A less than two-month-old project for OpenBSD, kernel address space randomized link (KARL), has turned the kernel into an object that is randomized on every boot. Instead of the code being stored in the same location for every boot of a given kernel, each boot will be unique. Unlike Linux's kernel address space layout randomization (KASLR), which randomizes the base address for all of the kernel code on each boot, KARL individually randomizes the object files that get linked into the binary. That means that a single information leak of a function address from the kernel does not leak information about the location of all other functions.
The much anticipated release of Fedora 26 was made on July 11. As usual, it came with a wide array of updated packages, everything from the kernel through programming languages to desktops, but there are also internal tools and installation mechanisms that have changed as well. Beyond that, the new Python Classroom Lab is aimed at teachers and instructors to make it easier to get a full-featured Python (of various flavors and with lots of extras) in several different easily installable forms. Though it was delayed by more than a month from its original planned release date—something the project embraces at some level—Fedora 26 looks like it was worth waiting for.
Validating user input is a long-established security best practice, but there can be differences of opinion about what should be done when that validation fails. A recently reported bug in systemd has fostered a discussion on that topic; along the way there has also been discussion about how much validation systemd should actually be doing and how much should be left up to the underlying distribution. The controversy all revolves around usernames that systemd does not accept, but that some distributions (and POSIX) find to be perfectly acceptable.
Security updates have been issued by Arch Linux (flashplugin, lib32-flashplugin, lib32-gnutls, libdwarf, nginx, nginx-mainline, and tor), Debian (spice and undertow), Fedora (bind, bind-dyndb-ldap, chromium-native_client, dnsperf, expat, flatpak, GraphicsMagick, httpd, jetty, libdb, libsndfile, mingw-LibRaw, mosquitto, php-horde-Horde-Image, qt5-qtwebengine, xen, and yara), Oracle (httpd and kernel), Red Hat (flash-plugin, httpd, and kernel), Scientific Linux (httpd and kernel), and SUSE (spice).
The Git source-code management system is widely known for its flexibility and for the distributed development model that it supports. Its reputation for ease of use is ... less well established. There should, thus, be an opening for front-end systems that can make Git easier to use. One of the most comprehensive Git front ends, Magit, works within the Emacs editor and has a wide following. But Magit has run into some turbulence within the Emacs development community that is blocking its wider distribution.
The Power Management and Energy-awareness microconference has been accepted for this year's Linux Plumbers Conference, which runs September 13-15 in Los Angeles, CA. "The agenda this year will focus on a range of topics including CPUfreq core improvements and schedutil governor extensions, how to best use scheduler signals to balance energy consumption and performance and user space interfaces to control capacity and utilization estimates. We'll also discuss selective throttling in thermally constrained systems, runtime PM for ACPI, CPU cluster idling and the possibility to implement resume from hibernation in a bootloader."
The Fedora 26 release is out. "First, of course, we have thousands of improvements from the various upstream software we integrate, including new development tools like GCC 7, Golang 1.8, and Python 3.6. We’ve added a new partitioning tool to Anaconda (the Fedora installer) — the existing workflow is great for non-experts, but this option will be appreciated by enthusiasts and sysadmins who like to build up their storage scheme from basic building blocks. F26 also has many under-the-hood improvements, like better caching of user and group info and better handling of debug information. And the DNF package manager is at a new major version (2.5), bringing many new features." More details can be found in the release notes.
The 4.13 merge window is in progress, and, as usual, LWN is watching the commit stream. Click below (subscribers only) for the first report on what has been merged for the 4.13 release. It appears that this will be another busy development cycle.
