Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2026-02-01 09:15
Security updates for Monday
Security updates have been issued by Arch Linux (msmtp and python-mysql-connector), Debian (freedink-dfarc, rssh, sox, and waagent), Fedora (docker-latest, java-1.8.0-openjdk, koji, pagure, poppler, and spice), openSUSE (ansible, GraphicsMagick, mosquitto, pspp, spread-sheet-widget, and python-python-gnupg), Red Hat (chromium-browser), Slackware (file), SUSE (kernel, python-Django, qemu, and thunderbird), and Ubuntu (bind9).
Kernel prepatch 5.0-rc8
Anybody expecting the 5.0 kernel to come out today will have been disappointed; Linus released 5.0-rc8 instead. "This may be totally unnecessary, but we actually had more patches come in this last week than we had for rc7, which just didn't make me feel the warm and fuzzies. And while none of the patches looked all that scary, some of them were to pretty core files, so it wasn't all just random rare drivers (although those kinds also existed)."
Weekend stable kernel updates
The latest updates from the stable kernel machine are 4.20.12, 4.19.25, 4.14.103, 4.9.160, 4.4.176, and 3.18.136. Each contains a relatively small set of important fixes.
[$] Containers as kernel objects — again
Linus Torvalds once famously said that there is no design behind the Linux kernel. That may be true, but there are still some guiding principles behind the evolution of the kernel; one of those, to date, has been that the kernel does not recognize "containers" as objects in their own right. Instead, the kernel provides the necessary low-level features, such as namespaces and control groups, to allow user space to create its own container abstraction. This refusal to dictate the nature of containers has led to a diverse variety of container models and a lot of experimentation. But that doesn't stop those who would still like to see the kernel recognize containers as first-class kernel-supported objects.
Security updates for Friday
Security updates have been issued by Mageia (libreoffice, libtiff, spice, and spice-gtk), openSUSE (build, mosquitto, and nodejs6), Red Hat (firefox, flatpak, and systemd), Scientific Linux (firefox, flatpak, and systemd), SUSE (kernel-firmware and texlive), and Ubuntu (bind9 and ghostscript).
The Linux Foundation Launches ELISA Project Enabling Linux In Safety-Critical Systems
The Linux Foundation has announced the formation of the Enabling Linux in Safety Applications (ELISA) project to create tools and processes for companies to use to build and certify safety-critical Linux applications. "Building off the work being done by SIL2LinuxMP project and Real-Time Linux project, ELISA will make it easier for companies to build safety-critical systems such as robotic devices, medical devices, smart factories, transportation systems and autonomous driving using Linux. Founding members of ELISA include Arm, BMW Car IT GmbH, KUKA, Linutronix, and Toyota. To be trusted, safety-critical systems must meet functional safety objectives for the overall safety of the system, including how it responds to actions such as user errors, hardware failures, and environmental changes. Companies must demonstrate that their software meets strict demands for reliability, quality assurance, risk management, development process, and documentation. Because there is no clear method for certifying Linux, it can be difficult for a company to demonstrate that their Linux-based system meets these safety objectives."
[$] Development statistics for the 5.0 kernel
The announcement of the 5.0-rc7 kernel prepatch on February 17 signaled the imminent release of the final 5.0 kernel and the end of this development cycle. 5.0, as it turns out, brought in fewer changesets than its immediate predecessors, but it was still a busy cycle with a lot of developers participating. Read on for an overview of where the work came from in this release cycle.
Security updates for Thursday
Security updates have been issued by CentOS (firefox, flatpak, and systemd), Fedora (createrepo_c, dnf, dnf-plugins-core, dnf-plugins-extras, docker, libcomps, libdnf, and runc), Mageia (giflib, irssi, kernel, kernel-linus, libexif, poppler, tcpreplay, and zziplib), and SUSE (php5, procps, and qemu).
[$] LWN.net Weekly Edition for February 21, 2019
The LWN.net Weekly Edition for February 21, 2019 is available.
