSUSE (GraphicsMagick, jhead, mysql-community-server, ntp, postgresql96, python-cryptography, rust, tomcat, webkit2gtk3, and zziplib), Scientific Linux (firefox), and SUSE (clamav, firefox, ImageMagick, libgit2, net-snmp, smt, wpa_supplicant, and xorg-x11-server).

It turn out that the X.org server, versions 1.19.0 and after, contain aneasily exploitable privilege escalation vulnerability. Anybody who isrunning a system that has X installed setuid root, and which has untrustedusers on it, will want to install the update. "X.Org recommends theuse of a display manager to start X sessions, which does not require Xorgto be installed setuid."

Jiri Kosina kicked off a session on hardware vulnerabilities at the 2018Kernel Maintainers Summit by noting that there are few complaints about howthe kernel community deals with security issues in general. That does nothold for Meltdown and Spectre which, he said, had been "completelymishandled". The subsequent handling of the L1TF vulnerability suggests that some lessonshave been learned, but there is still plenty of room for improvement in howhardware vulnerabilities are handled in general.

Cosmin Truta reportsthe death of Glenn Randers-Pehrson. "Glenn is one of the original designers of the PNG format, and aco-founder of the PNG Development Group, back in the mid-90's. He tookgood care of the PNG Specification, as a contributing author for PNGversion 1.0, and as the main editor for all of the subsequent editionsthrough PNG 1.1 and 1.2, until the current W3C/ISO/IEC standard PNGSpecification, Second Edition. In addition, all of the relatedSpecifications, i.e., the registered PNG extensions, and the companionMNG Specification version 1.0 and JNG Specification version 1.0, hadGlenn at the front as the main editor and moderator-in-chief."(Thanks to Paul Wise)

Security updates have been issued by Debian (389-ds-base, clamav, firefox-esr, and mosquitto), openSUSE (Chromium and firefox), Oracle (firefox and kernel), Red Hat (chromium-browser, firefox, java-1.6.0-sun, java-1.7.0-oracle, and java-1.8.0-oracle), SUSE (dom4j, exempi, mercurial, ntp, python-cryptography, tiff, tomcat, and webkit2gtk3), and Ubuntu (audiofile and firefox).

The LWN.net Weekly Edition for October 25, 2018 is available.

The Python language project has been officially "leaderless" since themid-July announcement that Guido van Rossumwas stepping down. He is, of course, the founder of the language and hadserved for more than two decades as its Benevolent Dictator for Life(BDFL). But he did not appoint a successor and left it up to the project's core developers tocome up with a new governance structure. In the three months since, agreat deal of work has gone into that effort, which has to bootstrap itselfsince there was not even any mechanism to choose how to select a newgovernance model.

The kernel community tries to never change the user-space API in ways thatwill break applications, but it explicitly allows any internal API to bechanged at any time if a solid technical reason to do so exists. But thatdoesn't mean that such changes are easy to do. At the 2018 KernelMaintainers Summit, Kees Cook led a discussion on the challenges he hasencountered when trying to effect large-scale API changes and what might bedone to make such changes go more smoothly.

Security updates have been issued by Fedora (hesiod, lighttpd, and opencc), openSUSE (apache-pdfbox, net-snmp, pam_pkcs11, rpm, tiff, udisks2, and wireshark), SUSE (dhcp, ghostscript-library, ImageMagick, libraw, net-snmp, ntp, postgresql96, rust, tiff, xen, and zziplib), and Ubuntu (mysql-5.5, mysql-5.7).

Improving the quality of stable kernel releases is a perennial subject atthe Kernel and Maintainers Summit events, and this year was no exception.This session, led by Fedora kernel maintainer Laura Abbott, discussed arange of ideas but found no silver bullets. There is, it seems, not much that can be done to createbetter stable kernels except to perform more and better testing.

Ars technica takesa look at the Enhanced Tracking Protection (ETP) feature in Firefox 63. "Firefox has long had the ability to block all third-party cookies, but this is a crude solution, and many sites will break if all third-party cookies are prohibited. The new EPT option works as a more selective block on tracking cookies; third-party cookies still work in general, but those that are known to belong to tracking companies are blocked. For the most part, sites will retain their full functionality, just without undermining privacy at the same time.At least for now, however, Mozilla is defaulting this feature to off, sothe company can get a better idea of the impact it has on the Web. Intesting, the company has found the occasional site that breaks whentracking cookies are blocked. Over the next few months, Firefox developerswill get a better picture of just how much breaks, and, if it's not toosevere, the plan is to block trackers by default starting in early2019." The article also mentions a second privacy-related feature;the offer of a subscription to the ProtonVPN service.The Firefox 63 releasenotes contain other details.

