LWN.net

We may need Tor, "the onion router",more than we ever imagined. Authoritarian states are blocking more and more websites and snoopingon their populations online—even routine tracking of our onlineactivities can reveal information that can be used to underminedemocracy. Thus, there was strong interest in the "State of the Onion"panel at the 2018 LibrePlanet conference, wherefour contributors to the Tor project presented a progress update covering thepast few years.Subscribers can read on for a report on the panel by guest author Andy Oram.

The Drupal security team has sent out a "highly critical"alert: "A remote code execution vulnerability exists withinmultiple subsystems of Drupal 7.x and 8.x. This potentially allowsattackers to exploit multiple attack vectors on a Drupal site, which couldresult in the site being completely compromised." This seems worthavoiding; updating to the current version is the way to do that. There isan FAQ pagewith a little more information.

Per Bothner has released DomTerm 1.0. Since DomTerm was coveredhere in January 2016, many features have been added or enhanced. (Seethis articleon opensource.com.)DomTerm is a mostly-xterm-compatible terminal emulator, but the output canbe graphics, rich text, and other html, so it is suitable as a REPL for aprogram like gnuplot. Other major features include screen/tmux-style tiling and detachablesessions, readline-style input editing (integrated with mouse andclipboard), and opening an editor when clicking an error message.

The security-focused distribution Qubes OS has releasedversion 4.0. "This release delivers on the features we promised inour announcementof Qubes 4.0-rc1, with some course corrections along the way, such asthe switch from HVM to PVH for most VMs in response to Meltdownand Spectre. For more details, please see the full Release Notes."

Many people have seen music visualizations before, whether in a musicplayer on their computer, at a live concert, or possibly on a home stereosystem. Those visualizations may have been generated using the open-sourcemusic-visualization software library that is part of projectM.Software-based abstract visualizers first appeared along with early MP3 music players as asort of nifty thing to watch along with listening to your MP3s. One ofthe most powerful and innovative of these was a plugin for Winamp known asMilkDrop, which wasdeveloped by a Nullsoft (and later NVIDIA) employee named Ryan Geiss. The plugin wasextensible by using visualizationequation scripts (also known as "presets").Subscribers can read on for a look at projectM by guest author (andprojectM maintainer) Mischa Spiegelmock.

Security updates have been issued by CentOS (slf4j), Debian (firefox-esr, mupdf, net-snmp, and samba), Fedora (apache-commons-compress, calibre, chromium, glpi, kernel, libvncserver, libvorbis, mozjs52, ntp, slurm, sqlite, and wireshark), openSUSE (librelp), SUSE (librelp, LibVNCServer, and qemu), and Ubuntu (firefox and zsh).

Kernel developers go to some lengths to mark read-only data so that it canbe protected by the system's memory-management unit.Memory that cannot be changed cannot be altered by an attacker to corrupt thesystem. But the kernel's mechanisms for managing read-only memory do notwork for memory that must be initialized after the initial system bootstraphas completed. A patch set from Igor Stoppaseeks to change that situation by creating a new API just forlate-initialized read-only data.

Kubernetes 1.10 has been released. "This newest version stabilizes features in 3 key areas, including storage, security, and networking. Notable additions in this release include the introduction of external kubectl credential providers (alpha), the ability to switch DNS service to CoreDNS at install time (beta), and the move of Container Storage Interface (CSI) and persistent local volumes to beta."

Techdirt reportsthat the US Court of Appeals for the Federal Circuit (CAFC) has resurrectedOracle's copyright claim against Google for its use of the Java APIs inAndroid. "Honestly, the most concerning part of the whole thing ishow much of a mess CAFC has made of the whole process. The court ruledcorrectly originally that APIs are not subject to copyright. CAFC threwthat out and ordered the court to have a jury determine the fair usequestion. The jury found it to be fair use, and even though CAFC hadordered the issue be heard by a jury, it now says 'meh, we disagree withthe jury.' That's... bizarre."

Security updates have been issued by Debian (firefox-esr, irssi, and librelp), Gentoo (busybox and plib), Mageia (exempi and jupyter-notebook), openSUSE (clamav, dhcp, nginx, python-Django, python3-Django, and thunderbird), Oracle (slf4j), Red Hat (slf4j), Scientific Linux (slf4j), Slackware (firefox), SUSE (librelp), and Ubuntu (screen-resolution-extra).

The 4.16 development cycle is shaping up to be arelatively straightforward affair with little in the way of known problemsand a probable release after nine weeks of work. In comparison to the wildride that was 4.15, 4.16 looks positively calm. Even so, there is a lotthat has happened this time around; read on for a look at who contributedto this release, with a brief digression into stable kernel updates.

