Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-09-14 17:30
Spectre variants 3a and 4
Intel has, finally, disclosed two more Spectre variants, called 3a and 4. The first ("rogue system register read") allows system-configuration registers to be read speculatively, while the second ("speculative store bypass") could enable speculative reads to data after a store operation has been speculatively ignored. Some more information on variant 4 can be found in the Project Zero bug tracker. The fix is to install microcode updates, which are not yet available.
[$] Network filesystem topics
At the 2018 Linux Storage, Filesystem, and Memory-Management Summit (LSFMM), Steve French led a discussion of various problem areas for network filesystems. Unlike previous sessions (in 2016 and 2017), there was some good news to report because the long-awaited statx() system call was released in Linux 4.11. But there is still plenty of work to be done to better support network filesystems in Linux.
Parrot 4.0 is out
Parrot 4.0 has been released. Parrot is a security-oriented distribution aimed at penetration tests and digital forensics analysis, with additional tools to preserve privacy. "On Parrot 4.0 we decided to provide netinstall images too as we would like people to use Parrot not only as a pentest distribution, but also as a framework to build their very own working environment with ease." Docker templates are also available.
Security updates for Monday
Security updates have been issued by Arch Linux (lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, and libcurl-gnutls), CentOS (firefox), Debian (imagemagick), Fedora (exiv2, LibRaw, and love), Gentoo (chromium), Mageia (kernel, librelp, and miniupnpc), openSUSE (curl, enigmail, ghostscript, libvorbis, lilypond, and thunderbird), Red Hat (Red Hat OpenStack Platform director), and Ubuntu (firefox).
Kernel prepatch 4.17-rc6
The 4.17-rc6 kernel prepatch is out. "So nothing special to report. Go read the shortlog, pull the changes, build, and test. It should all be good and pretty stable by this point."
Some weekend stable kernel updates
The 4.16.10, 4.14.42, and 4.9.101 stable kernel updates are available; each contains another set of important fixes.
The Software Freedom Conservancy on Tesla's GPL compliance
The Software Freedom Conservancy has put out a blog posting on the history and current status of Tesla's GPL compliance issues. "We're thus glad that, this week, Tesla has acted publicly regarding its current GPL violations and has announced that they've taken their first steps toward compliance. While Tesla acknowledges that they still have more work to do, their recent actions show progress toward compliance and a commitment to getting all the way there."
[$] The NOVA filesystem
At the 2018 Linux Storage, Filesystem, and Memory-Management Summit, Andiry Xu presented the NOVA filesystem, which he is trying to get into the upstream kernel. Unlike existing kernel filesystems, NOVA exclusively targets non-volatile main memory (NVMM) rather than traditional block devices (disks or SSDs). In fact, it does not use the kernel's block layer at all and instead uses persistent memory mapped directly into the kernel address space.
Williams: Introducing Git protocol version 2
Brandon Williams writes about the new Git remote protocol that will debut in the 2.18 release. "We recently rolled out support for protocol version 2 at Google and have seen a performance improvement of 3x for no-op fetches of a single branch on repositories containing 500k references. Protocol v2 has also enabled a reduction of 8x of the overhead bytes (non-packfile) sent from googlesource.com servers. A majority of this improvement is due to filtering references advertised by the server to the refs the client has expressed interest in."
Vim 8.1 released
Version 8.1 of the Vim editor is available. "The main new feature of Vim 8.1 is support for running a terminal in a Vim window. This builds on top of the asynchronous features added in Vim 8.0."
[$] A reworked TCP zero-copy receive API
In April, LWN looked at the new API for zero-copy reception of TCP data that had been merged into the net-next tree for the 4.18 development cycle. After that article was written, a couple of issues came to the fore that required some changes to the API for this feature. Those changes have been made and merged; read on for the details.
