Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-17 09:15
[$] Designing ELF modules
The bpfilter proposal posted in February included a new type of kernel module that would run as a user-space program; its purpose is to parse and translate iptables rules under the kernel's control but in a contained, non-kernel setting. These "ELF modules" were reposted for review as a standalone patch set in early March. That review has happened; it is a good example of how community involvement can improve a special-purpose patch and turn it into a more generally useful feature.
An important Samba 4 security release
Anybody running Samba 4 servers probably wants to take a look at this alert and upgrade their systems. "CVE-2018-1057: On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users."
Numerous vulnerabilities in AMD processors
A company called CTS has disclosed a long series of vulnerabilities in AMD processors. "The chipset is a central component on Ryzen and Ryzen Pro workstations: it links the processor with hardware devices such as WiFi and network cards, making it an ideal target for malicious actors. The Ryzen chipset is currently being shipped with exploitable backdoors that could let attackers inject malicious code into the chip, providing them with a safe haven to operate from." See the associated white paper for more details. Update: there are a lot of questions circulating about the actual severity of these vulnerabilities and the motivations of the people reporting them. It may not be time to panic quite yet.
Firefox 59 released
Mozilla has released Firefox 59, the next iteration of Firefox Quantum. From the release notes: "On Firefox for desktop, we’ve improved page load times, added tools to annotate and crop your Firefox Screenshots, and made it easier to arrange your Top Sites on the Firefox Home page. On Firefox for Android, we’ve added support for sites that stream video using the HLS protocol."
[$] JupyterLab: ready for users
In the recent article about Jupyter and its notebooks, we mentioned that a new interface, called JupyterLab, existed in what its developers described as an "early preview" stage. About two weeks after that article appeared, Project Jupyter made a significant announcement: JupyterLab is "ready for users". Users will find a more integrated environment for scientific computation that is also more easily extended. JupyterLab takes the Jupyter Notebook to a level of functionality that will propel it well into the next decade—and beyond.
Security updates for Tuesday
Security updates have been issued by Debian (samba), Fedora (tor), openSUSE (glibc, mysql-connector-java, and shadow), Oracle (dhcp), Red Hat (bind, chromium-browser, and dhcp), Scientific Linux (dhcp), and SUSE (java-1_7_0-openjdk, java-1_8_0-ibm, and java-1_8_0-openjdk).
[$] Variable-length arrays and the max() mess
Variable-length arrays (VLAs) have a non-constant size that is determined (and which can vary) at run time; they are supported by the ISO C99 standard. Use of VLAs in the kernel has long been discouraged but not prohibited, so there are naturally numerous VLA instances to be found. A recent push to remove VLAs from the kernel entirely has gained momentum, but it ran into an interesting snag on the way.
The Rust 2018 roadmap
Here is the Rust community's plan for the rest of this year. "This year, we will deliver Rust 2018, marking the first major new edition of Rust since 1.0 (aka Rust 2015). We will continue to publish releases every six weeks as usual. But we will designate a release in the latter third of the year (Rust 1.29 - 1.31) as Rust 2018. This new 'edition' of Rust will be the culmination of feature stabilization throughout the year, and will ship with polished documentation, tooling, and libraries that tie in to those features."
Debian 9.4 released
The Debian Project has released the fourth update to Debian 9 "stretch". As usual, this update mainly adds corrections for security issues, along with a few adjustments for serious problems. "Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release."
Security updates for Monday
Security updates have been issued by CentOS (389-ds-base, dhcp, kernel, libreoffice, php, quagga, and ruby), Debian (ming, util-linux, vips, and zsh), Fedora (community-mysql, php, ruby, and transmission), Gentoo (newsbeuter), Mageia (libraw and mbedtls), openSUSE (php7 and python-Django), Red Hat (MRG Realtime 2.5), and SUSE (kernel).
Kernel prepatch 4.16-rc5
The 4.16-rc5 kernel prepatch is out, right on schedule. "This continues to be pretty normal - this rc is slightly larger than rc4 was, but that looks like one of the normal fluctuations due to timing of pull requests, not due to anything distressing."
