LWN.net

The 4.13-rc3 kernel prepatch is out fortesting. "Usually rc2 is the really quiet one, but this releasecycle rc2 was fairly busy and it made me worry a bit about whether therewas something bad going on with 4.13. But no, it was just random timing,and people got started sending in fixes early, and this release cycle it'src3 that is small."

Back in 2012, we started a quest to find afree replacement for the QuickBooks Pro package that is used to handleaccounting at LWN. As is the way of such things, that project got boggeddown in the day-to-day struggle of keeping up with the LWN content treadmill,travel, and other obstacles that the world tends to throw into the path ofthose following grand (or not so grand) ambitions. The time has come,however, to restart this quest and, this time, the odds of a successfuloutcome seem reasonably good.

The Document Foundation has announced LibreOffice 5.4, the last majorrelease of the LibreOffice 5.x family. There are some new features inevery module and a number of incremental improvements to Microsoft Officefile compatibility. "Thanks to the efforts of developers, the XMLdescription of a new document written by LibreOffice is 50% smaller in the case of ODF (ODT), and around90% smaller in the case of OOXML (DOCX), in comparison with the samedocument generated by the leading proprietary office suite."

Stable kernels 4.12.4, 4.9.40, 4.4.79, and 3.18.63 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Arch Linux (cacti and chromium), CentOS (tomcat), Debian (roundcube), Fedora (bind99, dhcp, freeradius, golang, mingw-poppler, minicom, php-symfony, and webkitgtk4), openSUSE (GraphicsMagick and the_silver_searcher), Oracle (tomcat), Scientific Linux (tomcat), SUSE (kernel), and Ubuntu (apache2 and freeradius).

Linux.com is carrying an article about email2git by its developer, Alexandre Courouble. Email2git is a way to match up commits and the email thread that discussed them. It currently targets the kernel and threads from the linux-kernel mailing list. There are two separate ways to use it, as an extension to cregit (at https://cregit.linuxsources.org/) that allows browsing changes at the token level or via a search by commit ID interface. "The Linux project's email-based reviewing process is highly effective in filtering open source contributions on their way from mailing list discussions towards Linus Torvalds' Git repository. However, once integrated, it can be difficult to link Git commits back to their review comments in mailing list discussions, especially when considering commits that underwent multiple versions (and hence review rounds), that belong to a multi-patch series, or that were cherry-picked.As an answer to these and other issues, we created email2git, a patch retrieving system built for the Linux kernel. For a given commit, the tool is capable of finding the email patch as well as the email conversation that took place during the review process. We are currently improving the system with support for multi-patch series and cherry-picking." The code for email2git is available on GitHub.

The kernel's CPU scheduler is charged with choosing which task to run next,but also with deciding where in a multi-CPU system that task should run.As is often the case, that choice comes down to heuristics — rules of thumbcodifying the developers' experience of what tends to work best. One keytask-placement heuristic has been in place since 2015, but a recentdiscussion suggests that it may need to be revisited.

Version 4.0 of the Suricata intrusion detection system (IDS) and network security monitor (NSM) has been released. The release has improved detection for threats in HTTP, SSH, and other protocols, improvements to TLS, new support for NFS, additions to the extensible event format (EVE) JSON logging, some parts have been implemented in Rust, and more. "This is the first release in which we’ve implemented parts in the Rustlanguage using the Nom parser framework. This work is inspired by PierreChiffliers’ (ANSSI), talk at SuriCon 2016 (pdf). By compiling with–enable-rust you’ll get a basic NFS parser and a re-implementation ofthe DNS parser. Feedback on this is highly appreciated. The Rust support is still experimental, as we are continuing to explorehow it functions, performs and what it will take to support it in thecommunity. Additionally we included Pierre Chiffliers Rust parsers work.This uses external Rust parser ‘crates’ and is enabled by using–enable-rust-experimental. Initially this adds a NTP parser."

Security updates have been issued by Arch Linux (lib32-expat, webkit2gtk, and wireshark-cli), Debian (resiprocate), Fedora (java-1.8.0-openjdk, kernel, and open-vm-tools), openSUSE (containerd, docker, runc and gnu-efi, pesign, shim), Red Hat (tomcat), and Ubuntu (gdb, libiberty, and openjdk-8).

