LWN.net

High-bandwidthDigital Content Protection (or HDCP) is an Intel-designedcopy-protection mechanism for video and audio streams. It is a digitalrights management (DRM)system of the type disliked by many in the Linux community. But doesthat antipathy mean that Linux should not support HDCP? That question isbeing answered — probably in favor of support — in a conversation underwayon the kernel mailing lists.

At Opensource.com, Mike Bursell looks at blockchain security from the angle of trust. Unlike cryptocurrencies, which are pseudonymous typically, other kinds of blockchains will require mapping users to real-life identities; that raises the trust issue. "What's really interesting is that, if you're thinking about moving to a permissioned blockchain or distributed ledger with permissioned actors, then you're going to have to spend some time thinking about trust. You're unlikely to be using a proof-of-work system for making blocks—there's little point in a permissioned system—so who decides what comprises a "valid" block that the rest of the system should agree on? Well, you can rotate around some (or all) of the entities, or you can have a random choice, or you can elect a small number of über-trusted entities. Combinations of these schemes may also work.If these entities all exist within one trust domain, which you control, then fine, but what if they're distributors, or customers, or partners, or other banks, or manufacturers, or semi-autonomous drones, or vehicles in a commercial fleet? You really need to ensure that the trust relationships that you're encoding into your implementation/deployment truly reflect the legal and IRL [in real life] trust relationships that you have with the entities that are being represented in your system.And the problem is that, once you've deployed that system, it's likely to be very difficult to backtrack, adjust, or reset the trust relationships that you've designed."

Security updates have been issued by CentOS (firefox, java-1.7.0-openjdk, kernel, liblouis, qemu-kvm, sssd, and thunderbird), Debian (heimdal and nova), openSUSE (shibboleth-sp), Oracle (java-1.7.0-openjdk), Red Hat (Red Hat OpenShift Enterprise), Scientific Linux (openafs), SUSE (kernel), and Ubuntu (rsync).

The LWN.net Weekly Edition for December 7, 2017 is available.

Voice computing has long been a staple of science fiction, but it hasonly relatively recently made its way into fairly common mainstream use.Gadgets like mobile phones and "smart" home assistant devices (e.g. Amazon Echo, Google Home)have brought voice-based user interfaces to the masses. The voiceprocessing for those gadgets relies on various proprietary services "in thecloud", which generally leaves the free-software world out in the cold.There have been FOSS speech-recognition efforts overthe years, but Mozilla's recentannouncement of the release of its voice-recognition code and voicedata set should help further the goal of FOSS voice interfaces.

As all Python developers discover sooner or later, Python is a rapidlyevolving language whose community occasionally makes changes that can breakexisting programs. The switch to Python 3 is the most prominentexample, but minor releases can include significant changes as well. TheCPython interpreter can emit warnings for upcoming incompatible changes,giving developers time to prepare their code, but those warnings aresuppressed and invisible by default. Work is afoot to make them visible,but doing so is not as straightforward as it might seem.

Linux containers are something of an amorphous beast, at least withrespect to the kernel. There are lots of facilities that the kernelprovides (namespaces, control groups, seccomp, and so on) that can becomposed by user-space tools into containers of various shapes andcolors; the kernel is blissfully unaware of how user space views thatcomposition. But there is interest in having the kernel be more aware ofcontainers and for it to be able to distinguish what user space considersto be a single container. One particular use case for the kernel managingcontainer identifiers is the auditsubsystem, which needs unforgeable IDs for containers that can beassociated with audit trails.

The Debian project has announced the launch of sources.debian.org, a site thatenables browsing of the source code for every package shipped with theDebian distribution. "You may already know this service aspreviously hosted at sources.debian.net . We took the move to Debianhardware as the opportunity to officially announce it here."

Security updates have been issued by CentOS (samba4), Mageia (libxcursor and libxfont/libxfont2), openSUSE (exim, GraphicsMagick, graphviz, pdns, and pdns-recursor), Oracle (firefox and liblouis), Red Hat (java-1.7.0-openjdk), Scientific Linux (java-1.7.0-openjdk), SUSE (firefox, shibboleth-sp, and xen), and Ubuntu (linux-firmware).

