Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-09-14 01:45
Security updates for Tuesday
Security updates have been issued by Arch Linux (expat and poppler), Debian (unrar-nonfree and vlc), Fedora (chromium and mercurial), Gentoo (freeradius, kauth, and libreoffice), Mageia (glibc, irssi, kernel, kernel-linus, kernel-tmb, and rpcbind/libtirpc), openSUSE (libgcrypt, netpbm, and sudo), Oracle (sudo), Scientific Linux (mercurial), Slackware (kernel), SUSE (jakarta-taglibs-standard, kernel, and kernel-source), and Ubuntu (apache2).
[$] daxctl() — getting the other half of persistent-memory performance
Persistent memory promises high-speed, byte-addressable access to storage, with consequent benefits for all kinds of applications. But realizing those benefits has turned out to present a number of challenges for the Linux kernel community. Persistent memory is neither ordinary memory nor ordinary storage, so traditional approaches to memory and storage are not always well suited to this new world. A proposal for a new daxctl() system call, along with the ensuing discussion, shows how hard it can be to get the most out of persistent memory.
Intel Skylake/Kaby Lake processors: broken hyper-threading
Henrique de Moraes Holschuh has posted an advisory about a processor/microcode defect recently identified on Intel Skylake and Intel Kaby Lake processors with hyper-threading enabled. "TL;DR: unfixed Skylake and Kaby Lake processors could, in some situations, dangerously misbehave when hyper-threading is enabled. Disable hyper-threading immediately in BIOS/UEFI to work around the problem. Read this advisory for instructions about an Intel-provided fix."
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.4.74 and 3.18.58. Both contain the usual set of important fixes and users should upgrade.
Security updates for Monday
Security updates have been issued by Arch Linux (kernel, linux-zen, and tcpreplay), Debian (drupal7, exim4, expat, imagemagick, and smb4k), Fedora (chromium, firefox, glibc, kernel, openvpn, and wireshark), Mageia (mercurial and roundcubemail), openSUSE (kernel, libmicrohttpd, libqt5-qtbase, libqt5-qtdeclarative, openvpn, and python-tablib), Scientific Linux (sudo), and SUSE (firefox).
Kernel prepatch 4.12-rc7
The 4.12-rc7 kernel prepatch is out. "It's fairly small, and there were no huge surprises, so if nothing untoward happens this upcoming week, this will be the final rc. But as usual, I reserve the right to just drag things out if I end up feeling uncomfortable about things for any reason including just random gut feelings, so we'll see."
Stable kernels 4.11.7 and 4.9.34
The 4.11.7 and 4.9.34 stable kernel updates have been released. Among other things, they contain the fixes for the recently disclosed "Stack Clash" vulnerability. The 4.4.74 and 3.18.58 updates are still in the review process but should be out in the near future.
[$] ProofMode: a camera app for verifiable photography
The default apps on a mobile platform like Android are familiar targets for replacement, especially for developers concerned about security. But while messaging and voice apps (which can be replaced by Signal and Ostel, for instance) may be the best known examples, the non-profit Guardian Project has taken up the cause of improving the security features of the camera app. Its latest such project is ProofMode, an app to let users take photos and videos that can be verified as authentic by third parties.
Security updates for Friday
Security updates have been issued by Arch Linux (linux-hardened), CentOS (sudo), Debian (apache2, c-ares, flatpak, graphite2, and openvpn), Fedora (glibc and thunderbird), Gentoo (graphite2, jbig2dec, libksba, nettle, urbanterror, and vim), openSUSE (go and unrar), Oracle (sudo), SUSE (tomcat), and Ubuntu (openvpn).
digiKam 5.6.0 is released
The digiKam Team has released version 5.6.0 of the digiKam Software Collection for photo management. "With this version the HTML gallery and the video slideshow tools are back, database shrinking (e.g. purging stale thumbnails) is also supported on MySQL, grouping items feature has been improved, the support for custom sidecars type-mime have been added, the geolocation bookmarks introduce fixes to be fully functional with bundles, the support for custom sidecars, and of course a lots of bug has been fixed."
Security updates for Thursday
Security updates have been issued by Arch Linux (lxterminal, lxterminal-gtk3, openvpn, and pcmanfm), CentOS (thunderbird), Debian (jython, spip, tomcat7, and tomcat8), openSUSE (openvpn), Oracle (thunderbird), Slackware (openvpn), SUSE (openvpn), and Ubuntu (kernel, linux-lts-trusty, nss, and valgrind).
