Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-17 23:15
Stable kernels 4.13.4, 4.9.52, 4.4.89, and 3.18.72
Greg Kroah-Hartman has announced the release of the 4.13.4, 4.9.52, 4.4.89, and 3.18.72 stable kernels. As usual, there are fixes throughout the tree and users of those series should upgrade.
Security updates for Thursday
Security updates have been issued by CentOS (kernel), Debian (chromium-browser and poppler), Oracle (kernel), and Slackware (gegl).
[$] LWN.net Weekly Edition for September 28, 2017
The LWN.net Weekly Edition for September 28, 2017 is available.
[$] A memory allocation API for graphics devices
At last year's X.Org Developers Conference (XDC), James Jones began the process of coming up with an API for allocating memory so that it is accessible to multiple different graphics devices in a system (e.g. GPUs, hardware compositors, video decoders, display hardware, cameras, etc.). At XDC 2017 in Mountain View, CA, he was back to update attendees on the progress that has been made. He has a prototype in progress, but there is plenty more to do, including working out some of the problems he has encountered along the way.
Microsoft Becomes Sponsor of Open Source Initiative
The Open Source Initiative (OSI) has announced that Microsoft has joined the organization as a Premium Sponsor. "Microsoft's history with the OSI dates back to 2005 with the submission of the Microsoft Community License, then again in August of 2007 with the submission of the Microsoft Permissive License. For many in the open source software community, it was Microsoft's release of .NET in 2014 under an open source license that may have first caught their attention. Microsoft has increasingly participated in open source projects and communities as users, contributors, and creators, and has released even more open source products like Visual Studio Code and Typescript."
Open Sourcing Vespa, Yahoo’s Big Data Processing and Serving Engine
Oath, parent company of Yahoo, has announced that it has released Vespa as an open source project on GitHub. "Building applications increasingly means dealing with huge amounts of data. While developers can use the Hadoop stack to store and batch process big data, and Storm to stream-process data, these technologies do not help with serving results to end users. Serving is challenging at large scale, especially when it is necessary to make computations quickly over data while a user is waiting, as with applications that feature search, recommendation, and personalization. By releasing Vespa, we are making it easy for anyone to build applications that can compute responses to user requests, over large datasets, at realtime and at internet scale – capabilities that up until now, have been within reach of only a few large companies." (Thanks to Paul Wise)
[$] An update on live kernel patching
In the refereed track at the 2017 Linux Plumbers Conference (LPC), Jiri Kosina gave an update on the status and plans for the live kernel patching feature. It is a feature that has a long history—pre-dating Linux itself—and has had a multi-year path into the kernel. Kosina reviewed that history, while also looking at some of the limitations and missing features for live patching.
Security updates for Wednesday
Security updates have been issued by Arch Linux (weechat), Debian (debsecan, git, ruby1.8, ruby1.9.1, rubygems, and weechat), Fedora (kernel, libbson, and oniguruma), Gentoo (tiff), openSUSE (tor), Oracle (augeas, samba, and samba4), Red Hat (kernel), and Scientific Linux (kernel).
[$] Fedora's foundations meet proprietary drivers
The Fedora project's four "foundations" are named "Freedom", "Friends", "Features", and "First". Among other things, they commit the project to being firmly within the free-software camp ("we believe that advancing software and content freedom is a central goal for the Fedora Project, and that we should accomplish that goal through the use of the software and content we promote") and to providing leading-edge software, including current kernels. Given that the kernel project, too, is focused on free software, it is interesting to see a call within the Fedora community to hold back on kernel updates in order to be able to support a proprietary driver.
Firefox takes a Quantum leap forward with new developer edition (ars technica)
Ars technica takes a look at the Firefox 57 developer edition. "More important, but less immediately visible, is that Firefox 57 has received a ton of performance enhancement. Project Quantum has several strands to it: Mozilla has developed a new CSS engine, Stylo, that parses CSS files, applies the styling rules to elements on the page, and calculates object sizes and positions. There is also a new rendering engine, WebRender, that uses the GPU to draw the (styled) elements of the page. Compositor combines the individual rendered elements and builds them into a complete page, while Quantum DOM changes how JavaScript runs, especially in background tabs. As well as this new development, there's a final part, Quantum Flow, which has focused on fixing bugs and adding optimizations to those parts of the browser that aren't being redeveloped. WebRender is due to arrive in Firefox 59, but the rest of Quantum is part of Firefox 57."