Encrypted Media Extensions (EME) have been under review by the W3C Advisory Committee since last March. This report from the committee addresses comments and objections to EME. "After consideration of the issues, the Director reached a decision that the EME specification should move to W3C Recommendation. The Encrypted Media Extensions specification remains a better alternative for users than other platforms, including for reasons of security, privacy, and accessibility, by taking advantage of the Web platform. While additional work in some areas may be beneficial for the future of the Web Platform, it remains appropriate for the W3C to make the EME specification a W3C Recommendation. Formal publication of the W3C Recommendation will happen at a later date. We encourage W3C Members and the community to work in both technical and policy areas to find better solutions in this space." The Free Software Foundation's Defective by Design campaign opposes EME, arguing that it infringes on Web users' control of their own computers, and weakens their security and privacy. "Opponents' last opportunity to stop EME is an appeal by the Advisory Committee of the World Wide Web Consortium (W3C), the body which Tim Berners-Lee heads. Requiring 5% of the Committee's 475 members (corporate, nonprofit, and educational institutions) to sign on within a two-week period, the appeal would then trigger a vote from the whole Committee to make a final decision to ratify or reject EME."
Software in the Public Interest (SPI) has announced the availability of its 2016 Annual Report [PDF], covering the 2016 calendar year. "We’ve seen a lot of change this year. Several long-term board members retired from the board, including Bdale Garbee who served as SPI’s President for many years. There was a lot of interest in SPI’s board election and several new contributors joined the board. The board met in person in February to discuss outstanding issues and work on long-term plans."
The Qubes OS project has announced a program for the certification of "reasonably secure" laptops, but users will have to wait to get such a machine: "So far, no third-party manufacturers have produced a computer that satisfies these requirements. However, ITL has entered initial talks with a promising partner with whom we can foresee creating a true Reasonably Secure Laptop."
On his blog, Richard WM Jones describes work he has done on an automated patch testing system that is similar to the kernel 0-day test service. "Today I thought I’d write something like this, partly to reinvent the wheel, but mostly to learn more about the RabbitMQ message broker. You see, if you have to receive emails, run large tests, and send more emails, then at least two and possibly more machines are going to be involved, and as soon as you are using two or more machines, you are writing a distributed system and you need to use the right tools. Message brokers and RabbitMQ in particular make writing distributed systems easy — trust me, I’ll show you how!"
In what seems to be an acknowledgment of the status quo, rather than a big change, GNU C library (glibc) founder and maintainer Roland McGrath has stepped down from the project. This is not caused by any "big news with me", he said, just a recognition that he has drifted away from the project. "This summer marks 30 years since I began writing the GNU C Library. (That's two thirds of my lifespan so far.) It's long enough. So, I'm hereby declaring myself maintainer emeritus and withdrawing from direct involvement in the project. These past several months, if not the last few years, have proven that you don't need me any more. You'll make good decisions, as you've already made good decisions. You'll actually get around to implementing some of the things I've been suggesting or meaning to do (or saying I would do) for years, as you've already made progress on some of those ideas in recent months. If I stayed around to give advice, you'd ignore my advice to be more paranoid and more cautious, plow ahead anyway, ship it, and then have to redress the problem when the practical issues manifested, as you've already done and had to do. :-) All in all, I have no doubt at all that the job you're doing now and will do in the future maintaining glibc is better than I ever did that job myself and at least as good as my presence in the project might ever make it." As several responses to the post have already indicated, McGrath will be missed.
There are many ways to attempt to subvert an operating-system kernel. One particularly effective way, if it can be arranged, is to attack the operations that copy data between user-space and kernel-space memory. If the kernel can be fooled into copying too much data back to user space, the result can be an information-disclosure vulnerability. Errors in the other direction can be even worse, overwriting kernel memory with attacker-controlled data. The kernel has gained some defenses against this sort of attack in recent development cycles, but there is more work yet to be merged.
Security updates have been issued by Fedora (webkitgtk4), Mageia (ffcall, clisp and libffi), openSUSE (apache2, bind, clamav, dovecot22, GraphicsMagick, libICE, libquicktime, libXdmcp, libxml2, php7, and vim), Red Hat (ansible), and SUSE (ncurses and xen).
