Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-09-14 15:45
Security updates for Monday
Security updates have been issued by Arch Linux (curl, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, libmupdf, mupdf, mupdf-gl, mupdf-tools, and zathura-pdf-mupdf), CentOS (liblouis), Debian (graphicsmagick, imagemagick, irssi, openssl, openssl1.0, redis, and wordpress), Mageia (lucene, poppler, and x11-server), SUSE (libwpd and webkit2gtk3), and Ubuntu (liblouis).
[$] Kernel regression tracking, part 2
The tracking of kernel regressions was discussed at the 2017 Kernel Summit; the topic made a second appearance at the first-ever Maintainers Summit two days later. This session was partly a repeat of what came before for the benefit of those (including Linus Torvalds) who weren't at the first discussion, but some new ground was covered as well.
Kernel prepatch 4.14-rc8
The 4.14-rc8 kernel prepatch is out for testing. "But to actually have decided that we don't need an rc8 this release, it would have had to be really totally quiet, and it wasn't. Nothing looks scary, but we did have a few reverts in here still, and I'll just feel happier giving 4.14 another final week... and I really hope that _will_ be the final week, and we don't find anything new scary." Along with the various fixes, this prepatch also adds SPDX license tags to a lot of kernel source files.
Tarreau: Look back to an end-of-life LTS kernel: 3.10
Willy Tarreau reflects on his experience maintaining the 3.10 long-term kernel on the occasion of the release of the final update, 3.10.108. "First, there's no such notion of 'important fixes'. Even serious vendors employing several kernel developers got caught missing some apparently unimportant fixes and remaining vulnerable for more than two years after LTS was fixed. So you can imagine the level of quality you may expect from a $60 WiFi router vendor claiming to apply the same practices... The reality is that a bug is a bug, and until it's exploited it's not considered a vulnerability."
We're switching to a DCO for source code contributions (GitLab blog)
The GitLab open-source (and open-core) project hosting site has announced that it is moving away from its Contributor License Agreement (CLA) to a Developers Certificate of Origin (DCO), which is what is used by the Linux kernel, for example, to cover contributions made to its code base. "A Contributor License Agreement (CLA) is the industry standard for open source contributions to other projects, but it's unpopular with developers, who don't want to enter into legal terms and are put off by having to review a lengthy contract and potentially give up some of their rights. Contributors find the agreement unnecessarily restrictive, and it's deterring developers of open source projects from using GitLab. We were approached by Debian developers to consider dropping the CLA, and that's what we're doing." LWN looked at some of the background of this issue back in June.
SFLC Files Bizarre Legal Action Against Its Former Client, Software Freedom Conservancy (Conservancy Blog)
The Software Freedom Conservancy (SFC) blog reveals a recent action taken by the Software Freedom Law Center (SFLC) to try to cancel the trademark for SFC. On September 22, SFLC filed a complaint with the US Patent and Trademark Office asking that the trademark be canceled because there is a likelihood of confusion between the trademarks: "Registrant's SOFTWARE FREEDOM CONSERVANCY Mark is confusingly similar to Petitioner's SOFTWARE FREEDOM LAW CENTER Mark." On November 2, SFC filed a response that lists the defenses it plans to use. From the blog post: "We are surprised and sad that our former attorneys, who kindly helped our organization start in our earliest days and later excitedly endorsed us when we moved from a volunteer organization to a staffed one, would seek to invalidate our trademark. Conservancy and SFLC are very different organizations and sometimes publicly disagree about detailed policy issues. Yet, both non-profits are charities organized to promote the public's interest. Thus, we are especially disappointed that SFLC would waste the precious resources of both organizations in this frivolous action."
Security updates for Friday
Security updates have been issued by Debian (bchunk and openjdk-8), Fedora (kernel and seamonkey), Mageia (ansible, sdl2, sdl2_image, mingw, and tomcat), Oracle (kernel and liblouis), Red Hat (liblouis and samba), Scientific Linux (liblouis), Slackware (mariadb and openssl), and SUSE (ceph, kernel, and qemu).
