LWN.net

Earlier this month we reported that theKrita Foundation was having some financial difficulties. The KritaFoundation has an update with thanks toall who donated. "So, even though we’re going to get another accountant’s bill of about 4500 euros, we’ve still got quite a surplus! As of this moment, we have €29,657.44 in our savings account!That means that we don’t need to do a fund raiser in September. Like we said, we’ve still got some features to finish."

The startup time for the Python interpreter has been discussed by the coredevelopers and others numerous times over the years; optimization effortsare made periodically as well.Startup time can dominate the execution time of command-line programswritten in Python,especially if they import a lot of other modules. Python startup time isworse than some other scripting languages and more recent versions of thelanguage are taking more than twice as long to start up when compared toearlier versions (e.g. 3.7 versus 2.7).The most recent iteration of the startup timediscussion has played out in the python-dev and python-ideas mailing listssince mid-July. This time, the focus has been on the collections.namedtuple()data structure that is used in multiple places throughout the standardlibrary and in other Python modules, but the discussion has been morewide-ranging than simply that.

Security updates have been issued by CentOS (firefox, httpd, and java-1.7.0-openjdk), Fedora (cups-filters, potrace, and qpdf), Mageia (libsoup and mingw32-nsis), openSUSE (kernel), Oracle (httpd, kernel, spice, and subversion), Red Hat (httpd, java-1.7.1-ibm, and subversion), Scientific Linux (httpd), Slackware (xorg), SUSE (java-1_8_0-openjdk), and Ubuntu (firefox, linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux-lts-xenial, postgresql-9.3, postgresql-9.5, postgresql-9.6, and ubufox).

The Solus distribution project has announcedthe availability of Solus 3. "This is the third iteration ofSolus since our move to become a rolling release operating system. Unlikethe previous iterations, however, this is a release and not asnapshot. We’ve now moved away from the 'regular snapshot' model toaccommodate the best hybrid approach possible - feature rich releases withexplicit goals and technology enabling, along with the benefits of acurated rolling release operating system." Headline featuresinclude support for the Snap packaging format, a lot of desktop changes,and numerous software updates. (LWN looked atSolus in 2016).

The GNOME project was founded by Miguel de Icaza and Federico Mena Quinteroon August 15, 1997, so today the project celebratesits 20th birthday. "There have been 33 stable releases since the initial release of GNOME 1.0 in 1999. The latest stable release, GNOME 3.24 “Portland,” was well-received. “Portland” included exciting new features like the GNOME Recipes application and Night Light, which helps users avoid eyestrain. The upcoming version of GNOME 3.26 “Manchester,” is scheduled for release in September of this year. With over 6,000 contributors, and 8 million lines of code, the GNOME Project continues to thrive in its twentieth year."

Distributions like Debian have a clear policy on the software they ship; asa general rule, only free software can be considered for inclusion. Howthat policy should be applied to software that interactswith proprietary systems is not entirely clear, though. A recentdiscussion on a package that interfaces with a proprietary network service seems unlikely to lead to anychanges in policy, but it does highlight a fault line within the Debiancommunity.

Security updates have been issued by Arch Linux (audiofile, git, jdk7-openjdk, libytnef, mercurial, spice, strongswan, subversion, and xorg-server), Debian (gajim, krb5, and libraw), Fedora (kernel, postgresql, sscep, subversion, and varnish), Mageia (firefox, phpldapadmin, and x11-server), Red Hat (kernel and spice), SUSE (subversion), and Ubuntu (libgd2).

Lars Wirzenius announcesthat he is ending development of the Obnam backup system. "Aftersome careful thought, I fear that the maintainability problems of Obnam canrealistically only be solved by a complete rewrite from scratch, and I'mnot up to doing that. If you use Obnam, you should migrate to some otherbackup solution. Don't worry, you have until the end of the year. I will bearound and I intend to fix any serious bugs in Obnam; in particular,security flaws. But you should start looking for a replacement soonerrather than later." LWN looked atObnam in 2012.