The LWN.net Weekly Edition for July 27, 2017 is available.

On July 21, Savoir-faireLinux (SFL) announcedthe release of version 1.0 of its Ringcommunication tool. It is a cross-platform (Linux, Android, macOS,and Windows) program for secure text, audio, and video communication.Beyond that, though, it is part of the GNUproject and is licensed under the GPLv3. Given the announcement, itseemed like a quick trial was in order. While it looks like it has greatpromise, Ring 1.0 falls a bit short of expectations.

A proposalto add Flatpak as an option fordistributing desktop applications in Fedora 27 has recently made anappearance. It is meant as an experimentof sorts to see how well Flatpak and RPM will play together—and to fix anyproblems found.There is a view that containers are the future, on the desktop as well asthe server; Flatpaks would provide Fedora one possible path toward that future.The proposal sparked a huge thread on the Fedora develmailing list; while the proposal itself doesn't really change much forthose uninterested in Flatpaks, some are concerned with where Fedorapackaging might be headed once the experiment ends.

The membarrier()system call is arguably one of the strangest offered by the Linux kernel. It expensively emulates an operation that can beperformed by a single unprivileged barrier instruction, using an invocationof the kernel's read-copy-update (RCU) machinery — all in the name ofperformance. But, it would seem, membarrier() is not fast enough,causing users to fall back to complex and brittle tricks. An attempt tofix the problem is now under discussion, but not everybody is convincedthat the cure is better than the disease.

Security updates have been issued by Debian (bind9, icedove, openjdk-8, qemu, and rkhunter), Fedora (krb5, libmwaw, perl-XML-LibXML, qemu, subversion, and webkitgtk4), Mageia (cinnamon-settings-daemon, graphite2, gsoap, libquicktime, and wireshark), openSUSE (catdoc, gsoap, jasper, and Wireshark), and Ubuntu (linux-aws, linux-gke and ruby1.9.1, ruby2.0, ruby2.3).

OpenSUSELeap 42.3 is now available. "After basing openSUSE Leap on SLE(SUSE Linux Enterprise) and adding more source code to Leap 42.2 from SLE12, Leap 42.3 adds even more packages from SLE 12 SP 3 and synchronizesseveral common packages. The shared codebase allows for openSUSE Leap 42.3to receive enhanced maintenance and bug fixes from both the openSUSEcommunity and SUSE engineers." There is quite a bit of new stuff inthis release; see thispage for some details.

Is it truly an efficient use of cloud computing resources to runtraditional operating systems inside virtual machines? In many cases, itisn't. An interesting alternative is to bundle a program into a unikernel,which is a single-tasking library operating system made specifically forrunning a single application in the cloud.A unikernel packs everything needed to run an application intoa tiny bundle and, in theory, this approach would save disk space,memory, and processor time compared to running a full traditional operatingsystem.IncludeOS is such a unikernel; it wascreated to support C++ applications. Like other unikernels, it is designed forresource-efficiency on shared infrastructure, and is primarily meant to run ona hypervisor.

LinuxGizmos reportsthat Intel is discontinuing its Curie wearables module and itsCurie-enabled Arduino 101 SBC. "Intel will no longer update the Curie’s Open Developer Kit, and will continue forum support only through Sep. 15. After that, “Intel will make its online resources available for review only and maintain availability to the Intel Curie community until June 15, 2020,” according to the July 18 Intel forum post.Intel says it is “actively working with alternative manufacturers to continue to make the Arduino 101 development board available to the market.” The chipmaker will support orders of the Arduino 101 through Sep. 17, and will fulfill those orders through Dec. 17. Arduino.cc will continue to offer Arduino IDE support for the 101."

The long-awaited end of Flash has come a little closer with thisannouncement from Adobe. "Given this progress, and incollaboration with several of our technology partners – including Apple,Facebook, Google, Microsoft and Mozilla – Adobe is planning to end-of-lifeFlash. Specifically, we will stop updating and distributing the FlashPlayer at the end of 2020 and encourage content creators to migrate anyexisting Flash content to these new open formats."

