LWN.net

Security updates have been issued by Debian (libav), Gentoo (chromium, firefox, libreoffice, mysql, and ruby), SUSE (kernel), and Ubuntu (bind9).

The Linux kernel currently supports two separate network packet-filteringmechanisms: iptables and nftables. For the last few years, it has beengenerally assumed that nftables would eventually replace the older iptablesimplementation; few people expected that the kernel developers would,instead, add a third packet filter. But that would appear to be what ishappening with the newly announced bpfiltermechanism. Bpfilter may eventually replace both iptables and nftables, butthere are a lot of questions that will need to be answered first.

Security updates have been issued by Arch Linux (irssi), Debian (bind9, gcc-4.9, plasma-workspace, quagga, and tomcat-native), Fedora (p7zip), Mageia (nasm), openSUSE (exim, ffmpeg, irssi, mpv, qpdf, quagga, rrdtool, and rubygem-puppet), and SUSE (p7zip and xen).

SuiteCRM is a fork of the formerlyopen-source SugarCRM customer relationship management system.The 7.10 releasehas been announced. "SuiteCRM 7.10 includes a long list ofenhancements, improving user experience, adding new functionality andproviding a new REST API. This edition of SuiteCRM also assists companiesto be ready for GDPR, including opt-in functionality to track the consentof individuals."

The second 4.16 kernel prepatch is out."Go out and test, it all looks fine."

The4.15.4,4.14.20,4.9.82,4.4.116, and3.18.95stable kernel updates have all been released. These kernels contain arelatively large set of important fixes and updates.

Thefifth version of the patch series addingthe boot-constraint subsystem is under review on the linux-kernel mailing list. The purpose of this subsystem is tohonor the constraints put on devices by thebootloader before those devices arehanded over to the operating system (OS) — Linux in our case. If theseconstraints are violated, devices may fail to work properly once the kernelstarts reconfiguring the hardware; by tracking and enforcing thoseconstraints, instead, we can ensure that hardware continues to workproperly until the kernel is fully operational.

Security updates have been issued by Debian (quagga), Mageia (freetype2, kernel-linus, and kernel-tmb), openSUSE (chromium, GraphicsMagick, mupdf, openssl-steam, and xen), Slackware (irssi), SUSE (glibc and quagga), and Ubuntu (quagga).

For as long as the kernel has included tracepoints, developers have arguedover whether those tracepoints are part of the kernel's ABI. Tracepointchanges have had to be reverted in the past because they broke existinguser-space programs that had come to depend on them; meanwhile, fears ofsetting internal code in stone have made it difficult to add tracepoints toa number of kernel subsystems. Now, a new tracing functionality is beingproposed as a way to circumvent all of those problems.

Linux Journal takes a look at the newly announced LinuxBoot project. LWN covered a related talk back in November. "Modern firmware generally consists of two main parts: hardware initialization (early stages) and OS loading (late stages). These parts may be divided further depending on the implementation, but the overall flow is similar across boot firmware. The late stages have gained many capabilities over the years and often have an environment with drivers, utilities, a shell, a graphical menu (sometimes with 3D animations) and much more. Runtime components may remain resident and active after firmware exits. Firmware, which used to fit in an 8 KiB ROM, now contains an OS used to boot another OS and doesn't always stop running after the OS boots. LinuxBoot replaces the late stages with a Linux kernel and initramfs, which are used to load and execute the next stage, whatever it may be and wherever it may come from. The Linux kernel included in LinuxBoot is called the 'boot kernel' to distinguish it from the 'target kernel' that is to be booted and may be something other than Linux."

Security updates have been issued by Debian (jackson-databind, leptonlib, libvorbis, python-crypto, and xen), Fedora (apache-commons-email, ca-certificates, libreoffice, libxml2, mujs, p7zip, python-django, sox, and torbrowser-launcher), openSUSE (libreoffice), SUSE (libreoffice), and Ubuntu (advancecomp, erlang, and freetype).