The Free Software Foundation (FSF) announcedthe winners of the 2017 Free Software Awards during LibrePlanet."Public Lab is a community and non-profit organization with the goalof democratizing science to address environmental issues. Theircommunity-created tools and techniques utilize free software and low-costdevices to enable people at any level of technical skill to investigateenvironmental concerns." The organization received the Award forProjects of Social Benefit. Karen Sandler, the Executive Director of theSoftware Freedom Conservancy, received the Award for the Advancement ofFree Software.

Security updates have been issued by Arch Linux (bchunk, thunderbird, and xerces-c), Debian (freeplane, icu, libvirt, and net-snmp), Fedora (monitorix, php-simplesamlphp-saml2, php-simplesamlphp-saml2_1, php-simplesamlphp-saml2_3, puppet, and qt5-qtwebengine), openSUSE (curl, libmodplug, libvorbis, mailman, nginx, opera, python-paramiko, and samba, talloc, tevent), Red Hat (python-paramiko, rh-maven35-slf4j, rh-mysql56-mysql, rh-mysql57-mysql, rh-ruby22-ruby, rh-ruby23-ruby, and rh-ruby24-ruby), Slackware (thunderbird), SUSE (clamav, kernel, memcached, and php53), and Ubuntu (samba and tiff).

The 4.16-rc7 prepatch is out; it'sprobably the last one. "I'm still not *planning*on an rc8 this release, because while rc7 is bigger than usual,nothing in here makes me go 'Hmm, maybe we should delay the release'.But let's see what happens this upcoming week - if next Sunday comesaround, and there's lots of new stuff, I'll reconsider then."

The4.15.13,4.14.30,4.9.90,4.4.124,and 3.18.102have all been released; each contains a relatively large set of importantfixes and updates.

Here's thesecond part of Daniel Stone's series on recent improvements inlow-level graphics support. "The end result of all this work is thatwe have been able to eliminate the magic side channels which used toproliferate, and lay the groundwork for properly communicating thisinformation across multiple devices as well. Devices supporting ARM's AFBCcompression format are just beginning to hit the market, which share asingle compression format between video decoder, GPU, and displaycontroller. We are also beginning to see GPUs from different vendors sharetiling formats, in order to squeeze the most performance possible fromhybrid GPU systems."

Security updates have been issued by Debian (adminer, isc-dhcp, kamailio, libvorbisidec, plexus-utils2, and simplesamlphp), Fedora (exim and glibc-arm-linux-gnu), Mageia (sqlite3), openSUSE (Chromium, kernel, and qemu), SUSE (memcached), and Ubuntu (sharutils).

Energy-aware scheduling — running a system's workload in a way thatminimizes the amount of energy consumed — has been a topic of activediscussion and development for some time; LWN first covered the issue at the beginning of 2012.Many approaches have been tried during the intervening years, but little inthe way of generalized energy-aware scheduling work has made it into themainline. Recently, a new patch set wasposted by Dietmar Eggemann that only tries to address one aspect of the problem; perhaps the problem domainhas now been simplified enough that this support can finally be merged.

Yet another new crop of stable kernels has been released: 4.9.89, 4.4.123, and 3.18.101. Each contains a rather large set ofchanges all over the kernel tree; users of those series should upgrade.

Version 4.0of the Krita drawing tool has been released; see thisarticle for a summary of the new features in this release."Krita 4.0 will use SVG on vector layers by default, instead of theprior reliance on ODG. SVG is the most widely used open format for vectorgraphics out there. Used by 'pure' vector design applications, SVG on Kritacurrently supports gradients and transparencies, with more effects comingsoon."

Security updates have been issued by Arch Linux (lib32-libvorbis), Debian (exempi and polarssl), Gentoo (collectd and webkit-gtk), openSUSE (postgresql96), SUSE (qemu), and Ubuntu (libvorbis).

The LWN.net Weekly Edition for March 22, 2018 is available.

"Syzbot" is an automated system that runs the syzkaller fuzzer on thekernel and reports the resulting crashes. Dmitry Vyukov has announced theavailability of a web sitedisplaying the outstanding reports. "The dashboard shows info about active bugs reported by syzbot. Thereare ~130 active bugs and I think ~2/3 of them are actionable (stillhappen and have a reproducer or are simple enough to debug)."

While updating kernels frequently is generally considered a security bestpractice, there are many installations that are unable to do so for avariety of reasons. That means running with some number of knownvulnerabilities (along with an unknown number of unknown vulnerabilities, ofcourse), so some way to detect and stop exploits for those flaws may bedesired. That is exactly what the Linux Kernel Runtime Guard (LKRG)is meant to do.

It is an increasingly poorly kept secret that, underneath the hood ofthe components that most of us view as "hardware", there is a great deal ofproprietary software. This code, written by anonymous developers, rarelysees the light of day; as a result, it tends to have all of the pathologiesassociated with software that nobody can either review or fix. The 2018Embedded Linux Conference saw an announcement for a new project that, with luck, will change thatsituation, at least for one variety of hardware: audio devices.

