Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-18 04:30
The casync filesystem image distribution tool
Lennart Poettering announces casync, a tool for distributing system images. "casync takes inspiration from the popular rsync file synchronization tool as well as the probably even more popular git revision control system. It combines the idea of the rsync algorithm with the idea of git-style content-addressable file systems, and creates a new system for efficiently storing and delivering file system images, optimized for high-frequency update cycles over the Internet. Its current focus is on delivering IoT, container, VM, application, portable service or OS images, but I hope to extend it later in a generic fashion to become useful for backups and home directory synchronization as well."
[$] Attacking the kernel via its command line
The kernel's command line allows the specification of many operating parameters at boot time. A silly bug in command-line parsing was reported by Ilya Matveychikov on May 22; it can be exploited to force a stack buffer overflow with a controlled payload that can overwrite memory. The bug itself stems from a bounds-checking error that, while simple, has still been in the Linux kernel source since version 2.6.20. The subsequent disclosure post by Matveychikov in the oss-security list spawned a discussion on what constitutes a vulnerability, and what is, instead, merely a bug.
Schaller: Fedora Workstation 26 and beyond
Christian Schaller has posted an extensive look forward at the changes coming to the Fedora desktop. "Another major project we been working on for a long time in Fleet Commander. Fleet Commander is a tool to allow you to manage Fedora and RHEL desktops centrally. This is a tool targeted at for instance Universities or companies with tens, hundreds or thousands of workstation installation. It gives you a graphical browser based UI (accessible through Cockpit) to create configuration profiles and deploy across your organization."
Security updates for Tuesday
Security updates have been issued by Arch Linux (glibc and lib32-glibc), CentOS (glibc and kernel), Debian (eglibc, kernel, and libffi), openSUSE (exim, freeradius-server, libxml2, Mozilla based packages, and xorg-x11-server), Oracle (glibc and kernel), Scientific Linux (glibc and kernel), SUSE (glibc, kernel, and openvpn), and Ubuntu (eglibc, glibc, exim4, libnl3, linux, linux-meta, linux-aws, linux-meta-aws, linux-gke, linux-meta-gke, linux-hwe, linux-meta-hwe, linux-lts-xenial, linux-meta-lts-xenial, linux-meta-raspi2, linux-raspi2, and linux-meta-snapdragon, linux-snapdragon).
[$] Preventing stack guard-page hopping
Normally, the -rc6 kernel testing release is not the place where one would expect to find a 900-line memory-management change. As it happens, though, such a change was quietly merged immediately prior to the 4.12-rc6 release; indeed, it may have been the real reason behind 4.12-rc6 coming out some hours later than would have been expected. This change is important, though, in that it addresses a newly publicized security threat that, it seems, is being actively exploited.
[$] User-space access to WMI functions
Windows Management Instrumentation (WMI) is a vaguely defined mechanism for the control of platform-specific devices; laptop functions like special buttons, LEDs, and the backlight are often controlled through WMI interfaces. On Linux, access to WMI functions is restricted to the kernel, while Windows allows user space to use them as well. A recent proposal to make WMI functions available to user space in Linux as well spawned a slow-moving conversation that turned on a couple of interesting questions —only one of which was anticipated in the proposal itself.
Debian Edu / Skolelinux Stretch released
Debian Edu, also known as Skolelinux, is a Debian derivative aimed at making it easy to administrate a computer lab or a whole school network. Version 9 "Stretch" has been released. "Would you like to install servers, workstations and laptops which will then work together? Do you want the stability of Debian with network services already preconfigured? Do you wish to have a web-based tool to manage systems and several hundred or even more user accounts? Have you asked yourself if and how older computers could be used? Then Debian Edu is for you."
Security updates for Monday
Security updates have been issued by Arch Linux (chromium, firefox, and thunderbird), Debian (exim4, expat, firefox-esr, glibc, gnutls28, irssi, jython, and kernel), Fedora (dolphin-emu, firefox, golang, mariadb, perl-File-Path, redis, and yara), Mageia (firefox, kodi, and thunderbird), openSUSE (chromium and lynis), and SUSE (mercurial).
Kernel prepatch 4.12-rc6
The 4.12-rc6 kernel prepatch is out for testing. "The good news is that rc6 is smaller than rc5 was, and I think we're back on track and rc5 really was big just due to random timing. We'll see. Next weekend when I'm back home and do rc7, I'll see how I feel about things. I'm still hopeful that this would be a normal release cycle where rc7 is the last rc."