The LWN.net Weekly Edition for February 15, 2018 is available.

A scientist with a rather unusual name, Meow-Ludo Meow-Meow, gave a talk atlinux.conf.au 2018about the current trends in "do it yourself" (DIY) biology or"biohacking". He is perhaps most famous for beingprosecuted for implanting an Opal card RFID chip into his hand; theOpal card is used for public transportation fares in Sydney. He gave moredetails about his implant as well as describing some other biohackingprojects in an engaging presentation.

Mark Wielaard writesabout the recently discovered relicensing of the dtrace dynamic tracingsubsystem under the GPL. "Thank you Oracle for making everyone’slife easier by waving your magic relicensing wand!Now there is lots of hard work to do to actually properly integrate this. And I am sure there are a lot of technical hurdles when trying to get this upstreamed into the mainline kernel. But that is just hard work. Which we can now start collaborating on in earnest."

The 2018 USENIXEnigma conference was held for the third time in January. Among many interesting talks, three presentations dealing with human securitybehaviors stood out. This article covers the key messages of these talks,namely the finding that humans are social in their securitybehaviors: their decision to adopt a good security practice is hardly everan isolated decision.Subscribers can read on for the report by guest author ChristianFolini.

Volker Lendecke is one of the first contributors to Samba,having submitted his first patches in 1994. In addition to developingother important file-sharing tools, he's heavily involved in development ofthe winbind service, which is implemented in winbindd. Although the core Active Directory (AD) domain controller(DC) code was written by his colleague Stefan Metzmacher, winbind is acrucial component of Samba's AD functionality. In his information-packed talk at FOSDEM2018, Lendecke said he aimed to give a high-level overview of what AD and Samba authentication is, and in particular thecommunication pathways and trust relationships between the parts ofSamba that authenticate a Samba user in an AD environment.

Security updates have been issued by Arch Linux (exim and mpv), Debian (advancecomp and graphicsmagick), Red Hat (collectd, erlang, httpd24-apr, openstack-aodh, and openstack-nova), SUSE (kernel and xen), and Ubuntu (libvorbis).

Much as some of us would love never to have to deal with Windows,it exists. It wants to authenticate its users and shareresources like files and printers over the network. Although manyenterprises use Microsoft tools to do this, there is a free alternative,in the form of Samba. While Samba 3 has been happily providingauthentication along with file and print sharing to Windows clients formany years, the Microsoft world has been slowly moving toward Active Directory (AD).Meanwhile, Samba 4, which adds a free reimplementation of AD on Linux, hasbeen increasingly ready for deployment. Three short talks at FOSDEM 2018provided three different views of Samba 4, also known as Samba-AD,and left behind a pretty clear picture that Samba 4 is trulyready for use.Subscribers can read on for a report from guest author Tom Yates on the first two of those talks; stay tuned for another on the third soon.

Stable kernels 4.15.3, 4.14.19, and 4.9.81 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Arch Linux (sthttpd), Debian (clamav, libreoffice, and pound), openSUSE (ipsec-tools and leptonica), SUSE (libreoffice), and Ubuntu (exim4, firefox, php5, puppet, and wavpack).

While there is a lot of software distributed under the terms of the GNUGeneral Public License, there is relatively little enforcement of the termsof that license and, it seems, even less discussion of enforcement ingeneral. Theorganizers of linux.conf.au have never shied away from such topics, though,so Karen Sandler's enforcement update during the linux.conf.au 2018 KernelMiniconf fit right in. The picture she painted includes a number of challenges forthe GPL and the communities based on it, but there are some bright spots aswell.