[$] A kernel self-testing update
Shuah Khan is the maintainer of the kernel's self-test subsystem. At the 2017 Kernel Summit, she presented an update on the recent developments in kernel testing and led a related discussion. Much work has happened around self-testing in the kernel, but there remains a lot to be done.
Four new stable kernels
The 4.13.11, 4.9.60, 4.4.96, and 3.18.79 stable kernels have been released by Greg Kroah-Hartman. There are, as usual, important fixes throughout the tree in these updates and users of those kernel series should upgrade.
Security updates for Thursday
Security updates have been issued by Debian (thunderbird), Fedora (glusterfs, gnome-shell, java-1.8.0-openjdk, lucene, openvpn, poppler, and xen), openSUSE (xen), and Ubuntu (libreoffice and samba).
[$] LWN.net Weekly Edition for November 2, 2017
The LWN.net Weekly Edition for November 2, 2017 is available.
Canonical joins GNOME Foundation Advisory Board (Ubuntu Insights)
On the Ubuntu Insights blog, Canonical has announced that it has joined the GNOME Foundation advisory board. "We hope to share the results of our many years of user research, testing plus the needs of our large and diverse user base to help map out the best way for the entire GNOME ecosystem to benefit from our membership. The GNOME community have been very welcoming to Ubuntu, and we are already seeing the fruits of their labour in 17.10. Night Light, Captive Portal detection, the new Control Center, and a host of new features are now available to Ubuntu Desktop users by default by way of the GNOME desktop. We look forward to working closely with the GNOME Foundation, and to many years of happy collaboration."
[$] Using eBPF and XDP in Suricata
Much software that uses the Linux kernel does so at comparative arms-length: when it needs the kernel, perhaps for a read or write, it performs a system call, then (at least from its point of view) continues operation later, with whatever the kernel chooses to give it in reply. Some software, however, gets pretty intimately involved with the kernel as part of its normal operation, for example by using eBPF for low-level packet processing. Suricata is such a program; Eric Leblond spoke about it at Kernel Recipes 2017 in a talk entitled "eBPF and XDP seen from the eyes of a meerkat".
Security updates for Wednesday
Security updates have been issued by Debian (graphicsmagick, libdatetime-timezone-perl, openjpeg2, thunderbird, and tzdata), Fedora (curl, glusterfs, java-1.8.0-openjdk, lame, lucene, SDL2, systemd, and xen), Red Hat (python-django), and Ubuntu (linux-lts-trusty and quagga).
[$] Improving printk()
When a kernel developer wants to communicate a message to user space, be it for debugging or to report a serious problem with the system, the venerable printk() function is usually the tool of choice. But, as Steve Rostedt (accompanied by Petr Mladek and Sergey Senozhatsky) noted during a brief session at the 2017 Kernel Summit, printk() has not aged well. In particular, it can affect the performance of the system as a whole; the roots of that problem and a possible solution were discussed, but a real solution will have to wait for the appearance of the code.
Kügler: Plasma Mobile Roadmap
On his blog, Sebastian Kügler sets out a roadmap for Plasma Mobile, which is a project that "aims to become a complete and open software system for mobile devices". There is already a prototype version available, the next step is the "feature phone" milestone (which will be followed by the "basic smartphone" and "featured smartphone" milestones). "The feature phone milestone is what we’re working on right now. This involves taking the prototype and fixing all the basic things to turn it into something usable. Usable doesn’t mean 'usable for everyone', but it should at least be workable for a subset of people that only rely on basic features — 'simple' things. Core features should work flawlessly once this milestone is achieved. With core features, we’re thinking along the lines of making phone calls, using the address book, manage hardware functions such as network connectivity, volume, screen, time, language, etc.. Aside from these very core things for a phone, we want to provide decent integration with a webbrowser (or provide our own), app store integration likely using store.kde.org, so you can get apps on and off the device, taking photos, recording videos and watching these media. Finally, we want to settle for an SDK which allows third party developers to build apps to run on Plasma Mobile devices. Getting this to work is no small feat, but it allows us to receive real-world feedback and provide a stable base for third-party products. It makes Plasma Mobile a viable target for future product development."