Security updates for Tuesday
Security updates have been issued by Arch Linux (chromium and libraw), Gentoo (chromium, libsoup, and rar), openSUSE (openjpeg and openjpeg2), Scientific Linux (samba), and Ubuntu (libplist).
[$] Safety-critical realtime with Linux
Doing realtime processing with a general-purpose operating-system like Linux can be a challenge by itself, but safety-critical realtime processing ups the ante considerably. During a session at Open Source Summit North America, Wolfgang Maurer discussed the difficulties involved in this kind of work and what Linux has to offer.
Security updates for Monday
Security updates have been issued by Debian (bzr, clamav, libgd2, libraw, samba, and tomcat7), Fedora (drupal7-views, gnome-shell, httpd, krb5, libmspack, LibRaw, mingw-LibRaw, mpg123, pkgconf, python-jwt, and samba), Gentoo (adobe-flash, chromium, cvs, exim, mercurial, oracle-jdk-bin, php, postfix, and tcpdump), openSUSE (Chromium and libraw), Red Hat (chromium-browser), and Slackware (libxml2 and python).
Kernel prepatch 4.14-rc2
The 4.14-rc2 kernel prepatch is out. "Nothing stands out, although hopefully we've gotten over all the x86 ASID issues. Knock wood."
GitLab 10.0 Released
GitLab 10.0 has been released. "With every monthly release of GitLab, we introduce new capabilities and improve our existing features. GitLab 10.0 is no exception and includes numerous new additions, such as the ability to automatically resolve outdated merge request discussions, improvements to subgroups, and an API for Wiki thanks to a contribution from our open source community."
Announcing Intel Clear Containers 3.0
The Clear Containers team at Intel has announced the release of Clear Containers 3.0. "Completely rewritten and refactored, Clear Containers 3.0 uses Go language instead of C and introduces many new components and features. The 3.0 release of Clear Containers brings better integration into the container ecosystem and an ability to leverage code used for namespace based containers."
Facebook relicenses several projects
Facebook has announced that the React, Jest, Flow, and Immutable.js projects will be moving to the MIT license. This is, of course, a somewhat delayed reaction to the controversy over the "BSD+patent" license previously applied to those projects. "This decision comes after several weeks of disappointment and uncertainty for our community. Although we still believe our BSD + Patents license provides some benefits to users of our projects, we acknowledge that we failed to decisively convince this community."
Samba 4.7.0 released
The Samba 4.7.0 release is out. New features include whole DB read locks (a reliability improvement), support for running Active Directory domain controllers using MIT Kerberos, detailed audit trails for authentication and authorization activities, a multi-process LDAP server, better read-only domain controller support, and more. See the release notes for details.
Security updates for Friday
Security updates have been issued by CentOS (augeas, samba, and samba4), Debian (apache2, bluez, emacs23, and newsbeuter), Fedora (kernel and mingw-LibRaw), openSUSE (apache2 and libzip), Oracle (kernel), SUSE (kernel, spice, and xen), and Ubuntu (emacs24, emacs25, and samba).
[$] Notes from the LPC tracing microconference
The "tracing and BPF" microconference was held on the final day of the 2017 Linux Plumbers Conference; it covered a number of topics relevant to heavy users of kernel and user-space tracing. Read on for a summary of a number of those discussions on topics like BPF introspection, stack traces, kprobes, uprobes, and the Common Trace Format.
Security updates for Thursday
Security updates have been issued by Arch Linux (tomcat7), Debian (kernel and perl), Fedora (libwmf and mpg123), Mageia (bluez, ffmpeg, gstreamer0.10-plugins-good, gstreamer1.0-plugins-good, libwmf, tomcat, and tor), openSUSE (emacs, fossil, freexl, php5, and xen), Red Hat (augeas, rh-mysql56-mysql, samba, and samba4), Scientific Linux (augeas, samba, and samba4), Slackware (samba), SUSE (emacs and kernel), and Ubuntu (qemu).
