Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-09-13 22:30
Intel's AMT remote vulnerability
The fears of vulnerabilities lurking in Intel's "management engine" technology have just shown some validity: Intel has announced a remotely exploitable vulnerability in its "active management technology" engine. "There is an escalation of privilege vulnerability in Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology versions firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs." See Matthew Garrett's writeup for a more comprehensible summary of what is known at this time.
Ubuntu 12.04 (Precise Pangolin) End of Life
Support for Ubuntu 12.04 (Precise Pangolin) is at an end. There will be no more updates as of April 28, 2017. "The supported upgrade path from Ubuntu 12.04 is via Ubuntu 14.04. Users are encouraged to evaluate and upgrade to our latest 16.04 LTS release via 14.04."
Stable kernels 4.4.65 and 3.18.51
Stable kernels 4.4.65 and 3.18.51 have been released. Both of them contain important fixes and users should upgrade.
Security updates for Monday
Security updates have been issued by Arch Linux (bind, curl, and dovecot), Debian (batik, fop, freetype, kedpm, libpodofo, libsndfile, libxstream-java, partclone, and tomcat7), Fedora (ansible, community-mysql, java-1.8.0-openjdk, and yara), Mageia (java-1.8.0-openjdk and xstream), openSUSE (libosip2 and ruby2.1), Oracle (kernel and nss), and SUSE (ghostscript, kvm, and mysql).
Rockbox 3.14 released
Rockbox is a replacement firmware for a number of digital audio players. The project seemed to have faded away along with much of the audio-player market in general, but Rockbox is now back with the release of version 3.14. "Over 4 years have passed since the last release, and in that time we've been busy adding features and fixing bugs to give you the best Rockbox experience yet on the widest range of targets ever." Support for a number of devices has been added, performance and battery life have been improved, and a number of features have been added; see the announcement for details.
The 4.11 kernel has been released
The 4.11 kernel has been released. "So after that extra week with an rc8, things were pretty calm, and I'm much happier releasing a final 4.11 now." Some headline features in 4.11 include: a new perf ftrace command restarting the work of better integrating the perf and ftrace subsystems, I/O scheduling support for the multiqueue block subsystem, journaling for device-mapper RAID 4/5/6 volumes, SipHash support, some swapping scalability improvements, a new LZ4 compression implementation, the new statx() system call, and more. As always, see the KernelNewbies 4.11 page for lots of details.
F-Droid’s Android App Finally Gets a UI Makeover (xda developers)
Xda developers looks at improvements coming to the F-Droid repository of free/open source apps for Android. The next version of F-Droid will have screenshot and feature graphics, bulk download and install, improved notifications for downloads and pending updates, and the ability to translate apps metadata. "F-Droid is conducting further field tests to ensure that usability issues with the new design are identified and resolved before the alpha releases for v0.103 is rolled out to the public. The team is also inviting feedback and suggestions to further improve the client. Additionally, the team mentions that this is one of the many improvements happening to the broader F-Droid ecosystem in 2017, and there’s more to come."
Security updates for Friday
Security updates have been issued by Arch Linux (jenkins, libtiff, and webkit2gtk), Debian (ghostscript, kernel, and libreoffice), Fedora (dovecot, kernel, and tomcat), Mageia (firefox and tomcat), openSUSE (backintime and ffmpeg), and Ubuntu (ghostscript, libxslt, and nss).
Bits from the Debian Release Team: release update
The Debian release team has a few words about the upcoming Debian 9 "stretch" release. "At a recent team meeting, we decided that support for Secure Boot in the forthcoming Debian 9 "stretch" would no longer be a blocker to release. The likely, although not certain outcome is that stretch will not have Secure Boot support." If stretch does not release with Secure Boot support, it is possible that it will be introduced later. Other than that, the number of Release Critical bugs continues to drop and the team is considering the arrangements for the stretch release.