The quest to find a free-softwarereplacement for the QuickBooks accounting tool continues. In this episode,your editor does his best to put Tryton through its paces. Running Trytonproved to be a trying experience, though; this would not appear to be theaccounting tool we are searching for.

Stable kernels 4.14.4, 4.9.67, 4.4.104, and 3.18.86 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Debian (libextractor), Fedora (java-9-openjdk, kernel, python, and qt5-qtwebengine), Oracle (sssd and thunderbird), Red Hat (firefox, liblouis, and sssd), Scientific Linux (firefox, liblouis, and sssd), and Ubuntu (libxml2).

Stephen Diehl looks backat what happened in Haskell during the past year."Haskell has had a great year and 2017 was defined by vast quantities of new code, including 14,000 new Haskell projects on Github . The amount of writing this year was voluminous and my list of interesting work is eight times as large as last year. At least seven new companies came into existence and many existing firms unexpectedly dropped large open source Haskell projects into the public sphere. Driven by a lot of software catastrophes, the intersection of security, software correctness and formal methods have been become quite an active area of investment and research across both industry and academia. It’s really never been an easier and more exciting time to be programming professionally in the world’s most advanced (yet usable) statically typed language."

Mozilla has announcedthe initial releases from its "Project DeepSpeech" and "Project CommonVoice" efforts. "I’m excited to announce the initial release ofMozilla’s open source speech recognition model that has an accuracyapproaching what humans can perceive when listening to the samerecordings. We are also releasing the world’s second largest publiclyavailable voice dataset, which was contributed to by nearly 20,000 peopleglobally."

The kernel's module mechanism allows the building of a kernel with a widerange of hardware and software support without requiring that all of thatcode actually be loaded into any given running system. The availability of all ofthose modules in a typical distributor kernel means that a lot of featuresare available — but also, potentially, a lot of exploitable bugs. Therehave been numerous cases where the kernel's automatic module loader hasbeen used to bring buggy code into a running system. An attempt to reducethe kernel's exposure to buggy modules shows how difficult some kinds ofhardening work can be.

Security updates have been issued by Arch Linux (cacti, curl, exim, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, lib32-libxcursor, libcurl-compat, libcurl-gnutls, libofx, libxcursor, procmail, samba, shadowsocks-libev, and thunderbird), Debian (tor), Fedora (kernel, moodle, mupdf, python-sanic, qbittorrent, qpid-cpp, and rb_libtorrent), Mageia (git, lame, memcached, nagios, perl-Catalyst-Plugin-Static-Simple, php-phpmailer, shadowsocks-libev, and varnish), openSUSE (binutils, libressl, lynx, openssl, tor, wireshark, and xen), Red Hat (thunderbird), Scientific Linux (kernel, qemu-kvm, and thunderbird), SUSE (kernel, ncurses, openvpn-openssl1, and xen), and Ubuntu (curl, evince, and firefox).

The second 4.15 kernel prepatch is out fortesting. "One thing I'll point out is that I'm trying to get some kernel ASLRleaks plugged, and as part of that we now hash any pointers printed by'%p' by default. That won't affect a lot of people, but where it is adebugging problem (rather than leaking interesting kernel pointers),we will have to fix things up."

Version 2.0of the Django web framework has been released. This version dropssupport for Python 2.x, and adds a long list of new features; see theannouncement for details.

In his linux.conf.au2017 talk [YouTube] on the eBPF in-kernel virtual machine, Brendan Greggproclaimed that "super powers have finally come to Linux". GettingeBPF to that point has been a long road of evolution and design. WhileeBPF was originally used for network packet filtering, it turns outthat running user-space code inside a sanity-checking virtual machineis a powerful tool for kernel developers and production engineers.Over time, new eBPF users have appeared to take advantage of itsperformance and convenience. This article explains how eBPF evolvedhow it works, and how it is used in the kernel.

