LWN.net

Intel has respondedto reports of security issues in its processors:Recent reports that these exploits are caused by a “bug” or a“flaw” and are unique to Intel products are incorrect. Based on theanalysis to date, many types of computing devices — with manydifferent vendors’ processors and operating systems — aresusceptible to these exploits.Intel is committed to product and customer security and is workingclosely with many other technology companies, including AMD, ARMHoldings and several operating system vendors, to develop anindustry-wide approach to resolve this issue promptly andconstructively. Intel has begun providing software and firmwareupdates to mitigate these exploits. Contrary to some reports, anyperformance impacts are workload-dependent, and, for the averagecomputer user, should not be significant and will be mitigated overtime.Stay tuned, there is certainly more to come.

The 4.15 kernel is likely to require a relatively long development cycle asa result of the post-rc5 merge of the kernelpage-table isolation patches. That said, it should be in somethingclose to its final form, modulo some inevitable bug fixes. The developmentstatistics for this kernel release look fairly normal, but they do reveal anunexpectedly busy cycle overall.

The OpenWrt and LEDE projects have announcedtheir unification under the OpenWrt name. The old OpenWrt CC 15.05release series will receive a limited amount of security and bug fixes, butthe current LEDE 17.01 series is the most up-to-date. "The mergedproject will use the code base of the former LEDE project. OpenWrt specificpatches not present in the LEDE repository but meeting LEDEs code qualityrequirements got integrated into the new tree. The source code will behosted at git.openwrt.org with acontinuously synchronized mirror hosted at Github. The original OpenWrtcodebase has been archived onGithub for future reference."

Back in October, LWN reported on a talkabout thestate of the GNU Privacy Guard (GnuPG)project, an asymmetric public-key encryption and signing tool that had been almost abandoned by its lead developer due to lackof resources before receiving a significant infusion of funding and communityattention. GnuPG 2 has brought about a number of changes andimprovements but, at the same time, several efforts are underway to significantly change the wayGnuPG and OpenPGP are used. This article will look at the currentstate of GnuPG and the OpenPGP web of trust, as compared to new implementationsof the OpenPGP standard and other trust systems.

Security updates have been issued by Debian (poppler), Fedora (glibc, phpMyAdmin, python33, and xen), Mageia (awstats, binutils, connman, elfutils, fontforge, fossil, gdb, gimp, jbig2dec, libextractor, libical, libplist, mbedtls, mercurial, OpenEXR, openldap, perl-DBD-mysql, podofo, python-werkzeug, raptor2, rkhunter, samba, w3m, and wayland), and Ubuntu (firefox).

The4.14.11,4.9.74,4.4.109, and3.18.91stable kernel updates have been released with another set of significantfixes and updates. Note that 4.14.11 also includes the remainder of thekernel page-table isolation patches.

Welcome to the first LWN.net feature article for 2018. The holidays areover and it's time to get back to work. One of the first orders ofbusiness here at LWN is keeping up with our ill-advised tradition of makingunlikely predictions for the coming year. There can be no doubt that 2018will be an eventful and interesting year; here's our attempt at guessinghow it will play out.

Linux Journal isback. "Talk about a Happy New Year. The reason: it turns out we're not dead. In fact, we're more alive than ever, thanks to a rescue by readers—specifically, by the hackers who run Private Internet Access (PIA) VPN, a London Trust Media company. PIA are avid supporters of freenode and the larger FOSS community. They’re also all about Linux and the rest of the modern portfolio of allied concerns: privacy, crypto, freedom, personal agency, rewriting the rules of business and government around all of those, and having fun with constructive hacking of all kinds. We couldn’t have asked for a better rescue ship to come along for us."

It turns out that Linux Journal isn'tshutting down after all. "In fact, we're more alive than ever,thanks to a rescue by readers—specifically, by the hackers who run PrivateInternet Access (PIA) VPN, a London Trust Media company. PIA are avidsupporters of freenode and the larger FOSS community."

Security updates have been issued by Debian (imagemagick), Fedora (chromium), and Mageia (iceape, libzip, and mad).

