Version 1.9 of the Go language has been released. "The most important change to the language is the introduction of type aliases: a feature created to support gradual code repair." See the release notes for details.
Security updates have been issued by Fedora (taglib), Mageia (augeas, gstreamer1.0, perltidy, thunderbird, unrar, and xmlsec1), openSUSE (GraphicsMagick), and Oracle (kernel and thunderbird).
Greg Kroah-Hartman has announced the release of the 4.12.9, 4.9.45, 4.4.84, and 3.18.67 stable kernels. As usual, they contain fixes throughout the tree and users should upgrade.
Over at Opensource.com, Heather Meeker, a lawyer who specializes in open-source licensing, published a lengthy FAQ on the GPL enforcement efforts of netfilter developer Patrick McHardy. In it, Meeker looks at how much code McHardy has contributed, specifics of the German legal system that may make it attractive to copyright trolling (or profiteering), and steps that companies and others can take to oppose these kinds of efforts. "Copyright ownership in large projects such as the Linux kernel is complicated. It’s like a patchwork quilt. When developers contribute to the kernel, they don’t sign any contribution agreement or assignment of copyright. The GPL covers their contributions, and the recipient of a copy of the software gets a license, under GPL, directly from all the authors. (The kernel project uses a document called a Developer Certificate of Origin, which does not grant any copyright license.) The contributors’ individual rights exist side-by-side with rights in the project as a whole. So, an author like McHardy would generally own the copyright in the contributions he created, but not in the whole kernel."
As of this writing, the 4.13 kernel appears headed toward release on September 3, after a nine-week development cycle. It must, therefore, be about time for a look at the statistics for this development cycle. The picture that results shows a fairly typical kernel cycle with, as usual, few surprises.
Security updates have been issued by Arch Linux (salt and thunderbird), Debian (aodh), Fedora (kernel and nginx), Mageia (apache, graphicsmagick, kernel-tmb, and openjpeg2), Red Hat (bind and thunderbird), Scientific Linux (thunderbird), and Ubuntu (python-pysaml2).
SUSE has let it be known that it plans to continue developing and supporting the Btrfs filesystem, regardless of what other distributors do. "If one of the rather small contributors to the btrfs filesystem announced to not support btrfs for production systems: should you wonder, whether SUSE, strongest contributor to btrfs today, would stop investing into btrfs? You probably shouldn’t. SUSE is committed to btrfs as the default filesystem for SUSE Linux Enterprise, and beyond."
Deficiencies in the startup time for Python, along with the collections.namedtuple() data structure being identified as part of the problem, led Guido van Rossum to decree that named tuples should be optimized. That immediately set off a mini-storm of thoughts about the data structure and how it might be redesigned in the original python-dev thread, but Van Rossum directed participants over to python-ideas, where a number of alternatives were discussed. They ranged from straightforward tweaks to address the most pressing performance problems to elevating named tuples to be a new top-level data structure—joining regular tuples, lists, sets, dictionaries, and so on.
At DebConf17, John Sullivan, the executive director of the FSF, gave a talk on the supposed decline of the use of copyleft licenses in free-software projects. In his presentation, Sullivan questioned the notion that permissive licenses, like the BSD or MIT licenses, are gaining ground at the expense of the traditionally dominant copyleft licenses from the FSF. While there does seem to be a rise in the use of permissive licenses, in general, there are several possible explanations for the phenomenon.
The D-Bus Broker Project is an effort to rethink the D-Bus message bus and produce an implementation that addresses many of its longstanding problems; this project has now made its first public release. "Its aim is to provide high performance and reliability, while keeping compatibility to the D-Bus reference implementation. It is exclusively written for linux systems, and makes use of many modern features provided by recent linux kernel releases." See this post for an introduction to the project, or the GitHub page for source. This is a purely user-space implementation.
Security updates have been issued by Arch Linux (curl), Debian (libxml2 and smb4k), Fedora (kernel and xen), Red Hat (ansible and java-1.6.0-ibm), and SUSE (firefox, freerdp, GraphicsMagick, postgresql93, and samba).