We were sad to encounter theannouncement that Linux Journal will be shutting down."The simple fact is that we’ve run out of money, and options alongwith it. We never had a wealthy corporate parent or deep pockets of ourown, and that made us an anomaly among publishers, from start tofinish. While we got to be good at flying close to the ground for a longtime, we lost what little elevation we had in November, when the scalefinally tipped irrevocably to the negative." Linux Journal was out there tracking what was happening in ourcommunity long before anybody else; it will be missed.

Security updates have been issued by Debian (curl, libxml2, optipng, and sox), Fedora (kernel, mediawiki, moodle, nodejs-balanced-match, nodejs-brace-expansion, and python-werkzeug), openSUSE (optipng), Oracle (kernel and qemu-kvm), Red Hat (kernel, kernel-rt, qemu-kvm, and qemu-kvm-rhev), SUSE (kernel), and Ubuntu (thunderbird).

Version 7.2.0 of the PHP language is out. It includes a number of newfeatures, including "counting of non-countable objects" (which turns out tobe issuing a warning when such a count is attempted) and the integration of the libsodiumcrypto library.

Amazon has announced the release of FreeRTOS kernel version 10, with a new license: "FreeRTOS was created in 2003 by Richard Barry. It rapidly became popular, consistently ranking very high in EETimes surveys on embedded operating systems. After 15 years of maintaining this critical piece of software infrastructure with very limited human resources, last year Richard joined Amazon.Today we are releasing the core open source code as FreeRTOS kernel version 10, now under the MIT license (instead of its previous modified GPLv2 license). Simplified licensing has long been requested by the FreeRTOS community. The specific choice of the MIT license was based on the needs of the embedded systems community: the MIT license is commonly used in open hardware projects, and is generally whitelisted for enterprise use." While the modified GPLv2 was removed, it was replaced with a slightly modified MIT license that adds: "If you wish to use our Amazon FreeRTOS name, please do so in afair use way that does not cause confusion." There is concern that change makes it a different license; the Open Source Initiative and Amazon open-source folks are working on clarifying that.

KDE.news covers thegoals that the KDE project has set for itself in the coming year."In synch with KDE's vision, Sebastian Kugler says that 'KDE is in aunique position to offer users a complete software environment that helpsthem to protect their privacy'. Being in that position, Sebastian explains,KDE as a FLOSS community is morally obliged to do its utmost to provide themost privacy-protecting environment for users. This is especially truesince KDE has been developing not only for desktop devices, but also formobile - an area where the respect for users' privacy is nearlynon-existent."

Greg Kroah-Hartman has announced the release of the 4.14.3, 4.9.66, 4.4.103, and 3.18.85 stable kernels. As usual, theycontain fixes throughout the tree; users of those series should upgrade.

Security updates have been issued by Debian (bzr and exim4), Mageia (ghostscript, libtiff, mediawiki, postgresql, thunderbird, and vlc), openSUSE (kernel-firmware and samba), Oracle (samba4), SUSE (xen), and Ubuntu (exim4, libxcursor, and libxfont, libxfont1, libxfont2).

The LWN.net Weekly Edition for November 30, 2017 is available.

The reminder that the feature freeze forPython 3.7 is coming up fairly soon (January 29) was met with aflurry of activity on the python-dev mailing list. Numerous Pythonenhancement proposals (PEPs) were updated or newly proposed; other featuresor changes have been discussed as well. One of the updated PEPs is proposing anew type of class, a"data class", to be added to the standard library. Data classes wouldserve much the same purpose as structures or records in other languages andwould use the relatively new type annotationsfeature to support static type checking of the use of the classes.

Diligent developers do their best to anticipate things that can go wrongand write appropriate error-handling code. Unfortunately, error-handlingcode is especially hard to test and, as a result, often goes untested; thecode meant to deal with errors, in other words, is likely to contain errorsitself. One way of finding those bugs is to inject errors into a runningsystem and watching how it responds; the kernel may soon have a newmechanism for doing this sort of injection.

