LWN.net

On his blog, Linux Foundation Director of IT Infrastructure Security Konstantin Ryabitsev has some advice for laptop security when traveling overseas. Some attendees of LinuxCon China in Beijing June 19-20 have asked for his thoughts, so he put together the post, which is good advice, if perhaps overly paranoid for some, no matter what country you might be visiting. "China is not signatory to the "Personal Use Exemption" when it comes to encrypted devices, so bringing a laptop with encrypted hard drive with you is not technically legal. If the border officer does not like you for some reason and has grounds to suspect you are not being truthful about your stated reasons for entering China, you may be asked to decrypt your devices for a search. Failure to do so may result in unpleasantness, and you may be detained or fined merely on the grounds of having an encrypted device when entering the country. (As opposed to, for example, entering a country that is signatory to the personal use exemption, where just having an encrypted device is not grounds for any action. That said, it is never in your interest to make the border officer not like you for some reason. Until you are admitted to the country as a legal alien, the Geneva Convention and the Universal Declaration of Human Rights are pretty much the only legal frameworks protecting you as a person against foreign government action.)It is important to point out that you are extremely unlikely to be penalized for bringing in an encrypted laptop with you to China, as any kind of widespread zealous application of such practice would quickly shut down any business travel to China -- and this is definitely not in the government's interest."

Version 3.0 of thecalibre electronic-book reader has been released. "It has been almost three years since calibre 2.0. In that time lots has happened. The biggest new feature, which was in development for almost that entire period, is a completely re-written calibre Content server.The Content server allows you to wirelessly browse your calibre books onany modern phone/tablet and even read the books right in your phonebrowser." Other additions include support for high-DPI screens andsupport for multiple icon themes.

The early bird registration rate for Linux Plumbers Conference 2017 will end on June 18 (or before if all of the slots are sold). The early bird rate is $400 and that will increase to $550, so those interested may wish to visit the Attend page at the site. Linux Plumbers Conference will be held in Los Angeles, CA, US on13-15 September in conjunction with The Linux Foundation Open SourceSummit North America.

Security updates have been issued by Arch Linux (bind), Debian (request-tracker4, rt-authen-externalauth, and zookeeper), openSUSE (mercurial, otrs, thunderbird, and tor), and Ubuntu (libmwaw and zziplib).

FreeNAS 11.0 has been released. "Thisversion brings new virtualization and object storage features to theWorld’s Most Popular Open Source Storage Operating System. FreeNAS 11.0adds bhyve virtual machines to its popular SAN/NAS, jails, and plugins,letting you use host web-scale VMs on your FreeNAS box. It also gives usersS3-compatible object storage services, which turns your FreeNAS box into anS3-compatible server, letting you avoid reliance on the cloud." LWNlooked at FreeNAS in February 2015.

The Brave web browser is a project froma new company called Brave Software. It was founded by Brendan Eich, who is theinventor of JavaScript and former developer and CTO at Mozilla; hehopes to dramatically re-invent the advertising model of the web whilestrengthening user anonymity and security. Brave's value proposition isthat instead of being served advertisements from web sites that use therevenue to pay their bills, users can opt to directly pay the contentproviders of their choosing with cryptocurrency. Also, there is arecognition of theutility of targeted advertising, so users have an option of saving a local,protected profile that can be used anonymously to obtain targetedadvertisements instead of having their online behavior tracked and sold bya third party.

Security updates have been issued by Arch Linux (flashplugin, kmail, lib32-flashplugin, and messagelib), CentOS (firefox), Debian (firefox-esr and libsndfile), Fedora (ettercap, gajim, libsndfile, poppler, and webkitgtk4), Mageia (catdoc, ettercap, libcryptopp, libytnef, and tor), Oracle (firefox), Scientific Linux (firefox), Slackware (bind and mozilla), SUSE (jakarta-taglibs-standard), and Ubuntu (firefox).

The LWN.net Weekly Edition for June 15, 2017 is available.

The Python core developers, and Victor Stinner in particular, have beenfocusing on improving the performance of Python 3 over the last fewyears. At PyCon 2017, Stinnergave a talk on some of the optimizations that have been added recently andthe effect they have had on various benchmarks. Along the way, he took a detour into some improvements that have been made for benchmarkingPython.

Chuck Lever has announcedthat the fedfs-utils project, which created utilities for the Federated Filesystem, willno longer be developed. The most interesting part, for many, may be thisdiscussion of why this project ground to a halt. (Thanks to Neil Brown).