Security updates have been issued by Debian (catdoc, gsoap, and libtasn1-3), Fedora (GraphicsMagick, java-1.8.0-openjdk, krb5, librsvg2, nodejs, phpldapadmin, rubygem-rack-cors, and yara), Mageia (irssi), openSUSE (rubygem-puppet), Red Hat (kernel), Slackware (tcpdump), and Ubuntu (imagemagick, linux, linux-raspi2, linux-snapdragon, linux-lts-xenial, mysql-5.5, samba, and xorg-server, xorg-server-hwe-16.04, xorg-server-lts-xenial).

Savoir-faire Linux has announcedthe release of Ring 1.0. "Ring is a free/libre and universalcommunication platform that preserves the users’ privacy and freedoms. Itis a GNU package. It runs on multiple platforms; and, it can be used fortexting, calls, and video chats more privately, more securely, and morereliably."

Improving the security of a system often involves tradeoffs, with the costsmeasured in terms of convenience and performance, among others. To theirfrustration, security-oriented developers often discover that the tolerancefor these costs is quite low. Defenses against reference-count overflowshave run into that sort of barrier, slowing their adoption considerably.Now, though, it would appear that a solution has been found to theperformance cost imposed by reference-count hardening, clearing the waytoward its adoption throughout the kernel.

Here is alengthy and detailed look from Google's Project Zero at the trustedexecution environments that, one hopes, protect devices from compromise."In this blog post we’ll explore the security properties of the twomajor TEEs present on Android devices. We’ll see how, despite their highlysensitive vantage point, these operating systems currently lag behindmodern operating systems in terms of security mitigations andpractices. Additionally, we’ll discover and exploit a major design issuewhich affects the security of most devices utilising bothplatforms. Lastly, we’ll see why the integrity of TEEs is crucial to theoverall security of the device, making a case for the need to increasetheir defences."

Debian has released updates to its stable and old stable distributions. Debian 9.1 is the first update to "stretch"and Debian 8.9 is the ninth update to"jessie". These updates do not constitute a new versions of Debian, theyonly update some of the packages included. "Those who frequentlyinstall updates from security.debian.org won't have to update manypackages, and most such updates are included in the point release."

Security updates have been issued by CentOS (graphite2 and java-1.8.0-openjdk), Debian (atril, bind9, catdoc, and qemu), Fedora (glpi, GraphicsMagick, heimdal, kernel, nodejs, perl-XML-LibXML, and qt5-qtwebengine), Gentoo (adobe-flash), Mageia (c-ares, expat, flash-player-plugin, gnutls, libgcrypt, libtiff, sane, and tnef), openSUSE (evince and xorg-x11-server), Scientific Linux (graphite2), Slackware (seamonkey), and Ubuntu (heimdal and linux-lts-trusty).

Debian's reproducible builds project has posted an update of what it hasaccomplished over the last few years. "On our website thereare nice colourful graphs showing our progress in numerical terms. Inparticular, let us point to thestretch/amd64 graph: since our slow start ~3 years ago we have been steadily improving the reproducibility ofour archive, reaching a staggering 94% at the time of writing!"

The 4.13-rc2 kernel prepatch is out fortesting. "Changes all over, although the diffstat is dominated bythe new vboxvideo staging driver. I shouldn't have let it through, butGreg, as we all know, is 'special'. Also, Quod licet Iovi, and all thatjazz - Greg gets to occasionally break some rules."

The Document Foundation has put out anextensive annual report [PDF] describing its activities in 2016."According to Google Trends, LibreOffice surpassed all other freeoffice suites in early 2016 in terms of user interest, winning a race thatstarted in early 2011. At the end of the year, Datamation confirmed theleading position, with the first article about alternatives toLibreOffice" The report is also availablein German [PDF].

Five new stable kernels were announced by Greg Kroah-Hartman onJuly 21: 4.12.3, 4.11.12, 4.9.39, 4.4.78, and 3.18.62. As usual, they contain important fixes throughout the tree and users shouldupgrade. Note that this is the last release in the 4.11 series, users should move to4.12.x.