Yaghmour: gitgeist: a git-based social network proof of concept
On his blog, Karim Yaghmour writes about an experimental social network that he and a colleague cobbled together using Git. While it is simply a proof of concept at this point, he is looking for feedback and, perhaps, collaborators to take it further. "It turns out that git has practically everything that's needed to act both as storage and protocol for a social network. Not only that, but it's very well-known within and used, deployed and maintained in the circles I navigate, it scales very well (see github), it's used for critical infrastructure (see kernel.org), it provides history, it's distributed by nature, etc. It's got *almost* everything, but not quite everything needed. So what's missing from git? A few basic things that it turns out aren't very hard to take care of: ability to 'follow', getting followee notifications, 'commenting' and an interface for viewing feeds. And instead of writing a whole online treatise of how this could be done, I asked my colleague Francois-Denis Gonthier to implement a proof and concept of this that we called 'gitgeist' and just published on github [https://github.com/opersys/gitgeist-poc]."
[$] Producing an application for both desktop and mobile
These days applications are generally moving away from the desktop and toward the mobile space. But taking a multi-platform desktop application and adding two mobile platforms into the mix is difficult to do, as Dirk Hohndel described in his linux.conf.au 2019 talk. Hohndel maintains the Subsurface dive log application, which has added mobile support over the past few years; he wanted to explain the process that the project went through to support all of those platforms. As the subtitle of the talk, "Developing for multiple platforms without losing your mind", indicates, it is a hard problem to solve sanely.
Stable kernel updates
Stable kernels 4.20.11, 4.19.24, 4.14.102, 4.9.159, 4.4.175, and 3.18.135 have been released. They all contain important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (ansible, drupal7, and systemd), Fedora (botan2, ceph, and firefox), Oracle (firefox, flatpak, and systemd), Red Hat (firefox), SUSE (gvfs, kernel, libqt5-qtbase, python-numpy, and qemu), and Ubuntu (gdm3).
digiKam 6.0.0 released
The digiKam team has announced the release of digiKam 6.0.0. New features include full support of video files management working as photos; an integration of all import/export web-service tools in LightTable, Image editor, and Showfoto; raw file decoding engine supporting new cameras; similarity data is now stored in a separate file; simplified web-service authentication using OAuth protocol; and more.
[$] Patent exhaustion and open source
When patents and free software crop up together, the usual question is about patent licensing. Patent exhaustion — the principle that patent rights don't reach past the first sale of a product — is much less frequently discussed. At FOSDEM 2019, US lawyer Van Lindberg argued that several US court decisions related to exhaustion, most of them recent but some less so, could come together to have surprising beneficial effects for free software. He was clear that the argument applied only in the US but, since court systems tend to look to each other for consistency's sake, and because Lindberg is an engaging speaker, the talk was of great interest even in Brussels.
Security updates for Tuesday
Security updates have been issued by Debian (chromium, rdesktop, rssh, systemd, and uriparser), Fedora (bouncycastle, eclipse-jgit, eclipse-linuxtools, jackson-annotations, jackson-bom, jackson-core, jackson-databind, jackson-dataformat-xml, jackson-dataformats-binary, jackson-dataformats-text, jackson-datatype-jdk8, jackson-datatype-joda, jackson-datatypes-collections, jackson-jaxrs-providers, jackson-module-jsonSchema, jackson-modules-base, jackson-parent, moby-engine, and subversion), openSUSE (chromium, docker-runc, firefox, GraphicsMagick, kernel, LibVNCServer, php7, pspp, spread-sheet-widget, and runc), SUSE (kernel-firmware, qemu, and systemd), and Ubuntu (nss and systemd).
Debian 9.8 released
The Debian project has announced the eighth update of Debian 9 "stretch". As a stable point release, this version mainly adds bugfixes for security issues and other serious problems. Click below for a list of changes.
[$] The case of the supersized shebang
Regressions are an unavoidable side effect of software development; the kernel is no different in that regard. The 5.0 kernel introduced a change in the handling of the "#!" (or "shebang") lines used to indicate which interpreter should handle an executable text file. The problem has been duly fixed, but the incident shows how easy it can be to introduce unexpected problems and highlights some areas where the kernel's development process does not work as well as we might like.
Security updates for Monday
Security updates have been issued by Arch Linux (cairo, firefox, flatpak, hiawatha, and webkit2gtk), Debian (gsoap, mosquitto, php5, thunderbird, and tiff), Fedora (elfutils, ghostscript, gsi-openssh, kernel, kernel-headers, kernel-tools, kf5-kauth, mingw-podofo, mingw-poppler, mosquitto, podofo, and python-markdown2), Mageia (firefox, flash-player-plugin, lxc, and thunderbird), openSUSE (avahi, docker, libu2f-host, LibVNCServer, nginx, phpMyAdmin, and pspp, spread-sheet-widget), Red Hat (rhvm-appliance), and SUSE (python-numpy).