[$] LWN.net Weekly Edition for June 22, 2017
The LWN.net Weekly Edition for June 22, 2017 is available.
[$] Specifying the kernel ABI
At Open Source Summit Japan (OSSJ)—OSS is the new name for LinuxCon, ContainerCon, and CloudOpen—Sasha Levin gave a talk on the kernel's application binary interface (ABI). There is an effort to create a kernel ABI specification that has its genesis in a discussion about fuzzers at the 2016 Linux Plumbers Conference. Since that time, some progress on it has been made, so Levin described what the ABI is and the benefits that would come from having a specification. He also covered what has been done so far—and the extensive work remaining to be done.
Vranken: The OpenVPN post-audit bug bonanza
Guido Vranken describes his efforts to fuzz-test OpenVPN and the bug reports that resulted. "Most of this issues were found through fuzzing. I hate admitting it, but my chops in the arcane art of reviewing code manually, acquired through grueling practice, are dwarfed by the fuzzer in one fell swoop; the mortal’s mind can only retain and comprehend so much information at a time, and for programs that perform long cycles of complex, deeply nested operations it is simply not feasible to expect a human to perform an encompassing and reliable verification."
[$] Memory use in CPython and MicroPython
At PyCon 2017, Kavya Joshi looked at some of the differences between the Python reference implementation (known as "CPython") and that of MicroPython. In particular, she described the differences in memory use and handling between the two. Those differences are part of what allows MicroPython to run on the severely memory-constrained microcontrollers it targets—an environment that could never support CPython.
A Stack Clash disclosure post-mortem
For those who are curious about how the community deals with a serious vulnerability, Solar Designer's description of the embargo process around the "Stack Clash" issue (and his unhappiness with it) is worth a read. "Qualys first informed the distros list about this upcoming set of issues on May 3. This initial notification didn't say Stack Clash nor anything like that, but merely expressed intent to disclose the issues and concern that the list's maximum embargo duration of 14 to 19 days might not be sufficient in this case. In the resulting discussion, I agreed to consider extending the embargo beyond list policy should there be convincing reasons for that. In retrospect, I think I shouldn't have agreed to that."
Opus 1.2 released
Version 1.2 of the Opus audio codec has been released. "For music encoding Opus has already been shown to out-perform other audio codecs at both 64 kb/s and 96 kb/s. We originally thought that 64 kb/s was near the lowest bitrate at which Opus could be useful for streaming stereo music. However, with variable bitrate (VBR) improvements in Opus 1.1, suddenly 48 kb/s became a realistic target. Opus 1.2 continues on the path to lowering the bitrate limit. Music at 48 kb/s is now quite usable and while the artefacts are generally audible, they are rarely annoying. Even more, we've actually been pushing all the way to fullband stereo at just 32 kb/s! Most of the music encoding quality improvements in 1.2 don't come from big new features (like tonality analysis that got added to version 1.1), but from many small changes that all add up."
D Language accepted for inclusion in GCC
In a brief note to the GCC list, David Edelson announces: "I am pleased to announce that the GCC Steering Committee has accepted the D Language front-end and runtime for inclusion in GCC and appointed Iain Buclaw as maintainer."
Security updates for Wednesday
Security updates have been issued by CentOS (kernel), Debian (libffi, swftools, tomcat7, and zziplib), Gentoo (chromium, glibc, kodi, mbedtls, and wget), openSUSE (glibc and kernel), Oracle (kernel), Scientific Linux (thunderbird), and SUSE (kernel, sudo, and tomcat6).
Raffeiner: My Ubuntu for mobile devices post mortem analysis
Simon Raffeiner describes in detail the reasons he sees for the failure of the Ubuntu phone project. "I understand there weren’t enough developers to fix everything at once, but instead of deciding to either make a good phone OR a good tablet with Convergence, we had devices which couldn’t really do anything right. The whole project also always always had this 'these are developer devices, it’s not important to do it fast, we will win in the long run' air around it – until the management quite obviously realised that this was all way too expensive and too much time had already been lost."
Free and ready-to-use cross-compilation toolchains
Free Electrons has announced a new service to the embedded Linux community: toolchains.free-electrons.com. "This web site provides a large number of cross-compilation toolchains, available for a wide range of architectures, in multiple variants. The toolchains are based on the classical combination of gcc, binutils and gdb, plus a C library." There are over 100 toolchains covering many architectures.