[$] Kernel regression tracking, part 1
The kernel development community has run for some years without anybody tracking regressions; that changed one year ago when Thorsten Leemhuis stepped up to the task. Two conversations were held on the topic at the 2017 Kernel and Maintainers summits in Prague; this article covers the first of those, held during the open Kernel-Summit track.
Security updates for Tuesday
Security updates have been issued by Debian (libav, quagga, wordpress, and wpa), Mageia (exiv2, irssi, opensc_etc, procmail, rpm, and wget), SUSE (kernel), and Ubuntu (kernel, linux, linux-raspi2, linux-gcp, linux-hwe, and linux-lts-xenial).
[$] Restartable sequences and ops vectors
Some technologies find their way into the kernel almost immediately; others need to go through multiple iterations over a number of years first. Restartable sequences, a mechanism for lockless concurrency control in user space, fall into the latter category. At the 2017 Kernel Summit, Mathieu Desnoyers discussed yet another implementation of this concept — but this one may not be the last word either.
[$] GStreamer: state of the union
The annual GStreamer conference took place October 21-22 in Prague, (unofficially) co-located with the Embedded Linux Conference Europe. The GStreamer project is a library for connecting media elements such as sources, encoders and decoders, filters, streaming endpoints, and output sinks of all sorts into a fully customizable pipeline. It offers cross-platform support, a large set of plugins, modern streaming and codec formats, and hardware acceleration as some of its features. Kicking off this year's conference was Tim-Philipp Müller with his report on the last 12 months of development and what we can look forward to next.
Security updates for Monday
Security updates have been issued by Arch Linux (apr, apr-util, chromium, and wget), CentOS (tomcat and tomcat6), Debian (curl, git-annex, golang, shadowsocks-libev, and wget), Fedora (libextractor and sssd), Gentoo (apache, asterisk, jython, oracle-jdk-bin, and xorg-server), openSUSE (chromium, curl, gcc48, GraphicsMagick, hostapd, kernel, libjpeg-turbo, libvirt, mysql-community-server, openvpn, SDL2, tcpdump, and wget), Oracle (tomcat and tomcat6), Red Hat (chromium-browser, tomcat, and tomcat6), Scientific Linux (tomcat and tomcat6), Slackware (php and wget), SUSE (firefox, mozilla-nss, kernel, wget, and xen), and Ubuntu (mysql-5.5, poppler, and wget).
Kernel prepatch 4.14-rc7
The 4.14-rc7 kernel prepatch is out for testing. "Still, considering the issues we've had, I likely will do an rc8 unless this upcoming week ends up being _so_ quiet that there's no point. Which while unlikely would be lovely..."
[$] Another attempt to address the tracepoint ABI problem
Tracepoints provide a great deal of visibility into the inner workings of the kernel, which is both a blessing and a curse. The advantages of knowing what the kernel is doing are obvious; the disadvantage is that tracepoints risk becoming a part of the kernel's ABI if applications start to depend on them. The need to maintain tracepoints could impede the ongoing development of the kernel. Ways of avoiding this problem have been discussed for years; at the 2017 Kernel Summit, Steve Rostedt talked about yet another scheme.
Security updates for Friday
Security updates have been issued by CentOS (ntp and wget), Debian (exiv2, mosquitto, and zoneminder), Mageia (upx and virtualbox), Oracle (ntp and wget), Red Hat (wget), Scientific Linux (wget), SUSE (xen), and Ubuntu (irssi, systemd, and wget).