Security updates for Friday
Security updates have been issued by Arch Linux (curl and zathura-pdf-mupdf), Debian (libmad and vlc), openSUSE (enigmail), Red Hat (collectd, Red Hat OpenStack Platform director, and sensu), and SUSE (firefox, ghostscript, and mysql).
Haas: Built-in Sharding for PostgreSQL
Robert Haas writes about the sharding capabilities that PostgreSQL will someday have. "The capabilities already added are independently useful, but I believe that some time in the next few years we're going to reach a tipping point. Indeed, I think in a certain sense we already have. Just a few years ago, there was serious debate about whether PostgreSQL would ever have built-in sharding. Today, the question is about exactly which features are still needed."
[$] Securing the container image supply chain
"Security is hard" is a tautology, especially in the fast-moving world of container orchestration. We have previously covered various aspects of Linux container security through, for example, the Clear Containers implementation or the broader question of Kubernetes and security, but those are mostly concerned with container isolation; they do not address the question of trusting a container's contents. What is a container running? Who built it and when? Even assuming we have good programmers and solid isolation layers, propagating that good code around a Kubernetes cluster and making strong assertions on the integrity of that supply chain is far from trivial. The 2018 KubeCon + CloudNativeCon Europe event featured some projects that could eventually solve that problem.
Security updates for Thursday
Security updates have been issued by Arch Linux (runc), Debian (curl), Fedora (xdg-utils), Mageia (firefox), openSUSE (libreoffice, librsvg, and php5), Slackware (curl and php), SUSE (curl, firefox, kernel, kvm, libapr1, libvorbis, and memcached), and Ubuntu (curl, dpdk, php5, and qemu).
[$] LWN.net Weekly Edition for May 17, 2018
The LWN.net Weekly Edition for May 17, 2018 is available.
[$] A Gilectomy update
In a rather short session at the 2018 Python Language Summit, Larry Hastings updated attendees on the status of his Gilectomy project. The aim of that effort is to remove the global interpreter lock (GIL) from CPython. Since his status report at last year's summit, little has happened, which is part of why the session was so short. He hasn't given up on the overall idea, but it needs a new approach.
Stable kernel updates
Stable kernels 4.16.9, 4.14.41, 4.9.100, 4.4.132, and 3.18.109 have been released. As usual, they all contain important fixes and users should upgrade.
[$] XFS online filesystem scrubbing and repair
In a filesystem track session at the 2018 Linux Storage, Filesystem, and Memory-Management Summit (LSFMM), Darrick Wong talked about the online scrubbing and repair features he has been working on. His target has mostly been XFS, but he has concurrently been working on scrubbing for ext4. Part of what he wanted to discuss was the possibility of standardizing some of these interfaces across different filesystem types.
[$] Updates in container isolation
At KubeCon + CloudNativeCon Europe 2018, several talks explored the topic of container isolation and security. The last year saw the release of Kata Containers which, combined with the CRI-O project, provided strong isolation guarantees for containers using a hypervisor. During the conference, Google released its own hypervisor called gVisor, adding yet another possible solution for this problem. Those new developments prompted the community to work on integrating the concept of "secure containers" (or "sandboxed containers") deeper into Kubernetes. This work is now coming to fruition; it prompts us to look again at how Kubernetes tries to keep the bad guys from wreaking havoc once they break into a container.
Security updates for Wednesday
Security updates have been issued by CentOS (dhcp), Debian (xen), Fedora (dhcp, flac, kubernetes, leptonica, libgxps, LibRaw, matrix-synapse, mingw-LibRaw, mysql-mmm, patch, seamonkey, webkitgtk4, and xen), Mageia (389-ds-base, exempi, golang, graphite2, libpam4j, libraw, libsndfile, libtiff, perl, quassel, spring-ldap, util-linux, and wget), Oracle (dhcp and kernel), Red Hat (389-ds-base, chromium-browser, dhcp, docker-latest, firefox, kernel-alt, libvirt, qemu-kvm, redhat-virtualization-host, rh-haproxy18-haproxy, and rhvm-appliance), Scientific Linux (389-ds-base, dhcp, firefox, libvirt, and qemu-kvm), and Ubuntu (poppler).
