Feed lwn LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-25 08:15
[$] Restricting pathname resolution with AT_NO_JUMPS
On April 29, Al Viro posted a patch on the linux-api mailing list adding a new flag to be used in conjunction with the ...at() family of system calls. The flag is for containing pathname resolution to the same filesystem and subtree as the given starting point. This is a useful feature to have for implementing file I/O in programs that accept pathnames as untrusted user input. The ensuing discussion made it clear that there were multiple use cases for such a feature, especially if the granularity of its restrictions could be increased.
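What such containment buys a program that opens untrusted paths can be shown in user space without the patch. The C program below is an added example, not code from Viro's patch or from the LWN article. open_beneath() walks a relative path one component at a time from a directory descriptor, refusing "..", refusing any symlink (O_NOFOLLOW throughout, with O_PATH on intermediate components), and refusing a component whose st_dev differs from the starting directory's; demo_containment() builds a constructed fixture under /tmp (a subtree containing a symlink that points outside it) and compares a plain openat() against the contained walk. The policy is deliberately stricter than the proposed flag (every ".." is rejected, not only those that would escape), the st_dev comparison is an approximation (a bind mount of the same filesystem shares st_dev, whereas the kernel compares vfsmounts), and Linux is assumed for O_PATH. For reference, the kernel eventually gained this capability as the RESOLVE_BENEATH and RESOLVE_NO_XDEV flags of openat2(2) in Linux 5.6.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000               /* Linux value, if the headers lack it */
#endif

/* Open `path` relative to `dirfd` without leaving dirfd's subtree or filesystem.
 * Stricter than the proposed flag, on purpose: any ".." fails with EXDEV, any
 * symlink component (the last one included) fails with ELOOP, a component on a
 * different st_dev fails with EXDEV. No O_CREAT. Returns an fd or -1 + errno. */
int open_beneath(int dirfd, const char *path, int flags)
{
    struct stat root_st, st;
    if (fstat(dirfd, &root_st) < 0) return -1;
    if (path[0] == '/') { errno = EXDEV; return -1; }   /* absolute: never beneath */
    int cur = dup(dirfd);                     /* walk from a private copy of dirfd */
    if (cur < 0) return -1;
    for (const char *p = path; *p; ) {
        while (*p == '/') p++;                /* collapses "a//b" and a trailing "/" */
        if (!*p) break;
        size_t len = strcspn(p, "/");
        char comp[256];
        if (len >= sizeof comp) { errno = ENAMETOOLONG; goto fail; }
        memcpy(comp, p, len); comp[len] = '\0';
        p += len;
        const char *rest = p;
        while (*rest == '/') rest++;
        int last = (*rest == '\0');
        if (!strcmp(comp, ".")) continue;
        if (!strcmp(comp, "..")) { errno = EXDEV; goto fail; }
        /* Intermediate components are opened O_PATH: walked, never used. With
         * O_NOFOLLOW a symlink yields an fd to the link itself (fstat: S_IFLNK);
         * on the final, real open the kernel fails with ELOOP by itself. */
        int fd = openat(cur, comp, (last ? flags : O_PATH) | O_NOFOLLOW | O_CLOEXEC);
        if (fd < 0) goto fail;
        if (fstat(fd, &st) < 0) { close(fd); goto fail; }
        if (S_ISLNK(st.st_mode)) { close(fd); errno = ELOOP; goto fail; }
        /* Caveat: a bind mount of the same filesystem shares st_dev, so only a
         * crossing into another filesystem is caught; the kernel compares vfsmounts. */
        if (st.st_dev != root_st.st_dev) { close(fd); errno = EXDEV; goto fail; }
        close(cur);
        cur = fd;
    }
    return cur;
fail:;
    int saved = errno;
    close(cur);
    errno = saved;
    return -1;
}

/* Constructed fixture under a fresh temp dir; returns 0 when every check behaves
 * as claimed, otherwise the number of the first check that did not. */
int demo_containment(void)
{
    char base[] = "/tmp/beneathXXXXXX", p[256], buf[8] = {0};
    static const char *const fx[][3] = {  /* d = dir, f = file, l = symlink */
        { "d", "root", 0 }, { "d", "root/sub", 0 }, { "d", "outside", 0 },
        { "f", "outside/secret", "secret" }, { "f", "root/sub/ok.txt", "ok" },
        { "l", "root/sub/escape", "../../outside/secret" } };
    if (!mkdtemp(base)) return 1;
    for (int i = 0; i < 6; i++) {
        snprintf(p, sizeof p, "%s/%s", base, fx[i][1]);
        int fd = -1, r = *fx[i][0] == 'd' ? mkdir(p, 0700)
                       : *fx[i][0] == 'l' ? symlink(fx[i][2], p)
                       : ((fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0
                          || write(fd, fx[i][2], strlen(fx[i][2])) < 0 || close(fd));
        if (r) return 2;
    }
    snprintf(p, sizeof p, "%s/root", base);
    int rootfd = open(p, O_RDONLY | O_DIRECTORY), fd = -1, rc = 0;
    if (rootfd < 0) return 2;
    /* 1: plain openat() follows the link straight out of the subtree */
    if ((fd = openat(rootfd, "sub/escape", O_RDONLY)) < 0) rc = 3; else close(fd);
    /* 2: the contained walk stops at the symlink */
    if (!rc && !(open_beneath(rootfd, "sub/escape", O_RDONLY) < 0 && errno == ELOOP)) rc = 4;
    /* 3: ".." is refused before it can climb above rootfd */
    if (!rc && !(open_beneath(rootfd, "sub/../../outside/secret", O_RDONLY) < 0 && errno == EXDEV)) rc = 5;
    /* 4: a path that stays inside still opens and reads normally */
    fd = -1;
    if (!rc && ((fd = open_beneath(rootfd, "sub/ok.txt", O_RDONLY)) < 0
                || read(fd, buf, sizeof buf - 1) != 2 || strcmp(buf, "ok"))) rc = 6;
    if (fd >= 0) close(fd);
    close(rootfd);
    for (int i = 5; i >= 0; i--) {            /* tear the fixture down in reverse */
        snprintf(p, sizeof p, "%s/%s", base, fx[i][1]);
        if (*fx[i][0] == 'd') rmdir(p); else unlink(p);
    }
    rmdir(base);
    return rc;
}

int main(void)
{
    int rc = demo_containment();
    printf("containment demo: %s (code %d)\n", rc ? "FAILED" : "all checks passed", rc);
    return rc;
}
```

The useful property is that the caller never has to canonicalize or string-match the untrusted path: every decision is made on the file the kernel actually handed back, so a symlink swapped in after a check cannot redirect the open, which is exactly the race a realpath()-then-open() pattern is exposed to.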
[$] IPv6 segment routing
In November 2016, a new networking feature, IPv6 segment routing (also known as "IPv6 SR" or "SRv6"), was merged into net-next and subsequently included in Linux 4.10. In this article, we explain this new feature, describe key elements of its implementation, and present a few performance measurements.
[$] Vulnerability hoarding and Wcry
A virulent ransomware worm attacked a wide swath of Windows machines worldwide in mid-May. The malware, known as Wcry, Wanna, or WannaCry, infected a number of systems at high-profile organizations as well as striking at critical pieces of the infrastructure—like hospitals, banks, and train stations. While the threat seems to have largely abated—for now—the origin of some of its code, which is apparently the US National Security Agency (NSA), should give one pause.
openSUSE Leap 42.1 has reached end of SUSE support
SUSE-sponsored maintenance of openSUSE Leap 42.1 has ended. "The currently maintained stable release is openSUSE Leap 42.2, which will be maintained until Q2/2018."
Security updates for Wednesday
Security updates have been issued by Arch Linux (libplist), Debian (mysql-connector-java), Fedora (jasper, kdelibs, lxterminal, menu-cache, pcmanfm, and postgresql), openSUSE (qemu), Slackware (freetype and kdelibs), SUSE (ghostscript-library, libtirpc, and mariadb), and Ubuntu (ghostscript, kernel, linux, linux-raspi2, linux-hwe, openjdk-7, qemu, shadow, and thunderbird).
[$] Entering the mosh pit
For some years now, your editor has heard glowing reviews of Mosh — the "mobile shell" — as a replacement for SSH. The Mosh developers make a number of claims about its reconnection ability, performance, and security; at least some of those are relatively easily testable. After a bit of moshing, a few clear conclusions have come to the fore.
The Linux Test Project has been released for May 2017
The Linux Test Project test-suite stable release for May 2017 is available. Several new tests have been added and many tests have been cleaned up and fixed. The latest version of the test-suite contains 3000+ tests.
[$] OpenStack faces the challenges of cloud backups
It seems that system administrators will never shake the need for backups, even when they shove everything into the cloud. At the OpenStack Summit in Boston last week, a session by Ghanshyam Mann and Abhinav Agrawal of NEC laid out the requirements for backing up data and metadata in OpenStack—with principles that apply to any virtualization or cloud deployment.
Stable kernel 3.18.53
Greg Kroah-Hartman has released stable kernel 3.18.53 with important fixes. Users should upgrade.
Security updates for Tuesday
Security updates have been issued by CentOS (ghostscript and jasper), Debian (deluge, jbig2dec, and openvpn), Fedora (kf5-kauth), openSUSE (graphite2, kauth, kdelibs4, roundcubemail, rzip, thunderbird, and tomcat), Oracle (kernel), Red Hat (kernel), SUSE (kernel), and Ubuntu (libytnef).
A proposal to move GNOME to GitLab
The GNOME project has, after a period of contemplation, put forward a proposal to move to a GitLab installation on GNOME's infrastructure. "We are confident that GitLab is a good choice for GNOME, and we can’t wait for GNOME to modernise our developer experience with it. It will provide us with vastly more effective tools, an easier landing for newcomers, and lots of opportunities to improve the way that we work. We're ready to start working on the migration." This wiki page describes the idea in detail.
Security flaw in Ubuntu login screen could let anyone access your files (OMG! Ubuntu!)
The OMG! Ubuntu! site reports that the "guest session" functionality enabled by default on Ubuntu desktops fails to actually confine the guest account. "If you’re running a fully up-to-date system you do not need to panic. Canonical has already pushed out an update that temporarily disables Ubuntu guest session logins (so if you noticed it was missing, that’s why)." See the bug report for details on this issue, which was reported in February.
Ardour 5.9 released
The Ardour audio editor project has announced the 5.9 release. "Ardour 5.9 is now available, representing several months of development that spans some new features and many improvements and fixes. Among other things, some significant optimizations were made to redraw performance on OS X/macOS that may be apparent if you are using Ardour on that platform. There were further improvements to tempo and MIDI related features and lots of small improvements to state serialization. Support for the Presonus Faderport 8 control surface was added."
UPDATE: openSUSE Services Outage
Richard Brown follows up on openSUSE's security breach that caused service shutdowns last Friday. "We're pleased to be able to report that after an extensive review and audit of the systems involved we are confident that nothing was compromised and all of our code and personal information housed within was adequately protected throughout. Therefore all of the systems that were shut down are now back online."
A federal court has ruled that the GPL is an enforceable contract (Quartz)
Quartz looks at recent developments in the Artifex v. Hancom case. Artifex makes Ghostscript, an open-source (GPL) PDF interpreter. Hancom used Ghostscript in its Hancom Office product and did not abide by the license, so Artifex sued Hancom. "The enforceability of open source licenses like the GNU GPL has long been an open legal question. The Federal Circuit Court of Appeals held in a 2006 case, Jacobsen v. Katzer, that violations of open source licenses could be treated like copyright claims. But whether they could legally be considered breaches of contract had yet to be determined, until the issue came up in Artifex v. Hancom. That happened when Hancom issued a motion to dismiss the case on the grounds that the company didn’t sign anything, so the license wasn’t a real contract." Judge Jacqueline Scott Corley disagreed with Hancom and said: "These allegations sufficiently plead the existence of a contract." (Thanks to Paul Wise)
OpenHatch: Celebrating our successes and winding down as an organization
OpenHatch is a project that has been running education events and maintaining free learning tools to help people get involved in collaborative software development since 2009. Now Asheesh Laroia, President of the organization, has announced that the organization is winding down. "OpenHatch was one part of a broader movement around improving diversity and inclusion in free software and software generally. As Mike [Linksvayer], Deb [Nicholson], and I wind down this one organization, we’re heartened by those who push the movement forward." Donations have been canceled and the remaining money will be used to gracefully shut down the organization. Anything left after that will be donated to Outreachy. OpenHatch software and websites will be moved to static website hosting.
Security updates for Monday
Security updates have been issued by Arch Linux (git, lxc, openvpn, and zziplib), Debian (bind9, bitlbee, postgresql-9.4, rtmpdump, sane-backends, and squirrelmail), Fedora (ghostscript, git, kdelibs, kf5-kauth, libplist, libreoffice, openvpn, php-horde-ingo, qemu, radicale, rpcbind, and xen), and Ubuntu (git and kde4libs).
[$] The end of the 4.12 merge window
Linus Torvalds released the 4.12-rc1 prepatch and closed the merge window on May 13 — a move that may have surprised maintainers who were waiting until the last day to get their final pull requests in. Let that be a lesson to all: one should not expect to have pull requests honored on Mother's Day. Below is a summary of the changes merged since the May 10 merge-window summary.
A pile of stable kernel updates
The first 4.11 stable update — 4.11.1 — has been released, along with 4.10.16, 4.9.28, and 4.4.68. Each contains a fair number of important fixes.
Kernel prepatch 4.12-rc1
Linus has released the 4.12-rc1 prepatch and closed the merge window one day earlier than some might have expected. "Despite it being fairly large, it has (so far) been pretty smooth. I don't think I personally saw any breakage at all, which is always nice. Usually I end up having something break, or trigger some silly build failure that really should have been noticed before it even got to me, but so far things are looking good. Famous last words."
Android's "Treble" interface
The Android Developers Blog carries an announcement for an upcoming feature called "Treble", which looks like a separate, guaranteed stable interface for device drivers. "The core concept is to separate the vendor implementation - the device-specific, lower-level software written in large part by the silicon manufacturers - from the Android OS Framework. This is achieved by the introduction of a new vendor interface between the Android OS framework and the vendor implementation." Details are scarce, and there is no information on how this might fit into the part of the "Android OS framework" that many of us think of as "the Linux kernel".
Several openSUSE services disabled due to a security breach
The openSUSE project has announced that its authentication system has been breached and a number of services have been shut down or put into read-only mode. "This includes the openSUSE OBS, wiki, and forums. The scope and impact of the breach is not yet fully clear. The disabling of authentication is to ensure the protection of our systems and user data while the situation is fully investigated. Based on the information available at this time, there is a possibility that the breach is limited to users of non-openSUSE infrastructure that shares the same authentication system." There does not appear to be reason to worry that the download infrastructure has been compromised.
Security updates for Friday
Security updates have been issued by Debian (kde4libs), Fedora (elfutils, libplist, mediawiki, and xen), Red Hat (chromium-browser and ghostscript), Scientific Linux (ghostscript), SUSE (kernel and MozillaFirefox, mozilla-nss, mozilla-nspr, java-1_8_0-openjdk), and Ubuntu (firefox, lightdm, openjdk-8, and openvpn).
Hashemi: The Many Layers of Packaging
On his blog, Mahmoud Hashemi has an in-depth look at Python packaging, but much of it is applicable to packaging software in any language. "Python was designed to be cross-platform and runs in countless environments. But don't take this to mean that Python's built-in tools will carry you anywhere you want to go. I can write a mobile app in Python, does it make sense to install it on my phone with pip? As you'll see, a language's built-in tools only scratch the surface. So, one by one, I'm going to describe some code you want to ship, followed by the simplest acceptable packaging process that provides that repeatable deployment process we crave." (Thanks to Paul Wise.)
[$] Randomizing structure layout
Kees Cook is working on a series of patches for C structure randomization to improve security in the Linux kernel. This is an important part of obfuscating the internal binary layout of a running kernel, making kernel exploits harder. The randstruct plugin is a new GCC add-on that lets the compiler randomize the layout of C structures. When enabled, the plugin will scramble the layout of the kernel structures that are specifically designated for randomization.
Security updates for Thursday
Security updates have been issued by Arch Linux (flashplugin, freetype2, ghostscript, kauth, kdelibs, lib32-flashplugin, lib32-freetype2, lib32-libtirpc, libtirpc, rpcbind, and smb4k), Debian (git, qemu-kvm, and tomcat7), Mageia (feh, kernel, lxterminal, and thunderbird), openSUSE (swftools), and SUSE (flash-player, qemu, and tomcat).
[$] LWN.net Weekly Edition for May 11, 2017
The LWN.net Weekly Edition for May 11, 2017 is available.
GNU Artanis 0.2 released
GNU Artanis is a web application framework (WAF) written in Guile Scheme and v0.2 is its first stable release. "It is designed to support the development of dynamic websites, web applications, web services and web resources. Artanis provides several tools for web development: database access, templating frameworks, session management, URL-remapping for RESTful, page caching, and so on."
CockroachDB 1.0 released
CockroachDB 1.0 has been released. "CockroachDB is a cloud-native SQL database for building global, scalable cloud services that survive disasters. But what does “cloud-native” actually mean? We believe the term implies horizontal scalability, no single points of failure, survivability, automatable operations, and no platform-specific encumbrances. To realize these product goals, development over the past year has focused on three critical areas: distributed SQL to support small and large use cases alike and scale seamlessly between them; multi-active availability for always-consistent high availability; and flexible deployment for automatable operations in virtually any environment."
[$] 4.12 Merge window part 2
As of this writing, nearly 12,000 non-merge changesets have been pulled into the mainline repository for the 4.12 development cycle. About 7,500 of these have been pulled since the first 4.12 merge-window summary. Read on for an overview of what has been merged in the last week.
[$] Free-software concerns with Europe's radio directive
At the 2017 Free Software Legal and Licensing Workshop (LLW), Max Mehl presented some concerns about the EU radio equipment directive (RED) that was issued in 2014. The worry is that the directive will lead device makers to lock down their hardware, which will preclude users from installing alternative free software on it. The problem is reminiscent of a similar situation in the US, but that one has seemingly been resolved in favor of users—at least for now.
Git v2.13.0
The latest feature release Git v2.13.0 is now available. "It is comprised of 729 non-merge commits since v2.12.0, contributed by 65 people, 15 of which are new faces. This release also contains the security patch in v2.12.3 and others to fix CVE-2017-8386." The release notes are in the announcement. Maintenance releases Git 2.4.12, 2.5.6, 2.6.7, 2.7.5, 2.8.5, 2.9.4, 2.10.3, 2.11.2, and 2.12.3 are also available.
Exploiting the Linux kernel via packet sockets (Project Zero)
The Project Zero site has a detailed exploration of how to exploit CVE-2017-7308, a vulnerability in the kernel's packet socket implementation. "Let’s see how we can exploit this vulnerability. I’m going to be targeting x86-64 Ubuntu 16.04.2 with 4.8.0-41-generic kernel version with KASLR, SMEP and SMAP enabled. Ubuntu kernel has user namespaces available to unprivileged users (CONFIG_USER_NS=y and no restrictions on [its] usage), so the bug can be exploited to gain root privileges by an unprivileged user. All of the exploitation steps below are performed from within a user namespace."
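The exploit's stated precondition, unprivileged access to user namespaces, is worth checking on your own systems, since it is what turns a bug reachable only with CAP_NET_RAW into one reachable by any local user. The C program below is an added example and not part of the Project Zero write-up: it probes the precondition the way an exploit would, by calling unshare(CLONE_NEWUSER) as the current user in a forked child and reporting whether the kernel allowed it, alongside the sysctls that govern it (kernel.unprivileged_userns_clone exists only on Debian and Ubuntu kernels; user.max_user_namespaces is the mainline knob, with 0 disabling creation). Run it as a normal user, since root passes regardless. Note that setting those knobs removes this route to the bug but does not fix the packet socket flaw itself.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000    /* Linux value, if the headers lack it */
#endif
int unshare(int flags);             /* compatible redeclaration if <sched.h> has it */

/* Read one sysctl file into `buf` (newline stripped). 0 on success, -1 if absent. */
static int read_sysctl(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int ok = fgets(buf, (int)n, f) != NULL;
    fclose(f);
    if (!ok)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Probe whether the calling user can create a user namespace, i.e. whether
 * the precondition the write-up relies on holds here. The unshare() runs in
 * a forked child so the caller's own namespaces are left alone. Returns 1 if
 * CLONE_NEWUSER succeeded, 0 if the kernel refused it (EPERM/EINVAL/ENOSPC)
 * or a seccomp filter killed the child, -1 if fork/waitpid themselves failed.
 * Meaningful only as non-root: root can always create one under CONFIG_USER_NS. */
int unprivileged_userns_available(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    char val[64];
    /* Debian/Ubuntu kernels carry this extra knob (1 = allowed); elsewhere
     * look at user.max_user_namespaces (0 disables) and CONFIG_USER_NS. */
    if (read_sysctl("/proc/sys/kernel/unprivileged_userns_clone", val, sizeof val) == 0)
        printf("kernel.unprivileged_userns_clone = %s\n", val);
    if (read_sysctl("/proc/sys/user/max_user_namespaces", val, sizeof val) == 0)
        printf("user.max_user_namespaces = %s\n", val);
    int r = unprivileged_userns_available();
    printf("euid %d can unshare(CLONE_NEWUSER): %s\n", (int)geteuid(),
           r == 1 ? "yes, unprivileged user namespaces are exposed"
                  : r == 0 ? "no" : "probe failed");
    return r < 0;
}
```

Probing with the real syscall rather than only reading the sysctls matters because the two can disagree: a seccomp profile, an LSM policy or a container runtime can block CLONE_NEWUSER while the knobs still read as permissive, and the probe reports what an attacker in that context would actually get.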
Security updates for Wednesday
Security updates have been issued by CentOS (bind, java-1.7.0-openjdk, qemu-kvm, and thunderbird), Debian (git, libtirpc, lxterminal, radicale, rpcbind, and xen), Fedora (batik, java-1.8.0-openjdk-aarch32, kernel, pcre, and weechat), Gentoo (ffmpeg, firefox, libav, and thunderbird), Red Hat (flash-plugin, jasper, java-1.6.0-ibm, java-1.7.1-ibm, java-1.8.0-ibm, and qemu-kvm), Scientific Linux (jasper and qemu-kvm), and Ubuntu (apache2, batik, fop, freetype, and rtmpdump).
Gregg: CPU Utilization is Wrong
Brendan Gregg asserts that CPU utilization is the wrong metric to be looking at when tuning a system. Much of the time when the CPU appears to be busy, it's actually just waiting for memory. "The key metric here is instructions per cycle (insns per cycle: IPC), which shows on average how many instructions were completed for each CPU clock cycle. The higher, the better (a simplification). The above example of 0.78 sounds not bad (78% busy?) until you realize that this processor's top speed is an IPC of 4.0. This is also known as 4-wide, referring to the instruction fetch/decode path. Which means, the CPU can retire (complete) four instructions with every clock cycle. So an IPC of 0.78 on a 4-wide system, means the CPUs are running at 19.5% of their top speed. The new Intel Skylake processors are 5-wide."
[$] A farewell to set_fs()?
The archaeological evidence is murky, but it would appear that the kernel's set_fs() function was added in November 1991 by a certain Ted Ts'o; it was in the 0.10 release. It is, thus, one of the oldest APIs found within the kernel itself. Careless use of set_fs() has always been an easy way to create security bugs; a recent attempt to make these bugs harder to exploit may instead result in this function being removed altogether.
Cinnamon 3.4 released
Cinnamon 3.4 has been released. This version includes support for mozjs38, support for additional Wacom devices, a multi-process Settings Daemon, a cleaner session EXIT phase, separate processes for Nemo and desktop handling, and more. "On the spices side of things, the maintenance was moved to Github and the Cinnamon team is now actively involved in the debugging of applets, desklets, extensions and themes. Support for Cinnamon 3.4 changes is added by the team itself."
[$] Inside the OpenChain 1.1 specification
LWN recently covered a conference session on the OpenChain project and its recently released v1.1 specification [PDF]. The talk, however, was remarkably short on details on what is actually in that specification. Perhaps most LWN readers were content with that state of affairs, but your editor decided to take a closer look.
Announcing the Tails Social Contract
The Amnesic Incognito Live System (Tails) has adopted a Social Contract, based on the Debian Social Contract and the Tor Social Contract. "We believe that privacy, the free exchange of ideas, and equal access to information are essential to free and open societies. Through our community standards and the tools we create, we provide means that empower all people to protect and advance these ideals."
Security updates for Tuesday
Security updates have been issued by Debian (libtirpc and libytnef), Fedora (python-fedora, roundcubemail, and tnef), Mageia (ntp and virtualbox), openSUSE (dpkg, ghostscript, kernel, libressl, mysql-community-server, quagga, tcpdump, libpcap, xen, and zziplib), Red Hat (java-1.7.0-openjdk), Scientific Linux (java-1.7.0-openjdk), and SUSE (samba).
Thunderbird to stay with Mozilla — sort of
The Thunderbird email client project has announced the results of its long deliberation on its future. The project will remain with Mozilla administratively, but will move to its own infrastructure. "Thus, much has changed since 2015 – we were able to establish a financial home at the Mozilla Foundation, we are successfully collecting donations from our users, and the first steps of migrating infrastructure have been taken. We started questioning the usefulness of moving elsewhere, organizationally. While Mozilla wants to be laser-focused on the success of Firefox, in recent discussions it was clear that they continue to have a strong desire to see Thunderbird succeed. In many ways, there is more need for independent and secure email than ever. As long as Thunderbird doesn’t slow down the progress of Firefox, there seem to be no significant obstacles for continued co-existence."
OSS-Fuzz: Five months later, and rewarding projects
Google Open Source Blog takes a look at the progress made by the OSS-Fuzz project. "OSS-Fuzz has found numerous security vulnerabilities in several critical open source projects: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark, etc. We’ve also had at least one bug collision with another independent security researcher (CVE-2017-2801). (Some of the bugs are still view restricted so links may show smaller numbers.)" LWN covered OSS-Fuzz last January.
[$] License compliance in the open-source supply chain
The supply chain in the open-source world is lengthy and global; it also suffers from compliance problems with the GPL and other licenses. The OpenChain project was created to help the companies in the supply chain with their compliance. At the 2017 Free Software Legal and Licensing Workshop (LLW), OpenChain program manager Shane Coughlan described the project, some of its history, the release of version 1.1 of its specification, and more.
Submission deadline for LPC refereed track proposals extended
The deadline for submitting refereed track proposals for the 2017 Linux Plumbers Conference (LPC) has been extended until May 13. "The refereed track will have 50-minute presentations on a specific aspect of Linux "plumbing" (e.g. core libraries, media creation/playback, display managers, init systems, kernel APIs/ABIs, etc.) that are chosen by the LPC committee to be given during all three days of the conference." LPC will be held September 13-15 in Los Angeles, CA.
Debian 8.8 released
The Debian Project has announced the release of Debian 8.8, the eighth update to its stable release Debian 8 "jessie". "This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available."
Stable kernel updates
Stable kernels 4.10.15, 4.9.27, 4.4.67, and 3.18.52 have been released. All of them contain important fixes and users should upgrade.
Security updates for Monday
Security updates have been issued by Debian (freetype, ghostscript, and roundcube), Fedora (bind99, freetype, ghostscript, icu, thunderbird, and wireshark), Gentoo (chromium, libevent, nss, and oracle-jre-bin), Mageia (audiofile, ettercap, ghostscript, libarchive, and libsamplerate), openSUSE (Chromium and thunderbird), Red Hat (bind and thunderbird), and Scientific Linux (bind and thunderbird).
A proposal to remerge OpenWRT and LEDE
It appears that the OpenWRT and LEDE communities are about to vote on a proposal covering many of the details behind merging the two projects (which forked one year ago) back together. The plan appears to be to go forward with the OpenWRT name, but with the LEDE repository; domain names would be transferred to SPI.
Android/Mobile microconference accepted into Linux Plumbers Conference
The Android/Mobile microconference has been accepted for this year's Linux Plumbers Conference (LPC), which will be held in Los Angeles, CA, US on 13-15 September in conjunction with The Linux Foundation Open Source Summit. "Android continues to find interesting new applications and problems to solve, both within and outside the mobile arena. Mainlining continues to be an area of focus, as do a number of areas of core Android functionality, including the kernel. Other areas where there is ongoing work include eBPF, Lowmemory alternatives, the Android emulator, and SDCardFS."
Security updates for Friday
Security updates have been issued by Fedora (kernel, libnl3, and log4j), openSUSE (GraphicsMagick), SUSE (kernel), and Ubuntu (shadow).