Security updates have been issued by CentOS (java-1.8.0-openjdk), Fedora (mosquitto), openSUSE (binutils, clamav, exiv2, fuse, haproxy, singularity, and zziplib), Slackware (firefox), SUSE (apache-pdfbox, net-snmp, pam_pkcs11, postgresql94, rpm, tiff, and wireshark), and Ubuntu (kernel, libssh, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-aws, net-snmp, paramiko, requests, and texlive-bin).

The Linux Foundation's Technical Advisory Board is chosen by a vote at theKernel Summit each year; this year, that will happen during the LinuxPlumbers Conference in November. The call for nominations to the board hasgone out; it remains open until the voting happens. "The TAB advises the Foundation on kernel-related matters, helps member companies learn to work with the community, and works to resolve community-related problems before they get out of hand. We're also working with kernel maintainers to help refine the new code of conduct, and serving as the initial point of contact for code of conduct issues."

The 2018 Kernel Maintainers Summit convened in Edinburgh, UK onOctober 22 with a number of things to discuss, but the top subject onmost minds was the recently (and hastily)adopted code of conduct. LinusTorvalds made his reentry into the kernel community with a discussion ofhow we got to the current state of affairs, and the assembled maintainershad a relatively good-natured discussion on how this situation came aboutand where things can be expected to go from here.

The Samba team has announceda set ofguidelines for the project. "Please note this is not a "Code ofConduct" as such, but a set of advisory guidelines we'd like people tofollow, with a way for people (privately if they prefer) to raise issues ifthey see them. I hope everyone will find this document acceptable as a wayfor us to agree on how we want our community to be a welcoming one forall members."

Richard Stallman has released an initial version of the GNU KindCommunications Guidelines, and asks all GNU contributors to make theirbest efforts to follow these guidelines in GNU Project discussions. "The idea of the GNU Kind Communication Guidelines is to start guidingpeople towards kinder communication at a point well before one wouldeven think of saying, "You are breaking the rules." The way we dothis, rather than ordering people to be kind or else, is try to helppeople learn to make their communication more kind.I hope that kind communication guidelines will provide a kinderand less strict way of leading a project's discussions to be calmer,more welcoming to all participants of good will, and more effective."

Security updates have been issued by Arch Linux (thunderbird), Debian (drupal7, exiv2, and ghostscript), Fedora (apache-commons-compress, git, libssh, and patch), Mageia (389-ds-base, calibre, clamav, docker, ghostscript, glib2.0, libtiff, mgetty, php-smarty, rust, tcpflow, and vlc), openSUSE (Chromium, icinga, and libssh), and SUSE (clamav, fuse, GraphicsMagick, haproxy, libssh, thunderbird, tomcat, udisks2, and Xerces-c).

Greg Kroah-Hartman has released the 4.19kernel. Headline features in this release include the new AIO-basedpolling interface, L1TF vulnerabilitymitigations, the block I/O latencycontroller, time-based packettransmission, the CAKE queuingdiscipline, and much more. "And with that, Linus, I'm handingthe kernel tree back to you. You can have the joy of dealing with themerge window".

Greg Kroah-Hartman has posted a series ofpatches making some changes around the newly adopted code of conduct.In particular, it adds a newdocument describing how the code is to be interpreted in the kernelcommunity. "I originally sent the first two patches in this series to a lot ofkernel developers privately, to get their review and comments and see ifthey wanted to ack them. This is the traditional way we have alwaysdone for policy documents or other 'contentious' issues like the GPLv3statement or the 'closed kernel modules are bad' statement. Due to thevery unexpected way that the original Code of Conduct file was added tothe tree, a number of developers asked if this series could also beposted publicly before they were merged, and so, here they are."

A new set of stable kernels is now available: 4.18.16, 4.14.78, 4.9.135, and 4.4.162. As usual, there are important fixescontained therein; users should upgrade.