AIMS Desktop 2017.1 released
The AIMS desktop is a Debian-derived distribution aimed at mathematical and scientific use. This project's first public release, based on Debian 9, is now available. It is a GNOME-based distribution with a bunch of add-on software. "It is maintained by AIMS (The African Institute for Mathematical Sciences), a pan-African network of centres of excellence enabling Africa’s talented students to become innovators driving the continent’s scientific, educational and economic self-sufficiency."
Debian 9 "Stretch" released
The Debian 9 "Stretch" release is now available. "Debian 9 is dedicated to the project's founder Ian Murdock, who passed away on 28 December 2015." There are a lot of changes in this release, including a switch to MariaDB, the return of Firefox and Thunderbird under those names, 90% reproducible-build coverage, a rootless X server, and more.
Some weekend stable kernel updates
The 4.11.6, 4.9.33, and 4.4.73 stable kernel updates are out with a relatively large set of important fixes. Greg Kroah-Hartman has also let it be known that the next long-term stable kernel series will be 4.14.
Konecny: Anaconda modularisation
On his blog, Jiri Konecny writes about plans for modularizing Anaconda, which is the installer for Fedora and other Linux distributions. Anaconda is written in Python 3, but is all contained in one monolithic program. "The current Anaconda has one significant problem: all of the code is in one place--the monolith. It is more difficult to trace bugs and to have a stable API. Implementing new features or modifying existing code in Anaconda is also more challenging. Modularisation should help with these things mainly because of isolation between the modules. It will be much easier to create tests for modules or to add new functionality. Modularisation also opens up new possibilities to developers. They should be able to create a new user interface easily. Since developers can rely on the existing API documentation, it should not be necessary to browse the source code tree very often. Another benefit is that an addon is like another module, communicating with other modules, so it has the same capabilities. Developers can use the public API to write their addons in their favourite programming language which supports DBus."
Ryabitsev: Travel (Linux) laptop setup
On his blog, Linux Foundation Director of IT Infrastructure Security Konstantin Ryabitsev has some advice for laptop security when traveling overseas. Some attendees of LinuxCon China in Beijing June 19-20 have asked for his thoughts, so he put together the post, which is good advice, if perhaps overly paranoid for some, no matter what country you might be visiting. "China is not signatory to the "Personal Use Exemption" when it comes to encrypted devices, so bringing a laptop with encrypted hard drive with you is not technically legal. If the border officer does not like you for some reason and has grounds to suspect you are not being truthful about your stated reasons for entering China, you may be asked to decrypt your devices for a search. Failure to do so may result in unpleasantness, and you may be detained or fined merely on the grounds of having an encrypted device when entering the country. (As opposed to, for example, entering a country that is signatory to the personal use exemption, where just having an encrypted device is not grounds for any action. That said, it is never in your interest to make the border officer not like you for some reason. Until you are admitted to the country as a legal alien, the Geneva Convention and the Universal Declaration of Human Rights are pretty much the only legal frameworks protecting you as a person against foreign government action.) It is important to point out that you are extremely unlikely to be penalized for bringing in an encrypted laptop with you to China, as any kind of widespread zealous application of such practice would quickly shut down any business travel to China -- and this is definitely not in the government's interest."
Calibre 3.0 released
Version 3.0 of the calibre electronic-book reader has been released. "It has been almost three years since calibre 2.0. In that time lots has happened. The biggest new feature, which was in development for almost that entire period, is a completely re-written calibre Content server. The Content server allows you to wirelessly browse your calibre books on any modern phone/tablet and even read the books right in your phone browser." Other additions include support for high-DPI screens and support for multiple icon themes.
Plumbers early bird rate ending soon
The early bird registration rate for Linux Plumbers Conference 2017 will end on June 18 (or before if all of the slots are sold). The early bird rate is $400 and that will increase to $550, so those interested may wish to visit the Attend page at the site. Linux Plumbers Conference will be held in Los Angeles, CA, US on 13-15 September in conjunction with The Linux Foundation Open Source Summit North America.
Security updates for Friday
Security updates have been issued by Arch Linux (bind), Debian (request-tracker4, rt-authen-externalauth, and zookeeper), openSUSE (mercurial, otrs, thunderbird, and tor), and Ubuntu (libmwaw and zziplib).