Security updates have been issued by Debian (asterisk, gimp, thunderbird, and wireshark), Fedora (global, python-mistune, and thunderbird-enigmail), Mageia (apache, bind, emacs, ffmpeg, freerdp, gdk-pixbuf2.0, gstreamer0.10-plugins-bad/gstreamer1.0-plugins-bad, gstreamer0.10-plugins-ugly, gstreamer0.10-plugins-ugly/gstreamer1.0-plugins-ugly, gstreamer1.0-plugins-bad, heimdal, icu, ipsec-tools, jasper, kdebase4-runtime, ldns, libvirt, mupdf, ncurses, openjpeg2, openssh, python/python3, ruby, ruby-RubyGems, shotwell, thunderbird, webkit2, and X11 client libraries), openSUSE (gdk-pixbuf and phpMyAdmin), and SUSE (java-1_7_1-ibm).

The 4.15-rc6 kernel prepatch has beenreleased for testing. "This would have been a very quiet week, if itwasn't for the final x86 PTI stuff - and that shows in the diffstattoo. About half the rc6 work is x86 updates. The timing for this isn'twonderful, but it all looks nice and clean."

Linus has mergedthe kernel page-table isolation patch setinto the mainline just ahead of the 4.15-rc6 release. This is afundamental change that was added quite late in the development cycle; itseems a fair guess that 4.15 will have to go to -rc8, at least, before it'sready for release.

Greg Kroah-Hartman has announced the release of the 4.14.10 and 4.9.73 stable kernels. Both have fixesacross the tree, though 4.14.10 is rather larger and contains more of thekernel page-table isolation work.

Security updates have been issued by Debian (imagemagick, mercurial, and thunderbird), Fedora (asterisk, libexif, python-mistune, sensible-utils, shellinabox, and webkitgtk4), Mageia (glibc, kernel-firmware, and phpmyadmin), and openSUSE (global).

Security updates have been issued by Fedora (asterisk, evince, lynx, ruby, sensible-utils, and shellinabox) and SUSE (GraphicsMagick and java-1_7_1-ibm).

The Debian Project has been working on replacing git.debian.org with aGitLab based service at https://salsa.debian.org. ActiveDebian Developers already have accounts. "External users are invitedto create an account on salsa. To avoid clashes with future DebianDevelopers, we are enforcing a '-guest' suffix for any guest username. Therefore we developed a self-service portal which allows non-DebianDevelopers to sign up, available at https://signup.salsa.debian.org.Please keep in mind that your username will have '-guest' appended."

Security updates have been issued by Debian (enigmail, gimp, irssi, kernel, rsync, ruby1.8, and ruby1.9.1), Fedora (json-c and kernel), Mageia (libraw and transfig), openSUSE (enigmail, evince, ImageMagick, postgresql96, python-PyJWT, and thunderbird), Slackware (mozilla), and SUSE (evince).

The4.14.9,4.9.72,4.4.108, and3.18.90stable kernel updates have been released with a large set of importantfixes. The 4.14.9 update includes thekernel page-table isolation precursorpatches that also just landed in 4.15-rc5.

The 4.15-rc5 kernel prepatch is out."This (shortened) week ended up being fairly normal for rc5, with theexception of the ongoing merging of the x86 low-level prep for kernelpage table isolation that continues and is noticeable. In fact, abouta third of the rc5 patch is x86 updates due to that."

Jann Horn has reported eight bugs in theeBPF verifier, one for the 4.9 kernel and seven introduced in 4.14, to theoss-security mailing list. Someof these bugs result in eBPF programs being able to read and write arbitrarykernel memory, thus can be used for a variety of ill effects, includingprivilege escalation. As Ben Hutchings notes,one mitigation would be to disable unprivileged access to BPF using thefollowing sysctl:kernel.unprivileged_bpf_disabled=1. More information can also be foundin this ProjectZero bug entry. The fixes are not yet in the mainline tree, but are inthe netdev tree. Hutchings goes on to say: "There is a publicexploit that uses several of these bugs to get root privileges. It doesn'twork as-is on stretch [Debian 9] with the Linux 4.9 kernel, but is easy to adapt. Irecommend applying the above mitigation as soon as possible to all systemsrunning Linux 4.4 or later."