The ups and downs of patching the kernel to wedge Linux into tiny systems has beendebated numerous times over the years, most recently in the context ofNicolas Pitre's alternative TTY layerpatches posted in April. Pitre is driving the debate again, this time by trying to shrink the kernel's CPU scheduler.In the process, he has exposed a couple of areas of fundamentaldisagreement on the value of this kind of work.

Since 2003, the Debian project has been running a servercalled Alioth to host source codeversion control systems. The server will hit the end of life of the DebianLTS release (Wheezy) next year; that deadline raised some questionsregarding the plans for the server over the coming years. Naturally, thatled to a discussion regarding possible replacements.

The Kernel Summit is undergoing some changes this year; the coredevelopers' gathering from previous events will be replaced by a half-day"maintainers summit" consisting of about 30 people. The process ofselecting those people, and of selecting topics for the open technicalsession, is underway now; interested developers are encouraged to submittheir topic ideas.

The moment when an antique operating system that has not run in decadesboots and presents a command prompt is thrilling for Warren Toomey, whofounded the Unix Heritage Society toreconstruct the early history of the Unix operating system. Recently thishistorical code has become much more accessible: we can now browse it in aninstant on GitHub, thanks to the efforts of a computer scienceprofessor at the Athens University of Economics and Business named DiomidisSpinellis.Click below (subscribers only) for a look at the Unix Heritage Society andwhat it has accomplished.

Stable kernels 4.11.5, 4.9.32, 4.4.72, and 3.18.57 have been released. All of themcontain important fixes and users should upgrade.

Security updates have been issued by Arch Linux (gnutls and tor), CentOS (qemu-kvm), Debian (libgcrypt20 and libosip2), Fedora (kernel), Mageia (flash-player-plugin, libosip2, and smb4k), openSUSE (ImageMagick), SUSE (mercurial), and Ubuntu (gnutls26, gnutls28).

Many benchmarks have been used by kernel developers over the years totest the performance of the scheduler. But recent kernel commit messageshave shown a particular pattern of tools being used (some relatively new),all of which were created specifically for developing scheduler patches.While each benchmark is different, having its own unique genesis story andintended testing scenario, there is a unifying attribute; they were allwritten to scratch a developer's itch.

Tails 3.0 has been released.Tails, the amnesic incognito live system, is a Debian-based live systemaimed at preserving privacy and anonymity. Version 3.0 is based on Debian9 (stretch). "It brings a completely new startup and shutdown experience, a lot of polishing to the desktop, security improvements in depth, and major upgrades to a lot of the included software."

Free electrons has released the initialversion of the ElixirCross-Referencer, a Linux source code cross-referencing online tool.Elixir uses a new engine written in Python that replaces LXR, theengine used in free electron's previous online tool. "Another reason that motivated a complete rewrite was that we wanted to provide an up-to-date reference (including the latest revisions) while keeping it immutable, so that external links to the source code wouldn’t get broken in the future. As a direct consequence, we would need to index many different revisions for each project, with potentially a lot of redundant information between them. That’s when we realized we could leverage the data model of Git to deal with this redundancy in an efficient manner, by indexing Git blobs, which are shared between revisions. In order to make sure queries under this strategy would be fast enough, we wrote a proof-of-concept in Python, and thus Elixir was born."

Firefox 54.0 has been released. The releasenotes are somewhat sparse, however thisblog post contains more information about some changes under-the-hood."To make Firefox run even complex sites faster, we’ve been changing it to run using multiple operating system processes. Translation? The old Firefox used a single process to run all the tabs in a browser. Modern browsers split the load into several independent processes. We named our project to split Firefox into multiple processes ‘Electrolysis (E10S)’ after the chemical process that divides water into its core elements. E10S is the largest change to Firefox code in our history. And today we’re launching our next big phase of the E10S initiative."

Fedora Magazine announcedthe release of Fedora 26 Beta. A final release is expected in July.The beta is available for Workstation, Server, Atomic Host, Spins, Labs,and ARM products. Fedora 26 brings many changes which can be seen in thechange set.

Security updates have been issued by Debian (tiff, tiff3, and zziplib), Fedora (libsndfile, log4j12, and postgresql), Oracle (qemu-kvm), and Scientific Linux (qemu-kvm).

The 4.12-rc5 prepatch is out; it is ratherlarger than others in this cycle, Linus Torvalds said. "It's not like rc5 is *huge*, but it definitely isn't the nice andsmall one I was hoping for. There's nothing in [particular] that looksvery worrisome, and it may well just be random timing - the rc sizesdo fluctuate a lot depending on just which subsystem gets synced upthat particular rc, and we may just have hit that "everybody happenedto sync up this week" case."