Kernel prepatch 5.0-rc7
The 5.0-rc7 kernel prepatch has been released. Linus says: "Nothing particularly odd stands out, and everything is pretty small. Just the way I like it."
Geary 0.13.0 released
Version 0.13.0 of the Geary graphical email client is out. "This is a major new release, featuring a number of new features — including a new user interface for creating and managing email accounts, integration with GNOME Online Accounts (which also provides OAuth login support for some services), improvements in displaying conversations, composing new messages, interacting with other email apps, reporting problems as they occur, and number of important bug fixes, server compatibility fixes, and security fixes."
Ubuntu 18.04.2 LTS released
The Ubuntu team has announced the release of Ubuntu 18.04.2 LTS for its Desktop, Server, and Cloud products, as well as other flavors of Ubuntu with long-term support. Support periods vary for different flavors. "Like previous LTS series, 18.04.2 includes hardware enablement stacks for use on newer hardware. This support is offered on all architectures and is installed by default when using one of the desktop images." Ubuntu Server installs the GA kernel, however the HWE kernel may be selected from the installer bootloader.
[$] Per-vector software-interrupt masking
Software interrupts (or "softirqs") are one of the oldest deferred-execution mechanisms in the kernel, and that age shows at times. Some developers have occasionally been heard to mutter about removing them, but softirqs are too deeply embedded into how the kernel works to be easily ripped out; most developers just leave them alone. So the recent per-vector softirq masking patch set from Frederic Weisbecker is noteworthy as an exception to that rule. Weisbecker is not getting rid of softirqs, but he is trying to reduce their impact and improve their latency.
Two sets of stable kernel updates
Greg Kroah-Hartman released a set of stable kernels that should *not* be used, including: 4.20.9, 4.19.22, 4.14.100, and 4.9.157. Those kernels caused a regression that was reverted in the following kernels: 4.20.10, 4.19.23, 4.14.101, and 4.9.158.
Security updates for Friday
Security updates have been issued by Debian (firefox-esr and unbound), Fedora (docker, libexif, and runc), openSUSE (mozilla-nss, python, rmt-server, and thunderbird), Slackware (mozilla), and SUSE (couchdb, dovecot23, kvm, nodejs6, php53, podofo, python-PyKMIP, rubygem-loofah, util-linux, and velum).
[$] Some challenges for GNOME online accounts
The cynical among us might be tempted to think that an announcement from the GNOME project about the removal of a feature — a relatively unused feature at that — would be an unremarkable event. In practice, though, Debarshi Ray's announcement that the GNOME Online Accounts (GOA) subsystem would no longer support the "documents" access point touched off a lengthy discussion within the project itself. The resulting discussion revealed a few significant problems with GOA and, indeed, with the concept of online-account management in any sort of open-source umbrella project like GNOME.
Security updates for Thursday
Security updates have been issued by Debian (python-gnupg), Mageia (avahi, dom4j, gvfs, kauth, libwmf, logback, mad, python, python-django, and radvd), openSUSE (curl, haproxy, lua53, python-slixmpp, runc, spice, and uriparser), Red Hat (flash-plugin), Slackware (mozilla), and SUSE (build and docker-runc).
PostgreSQL 11.2, 10.7, 9.6.12, 9.5.16, and 9.4.21 released
The PostgreSQL project has put out updated releases for all supported versions. "This release changes the behavior in how PostgreSQL interfaces with 'fsync()' and includes fixes for partitioning and over 70 other bugs that were reported over the past three months." The fsync() issue was covered here in April 2018.
[$] LWN.net Weekly Edition for February 14, 2019
The LWN.net Weekly Edition for February 14, 2019 is available.
[$] io_uring, SCM_RIGHTS, and reference-count cycles
The io_uring mechanism that was described here in January has been through a number of revisions since then; those changes have generally been fixing implementation issues rather than changing the user-space API. In particular, this patch set seems to have received more than the usual amount of security-related review, which can only be a good thing. Security concerns became a bit of an obstacle for io_uring, though, when virtual filesystem (VFS) maintainer Al Viro threatened to veto the merging of the whole thing. It turns out that there were some reference-counting issues that required his unique experience to straighten out.