The persistent-memory arrays we're told we'll all be able to get someday promise high-speed, byte-addressable storage in massive quantities. The Linux kernel community has been working to support this technology fully for a few years now, but there is one problem lacking a proper solution: allowing direct writes to persistent memory that is managed by a filesystem. None of the proposed solutions have yet made it into the mainline, but that hasn't stopped developers from trying; now two new patch sets addressing this issue are under consideration.
The release of the 2017 version of TeX Live had plenty of incremental improvements for the TeX computer typesetting system and the myriad of tools that go with it. One of the more significant changes, though, was the release of the 1.0.4 version of LuaTeX, which allows users to embed Lua programs into their TeX documents. That ability allows creating non-standard and unusual typesetting effects much more easily than it would be with TeX itself. Guest author Lee Phillips gives an overview of LuaTeX and shows some of the things that can be accomplished using it.
Version 3.6.0 of the GnuTls TLS library is out. For details on this release, see this overview. "In short, this release introduces a new lock-free random generator and adds new TLS extensions shared by both TLS 1.2 and 1.3, such as Finite Field Diffie Hellman negotiation, Ed25519 and RSA-PSS signatures. These additions modernize the current TLS 1.2 support and pave the way for TLS 1.3 support in the library. Furthermore, tlsfuzzer is introduced in our continuous integration test suite. Tlsfuzzer, is a meticulous TLS test suite, which tests the behavior of the implementation on various corner (and not) cases, and acts complementary to the internal GnuTLS test suite and its unit testing."
Oracle has announced that it is considering stepping back from management of the Java Enterprise Edition. "We are discussing how we can improve the Java EE development process following the delivery of Java EE 8. We believe that moving Java EE technologies including reference implementations and test compatibility kit to an open source foundation may be the right next step, in order to adopt more agile processes, implement more flexible licensing, and change the governance process. We plan on exploring this possibility with the community, our licensees and several candidate foundations to see if we can move Java EE forward in this direction."
The first stop in the search for a free accounting system that can replace QuickBooks is a familiar waypoint: the GnuCash application. GnuCash has been around for many years and is known primarily as a personal-finance tool, but it has acquired some business features as well. The question is: are those business features solid enough to allow the program to serve as a replacement for QuickBooks?
The registration for the NetDev 2.2 networking conference is now open. It will be held in Seoul, Korea November 8-10. As usual, it will be preceded by the invitation-only Netconf for core kernel networking hackers. "Netdev 2.2 is a community-driven conference geared towards Linux netheads. Linux kernel networking and user space utilization of the interfaces to the Linux kernel networking subsystem are the focus. If you are using Linux as a boot system for proprietary networking, then this conference _may not be for you_." LWN covered these conferences in 2016 and earlier this year; with luck, we will cover these upcoming conferences as well.
Gentoo has long provided a hardened kernel package, but that is coming to an end. "As you may know the core of sys-kernel/hardened-sources has been the grsecurity patches. Recently the grsecurity developers have decided to limit access to these patches. As a result, the Gentoo Hardened team is unable to ensure a regular patching schedule and therefore the security of the users of these kernel sources. Thus, we will be masking hardened-sources on the 27th of August and will proceed to remove them from the package repository by the end of September."
The 4.13-rc6 kernel prepatch is out. "So everything still looks on target for a normal release schedule, which would imply rc7 next weekend, and then the final 4.13 the week after that. Unless something happens, of course. Tomorrow is the solar eclipse, and maybe it brings doom and gloom even beyond the expected Oregon trafficalypse. You never know."
Power-efficient workqueues were first introduced in the 3.11 kernel release; since then, fifty or so subsystems and drivers have been updated to use them. These workqueues can be especially useful on handheld devices (like tablets and smartphones), where power is at a premium. ARM platforms with power-efficient workqueues enabled on Ubuntu and Android have shown significant improvements in energy consumption (up to 15% for some use cases).