While the best way to avoid performance problems associated with pagefaults is usually to avoid faulting altogether, that is not always anoption. Thus, it is important that the kernel handle page faults with aminimum of overhead. One particular pain point in current kernels comesabout in multi-threaded workloads that are all incurring faults in thesame address space. Speculative page-fault handling is an old idea forimproving the scalability of such workloads that may finally be approachinga point where it can be considered for inclusion.

Security updates have been issued by Debian (botan1.10, cvs, firefox-esr, iortcw, libgd2, libgxps, supervisor, and zabbix), Fedora (curl, firefox, git, jackson-databind, libgxps, libsoup, openjpeg2, potrace, python-dbusmock, spatialite-tools, and sqlite), Mageia (cacti, ffmpeg, git, heimdal, jackson-databind, kernel-linus, kernel-tmb, krb5, php-phpmailer, ruby-rubyzip, and supervisor), openSUSE (firefox, librsvg, libsoup, ncurses, and tcmu-runner), Oracle (firefox), Red Hat (java-1.8.0-ibm), Slackware (git, libsoup, mercurial, and subversion), and SUSE (kernel).

The 4.13-rc5 kernel prepatch is available,right on schedule. "Go forth and test, and everything says thatwe'll get 4.13 out in our usual timely manner."

The 4.12.7,4.9.43,4.4.82, and3.18.65 stable kernel updates are out; eachcontains a relatively small set of important fixes.

Greg Kroah-Hartman has released stable kernels 4.12.6, 4.9.42, 4.4.81, and 3.18.64. All of them contain important fixesand users should upgrade.

Emmanuele Bassi writes about themismatch between the traditional distribution packaging model and whatthe world seems to actually want. "The more I think about it, the less I understand how that ever worked in the first place. It is not a mystery, though, why it’s a dying model.When I say that 'nobody develops applications like the Linux distributionsencourages and prefers' I’m not kidding around: Windows, macOS, iOS,Electron, and Android application developers are heavily based on theconcept of a core set of OS services; a parallel installable blocks ofsystem dependencies shipped and retired by the OS vendor; and a bundlingsystem that allows application developers to provide their owndependencies, and control them."

Security updates have been issued by Arch Linux (firefox, flashplugin, lib32-flashplugin, libsoup, and varnish), Debian (freeradius, git, libsoup2.4, pjproject, postgresql-9.1, postgresql-9.4, postgresql-9.6, subversion, and xchat), Fedora (gsoap, irssi, knot-resolver, php-horde-horde, php-horde-Horde-Core, php-horde-Horde-Form, php-horde-Horde-Url, php-horde-kronolith, php-horde-nag, and php-horde-turba), Mageia (perl-XML-LibXML), Oracle (libsoup), Red Hat (firefox and libsoup), SUSE (kernel and libsoup), and Ubuntu (git, kernel, libsoup2.4, linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-hwe, linux-lts-trusty, linux-lts-xenial, php5, php7.0, and subversion).

It turns out that even rather different source-code management systems canhave similar vulnerabilities. This can be seen in the Git v2.14.1,Mercurial 4.3, andSubversion 1.9.7 releases (plus updates ofolder releases). In each case, it's possible to provide a maliciousrepository URLthat ends up executing code; these URLs can be buried outof sight in existing repositories. Updating would be a good idea,regardless of which system you use.

The kernel's development community is large, to the point that it is oftenfar from obvious who a given patch should be sent to. As the community hasgrown, it has developed mechanisms for tracking that information centeredon a text file called MAINTAINERS. But now it would appear thatthis scalability mechanism has scalability problems of its own.

Security updates have been issued by Debian (firefox-esr), Fedora (cacti, community-mysql, and pspp), Mageia (varnish), openSUSE (mariadb, nasm, pspp, and rubygem-rubyzip), Oracle (evince, freeradius, golang, java-1.7.0-openjdk, log4j, NetworkManager and libnl3, pki-core, qemu-kvm, and X.org), Red Hat (flash-plugin), and Slackware (curl and mozilla).

The LWN.net Weekly Edition for August 10, 2017 is available.