Red Hat's new patent promise
Red Hat has announced an update to its patent promise, wherein the company says it will not enforce its patents against anybody who might be infringing them with open-source software. The new version expands the promise to all software covered by an OSI-approved license, including permissive licenses. The attached FAQ notes that Red Hat now possesses over 2,000 patents.
[$] LWN.net Weekly Edition for September 21, 2017
The LWN.net Weekly Edition for September 21, 2017 is available.
[$] Linking commits to reviews
In a talk in the refereed track of the 2017 Linux Plumbers Conference, Alexandre Courouble presented the email2git tool that links kernel commits to their review discussion on the mailing lists. Email2git is a plugin for cregit, which implements token-level history for a Git repository; we covered a talk on cregit just over one year ago. Email2git combines cregit with Patchwork to link the commit to a patch and its discussion threads from any of the mailing lists that are scanned by patchwork.kernel.org. The result is a way to easily find the discussion that led to a piece of code—or even just a token—changing in the kernel source tree.
GNOME Foundation partners with Purism to support its efforts to build the Librem 5 smartphone
Last week KDE announced that they were working with Purism on the Librem 5 smartphone. The GNOME Foundation has also provided its endorsement and support of Purism’s efforts to build the Librem 5. "As part of the collaboration, if the campaign is successful the GNOME Foundation plans to enhance GNOME shell and general performance of the system with Purism to enable features on the Librem 5. Various GNOME technologies are used extensively in embedded devices today, and GNOME developers have experienced some of the challenges that face mobile computing specifically with the Nokia 770, N800 and N900, the One Laptop Per Child project’s XO laptop and FIC’s Neo1973 mobile phone."
An intro to machine learning (Opensource.com)
Ulrich Drepper, once again an engineer at Red Hat, writes about machine learning on opensource.com. "Machine learning and artificial intelligence (ML/AI) mean different things to different people, but the newest approaches have one thing in common: They are based on the idea that a program's output should be created mostly automatically from a high-dimensional and possibly huge dataset, with minimal or no intervention or guidance from a human. Open source tools are used in a variety of machine learning and artificial intelligence projects. In this article, I'll provide an overview of the state of machine learning today."
Security updates for Wednesday
Security updates have been issued by CentOS (emacs), Debian (apache2, gdk-pixbuf, and pyjwt), Fedora (autotrace, converseen, dmtx-utils, drawtiming, emacs, gtatool, imageinfo, ImageMagick, inkscape, jasper, k3d, kxstitch, libwpd, mingw-libzip, perl-Image-SubImageFind, pfstools, php-pecl-imagick, psiconv, q, rawtherapee, ripright, rss-glx, rubygem-rmagick, synfig, synfigstudio, techne, vdr-scraper2vdr, vips, and WindowMaker), Oracle (emacs and kernel), Red Hat (emacs and kernel), Scientific Linux (emacs), SUSE (emacs), and Ubuntu (apache2).
Stable kernels 4.13.3, 4.12.14, and 4.9.51
The 4.13.3, 4.12.14, and 4.9.51 stable kernels have been released; each contains another set of important fixes. Note that this is the final update for the 4.12.x series.
[$] Building the kernel with clang
Over the years, there has been a persistent effort to build the Linux kernel using the Clang C compiler that is part of the LLVM project. We last looked in on the effort in a report from the LLVM microconference at the 2015 Linux Plumbers Conference (LPC), but we have followed it before that as well. At this year's LPC, two Google kernel engineers, Greg Hackmann and Nick Desaulniers, came to the Android microconference to update the status; at this point, it is possible to build two long-term support kernels (4.4 and 4.9) with Clang.
Moore: The 2017 Linux Security Summit
Paul Moore has posted his notes from the 2017 Linux Security Summit, held September 14 and 15 in Los Angeles. "LinuxKit was designed to make it easy for people to create their own Linux distribution, with a strong focus on minimal OS installs such as one would use in a container hosting environment. LinuxKit has several features that make it interesting from a security perspective, the most notable being the read-only rootfs which is managed using external tooling. Applications are installed via signed container images."