A set of stable kernel updates
The 4.13.10, 4.9.59, 4.4.95, and 3.18.78 stable kernel updates have been released; each contains the usual set of important fixes and updates.
[$] The state of the realtime union
The 2017 Realtime Summit was held October 21 at Czech Technical University in Prague to discuss all manner of topics related to realtime Linux. Nearly two years ago, a collaborative project was formed with the goal of mainlining the realtime patch set. At the summit, project lead Thomas Gleixner reported on the progress that has been made and the plans for the future.
Security updates for Thursday
Security updates have been issued by Fedora (cacti, glibc, kernel, libXfont, libXfont2, mingw-poppler, nodejs-forwarded, procmail, SDL2, thunderbird, and tnef), openSUSE (freeradius-server, kernel, and libraw), Oracle (kernel), Red Hat (ntp), Scientific Linux (ntp), Slackware (irssi), SUSE (kernel), and Ubuntu (python-werkzeug).
[$] LWN.net Weekly Edition for October 26, 2017
The LWN.net Weekly Edition for October 26, 2017 is available.
The Linux Foundation's annual kernel development report
The Linux Foundation has announced the availability of its roughly annual report on kernel development. "This is the eighth such report that is released on a roughly annual basis to help illustrate the Linux kernel development process and the work that defines the largest collaborative project in the history of computing. This year’s paper covers work completed through Linux kernel 4.13, with an emphasis on releases 4.8 to 4.13." This report, written by LWN editor Jonathan Corbet and Greg Kroah-Hartman, will have little that's new to regular LWN readers, but there is a set of nice developer profiles.
[$] From lab to libre software: how can academic software research become open source?
Academics generate enormous amounts of software, some of which inspires commercial innovations in networking and other areas. But little academic software gets released to the public and even less enters common use. Is some vast "dark matter" being overlooked in the academic community? Would the world benefit from academics turning more of their software into free and open projects?
SciPy 1.0 released
The SciPy project has announced the release of SciPy 1.0. The "Python-based ecosystem of open-source software for mathematics, science, and engineering" has been around for 16 years since version 0.1 and, in reality, the 1.0 designation is overdue. "Some key project goals, both technical (e.g. Windows wheels and continuous integration) and organisational (a governance structure, code of conduct and a roadmap), have been achieved recently. Many of us are a bit perfectionist, and therefore are reluctant to call something '1.0' because it may imply that it's 'finished' or 'we are 100% happy with it'. This is normal for many open source projects, however that doesn't make it right. We acknowledge to ourselves that it's not perfect, and there are some dusty corners left (that will probably always be the case). Despite that, SciPy is extremely useful to its users, on average has high quality code and documentation, and gives the stability and backwards compatibility guarantees that a 1.0 label imply." Beyond the Windows wheels (a binary distribution format) mentioned above, there are some other new features in the release: continuous-integration coverage for macOS and Windows, a set of new ordinary differential equation solvers and a unified interface to them, two new trust region optimizers and a new linear programming method, many new BLAS and LAPACK functions were wrapped, and more.
Security updates for Wednesday
Security updates have been issued by Debian (curl and mupdf), Fedora (glibc, SDL2, and sssd), Mageia (kernel, kernel-linus, and kernel-tmb), and Ubuntu (apache2 and subversion).
[$] A block layer introduction part 1: the bio layer
One of the key values provided by an operating system like Linux is that it provides abstract interfaces to concrete devices. Though the original "character device" and "block device" abstractions have been supplemented with various others including "network device" and "bitmap display", the original two have not lost their importance. The block device interface, in particular, is still central to managing persistent storage and, even with the growth of persistent memory, this central role is likely to remain for some time. Unpacking and explaining some of that role is the goal of this pair of articles.