A pile of stable kernel updates
The 4.15.9, 4.14.26, 4.9.87, 4.4.121, and 3.18.99 stable kernel updates have all been released. Each contains a relatively small set of important fixes and updates.
Robinson: Fedora IoT Edition is go!
On his blog, Peter Robinson announced the acceptance of a new edition of Fedora for the Internet of Things (IoT). He had proposed it as a Fedora "spin", but the Fedora Council decided to make it a full-fledged edition with its own working group. "So what will be happening over the coming weeks (and months)? We’ll be getting the working group in place, getting an initial monthly release process in place so that people can start to have something to kick the tires with and provide feedback and drive discussion. With those two big pieces in place we can start to grow the Fedora IoT community and work out the bits that work and bits that don’t work."
Stable kernels 4.15.8 and 4.14.25
Greg Kroah-Hartman has announced the release of the 4.15.8 and 4.14.25 stable kernels. Both contain a large collection of fixes throughout the tree; users of those kernel series should upgrade.
Security updates for Friday
Security updates have been issued by openSUSE (rsync, shotwell, and squid), Oracle (dhcp), Red Hat (dhcp), Scientific Linux (dhcp), SUSE (java-1_7_0-ibm and xen), and Ubuntu (clamav, kernel, and zsh).
[$] Time-based packet transmission
Normally, when an application sends data over the network, it wants that data to be transmitted as quickly as possible; the kernel's network stack tries to oblige. But there are applications that need their packets to be transmitted within specific time windows. This behavior can be approximated in user space now, but a better solution is in the works in the form of the time-based packet transmission patch set.
LLVM 6.0.0 released
Version 6.0.0 of the LLVM compiler suite is out. "This release is the result of the community's work over the past six months, including: retpoline Spectre variant 2 mitigation, significantly improved CodeView debug info for Windows, GlobalISel by default for AArch64 at -O0, improved scheduling on several x86 micro-architectures, Clang defaults to -std=gnu++14 instead of -std=gnu++98, support for some upcoming C++2a features, improved optimizations, new compiler warnings, many bug fixes, and more."
Security updates for Thursday
Security updates have been issued by Debian (isc-dhcp and python-django), Gentoo (go and util-linux), Mageia (389-ds-base, dovecot, and tor), openSUSE (python-Django), Oracle (389-ds-base, kernel, libreoffice, and php), Scientific Linux (389-ds-base, kernel, libreoffice, and php), and Ubuntu (clamav and libreoffice).
[$] LWN.net Weekly Edition for March 8, 2018
The LWN.net Weekly Edition for March 8, 2018 is available.
[$] Supporting virtual reality displays in Linux
At linux.conf.au (LCA) 2017 in Hobart, Tasmania, Keith Packard talked with kernel graphics maintainer Dave Airlie about how virtual reality devices should be hooked up to Linux. They both thought it would be pretty straightforward to do, so it would "only take a few weeks", but Packard knew "in reality it would take a lot longer". In a talk at LCA 2018 in Sydney, Packard reported back on the progress he has made; most of it is now in the upstream kernel.
Welte: Report from the Geniatech vs. McHardy GPL violation court hearing
Harald Welte attended a hearing in one of the Patrick McHardy GPL cases and wrote up what he saw. "I'm not arguing for a "too soft" approach. It's almost 15 years since the first court cases on license violations on (embedded) Linux, and the fact that the problem still exists today clearly shows the industry is very far from having solved a seemingly rather simple problem. On the other hand, such activities must always be oriented to compliance, and compliance only. Collecting huge amounts of contractual penalties is questionable. And if it was necessary to collect such huge amounts to motivate large corporations to be compliant, then this must be done in the open, with the community knowing about it, and the proceeds of such contractual penalties must be donated to free software related entities to prove that personal financial gain is not a motivation."