Security updates have been issued by Arch Linux (irssi, lib32-libtasn1, and wireshark-cli), Debian (libmwaw, otrs2, and tor), Fedora (ansible, freeradius, gnutls, mingw-poppler, mosquitto, oniguruma, perltidy, picocom, systemd, and wget), Mageia (ansible, dropbear, gajim, libsndfile, libxslt, lxc, zoneminder, and zziplib), openSUSE (ffmpeg, libnettle, mysql-connector-cpp, mysql-workbench, and wireshark), and Ubuntu (irssi).

PostgreSQL version 10 had its first beta release on May18, just in time for the annual PGCon developerconference. The latest annual release comes with a host of majorfeatures, including new versions of replication and partitioning, andenhanced parallel query. Version 10 includes 451 commits, nearly half amillion lines of code and documentation, and over 150 new or changedfeatures since version 9.6. The PostgreSQLcommunity will find a lot to get excited about in this release, as the project has delivered a long list of enhancements toexisting functionality. There's also a few features aimed at fulfillingnew use cases, particularly in the "big data" industry sector.

Security updates have been issued by Debian (ettercap), Fedora (mingw-poppler), Mageia (gc, libnl3, libtasn1, nss, puppet, and wireshark), and openSUSE (catdoc, gajim, GraphicsMagick, irssi, java-1_8_0-openjdk, kernel, libxml2, rxvt-unicode, and yodl).

Version 1.18 of the Rust programming language has been released."One of the largest changes is a long time coming: core team membersCarol Nichols and Steve Klabnik have been writing a new edition of “TheRust Programming Language”, the official book about Rust. It’s being written openly on GitHub, andhas over a hundred contributors in total. This release includes the first draft ofthe second edition in our online documentation. 19 out of 20 chaptershave a draft; the draft of chapter 20 will land in Rust 1.19."

G'MIC is a generic, extensible framework for image processing, often usedas a plug-in for GIMP. Version 2.0 has been released. "Oneof the major new features of this version 2.0 is the re-implementation ofthe plug-in code, from scratch. The repository G’MIC-Qt developed by Sébastien (an experienced memberof the team) is a Qt-based version of the plug-in interface, being asindependent as possible of the widget API provided by GIMP." Theannouncement has much more details about G'MIC and how it can be used. LWNlooked at G'MIC in August 2014.

Security updates have been issued by Debian (dropping support for some packages), Fedora (sudo), openSUSE (chromium), Slackware (irssi), and Ubuntu (freeradius and nagios3).

The LWN.net Weekly Edition for June 8, 2017 is available.

Over the course of the day, the 2017 Python Language Summit hosted ahandful of lightning talks, several of which were worked into the dynamicschedule when an opportunity presented itself. They ranged from thetraditional "less than five minutes" format to some that strayed welloutside of that time frame—some generated a fair amount of discussion aswell. Topics were all over the map: board elections, beta releases,Python as a security vulnerability, Jython, and more.

In his 2017 Python Language Summit session, Jukka Lehtosalo updatedattendees on the status of type checking for the language, in general, andfor the mypy static type checker.There are new features in the typing module and in mypy, as wellas work in progress and planned features for both. For a feature, typehints, that is really only around three yearsold, there has been a lot of progress made—but, of course, there isstill more to come.

There is no viable way to prevent data from being collected about us in thecurrent age of computing. But if institutions insist on knowing ourfinancial status, purchasing habits, health information,political preferences, and so on, they have a responsibility to keep thisdata—known as personally identifiable information (PII)—from leaking tounauthorized recipients. At the 2017 Strata dataconference in London, Steve Touw presented a sessionon privacy-enhancing technologies. In a fast-paced 40 minutes hecovered the EU regulations about privacy, the most popular technicalmeasures used to protect PII, and some pointed opinions about what worksand what should be thrown into the dustbin.

The Tor Browser Team has announced the first stable release in the 7.0 series. "This release brings us up to date with Firefox 52 ESR which contains progress in a number of areas:Most notably we hope having Mozilla's multiprocess mode (e10s) and content sandbox enabled will be one of the major new features in the Tor Browser 7.0 series, both security- and performance-wise. While we are still working on the sandboxing part for Windows (the e10s part is ready), both Linux and macOS have e10s and content sandboxing enabled by default in Tor Browser 7.0. In addition to that, Linux and macOS users have the option to further harden their Tor Browser setup by using only Unix Domain sockets for communication with tor."

Greg Kroah-Hartman has released stable kernels 4.11.4, 4.9.31, 4.4.71, and 3.18.56. All of them contain important fixesand users should upgrade.

