LWN.net

The Debian project has announced the eighth update of Debian 9"stretch". As a stable point release, this version mainly adds bugfixes forsecurity issues and other serious problems. Click below for a list of changes.

Regressions are an unavoidable side effect of software development; thekernel is no different in that regard. The 5.0 kernel introduced a changein the handling of the "#!" (or "shebang") lines used to indicatewhich interpreter should handle an executable text file. The problem hasbeen duly fixed, but the incident shows how easy it can be to introduceunexpected problems and highlights some areas where the kernel'sdevelopment process does not work as well as we might like.

Security updates have been issued by Arch Linux (cairo, firefox, flatpak, hiawatha, and webkit2gtk), Debian (gsoap, mosquitto, php5, thunderbird, and tiff), Fedora (elfutils, ghostscript, gsi-openssh, kernel, kernel-headers, kernel-tools, kf5-kauth, mingw-podofo, mingw-poppler, mosquitto, podofo, and python-markdown2), Mageia (firefox, flash-player-plugin, lxc, and thunderbird), openSUSE (avahi, docker, libu2f-host, LibVNCServer, nginx, phpMyAdmin, and pspp, spread-sheet-widget), Red Hat (rhvm-appliance), and SUSE (python-numpy).

The 5.0-rc7 kernel prepatch has beenreleased. Linus says: "Nothing particularly odd stands out, andeverything is pretty small. Just the way I like it."

Version 0.13.0 of the Geary graphical email client is out."This is a major new release, featuring a number of new features — including a new user interface for creating and managing email accounts, integration with GNOME Online Accounts (which also provides OAuth login support for some services), improvements in displaying conversations, composing new messages, interacting with other email apps, reporting problems as they occur, and number of important bug fixes, server compatibility fixes, and security fixes."

The Ubuntu team has announced the release of Ubuntu 18.04.2 LTS for itsDesktop, Server, and Cloud products, as well as other flavors of Ubuntuwith long-term support. Support periods vary for different flavors."Like previous LTS series, 18.04.2 includes hardware enablement stacksfor use on newer hardware. This support is offered on all architecturesand is installed by default when using one of the desktop images."Ubuntu Server installs the GA kernel, however the HWE kernel may beselected from the installer bootloader.

Software interrupts (or "softirqs") are one of the oldestdeferred-execution mechanisms in the kernel, and that age shows at times.Some developers have occasionally been heard to mutter about removing them, butsoftirqs are too deeply embedded into how the kernel works to be easily rippedout; most developers just leave them alone. So the recent per-vectorsoftirq masking patch set from Frederic Weisbecker is noteworthy as anexception to that rule. Weisbecker is not getting rid of softirqs, but heis trying to reduce their impact and improve their latency.

Greg Kroah-Hartman released a set of stable kernels that should *not* beused, including: 4.20.9, 4.19.22, 4.14.100, and 4.9.157. Those kernels caused a regressionthat was reverted in the following kernels: 4.20.10, 4.19.23, 4.14.101, and 4.9.158.

Security updates have been issued by Debian (firefox-esr and unbound), Fedora (docker, libexif, and runc), openSUSE (mozilla-nss, python, rmt-server, and thunderbird), Slackware (mozilla), and SUSE (couchdb, dovecot23, kvm, nodejs6, php53, podofo, python-PyKMIP, rubygem-loofah, util-linux, and velum).

The cynical among us might be tempted to think that an announcement fromthe GNOME project about the removal of a feature — a relatively unusedfeature at that — would be an unremarkableevent. In practice, though, Debarshi Ray's announcement that the GNOME OnlineAccounts (GOA)subsystem would no longer support the "documents" access point touched offa lengthy discussion within the project itself. The resulting discussionrevealed a few significant problems with GOA and, indeed, with the conceptof online-account management in any sort of open-source umbrella projectlike GNOME.

Security updates have been issued by Debian (python-gnupg), Mageia (avahi, dom4j, gvfs, kauth, libwmf, logback, mad, python, python-django, and radvd), openSUSE (curl, haproxy, lua53, python-slixmpp, runc, spice, and uriparser), Red Hat (flash-plugin), Slackware (mozilla), and SUSE (build and docker-runc).

The PostgreSQL project has put out updated releases for all supportedversions. "This release changes the behavior in how PostgreSQLinterfaces with 'fsync()' and includes fixes for partitioning and over70 other bugs that were reported over the past three months."The fsync() issue was covered herein April 2018.

The LWN.net Weekly Edition for February 14, 2019 is available.