FreeNAS 11.0 is Now Here
FreeNAS 11.0 has been released. "This version brings new virtualization and object storage features to the World’s Most Popular Open Source Storage Operating System. FreeNAS 11.0 adds bhyve virtual machines to its popular SAN/NAS, jails, and plugins, letting you use host web-scale VMs on your FreeNAS box. It also gives users S3-compatible object storage services, which turns your FreeNAS box into an S3-compatible server, letting you avoid reliance on the cloud." LWN looked at FreeNAS in February 2015.
[$] The Brave web browser
The Brave web browser is a project from a new company called Brave Software. It was founded by Brendan Eich, who is the inventor of JavaScript and former developer and CTO at Mozilla; he hopes to dramatically re-invent the advertising model of the web while strengthening user anonymity and security. Brave's value proposition is that instead of being served advertisements from web sites that use the revenue to pay their bills, users can opt to directly pay the content providers of their choosing with cryptocurrency. Also, there is a recognition of the utility of targeted advertising, so users have an option of saving a local, protected profile that can be used anonymously to obtain targeted advertisements instead of having their online behavior tracked and sold by a third party.
Security updates for Thursday
Security updates have been issued by Arch Linux (flashplugin, kmail, lib32-flashplugin, and messagelib), CentOS (firefox), Debian (firefox-esr and libsndfile), Fedora (ettercap, gajim, libsndfile, poppler, and webkitgtk4), Mageia (catdoc, ettercap, libcryptopp, libytnef, and tor), Oracle (firefox), Scientific Linux (firefox), Slackware (bind and mozilla), SUSE (jakarta-taglibs-standard), and Ubuntu (firefox).
[$] LWN.net Weekly Edition for June 15, 2017
The LWN.net Weekly Edition for June 15, 2017 is available.
[$] Making Python faster
The Python core developers, and Victor Stinner in particular, have been focusing on improving the performance of Python 3 over the last few years. At PyCon 2017, Stinner gave a talk on some of the optimizations that have been added recently and the effect they have had on various benchmarks. Along the way, he took a detour into some improvements that have been made for benchmarking Python.
The end for fedfs-utils
Chuck Lever has announced that the fedfs-utils project, which created utilities for the Federated Filesystem, will no longer be developed. The most interesting part, for many, may be this discussion of why this project ground to a halt. (Thanks to Neil Brown).
[$] Shrinking the scheduler
The ups and downs of patching the kernel to wedge Linux into tiny systems have been debated numerous times over the years, most recently in the context of Nicolas Pitre's alternative TTY layer patches posted in April. Pitre is driving the debate again, this time by trying to shrink the kernel's CPU scheduler. In the process, he has exposed a couple of areas of fundamental disagreement on the value of this kind of work.
[$] Alioth moving toward pagure
Since 2003, the Debian project has been running a server called Alioth to host source code version control systems. The server will hit the end of life of the Debian LTS release (Wheezy) next year; that deadline raised some questions regarding the plans for the server over the coming years. Naturally, that led to a discussion regarding possible replacements.
2017 Maintainer and Kernel Summit planning
The Kernel Summit is undergoing some changes this year; the core developers' gathering from previous events will be replaced by a half-day "maintainers summit" consisting of about 30 people. The process of selecting those people, and of selecting topics for the open technical session, is underway now; interested developers are encouraged to submit their topic ideas.
[$] Assembling the history of Unix
The moment when an antique operating system that has not run in decades boots and presents a command prompt is thrilling for Warren Toomey, who founded the Unix Heritage Society to reconstruct the early history of the Unix operating system. Recently this historical code has become much more accessible: we can now browse it in an instant on GitHub, thanks to the efforts of a computer science professor at the Athens University of Economics and Business named Diomidis Spinellis. Click below (subscribers only) for a look at the Unix Heritage Society and what it has accomplished.
Stable kernel updates
Stable kernels 4.11.5, 4.9.32, 4.4.72, and 3.18.57 have been released. All of them contain important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Arch Linux (gnutls and tor), CentOS (qemu-kvm), Debian (libgcrypt20 and libosip2), Fedora (kernel), Mageia (flash-player-plugin, libosip2, and smb4k), openSUSE (ImageMagick), SUSE (mercurial), and Ubuntu (gnutls26, gnutls28).