Security updates have been issued by Debian (php5 and ruby-mixlib-archive), Fedora (knot, knot-resolver, and spice), Oracle (graphite2 and java-1.8.0-openjdk), Red Hat (graphite2, java-1.6.0-sun, java-1.7.0-oracle, java-1.8.0-openjdk, and java-1.8.0-oracle), Scientific Linux (java-1.8.0-openjdk), and Ubuntu (kernel, linux, linux-raspi2, linux-hwe, and mysql-5.5, mysql-5.7).

There are a few reasons for wanting the ability to get proper stack tracesout of the kernel, including profiling, tracing, and debugging kernelcrashes. Historically, the kernel's tracebacks have been unreliable for anumber of reasons, most of which have been fixed in recent years. Now itseems likely that the 4.14 kernel will include a new mechanism thatshould put our traceback problems behind us — for now.

Security updates have been issued by CentOS (freeradius), Debian (memcached), Fedora (irssi and putty), openSUSE (catdoc), Red Hat (collectd), and Ubuntu (expat, openldap, spice, and tiff).

The LWN.net Weekly Edition for July 20, 2017 is available.

<p>A short sub-thread on the python-ideas mailing list provides some "food forthought" about the purpose and scope of that list, but also some things toperhaps be considered more widely. When discussing new features and ideas,it is common for the conversation to be somewhat hypothetical, but honingin on something that could be implemented takes a fair amount of work forthose participating. If the feature is proposed and championed by someonewho has no intention of actually implementing it, should the thread comewith some kind of warning?

<p>An under-the-radar proposal to stop building i686 kernels for Fedora led toa discussion about dropping support for 32-bit x86 hardware. Any of thehardware that needs these kernels is quite old, but participants in athread on the Fedora devel mailing list noted that those systems stillexist—some run Fedora. As the discussion progressed, though, it becameclear that the Fedora i686 kernel has been in rough shape for some time now.

<p>CPython is the reference implementation of Python, so it is,unsurprisingly, the target for various language-extension modules. But theAPI and ABI it provides to those extensions ends up limiting whatalternative Python implementations—and even CPython itself—can do, sincethose interfaces must continue to be supported. Beyond that, though, theinterfaces are not clearly delineated, so changes can unexpectedly affect extensionsthat have come to depend on them. A recent thread on the python-ideasmailing list looks at how to clean that situation up.

The GnuPG Project has announced the availability of Libgcrypt 1.8.0."This is a new stable version of Libgcrypt with full API and ABI compatibility to the 1.7 series. Its main features are supportBlake-2, XTS mode, an improved RNG, and performance improvements for theARM architecture."

Security updates have been issued by Arch Linux (c-ares, freeradius, gvim, lib32-libtiff, libtiff, pcre, rkhunter, and vim), Debian (apache2, evince, imagemagick, unattended-upgrades, and vim), Fedora (openldap, php, and poppler), Oracle (freeradius), SUSE (evince and systemd, dracut), and Ubuntu (apport, icu, and libtasn1-3).

Software patents may not have brought about the free-software apocalypsethat some have feared over the years, but they remain a minefield for thesoftware industry as a whole. A small-scale example of this can be seen inthe recent decision by the Apache Software Foundation (ASF) to move alicense with patent-related terms to its "Category-X"list of licenses that cannot be used by ASF projects. A number ofprojects will be scrambling to replace software dependencies on a shorttimeline, all because Facebook wanted to clarify its patent-licensingterms.

Linux.com takesa look at Google's OSS-Fuzz threat detection tool. "Google alsoannounced that it is expanding its existing PatchRewards program to include rewards for the integration of fuzztargets into OSS-Fuzz. To qualify for these rewards, a project needs tohave a large user base and/or be critical to global ITinfrastructure. Eligible projects will receive $1,000 for initialintegration, and up to $20,000 for ideal integration (the final amount isat Google’s discretion). Project leaders have the option of donating theserewards to charity instead, and Google will double the amount."LWN covered OSS-Fuzz last January.