The io_uring mechanism that was described here inJanuary has been through a number of revisions since then; those changes havegenerally been fixing implementation issues rather than changing theuser-space API. In particular, this patch set seems to have received morethan the usual amount of security-related review, which can only be a goodthing. Security concerns became a bit of an obstacle for io_uring, though,when virtual filesystem (VFS) maintainer Al Viro threatenedto veto the merging of the whole thing. It turns out that there weresome reference-counting issues that required his unique experience tostraighten out.

Security updates have been issued by Arch Linux (aubio, curl, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-gnutls, libu2f-host, python-django, python2-django, rdesktop, and runc), Debian (flatpak), Fedora (flatpak, pdns-recursor, rdesktop, tomcat, and xerces-c27), Mageia (cinnamon, docker, dovecot, golang, java-1.8.0-openjdk, jruby, libarchive, libgd, libtiff, libvncserver, opencontainers-runc, openssh, python-marshmallow, thunderbird, and transfig), openSUSE (python-slixmpp), Oracle (kernel), Red Hat (redhat-virtualization-host), Slackware (lxc), SUSE (curl, firefox, LibVNCServer, nginx, php7, python-numpy, runc, SMS3.2, and thunderbird), and Ubuntu (gvfs, python-django, snapd, and webkit2gtk).

Stable kernels 4.20.8, 4.19.21, 4.14.99, and 4.9.156 have been released. They all contain arelatively large number of fixes and users should upgrade.

KDE has announcedthe release of Plasma 5.15. "Plasma 5.15 brings a number of changesto the configuration interfaces, including more options for complex networkconfigurations. Many icons have been added or redesigned to make themclearer. Integration with third-party technologies like GTK and Firefox hasbeen improved substantially." This release also featuresimprovements to the Discover software manager. Many other tweaks andimprovements are covered in the changelog.

Bradley Kuhn works for the Software Freedom Conservancy (SFC)and part of what that organization does is to think about the problems thatsoftware freedom may encounter in the future. SFC worries about what will happenwith the fourfreedoms as things change in the world. One of those changes is already upon us: the Internet of Things (IoT) hasbecome quite popular, but it has many dangers, he said. Copyleftcan help; his talk is meant to show how.

Anybody running containerized workloads with runc (used by Docker,cri-o, containerd, and Kubernetes, among others) will want to make note ofa newly disclosed vulnerability known as CVE-2019-5736. "The vulnerability allows a malicious container to (with minimal userinteraction) overwrite the host runc binary and thus gain root-levelcode execution on the host." LXC is also evidently vulnerable to avariant of the exploit.

Security updates have been issued by Arch Linux (chromium, dovecot, firefox, and spice), Debian (curl, php5, rssh, and wordpress), Fedora (curl, ghostscript, mingw-libconfuse, and radvd), openSUSE (java-11-openjdk and python-urllib3), Red Hat (chromium-browser and kernel), and SUSE (etcd and kernel).

The Free Software Foundation has announcedthat its annual report for fiscal year 2017 is available. "The Annual Report reviews the FSF's activities, accomplishments, and financial picture from October 1, 2016 to September 30, 2017. It is the result of a full external financial audit, along with a focused study of program results. It examines the impact of the FSF's events, programs, and activities, including the annual LibrePlanet conference, the Respects Your Freedom (RYF) hardware certification program, and the fight against Digital Restrictions Management (DRM)."

Matrix is an open platformfor secure, decentralized, realtime communication. Matthew Hodgson,the Matrix project leader, came to FOSDEM to describe Matrix and report on its progress. Attendees learned that it was within daysof having a 1.0 release and found out how it got there. He also shed some light onwhat happened when the French reached out to them to see if Matrix couldmeet the internal messaging requirements of an entire national government.

Security updates have been issued by CentOS (ghostscript, spice, spice-server, and thunderbird), Debian (coturn, freerdp, ghostscript, libreoffice, libu2f-host, mosquitto, and openssh), Fedora (buildbot, java-1.8.0-openjdk, java-11-openjdk, phpMyAdmin, slurm, and spice), openSUSE (python3 and rsyslog), Red Hat (docker and runc), SUSE (avahi, fuse, and LibVNCServer), and Ubuntu (poppler).

Version 7.0.0 of the PyPy Python interpreter is out. This release supportsno less than three upstream Python versions: 2.7, 3.5, and 3.6 (as an alpharelease). "All the interpreters are based on much the same codebase, thus the triplerelease."

The 5.0-rc6 kernel prepatch is out."So while I would have wished for less at this point, nothing in therelooks all that odd or scary. I think we're still solidly on track fora normal release."