Tor 0.3.0.6 is released: a new series is stable
Tor 0.3.0.6, the first stable release of the Tor 0.3.0 series, is available. "With the 0.3.0 series, clients and relays now use Ed25519 keys to authenticate their link connections to relays, rather than the old RSA1024 keys that they used before. (Circuit crypto has been Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced the guard selection and replacement algorithm to behave more robustly in the presence of unreliable networks, and to resist guard-capture attacks."
[$] An alternative TTY layer
The Linux kernel is highly scalable but, while it runs nicely on the world's largest computers, it is not an entirely comfortable fit on the smallest. The difficulties involved in running Linux on machines with 1MB or less of memory have left an opening for other operating systems, such as Zephyr, with lower memory needs. Some developers have not given up on scaling Linux to the smallest computers, but the approaches they have to take have always been a bit of a hard sell with the rest of the development community. Nicolas Pitre's minitty patch set is a case in point.
Stable kernel updates
Greg Kroah-Hartman has released stable kernels 4.10.13, 4.9.25, and 4.4.64. They all contain important fixes and users should upgrade.
Security updates for Thursday
Security updates have been issued by Debian (freetype, jasper, python-django, slurm-llnl, and weechat), Fedora (dovecot and pcre2), Gentoo (adobe-flash), openSUSE (curl, gstreamer-plugins-base, libsndfile, and tiff), and Ubuntu (mysql-5.5, mysql-5.7).
[$] LWN.net Weekly Edition for April 27, 2017
The LWN.net Weekly Edition for April 27, 2017 is available.
[$] The great leap backward
Sayre's law states: "In any dispute the intensity of feeling is inversely proportional to the value of the issues at stake". In that context, it is perhaps easy to understand why the discussion around the version number for the next major openSUSE Leap release has gone on for hundreds of sometimes vitriolic messages. While this change is controversial, the openSUSE board hopes that it will lead to more rational versioning in the long term — but the world has a way of interfering with such plans.
Security updates for Wednesday
Security updates have been issued by Debian (botan1.10, mysql-5.5, and rtmpdump), Fedora (collectd, firefox, java-1.8.0-openjdk, libdwarf, nss-softokn, nss-util, and tigervnc), Red Hat (httpd24-httpd and python27), and SUSE (kernel).
No more grsecurity test patches
The grsecurity project has announced that its kernel-hardening patches will now be an entirely private affair. "Today we are handing over future maintenance of grsecurity test patches to the community. This makes grsecurity for Linux 4.9 the last version Open Source Security Inc. will release to non-subscribers."
[$] Which email client for Ubuntu 17.10?
An email client was once a mandatory offering for any operating system, but that may be changing. A discussion on the ubuntu-desktop mailing list explores the choices for a default email client for Ubuntu 17.10, which is due in October. One of the possibilities being considered is to not have a default email client at all.
Kali Linux 2017.1 Release
The Kali Linux 2017.1 rolling release is available. Kali is a Debian derivative aimed at penetration testing and related tasks. This release includes support for RTL8812AU wireless card injection, streamlined support for CUDA GPU cracking, OpenVAS 9 packaged in Kali repositories, and more.
Linkerd 1.0 released
The linkerd 1.0 release is available. "Linkerd a service mesh for cloud native applications. As part of this release, we wanted to define what this actually meant." Support for per-service router configuration has been added, along with new plugin interfaces for policy control. (LWN looked at linkerd in early April).
Bash Bunny: Big hacks come in tiny packages (InfoWorld)
InfoWorld plays with the Bash Bunny, a USB device for attacking computers. "It can run anything a regular Debian Linux distro can run, such as Python scripts or common Linux commands. To infiltrate other computing devices, Bash Bunny can fake its identity as a trusted media device, networking device, keyboard, or other serial device. For example, it can load itself as a keyboard device and mimic keystrokes. You can download dozens of existing payload scripts, create your own, or ask questions in a fairly active user forum."
