At the 2016 Python Language Summit, Larry Hastings introduced Gilectomy, his project to remove the global interpreter lock (GIL) from CPython. The GIL serializes access to the Python interpreter, so it severely limits the performance of multi-threaded Python programs. At the 2017 summit, Hastings was back to update attendees on the progress he has made and where Gilectomy is headed.
In a brief session at the 2017 Python Language Summit, Maciej Szulik gave an update on the state and plans for bugs.python.org (bpo). It is the Roundup-based bug tracker for Python; moving to GitHub has not changed that. He described the work that two Google Summer of Code (GSoC) students have done to improve the bug tracker.
As part of a discussion in 2014 about where to host some of the Python repositories, Brett Cannon was delegated the task of determining where they should end up. In early 2016, he decided that Python's code and other repositories (e.g. PEPs) should land at GitHub; at last year's language summit, he gave an overview of where things stood with a few repositories that had made the conversion. Since that time, the CPython repository has made the switch and he wanted to discuss some of the workflow issues surrounding that move at this year's summit.
The Samba Team has issued an advisory regarding CVE-2017-7494: "All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it." Distributors are already shipping the fix; there's also a workaround in the advisory for those who cannot update immediately.
Your operating system generates a lot of run-time data and statistics that are useful for monitoring system security and performance. How you get this information depends on the operating system you're running. It could be from a report in a fancy GUI, or obtained via a specialized API, or simply text values read from the filesystem in the case of Linux and /proc. However, imagine if you could get this data via an SQL query, and obtain the output as a database table or JSON object. This is exactly what osquery lets you do on Linux, macOS, and Windows.
Check Point has issued an advisory that a number of video-player applications can be compromised via specially crafted subtitles. "By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years."
Ned Deily, release manager for the Python 3.6 and 3.7 series, opened up the 2017 edition of the Python Language Summit with a look at the release process and where things stand. It was an "abbreviated update" to his talk at last year's summit, he said. He looked to the future for 3.6 and 3.7, but also looked a bit beyond those two. This is the start of LWN's coverage of the language summit; look for more articles over the next week or so.
Security updates have been issued by CentOS (libtirpc and rpcbind), Debian (libtasn1-3, libtasn1-6, and samba), Fedora (FlightGear, openvpn, and python-fedora), openSUSE (libtirpc and libxslt), Oracle (libtirpc and rpcbind), Red Hat (samba, samba3x, and samba4), Scientific Linux (samba and samba4), SUSE (java-1_7_0-ibm, java-1_7_1-ibm, java-1_8_0-ibm, samba, and tomcat), and Ubuntu (jbig2dec, miniupnpc, rtmpdump, and samba).
The kernel has, over the years, gained comprehensive support for containers; that, in turn, has helped to drive the rapid growth of a number of containerization systems. Interestingly, though, the kernel itself has no concept of what a container is; it just provides a number of facilities that can be used in the creation of containers in user space. David Howells is trying to change that state of affairs with a patch set adding containers as a first-class kernel object, but the idea is proving to be a hard sell in the kernel community.
The Document Foundation looks at the progress made in improving the quality and reliability of LibreOffice's source code by using Google's OSS-Fuzz. "Developers have used the continuous and automated fuzzing process, which often catches issues just hours after they appear in the upstream code repository, to solve bugs - and potential security issues - before the next binary release. LibreOffice is the first free office suite in the marketplace to leverage Google's OSS-Fuzz. The service, which is associated with other source code scanning tools such as Coverity, has been integrated into LibreOffice's security processes - under Red Hat's leadership - to significantly improve the quality of the source code."
Security updates have been issued by Arch Linux (lynis), CentOS (kdelibs, libtirpc, rpcbind, and samba), Debian (miniupnpc), Fedora (chromium, chromium-native_client, and kernel), Oracle (kdelibs and samba), Red Hat (libtirpc and rpcbind), and Scientific Linux (kdelibs, libtirpc, rpcbind, and samba).
GNU Guix and GuixSD 0.13.0 have been released. GNU Guix is a transactional package manager for the GNU system and the Guix System Distribution, GuixSD, is an advanced distribution of the GNU system. A couple of highlights in this version: Guix can now be used on aarch64 systems, and GuixSD now supports Btrfs and adds the LXDE desktop as an option. See the announcement for more information.