In the previous article of this series, I discussed how to use eBPF to safely run code supplied byuser space inside of the kernel. Yet one of eBPF's biggest challengesfor newcomers is that writing programs requires compiling and linking tothe eBPF library from the kernel source. Kernel developers might alwayshave a copy of the kernel source within reach, but that's not so forengineers working on production or customer machines.

The Register reportsthat the grsecurity defamation suit filed against Bruce Perens has beentossed out of court. "On Thursday, the judge hearing the case, SanFrancisco magistrate judge Laurel Beeler, granted Peren's motion to dismissthe complaint while also denying – for now – his effort to invokeCalifornia's anti-SLAPP law."

The Free Software Foundation (FSF) has announced that it added PureOS to its list of endorsed Linux distributions. "'PureOS is a GNU operating system that embodies privacy, security, and convenience strictly with free software throughout. Working with the Free Software Foundation in this multi-year endorsement effort solidifies our longstanding belief that free software is the nucleus for all things ethical for users. Using PureOS ensures you are using an ethical operating system, committed to providing the best in privacy, security, and freedom,' said Todd Weaver, Founder & CEO of Purism."

Here's thelatest from Eben Moglen on the Software Freedom Law Center's trademarkattack against the Software Freedom Conservancy. "We propose ageneral peace, releasing all claims that the parties have against oneanother, in return for an iron-clad agreement for mutual non-disparagement,binding all the organizations and individuals involved, with strongsafeguards against breach. SFLC will offer, as part of such an overallagreement, a perpetual, royalty-free trademark license for the SoftwareFreedom Conservancy to keep and use its present name, subject to agreedmeasures to prevent confusion, and continued observance of thenon-disparagement agreement."In the spirit of non-disparagement,it also says: "In view of this evidence and the sworn pleadingsubmitted by the Conservancy, we have now moved to amend our petition, tostate as a second ground for the cancellation that the trademark wasobtained by fraud."

Security updates have been issued by Debian (bouncycastle, enigmail, and sensible-utils), Fedora (kernel), Mageia (dhcp, flash-player-plugin, glibc, graphicsmagick, java-1.8.0-openjdk, kernel, kernel-linus, kernel-tmb, mariadb, pcre, rootcerts, rsync, shadow-utils, and xrdp), and SUSE (java-1_8_0-ibm and kernel).

Security updates have been issued by Debian (libreoffice, openafs, and otrs2) and SUSE (ImageMagick).

The LWN.net Weekly Edition for December 21, 2017 is available.

The Docker (now Moby) project hasdone a lot to popularize containers in recent years. Along the way,though, it has generated concerns about its concentration of functionalityinto a single, monolithic system under the control of a single daemonrunning with root privileges: dockerd. Those concerns werereflected in a talkby Dan Walsh, head of the container team at Red Hat, at KubeCon +CloudNativeCon. Walsh spoke about the work the container team is doingto replace Docker with a set of smaller, interoperable components. His rallying cry is "no big fatdaemons" as he finds them to be contrary to the venerated Unix philosophy.

As we briefly mentioned in our overview article aboutKubeCon + CloudNativeCon, there are multiple container "runtimes", which areprograms that can create and execute containers that are typically fetchedfrom online images. That space is slowly reaching maturity both in termsof standards and implementation: Docker's containerd 1.0 was releasedduring KubeCon, CRI-O 1.0 was released a few months ago, and rkt isalso still in the game. With all of those runtimes, it may be a confusingtime for those looking at deploying their own container-based systemor Kubernetes cluster fromscratch. This article will try to explain what container runtimes are, what they do, how they compare with each other, andhow to choose the right one. It also provides a primer on containerspecifications and standards.

The December 21 LWN Weekly Edition will be the final one for 2017; asusual, we will take the last week of the year off and return onJanuary 4. It's that time of year where one is moved to look backover the last twelve months and ruminate on what happened; at LWN, we alsoget the opportunity to mock the predictions wemade back in January. Read on for the scorecard and a year-end notefrom LWN.

Four stable kernels have been released; 4.14.8, 4.9.71, 4.4.107, and 3.18.89. They all contain important fixes andusers should upgrade.