Device trees have become, in a relatively short time, the preferred way toinform the kernel of the available hardware on systems where that hardwareis not discoverable — most ARM systems, among others. In short, adevice tree is a textual description of a system's hardware that iscompiled to a simple binary format and passed to the kernel by thebootloader. The source format for device trees has been established for along time — longer than Linux has been using it. Perhaps it's time for achange, but a proposal for a newdevice-tree source format has generated a fair amount of controversy in thesmall corner of the community that concerns itself with such things.

Fedora 24 reached its end of life on August 8. There will be no moreupdates, including security updates. Please refer to thispage for information about upgrades.

OSGeo-Live is a live DVD/USB/VM distribution that includes a variety ofopen-source geospatial software. Version 11.0 is "a majorreboot, with a refocus on leading applications and emphasis on quality overquantity. Less mature parts of the projects have been dropped with atargeted focus placed on upgrading and improving documentation."

Security updates have been issued by Mageia (atril, mpg123, perl-SOAP-Lite, and virtualbox), openSUSE (kernel and libzypp, zypper), Oracle (authconfig, bash, curl, gdm and gnome-session, ghostscript, git, glibc, gnutls, gtk-vnc, kernel, libreoffice, libtasn1, mariadb, openldap, openssh, pidgin, postgresql, python, qemu-kvm, samba, tcpdump, tigervnc and fltk, and tomcat), Red Hat (kernel, kernel-rt, openstack-neutron, and qemu-kvm), and SUSE (puppet and tcmu-runner).

It is well understood that old and unmaintained software tends to be abreeding ground for security problems. These problems are never welcome, but theyare particularly worrying when the software in question is a net-facingtool like a web browser. Standalone browsers are (hopefully) reasonablywell maintained, but those are not the only web browsers out there; theycan also be embedded into applications. The effort to do away with oneunmaintained embedded browser is finally approaching its conclusion, butthe change appears to have caught some projects unaware.

Firefox 55.0 has been released. From the releasenotes: "Today's release brings innovative functionality, improvements to core browser performance, and more proof that we’re committed to making Firefox better than ever. New features include support for WebVR, making Firefox the first Windows desktop browser to support VR experiences. Performance changes include significantly faster startup times when restoring lots of tabs and settings that let users take greater control of our new multi-process architecture. We’ve also upgraded the address bar to make finding what you want easier, with search suggestions and the integration of our one-click search feature, and safer, by prioritizing the secure - https - version of sites when possible."

Daniel Vetter describeshow the kernel community scales and why he feels that the GitHub model tends not towork for the largest projects. "Unfortunately github doesn’t supportthis workflow, at least not natively in the github UI. It can of course bedone with just plain git tooling, but then you’re back to patches onmailing lists and pull requests over email, applied manually. In my opinionthat’s the single one reason why the kernel community cannot benefit frommoving to github. There’s also the minor issue of a few top maintainersbeing extremely outspoken against github in general, but that’s a notreally a technical issue. And it’s not just the linux kernel, it’s all hugeprojects on github in general which struggle with scaling, because githubdoesn’t really give them the option to scale to multiple repositories,while sticking to with a monotree."

Security updates have been issued by Fedora (cacti, freerdp, remmina, subversion, supervisor, webkitgtk4, and wireshark), Mageia (gdm, librsvg, php, libgd, and swftools), openSUSE (cacti, cacti-spine), Red Hat (java-1.7.0-openjdk and kernel), SUSE (kernel), and Ubuntu (freerdp, kernel, linux-lts-trusty, and shotwell).

When a small business contemplates getting away from a proprietaryaccounting tool like QuickBooks in favor of free software like GnuCash, thefirst order of business is usually finding a way to liberate thatbusiness's accounting data for input into a new system. Strangely enough,Intuit, the creator of QuickBooks, never quite got around to making thateasy to do. But it turns out that, with a bit of effort, this move can be made. Getting there involveswandering through an undocumented wilderness; this article is at attempt tomake things easier for the next people to come along.

Stable kernels 4.12.5, 4.9.41, and 4.4.80 have been released. All of themcontain important fixes and users should upgrade.