Security updates for Tuesday
Security updates have been issued by Arch Linux (apache and ettercap), Debian (gdk-pixbuf and newsbeuter), Red Hat (kernel), Slackware (httpd, libgcrypt, and ruby), SUSE (kernel), and Ubuntu (bind9, kernel, libidn2-0, libxml2, linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-hwe, linux-lts-trusty, and linux-lts-xenial).
Schaller: Launching Pipewire
Christian Schaller announces Pipewire, a media system that is meant to eventually replace PulseAudio and handle video as well. "Anyway as work progressed Wim decided to also take a look at Jack, as supporting the pro-audio usecase was an area PulseAudio had never tried to do, yet we felt that if we could ensure Pipewire supported the pro-audio usecase in addition to consumer level audio and video it would improve our multimedia infrastructure significantly and ensure pro-audio became a first class citizen on the Linux desktop." A video-only version will be shipping in Fedora 27.
[$] Testing kernels
New kernels are released regularly, but it is not entirely clear how much in-depth testing they are actually getting. Even the mainline kernel may not be getting enough of the right kind of testing. That was the topic for a "birds of a feather" (BoF) meeting at this year's Linux Plumbers Conference (LPC) held in mid-September in Los Angeles, CA. Dhaval Giani and Sasha Levin organized the BoF as a prelude to the Testing and Fuzzing microconference they were leading the next day.
[$] Notes from the LPC scheduler microconference
The scheduler workloads microconference at the 2017 Linux Plumbers Conference covered several aspects of the kernel's CPU scheduler. While workloads were on the agenda, so were a rework of the realtime scheduler's push/pull mechanism, a distinctly different approach to multi-core scheduling, and the use of tracing for workload simulation and analysis. As the following summary shows, CPU scheduling has not yet reached a point where all of the important questions have been answered.
EME is now a W3C recommendation
The World Wide Web Consortium has put out a press release trumpeting its publication of the "Encrypted Media Extensions" as an official recommendation and enshrining DRM into what was previously a standard for open communication. See the EFF's open letter for a less rosy view of this development. "Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. They give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities. They side against the archivists who are scrambling to preserve the public record of our era. The W3C process has been abused by companies that made their fortunes by upsetting the established order, and now, thanks to EME, they’ll be able to ensure no one ever subjects them to the same innovative pressures."
Robinson: The state of open source accelerated graphics on ARM devices
Peter Robinson looks at the state of open source accelerated graphics on ARM devices. "Despite the two bad examples above there’s actually been a lot of good change in the last five years. We now have a number of options for fully accelerated 2D/3D graphics on ARM SoCs and I run GNOME Shell on Wayland, yes the full open source shiny, on a number of different devices regularly."
Security updates for Monday
Security updates have been issued by Arch Linux (ffmpeg, lib32-libgcrypt, libgcrypt, linux-zen, and newsbeuter), Debian (emacs25, freexl, and tomcat8), Fedora (cyrus-imapd, FlightGear, freexl, gdm, kernel, LibRaw, ruby, and xen), Gentoo (binutils, chkrootkit, curl, gdk-pixbuf, gimps, git, kpathsea, mod_gnutls, perl, squirrelmail, subversion, supervisor, and webkit-gtk), Mageia (389-ds-base, kernel, kernel-linus, kernel-tmb, and mpg123), openSUSE (ffmpeg, ffmpeg2, qemu, and xen), Slackware (kernel), SUSE (xen), and Ubuntu (gdk-pixbuf).
[$] The rest of the 4.14 merge window
As is sometimes his way, Linus Torvalds released 4.14-rc1 and closed the merge window one day earlier than some might have expected. By the time, though, 11,556 non-merge changesets had found their way into the mainline repository, so there is no shortage of material for this release. Around 3,500 of those changes were pulled after the previous 4.14 merge-window summary; read on for an overview of what was in that last set.
Kernel prepatch 4.14-rc1
The 4.14-rc1 kernel prepatch is out, and the merge window is closed for this development cycle. "Yes, I realize this is a day early, and yes, I realize that if I had waited until tomorrow, I would also have hit the 26th anniversary of the Linux-0.01 release, but neither of those undeniable facts made me want to wait with closing the merge window." In the end, 11,556 non-merge changesets were pulled into the mainline for this release.