For those wondering what the Cloud Native Computing Foundation is up to,its 2018 annualreport [PDF] is now out. "KubeCon + CloudNativeCon has expandedfrom its start with 500 attendees in 2015 to become one of the largest andmost successful open source conferences ever. The KubeCon + CloudNativeConNorth America event in Seattle, held December 10-13, 2018, was our biggestyet and was sold out several weeks ahead of time with 8,000attendees."

The LibreOffice 6.2 release is out. The headline feature this time aroundappears to be "NotebookBar": "a radical new approach to the userinterface - based on the MUFFINconcept". Other changes include a reworking of the contextmenus, better change-tracking performance, better interoperability withproprietary file formats, and more.

The Linux kernel supports a wide variety of filesystem types, many of whichhave not seen significant use — or maintenance — in many years. Developersin the openSUSE project have concluded that many of these filesystem types are,at this point, more useful to attackers than to openSUSE users and areproposing to blacklist many of them by default. Such changes can becontroversial, but it's probably still fair to say that few people expectedthe massivediscussion that resulted, covering everything from the number of OS/2users to how openSUSE fits into the distribution marketplace.

Greg Kroah-Hartman has announced the release of the 4.4.174 stable kernel. The patches went outfor review on February 7; the kernel contains a backport of a fixfor the FragmentSmack denial-of-service vulnerability. "Many thanks to Ben Hutchings for this release, it's pretty much just hiswork here in doing the backporting of networking fixes to help resolve"FragmentSmack" (i.e. CVE-2018-5391)." As usual, users of thekernel series should upgrade.

The OpenStack Foundation has issued its2018 annual report. "2018 was a productive year for theOpenStack community. A total of 1,972 contributors approved more than65,000 changes and published two major releases of all components, codenamed Queens and Rocky. The component project teams completed work onthemes related to integrating with other OpenStack components, otherOpenStack Foundation Open Infrastructure Projects, and projects fromadjacent communities. They also worked on stability, performance, andusability improvements. In addition to that component-specific work, thecommunity continued to expand our OpenStack-wide goals process, using a fewsmaller topics to refine the goal selection process and understand how bestto complete initiatives on such a large scale."

The GTK+ toolkit project has, after extensive deliberation, decided toremove the "+" from its name. "Over the years, we had discussionsabout removing the '+' from the project name. The 'plus' was added to 'GTK'once it was moved out of the GIMP sources tree and the project gainedutilities like GLib and the GTK type system, in order to distinguish itfrom the previous, in-tree version. Very few people are aware of thishistory, and it's kind of confusing from the perspective of both newcomersand even expert users; people join the wrong IRC channel, the URLs on wikisare fairly ugly, etc."

Security updates have been issued by Debian (dovecot and libarchive), Fedora (gvfs and poppler), openSUSE (openssl-1_1 and subversion), Oracle (kernel), Slackware (php), SUSE (avahi, docker, libunwind, LibVNCServer, and spice), and Ubuntu (linux-azure and openssh).

Google has announcedthe release of its ClusterFuzz fuzz-testing system as free software."ClusterFuzz has found more than 16,000 bugs in Chrome and more than11,000 bugs in over 160 open source projects integrated with OSS-Fuzz. Itis an integral part of the development process of Chrome and many otheropen source projects. ClusterFuzz is often able to detect bugs hours afterthey are introduced and verify the fix within a day."

In the beginning, programs run on the in-kernel BPF virtual machine had nopersistent internal state and no data that was shared with any other partof the system. The arrival of eBPF and, in particular, its mapsfunctionality, has changed that situation, though, since a map can beshared between two or more BPF programs as well as with processes runningin user space. That sharing naturally leads to concurrency problems, sothe BPF developers have found themselves needing to addprimitives to manage concurrency (the "exchange and add" or XADDinstruction, for example). The next step is the addition of aspinlock mechanism to protect data structures, which has also led to some wider discussions on what theBPF memory model should look like.

The call for proposals for the 2019 Linux Storage, Filesystem, andMemory-Management Summit has been updated with an important addition: thisyear's event (April 30 to May 2, San Juan, Puerto Rico) willinclude a BPF track. The submission deadline has been extended toFebruary 22 to allow BPF developers to put together their proposals.

Security updates have been issued by Debian (curl, golang, libthrift-java, mumble, netmask, python3.4, and rssh), openSUSE (python-python-gnupg), Oracle (kernel), Scientific Linux (thunderbird), Slackware (curl), SUSE (firefox, python, and rmt-server), and Ubuntu (curl, libarchive, and libreoffice).

The LWN.net Weekly Edition for February 7, 2019 is available.

At the start of his linux.conf.au2019 talk, Kristoffer Grönlund said that he would be taking attendeesback 60 years or more. That is not quite to the dawn of computing history,but it is close—farther back than most of us were alive to remember. Heencountered John McCarthy's famous Lisppaper [PDF] via Papers We Loveand it led him to dig deeply into the Lisp world; he brought back a report forthe LCA crowd.