[$] Modifying the Python object model
At the 2018 Python Language Summit, Carl Shapiro described some of the experiments that he and others at Instagram did to look at ways to improve the performance of the CPython interpreter. The talk was somewhat academic in tone and built on what has been learned in other dynamic languages over the years. By modifying the Python object model fairly substantially, they were able to roughly double the performance of the "classic" Richards benchmark.
[$] Supporting multi-actuator drives
In a combined filesystem and storage session at the 2018 Linux Storage, Filesystem, and Memory-Management Summit (LSFMM), Tim Walker asked for help in designing the interface to some new storage hardware. He wanted some feedback on how a multi-actuator drive should present itself to the system. These drives have two (or, eventually, more) sets of read/write heads and other hardware that can all operate in parallel.
[$] Subinterpreter support for Python
Eric Snow kicked off the 2018 edition of the Python Language Summit with a look at getting a better story for multicore Python by way of subinterpreters. Back in 2015, we looked at his efforts at that point; things have been progressing since. There is more to do, of course, so he is hoping to attract more developers to work on the project. This is the start of the Python Language Summit coverage for this year; articles are being collected on a dedicated summit page as they are finished.
Canonical on trust and security in the Snap Store
Here's a posting from Canonical concerning the cryptocurrency-mining app that was discovered in its Snap Store. "Several years ago when we started the work on snap packages, we understood that we could not instantly implement an alternative that was completely safe from all perspectives. In addition to being safe, it had to be useful. So the challenge we gave ourselves was to significantly improve the situation immediately, and then pave the road for incremental improvements that could be rolled out gradually."
Security updates for Tuesday
Security updates have been issued by Arch Linux (firefox, llpp, and webkit2gtk), Debian (kwallet-pam), Fedora (kernel and pam-kwallet), Gentoo (mpv), Oracle (389-ds-base, firefox, libvirt, and qemu-kvm), and Ubuntu (php5 and php5, php7.0, php7.1, php7.2).
Security updates for Monday
Security updates have been issued by Debian (tiff and tiff3), Fedora (glusterfs, kernel, libgxps, LibRaw, postgresql, seamonkey, webkit2gtk3, wget, and xen), Mageia (afflib, flash-player-plugin, imagemagick, qpdf, and transmission), openSUSE (Chromium, opencv, and xen), SUSE (kernel), and Ubuntu (firefox).
[$] Autoscaling for Kubernetes workloads
Technologies like containers, clusters, and Kubernetes offer the prospect of rapidly scaling the available computing resources to match variable demands placed on the system. Actually implementing that scaling can be a challenge, though. During KubeCon + CloudNativeCon Europe 2018, Frederic Branczyk from CoreOS (now part of Red Hat) held a packed session to introduce a standard and officially recommended way to scale workloads automatically in Kubernetes clusters.
Serious vulnerabilities with OpenPGP and S/MIME
The efail.de site describes a set of vulnerabilities in the implementation of PGP and MIME that can cause the disclosure of encrypted communications, including old messages. "In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs." The EFF recommends uninstalling email-encryption tools that automatically decrypt email entirely. "Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email."
Kernel prepatch 4.17-rc5
The 4.17-rc5 kernel prepatch has been released. "So I think we're in pretty good shape. Please go keep testing, though, to make sure we're not missing anything."
Pascutto: Linux sandboxing improvements in Firefox 60
Gian-Carlo Pascutto posts about the sandboxing improvements in the Firefox 60 release. "The most important change is that content processes — which render Web pages and execute JavaScript — are no longer allowed to directly connect to the Internet, or connect to most local services accessed with Unix-domain sockets (for example, PulseAudio)."