Security updates have been issued by Debian (otrs2), Fedora (glibc, kernel, libextractor, LibRaw, nodejs, optipng, python34, python35, qt5-qtbase, wayland, and xen), and Slackware (ruby).

At the end of October, the KAISER patch setwas unveiled; this work separates the page tables used by the kernel fromthose belonging to user space in an attempt to address x86 processor bugsthat can disclose the layout of the kernel to an attacker. Those patcheshave seen significant work in the weeks since their debut, but they appearto be approaching a final state. It seems like an appropriate time foranother look.

Downloads of Ubuntu 17.10 have been disabled due to anissue that can cause it to corrupt the firmware on some laptops.Lenovo laptops appear to be the most affected, but the problem isapparently not limited to them. The intel-spi driver has been named as thesource of the problem; it's not clear whether other distributions may alsobe affected. If you downloaded 17.10, you might want to hold off oninstalling it.

The Mozilla Thunderbird Blog looksat recent releases of the Thunderbird email client, including a fifthpoint release for version 52 ESR and 58 beta. "Thunderbird 57 betawas also very successful. While Thunderbird 58 is equally stable and offersfurther cutting-edge improvements to Thunderbird users, the user communityis starting to feel the impact of Mozilla platform changes which arephasing out so-called legacy add-ons. The Thunderbird technical leadershipis working closely with add-on authors who face the challenge of updatingtheir add-ons to work with the Mozilla interface changes. With a fewusually simple changes most add-ons can be made to work in Thunderbird 58beta. https://wiki.mozilla.org/Thunderbird/Add-ons_Guide_57explains what needs to be done, and Thunderbird developers are happy tolend a hand to add-on authors." The project has also added four newstaff members.

The Fedora Project has announceda number of changes to its modularity initiative afterfailing to meet its initial set of goals."From an end-user’s perspective, Fedora will ship with two sets ofrepositories. One will be the traditional Fedora repositories (fedora,updates, and updates-testing) and the other will be a new set ofrepositories providing alternative and supplementary modules. We haven’tdecided on a final name for these yet, so we will use the placeholder termsmodular, modular-updates, and modular-updates-testing."

Security updates have been issued by Debian (libxml2), Fedora (kernel, perl-DBD-MySQL, and python26), openSUSE (389-ds and pdns-recursor), Red Hat (heketi and rh-ruby24-ruby), Scientific Linux (postgresql), and SUSE (java-1_6_0-ibm).

Robert Haas gets intothe details of how PostgreSQL concurrency works and why an occasionalVACUUM is necessary. "The second approach to providing transactionswith atomicity and isolation is multi-version concurrency control(MVCC). The basic idea is simple: instead of locking a row that we want toupdate, let’s just create a new version of it which, initially, is visibleonly to the transaction which created it. Once the updating transactioncommits, we’ll make the new row visible to all new transactions that startafter that point, while existing transactions continue to see the oldrow."

By their nature, low-level libraries go mostly unnoticed by users andeven some programmers. Usually, they are only noticed when something goeswrong. However, HarfBuzzdeserves to be an exception. Not only does the adoption of HarfBuzz meanthat free software's ability to convert Unicodecharacters to a font's specific glyphs is as advanced as any proprietaryequivalent, but its increasing use means that professional typography cannow be done from the Linux desktop as easily as at a print shop.

Parrot 3.10, the latest version of the security oriented GNU/Linuxdistribution, has been released. "The first big news is the introduction of a full firejail+apparmor sandboxing system to proactively protect the OS by isolating its components with the combination of different tecniques. The first experiments were already introduced in Parrot 3.9 with the inclusion of firejail, but we took almost a month of hard work to make it even better with the improvement of many profiles, the introduction of the apparmor support and enough time to make all the tests."

Stable kernels 4.14.7, 4.9.70, 4.4.106, and 3.18.88 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Arch Linux (chromium, lib32-openssl-1.0, openssl-1.0, and tor), Debian (kildclient, openafs, openssl1.0, otrs2, reportbug, rsync, and sensible-utils), Fedora (tor), Mageia (deluge, evince, lynx, openssl, and rsync), openSUSE (chromium, GraphicsMagick, kernel, mercurial, and openssl), Red Hat (chromium-browser), SUSE (openssl), and Ubuntu (php5).