FreeBSD has released its status report for the first quarter of 2017. As usual there are reports from the FreeBSD Core Team, the FreeBSD Foundation, the FreeBSD Ports Collection, and the FreeBSD Release Engineering Team, followed by more information about ongoing projects, and more.
Security updates have been issued by Arch Linux (fop), Debian (dropbear, icu, and openjdk-7), Fedora (chicken, cinnamon-settings-daemon, jbig2dec, libtirpc, sane-backends, and smb4k), Mageia (flash-player-plugin, vlc, and webmin), Oracle (libtirpc and rpcbind), Red Hat (kdelibs, libtirpc, rpcbind, and samba), and SUSE (kernel).
The Debian-based Parsix distribution has announced that it will be shutting down six months after the Debian "Stretch" release. "Parsix GNU/Linux 8.15 (Nev) will be fully supported during this time and users should be able to upgrade their installations to Debian Stretch without any significant issues. We will make all necessary changes, and updates to ensure a smooth transition to Debian Stretch."
The 4.12-rc2 kernel prepatch is out. "I'm back on the usual Sunday schedule, and everything else looks fairly normal too. This rc2 is maybe a bit bigger than usual, but the whole merge window was bigger than most, so maybe it's just that. And it's not like it's huge".
The 4.11.2, 4.10.17, 4.9.29, 4.4.69, and 3.18.54 stable kernel updates have all been released with the usual set of important fixes. Note that this is the final update for the 4.10 kernel.
Back in 2014, the revelation that the kernel's memory-management subsystem would not allow relatively small allocation requests to fail created a bit of a stir. The discussion has settled down since then, but the "too small to fail" rule still clearly creates a certain amount of confusion in the kernel community, as is evidenced by a recent discussion inspired by the 4.12 merge window. It would appear that the rule remains in effect, but developers are asked to act as if it did not.
The CoreOS Blog introduces the first beta release, v0.0.1, of zetcd. "Distributed systems commonly rely on a distributed consensus to coordinate work. Usually the systems providing distributed consensus guarantee information is delivered in order and never suffer split-brain conflicts. The usefulness, but rich design space, of such systems is evident by the proliferation of implementations; projects such as chubby, ZooKeeper, etcd, and consul, despite differing in philosophy and protocol, all focus on serving similar basic key-value primitives for distributed consensus. As part of making etcd the most appealing foundation for distributed systems, the etcd team developed a new proxy, zetcd, to serve ZooKeeper requests with an unmodified etcd cluster."
Security updates have been issued by Debian (deluge, jbig2dec, mysql-connector-java, and nss), Fedora (jasper), Mageia (mhonarc and radicale), openSUSE (smb4k), SUSE (kdelibs4 and rpcbind), and Ubuntu (jasper and openjdk-7).
Among the many features merged for the 4.11 kernel was the "shared memory communications over RDMA" (SMC-R) protocol from IBM. SMC-R is a high-speed data-center communications protocol that is claimed to be much more efficient than basic TCP sockets. As it turns out, though, the merging of this code was a surprise — and an unpleasant one at that — to a relevant segment of the kernel development community. This issue and the difficulties in resolving it are an indicator of how the increasingly fast-paced kernel development community can go off track.
Security updates have been issued by Debian (shadow), Fedora (rpcbind), Gentoo (gst-plugins-bad and tomcat), Red Hat (ansible and openshift-ansible, openstack-heat, and Red Hat OpenStack Platform director), and Ubuntu (bash, FreeType, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, and linux-lts-xenial).
The Android Developers blog looks at the latest Android O Developer Preview, which is now in public beta. The developer preview also contains an early version of a project called Android Go which is built specifically for Android devices that have 1GB or less of memory.
On April 29, Al Viro posted a patch on the linux-api mailing list adding a new flag to be used in conjunction with the ...at() family of system calls. The flag is for containing pathname resolution to the same filesystem and subtree as the given starting point. This is a useful feature to have for implementing file I/O in programs that accept pathnames as untrusted user input. The ensuing discussion made it clear that there were multiple use cases for such a feature, especially if the granularity of its restrictions could be increased.