The casync filesystem image distribution tool
Lennart Poettering announces casync, a tool for distributing system images. "casync takes inspiration from the popular rsync file synchronization tool as well as the probably even more popular git revision control system. It combines the idea of the rsync algorithm with the idea of git-style content-addressable file systems, and creates a new system for efficiently storing and delivering file system images, optimized for high-frequency update cycles over the Internet. Its current focus is on delivering IoT, container, VM, application, portable service or OS images, but I hope to extend it later in a generic fashion to become useful for backups and home directory synchronization as well."
[$] Attacking the kernel via its command line
The kernel's command line allows the specification of many operating parameters at boot time. A silly bug in command-line parsing was reported by Ilya Matveychikov on May 22; it can be exploited to force a stack buffer overflow with a controlled payload that can overwrite memory. The bug itself stems from a bounds-checking error that, while simple, has still been in the Linux kernel source since version 2.6.20. The subsequent disclosure post by Matveychikov in the oss-security list spawned a discussion on what constitutes a vulnerability, and what is, instead, merely a bug.
Schaller: Fedora Workstation 26 and beyond
Christian Schaller has posted an extensive look forward at the changes coming to the Fedora desktop. "Another major project we been working on for a long time in Fleet Commander. Fleet Commander is a tool to allow you to manage Fedora and RHEL desktops centrally. This is a tool targeted at for instance Universities or companies with tens, hundreds or thousands of workstation installation. It gives you a graphical browser based UI (accessible through Cockpit) to create configuration profiles and deploy across your organization."
Security updates for Tuesday
Security updates have been issued by Arch Linux (glibc and lib32-glibc), CentOS (glibc and kernel), Debian (eglibc, kernel, and libffi), openSUSE (exim, freeradius-server, libxml2, Mozilla based packages, and xorg-x11-server), Oracle (glibc and kernel), Scientific Linux (glibc and kernel), SUSE (glibc, kernel, and openvpn), and Ubuntu (eglibc, glibc, exim4, libnl3, linux, linux-meta, linux-aws, linux-meta-aws, linux-gke, linux-meta-gke, linux-hwe, linux-meta-hwe, linux-lts-xenial, linux-meta-lts-xenial, linux-meta-raspi2, linux-raspi2, and linux-meta-snapdragon, linux-snapdragon).
[$] Preventing stack guard-page hopping
Normally, the -rc6 kernel testing release is not the place where one would expect to find a 900-line memory-management change. As it happens, though, such a change was quietly merged immediately prior to the 4.12-rc6 release; indeed, it may have been the real reason behind 4.12-rc6 coming out some hours later than would have been expected. This change is important, though, in that it addresses a newly publicized security threat that, it seems, is being actively exploited.
[$] User-space access to WMI functions
Windows Management Instrumentation (WMI) is a vaguely defined mechanism for the control of platform-specific devices; laptop functions like special buttons, LEDs, and the backlight are often controlled through WMI interfaces. On Linux, access to WMI functions is restricted to the kernel, while Windows allows user space to use them as well. A recent proposal to make WMI functions available to user space in Linux as well spawned a slow-moving conversation that turned on a couple of interesting questions — only one of which was anticipated in the proposal itself.
Debian Edu / Skolelinux Stretch released
Debian Edu, also known as Skolelinux, is a Debian derivative aimed at making it easy to administrate a computer lab or a whole school network. Version 9 "Stretch" has been released. "Would you like to install servers, workstations and laptops which will then work together? Do you want the stability of Debian with network services already preconfigured? Do you wish to have a web-based tool to manage systems and several hundred or even more user accounts? Have you asked yourself if and how older computers could be used? Then Debian Edu is for you."
Security updates for Monday
Security updates have been issued by Arch Linux (chromium, firefox, and thunderbird), Debian (exim4, expat, firefox-esr, glibc, gnutls28, irssi, jython, and kernel), Fedora (dolphin-emu, firefox, golang, mariadb, perl-File-Path, redis, and yara), Mageia (firefox, kodi, and thunderbird), openSUSE (chromium and lynis), and SUSE (mercurial).
