LWN.net

Wired recommendsswitching to F-Droid for Android apps."A polluted ocean of apps is plaguing Android, an operating systembuilt upon Free and Open-Source Software (FOSS) but now barely resemblingthose venerable roots. Today, the average Android device is not onlysusceptible to malware and trackers, it’s also heavily locked down andloaded with proprietary components—characteristics that are hardly thecalling cards of the FOSS movement. Though Android bears the moniker of open-source, the chain of trust between developers, distributors, and end-users is broken."

The OpenSSL project has announceda number of changes to how the project is developed. These includeshutting down the openssl-dev mailing list in favor of discussing allpatches on GitHub and the addition of a new, read-only (for the world)openssl-project list. "We are changing our release schedule so thatunless there are extenuating circumstances, security releases will go outon a Tuesday, with the pre-notification being the previous Tuesday. Wedon’t see a need to have people ready to sacrifice their weekend every timea new CVE comes out."

Here's abrief update from Greg Kroah-Hartman on the kernel's handling of theMeltdown and Spectre vulnerabilities. "This shows that my kernel isproperly mitigating the Meltdown problem by implementing PTI (Page TableIsolation), and that my system is still vulnerable to the Spectre variant1, but is trying really hard to resolve the variant 2, but is not quitethere (because I did not build my kernel with a compiler to properlysupport the retpoline feature)."

Linux’s deadline scheduler is a global early deadline first scheduler forsporadic tasks with constrained deadlines. These terms were defined in the first part of this series. In thisinstallment, the details of the Linux deadline scheduler and how it can beused will be examined.

Security updates have been issued by Arch Linux (bind, irssi, nrpe, perl-xml-libxml, and transmission-cli), CentOS (java-1.8.0-openjdk), Debian (awstats, libgd2, mysql-5.5, rsync, smarty3, and transmission), Fedora (keycloak-httpd-client-install and rootsh), and Red Hat (java-1.7.0-oracle and java-1.8.0-oracle).

Git v2.16.0 is now available. "It is comprised of 509 non-mergecommits since v2.15.0, contributed by 91 people, 26 of which are newfaces." The release notes are included in the link below.

Version 3.0 of theWine Windows emulation layer has been released. "This releaserepresents a year of development effort and over 6,000 individualchanges." Most of the improvements seem to be around Direct3Dgraphics, but it also now possible to package up Wine as an Android app;see the release notes fordetails.

This is the second article of a series discussing various methods ofreducing the size of the Linux kernel to make it suitable for smallenvironments.The first articleprovided a short rationale for this topic, and covered the link-timegarbage collection, also called the ld --gc-sections method. We've seenthat, though it is pretty straightforward, link-time garbage collection hasissues of its own when applied to the kernel, making achieving optimalresults more difficult than it is worth. In this article we'll have a look at what thecompiler itself can do using link-time optimization.

Security updates have been issued by CentOS (linux-firmware and microcode_ctl), Fedora (icecat and transmission), Oracle (java-1.8.0-openjdk and microcode_ctl), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk), Slackware (bind), SUSE (kernel), and Ubuntu (eglibc).

The LWN.net Weekly Edition for January 18, 2018 is available.

Prometheus is a monitoring toolbuilt from scratch by SoundCloud in 2012. It works by pulling metrics frommonitored services and storing them in a time series database (TSDB). Ithas a powerful query language to inspect that database, create alerts, andplot basic graphs. Those graphs can then be used to detect anomalies ortrends for (possibly automated) resource provisioning. Prometheus also hasextensive service discovery features and supports high availabilityconfigurations.That's what the brochure says, anyway; let's see how it works in the handsof an old grumpy system administrator. I'll be drawing comparisonswith Munin and Nagios frequently because those are the tools I haveused for over a decade in monitoring Unix clusters.

Greg Kroah-Hartman has released stable kernels 4.14.14, 4.9.77, 4.4.112, and 3.18.92. All of them contain important fixesand users should upgrade.

Security updates have been issued by Debian (bind9, wordpress, and xbmc), Fedora (awstats, docker, gifsicle, irssi, microcode_ctl, mupdf, nasm, osc, osc-source_validator, and php), Gentoo (newsbeuter, poppler, and rsync), Mageia (gifsicle), Red Hat (linux-firmware and microcode_ctl), Scientific Linux (linux-firmware and microcode_ctl), SUSE (kernel and openssl), and Ubuntu (bind9, eglibc, glibc, and transmission).