Over at Opensource.com, Pratyush Anand looks at dynamic tracing for both user space programs and the kernel. He gives an introduction to using uprobes and kprobes directly as well as using them via the perf tool. "We can insert kprobe within most of the symbols in /proc/kallsyms; other symbols have been blacklisted in the kernel. A kprobe insertion into the kprobe_events file for the symbols that aren't compatible with a kprobe insertion should result in a write error. A probe can be inserted at some offset from the symbol base, as well. Like uprobe, we can also trace the return of a function using kretprobe. The value of a local variable can also be printed in trace output."
Security updates have been issued by CentOS (bind and qemu-kvm), Debian (jabberd2, libclamunrar, libgcrypt11, radare2, and tiff), Fedora (bind, bind-dyndb-ldap, dnsperf, kdepim4, kf5-messagelib, kmail, and php-horde-Horde-Image), Oracle (bind and qemu-kvm), SUSE (ncurses), and Ubuntu (ntp, samba, and thunderbird).
A recent paper [PDF] by a group of eight cryptography researchers shows, once again, how cryptographic breakthroughs are made. They often start small, with just a reduction in the strength of a cipher or key search space, say, but then grow over time to reach the point of a full-on breaking of a cipher or the implementation of one. In this case, the RSA implementation in Libgcrypt for 1024-bit keys has been fully broken using a side-channel attack against the operation of the library—2048-bit keys are also susceptible, but not with the same reliability, at least using this exact technique.
Here is a detailed summary of undefined behavior in C and C++ programs — and the tools that can be used to detect such behavior — by Pascal Cuoq and John Regehr. "The state of the art in debugging tools for strict aliasing violations is weak. Compilers warn about some easy cases, but these warnings are extremely fragile. libcrunch warns that a pointer is being converted to a type “pointer to thing” when the pointed object is not, in fact, a 'thing.' This allows polymorphism through void pointers, but catches misuses of pointer conversions that are also strict aliasing violations."
At the end of June, Zachary Fouts noticed something on his Ubuntu system that surprised him a bit: an entry in the "message of the day" (motd) that looked, at least to some, like an advertisement. That is, of course, not what anyone expects from their free-software system; it turns out that it wasn't an ad at all, though it was worded ambiguously and could be (and was) interpreted that way. As the discussion in the bug Fouts filed shows, the "ad" came about from a useful feature that may or may not have been somewhat abused—that determination depends on the observer.
Security updates have been issued by Debian (graphite2), Gentoo (icedtea-bin), openSUSE (postgresql94), Red Hat (bind, qemu-kvm, qemu-kvm-rhev, rh-postgresql94-postgresql, and rh-postgresql95-postgresql), Scientific Linux (bind and qemu-kvm), and SUSE (qemu, sudo, and xen).
Version 0.2.0 of the Oryx Linux distribution is out. "Oryx Linux is an embedded Linux distribution based around the Yocto Project and OpenEmbedded. It incorporates a lightweight container runtime engine to bring the benefits of containerisation to the embedded sector without disrupting existing developer workflows."
On his blog, Bradley Kuhn remembers Bob Chassell, who was an early contributor to free software, after his passing in early July. "I regularly credit Bob as the first Executive Director of the FSF. While he technically never held that title, he served as Treasurer for many years and was the de-facto non-technical manager at the FSF for its first decade of existence. One need only read the earliest issues of the GNU's Bulletin to see just a sampling of the plethora of contributions that Bob made to the FSF and Free Software generally. Bob's primary forte was as a writer and he came to Free Software as a technical writer. Having focused his career on documenting software and how it worked to help users make the most of it, software freedom — the right to improve and modify not only the software, but its documentation as well — was a moral belief that he held strongly. Bob was an early member of the privileged group that now encompasses most people in industrialized society: a non-developer who sees the value in computing and the improvement it can bring to life. However, Bob's realization that users like him (and not just developers) faced detrimental impact from proprietary software remains somewhat rare, even today. Thus, Bob died in a world where he was still unique among non-developers: fighting for software freedom as an essential right for all who use computers."