Security updates have been issued by CentOS (apr and procmail), Debian (curl and xen), Fedora (cacti, git, jbig2dec, lucene4, mupdf, openssh, openssl, quagga, rpm, slurm, webkitgtk4, and xen), Oracle (apr and procmail), Red Hat (apr, java-1.7.1-ibm, java-1.8.0-ibm, procmail, samba4, and tcmu-runner), Scientific Linux (apr, procmail, and samba4), and Ubuntu (curl, openjdk-7, python2.7, and python3.4, python3.5).

Despite the warnings that the 4.15 merge window could be either longer orshorter than usual, the 4.15-rc1 prepatchcame out right on schedule on November 26. Anybody who was expectinga quiet development cycle this time around is in for a surprise, though; 12,599non-merge changesets were pulled into the mainline during the 4.15 mergewindow, 1,000 more than were seen in the 4.14 merge window. The first8,800 of those changes were covered in this summary; what follows is a look at whatcame after.

Security updates have been issued by Arch Linux (powerdns and powerdns-recursor), CentOS (curl and samba), Debian (ffmpeg and roundcube), Fedora (cacti and samba), openSUSE (thunderbird), Oracle (curl), Red Hat (java-1.8.0-ibm and rh-mysql56-mysql), Scientific Linux (curl), Slackware (samba), SUSE (kernel-firmware and samba), and Ubuntu (exim4, firefox, libxml-libxml-perl, optipng, and postgresql-common).

Ars technica reviewsthe Ubuntu 17.10 release. "In light of the GNOME switch, thisrelease seems like more of a homecoming than an entirely new voyage. Butthat said, Ubuntu 17.10 simultaneously feels very much like the start of anew voyage for Ubuntu. The last few Ubuntu desktop releases have been aboutas exciting as OpenSSH releases—you know you need to update, but beyondthat, no one really cares."

Out-of-tree drivers are a maintenance headache, since customers may want touse them in newer kernels.But even those drivers that getmerged into the mainline may need to be backported at times. Coccinelle developer Julia Lawallintroduced the audience at Open Source Summit Europe to some new toolsthat can help make both forward-porting and backporting drivers easier.

Linux Mint has released 18.3 "Sylvia" in Cinnamon and MATE editions. Linux Mint18.3 is a long term support release which will be supported until 2021.Both editions feature a revamped Software Manager with support forflatpaks. See more about what's new in the Cinnamonand MATEeditions or check out the release notes for Cinnamon andMATE.

The newly announced openSUSE "Tumbleweed snapshots" feature is an attempt to makerolling distributions a little easier for those who don't want to stay onthe leading edge all the time. In essence, it keeps a snapshot of thestate of the distribution at regular intervals and enables users to installapplications from their particular snapshot. That allows the installationof new applications without the need to drag in everything else that mayhave changed since the system as a whole was updated."Tumbleweed Snapshotsprovides the best of both worlds, the latest packages when you want them and theone package you need in the middle of working on a project."

Security updates have been issued by Arch Linux (varnish), Debian (libofx and python-werkzeug), Fedora (fedpkg, mediawiki, qt5-qtwebengine, and rpkg), Mageia (apr-util, bchunk, chromium-browser-stable, vlc, and webkit2), openSUSE (backintime, konversation, perl, tboot, and tnef), Oracle (samba), Red Hat (curl and samba), Scientific Linux (samba), and SUSE (kvm and samba).

Here is apress release from Red Hat on GPL enforcement: "To providegreater predictability to users of open source software, Red Hat, Facebook,Google and IBM today each committed to extending the GPLv3 approach forlicense compliance errors to the software code that each licenses underGPLv2 and LGPLv2.1 and v2." This is, in effect, a reiteration ofthe approach to enforcement recentlyadopted by many kernel developers, but it extends to all GPLv2-licensedsoftware contributed by those companies.

The 4.15-rc1 kernel prepatch is out."So it's been the usual two weeks of merge window, and rc1 is out.And that normal time length is about the only thing usual about thismerge window. Because of the indiscriminate mass slaughter of turkeysin the US last week, lots of people - including me - were on vacation.That meant that I had asked for people to try to make the merge windowfront-heavy, but it also meant that then during the second week I wasrather more strict than usual in what I pulled."