[$] Using user-space tracepoints with BPF
Much has been written on LWN about dynamically instrumenting kernel code. These features are also available to user-space code with a special kind of probe known as a User Statically-Defined Tracing (USDT) probe. These probes provide a low-overhead way of instrumenting user-space code and provide a convenient way to debug applications running in production. In this final article of the BPF and BCC series we'll look at where USDT probes come from and how you can use them to understand the behavior of your own applications.
Security updates for Friday
Security updates have been issued by Arch Linux (libmupdf, mupdf, mupdf-gl, and mupdf-tools), Debian (firebird2.5, firefox-esr, and wget), Fedora (ckeditor, drupal7, firefox, kubernetes, papi, perl-Dancer2, and quassel), openSUSE (cairo, firefox, ImageMagick, libapr1, nodejs6, php7, and tiff), Red Hat (qemu-kvm-rhev), Slackware (mariadb), SUSE (xen), and Ubuntu (openjdk-8).
Announcing Rust 1.26
The Rust team has announced the release of version 1.26.0 of the Rust programming language. "The past few releases have had a steady stream of relatively minor additions. We’ve been working on a lot of stuff, however, and it’s all starting to land in stable. 1.26 is possibly the most feature-packed release since Rust 1.0."
[$] An introduction to MQTT
I was sure that somewhere there must be physically-lightweight sensors with simple power, simple networking, and a lightweight protocol that allowed them to squirt their data down the network with a minimum of overhead. So my interest was piqued when Jan-Piet Mens spoke at FLOSSUK's Spring Conference on "Small Things for Monitoring". Once he started passing working demonstration systems around the room without interrupting the demonstration, it was clear that MQTT was what I'd been looking for.
Security updates for Thursday
Security updates have been issued by Arch Linux (freetype2, libraw, and powerdns), CentOS (389-ds-base and kernel), Debian (php5, prosody, and wavpack), Fedora (ckeditor, fftw, flac, knot-resolver, patch, perl, and perl-Dancer2), Mageia (cups, flac, graphicsmagick, libcdio, libid3tag, and nextcloud), openSUSE (apache2), Oracle (389-ds-base and kernel), Red Hat (389-ds-base and flash-plugin), Scientific Linux (389-ds-base), Slackware (firefox and wget), SUSE (xen), and Ubuntu (wget).
Hutterer: X server pointer acceleration analysis
For those who are curious about the rather complex way in which X server pointer acceleration works, Peter Hutterer has put together a four-part series on the topic: part 1, part 2, part 3, and part 4. "The input for the acceleration profile is a speed in mickeys, a threshold (in mickeys) and a max accel factor (unitless). Mickeys are a bit tricky. This means the acceleration is device-specific, the deltas for a mouse at 1000 dpi are 20% larger than the deltas for a mouse at 800 dpi (assuming same physical distance and speed)".
[$] LWN.net Weekly Edition for May 10, 2018
The LWN.net Weekly Edition for May 10, 2018 is available.
The plan for merging CoreOS into Red Hat
The CoreOS blog is carrying an article describing the path forward now that CoreOS is owned by Red Hat. "Since Red Hat’s acquisition of CoreOS was announced, we received questions on the fate of Container Linux. CoreOS’s first project, and initially its namesake, pioneered the lightweight, 'over-the-air' automatically updated container native operating system that fast rose in popularity running the world’s containers. With the acquisition, Container Linux will be reborn as Red Hat CoreOS, a new entry into the Red Hat ecosystem. Red Hat CoreOS will be based on Fedora and Red Hat Enterprise Linux sources and is expected to ultimately supersede Atomic Host as Red Hat’s immutable, container-centric operating system." Some information can also be found in this Red Hat press release.