[$] Building an ARM64 laptop
Processors based on the 64-bit ARM architecture have been finding their way into various types of systems, including mobile handsets and servers. There is a distinct gap in the middle of the range, though: there are no ARM64 laptops. Bernhard Rosenkränzer and a group of colleagues set out to change that situation by building such a laptop from available components. He showed up at the 2017 Open Source Summit North America to present the result.
Malicious software libraries found in PyPI
An advisory from the National Security Authority of Slovakia warns that they have found fake packages in PyPI, posing as well known libraries. "Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent example includes urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code." The administrators of PyPI were informed and the fake packages are gone now, however they were available from June 2017 to September 2017. (Thanks to Paul Wise)
Security updates for Friday
Security updates have been issued by Arch Linux (flashplugin, kernel, lib32-flashplugin, and linux-lts), CentOS (postgresql), Debian (tcpdump and wordpress-shibboleth), Fedora (lightdm, python-django, and tomcat), Mageia (flash-player-plugin and libsndfile), openSUSE (chromium, cvs, kernel, and libreoffice), Oracle (postgresql), and Ubuntu (libgcrypt20 and thunderbird).
Purism and KDE to work together on free smartphone
Purism and KDE are working together to adapt Plasma Mobile to Purism's Librem 5 smartphone. "The shared vision of freedom, openness and personal control for end users has brought KDE and Purism together in a common venture. Both organisations agree that cooperating will help bring a truly free and open source smartphone to the market. KDE and Purism will work together to make this happen."
A pile of stable kernel updates
The stable-kernel update train continues with the release of 4.13.2, 4.12.13, 4.9.50, 4.4.88, and 3.18.71. Among other things, these updates contain the fix for the recently disclosed Bluetooth vulnerability.
Security updates for Thursday
Security updates have been issued by Arch Linux (tcpdump), CentOS (bluez and kernel), Debian (wordpress-shibboleth), Fedora (augeas, bluez, emacs, and libwmf), Oracle (kernel), Red Hat (instack-undercloud, kernel, openvswitch, and postgresql), Scientific Linux (postgresql), SUSE (kernel and xen), and Ubuntu (tcpdump).
Verified cryptography for Firefox 57
The Mozilla Security Blog announces that Firefox 57 will benefit from the addition of a formally verified crypto package. "The first result of this collaboration, an implementation of the Curve25519 key establishment algorithm (RFC7748), has just landed in Firefox Nightly. Curve25519 is widely used for key-exchange in TLS, and was recently standardized by the IETF. As an additional bonus, besides being formally verified, the HACL* Curve25519 implementation is also almost 20% faster on 64 bit platforms than the existing NSS implementation (19500 scalar multiplications per second instead of 15100) which represents an improvement in both security and performance to our users."
[$] LWN.net Weekly Edition for September 14, 2017
The LWN.net Weekly Edition for September 14, 2017 is available.
[$] Antipatterns in IoT security
Security for Internet of Things (IoT) devices is something of a hot topic over the last year or more. Marti Bolivar presented an overview of some of the antipatterns that are leading to the lack of security for these devices at a session at the 2017 Open Source Summit North America in Los Angeles. He also had some specific recommendations for IoT developers on how to think about these problems and where to turn for help in making security a part of the normal development process.
FSFE: Public Money? Public Code!
The Free Software Foundation Europe has joined several organizations in publishing an open letter urging lawmakers to advance legislation requiring publicly financed software developed for the public sector be made available under a Free and Open Source Software license. "The initial signatories include CCC, EDRi, Free Software Foundation Europe, KDE, Open Knowledge Foundation Germany, openSUSE, Open Source Business Alliance, Open Source Initiative, The Document Foundation, Wikimedia Deutschland, as well as several others; they ask individuals and other organisation to sign the open letter. The open letter will be sent to candidates for the German Parliament election and, during the coming months, until the 2019 EU parliament elections, to other representatives of the EU and EU member states."
GNOME 3.26 released
The GNOME Project has announced the release of GNOME 3.26 "Manchester". "This release brings refinements to the system search, animations for maximizing and unmaximizing windows and support for color Emoji. Improvements to core GNOME applications include a redesigned Settings application, a new display settings panel, Firefox sync in the Web browser, and many more." There are openSUSE nightly live images that include GNOME 3.26.