Security updates have been issued by Debian (chromium-browser, kernel, libsndfile, and qemu), Fedora (php-PHPMailer, qpdf, qt5-qtwebengine, qt5-qtwebkit, and ruby), Mageia (evince), openSUSE (icoutils and poppler), Red Hat (log4j), SUSE (kernel), and Ubuntu (openvpn and tiff).

The 4.13-rc4 kernel prepatch is out fortesting."Anyway, nothing really stands out, and while I really hope that we'llsee things calm down further, everything looks pretty much on trackfor a normal release.So go test things out. By now it should really be pretty safe."

Nonvolatile memory offers the promise of fast, byte-addressable storagethat persists over power cycles. Taking advantage of that promiserequires the imposition of some sort of directory structure so that thepersistent data can be found. There are a few approaches to theimplementation of such structures, but the usual answer is to employ afilesystem, since managing access to persistent data is what filesystemswere created to do. But traditional filesystems are not a perfect match tononvolatile memory, so there is a natural interest in new filesystems thatwere designed for this media from the beginning. The recently posted NOVA filesystem is a new entry in this race.

Git v2.14.0 has been released with several notable changes, many updates,and plenty of bug fixes. The release notes (below) contain the details.

Security updates have been issued by Fedora (evince and rt), Mageia (catdoc, freerdp, kernel, qpdf, R-base, spice, sqlite3, and tcpdump), SUSE (kernel and libzypp, zypper), and Ubuntu (linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-hwe, and linux-lts-xenial).

The Register reportsthat the developers of the grsecurity patch set have filed a defamationsuit against Bruce Perens. "A legal complaint filed on behalf ofGrsecurity in San Francisco, California, insists the company's softwarecomplies with the GPLv2. Grsecurity's agreement, the lawsuit states, onlyapplies to future patches, which have yet to be developed. 'There is noexplicit or implicit term, section, or clause in the GPLv2 that isapplicable over future versions or updates of the Patches that have not yetbeen developed, created, or released by [Grsecurity],' the complaintcontends."

The kernel is a huge program; among other things, that means that manyproblems encountered by a kernel developer have already been solvedsomewhere else in the tree. But those solutions are not always well knownor documented. Recently, a seasoned developer confessed to having never encountered the"genpool" memory allocator. This little subsystem does not appear in thekernel documentation, and is likely to be unknown to others as well. Inthe interest of fixing both of those problems, here is an overview ofgenpool (or "genalloc") and what it does.

Version 2.26 of the GNU C Library is out. Changes include a per-threadcache to speed up malloc() calls, Unicode 10.0.0 support, DNS stubresolver improvements, support for the preadv2() and pwritev2() systemcalls, and a handful of security fixes.

Security updates have been issued by Fedora (glpi, open-vm-tools, and seamonkey), Mageia (gnupg), Red Hat (CloudForms and openvswitch), and SUSE (mariadb).

The LWN.net Weekly Edition for August 3, 2017 is available.

The Electronic Frontier Foundation reportsthat Bassel Khartabil, Syrian open source developer, blogger,entrepreneur, hackerspace founder, and free culture advocate, was executedby the Syrian authorities. "Bassel was a central figure in theglobal free culture movement, connecting it and promoting it to Syria'semerging tech community as it existed before the country was ransacked bycivil war. He co-founded Aiki Lab, Syria's first hackerspace, in Damascusin 2010. He was a contributor to Mozilla's Firefox browser and the Syrianlead for Creative Commons. His influence went beyond Syria, however: he wasa key attendee at the Middle East's bloggers' conferences, and played avital role in the negotiations in Doha in 2010 that led to a commonlanguage for discussing fair use and copyright across the Arab-speakingworld." (Thanks to Paul Wise)

Eleven months ago, Dennis Hamilton, the chair of the Apache OpenOffice(AOO) project's project management committee at the time, raised the idea of winding the project down.He worried that AOO lacked a critical mass of developers to keep thingsgoing, and that no new developers were coming in to help. At the time,various defenders came forward and theproject decided try to get back on track. Nearly a year later, areview of how that has gone is appropriate; it doesnot appear that the situation has gotten any better.