Greg Kroah-Hartman has released stable kernels 4.14.2, 4.13.16, 4.9.65, 4.4.101, 4.4.102, and 3.18.84. This is the last 4.13.y kernel andusers should upgrade to 4.14 now. For the two 4.4 updates Greg says:"[4.4.102] is a bugfix for an issue if PAGE_POISONING is enabled inthe kernel configuration. If you do not run your kernel with that option,no need to upgrade, just stick with 4.4.101."

Security updates have been issued by Debian (libxml2, openjdk-7, otrs2, python2.6, and python2.7), Fedora (fedpkg and rpkg), openSUSE (file, mupdf, otrs, and tomcat), and SUSE (tomcat).

Security updates have been issued by Arch Linux (jbig2dec), Debian (libspring-ldap-java, sam2p, and xorg-server), Fedora (postgresql), openSUSE (cacti, cacti-spine), and Ubuntu (ldns and libraw).

Brendan Gregg introduces aset of BPF-based tracing tools on opensource.com."Traditional analysis of filesystem performance focuses on block I/Ostatistics—what you commonly see printed by the iostat(1) tool and plottedby many performance-monitoring GUIs. Those statistics show how the disksare performing, but not really the filesystem. Often you care more aboutthe filesystem's performance than the disks, since it's the filesystem thatapplications make requests to and wait for. And the performance offilesystems can be quite different from that of disks! Filesystems mayserve reads entirely from memory cache and also populate that cache via aread-ahead algorithm and for write-back caching. xfsslower shows filesystemperformance—what the applications directly experience."

Security updates have been issued by Arch Linux (roundcubemail), Debian (optipng, samba, and vlc), Fedora (compat-openssl10, fedpkg, git, jbig2dec, ldns, memcached, openssl, perl-Net-Ping-External, python-copr, python-XStatic-jquery-ui, rpkg, thunderbird, and xen), SUSE (tomcat), and Ubuntu (db, db4.8, db5.3, linux, linux-raspi2, linux-aws, linux-azure, linux-gcp, and samba).

Stable kernels 4.14.1, 4.13.15, 4.9.64, 4.4.100, and 3.18.83 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Debian (ldns and swauth), Fedora (kernel and postgresql), Mageia (botan, krb5, and sssd), and Ubuntu (apport, linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-hwe, linux-lts-xenial, procmail, and samba).

The IntelManagement Engine (ME), which is a separate processor and operatingsystem running outside of user control on most x86 systems, has long beenof concern to users who are security and privacy conscious. Google andothers have been working on ways to eliminate as much of that functionality as possible(while still being able to boot and run the system). Ronald Minnich fromGoogle came to Prague to talk about those efforts at the 2017 EmbeddedLinux Conference Europe.

Security updates have been issued by Arch Linux (icu and lib32-icu), CentOS (firefox), Debian (imagemagick, konversation, libspring-ldap-java, libxml-libxml-perl, lynx-cur, ming, opensaml2, poppler, procmail, shibboleth-sp2, and xen), Fedora (firefox, java-9-openjdk, jbig2dec, kernel, knot, knot-resolver, qt5-qtwebengine, and roundcubemail), Gentoo (adobe-flash, couchdb, icedtea-bin, and phpunit), Mageia (apr, bluez, firefox, jq, konversation, libextractor, and quagga), Oracle (firefox), Red Hat (firefox), and Scientific Linux (firefox).

The latest stable kernel updates are4.13.14,4.9.63,4.4.99, and3.18.82.Each contains the usual set of important fixes and updates.

When he released 4.14, Linus Torvaldswarned that the 4.15 merge window might be shorter than usual due to the USThanksgiving holiday. Subsystem maintainers would appear to have heardhim; as of this writing, over 8,800 non-merge changesets have been pulledinto the mainline since the opening of the 4.15 merge window. Read on fora summary of the most interesting changes found in that first set ofpatches.