[$] A survey of scheduler benchmarks
Many benchmarks have been used by kernel developers over the years to test the performance of the scheduler. But recent kernel commit messages have shown a particular pattern of tools being used (some relatively new), all of which were created specifically for developing scheduler patches. While each benchmark is different, having its own unique genesis story and intended testing scenario, there is a unifying attribute; they were all written to scratch a developer's itch.
Tails 3.0 is out
Tails 3.0 has been released. Tails, the amnesic incognito live system, is a Debian-based live system aimed at preserving privacy and anonymity. Version 3.0 is based on Debian 9 (stretch). "It brings a completely new startup and shutdown experience, a lot of polishing to the desktop, security improvements in depth, and major upgrades to a lot of the included software."
Elixir Cross Referencer: new way to browse kernel sources
Free electrons has released the initial version of the Elixir Cross-Referencer, a Linux source code cross-referencing online tool. Elixir uses a new engine written in Python that replaces LXR, the engine used in free electron's previous online tool. "Another reason that motivated a complete rewrite was that we wanted to provide an up-to-date reference (including the latest revisions) while keeping it immutable, so that external links to the source code wouldn’t get broken in the future. As a direct consequence, we would need to index many different revisions for each project, with potentially a lot of redundant information between them. That’s when we realized we could leverage the data model of Git to deal with this redundancy in an efficient manner, by indexing Git blobs, which are shared between revisions. In order to make sure queries under this strategy would be fast enough, we wrote a proof-of-concept in Python, and thus Elixir was born."
Firefox 54 released
Firefox 54.0 has been released. The release notes are somewhat sparse, however this blog post contains more information about some changes under-the-hood. "To make Firefox run even complex sites faster, we’ve been changing it to run using multiple operating system processes. Translation? The old Firefox used a single process to run all the tabs in a browser. Modern browsers split the load into several independent processes. We named our project to split Firefox into multiple processes ‘Electrolysis (E10S)’ after the chemical process that divides water into its core elements. E10S is the largest change to Firefox code in our history. And today we’re launching our next big phase of the E10S initiative."
Fedora 26 Beta released
Fedora Magazine announced the release of Fedora 26 Beta. A final release is expected in July. The beta is available for Workstation, Server, Atomic Host, Spins, Labs, and ARM products. Fedora 26 brings many changes which can be seen in the change set.
Security updates for Tuesday
Security updates have been issued by Debian (tiff, tiff3, and zziplib), Fedora (libsndfile, log4j12, and postgresql), Oracle (qemu-kvm), and Scientific Linux (qemu-kvm).
4.12-rc5 kernel prepatch has been released
The 4.12-rc5 prepatch is out; it is rather larger than others in this cycle, Linus Torvalds said. "It's not like rc5 is *huge*, but it definitely isn't the nice and small one I was hoping for. There's nothing in [particular] that looks very worrisome, and it may well just be random timing - the rc sizes do fluctuate a lot depending on just which subsystem gets synced up that particular rc, and we may just have hit that "everybody happened to sync up this week" case."
Security updates for Monday
Security updates have been issued by Arch Linux (irssi, lib32-libtasn1, and wireshark-cli), Debian (libmwaw, otrs2, and tor), Fedora (ansible, freeradius, gnutls, mingw-poppler, mosquitto, oniguruma, perltidy, picocom, systemd, and wget), Mageia (ansible, dropbear, gajim, libsndfile, libxslt, lxc, zoneminder, and zziplib), openSUSE (ffmpeg, libnettle, mysql-connector-cpp, mysql-workbench, and wireshark), and Ubuntu (irssi).
[$] A beta for PostgreSQL 10
PostgreSQL version 10 had its first beta release on May 18, just in time for the annual PGCon developer conference. The latest annual release comes with a host of major features, including new versions of replication and partitioning, and enhanced parallel query. Version 10 includes 451 commits, nearly half a million lines of code and documentation, and over 150 new or changed features since version 9.6. The PostgreSQL community will find a lot to get excited about in this release, as the project has delivered a long list of enhancements to existing functionality. There's also a few features aimed at fulfilling new use cases, particularly in the "big data" industry sector.