Many techniques in software security are complicated and require a deepunderstanding of the internal workings of the computer and the software undertest. Some techniques, though, are conceptually simple and do not rely onknowledge of the underlying software. Fuzzing is a useful example: running aprogram with a wide variety of junk input and seeing if it does anythingabnormal or interesting, like crashing. Though it might seem unsophisticated,fuzzing is extremely helpful in finding the parsing and input processingproblems that are often the beginning of a security vulnerability.

Alison Chaiken looksin detail at how the kernel boots on opensource.com."Besides starting buggy spyware, what function does early bootfirmware serve? The job of a bootloader is to make available to a newlypowered processor the resources it needs to run a general-purpose operatingsystem like Linux. At power-on, there not only is no virtual memory, but noDRAM until its controller is brought up."

The deadline scheduler enables the user to specify a realtime task'srequirements using well-defined realtime abstractions, allowing the system to makethe best scheduling decisions, guaranteeing the scheduling of realtimetasks even in higher-load systems.This article, the first in a series of two, provides an introduction torealtime scheduling (deadline scheduling in particular) and some of the theory behind it.

Security updates have been issued by Debian (ca-certificates, gdk-pixbuf, and graphicsmagick), Fedora (qtpass), openSUSE (python-openpyxl and syncthing), Slackware (kernel), and Ubuntu (gdk-pixbuf).

The 2018 Linux Storage, Filesystem, and Memory-Management Summit will beheld April 23-25 in Park City, Utah. The call for proposals has just goneout with a tight deadline: they need to be received by January 31."LSF/MM is an invitation-only technicalworkshop to map out improvements to the Linux storage, filesystem andmemory management subsystems that will make their way into themainline kernel within the coming years."

While some aspects of the kernel's defenses against the Meltdown andSpectre vulnerabilities were more-or-less in place when the problems weredisclosed on January 3, others were less fully formed. Additionally,many of the mitigations (especially for the two Spectre variants) had notbeen seen in public prior to the disclosure, meaning that there was a lotof scope for discussion once they came out. Many of those discussions areslowing down, and the kernel's initial response has mostly come intofocus. The 4.15 kernel will include a broad set of mitigations, while someothers will have to wait for later; read onfor details on where things stand.

The Linux kernel's generic power domain (genpd) subsystem has beenextended to support active state management of the power domains in the 4.15 development cycle. Power domains weretraditionally used to enable or disable power to a region of a system onchip (SoC) but, with the recent updates, they can control the clock rate oramount of power supplied to that region as well.These changes improve the kernel's ability to run the system's hardware atthe optimal power level for the current workload.<p>Click below (subscribers only) for the full article contributed by VireshKumar.

Security updates have been issued by Arch Linux (qtpass), Debian (libkohana2-php, libxml2, transmission, and xmltooling), Fedora (kernel and qpid-cpp), Gentoo (PolarSSL and xen), Mageia (flash-player-plugin, irssi, kernel, kernel-linus, kernel-tmb, libvorbis, microcode, nvidia-current, php & libgd, poppler, webkit2, and wireshark), openSUSE (gifsicle, glibc, GraphicsMagick, gwenhywfar, ImageMagick, libetpan, mariadb, pngcrush, postgresql94, rsync, tiff, and wireshark), and Oracle (kernel).

The 4.15-rc8 kernel prepatch is out fortesting. Among other things, it includes the "retpoline" mechanismintended to mitigate variant 2 of the Spectre vulnerability. Testingof this change will be hard, though, since it requires a version of GCCthat almost nobody has — watch LWN for a full article in the near future."I'm still hoping that this will be the last rc, despite all the Meltdown and Spectre hoopla. But we will just have tosee, it obviously requires this upcoming week to not come with any hugesurprises."

GnuBee is the brand namefor a line of open hardware boards designed to provideLinux-based network-attached storage. Given the success of thecrowdfunding campaigns for the first two products, the GB-PC1 andGB-PC2(which support 2.5 and 3.5 inch drives respectively), there appears to be amarket for these devices. Given that Linux is quite good at attachingstorage to a network, it seems likely they will perform their core functionmore than adequately. My initial focus when exploring my GB-PC1 is not theperformance but the openness: just how open is it really? The best analogyI can come up with is that of a door with rusty hinges: it can be opened,but doing so requires determination.