Version5.4 of the RawTherapee image-processing tool is out. New featuresinclude a new histogram-matching tool, a new HDR tone-mapping tool, anumber of user-interface and performance improvements, and quite a bitmore.

Greg Kroah-Hartman has released stable kernels 4.15.12 and 4.14.29. As usual, they contain importantfixes and users of those series should upgrade.

Security updates have been issued by CentOS (firefox), Debian (plexus-utils), Fedora (calibre, cryptopp, curl, dolphin-emu, firefox, golang, jhead, kernel, libcdio, libgit2, libvorbis, ming, net-snmp, patch, samba, xen, and zsh), Red Hat (collectd and rh-mariadb101-mariadb and rh-mariadb101-galera), and Ubuntu (paramiko and tiff).

Daniel Stone beginsa series on how the Linux graphic stack has improved in recent times."This has made mainline Linux much more attractive: the exact samegeneric codebases of GNOME and Weston that I'm using to write this blogpost on an Intel laptop run equally well on AMD workstations, low-power NXPboards destined for in-flight entertainment, and high-end Renesas SoCswhich might well be in your car. Now that the drivers are easy to write,and applications are portable, we've seen over ten new DRM drivers mergedto the upstream kernel since atomic modesetting was merged."

Developers and maintainers of free-software projects are drawn fromthe same pool of people, and maintainers in one project are often developersin another, but there is still a certain amount of friction between thetwo groups. Maintainers depend on developers to contribute changes, butthe two groups have a different set of incentives when it comes to reviewing andaccepting those changes. Two talks at the 2018 Embedded Linux Conferenceshed some light on this relationship and how it can be made to work moresmoothly.

The GStreamer team has announceda major feature release of the GStreamer cross-platform multimediaframework. Highlights include WebRTC support, experimental support for thenext-gen royalty-free AV1 video codec, support for the Secure ReliableTransport (SRT) video streaming protocol, and much more. The release notescontain more details.

Red Hat has announcedthat six more companies (CA Technologies, Cisco, HPE, Microsoft, SAP, andSUSE) have agreed to apply the GPLv3 termination conditions (wherein aviolator's license is automatically restored if the problem is fixed in atimely manner) to GPLv2-licensed code. "GPL version 3 (GPLv3)introduced an approach to termination that offers distributors of the codean opportunity to correct errors and mistakes in license compliance. Thisapproach allows for enforcement of license compliance consistent with acommunity in which heavy-handed approaches to enforcement, including forfinancial gain, are out of place."

Security updates have been issued by Arch Linux (clamav, curl, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, and libcurl-gnutls), openSUSE (various KMPs), Oracle (firefox), Scientific Linux (firefox), SUSE (java-1_7_1-ibm), and Ubuntu (memcached).

In my previous article, I gave an introductionto the open architecture of RISC-V. This articlelooks at howI and a small team of Fedorausers ported a large part of the Fedora package set to RISC-V. It was adaunting task, especially when there is no real hardware or existinginfrastructure, but we were able to get there in a part-time effort over ayear and a half or so.Subscribers can read on for a look at getting Fedora onto RISC-V by guestauthor Richard W.M. Jones.

Some years ago, prominent community leaders doubted that even short-term stable maintenance of kernel releases was feasible. Morerecently, selecting an occasional kernel for a two-year maintenance cyclehas become routine, and some kernels, such as 3.2 under the care of BenHutchings, have received constant maintenance for as much as six years. Buteven that sort of extended maintenance is not enough for some use cases, asYoshitake Kobayashi explained in his Embedded Linux Conference talk. Tomeet those needs, the CivilInfrastructure Platform (CIP) project is setting out to maintain releases for a minimum of 20 years.

Stable kernels 4.15.11 and 4.14.28 have been released. They both containmany fixes throughout the tree and users should upgrade.

Security updates have been issued by Arch Linux (firefox, libvorbis, and ntp), Debian (curl, firefox-esr, gitlab, libvorbis, libvorbisidec, openjdk-8, and uwsgi), Fedora (firefox, ImageMagick, kernel, and mailman), Gentoo (adobe-flash, jabberd2, oracle-jdk-bin, and plasma-workspace), Mageia (bugzilla, kernel, leptonica, libtiff, libvorbis, microcode, python-pycrypto, SDL_image, shadow-utils, sharutils, and xerces-c), openSUSE (exempi, firefox, GraphicsMagick, libid3tag, libraw, mariadb, php5, postgresql95, SDL2, SDL2_image, ucode-intel, and xmltooling), Red Hat (firefox), Slackware (firefox and libvorbis), SUSE (microcode_ctl and ucode-intel), and Ubuntu (firefox and php5, php7.0, php7.1).