Linus Torvalds released the 4.12 kernel on July 2, marking the end of one of the busiest development cycles in the kernel project's history. Tradition requires that LWN publish a look at this kernel release and who contributed to it. 4.12 was, in many ways, a fairly normal cycle, but it shows the development community's continued growth.
In many performance-oriented settings, the number of times that data is copied puts an upper limit on how fast things can go. As a result, zero-copy algorithms have long been of interest, even though the benefits achieved in practice tend to be disappointing. Networking is often performance-sensitive and is definitely dominated by the copying of data, so an interest in zero-copy algorithms in networking comes naturally. A set of patches under review makes that capability available, in some settings at least.
Security updates have been issued by Arch Linux (libgcrypt and systemd), Debian (apache2, icedove, libgcrypt20, libxml2, and vorbis-tools), Fedora (openvpn, systemd, xen, and zabbix), Mageia (bitlbee and libtiff), openSUSE (kdepim, messagelib, kdepim4, libxml2, and php5), Oracle (kernel), Slackware (glibc and kernel), and SUSE (python-pycrypto, unrar, and xen).
The call for presentations for the 2018 linux.conf.au event is now open. "linux.conf.au is one of the best-known community driven Free and Open Source Software conferences in the world. In 2018 we welcome you to join us in Sydney, New South Wales on Monday 22 January through to Friday 26 January." The submission deadline is August 6.
Linus has released the 4.12 kernel. Some of the headline features in 4.12 include the BFQ and Kyber block I/O schedulers, busy-polling of network sockets in epoll_wait(), the hybrid consistency model for live patching, the trusted execution environment framework, and more. The KernelNewbies 4.12 page is still under construction, but should be filled out in the near future.
The kernel's file capabilities mechanism is a bit of an awkward fit with user namespaces, in that all namespaces have the same view of the capabilities associated with a given executable file. There is a patch set under consideration that adds awareness of user namespaces to file capabilities, but it has brought forth some disagreement on how such a mechanism should work. The question is, in brief: how should a set of file capabilities be picked for any given user namespace?
Version 1.7 of the Kubernetes orchestration system is out. "At-a-glance, security enhancements in this release include encrypted secrets, network policy for pod-to-pod communication, node authorizer to limit kubelet access and client / server TLS certificate rotation. For those of you running scale-out databases on Kubernetes, this release has a major feature that adds automated updates to StatefulSets and enhances updates for DaemonSets. We are also announcing alpha support for local storage and a burst mode for scaling StatefulSets faster."
Security updates have been issued by CentOS (freeradius, kernel, and mercurial), Debian (libarchive and mercurial), Fedora (chromium-native_client, systemd, and tomcat), Mageia (drupal, golang, libmwaw, libsndfile, rxvt-unicode, and tomcat), Oracle (kernel), Slackware (bind, httpd, kernel, and libgcrypt), SUSE (bind, clamav, kernel, and openvpn-openssl1), and Ubuntu (bind9, eglibc, and linux-hwe).
In honor of the 23rd anniversary of FreeDOS, project founder Jim Hall has written about the project over at Opensource.com. The free MS-DOS replacement has been around for longer than MS-DOS was and is still under active development. "DOS is an old system and the original didn't support networking out of the box. Typically, you had to install device drivers for your hardware to connect to a network, which was usually a simple network like IPX. Few systems supported TCP/IP. With FreeDOS, not only do we include a TCP/IP networking stack, we include tools and programs that let you browse the web. Use Dillo for a graphical web browser experience, or Lynx to view the web as formatted plain text. If you just want to grab the HTML code and manipulate it yourself, use Wget or Curl."