Linus has released the 4.15-rc4 kernelprepatch. "I would like to say that I hope things will continue tocalm down, but I already know I have more stuff pending. That, togetherwith the holidays, makes me strongly suspect that this will be one of those'we'll do an rc8' releases, but we'll see."

The dreaded UnicodeDecodeError exception is one of the signature"features" of Python 3. It is raised when the language encounters a byte sequencethat it cannot decode into a string; strictly treating stringsdifferently from arrays of byte values was something that came withPython 3. Two Python Enhancement Proposals (PEPs) bound forPython 3.7 look toward reducing those errors (and the related UnicodeEncodeError) forenvironments where they are prevalent—and often unexpected.

One of the keys to fitting the Linux kernel into a small system is toremove any code that is not needed. The kernel's configuration systemallows that to be done on a large scale, but it still results in thebuilding of a kernel containing many smaller chunks of unused code anddata. With a bit of work, though, the compiler and linker can be made towork together to garbage-collect much of that unused code and recover thewasted space for more important uses.<p>Click below (subscribers only) for a detailed article from Nicolas Pitre onhow to use link-time garbage collection to create a smaller kernel image.

Security updates have been issued by Debian (erlang), Fedora (python-dulwich), Gentoo (curl, opencv, openssl, and webkit-gtk), openSUSE (libapr-util1 and php5), Red Hat (qemu-kvm-rhev), and Ubuntu (linux, linux-aws, linux-kvm, linux-raspi2 and linux-lts-xenial, linux-aws).

In a vote that was not any kind of surprise, the US Federal Communications Commission (FCC) voted to end the "net neutrality" rules that stop internet service providers (ISPs) and others from blocking or throttling certain kinds of traffic to try to force consumers and content providers to pay more for "fast lanes". Ars Technica covers the vote and the reaction to it, including the fact that the fight is not yet over: "Plenty of organizations might appeal, said consumer advocate Gigi Sohn, who was a top counselor to then-FCC Chairman Tom Wheeler when the commission imposed its rules.'I think you'll see public interest groups, trade associations, and small and mid-sized tech companies filing the petitions for review,' Sohn told Ars. One or two 'big companies' could also challenge the repeal, she thinks.Lawsuit filers can challenge the repeal on numerous respects, she said. They can argue that the public record doesn't support the FCC's claim that broadband isn't a telecommunications service, that 'throwing away all protections for consumers and innovators for the first time since this issue has been debated is arbitrary and capricious,' and that the FCC cannot preempt state net neutrality laws, she said."

Linux Foundation Director of IT infrastructure security, Konstantin Ryabitsev, has put together a lengthy guide to using Git and PGP to protect the integrity of source code. In a Google+ post, he called it "beta quality" and asked for help with corrections and fixes. "PGP incorporates a trust delegation mechanism known as the 'Web of Trust.' At its core, this is an attempt to replace the need for centralized Certification Authorities of the HTTPS/TLS world. Instead of various software makers dictating who should be your trusted certifying entity, PGP leaves this responsibility to each user.Unfortunately, very few people understand how the Web of Trust works, and even fewer bother to keep it going. It remains an important aspect of the OpenPGP specification, but recent versions of GnuPG (2.2 and above) have implemented an alternative mechanism called 'Trust on First Use' (TOFU).You can think of TOFU as 'the SSH-like approach to trust.' With SSH, the first time you connect to a remote system, its key fingerprint is recorded and remembered. If the key changes in the future, the SSH client will alert you and refuse to connect, forcing you to make a decision on whether you choose to trust the changed key or not.Similarly, the first time you import someone's PGP key, it is assumed to be trusted. If at any point in the future GnuPG comes across another key with the same identity, both the previously imported key and the new key will be marked as invalid and you will need to manually figure out which one to keep.In this guide, we will be using the TOFU trust model."

Two new stable kernels have been released by Greg Kroah-Hartman: 4.14.6 and 4.9.69. As usual, they contain fixes all overthe kernel tree; users of those series should upgrade.