[$] Turmoil for Drupal
The Drupal content management system (CMS) has been an open-source tool of choice for many web site owners for well over a decade now. Over that time, it has been overseen by its original developer, Dries Buytaert, who is often referred to as the benevolent dictator for life (BDFL) for the project. Some recent events have led a sizable contingent in the Drupal community to question his leadership, however. A request that a prominent developer leave the Drupal community, apparently over elements of his private life rather than any Drupal-related misstep, has led to something of an outcry in that community—it may well lead to a change in the governance of the project.
Security updates for Tuesday
Security updates have been issued by Debian (activemq, libav, minicom, mysql-5.5, tiff3, and xen), Fedora (ansible, collectd, icu, and pcre), openSUSE (chromium and firefox), Red Hat (chromium-browser and kernel), Slackware (firefox), and Ubuntu (kernel, linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-hwe, linux-lts-trusty, linux-lts-xenial, qemu, and samba).
Debian is shutting down its public FTP services
If you're one of the few people still using FTP to access the Debian repositories, the time has come to move on: FTP service will be shut down at the beginning of November.
Collabora Office 5.3 Released
Collabora Office 5.3 has been released with all the fixes and several backported features from the upstream LibreOffice 5.3 release. "The biggest change in this release is the inclusion of a long list of new features, combined with many User Interface improvements, making Collabora Office more powerful and at the same time faster and more comfortable to work with."
[$] Two new block I/O schedulers for 4.12
The multiqueue block layer subsystem, introduced in 2013, was a necessary step for the kernel to scale to the fastest storage devices on large systems. The implementation in current kernels is incomplete, though, in that it lacks an I/O scheduler designed to work with multiqueue devices. That gap is currently set to be closed in the 4.12 development cycle when the kernel will probably get not just one, but two new multiqueue I/O schedulers.
Stable kernel 3.18.50
Stable kernel 3.18.50 has been released with many important fixes. Users should upgrade.
Security updates for Monday
Security updates have been issued by Arch Linux (firefox and weechat), Debian (chicken, firefox-esr, libcroco, libreoffice, and tiff), Fedora (backintime, bind, firefox, libarchive, libnl3, pcre2, php-pear-CAS, and python-django), Mageia (icu and proftpd), openSUSE (mozilla-nss and wireshark), Red Hat (java-1.6.0-sun, java-1.7.0-oracle, and java-1.8.0-oracle), Scientific Linux (firefox and java-1.8.0-openjdk), Slackware (mozilla, ntp, and proftpd), and Ubuntu (firefox).
openSUSE Leap's backward version jump
The openSUSE project has announced that the release following openSUSE Leap 42 will be called openSUSE Leap 15. "SUSE have decided that their next version of SLE will be 15, not 13. Upon learning of SUSE's plans the Board and Leap release team have been considering our options. This included ignoring the changes to SLE and releasing Leap 43 as planned, at the cost of the link between SLE versions and Leap versions. 45 was also considered, as were some frankly hilarious ideas that made me worry about my own sanity and that of my fellow contributors. After considering the pros and cons of all the options however, the decision has been that Leap 15 will be our next version."
Kernel prepatch 4.11-rc8
Linus has released 4.11-rc8 instead of the expected 4.11 final. "So originally I was just planning on releasing the final 4.11 today, but while we didn't have a *lot* of changes the last week, we had a couple of really annoying ones, so I'm doing another rc release instead. I did get fixes for the issues that popped up, so I could have released 4.11 as-is, but it just doesn't feel right."
What's new in OpenStack Ocata (Opensource.com)
Over at Opensource.com, Rich Bowen looks at some of the new features in OpenStack Ocata, which was released back in February. "First, it's important to remember that the Ocata cycle was very short. We usually do a release every six months, but with the rescheduling of the OpenStack Summit and OpenStack PTG (Project Team Gathering) events, Ocata was squeezed into 4 months to realign the releases with these events. So, while some projects squeezed a surprising amount of work into that time, most projects spent the time on smaller features and finishing up tasks leftover from the previous release. At a high level, the Ocata release was all about upgrades and containers, themes that I heard from almost every team I interviewed. Developers spoke of how we can make upgrades smoother, and how we can deploy bits of the infrastructure in containers. These two things are closely related, and there seems to be more cross-project collaboration this time around than I've noticed in the past."