Security updates for Tuesday
Security updates have been issued by CentOS (kernel), Fedora (check-mk and dnsmasq), Mageia (kernel-linus, kernel-tmb, mysql-connector-java, and recode), openSUSE (irssi and jq), Red Hat (httpd24, java-1.6.0-sun, and java-1.7.0-oracle), Slackware (curl), SUSE (openvpn), and Ubuntu (bzr, curl, icu, libffi, libidn, mysql-5.5, mysql-5.7, nvidia-graphics-drivers-384, pacemaker, and webkit2gtk).
[$] Patch flow into the mainline for 4.14
There is a lot of information buried in the kernel's Git repositories that, if one looks closely enough, can yield insights into how the development community works in the real world. It can show how the idealized hierarchical model of the kernel development community matches what actually happens and provide a picture of how the community's web of trust is used to verify contributions. Read on for an analysis of the merge operations that went into the 4.14 development cycle.
[$] Digging in the kernel dust
Refactoring the kernel means taking some part of the kernel that is showing its age and rewriting it so it works better. Thomas Gleixner has done a lot of this over the past decade; he spoke at Kernel Recipes about the details of some of that work and the lessons that he learned. By way of foreshadowing how much fun this can be, he subtitled the talk "Digging in Dust".
Kernel prepatch 4.14-rc6
The 4.14-rc6 kernel prepatch is out. "rc6 is a bit larger than I was hoping for, and I'm not sure whether that is a sign that we _will_ need an rc8 after all this release (which wouldn't be horribly surprising), or whether it's simply due to timing. I'm going to leave that open for now, so just know that rc8 _may_ happen."
Linux Foundation debuts Community Data License Agreement
The Linux Foundation has announced a pair of licenses for data that are modeled on the two broad categories of free-software licenses: permissive and copyleft. The Community Data License Agreement (CDLA) comes in two flavors: Sharing that "encourages contributions of data back to the data community" and Permissive that allows the data to be used without any further requirements. "Inspired by the collaborative software development models of open source software, the CDLA licenses are designed to enable individuals and organizations of all types to share data as easily as they currently share open source software code. Soundly drafted licensing models can help people form communities to assemble, curate and maintain vast amounts of data, measured in petabytes and exabytes, to bring new value to communities of all types, to build new business opportunities and to power new applications that promise to enhance safety and services. The growth of big data analytics, machine learning and artificial intelligence (AI) technologies has allowed people to extract unprecedented levels of insight from data. Now the challenge is to assemble the critical mass of data for those tools to analyze. The CDLA licenses are designed to help governments, academic institutions, businesses and other organizations open up and share data, with the goal of creating communities that curate and share data openly."
Stable kernels 4.13.9, 4.9.58, 4.4.94, and 3.18.77
Greg Kroah-Hartman has announced the release of four new stable kernels: 4.13.9, 4.9.58, 4.4.94, and 3.18.77. There are fixes throughout the tree in them, so users of those series should upgrade.
Security updates for Monday
Security updates have been issued by Arch Linux (irssi, musl, and xorg-server), CentOS (httpd and java-1.8.0-openjdk), Debian (libav, ming, and openjfx), Fedora (ImageMagick, libwpd, rubygem-rmagick, and sssd), Gentoo (adobe-flash, chromium, dnsmasq, go, kodi, libpcre, and openjpeg), openSUSE (bluez, exiv2, python3-PyJWT, salt, xen, xerces-j2, and xorg-x11-server), Oracle (java-1.8.0-openjdk and kernel), Red Hat (java-1.8.0-oracle and rh-nodejs4-nodejs), and Scientific Linux (java-1.8.0-openjdk).
Schaller: Looking back at Fedora Workstation so far
Christian Schaller has posted a list of the Fedora Workstation project's accomplishments since its inception. "Wayland – We been the biggest contributor since we joined the effort and have taken the lead on putting in place all the pieces needed for actually using it on a desktop, including starting to ship it as our primary offering in Fedora Workstation 25. This includes putting a lot of effort into ensuring that XWayland works smoothly to ensure full legacy application support." The list as a whole is quite long.