Security updates have been issued by Debian (kernel and libmspack), Fedora (groovy18 and nasm), openSUSE (curl, java-1_8_0-openjdk, libplist, shutter, and thunderbird), Oracle (git, groovy, kernel, and mercurial), Red Hat (rh-git29-git), SUSE (openvswitch), and Ubuntu (c-ares, clamav, firefox, libmspack, and openjdk-7).
Security updates have been issued by CentOS (git), Debian (firefox-esr and mariadb-10.0), Gentoo (bind and tnef), Mageia (kauth, kdelibs4, poppler, subversion, and vim), openSUSE (fossil, git, libheimdal, libxml2, minicom, nodejs4, nodejs6, openjpeg2, openldap2, potrace, subversion, and taglib), Oracle (git and kernel), Red Hat (git, groovy, httpd24-httpd, and mercurial), Scientific Linux (git), and SUSE (freeradius-server, ImageMagick, and subversion).
A bug that allows an attacker to overwrite a function pointer in the kernel opens up a relatively easy way to compromise the kernel—doubly so, if an attacker simply needs to wait for the kernel to use the compromised pointer. There are various techniques that can be used to protect kernel function pointers that are set at either compile or initialization time, but there are some pointers that are routinely set as the kernel runs; timer completion functions are a good example. An RFC patch posted to the kernel-hardening mailing list would add a way to detect that those function pointers have been changed in an unexpected way and to stop the kernel from executing that code.
Earlier this month we reported that the Krita Foundation was having some financial difficulties. The Krita Foundation has an update with thanks to all who donated. "So, even though we’re going to get another accountant’s bill of about 4500 euros, we’ve still got quite a surplus! As of this moment, we have €29,657.44 in our savings account! That means that we don’t need to do a fund raiser in September. Like we said, we’ve still got some features to finish."
The startup time for the Python interpreter has been discussed by the core developers and others numerous times over the years; optimization efforts are made periodically as well. Startup time can dominate the execution time of command-line programs written in Python, especially if they import a lot of other modules. Python startup time is worse than some other scripting languages and more recent versions of the language are taking more than twice as long to start up when compared to earlier versions (e.g. 3.7 versus 2.7). The most recent iteration of the startup time discussion has played out in the python-dev and python-ideas mailing lists since mid-July. This time, the focus has been on the collections.namedtuple() data structure that is used in multiple places throughout the standard library and in other Python modules, but the discussion has been more wide-ranging than simply that.
Security updates have been issued by CentOS (firefox, httpd, and java-1.7.0-openjdk), Fedora (cups-filters, potrace, and qpdf), Mageia (libsoup and mingw32-nsis), openSUSE (kernel), Oracle (httpd, kernel, spice, and subversion), Red Hat (httpd, java-1.7.1-ibm, and subversion), Scientific Linux (httpd), Slackware (xorg), SUSE (java-1_8_0-openjdk), and Ubuntu (firefox, linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux-lts-xenial, postgresql-9.3, postgresql-9.5, postgresql-9.6, and ubufox).
The Solus distribution project has announced the availability of Solus 3. "This is the third iteration of Solus since our move to become a rolling release operating system. Unlike the previous iterations, however, this is a release and not a snapshot. We’ve now moved away from the 'regular snapshot' model to accommodate the best hybrid approach possible - feature rich releases with explicit goals and technology enabling, along with the benefits of a curated rolling release operating system." Headline features include support for the Snap packaging format, a lot of desktop changes, and numerous software updates. (LWN looked at Solus in 2016).
The GNOME project was founded by Miguel de Icaza and Federico Mena Quintero on August 15, 1997, so today the project celebrates its 20th birthday. "There have been 33 stable releases since the initial release of GNOME 1.0 in 1999. The latest stable release, GNOME 3.24 “Portland,” was well-received. “Portland” included exciting new features like the GNOME Recipes application and Night Light, which helps users avoid eyestrain. The upcoming version of GNOME 3.26 “Manchester,” is scheduled for release in September of this year. With over 6,000 contributors, and 8 million lines of code, the GNOME Project continues to thrive in its twentieth year."