Kernel prepatch 4.12-rc6
The 4.12-rc6 kernel prepatch is out for testing. "The good news is that rc6 is smaller than rc5 was, and I think we're back on track and rc5 really was big just due to random timing. We'll see. Next weekend when I'm back home and do rc7, I'll see how I feel about things. I'm still hopeful that this would be a normal release cycle where rc7 is the last rc."
AIMS Desktop 2017.1 released
The AIMS desktop is a Debian-derived distribution aimed at mathematical and scientific use. This project's first public release, based on Debian 9, is now available. It is a GNOME-based distribution with a bunch of add-on software. "It is maintained by AIMS (The African Institute for Mathematical Sciences), a pan-African network of centres of excellence enabling Africa’s talented students to become innovators driving the continent’s scientific, educational and economic self-sufficiency."
Debian 9 "Stretch" released
The Debian 9 "Stretch" release is now available. "Debian 9 is dedicated to the project's founder Ian Murdock, who passed away on 28 December 2015." There are a lot of changes in this release, including a switch to MariaDB, the return of Firefox and Thunderbird under those names, 90% reproducible-build coverage, a rootless X server, and more.
Some weekend stable kernel updates
The 4.11.6, 4.9.33, and 4.4.73 stable kernel updates are out with a relatively large set of important fixes. Greg Kroah-Hartman has also let it be known that the next long-term stable kernel series will be 4.14.
Konecny: Anaconda modularisation
On his blog, Jiri Konecny writes about plans for modularizing Anaconda, which is the installer for Fedora and other Linux distributions. Anaconda is written in Python 3, but is all contained in one monolithic program. "The current Anaconda has one significant problem: all of the code is in one place--the monolith. It is more difficult to trace bugs and to a have a stable API. Implementing new features or modifying existing code in Anaconda is also more challenging. Modularisation should help with these things mainly because of isolation between the modules. It will be much easier to create tests for modules or to add new functionality. Modularisation also opens up new possibilities to developers. They should be able to create a new user interface easily. Since developers can rely on the existing API documentation, it should not be necessary to browse the source code tree very often. Another benefit is that an addon is like another module, communicating with other modules, so it has the same capabilities. Developers can use the public API to write their addons in their favourite programming language which supports DBus."
Ryabitsev: Travel (Linux) laptop setup
On his blog, Linux Foundation Director of IT Infrastructure Security Konstantin Ryabitsev has some advice for laptop security when traveling overseas. Some attendees of LinuxCon China in Beijing June 19-20 have asked for his thoughts, so he put together the post, which is good advice, if perhaps overly paranoid for some, no matter what country you might be visiting. "China is not signatory to the "Personal Use Exemption" when it comes to encrypted devices, so bringing a laptop with encrypted hard drive with you is not technically legal. If the border officer does not like you for some reason and has grounds to suspect you are not being truthful about your stated reasons for entering China, you may be asked to decrypt your devices for a search. Failure to do so may result in unpleasantness, and you may be detained or fined merely on the grounds of having an encrypted device when entering the country. (As opposed to, for example, entering a country that is signatory to the personal use exemption, where just having an encrypted device is not grounds for any action. That said, it is never in your interest to make the border officer not like you for some reason. Until you are admitted to the country as a legal alien, the Geneva Convention and the Universal Declaration of Human Rights are pretty much the only legal frameworks protecting you as a person against foreign government action.) It is important to point out that you are extremely unlikely to be penalized for bringing in an encrypted laptop with you to China, as any kind of widespread zealous application of such practice would quickly shut down any business travel to China -- and this is definitely not in the government's interest."
Calibre 3.0 released
Version 3.0 of the calibre electronic-book reader has been released. "It has been almost three years since calibre 2.0. In that time lots has happened. The biggest new feature, which was in development for almost that entire period, is a completely re-written calibre Content server. The Content server allows you to wirelessly browse your calibre books on any modern phone/tablet and even read the books right in your phone browser." Other additions include support for high-DPI screens and support for multiple icon themes.
Plumbers early bird rate ending soon
The early bird registration rate for Linux Plumbers Conference 2017 will end on June 18 (or before if all of the slots are sold). The early bird rate is $400 and that will increase to $550, so those interested may wish to visit the Attend page at the site. Linux Plumbers Conference will be held in Los Angeles, CA, US on 13-15 September in conjunction with The Linux Foundation Open Source Summit North America.
Security updates for Friday
Security updates have been issued by Arch Linux (bind), Debian (request-tracker4, rt-authen-externalauth, and zookeeper), openSUSE (mercurial, otrs, thunderbird, and tor), and Ubuntu (libmwaw and zziplib).