Norbert Preining reportsthe sad news that Staszek Wawrykiewicz has died. "Staszek was anactive member of the Polish TeX community, and an incredibly valuable TeXLive Team member. His insistence and perseverance have saved TeX Live frommany disasters and bugs. Although I have been in contact with Staszek overthe TeX Live mailing lists since some years, I met him in person for thefirst time on my first ever BachoTeX, the EuroBachoTeX 2007. Hisfriendliness, openness to all new things, his inquisitiveness, all took agreat place in my heart." (Thanks to Paul Wise)

At the close of the 4.16 merge window,11,746non-merge changesets had been merged; that is 5,000 since last week's summary. This merge window isthus a busy one, though not out of line with its predecessors — 4.14 had11,500 changesets during its merge window, while 4.15 had 12,599. Quite abit of that work is of the boring internal variety; over 600 of thosechangesets weredevice-tree updates, for example. But there was still a fair amount ofinteresting work merged in the second half of the 4.16 merge window; readon for the highlights.

Security updates have been issued by Arch Linux (go, go-pie, and plasma-workspace), Debian (audacity, exim4, libreoffice, librsvg, ruby-omniauth, tomcat-native, and uwsgi), Fedora (tomcat-native), Gentoo (virtualbox), Mageia (kernel), openSUSE (freetype2, ghostscript, jhead, and libxml2), and SUSE (freetype2 and kernel).

Jim Gettys providesan extensive look at the FQ_CoDel queue-management algorithm as a bigpiece of the solution to bufferbloat problems. "Simple'request/response' or time based protocols are preferentially scheduledrelative to bulk data transport. This means that your VOIP packets, yourTCP handshakes, cryptographic associations, your button press in your game,your DHCP or other basic network protocols all get preferential servicewithout the complexity of extensive packet classification, even under veryheavy load of other ongoing flows. Your phone call can work well despitelarge downloads or video use."

Linus has released 4.16-rc1 and closed themerge window for this development cycle. "I don't want to jinxanything, but things certainly look a lot better than with 4.15. We have no(known) nasty surprises pending, and there were no huge issues during themerge window. Fingers crossed that this stays fairly calm and sane."

Linux networking maintainer David Miller has put out a call for proposals for a two-day networking track at this year's Linux Plumbers Conference (LPC). "We are seeking talks of 40 minutes in length, accompanied by papersof 2 to 10 pages in length." The deadline for proposals is July 11. LPC will be held November 13-15 in Vancouver and the networking track will be held the first two days.

In ACMQueue magazine, Bridget Kromhout writes about containers and why they are not the solution to every problem. The article is subtitled:"Complex socio-technical systems are hard;film at 11.""Don't get me wrong—containers are delightful! But let's be real: we're unlikely to solve the vast majority of problems in a given organization via the judicious application of kernel features. If you have contention between your ops team and your dev team(s)—and maybe they're all facing off with some ill-considered DevOps silo inexplicably stuck between them—then cgroups and namespaces won't have a prayer of solving that.Development teams love the idea of shipping their dependencies bundled with their apps, imagining limitless portability. Someone in security is weeping for the unpatched CVEs, but feature velocity is so desirable that security's pleas go unheard. Platform operators are happy (well, less surly) knowing they can upgrade the underlying infrastructure without affecting the dependencies for any applications, until they realize the heavyweight app containers shipping a full operating system aren't being maintained at all."

On his blog, Tom Tromey looks at just-in-time (JIT) compilation for Emacs and what he has done differently in his implementation from what was done in earlier efforts. He also looks at potential enhancements to his JIT: "Calling a function in Emacs Lisp is quite expensive. A call from the JIT requires marshalling the arguments into an array, then calling Ffuncall; which then might dispatch to a C function (a “subr”), the bytecode interpreter, or the ordinary interpreter. In some cases this may require allocation.This overhead applies to nearly every call — but the C implementation of Emacs is free to call various primitive functions directly, without using Ffuncall to indirect through some Lisp symbol.Now, these direct calls aren’t without a cost: they prevent the modification of some functions from Lisp. Sometimes this is a pain (it might be handy to hack on load from Lisp), but in many cases it is unimportant.So, one idea for the JIT is to keep a list of such functions and then emit direct calls rather than indirect ones."