Distributions like Debian have a clear policy on the software they ship; as a general rule, only free software can be considered for inclusion. How that policy should be applied to software that interacts with proprietary systems is not entirely clear, though. A recent discussion on a package that interfaces with a proprietary network service seems unlikely to lead to any changes in policy, but it does highlight a fault line within the Debian community.
Security updates have been issued by Arch Linux (audiofile, git, jdk7-openjdk, libytnef, mercurial, spice, strongswan, subversion, and xorg-server), Debian (gajim, krb5, and libraw), Fedora (kernel, postgresql, sscep, subversion, and varnish), Mageia (firefox, phpldapadmin, and x11-server), Red Hat (kernel and spice), SUSE (subversion), and Ubuntu (libgd2).
Lars Wirzenius announces that he is ending development of the Obnam backup system. "After some careful thought, I fear that the maintainability problems of Obnam can realistically only be solved by a complete rewrite from scratch, and I'm not up to doing that. If you use Obnam, you should migrate to some other backup solution. Don't worry, you have until the end of the year. I will be around and I intend to fix any serious bugs in Obnam; in particular, security flaws. But you should start looking for a replacement sooner rather than later." LWN looked at Obnam in 2012.
While the best way to avoid performance problems associated with page faults is usually to avoid faulting altogether, that is not always an option. Thus, it is important that the kernel handle page faults with a minimum of overhead. One particular pain point in current kernels comes about in multi-threaded workloads that are all incurring faults in the same address space. Speculative page-fault handling is an old idea for improving the scalability of such workloads that may finally be approaching a point where it can be considered for inclusion.
The 4.13-rc5 kernel prepatch is available, right on schedule. "Go forth and test, and everything says that we'll get 4.13 out in our usual timely manner."
Emmanuele Bassi writes about the mismatch between the traditional distribution packaging model and what the world seems to actually want. "The more I think about it, the less I understand how that ever worked in the first place. It is not a mystery, though, why it’s a dying model. When I say that 'nobody develops applications like the Linux distributions encourages and prefers' I’m not kidding around: Windows, macOS, iOS, Electron, and Android application developers are heavily based on the concept of a core set of OS services; a parallel installable blocks of system dependencies shipped and retired by the OS vendor; and a bundling system that allows application developers to provide their own dependencies, and control them."
It turns out that even rather different source-code management systems can have similar vulnerabilities. This can be seen in the Git v2.14.1, Mercurial 4.3, and Subversion 1.9.7 releases (plus updates of older releases). In each case, it's possible to provide a malicious repository URL that ends up executing code; these URLs can be buried out of sight in existing repositories. Updating would be a good idea, regardless of which system you use.
The kernel's development community is large, to the point that it is often far from obvious who a given patch should be sent to. As the community has grown, it has developed mechanisms for tracking that information centered on a text file called MAINTAINERS. But now it would appear that this scalability mechanism has scalability problems of its own.
Security updates have been issued by Debian (firefox-esr), Fedora (cacti, community-mysql, and pspp), Mageia (varnish), openSUSE (mariadb, nasm, pspp, and rubygem-rubyzip), Oracle (evince, freeradius, golang, java-1.7.0-openjdk, log4j, NetworkManager and libnl3, pki-core, qemu-kvm, and X.org), Red Hat (flash-plugin), and Slackware (curl and mozilla).
Device trees have become, in a relatively short time, the preferred way to inform the kernel of the available hardware on systems where that hardware is not discoverable — most ARM systems, among others. In short, a device tree is a textual description of a system's hardware that is compiled to a simple binary format and passed to the kernel by the bootloader. The source format for device trees has been established for a long time — longer than Linux has been using it. Perhaps it's time for a change, but a proposal for a new device-tree source format has generated a fair amount of controversy in the small corner of the community that concerns itself with such things.
Fedora 24 reached its end of life on August 8. There will be no more updates, including security updates. Please refer to this page for information about upgrades.
OSGeo-Live is a live DVD/USB/VM distribution that includes a variety of open-source geospatial software. Version 11.0 is "a major reboot, with a refocus on leading applications and emphasis on quality over quantity. Less mature parts of the projects have been dropped with a targeted focus placed on upgrading and improving documentation."