[$] LinuxBoot: Linux as firmware
Both the free-software and security communities have recently been focusing on the elements of our computers that run below the operating system. These proprietary firmware components are usually difficult or impossible to extend and it has long been suspected (and proven in several cases) that there are significant security concerns with them. The LinuxBoot Project is working to replace this complex, proprietary, and largely unknown firmware with a Linux kernel. That has the added benefit of replacing the existing drivers in the firmware with well-tested drivers from Linux.
Khronos Group Releases Vulkan 1.1
The Khronos Group has announced the release of the Vulkan GPU API version 1.1 and SPIR-V 1.3 specifications. "Version 1.1 expands Vulkan’s core functionality with developer-requested features, such as subgroup operations, while integrating a wide range of proven extensions from Vulkan 1.0. Khronos will also release full Vulkan 1.1 conformance tests into open source and AMD, Arm, Imagination, Intel Corporation, NVIDIA and Qualcomm have implemented conformant Vulkan 1.1 drivers."
[$] Preventing kernel-stack leaks
The kernel stack is a small, frequently reused region of memory in each thread's address space. That reuse allows for efficient memory use and good performance as a result of cache locality, but it also presents a problem: data left on the stack can also end up being reused in ways that were not intended. The PaX patch set contains a mechanism designed to clear that data from the stack and prevent leaks, but an attempt to merge that code into the kernel has run into a snag.
Security updates for Wednesday
Security updates have been issued by Arch Linux (python-django and python2-django), Debian (leptonlib), Fedora (bugzilla, cryptopp, electrum, firefox, freexl, glibc, jhead, libcdio, libsamplerate, libXcursor, libXfont, libXfont2, mingw-wavpack, nx-libs, php, python-crypto, quagga, sharutils, unzip, x2goserver, and xen), Gentoo (exim), openSUSE (cups, go1.8, ImageMagick, jgraphx, leptonica, openexr, tor, and wavpack), Red Hat (389-ds-base, java-1.7.1-ibm, kernel, kernel-rt, libreoffice, and php), SUSE (java-1_7_1-ibm), and Ubuntu (python-django).
[$] Easy photo galleries with Sigal
Sigal is a "simple static gallery generator" with a straightforward design, a nice feature set, and great themes. It was started as a toy project, but has nevertheless grown into a sizable and friendly community. After struggling with maintenance using half a dozen photo gallery projects along the way, guest author Antoine Beaupré has found a nice little gem that he would like to share with LWN readers.
Exploring free and open web fonts (opensource.com)
Nathan Willis looks beyond open web fonts on opensource.com. "For starters, it's critical to understand that Google Fonts and Open Font Library offer a specialized service—delivering fonts in web pages—and they don't implement solutions for other use cases. That is not a shortcoming on the services' side; it simply means that we have to develop other solutions. There are a number of problems to solve. Probably the most obvious example is the awkwardness of installing fonts on a desktop Linux machine for use in other applications. You can download any of the web fonts offered by either service, but all you will get is a generic ZIP file with some TTF or OTF binaries inside and a plaintext license file. What happens next is up to you to guess."
Security updates for Tuesday
Security updates have been issued by Arch Linux (dhclient and dhcp), Debian (tomcat7 and xen), Fedora (dhcp), Mageia (glibc and xerces-c), SUSE (xen), and Ubuntu (irssi, memcached, postgresql-9.3, postgresql-9.5, postgresql-9.6, and twisted).
[$] Virtual private networks with WireGuard
Virtual private networks (VPNs) offer a lot in the way of increased security and privacy. They have also tended to offer less desirable features like administrative complexity and reduced performance, though; as a result, many potential VPN users decide not to bother. A relatively new project called WireGuard hopes to address both of those problems with an in-kernel solution that is both simple and fast.
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.14.24, 4.9.86, 4.4.120, and 3.18.98. They all contain important fixes and users should upgrade.
Security updates for Monday
Security updates have been issued by Arch Linux (busybox and mkinitcpio-busybox), Debian (dovecot, freexl, kernel, libjgraphx-java, libvpx, trafficserver, and xen), Fedora (ruby), Mageia (phpmyadmin and xv), openSUSE (go), SUSE (ansible, cups, and xen), and Ubuntu (dovecot and qemu).