Security updates have been issued by Arch Linux (chromium), Debian (apng2gif and ming), Gentoo (freetype, libpcre, minicom, pidgin, webkit-gtk, and wireshark), openSUSE (deluge and postgresql93), and Ubuntu (libnl3, lintian, linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-hwe, and linux-lts-xenial).

Mark Shannon is concerned that the Python core developers may be replayinga mistake: treating two distinct things as being thesame. Treating byte strings and Unicode text-strings interchangeably ispart of what led to Python 3, so he would rather not see that happenagain with types and classes. The Python typingmodule, which is meant to support type hints, currentlyimplements types as classes. That leads to several kinds of problems, asShannon described in his session at the 2017 Python Language Summit.

The GnuPG Project has announced the launch of a funding campaign to furthersupport and improve its mail and data encryption software, GnuPG."The 6 person development team is currently financed from asuccessful campaign in early 2015, regular donations from the LinuxFoundation, Stripe, Facebook, and a few paid development projects. Toensure long-term stability the new campaign focuses on recurring donationsand not one-time donations."

Last month LWN pointed to an article aboutthe Artifex v. Hancom case, in which Hancom used Artifex's Ghostscript inits office product. The Free Software Foundation looks at the caseand the recent ruling. "On the latter, the judge found that thebusiness model of Artifex indicated a loss of revenue, but also noted thatharm could be found even where money isn't involved. The judge, quoting a prior case,noted that there are 'substantial benefits, including economicbenefits, to the creation and distribution of copyrighted works underpublic licenses that range far beyond traditional license royalties.'While not [dispositive], this last note is particularly interesting formany free software developers, who generally share their work at nocost."

Many bytes have been expended over the years discussing the virtues of thekernel's random number generation subsystem. One of the biggest recurringconcerns has to do with systems that are unable to obtain sufficiententropy during the boot process to meet early demands for random data. Thelatest discussion on this topic got off to a bit of a rough start, but itmay lead to an incremental improvement in this area.

The Gentoo security team has announced that the SPARC architecture will nolonger be supported by the security team. "This decision follows thecouncil decision on 2016-12-11, 'The council defers to the security team,but is supportive of dropping security support for sparc if it is unable togenerally meet the security team timelines.'"

Security updates have been issued by Arch Linux (tomcat7 and tomcat8), Debian (freeradius, perl, and yodl), Fedora (libtasn1 and poppler), Gentoo (dbus, filezilla, git, imageworsener, munge, mupdf, qemu, rpcbind, and shadow), and Ubuntu (libtasn1-6 and puppet).

The kernel uses a variety of lock types internally, but they all share onefeature in common: they are a simple either/or proposition. When a lock isobtained for a resource, the entire resource is locked, even ifexclusive access is only needed to a part of that resource. Many resourcesmanaged by the kernel are complex entities for which it may make sense toonly lock a smaller part; files (consisting of a range of bytes) or aprocess's address space are examples of this type of resource. For years,kernel developers have talked about adding "range locks" — locks that wouldonly apply to a portion of a given resource — as a way of increasingconcurrency. Work has progressed in thatarea, and range locks may soon be added to the kernel's locking toolkit.

Rivendell 2.16.0 has been released. Rivendell is a radio automation systemtargeted for use in professional broadcast environments. This versionincludes audio store hashing, kernel GPIO, Modbus TCP support, and more.

Security updates have been issued by Arch Linux (gajim and libusbmuxd), Debian (perl), Fedora (chromium, chromium-native_client, dropbear, squirrelmail, sudo, and wget), Mageia (git, menu-cache, and pcmanfm), and openSUSE (libupnp).

Version 8.0 of the GDB debugger is out. Changes in this release includesome Python scripting enhancements, DWARF version 5 support, some newtargets, and more.

The 4.12-rc4 kernel prepatch has beenreleased. "Things remain fairly calm for 4.12, although not quite as calm as itappeared earlier in the week. I think two thirds of the commits camein on Friday or the weekend.But timing aside, it all looks fairly normal."

The kernel's filesystem and block layers are places where a lot of thingscan go wrong, often with unpleasant consequences. To make things worse, whenthings do go wrong, informing user space about the problem can be difficultas a consequence of how block I/O works. That can result in user-spaceapplications being unaware of trouble at the I/O level, leading to lost data and enragedusers. There are now two separate (and complementary) proposals underdiscussion that aim to improve how error reporting is handled in the blocklayer.

Security updates have been issued by Arch Linux (freeradius and libtasn1), Debian (nss, openldap, picocom, strongswan, wordpress, and zookeeper), Mageia (openvpn), openSUSE (mariadb), Oracle (kernel and sudo), and SUSE (strongswan).

The LWN.net Weekly Edition for June 2, 2017 is available.