Stable kernels 4.10.12, 4.9.24, and 4.4.63 released
The 4.10.12, 4.9.24, and 4.4.63 stable kernels have been released. Users of those series should upgrade.
Security updates for Friday
Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, and nss and nss-util), Debian (icedove), Fedora (jenkins-xstream and xstream), Mageia (chromium-browser-stable, flash-player-plugin, gimp, and wireshark), openSUSE (gstreamer-0_10-plugins-base), Oracle (bind, firefox, java-1.8.0-openjdk, and nss and nss-util), Red Hat (firefox and java-1.8.0-openjdk), Scientific Linux (bind, firefox, nss and nss-util, and nss-util), SUSE (xen), and Ubuntu (bind9, curl, freetype, and qemu).
Grok the GIL (opensource.com)
Here's an opensource.com article describing how the Python global interpreter lock works and some nuances of writing threaded Python code. "Although the GIL does not excuse us from the need for locks, it does mean there is no need for fine-grained locking. In a free-threaded language like Java, programmers make an effort to lock shared data for the shortest time possible, to reduce thread contention and allow maximum parallelism. Because threads cannot run Python in parallel, however, there's no advantage to fine-grained locking. So long as no thread holds a lock while it sleeps, does I/O, or some other GIL-dropping operation, you should use the coarsest, simplest locks possible."
[$] The MuQSS CPU scheduler
The scheduler is a topic of keen interest for the desktop user; the scheduling algorithm partially determines the responsiveness of the Linux desktop as a whole. Con Kolivas maintains a series of scheduler patch sets that he has tuned considerably over the years for his own use, focusing primarily on latency reduction for a better desktop experience. In early October 2016, Kolivas updated the design of his popular desktop scheduler patch set, which he renamed MuQSS. It is an update (and a name change) from his previous scheduler, BFS, and it is designed to address scalability concerns that BFS had with an increasing number of CPUs.
Security updates for Thursday
Security updates have been issued by Arch Linux (chromium and nss), CentOS (bind and qemu-kvm), Debian (firefox-esr, ghostscript, hunspell-en-us, and uzbek-wordlist), Fedora (php-onelogin-php-saml), openSUSE (bind, gstreamer-plugins-good, and xen), Red Hat (bind, firefox, nss, nss and nss-util, and nss-util), and SUSE (ruby2.1).
[$] LWN.net Weekly Edition for April 20, 2017
The LWN.net Weekly Edition for April 20, 2017 is available.
[$] The rise of Linux-based networking hardware
Linux usage in networking hardware has been on the rise for some time. During the latest Netdev conference held in Montreal this April, people talked seriously about Linux running on high end, "top of rack" (TOR) networking equipment. Those devices have long been the realm of proprietary hardware and software companies like Cisco or Juniper, but Linux seems to be making some significant headway into the domain. Are we really seeing the rise of Linux in high-end networking hardware?
Firefox 53.0 released
Mozilla has released Firefox 53.0. From the release notes: "Today's Firefox release makes Firefox faster and more stable with a separate process for graphics compositing (the Quantum Compositor). Compact themes and tabs save screen real estate, and the redesigned permissions notification improves usability. Learn more on the Mozilla Blog."
[$] 4.11 Kernel development statistics
Linus Torvalds recently let it be known that the 4.11-rc7 kernel prepatch had a good chance of being the last for this development series. So the time has come to look at this development cycle and the contributors who made it happen.
Security updates for Wednesday
Security updates have been issued by CentOS (libreoffice), Debian (icedove, icu, and imagemagick), Fedora (bind, bind99, ghostscript, libxml2, ming, ntp, proftpd, and qemu), Oracle (bind and libreoffice), Red Hat (bind, qemu-kvm, and qemu-kvm-rhev), Scientific Linux (bind, libreoffice, and qemu-kvm), Slackware (minicom), and SUSE (xen).