Kernel prepatch 4.16-rc4
The 4.16-rc4 kernel prepatch is out for testing. "Hmm. A reasonably calm week".
What's New in Qubes 4 (Linux Journal)
Linux Journal has a look at Qubes 4, which is due to be released in the next month or so. It has undergone a refactoring of sorts. "Another major change in Qubes 4 relates to the GUI VM manager. In past releases, this program provided a graphical way for you to start, stop and pause VMs. It also allowed you to change all your VM settings, firewall rules and even which applications appeared in the VM's menu. It also provided a GUI way to back up and restore VMs. With Qubes 4, a lot has changed. The ultimate goal with Qubes 4 is to replace the VM manager with standalone tools that replicate most of the original functionality."
Ubuntu 16.04.4 LTS released
The fourth update to the Ubuntu 16.04 long-term support distribution has been released; it is available from the "Get Ubuntu" web page. "As usual, this point release includes many updates, and updated installation media has been provided so that fewer updates will need to be downloaded after installation. These include security updates and corrections for other high-impact bugs, with a focus on maintaining stability and compatibility with Ubuntu 16.04 LTS. Kubuntu 16.04.4 LTS, Xubuntu 16.04.4 LTS, Mythbuntu 16.04.4 LTS, Ubuntu GNOME 16.04.4 LTS, Lubuntu 16.04.4 LTS, Ubuntu Kylin 16.04.4 LTS, Ubuntu MATE 16.04.4 LTS and Ubuntu Studio 16.04.4 LTS are also now available." Information about what has changed can be found in the overall release notes and in the release notes for the various Ubuntu flavors.
Security updates for Friday
Security updates have been issued by Debian (freexl and simplesamlphp), Fedora (krb5, libvirt, php-phpmyadmin-motranslator, php-phpmyadmin-sql-parser, and phpMyAdmin), Mageia (krb5, leptonica, and libvirt), Slackware (dhcp and ntp), and Ubuntu (isc-dhcp).
[$] Shrinking the kernel with a hammer
This is the fourth article of a series discussing various methods of reducing the size of the Linux kernel to make it suitable for small environments. Reducing the kernel binary has its limits and we have pushed them as far as possible at this point. Still, our goal, which is to be able to run Linux entirely from the on-chip resources of a microcontroller, has not been reached yet. This article will conclude this series by looking at the problem from the perspective of making the kernel and user space fit into a resource-limited system.
A site for reviews of Tumbleweed snapshots
As leading-edge rolling distributions go, OpenSUSE Tumbleweed is relatively stable, but it is still true that some snapshots are better than others. Jimmy Berry has announced the creation of a web site tracking the quality of each day's snapshot. "By utilizing a variety of sources of feedback pertaining to snapshots a stability score is estimated. The goal is to err on the side of caution and to allow users to avoid troublesome releases."
Security updates for Thursday
Security updates have been issued by Debian (xmltooling), Fedora (mbedtls), openSUSE (freexl), Oracle (quagga and ruby), Red Hat (.NET Core, quagga, and ruby), Scientific Linux (quagga and ruby), SUSE (glibc), and Ubuntu (libreoffice).
[$] LWN.net Weekly Edition for March 1, 2018
The LWN.net Weekly Edition for March 1, 2018 is available.
Free Software Foundation 2016 annual report
The Free Software Foundation has announced the availability of its 2016 annual report. "The Annual Report reviews the Foundation's activities, accomplishments, and financial picture from October 1, 2015 to September 30, 2016. It is the result of a full external financial audit, along with a focused study of program results." It may lack punctuality, but it makes up for it in glitz.
[$] The true costs of hosting in the cloud
Should we host in the cloud or on our own servers? This question was at the center of Dmytro Dyachuk's talk, given during KubeCon + CloudNativeCon last November. While many services simply launch in the cloud without the organizations behind them considering other options, large content-hosting services have actually moved back to their own data centers: Dropbox migrated in 2016 and Instagram in 2014. Because such transitions can be expensive and risky, understanding the economics of hosting is a critical part of launching a new service. Actual hosting costs are often misunderstood, or secret, so it is sometimes difficult to get the numbers right. In this article, we'll use Dyachuk's talk to try to answer the "million dollar question": "buy or rent?"