Security updates have been issued by Arch Linux (clamav), Debian (mailman, mpv, and simplesamlphp), Fedora (tomcat-native), openSUSE (docker, docker-runc, containerd,, kernel, mupdf, and python-mistune), Red Hat (kernel), and Ubuntu (mailman and postgresql-9.3, postgresql-9.5, postgresql-9.6).

This is the third article of a series discussing various methods ofreducing the size of the Linux kernel to make it suitable for smallenvironments. The first articleprovided a short rationale for this topic, and covered link-timegarbage collection. Thesecond article covered link-timeoptimization (LTO) and compared its results to link-time garbagecollection. In this article we'll explore ways to make LTO moreeffective at optimizing kernel code away, as well as more assertivestrategies to achieve our goal.

Security updates have been issued by Debian (django-anymail, libtasn1-6, and postgresql-9.1), Fedora (w3m), Mageia (389-ds-base, gcc, libtasn1, and p7zip), openSUSE (flatpak, ImageMagick, libjpeg-turbo, libsndfile, mariadb, plasma5-workspace, pound, and spice-vdagent), Oracle (kernel), Red Hat (flash-plugin), SUSE (docker, docker-runc, containerd, golang-github-docker-libnetwork and kernel), and Ubuntu (libvirt, miniupnpc, and QEMU).

The LWN.net Weekly Edition for February 8, 2018 is available.

The Electronic Frontier Foundation mournsthe loss of John Perry Barlow, one of its founders. "It is noexaggeration to say that major parts of the Internet we all know and lovetoday exist and thrive because of Barlow’s vision and leadership. He alwayssaw the Internet as a fundamental place of freedom, where voices longsilenced can find an audience and people can connect with others regardlessof physical distance."

The4.15.2,4.14.18, and3.18.94stable kernels have been released; each contains the usual set of importantfixes and updates. There are no 4.9.x or 4.4.x updates coming in thisparticular set.

Eric Brown takesa look at the SiFive "HiFive Unleashed" SBC that runs Linux on itsRISC-V based, quad-core, 1.5GHz U540 SoC. "The open spec HiFive Unleashed board integrates a U540 SoC, 8GB of DDR4 RAM, and 32MB quad SPI flash. The only other major features include a microSD slot, a Gigabit Ethernet port, and an FMC connector for future expansion. A SiFive rep confirmed to Linux.com that the board will be open source hardware, with freely available schematics and layout files."

Karen Sandler has been giving conference talks about free software and openmedical devices for the better part of a decade at this point. LWN briefly covered a 2010 LinuxCon talk and a 2012 linux.conf.au (LCA) talk; her talk atLCA 2012 was her first full-length keynote, she said. In this year'sedition, she reviewed her history (including her love for LCA based in part on that 2012visit) and gave an update on the status of the source code for the device shehas implanted on her heart.

Security updates have been issued by Debian (mpv), Fedora (jackson-databind), Mageia (flash-player-plugin), Slackware (kernel), and Ubuntu (python-django).

Version5.0.0 of the KMyMoney personal finance manager is out. "Thelargest amount of work has gone towards basing this version on KDEFrameworks. Many of the underlying libraries used by the application havebeen reorganized and improved, but most of that is behind the scenes, andnot directly visible to the end user. Some of the general look and feel mayhave changed, but the basic functionality of the program remains the same,aside from intentional improvements and additions." Enhancementsinclude improved reports and better multiple-currency support.

An apparent linux.conf.au tradition is to dedicate a keynote slot tosomebody who is applying open-source principles to make the world better inan area other than software development. LCA 2018 was no exception;professor Matthew Todd took the stage to present his work on open-sourcedrug discovery. The market for pharmaceuticals has failed in a number ofways to come up with necessary drugs at reasonable prices;perhaps some of those failures can be addressed through a community effort.