[$] Licenses for data
The amount of available data is growing larger these days, to the point that some data sets are far larger than any one company or organization can create and maintain. So companies and others want to share data in ways that are similar to how they share code. Some of those companies are members of the Linux Foundation (LF), which is part of why that organization got involved in the process of creating licenses for this data. LF VP of Strategic Programs Mike Dolan came to the 2018 Legal and Licensing Workshop (LLW) to describe how the Community Data License Agreement (CDLA) came about.
Firefox 60 released
Mozilla has released Firefox 60. From the release notes: "Firefox 60 offers something for everyone and a little something extra for everyone who deploys Firefox in an enterprise environment. This release includes changes that give you more content and more ways to customize your New Tab/Firefox Home. It also introduces support for the Web Authentication API, which means you can log in to websites in Firefox with USB tokens like YubiKey. Firefox 60 also brings a new policy engine and Group Policy support for enterprise deployments. For more info about why and how to use Firefox in the enterprise, see this blog post."
Stable kernel updates
Stable kernels 4.16.8, 4.14.40, and 4.9.99 have been released. They all contain important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (kernel), Gentoo (rsync), openSUSE (Chromium), Oracle (kernel), Red Hat (kernel and kernel-rt), Scientific Linux (kernel), SUSE (kernel and php7), and Ubuntu (dpdk, libraw, linux, linux-lts-trusty, linux-snapdragon, and webkit2gtk).
Battle for Wesnoth 1.14 released
Version 1.14 of the Battle for Wesnoth role-playing strategy game — the first release in over three years — is available. "Along with the long-awaited debut on Steam, this new release series brings forth a vast number of additions and changes in all areas: a new single-player campaign, a visual and functional refresh of the multiplayer lobby and add-ons manager, a refurbished display engine, new unit graphics and animations, and much more."
[$] A mapping layer for filesystems
In a plenary session on the second day of the Linux Storage, Filesystem, and Memory-Management Summit (LSFMM), Dave Chinner described his ideas for a virtual block address-space layer. It would allow "space accounting to be shared and managed at various layers in the storage stack". One of the targets for this work is for filesystems on thin-provisioned devices, where the filesystem is larger than the storage devices holding it (and administrators are expected to add storage as needed); in current systems, running out of space causes huge problems for filesystems and users because the filesystem cannot communicate that error in a usable fashion.
Security updates for Tuesday
Security updates have been issued by Debian (wget), SUSE (patch), and Ubuntu (qpdf).
[$] Shared memory mappings for devices
In a short filesystem-only discussion at the 2018 Linux Storage, Filesystem, and Memory-Management Summit (LSFMM), Jérôme Glisse wanted to talk about some (more) changes to support GPUs, FPGAs, and RDMA devices. In other talks at LSFMM, he discussed changes to struct page in support of these kinds of devices, but here he was looking to discuss other changes to support mapping a device's memory into multiple processes. It should be noted that I had a hard time following the discussion in this session, so there may be significant gaps in the article.
[$] Who controls glibc?
The removal of an old joke from the GNU C Library manual might not seem like the sort of topic that would inspire a heated debate. At times, though, a small action can serve as an inadvertent proxy for a more significant question, one which is relevant to both the developers and the users of the project. In this case, that question would be: how is the project governed and who makes decisions about which patches are applied?
[$] XFS parent pointers
At the 2018 Linux Storage, Filesystem, and Memory-Management Summit (LSFMM), Allison Henderson led a session to discuss an XFS feature she has been working on: parent pointers. These would be pointers stored in extended attributes (xattrs) that would allow various tools to reconstruct the path for a file from its inode. In XFS repair scenarios, that path will help with reconstruction as well as provide users with better information about where the problems lie.
Security updates for Monday
Security updates have been issued by Debian (libdatetime-timezone-perl, libmad, lucene-solr, tzdata, and wordpress), Fedora (drupal7, scummvm, scummvm-tools, and zsh), Mageia (boost, ghostscript, gsoap, java-1.8.0-openjdk, links, and php), openSUSE (pam_kwallet), and Slackware (python).