Version 5.4 of the RawTherapee image-processing tool is out. New features include a new histogram-matching tool, a new HDR tone-mapping tool, a number of user-interface and performance improvements, and quite a bit more.
Security updates have been issued by CentOS (firefox), Debian (plexus-utils), Fedora (calibre, cryptopp, curl, dolphin-emu, firefox, golang, jhead, kernel, libcdio, libgit2, libvorbis, ming, net-snmp, patch, samba, xen, and zsh), Red Hat (collectd and rh-mariadb101-mariadb and rh-mariadb101-galera), and Ubuntu (paramiko and tiff).
Daniel Stone begins a series on how the Linux graphic stack has improved in recent times. "This has made mainline Linux much more attractive: the exact same generic codebases of GNOME and Weston that I'm using to write this blog post on an Intel laptop run equally well on AMD workstations, low-power NXP boards destined for in-flight entertainment, and high-end Renesas SoCs which might well be in your car. Now that the drivers are easy to write, and applications are portable, we've seen over ten new DRM drivers merged to the upstream kernel since atomic modesetting was merged."
Developers and maintainers of free-software projects are drawn from the same pool of people, and maintainers in one project are often developers in another, but there is still a certain amount of friction between the two groups. Maintainers depend on developers to contribute changes, but the two groups have a different set of incentives when it comes to reviewing and accepting those changes. Two talks at the 2018 Embedded Linux Conference shed some light on this relationship and how it can be made to work more smoothly.
The GStreamer team has announced a major feature release of the GStreamer cross-platform multimedia framework. Highlights include WebRTC support, experimental support for the next-gen royalty-free AV1 video codec, support for the Secure Reliable Transport (SRT) video streaming protocol, and much more. The release notes contain more details.
Red Hat has announced that six more companies (CA Technologies, Cisco, HPE, Microsoft, SAP, and SUSE) have agreed to apply the GPLv3 termination conditions (wherein a violator's license is automatically restored if the problem is fixed in a timely manner) to GPLv2-licensed code. "GPL version 3 (GPLv3) introduced an approach to termination that offers distributors of the code an opportunity to correct errors and mistakes in license compliance. This approach allows for enforcement of license compliance consistent with a community in which heavy-handed approaches to enforcement, including for financial gain, are out of place."
Security updates have been issued by Arch Linux (clamav, curl, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, and libcurl-gnutls), openSUSE (various KMPs), Oracle (firefox), Scientific Linux (firefox), SUSE (java-1_7_1-ibm), and Ubuntu (memcached).
In my previous article, I gave an introduction to the open architecture of RISC-V. This article looks at how I and a small team of Fedora users ported a large part of the Fedora package set to RISC-V. It was a daunting task, especially when there is no real hardware or existing infrastructure, but we were able to get there in a part-time effort over a year and a half or so. Subscribers can read on for a look at getting Fedora onto RISC-V by guest author Richard W.M. Jones.
Some years ago, prominent community leaders doubted that even short-term stable maintenance of kernel releases was feasible. More recently, selecting an occasional kernel for a two-year maintenance cycle has become routine, and some kernels, such as 3.2 under the care of Ben Hutchings, have received constant maintenance for as much as six years. But even that sort of extended maintenance is not enough for some use cases, as Yoshitake Kobayashi explained in his Embedded Linux Conference talk. To meet those needs, the Civil Infrastructure Platform (CIP) project is setting out to maintain releases for a minimum of 20 years.
Security updates have been issued by Arch Linux (firefox, libvorbis, and ntp), Debian (curl, firefox-esr, gitlab, libvorbis, libvorbisidec, openjdk-8, and uwsgi), Fedora (firefox, ImageMagick, kernel, and mailman), Gentoo (adobe-flash, jabberd2, oracle-jdk-bin, and plasma-workspace), Mageia (bugzilla, kernel, leptonica, libtiff, libvorbis, microcode, python-pycrypto, SDL_image, shadow-utils, sharutils, and xerces-c), openSUSE (exempi, firefox, GraphicsMagick, libid3tag, libraw, mariadb, php5, postgresql95, SDL2, SDL2_image, ucode-intel, and xmltooling), Red Hat (firefox), Slackware (firefox and libvorbis), SUSE (microcode_ctl and ucode-intel), and Ubuntu (firefox and php5, php7.0, php7.1).