Remix OS was an effort to bring Android to the PC, which included akickstarter campaign to build products using Remix OS. Now Jide Technology, makers of Remix OS, hasannounced a change in focus that leaves Remix OS out of the picture. "We’ll be restructuring our approach to Remix OS and transitioning away from the consumer space. As a result, development on all existing products such as Remix OS for PC as well as products in our pipeline such as Remix IO and IO+ will be discontinued. Full refunds will be issued to ALL BACKERS via Kickstarter for both Remix IO and Remix IO+. In addition any purchases made via our online store that has remained unfulfilled will also be fully refunded. This requires no action from you as we will begin issuing refunds starting August 15th."

Security updates have been issued by Debian (libmtp), Fedora (kernel), Red Hat (freeradius and kernel), Scientific Linux (freeradius), and Ubuntu (libgcrypt11).

Security updates have been issued by Arch Linux (apache, evince, and mosquitto), Debian (apache2, evince, heimdal, and knot), Fedora (c-ares, cacti, evince, GraphicsMagick, httpd, jabberd, libgcrypt, openvas-cli, openvas-gsa, openvas-libraries, openvas-manager, openvas-scanner, poppler, qt5-qtwebengine, qt5-qtwebkit, spatialite-tools, and sqlite), openSUSE (gnutls, ncurses, qemu, and xorg-x11-server), Slackware (mariadb and samba), SUSE (cryptctl), and Ubuntu (heimdal and samba).

Version6 of the Mageia distribution is available. "Though Mageia 6’sdevelopment was much longer than anticipated, we took the time to polish itand ensure that it will be our greatest release so far." Highlightsinclude KDE Plasma 5, the DNF package manager as an alternative tourpmi, and an experimental ARM port. Details can be found inthe releasenotes.

By the end of the 4.13 merge window, 11,258 non-merge changesets hadbeen pulled into the mainline repository — about 3,600 since the first half of this series was written.That is nowhere near the 12,920 changesets that landed during the 4.12merge window, but it still makes for a typically busy development cycle.What follows is a summary of the more interesting changes found in thoselast 3,600+ changesets.

Linus has released 4.13-rc1 and closed themerge window for this cycle. "Once again, the diffstat is absolutelydominated by some AMD gpu header files, but if you ignore that, things lookpretty regular, with about two thirds drivers and one third "rest"(architecture, core kernel, core networking, tooling)."

Greg Kroah-Hartman has announced the release of five new stable kernels: 4.12.2, 4.11.11. 4.9.38, 4.4.77, and 3.18.61. As usual, they contain importantfixes and users should upgrade.

The Drupal Association has issued alengthy statement on why Larry Garfield has been removed from hismanagement roles in the Drupal project. "Larry's subsequent blogposts harmed the community and had a material impact on the DrupalAssociation, including membership cancellations from those who believed wedoxed, bullied, and discriminated against Larry as well as significantstaff disruption. Due to the harm caused, the Drupal Association isremoving Larry Garfield from leadership roles that we are responsible for,effective today." See this articlefor background information.

Security updates have been issued by Debian (bind9, heimdal, samba, and xorg-server), Fedora (cacti, evince, expat, globus-ftp-client, globus-gass-cache-program, globus-gass-copy, globus-gram-client, globus-gram-job-manager, globus-gram-job-manager-condor, globus-gridftp-server, globus-gssapi-gsi, globus-io, globus-net-manager, globus-xio, globus-xio-gsi-driver, globus-xio-pipe-driver, globus-xio-udt-driver, jabberd, myproxy, perl-DBD-MySQL, and php), openSUSE (libcares2), SUSE (xorg-x11-server), and Ubuntu (evince and nginx).

It has been nearly one month since the StackClash vulnerability was disclosed and some hardening measures wererushed into the 4.12 kernel release. Since then, a fair amount of work hasgone into fixing problems caused by those measures and porting the result backto stable kernel releases. Now, it seems, the kernel developers areconsidering taking a different approach entirely.

Security updates have been issued by Arch Linux (irssi), CentOS (httpd and kernel), Debian (nginx), Fedora (perl-DBD-MySQL and qt5-qtwebengine), Mageia (apache-mod_fcgid, cairo, jbig2dec, nodejs, and sudo), openSUSE (libreoffice, spice, and systemd), Red Hat (python-django-horizon), and SUSE (kernel and xorg-x11-server).