Security updates have been issued by Debian (varnish), Fedora (gcc, gcc-python-plugin, libtool, mingw-c-ares, and php-PHPMailer), Red Hat (bash, curl, evince, freeradius, gdm and gnome-session, ghostscript, git, glibc, golang, GStreamer, gtk-vnc, kernel, kernel-rt, libtasn1, mariadb, openldap, openssh, pidgin, postgresql, python, qemu-kvm, qemu-kvm-rhev, samba, tigervnc and fltk, tomcat, and X.org X11 libraries), Slackware (gnupg), and Ubuntu (apache2, lxc, and webkit2gtk).

Red Hat has releasedthe fourth update to Red Hat Enterprise Linux 7. "Red Hat EnterpriseLinux 7.4 offers new automation capabilities designed to limit ITcomplexity while enhancing workload security and performance fortraditional and cloud-native applications. This provides a powerful,flexible operating system backbone to address enterprise IT needs acrossphysical servers, virtual machines and hybrid, public and multi-cloudfootprints." See the releasenotes for more details.

Deadlines have a way of sneaking up on people. For example, not everybodyis ready for the fact that, sometime in 2020, supportfor the Python 2 language will come to an end. This deadline is notexactly news; it was established in 2014 (having been moved back five yearsfrom its original 2015 date). Even so, some developers may not appreciatehow close that date is. Work that is being done in the Python communityand the Fedora distribution shows that even the developers behind thechange haven't entirely figured out how the transition will play out.

Security updates have been issued by Debian (freerdp and ghostscript), Fedora (freerdp, jackson-databind, moodle, remmina, and runc), Red Hat (authconfig, devtoolset-4-jackson-databind, gnutls, libreoffice, NetworkManager and libnl3, pki-core, rh-eclipse46-jackson-databind, samba, and tcpdump), and Ubuntu (apache2, bash, imagemagick, openjdk-8, and rabbitmq-server).

The Krita Foundation is having someunexpected financial difficulties and is looking for help. "Evenwhile we’re working on a new beta for Krita 3.2 and a new development buildfor 4.0 (with Python, on Windows!), we have to release some bad news aswell. The Krita Foundation is having trouble with the Dutch taxauthorities."

The release of MythTV 29.0 has been announced.MythTV is a Digital Video Recorder and home media center hub. According tothe releasenotes, the backend now listens on all addresses and there is a newMythTV startup page. Also mythtv-setup now uses MythUI, support has beenadded for IPV6 link-local addresses, handling of Bluray overlays has beenimproved, and more. LWN looked at MythTV inApril 2016.

Changes to core-kernel subsystems take time but, even so, one can onlyimagine that Tejun Heo never expected the process of fixing thecontrol-group interface to take more than five years. Disagreements overthe design of the new control-group interface have delayed its adoption;even though most of the code has been in the kernel for some time, not allcontrollers work with it. It would now appear, however, that agreement hasbeen reached on an important final piece, which is currently on track to bemerged for the 4.14 development cycle.

For those who are curious about what the next release of the Qubes OSdistribution will bring (and want to help make it better): the firstQubes OS 4.0 release candidate is available."This new Core Stack allows to easily extend the Qubes Architecturein new directions, allowing us to finally build (in a clean way) lots ofthings we’ve wanted for years, but which would have been too complex tobuild on the 'old' Qubes infrastructure. The new Qubes Admin API, which weintroduced in a recent post, is a prime example of one suchfeature."

Security updates have been issued by Debian (apache2, enigmail, graphicsmagick, ipsec-tools, libquicktime, lucene-solr, mysql-5.5, nasm, and supervisor), Fedora (mingw-librsvg2, php-PHPMailer, and webkitgtk4), Mageia (freeradius, gdk-pixbuf2.0, graphicsmagick, java-1.8.0-openjdk, kernel, libmtp, libgphoto, libraw, nginx, openvpn, postgresql9.4, valgrind, webkit2, and wireshark), openSUSE (apache2, chromium, libical, mysql-community-server, and nginx), Oracle (kernel), Red Hat (chromium-browser and eap7-jboss-ec2-eap), Slackware (squashfs), and Ubuntu (linux-hwe and nss).