Security updates for Wednesday
Security updates have been issued by Arch Linux (mbedtls), CentOS (gcab and java-1.7.0-openjdk), Debian (drupal7, lucene-solr, wavpack, and xmltooling), Fedora (dnsmasq, gcab, gimp, golang, knot-resolver, ldns, libsamplerate, mingw-OpenEXR, mingw-poppler, python-crypto, qt5-qtwebengine, sblim-sfcb, systemd, unbound, and wavpack), Mageia (ioquake3, TiMidity++, tomcat, tomcat-native, and wireshark), openSUSE (systemd and zziplib), Red Hat (erlang and openstack-nova and python-novaclient), and SUSE (kernel).
Stable kernel updates
Stable kernels 4.15.7, 4.14.23, 4.9.85, 4.4.119, and 3.18.97 have been released. They all contain important fixes and users should upgrade.
[$] Creating an email archive with public-inbox
Keeping up with the free-software development community requires following a lot of mailing lists. For many years, the Gmane email archive has helped your editor to do that without going any crazier than he already is, but Gmane is becoming an increasingly unreliable resource. A recent incident increased the priority of a longstanding goal to find (or create) an alternative to Gmane. That, in turn, led to the discovery of public-inbox.
[$] Avoiding license violations in a large organization
License violations are generally not done by malice, but simply by mistake. But correcting those mistakes can be messy, so it would be better for large (and small) organizations not to make them in the first place. To try to head off license problems, Andreas Schreiber and his colleagues at Germany's aeronautics and space research center, DLR, have put together educational materials and worked on training. Schreiber spoke about this work at FOSDEM 2018. Subscribers can read on for a report on the talk by guest author Tom Yates.
Security updates for Tuesday
Security updates have been issued by Fedora (exim, irssi, php-phpmyadmin-motranslator, php-phpmyadmin-sql-parser, phpMyAdmin, and seamonkey), Mageia (cups, flatpak, golang, jhead, and qpdf), Oracle (gcab, java-1.7.0-openjdk, and kernel), Red Hat (gcab, java-1.7.0-openjdk, and java-1.8.0-ibm), Scientific Linux (gcab and java-1.7.0-openjdk), and Ubuntu (sensible-utils).
[$] Habitica: a role-playing game for self improvement
What if real-life chores could gain you fake internet points like in an online role-playing game? That's the premise of Habitica, a productivity application disguised as a game. It's a self-improvement application where players can list their daily tasks or to-do items in the game; every time one is checked-off, the game rewards the player with points or game items.
[$] Shedding old architectures and compilers in the kernel
The kernel development process tends to be focused on addition: each new release supports more drivers, more features, and often new processor architectures. As a result, almost every kernel release has been larger than its predecessor. But occasionally even the kernel needs to slim down a bit. Upcoming kernel releases are likely to see the removal of support for a number of unloved architectures and, in an unrelated move, the removal of support for some older compilers.
Security updates for Monday
Security updates have been issued by Arch Linux (lib32-wavpack, phpmyadmin, unixodbc, and wavpack), Debian (drupal7, golang, imagemagick, libdatetime-timezone-perl, libvpx, and tzdata), Fedora (exim, irssi, kernel, milkytracker, qt5-qtwebengine, seamonkey, and suricata), Mageia (advancecomp, apache-commons-email, freetype2, ghostscript, glpi, jackson-databind, kernel, mariadb, and postgresql), openSUSE (dhcp, GraphicsMagick, lame, php5, phpMyAdmin, timidity, and wireshark), and Oracle (kernel).
Kernel prepatch 4.16-rc3
The 4.16-rc3 kernel prepatch is out for testing. Linus says: "rc3 is larger than rc2 was, but as mentioned last week, that's expected - rc2 really was tiny. People have started finding things to fix, but there's nothing that really stands out as particularly scary here."