A microconference on containers will be featured at this year's Linux Plumbers Conference, which will be held in Los Angeles, CA, US on 13-15 September in conjunction with The Linux Foundation Open Source Summit. "The agenda for this year will focus on unsolved issues and other problem areas in the Linux kernel container interfaces with the goal of allowing all container runtimes and orchestration systems to provide enhanced services. Of particular interest is the unprivileged use of container APIs in which we can use both to enable self-containerising applications as well as to deprivilege (make more secure) container orchestration systems. In addition we will be discussing the potential addition of new namespaces: (LSM for per-container security modules; IMA for per-container integrity and appraisal, file capabilities to allow setcap binaries to run within unprivileged containers)."
Greg Kroah-Hartman has announced the release of the 4.11.8, 4.9.35, 4.4.75, and 3.18.59 stable kernels. As usual, they contain important fixes and users of those kernel series should upgrade.
Security updates have been issued by Arch Linux (apache and libnl), CentOS (mercurial), Debian (drupal7), Fedora (c-ares), Oracle (freeradius and kernel), Scientific Linux (kernel), SUSE (php53 and xen), and Ubuntu (kernel, linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-lts-trusty, and linux-lts-xenial).
Recently, Lennart Poettering announced a new tool called casync for efficiently distributing filesystem and disk images. Deployment of virtual machines or containers often requires such an image to be distributed for them. These images typically contain most or all of an entire operating system and its requisite data files; they can be quite large. The images also often need updates, which can take up considerable bandwidth depending on how efficient the update mechanism is. Poettering developed casync as an efficient tool for distributing such filesystem images, as well as for their updates.
In his PyCon 2017 talk, Miguel Grinberg wanted to introduce asynchronous programming with Python to complete beginners. There is a lot of talk about asynchronous Python, especially with the advent of the asyncio module, but there are multiple ways to create asynchronous Python programs, many of which have been available for quite some time. In the talk, Grinberg took something of a step back from the intricacies of those solutions to look at what asynchronous processing means at a higher level.
Last week Lennart Poettering introduced casync, a tool for distributing system images. This week he introduces mkosi, a tool for making OS images. "mkosi is definitely a tool with a focus on developer's needs for building OS images, for testing and debugging, but also for generating production images with cryptographic protection. A typical use-case would be to add a mkosi.default file to an existing project (for example, one written in C or Python), and thus making it easy to generate an OS image for it. mkosi will put together the image with development headers and tools, compile your code in it, run your test suite, then throw away the image again, and build a new one, this time without development headers and tools, and install your build artifacts in it. This final image is then "production-ready", and only contains your built program and the minimal set of packages you configured otherwise. Such an image could then be deployed with casync (or any other tool of course) to be delivered to your set of servers, or IoT devices or whatever you are building."
In one sense, the Stack Clash vulnerability that was announced on June 19 has not had a huge impact: thus far, at least, there have been few (if any) stories of active exploits in the wild. At other levels, though, this would appear to be an important vulnerability, in that it has raised a number of questions about how the community handles security issues and what can be expected in the future. The indications, unfortunately, are not all positive.
Security updates have been issued by Debian (kernel and openvpn), Mageia (docker, libetpan, weechat, and yodl), Oracle (mercurial), Scientific Linux (freeradius), SUSE (kernel), and Ubuntu (systemd).
The CentOS distribution has long been a boon to those who want an enterprise-level operating system without an enterprise-level support contract—and the costs that go with it. In keeping with its server orientation, CentOS has been largely focused on x86 systems, but that has been changing over the last few years. Jim Perrin has been with the project since 2004 and his talk at Open Source Summit Japan (OSSJ) described the process of making CentOS available for the ARM server market; he also discussed the status of that project and some plans for the future.
GitHub has announced a new program that aims to make it easier for people to contribute to open source projects. "Open Source Friday isn't limited to individuals. Your team, department, or company can take part, too. Contributing to the software you already use isn't altruistic—it's an investment in the tools your company relies on. And you can always start small: spend two hours every Friday working on an open source project relevant to your business. Whether you're an aspiring contributor or active maintainer of open source software, we help you track and share your Friday contributions. We also provide a framework for regular contribution, along with resources to help you convince your employers to join in."