Security updates for Wednesday
Security updates have been issued by Arch Linux (aubio, curl, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-gnutls, libu2f-host, python-django, python2-django, rdesktop, and runc), Debian (flatpak), Fedora (flatpak, pdns-recursor, rdesktop, tomcat, and xerces-c27), Mageia (cinnamon, docker, dovecot, golang, java-1.8.0-openjdk, jruby, libarchive, libgd, libtiff, libvncserver, opencontainers-runc, openssh, python-marshmallow, thunderbird, and transfig), openSUSE (python-slixmpp), Oracle (kernel), Red Hat (redhat-virtualization-host), Slackware (lxc), SUSE (curl, firefox, LibVNCServer, nginx, php7, python-numpy, runc, SMS3.2, and thunderbird), and Ubuntu (gvfs, python-django, snapd, and webkit2gtk).
Stable kernel updates
Stable kernels 4.20.8, 4.19.21, 4.14.99, and 4.9.156 have been released. They all contain a relatively large number of fixes and users should upgrade.
Plasma 5.15 released
KDE has announced the release of Plasma 5.15. "Plasma 5.15 brings a number of changes to the configuration interfaces, including more options for complex network configurations. Many icons have been added or redesigned to make them clearer. Integration with third-party technologies like GTK and Firefox has been improved substantially." This release also features improvements to the Discover software manager. Many other tweaks and improvements are covered in the changelog.
[$] Avoiding the coming IoT dystopia
Bradley Kuhn works for the Software Freedom Conservancy (SFC) and part of what that organization does is to think about the problems that software freedom may encounter in the future. SFC worries about what will happen with the four freedoms as things change in the world. One of those changes is already upon us: the Internet of Things (IoT) has become quite popular, but it has many dangers, he said. Copyleft can help; his talk is meant to show how.
CVE-2019-5736: runc container breakout
Anybody running containerized workloads with runc (used by Docker, cri-o, containerd, and Kubernetes, among others) will want to make note of a newly disclosed vulnerability known as CVE-2019-5736. "The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host." LXC is also evidently vulnerable to a variant of the exploit.
Security updates for Tuesday
Security updates have been issued by Arch Linux (chromium, dovecot, firefox, and spice), Debian (curl, php5, rssh, and wordpress), Fedora (curl, ghostscript, mingw-libconfuse, and radvd), openSUSE (java-11-openjdk and python-urllib3), Red Hat (chromium-browser and kernel), and SUSE (etcd and kernel).
FSF Annual Report now available
The Free Software Foundation has announced that its annual report for fiscal year 2017 is available. "The Annual Report reviews the FSF's activities, accomplishments, and financial picture from October 1, 2016 to September 30, 2017. It is the result of a full external financial audit, along with a focused study of program results. It examines the impact of the FSF's events, programs, and activities, including the annual LibrePlanet conference, the Respects Your Freedom (RYF) hardware certification program, and the fight against Digital Restrictions Management (DRM)."
[$] France enters the Matrix
Matrix is an open platform for secure, decentralized, realtime communication. Matthew Hodgson, the Matrix project leader, came to FOSDEM to describe Matrix and report on its progress. Attendees learned that it was within days of having a 1.0 release and found out how it got there. He also shed some light on what happened when the French reached out to them to see if Matrix could meet the internal messaging requirements of an entire national government.
Security updates for Monday
Security updates have been issued by CentOS (ghostscript, spice, spice-server, and thunderbird), Debian (coturn, freerdp, ghostscript, libreoffice, libu2f-host, mosquitto, and openssh), Fedora (buildbot, java-1.8.0-openjdk, java-11-openjdk, phpMyAdmin, slurm, and spice), openSUSE (python3 and rsyslog), Red Hat (docker and runc), SUSE (avahi, fuse, and LibVNCServer), and Ubuntu (poppler).
PyPy 7.0.0 released
Version 7.0.0 of the PyPy Python interpreter is out. This release supports no less than three upstream Python versions: 2.7, 3.5, and 3.6 (as an alpha release). "All the interpreters are based on much the same codebase, thus the triple release."