Security updates have been issued by Arch Linux (intel-ucode), Debian (gifsicle), Fedora (awstats and kernel), Gentoo (icoutils, pysaml2, and tigervnc), Mageia (dokuwiki and poppler), Oracle (kernel), SUSE (glibc, kernel, microcode_ctl, tiff, and ucode-intel), and Ubuntu (intel-microcode).

Nextcloud has announcedNextcloud Talk, a fully open source video meeting software that is on-premisehosted and end-to-end encrypted. "Nextcloud Talk makes it easier thanever to host a privacy-respecting audio/video communication service forhome users and enterprises. Business users have optional access to theSpreed High Performance Back-end offering enterprise-class scalability,reliability, and features through a Nextcloud subscription. With theeasy-to-use interface, users can engage colleagues, friends, partners orcustomers, working in real time through High Definition (H265 based) audioand video in web meetings and webinars."

Security updates have been issued by Arch Linux (glibc and lib32-glibc), Debian (ming and poco), Fedora (electron-cash, electrum, firefox, heketi, microcode_ctl, and python-jsonrpclib), openSUSE (clamav-database and ucode-intel), Red Hat (flash-plugin), SUSE (OBS toolchain), and Ubuntu (webkit2gtk).

The LWN.net Weekly Edition for January 11, 2018 is available.

A focus on privacy is a key feature being touted by a number of differentprojects these days—from KDE to Tails to Nextcloud. One of thebiggest privacy leaks for most people is their phone, so it is no surprisethat there are projects looking to address that as well. A new entrant inthat category is eelo, which is a non-profitproject aimed at producing not only a phone, but also a suite of webservices. All of that could potentially replace the Google or Apple mothership,which tend to collect as much personal data as possible.

Freedom of the Press Foundation has atribute to James Dolan, who died over the holidays at the age of 36. James worked with Aaron Swartz and journalistKevin Poulsen to build the original prototype of SecureDrop, an open-source whistleblowersubmission system. "He was our first full-time employee at Freedom ofthe Press Foundation, and quickly set out to teach other developers,contributors, and anyone interested in how the system worked. He poured hisheart and soul into the work, traveling to newsrooms around North Americato teach IT staffs and journalists in person how to install and useSecureDrop. He completely reworked the installation process, he pushed usto get independent security audits of the system, and he helped us hire theinitial team that would take over SecureDrop once he was gone." LWN covered a LibrePlanet talk on SecureDrop back in March 2017.(Thanks to Paul Wise)

Greg Kroah-Hartman has released stable kernels 4.14.13, 4.9.76, and 4.4.111. As usual, they all contain importantfixes and users should update.

Security updates have been issued by Debian (awstats, gdk-pixbuf, plexus-utils, and plexus-utils2), Fedora (asterisk, gimp, heimdal, libexif, linux-firmware, mupdf, poppler, thunderbird, webkitgtk4, wireshark, and xrdp), openSUSE (diffoscope, irssi, and qemu), SUSE (java-1_7_0-ibm, kernel-firmware, and qemu), and Ubuntu (irssi, kernel, linux, linux-aws, linux-euclid, linux-kvm, linux-hwe, linux-azure, linux-gcp, linux-oem, linux-lts-trusty, linux-lts-xenial, linux-lts-xenial, linux-aws, linux-raspi2, ruby1.9.1, ruby2.3, and sssd).

Version 0.26 of the notmuch email client/indexer is available with a longlist of new features. "It's now possible to include the cleartext of encrypted e-mails in the notmuch index. This makes it possible to search your encrypted e-mails with the same ease as searching cleartext."

Robert O'Callahan notesan important development in the fight for media codecs without patentissues. "Apple joining the Alliance for Open Media is a really bigdeal. Now all the most powerful tech companies — Google, Microsoft, Apple,Mozilla, Facebook, Amazon, Intel, AMD, ARM, Nvidia — plus content providerslike Netflix and Hulu are on board. I guess there's still no guaranteeApple products will support AV1, but it would seem pointless for Apple tojoin AOM if they're not going to use it: apparently AOM membership obligesApple to provide a royalty-free license to any 'essential patents' it holdsfor AV1 usage."