The 4.16-rc6 kernel prepatch is out."Go test, things are stable and there's no reason to worry, but allthe usual reasons to just do a quick build and verification that everythingworks for everybody. Ok?"

Greg Kroah-Hartman has released the 4.9.88,4.4.122, and 3.18.100 stable kernels. As usual, theycontain fixes throughout the tree and users of those series should upgrade.

Security updates have been issued by CentOS (firefox), Debian (clamav and firefox-esr), openSUSE (Chromium and kernel-firmware), Oracle (firefox), Red Hat (ceph), Scientific Linux (firefox), Slackware (curl), and SUSE (java-1_7_1-ibm and mariadb).

Over on the Red Hat Developer Program blog, David Malcolm describes a number of usability improvements that he has made for the upcoming GCC 8 release. Malcolm has made a number of the C/C++ compiler error messages much more helpful, including adding hints for integrated development environments (IDEs) and other tools to suggest fixes for syntax and other kinds of errors. "[...] the code is fine, but, as is common with fragments of code seen on random websites, it’s missing #include directives. If you simply copy this into a new file and try to compile it as-is, it fails.This can be frustrating when copying and pasting examples – off the top of your head, which header files are needed by the above? – so for gcc 8 I’ve added hints telling you which header files are missing (for the most common cases)." He has various examples showing what the new error messages and hints look like in the blog post.

Alex Shi's posting of a patch seriesbackporting a set of Meltdown fixes for the arm64 architecture to the4.9 kernel might seem like a normal exercise in making important securityfixes available on older kernels. But this case raised a couple ofinteresting questions about why this backport should be accepted into thelong-term-support kernels — and a couple of equally interesting answers,one of which was rather better received than the other.

Greg Kroah-Hartman has announced the release of the 4.15.10 and 4.14.27 stable kernels. Each contains a largenumber of patches throughout the kernel tree; users should upgrade.

Security updates have been issued by Arch Linux (samba), CentOS (389-ds-base, kernel, libreoffice, mailman, and qemu-kvm), Debian (curl, libvirt, and mbedtls), Fedora (advancecomp, ceph, firefox, libldb, postgresql, python-django, and samba), Mageia (clamav, memcached, php, python-django, and zsh), openSUSE (adminer, firefox, java-1_7_0-openjdk, java-1_8_0-openjdk, and postgresql94), Oracle (kernel and libreoffice), Red Hat (erlang, firefox, flash-plugin, and java-1.7.1-ibm), Scientific Linux (389-ds-base, kernel, libreoffice, and qemu-kvm), SUSE (xen), and Ubuntu (curl, firefox, linux, linux-raspi2, and linux-hwe).

The LWN.net Weekly Edition for March 15, 2018 is available.

<p>As is often the case, the python-ideas mailing list hosted a discussionabout a Python Enhancement Proposal (PEP) recently. In some sense, thisparticular PEPwas created to try to gather together the pros and cons of afeature idea that regularly crops up: statement-local bindings for variablenames. But the discussion of the PEP went in enough different directionsthat it led to calls for an entirely different type of medium in which tohave those kinds of discussions.

Let's Encrypt has announcedthat ACMEv2 (Automated Certificate Management Environment) and wildcardcertificate support is live. ACMEv2 is an updatedversion of the ACME protocol that has gone through the IETF standardsprocess. Wildcardcertificates allow you to secure all subdomains of a domain with asingle certificate. (Thanks to Alphonse Ogulla)

GNOME 3.28 has been released. "This release brings a more beautifulfont, an improved on-screen keyboard and a new 'Usage' application.Improvements to core GNOME applications include support for favorites inFiles and the file chooser, a better month view in the Calendar, supportfor importing pictures from devices in Photos, and many more." Seethe releasenotes for details.

Security updates have been issued by Arch Linux (calibre, dovecot, and postgresql), CentOS (dhcp and mailman), Fedora (freetype, kernel, leptonica, mariadb, mingw-leptonica, net-snmp, nx-libs, util-linux, wavpack, x2goserver, and zsh), Gentoo (chromium), Oracle (389-ds-base, mailman, and qemu-kvm), Red Hat (389-ds-base, kernel, kernel-alt, libreoffice, mailman, and qemu-kvm), Scientific Linux (mailman), Slackware (firefox and samba), and Ubuntu (samba).

LWN has covered the open RISC-V ("risk five") processor architecture before, most recently inthis article. As the ecosystem and tools around RISC-V have started comingtogether, a more detailed look is in order. In a seriesof two articles, guest author Richard W.M. Jones will look atwhat RISC-V is and follow up with an article on how we can nowport Linux distributions to run on it.