Security updates for Friday
Security updates have been issued by Debian (ettercap), Fedora (mingw-poppler), Mageia (gc, libnl3, libtasn1, nss, puppet, and wireshark), and openSUSE (catdoc, gajim, GraphicsMagick, irssi, java-1_8_0-openjdk, kernel, libxml2, rxvt-unicode, and yodl).
Announcing Rust 1.18
Version 1.18 of the Rust programming language has been released. "One of the largest changes is a long time coming: core team members Carol Nichols and Steve Klabnik have been writing a new edition of “The Rust Programming Language”, the official book about Rust. It’s being written openly on GitHub, and has over a hundred contributors in total. This release includes the first draft of the second edition in our online documentation. 19 out of 20 chapters have a draft; the draft of chapter 20 will land in Rust 1.19."
G'MIC 2.0
G'MIC is a generic, extensible framework for image processing, often used as a plug-in for GIMP. Version 2.0 has been released. "One of the major new features of this version 2.0 is the re-implementation of the plug-in code, from scratch. The repository G’MIC-Qt developed by Sébastien (an experienced member of the team) is a Qt-based version of the plug-in interface, being as independent as possible of the widget API provided by GIMP." The announcement has much more details about G'MIC and how it can be used. LWN looked at G'MIC in August 2014.
Security updates for Thursday
Security updates have been issued by Debian (dropping support for some packages), Fedora (sudo), openSUSE (chromium), Slackware (irssi), and Ubuntu (freeradius and nagios3).
[$] LWN.net Weekly Edition for June 8, 2017
The LWN.net Weekly Edition for June 8, 2017 is available.
[$] Language summit lightning talks
Over the course of the day, the 2017 Python Language Summit hosted a handful of lightning talks, several of which were worked into the dynamic schedule when an opportunity presented itself. They ranged from the traditional "less than five minutes" format to some that strayed well outside of that time frame—some generated a fair amount of discussion as well. Topics were all over the map: board elections, beta releases, Python as a security vulnerability, Jython, and more.
[$] Status of mypy and type checking
In his 2017 Python Language Summit session, Jukka Lehtosalo updated attendees on the status of type checking for the language, in general, and for the mypy static type checker. There are new features in the typing module and in mypy, as well as work in progress and planned features for both. For a feature, type hints, that is really only around three years old, there has been a lot of progress made—but, of course, there is still more to come.
[$] Guarding personally identifiable information
There is no viable way to prevent data from being collected about us in the current age of computing. But if institutions insist on knowing our financial status, purchasing habits, health information, political preferences, and so on, they have a responsibility to keep this data—known as personally identifiable information (PII)—from leaking to unauthorized recipients. At the 2017 Strata data conference in London, Steve Touw presented a session on privacy-enhancing technologies. In a fast-paced 40 minutes he covered the EU regulations about privacy, the most popular technical measures used to protect PII, and some pointed opinions about what works and what should be thrown into the dustbin.
Tor Browser 7.0 released
The Tor Browser Team has announced the first stable release in the 7.0 series. "This release brings us up to date with Firefox 52 ESR which contains progress in a number of areas: Most notably we hope having Mozilla's multiprocess mode (e10s) and content sandbox enabled will be one of the major new features in the Tor Browser 7.0 series, both security- and performance-wise. While we are still working on the sandboxing part for Windows (the e10s part is ready), both Linux and macOS have e10s and content sandboxing enabled by default in Tor Browser 7.0. In addition to that, Linux and macOS users have the option to further harden their Tor Browser setup by using only Unix Domain sockets for communication with tor."
A set of stable kernels
Greg Kroah-Hartman has released stable kernels 4.11.4, 4.9.31, 4.4.71, and 3.18.56. All of them contain important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Arch Linux (chromium), Debian (apng2gif and ming), Gentoo (freetype, libpcre, minicom, pidgin, webkit-gtk, and wireshark), openSUSE (deluge and postgresql93), and Ubuntu (libnl3, lintian, linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-hwe, and linux-lts-xenial).
[$] Classes and types in the Python typing module
Mark Shannon is concerned that the Python core developers may be replaying a mistake: treating two distinct things as being the same. Treating byte strings and Unicode text-strings interchangeably is part of what led to Python 3, so he would rather not see that happen again with types and classes. The Python typing module, which is meant to support type hints, currently implements types as classes. That leads to several kinds of problems, as Shannon described in his session at the 2017 Python Language Summit.