In November 2016, a new networking feature, IPv6 segment routing (also known as "IPv6 SR" or "SRv6"), was merged into net-next and subsequently included in Linux 4.10. In this article, we explain this new feature, describe key elements of its implementation, and present a few performance measurements.
A virulent ransomware worm attacked a wide swath of Windows machines worldwide in mid-May. The malware, known as Wcry, Wanna, or WannaCry, infected a number of systems at high-profile organizations as well as striking at critical pieces of the infrastructure—like hospitals, banks, and train stations. While the threat seems to have largely abated—for now—the origin of some of its code, which is apparently the US National Security Agency (NSA), should give one pause.
SUSE sponsored maintenance of openSUSE Leap 42.1 has ended. "The currently maintained stable release is openSUSE Leap 42.2, which will be maintained until the Q2/2018."
Security updates have been issued by Arch Linux (libplist), Debian (mysql-connector-java), Fedora (jasper, kdelibs, lxterminal, menu-cache, pcmanfm, and postgresql), openSUSE (qemu), Slackware (freetype and kdelibs), SUSE (ghostscript-library, libtirpc, and mariadb), and Ubuntu (ghostscript, kernel, linux, linux-raspi2, linux-hwe, openjdk-7, qemu, shadow, and thunderbird).
For some years now, your editor has heard glowing reviews of Mosh — the "mobile shell" — as a replacement for SSH. The Mosh developers make a number of claims about its reconnection ability, performance, and security; at least some of those are relatively easily testable. After a bit of moshing, a few clear conclusions have come to the fore.
The Linux Test Project test-suite stable release for May 2017 is available. Several new tests have been added and many tests have been cleaned up and fixed. The latest version of the test-suite contains 3000+ tests.
It seems that system administrators will never shake the need for backups, even when they shove everything into the cloud. At the OpenStack Summit in Boston last week, a session by Ghanshyam Mann and Abhinav Agrawal of NEC laid out the requirements for backing up data and metadata in OpenStack—with principles that apply to any virtualization or cloud deployment.
Security updates have been issued by CentOS (ghostscript and jasper), Debian (deluge, jbig2dec, and openvpn), Fedora (kf5-kauth), openSUSE (graphite2, kauth, kdelibs4, roundcubemail, rzip, thunderbird, and tomcat), Oracle (kernel), Red Hat (kernel), SUSE (kernel), and Ubuntu (libytnef).
The GNOME project has, after a period of contemplation, put forward a proposal to move to a GitLab installation on GNOME's infrastructure. "We are confident that GitLab is a good choice for GNOME, and we can’t wait for GNOME to modernise our developer experience with it. It will provide us with vastly more effective tools, an easier landing for newcomers, and lots of opportunities to improve the way that we work. We're ready to start working on the migration." This wiki page describes the idea in detail.
The OMG! Ubuntu! site reports that the "guest session" functionality enabled by default on Ubuntu desktops fails to actually confine the guest account. "If you’re running a fully up-to-date system you do not need to panic. Canonical has already pushed out an update that temporarily disables Ubuntu guest session logins (so if you noticed it was missing, that’s why)." See the bug report for details on this issue, which was reported in February.
The Ardour audio editor project has announced the 5.9 release. "Ardour 5.9 is now available, representing several months of development that spans some new features and many improvements and fixes. Among other things, some significant optimizations were made to redraw performance on OS X/macOS that may be apparent if you are using Ardour on that platform. There were further improvements to tempo and MIDI related features and lots of small improvements to state serialization. Support for the Presonus Faderport 8 control surface was added."
Richard Brown follows up on openSUSE's security breach that caused service shutdowns last Friday. "We're pleased to be able to report that after an extensive review and audit of the systems involved we are confident that nothing was compromised and all of our code and personal information housed within was adequately protected throughout. Therefore all of the systems that were shut down are now back online."