The 4.16-rc6 kernel prepatch is out. "Go test, things are stable and there's no reason to worry, but all the usual reasons to just do a quick build and verification that everything works for everybody. Ok?"
Greg Kroah-Hartman has released the 4.9.88, 4.4.122, and 3.18.100 stable kernels. As usual, they contain fixes throughout the tree and users of those series should upgrade.
Security updates have been issued by CentOS (firefox), Debian (clamav and firefox-esr), openSUSE (Chromium and kernel-firmware), Oracle (firefox), Red Hat (ceph), Scientific Linux (firefox), Slackware (curl), and SUSE (java-1_7_1-ibm and mariadb).
Over on the Red Hat Developer Program blog, David Malcolm describes a number of usability improvements that he has made for the upcoming GCC 8 release. Malcolm has made a number of the C/C++ compiler error messages much more helpful, including adding hints for integrated development environments (IDEs) and other tools to suggest fixes for syntax and other kinds of errors. "[...] the code is fine, but, as is common with fragments of code seen on random websites, it’s missing #include directives. If you simply copy this into a new file and try to compile it as-is, it fails. This can be frustrating when copying and pasting examples – off the top of your head, which header files are needed by the above? – so for gcc 8 I’ve added hints telling you which header files are missing (for the most common cases)." He has various examples showing what the new error messages and hints look like in the blog post.
Alex Shi's posting of a patch series backporting a set of Meltdown fixes for the arm64 architecture to the 4.9 kernel might seem like a normal exercise in making important security fixes available on older kernels. But this case raised a couple of interesting questions about why this backport should be accepted into the long-term-support kernels — and a couple of equally interesting answers, one of which was rather better received than the other.
Greg Kroah-Hartman has announced the release of the 4.15.10 and 4.14.27 stable kernels. Each contains a large number of patches throughout the kernel tree; users should upgrade.
Security updates have been issued by Arch Linux (samba), CentOS (389-ds-base, kernel, libreoffice, mailman, and qemu-kvm), Debian (curl, libvirt, and mbedtls), Fedora (advancecomp, ceph, firefox, libldb, postgresql, python-django, and samba), Mageia (clamav, memcached, php, python-django, and zsh), openSUSE (adminer, firefox, java-1_7_0-openjdk, java-1_8_0-openjdk, and postgresql94), Oracle (kernel and libreoffice), Red Hat (erlang, firefox, flash-plugin, and java-1.7.1-ibm), Scientific Linux (389-ds-base, kernel, libreoffice, and qemu-kvm), SUSE (xen), and Ubuntu (curl, firefox, linux, linux-raspi2, and linux-hwe).
As is often the case, the python-ideas mailing list hosted a discussion about a Python Enhancement Proposal (PEP) recently. In some sense, this particular PEP was created to try to gather together the pros and cons of a feature idea that regularly crops up: statement-local bindings for variable names. But the discussion of the PEP went in enough different directions that it led to calls for an entirely different type of medium in which to have those kinds of discussions.
Let's Encrypt has announced that ACMEv2 (Automated Certificate Management Environment) and wildcard certificate support is live. ACMEv2 is an updated version of the ACME protocol that has gone through the IETF standards process. Wildcard certificates allow you to secure all subdomains of a domain with a single certificate. (Thanks to Alphonse Ogulla)
GNOME 3.28 has been released. "This release brings a more beautiful font, an improved on-screen keyboard and a new 'Usage' application. Improvements to core GNOME applications include support for favorites in Files and the file chooser, a better month view in the Calendar, support for importing pictures from devices in Photos, and many more." See the release notes for details.
Security updates have been issued by Arch Linux (calibre, dovecot, and postgresql), CentOS (dhcp and mailman), Fedora (freetype, kernel, leptonica, mariadb, mingw-leptonica, net-snmp, nx-libs, util-linux, wavpack, x2goserver, and zsh), Gentoo (chromium), Oracle (389-ds-base, mailman, and qemu-kvm), Red Hat (389-ds-base, kernel, kernel-alt, libreoffice, mailman, and qemu-kvm), Scientific Linux (mailman), Slackware (firefox and samba), and Ubuntu (samba).