The Meltdown/Spectre debacle has,deservedly, reached the mainstream press and, likely, most of the public that has even a remote interest in computersand security. It only took a day or so from the accelerated disclosuredate of January 3—it was originally scheduled forJanuary 9—before the bugs were making big headlines. But Spectre has been known for at least sixmonths and Meltdown for nearly as long—at least to some in the industry.Others that were affected were completely blindsided by theannouncements and have joined the scramble to mitigate these hardware bugsbefore they bite users. Whatever else can be said about Meltdown and Spectre,the handling (or, in truth, mishandling) of this whole incident has been ahorrific failure.

The privacy focused Tails distribution has releasedversion 3.4. This released updates the kernel to 4.14.12 to include thelatest Meltdown and Spectre patches. Many other security issues have beenfixed in this release, and users should upgrade.

Polling a set of file descriptors to see which ones can perform I/O withoutblocking is a useful thing to do — so useful that the kernel provides threedifferent system calls (select(),poll(),and epoll_wait()— plus some variants) to perform it. But sometimes three is not enough;there is now a proposal circulating for a fourth kernel polling interface.As is usually the case, the motivation for this change is performance.

Security updates have been issued by Arch Linux (graphicsmagick and linux-lts), CentOS (thunderbird), Debian (kernel, opencv, php5, and php7.0), Fedora (electrum), Gentoo (libXfont), openSUSE (gimp, java-1_7_0-openjdk, and libvorbis), Oracle (thunderbird), Slackware (irssi), SUSE (kernel, kernel-firmware, and kvm), and Ubuntu (awstats, nvidia-graphics-drivers-384, python-pysaml2, and tomcat7, tomcat8).

The disclosure of the Meltdown and Spectrevulnerabilities has brought anew level of attention to the security bugs that can lurk at the hardwarelevel. Massive amounts of work have gone into improving the (still poor)security of our software, but all of that is in vain if the hardware givesaway the game. The CPUs that we run in our systems are highly proprietaryand have been shown to contain unpleasant surprises (the Intel managementengine, for example). It is thus natural to wonder whether it is time tomake a move to open-source hardware, much like we have done with oursoftware. Such a move may well be possible, and it would certainly offersome benefits, but it would be no panacea.

Three years after the last stable release, version 3.0 of the MusEMIDI/Audio sequencer is now available. As you might expect there manychanges since the last release including a switch to Qt5, a new Plugin Patheditor in Global Settings, a mixer makeover with lots of fixes, asystem-wide move to double precision of all audio paths, and much more.

Security updates have been issued by Arch Linux (linux-hardened, linux-lts, linux-zen, and mongodb), Debian (gdk-pixbuf, gifsicle, graphicsmagick, kernel, and poppler), Fedora (dracut, electron-cash, and firefox), Gentoo (backintime, binutils, chromium, emacs, libXcursor, miniupnpc, openssh, optipng, and webkit-gtk), Mageia (kernel, kernel-linus, kernel-tmb, openafs, and python-mistune), openSUSE (clamav-database, ImageMagick, kernel-firmware, nodejs4, and qemu), Red Hat (linux-firmware, ovirt-guest-agent-docker, qemu-kvm-rhev, redhat-virtualization-host, rhev-hypervisor7, rhvm-appliance, thunderbird, and vdsm), Scientific Linux (thunderbird), SUSE (kernel and qemu), and Ubuntu (firefox and poppler).

Linus has released the 4.15-rc7 kernelprepatch. "Ok, we had an interesting week, and by now everybody knows why we weremerging all those odd x86 page table isolation patches withoutfollowing all of the normal release timing rules.But rc7 itself is actually pretty calm. "

Here's anupdate from Greg Kroah-Hartman on the kernel's response to Meltdown andSpectre. "If you rely on any other kernel tree other than 4.4, 4.9, or 4.14 right now, and you do not have a distribution supporting you, you are out of luck. The lack of patches to resolve the Meltdown problem is so minor compared to the hundreds of other known exploits and bugs that your kernel version currently contains. You need to worry about that more than anything else at this moment, and get your systems up to date first.Also, go yell at the people who forced you to run an obsoleted and insecurekernel version, they are the ones that need to learn that doing so is atotally reckless act."