The4.20.7,4.19.20,4.14.98,4.9.155,4.4.173, and3.18.134stable kernels have all been released. The usual drill applies: eachcontains a number of important fixes and upgrading is recommended.

Two members of the CacophonyProject came to linux.conf.au2019 to give an overview of what the project is doing to increase theamount of bird life in New Zealand. The idea is to use computer vision and machinelearning to identify and eventually eliminate predators in order to helpbird populations; one measure of success will be the volume and variety ofbird song throughout the islands. The endemic avian species in New Zealand evolved without thepresence of predatory mammals, so many of them have been decimated bythe predation of birds and their eggs. The Cacophony Project is looking atways to reverse that.

Security updates have been issued by Debian (dovecot and libav), openSUSE (kernel and krb5), Scientific Linux (thunderbird), SUSE (curl, lua53, python3, and spice), and Ubuntu (dovecot).

Jack Moffitt started off his 2019linux.conf.au talk by calling attention to Facebook's "Portal" device. It is,he said, a cool product, but raises an important question: why wouldanybody in their right mind put a surveillance device made by Facebook intheir kitchen?There are a lot of devices out there — including the Portal — usingdeep-learning techniques; theyoffer useful functionality, but also bring a lot of problems. We as acommunity need to figure out a way to solve those problems; he was there tohighlight a set of Mozilla projects working toward that goal.

The kernel's page cache, which holds copies of data stored in filesystems,is crucial to the performance of the system as a whole. But, as hasrecently been demonstrated, it can also be exploited to learn about what other usersin the system are doing and extract information that should be keptsecret. In January, the behavior of the mincore()system call waschanged in an attempt to close this vulnerability, but that solution was shown to break existing applications while notfully solving the problem. A better solution will have to wait for the5.1 development cycle, but the shape of the proposed changes has started tocome into focus.

Security updates have been issued by Debian (libgd2), Fedora (java-11-openjdk, kernel, and kernel-headers), openSUSE (firefox, mysql-community-server, and pdns-recursor), Oracle (thunderbird), Red Hat (rh-haproxy18-haproxy, systemd, and thunderbird), SUSE (haproxy, spice, and uriparser), and Ubuntu (dovecot, kernel, linux, linux-aws, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-raspi2, linux-hwe, linux-aws-hwe, linux-gcp, linux-lts-trusty, and linux-lts-xenial, linux-aws).

After a two-week voting period, which followed a two-week nominationwindow, Python now has its governanceback in place—with a familiar name in the mix.As specified in PEP 13 ("PythonLanguage Governance"), five nominees were elected to the steering council,which will govern the language moving forward.It may come as a surprise to some that Guido vanRossum, whose resignation as benevolent dictator for life (BDFL)led to the need for a new governance model and, ultimately, tothe vote for a council, was one of the 17 candidates. It is perhaps muchless surprising that he was electedto share the duties he once wielded solo.

The governance model adopted by the Pythoncommunity after Guido van Rossum stepped down included the election of aSteering Council. The first such election has just concluded; the councilwill be made up of Barry Warsaw, Brett Cannon, Carol Willing, Guido vanRossum, and Nick Coghlan.

Security updates have been issued by CentOS (bind, firefox, GNOME, kernel, systemd, and thunderbird), Debian (debian-security-support, drupal7, libreoffice, libvncserver, phpmyadmin, and rssh), Fedora (binutils and firefox), Mageia (firefox and netatalk), openSUSE (avahi and python-paramiko), Red Hat (Red Hat Gluster Storage Web Administration), Slackware (mariadb), and SUSE (java-11-openjdk, kernel, and python).

The 5.0-rc5 kernel prepatch is out."Nothing looks particularly worrisome, so assuming the trend holds, welook to be on track for a fairly normal release cycle despite theearly hiccups due to the holidays."

Rusty Russell was one of the first developers paid to work on the Linuxkernel and the founder of the conference now known as linux.conf.au (LCA); he isone of the most highly respected figures in the Australian free-softwarecommunity. The 2019 LCA was the20th edition of this long-lived event; the organizers felt that it was anappropriate time to invite Russell to deliver the closing keynote talk.He used the opportunity to review his path into free software and thecreation of LCA, but first a change of clothing was required.

Version 2.29 of the GNU Clibrary (glibc) is now available. It includes a wrapper for the getcpu()system call, optimized generic versions of multiple math functions(e.g. exp(), log2(), sinf()), new functions toallow posix_spawn() to run the new process in a differentdirectory, and more.