FreeNAS 11.0 is Now Here
FreeNAS 11.0 has been released. "This version brings new virtualization and object storage features to the World’s Most Popular Open Source Storage Operating System. FreeNAS 11.0 adds bhyve virtual machines to its popular SAN/NAS, jails, and plugins, letting you use host web-scale VMs on your FreeNAS box. It also gives users S3-compatible object storage services, which turns your FreeNAS box into an S3-compatible server, letting you avoid reliance on the cloud." LWN looked at FreeNAS in February 2015.
[$] The Brave web browser
The Brave web browser is a project from a new company called Brave Software. It was founded by Brendan Eich, who is the inventor of JavaScript and former developer and CTO at Mozilla; he hopes to dramatically re-invent the advertising model of the web while strengthening user anonymity and security. Brave's value proposition is that instead of being served advertisements from web sites that use the revenue to pay their bills, users can opt to directly pay the content providers of their choosing with cryptocurrency. Also, there is a recognition of the utility of targeted advertising, so users have an option of saving a local, protected profile that can be used anonymously to obtain targeted advertisements instead of having their online behavior tracked and sold by a third party.
Security updates for Thursday
Security updates have been issued by Arch Linux (flashplugin, kmail, lib32-flashplugin, and messagelib), CentOS (firefox), Debian (firefox-esr and libsndfile), Fedora (ettercap, gajim, libsndfile, poppler, and webkitgtk4), Mageia (catdoc, ettercap, libcryptopp, libytnef, and tor), Oracle (firefox), Scientific Linux (firefox), Slackware (bind and mozilla), SUSE (jakarta-taglibs-standard), and Ubuntu (firefox).
[$] LWN.net Weekly Edition for June 15, 2017
The LWN.net Weekly Edition for June 15, 2017 is available.
[$] Making Python faster
The Python core developers, and Victor Stinner in particular, have been focusing on improving the performance of Python 3 over the last few years. At PyCon 2017, Stinner gave a talk on some of the optimizations that have been added recently and the effect they have had on various benchmarks. Along the way, he took a detour into some improvements that have been made for benchmarking Python.
The end for fedfs-utils
Chuck Lever has announced that the fedfs-utils project, which created utilities for the Federated Filesystem, will no longer be developed. The most interesting part, for many, may be this discussion of why this project ground to a halt. (Thanks to Neil Brown).
[$] Shrinking the scheduler
The ups and downs of patching the kernel to wedge Linux into tiny systems has been debated numerous times over the years, most recently in the context of Nicolas Pitre's alternative TTY layer patches posted in April. Pitre is driving the debate again, this time by trying to shrink the kernel's CPU scheduler. In the process, he has exposed a couple of areas of fundamental disagreement on the value of this kind of work.
[$] Alioth moving toward pagure
Since 2003, the Debian project has been running a server called Alioth to host source code version control systems. The server will hit the end of life of the Debian LTS release (Wheezy) next year; that deadline raised some questions regarding the plans for the server over the coming years. Naturally, that led to a discussion regarding possible replacements.
2017 Maintainer and Kernel Summit planning
The Kernel Summit is undergoing some changes this year; the core developers' gathering from previous events will be replaced by a half-day "maintainers summit" consisting of about 30 people. The process of selecting those people, and of selecting topics for the open technical session, is underway now; interested developers are encouraged to submit their topic ideas.
[$] Assembling the history of Unix
The moment when an antique operating system that has not run in decades boots and presents a command prompt is thrilling for Warren Toomey, who founded the Unix Heritage Society to reconstruct the early history of the Unix operating system. Recently this historical code has become much more accessible: we can now browse it in an instant on GitHub, thanks to the efforts of a computer science professor at the Athens University of Economics and Business named Diomidis Spinellis. Click below (subscribers only) for a look at the Unix Heritage Society and what it has accomplished.
Stable kernel updates
Stable kernels 4.11.5, 4.9.32, 4.4.72, and 3.18.57 have been released. All of them contain important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Arch Linux (gnutls and tor), CentOS (qemu-kvm), Debian (libgcrypt20 and libosip2), Fedora (kernel), Mageia (flash-player-plugin, libosip2, and smb4k), openSUSE (ImageMagick), SUSE (mercurial), and Ubuntu (gnutls26, gnutls28).