[$] Kubernetes & security
Every conference venue has problems with the mix of room sizes, but I don't recall ever going to a talk that so badly needed to be in a bigger room as Jessie Frazelle and Alex Mohr's talk at CloudNativeCon/KubeCon Europe 2017 on securing Kubernetes. The cause of the enthusiasm was the opportunity to get "best practice" information on securing Kubernetes, and how Kubernetes might be evolving to assist with this, directly from the source.
Halium is an Open Source Project Working Towards a Common Base for Non-Android Mobile Operating Systems
The xda-developers blog looks at Project Halium. "This open-source project is trying to pool developers from Ubuntu Touch ports, Sailfish OS community developers, the open webOS Lune OS project, and KDE Plasma Mobile contributors, among other developers (Jolla, we suspect) to put an end to the fragmentation seen in their respective project’s lower-level base. Currently, Ubuntu Touch, Sailfish OS/Mer, Plasma Mobile, and others use different Android source trees and methods for differently-built stacks. This leads to a lot of fragmentation among the most popular non-Android, GNU/Linux-based mobile OS projects in their use of the Android source tree, how the Android init is started, and how images are flashed to the device. Many of these projects essentially do the same job, but in a different way." The goal of Halium is to work towards a common Linux base, which can be used by all of these different projects.
Introducing Moby Project: a new open-source project to advance the software containerization movement (Docker blog)
The Docker blog introduces the Moby Project, which aims to advance the software containerization movement. "It provides a “Lego set” of dozens of components, a framework for assembling them into custom container-based systems, and a place for all container enthusiasts to experiment and exchange ideas. Think of Moby as the “Lego Club” of container systems."
Security updates for Tuesday
Security updates have been issued by Debian (feh, freetype, and radare2), Fedora (kernel and libsndfile), openSUSE (audiofile, dracut, gstreamer, gstreamer-plugins-bad, jasper, libpng15, proftpd, and tigervnc), Oracle (qemu-kvm), Red Hat (kernel, libreoffice, and qemu-kvm-rhev), and SUSE (bind and tiff).
A big set of stable kernel updates
The 4.10.11, 4.9.23, 4.4.62, and 3.18.49 stable kernel updates are available. For those who are surprised to see a 3.18 update after that series was declared end-of-life, Greg Kroah-Hartman explains it this way: "3.18? Wasn't that kernel dead and forgotten and left to rot on the side of the road? Yes, it was, but unfortunately, there's a few million or so devices out there in the wild that still rely on this kernel. Now, some of their manufacturers and SoC vendors might not be keeping their kernels up to date very well, but some do actually care about security and their users, so this release is for them. If you happen to have a vendor that does not care about their users, go complain, as odds are, your device is very insecure right now..."
Tor exit node operator arrested in Russia (TorServers.net blog)
On April 12 Dmitry Bogatov, a mathematician and Debian maintainer, was arrested in Russia for "incitation to terrorism" because of some messages that went through his Tor exit node. "Though, the very nature of Bogatov case is a controversial one, as it mixes technical and legal arguments, and makes necessary both strong legal and technical expertise involved. Indeed, as a Tor exit node operator, Dmitry does not have control and responsibility on the content and traffic that passes through his node: it would be the same as accusing someone who has a knife stolen from her house for the murder committed with this knife by a stranger." The Debian Project made a brief statement.
Scientific Linux 6.9 now Released
Scientific Linux 6.9 has been released for i386/x86_64 architectures. See the release notes and the upstream release notes for details.
Kernel prepatch 4.11-rc7
The 4.11-rc7 kernel prepatch has been released. "We're in the late rc phase, and this may be the last rc if nothing surprising happens."
Security updates for Monday
Security updates have been issued by Debian (libosip2, openoffice.org-dictionaries, and qbittorrent), Fedora (kernel, libpng12, libsndfile, libtiff, mediawiki, mupdf, qt5-qtwebengine, samba, xen, xorgxrdp, and xrdp), Mageia (mediawiki, ming, python-django, unshield, and webkit2), and openSUSE (postgresql93).