LWN has covered the open RISC-V ("risk five") processor architecture before, most recently in this article. As the ecosystem and tools around RISC-V have started coming together, a more detailed look is in order. In a series of two articles, guest author Richard W.M. Jones will look at what RISC-V is and follow up with an article on how we can now port Linux distributions to run on it.
The bpfilter proposal posted in February included a new type of kernel module that would run as a user-space program; its purpose is to parse and translate iptables rules under the kernel's control but in a contained, non-kernel setting. These "ELF modules" were reposted for review as a standalone patch set in early March. That review has happened; it is a good example of how community involvement can improve a special-purpose patch and turn it into a more generally useful feature.
Anybody running Samba 4 servers probably wants to take a look at this alert and upgrade their systems. "CVE-2018-1057: On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users."
A company called CTS has disclosed a long series of vulnerabilities in AMD processors. "The chipset is a central component on Ryzen and Ryzen Pro workstations: it links the processor with hardware devices such as WiFi and network cards, making it an ideal target for malicious actors. The Ryzen chipset is currently being shipped with exploitable backdoors that could let attackers inject malicious code into the chip, providing them with a safe haven to operate from." See the associated white paper for more details. Update: there are a lot of questions circulating about the actual severity of these vulnerabilities and the motivations of the people reporting them. It may not be time to panic quite yet.
Mozilla has released Firefox 59, the next iteration of Firefox Quantum. From the release notes: "On Firefox for desktop, we’ve improved page load times, added tools to annotate and crop your Firefox Screenshots, and made it easier to arrange your Top Sites on the Firefox Home page. On Firefox for Android, we’ve added support for sites that stream video using the HLS protocol."
In the recent article about Jupyter and its notebooks, we mentioned that a new interface, called JupyterLab, existed in what its developers described as an "early preview" stage. About two weeks after that article appeared, Project Jupyter made a significant announcement: JupyterLab is "ready for users". Users will find a more integrated environment for scientific computation that is also more easily extended. JupyterLab takes the Jupyter Notebook to a level of functionality that will propel it well into the next decade—and beyond.
Security updates have been issued by Debian (samba), Fedora (tor), openSUSE (glibc, mysql-connector-java, and shadow), Oracle (dhcp), Red Hat (bind, chromium-browser, and dhcp), Scientific Linux (dhcp), and SUSE (java-1_7_0-openjdk, java-1_8_0-ibm, and java-1_8_0-openjdk).
Variable-length arrays (VLAs) have a non-constant size that is determined (and which can vary) at run time; they are supported by the ISO C99 standard. Use of VLAs in the kernel has long been discouraged but not prohibited, so there are naturally numerous VLA instances to be found. A recent push to remove VLAs from the kernel entirely has gained momentum, but it ran into an interesting snag on the way.
Here is the Rust community's plan for the rest of this year. "This year, we will deliver Rust 2018, marking the first major new edition of Rust since 1.0 (aka Rust 2015). We will continue to publish releases every six weeks as usual. But we will designate a release in the latter third of the year (Rust 1.29 - 1.31) as Rust 2018. This new 'edition' of Rust will be the culmination of feature stabilization throughout the year, and will ship with polished documentation, tooling, and libraries that tie in to those features."
The Debian Project has released the fourth update to Debian 9 "stretch". As usual, this update mainly adds corrections for security issues, along with a few adjustments for serious problems. "Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release."
Security updates have been issued by CentOS (389-ds-base, dhcp, kernel, libreoffice, php, quagga, and ruby), Debian (ming, util-linux, vips, and zsh), Fedora (community-mysql, php, ruby, and transmission), Gentoo (newsbeuter), Mageia (libraw and mbedtls), openSUSE (php7 and python-Django), Red Hat (MRG Realtime 2.5), and SUSE (kernel).
The 4.16-rc5 kernel prepatch is out, right on schedule. "This continues to be pretty normal - this rc is slightly larger than rc4 was, but that looks like one of the normal fluctuations due to timing of pull requests, not due to anything distressing."
The 4.15.9, 4.14.26, 4.9.87, 4.4.121, and 3.18.99 stable kernel updates have all been released. Each contains a relatively small set of important fixes and updates.