[$] A look at the 4.14 development cycle
The 4.14 kernel, due in the first half of November, is moving into the relatively slow part of the development cycle as of this writing. The time is thus ripe for a look at the changes that went into this kernel cycle and how they got there. While 4.14 is a fairly typical kernel development cycle, there are a couple of aspects that stand out this time around.
Firefox 57 coming soon: a Quantum leap (Fedora Magazine)
The upcoming Firefox 57 release presents a challenge to distributors, who have to decide when and how to ship a major update that will break a bunch of older extensions. This Fedora Magazine article describes the plan that Fedora has come up with for this transition. "Users probably shouldn’t 'hold back at FF56 as my favorite extensions don’t work.' Recall that security fixes only come from new versions, and they’ll all be WebExtension only. The Extended Support Release version will also switch to WebExtensions only at the next release. This date, June 2018, marks the deadline for ESR users to migrate their extensions."
Security updates for Friday
Security updates have been issued by Arch Linux (chromium), Debian (jackson-databind, libvirt, and mysql-5.5), Fedora (SDL2_image), Mageia (db53, kernel, poppler, and wpa_supplicant, hostapd), Oracle (httpd), Red Hat (ansible, chromium-browser, httpd, java-1.8.0-openjdk, kernel, and kernel-rt), and Scientific Linux (httpd and kernel).
LEDE v17.01.4 service release
Version 17.01.4 of the LEDE router distribution is available with a number of important fixes. "While this release includes fixes for the bugs in the WPA Protocol disclosed earlier this week, these fixes do not fix the problem on the client-side. You still need to update all your client devices. As some client devices might never receive an update, an optional AP-side workaround was introduced in hostapd to complicate these attacks, slowing them down."
Apache OpenOffice 4.1.4 released
The OpenOffice 4.1.4 release is finally available; see this article for some background on this release. The announcement is all bright and sunny, but a look at the August 16 Apache board minutes shows concern about the state of the project. Indeed, the OpenOffice project management committee was, according to these minutes, supposed to post an announcement about the state of the project; it would appear that has not yet happened.
Samsung to support Linux distributions on Galaxy handsets
Here's a Samsung press release describing the company's move into the "run Linux on your phone" space. "Installed as an app, Linux on Galaxy gives smartphones the capability to run multiple operating systems, enabling developers to work with their preferred Linux-based distributions on their mobile devices. Whenever they need to use a function that is not available on the smartphone OS, users can simply switch to the app and run any program they need to in a Linux OS environment."
Ubuntu 17.10 (Artful Aardvark) released
The Ubuntu 17.10 release is out. "Under the hood, there have been updates to many core packages, including a new 4.13-based kernel, glibc 2.26, gcc 7.2, and much more. Ubuntu Desktop has had a major overhaul, with the switch from Unity as our default desktop to GNOME3 and gnome-shell. Along with that, there are the usual incremental improvements, with newer versions of GTK and Qt, and updates to major packages like Firefox and LibreOffice." See the release notes for more information.
Security updates for Thursday
Security updates have been issued by CentOS (wpa_supplicant), Debian (db, db4.7, db4.8, graphicsmagick, imagemagick, nss, and yadifa), Fedora (ImageMagick, rubygem-rmagick, and upx), Mageia (flash-player-plugin, libxfont, openvpn, ruby, webmin, and wireshark), openSUSE (cacti, git, and upx), Oracle (wpa_supplicant), Red Hat (kernel-rt, rh-nodejs4-nodejs-tough-cookie, rh-nodejs6-nodejs-tough-cookie, and wpa_supplicant), Scientific Linux (wpa_supplicant), and Slackware (libXres, wpa_supplicant, and xorg).
[$] LWN.net Weekly Edition for October 19, 2017
The LWN.net Weekly Edition for October 19, 2017 is available.