Kernel prepatch 5.0-rc6
The 5.0-rc6 kernel prepatch is out. "So while I would have wished for less at this point, nothing in there looks all that odd or scary. I think we're still solidly on track for a normal release."
The CNCF 2018 annual report
For those wondering what the Cloud Native Computing Foundation is up to, its 2018 annual report [PDF] is now out. "KubeCon + CloudNativeCon has expanded from its start with 500 attendees in 2015 to become one of the largest and most successful open source conferences ever. The KubeCon + CloudNativeCon North America event in Seattle, held December 10-13, 2018, was our biggest yet and was sold out several weeks ahead of time with 8,000 attendees."
LibreOffice 6.2 released
The LibreOffice 6.2 release is out. The headline feature this time around appears to be "NotebookBar": "a radical new approach to the user interface - based on the MUFFIN concept". Other changes include a reworking of the context menus, better change-tracking performance, better interoperability with proprietary file formats, and more.
[$] Blacklisting insecure filesystems in openSUSE
The Linux kernel supports a wide variety of filesystem types, many of which have not seen significant use — or maintenance — in many years. Developers in the openSUSE project have concluded that many of these filesystem types are, at this point, more useful to attackers than to openSUSE users and are proposing to blacklist many of them by default. Such changes can be controversial, but it's probably still fair to say that few people expected the massive discussion that resulted, covering everything from the number of OS/2 users to how openSUSE fits into the distribution marketplace.
Stable kernel 4.4.174 released
Greg Kroah-Hartman has announced the release of the 4.4.174 stable kernel. The patches went out for review on February 7; the kernel contains a backport of a fix for the FragmentSmack denial-of-service vulnerability. "Many thanks to Ben Hutchings for this release, it's pretty much just his work here in doing the backporting of networking fixes to help resolve "FragmentSmack" (i.e. CVE-2018-5391)." As usual, users of the kernel series should upgrade.
The OpenStack Foundation's 2018 annual report
The OpenStack Foundation has issued its 2018 annual report. "2018 was a productive year for the OpenStack community. A total of 1,972 contributors approved more than 65,000 changes and published two major releases of all components, codenamed Queens and Rocky. The component project teams completed work on themes related to integrating with other OpenStack components, other OpenStack Foundation Open Infrastructure Projects, and projects from adjacent communities. They also worked on stability, performance, and usability improvements. In addition to that component-specific work, the community continued to expand our OpenStack-wide goals process, using a few smaller topics to refine the goal selection process and understand how best to complete initiatives on such a large scale."
GTK+ renamed to GTK
The GTK+ toolkit project has, after extensive deliberation, decided to remove the "+" from its name. "Over the years, we had discussions about removing the '+' from the project name. The 'plus' was added to 'GTK' once it was moved out of the GIMP sources tree and the project gained utilities like GLib and the GTK type system, in order to distinguish it from the previous, in-tree version. Very few people are aware of this history, and it's kind of confusing from the perspective of both newcomers and even expert users; people join the wrong IRC channel, the URLs on wikis are fairly ugly, etc."
Security updates for Friday
Security updates have been issued by Debian (dovecot and libarchive), Fedora (gvfs and poppler), openSUSE (openssl-1_1 and subversion), Oracle (kernel), Slackware (php), SUSE (avahi, docker, libunwind, LibVNCServer, and spice), and Ubuntu (linux-azure and openssh).
Google releases ClusterFuzz
Google has announced the release of its ClusterFuzz fuzz-testing system as free software. "ClusterFuzz has found more than 16,000 bugs in Chrome and more than 11,000 bugs in over 160 open source projects integrated with OSS-Fuzz. It is an integral part of the development process of Chrome and many other open source projects. ClusterFuzz is often able to detect bugs hours after they are introduced and verify the fix within a day."
[$] Concurrency management in BPF
In the beginning, programs run on the in-kernel BPF virtual machine had no persistent internal state and no data that was shared with any other part of the system. The arrival of eBPF and, in particular, its maps functionality, has changed that situation, though, since a map can be shared between two or more BPF programs as well as with processes running in user space. That sharing naturally leads to concurrency problems, so the BPF developers have found themselves needing to add primitives to manage concurrency (the "exchange and add" or XADD instruction, for example). The next step is the addition of a spinlock mechanism to protect data structures, which has also led to some wider discussions on what the BPF memory model should look like.