On his blog, Peter Robinson announced the acceptance of a new edition of Fedora for the Internet of Things (IoT). He had proposed it as a Fedora "spin", but the Fedora Council decided to make it a full-fledged edition with its own working group. "So what will be happening over the coming weeks (and months)? We’ll be getting the working group in place, getting an initial monthly release process in place so that people can start to have something to kick the tires with and provide feedback and drive discussion. With those two big pieces in place we can start to grow the Fedora IoT community and work out the bits that work and bits that don’t work."
Greg Kroah-Hartman has announced the release of the 4.15.8 and 4.14.25 stable kernels. Both contain a large collection of fixes throughout the tree; users of those kernel series should upgrade.
Security updates have been issued by openSUSE (rsync, shotwell, and squid), Oracle (dhcp), Red Hat (dhcp), Scientific Linux (dhcp), SUSE (java-1_7_0-ibm and xen), and Ubuntu (clamav, kernel, and zsh).
Normally, when an application sends data over the network, it wants that data to be transmitted as quickly as possible; the kernel's network stack tries to oblige. But there are applications that need their packets to be transmitted within specific time windows. This behavior can be approximated in user space now, but a better solution is in the works in the form of the time-based packet transmission patch set.
Version 6.0.0 of the LLVM compiler suite is out. "This release is the result of the community's work over the past six months, including: retpoline Spectre variant 2 mitigation, significantly improved CodeView debug info for Windows, GlobalISel by default for AArch64 at -O0, improved scheduling on several x86 micro-architectures, Clang defaults to -std=gnu++14 instead of -std=gnu++98, support for some upcoming C++2a features, improved optimizations, new compiler warnings, many bug fixes, and more."
Security updates have been issued by Debian (isc-dhcp and python-django), Gentoo (go and util-linux), Mageia (389-ds-base, dovecot, and tor), openSUSE (python-Django), Oracle (389-ds-base, kernel, libreoffice, and php), Scientific Linux (389-ds-base, kernel, libreoffice, and php), and Ubuntu (clamav and libreoffice).
At linux.conf.au (LCA) 2017 in Hobart, Tasmania, Keith Packard talked with kernel graphics maintainer Dave Airlie about how virtual reality devices should be hooked up to Linux. They both thought it would be pretty straightforward to do, so it would "only take a few weeks", but Packard knew "in reality it would take a lot longer". In a talk at LCA 2018 in Sydney, Packard reported back on the progress he has made; most of it is now in the upstream kernel.
Harald Welte attended a hearing in one of the Patrick McHardy GPL cases and wrote up what he saw. "I'm not arguing for a 'too soft' approach. It's almost 15 years since the first court cases on license violations on (embedded) Linux, and the fact that the problem still exists today clearly shows the industry is very far from having solved a seemingly rather simple problem. On the other hand, such activities must always be oriented to compliance, and compliance only. Collecting huge amounts of contractual penalties is questionable. And if it was necessary to collect such huge amounts to motivate large corporations to be compliant, then this must be done in the open, with the community knowing about it, and the proceeds of such contractual penalties must be donated to free software related entities to prove that personal financial gain is not a motivation."
Both the free-software and security communities have recently been focusing on the elements of our computers that run below the operating system. These proprietary firmware components are usually difficult or impossible to extend and it has long been suspected (and proven in several cases) that there are significant security concerns with them. The LinuxBoot Project is working to replace this complex, proprietary, and largely unknown firmware with a Linux kernel. That has the added benefit of replacing the existing drivers in the firmware with well-tested drivers from Linux.
The Khronos Group has announced the release of the Vulkan GPU API version 1.1 and SPIR-V 1.3 specifications. "Version 1.1 expands Vulkan’s core functionality with developer-requested features, such as subgroup operations, while integrating a wide range of proven extensions from Vulkan 1.0. Khronos will also release full Vulkan 1.1 conformance tests into open source and AMD, Arm, Imagination, Intel Corporation, NVIDIA and Qualcomm have implemented conformant Vulkan 1.1 drivers."
The kernel stack is a small, frequently reused region of memory in each thread's address space. That reuse allows for efficient memory use and good performance as a result of cache locality, but it also presents a problem: data left on the stack can also end up being reused in ways that were not intended. The PaX patch set contains a mechanism designed to clear that data from the stack and prevent leaks, but an attempt to merge that code into the kernel has run into a snag.