When the Meltdown and Spectre vulnerabilities were disclosed onJanuary 3, attention quickly turned to mitigations. There was alreadya clear defense against Meltdown in the form of kernel page-table isolation (KPTI), but thedefenses against the two Spectre variants had not been developed in public and stilldo not exist in the mainline kernel. Initial versions of proposeddefenses have now been disclosed. The resulting picture shows what hasbeen done to fend off Spectre-based attacks in the near future, but thesituation remains chaotic, to put it lightly.

Robert Haas continues his series on the PostgreSQL VACUUM operation with thissurvey of recent work and unsolved problems. "What is left to bedone? The PostgreSQL development community has made great progress inreducing the degree to which VACUUM performs unnecessary scans of tablepages, but basically no progress at all in avoiding unnecessary scanning ofindex pages. For instance, even a VACUUM which finds no dead row versionswill still scan btree indexes to recycle empty pages."

One of the main concerns about the mitigations for the Meltdown/Spectre speculative execution bugs has been performance. The Google Security Blog is reporting negligible performance impact on Google systems for two of the mitigations (kernel page-table isolation and Retpoline): "In response to the vulnerabilities that were discovered we developed a novel mitigation called “Retpoline” -- a binary modification technique that protects against “branch target injection” attacks. We shared Retpoline with our industry partners and have deployed it on Google’s systems, where we have observed negligible impact on performance.In addition, we have deployed Kernel Page Table Isolation (KPTI) -- a general purpose technique for better protecting sensitive information in memory from other software running on a machine -- to the entire fleet of Google Linux production servers that support all of our products, including Search, Gmail, YouTube, and Google Cloud Platform.There has been speculation that the deployment of KPTI causes significant performance slowdowns. Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance."

Greg Kroah-Hartman has announced the release of the 4.14.12, 4.9.75, and 4.4.110 stable kernels. The bulk of thechanges are either to fix the mitigations for Meltdown/Spectre (in 4.14.12) or to backportthose mitigations (in the two older kernels). There are apparently known (orsuspected) problems with each of the releases, which Kroah-Hartman is hoping to get shaken out inthe near term. For example, the 4.4.110 announcement warns: "But becareful, there have been some reports of problems with this release during the -rc review cycle. Hopefully all of those issues arenow resolved.So please test, as of right now, it should be 'bug compatible' with the'enterprise' kernel releases with regards to the Meltdown bug and propersupport on all virtual platforms (meaning there is still a vdso issuethat might trip up some old binaries, again, please test!)"

Security updates have been issued by Arch Linux (kernel), CentOS (kernel, libvirt, microcode_ctl, and qemu-kvm), Debian (kernel and xen), Fedora (kernel), Mageia (backintime, erlang, and wildmidi), openSUSE (kernel and ucode-intel), Oracle (kernel, libvirt, microcode_ctl, and qemu-kvm), Red Hat (kernel, kernel-rt, libvirt, microcode_ctl, qemu-kvm, and qemu-kvm-rhev), Scientific Linux (libvirt and qemu-kvm), SUSE (kvm and qemu), and Ubuntu (ruby1.9.1, ruby2.0, ruby2.3).

There's lots of material out on the net regarding the just-disclosedprocessor vulnerabilities and their impact on users. Here is a list ofworthwhile stuff we have found.

As might be guessed, a fair number of these updates are for the kernel and microcode changes to mitigate Meltdown and Spectre. More undoubtedly coming over the next weeks.Security updates have been issued by CentOS (kernel, linux-firmware, and microcode_ctl), Debian (imagemagick), Fedora (kernel, libvirt, and python33), Mageia (curl, gdm, gnome-shell, libexif, libxml2, libxml2, perl-XML-LibXML, perl, swftools, and systemd), openSUSE (kernel-firmware), Oracle (kernel), Red Hat (kernel, kernel-rt, linux-firmware, and microcode_ctl), Scientific Linux (kernel, linux-firmware, and microcode_ctl), SUSE (ImageMagick, java-1_7_0-openjdk, kernel, kernel-firmware, microcode_ctl, qemu, and ucode-intel), and Ubuntu (apport, dnsmasq, and webkit2gtk).

The LWN.net Weekly Edition for January 4, 2018 is available.