KDE has releasedPlasma 5.12.0. "Plasma 5.12 LTS is the second long-term support release from the Plasma 5 team. We have been working hard, focusing on speed and stability for this release. Boot time to desktop has been improved by reviewing the code for anything which blocks execution. The team has been triaging and fixing bugs in every aspect of the codebase, tidying up artwork, removing corner cases, and ensuring cross-desktop integration. For the first time, we offer our Wayland integration on long-term support, so you can be sure we will continue to provide bug fixes and improvements to the Wayland experience."

Nextcloud 13 has been released. "This release brings improvements to the core File Sync and Share like easier moving of files and a tech preview of our end-to-end encryption for the ultimate protection of your data. It also introduces collaboration and communication capabilities, like auto-complete of comments and integrated real-time chat and video communication. Last but not least, Nextcloud was optimized and tuned to deliver up to 80% faster LDAP, much faster object storage and Windows Network Drive performance and a smoother user interface."

The popular interpreted language Python shares a mode of interactionwith many other languages, from Lisp to APL to Julia: the REPL (read-eval-print-loop) allows the user to experiment with and explore their code, while maintaining aworkspace of global variables and functions. This is in contrast withlanguages such as Fortran and C, which must be compiled and run as completeprograms (a mode of operation available to the REPL-enabled languages aswell). But using a REPL is a solitary task; one can write a program toshare based on their explorations, but the REPL session itself not easilyshareable. So REPLs have gotten more sophisticated over time, evolvinginto shareable notebooks, such as what IPython, and its more recentdescendant, Jupyter, have. Here we look at Jupyter: its history,notebooks, and how it enables better collaboration in languages well beyondits Python roots.

Security updates have been issued by Debian (xen), Fedora (clamav, community-mysql, dnsmasq, flatpak, libtasn1, mupdf, p7zip, rsync, squid, thunderbird, tomcat, unbound, and zziplib), Mageia (clamav, curl, dovecot, ffmpeg, gcab, kernel, libtiff, libvpx, php-smarty, pure-ftpd, redis, and thunderbird), openSUSE (apache-commons-email), Red Hat (rh-mariadb100-mariadb), SUSE (firefox), and Ubuntu (clamav, squid3, and systemd).

Here's a lookat what's coming on the desktop in Libre Graphics World. "Afteralmost 6 years of work, the GIMP team is finalizing the next bigupdate. The plan is to cut a beta of v2.10 once the amount of critical bugsfalls further down: it's currently stuck at 20, as new bugs get promoted toblockers, while old blockers get fixed. It's a bit of an uphillbattle."

The initial panic over the Meltdown and Spectre processor vulnerabilitieshas faded, and work on mitigations in the kernel has slowed since our mid-January report. That work has notstopped, though. Fully equipping the kernel to protect systems from thesevulnerabilities is a task that may well require years. Read on for anupdate on the current status of that work.

Greg Kroah-Hartman has released stable kernels 4.15.1, 4.14.17, 4.9.80, and 4.4.115. They all contain important fixes andusers should upgrade.

Security updates have been issued by Debian (dokuwiki and p7zip), Fedora (kernel, pdns, rsync, and webkitgtk4), openSUSE (chromium and translate-toolkit), Red Hat (jboss-ec2-eap and Red Hat Satellite 6), Slackware (php), and SUSE (bind and firefox).

The Factor Daily site has alook at work to increase the diversity of open-source contributors inIndia. "Over past two months, we interviewed at least two dozenpeople from within and outside the open source community to identify a setof women open source contributors from India. While the list is notconclusive by any measure, it’s a good starting point in identifying thewomen who are quietly shaping the future of open source from this part ofthe world and how they dealt with gender biases."

As of this writing, just over 6,700 non-merge changesets have been pulledinto the mainline repository for the 4.16 development cycle. Given thatthere are a number of significant trees yet to be pulled, the earlyindications are that 4.16 will be yet another busy development cycle. Whatfollows is a summary of the significant changes merged in the first half ofthis merge window.