Quartz looks at recent developments in the Artifex v. Hancom case. Artifex makes Ghostscript, an open-source (GPL) PDF interpreter. Hancom used Ghostscript in its Hancom Office product and did not abide by the license, so Artifex sued Hancom. "The enforceability of open source licenses like the GNU GPL has long been an open legal question. The Federal Circuit Court of Appeals held in a 2006 case, Jacobsen v. Katzer, that violations of open source licenses could be treated like copyright claims. But whether they could legally be considered breaches of contract had yet to be determined, until the issue came up in Artifex v. Hancom. That happened when Hancom issued a motion to dismiss the case on the grounds that the company didn’t sign anything, so the license wasn’t a real contract." Judge Jacqueline Scott Corley disagreed with Hancom and said: "These allegations sufficiently plead the existence of a contract." (Thanks to Paul Wise)
OpenHatch is a project that has been running education events and maintaining free learning tools to help people get involved in collaborative software development since 2009. Now Asheesh Laroia, President of the organization, has announced that the organization is winding down. "OpenHatch was one part of a broader movement around improving diversity and inclusion in free software and software generally. As Mike [Linksvayer], Deb [Nicholson], and I wind down this one organization, we’re heartened by those who push the movement forward." Donations have been canceled and the remaining money will be used to gracefully shut down the organization. Anything left after that will be donated to Outreachy. OpenHatch software and websites will be moved to static website hosting.
Security updates have been issued by Arch Linux (git, lxc, openvpn, and zziplib), Debian (bind9, bitlbee, postgresql-9.4, rtmpdump, sane-backends, and squirrelmail), Fedora (ghostscript, git, kdelibs, kf5-kauth, libplist, libreoffice, openvpn, php-horde-ingo, qemu, radicale, rpcbind, and xen), and Ubuntu (git and kde4libs).
Linus Torvalds released the 4.12-rc1 prepatch and closed the merge window on May 13 — a move that may have surprised maintainers who were waiting until the last day to get their final pull requests in. Let that be a lesson to all: one should not expect to have pull requests honored on Mother's Day. Below is a summary of the changes merged since the May 10 merge-window summary.
Linus has released the 4.12-rc1 prepatch and closed the merge window one day earlier than some might have expected. "Despite it being fairly large, it has (so far) been pretty smooth. I don't think I personally saw any breakage at all, which is always nice. Usually I end up having something break, or trigger some silly build failure that really should have been noticed before it even got to me, but so far things are looking good. Famous last words."
The Android Developers Blog carries an announcement for an upcoming feature called "Treble", which looks like a separate, guaranteed stable interface for device drivers. "The core concept is to separate the vendor implementation - the device-specific, lower-level software written in large part by the silicon manufacturers - from the Android OS Framework. This is achieved by the introduction of a new vendor interface between the Android OS framework and the vendor implementation." Details are scarce, and there is no information on how this might fit into the part of the "Android OS framework" that many of us think of as "the Linux kernel".
The openSUSE project has announced that its authentication system has been breached and a number of services have been shut down or put into read-only mode. "This includes the openSUSE OBS, wiki, and forums. The scope and impact of the breach is not yet fully clear. The disabling of authentication is to ensure the protection of our systems and user data while the situation is fully investigated. Based on the information available at this time, there is a possibility that the breach is limited to users of non-openSUSE infrastructure that shares the same authentication system." There does not appear to be reason to worry that the download infrastructure has been compromised.
Security updates have been issued by Debian (kde4libs), Fedora (elfutils, libplist, mediawiki, and xen), Red Hat (chromium-browser and ghostscript), Scientific Linux (ghostscript), SUSE (kernel and MozillaFirefox, mozilla-nss, mozilla-nspr, java-1_8_0-openjdk), and Ubuntu (firefox, lightdm, openjdk-8, and openvpn).
On his blog, Mahmoud Hashemi has an in-depth look at Python packaging, but much of it is applicable to packaging software in any language. "Python was designed to be cross-platform and runs in countless environments. But don't take this to mean that Python's built-in tools will carry you anywhere you want to go. I can write a mobile app in Python, does it make sense to install it on my phone with pip? As you'll see, a language's built-in tools only scratch the surface. So, one by one, I'm going to describe some code you want to ship, followed by the simplest acceptable packaging process that provides that repeatable deployment process we crave." (Thanks to Paul Wise.)