LWN.net

The4.15.2,4.14.18, and3.18.94stable kernels have been released; each contains the usual set of importantfixes and updates. There are no 4.9.x or 4.4.x updates coming in thisparticular set.

Eric Brown takesa look at the SiFive "HiFive Unleashed" SBC that runs Linux on itsRISC-V based, quad-core, 1.5GHz U540 SoC. "The open spec HiFive Unleashed board integrates a U540 SoC, 8GB of DDR4 RAM, and 32MB quad SPI flash. The only other major features include a microSD slot, a Gigabit Ethernet port, and an FMC connector for future expansion. A SiFive rep confirmed to Linux.com that the board will be open source hardware, with freely available schematics and layout files."

Karen Sandler has been giving conference talks about free software and openmedical devices for the better part of a decade at this point. LWN briefly covered a 2010 LinuxCon talk and a 2012 linux.conf.au (LCA) talk; her talk atLCA 2012 was her first full-length keynote, she said. In this year'sedition, she reviewed her history (including her love for LCA based in part on that 2012visit) and gave an update on the status of the source code for the device shehas implanted on her heart.

Security updates have been issued by Debian (mpv), Fedora (jackson-databind), Mageia (flash-player-plugin), Slackware (kernel), and Ubuntu (python-django).

Version5.0.0 of the KMyMoney personal finance manager is out. "Thelargest amount of work has gone towards basing this version on KDEFrameworks. Many of the underlying libraries used by the application havebeen reorganized and improved, but most of that is behind the scenes, andnot directly visible to the end user. Some of the general look and feel mayhave changed, but the basic functionality of the program remains the same,aside from intentional improvements and additions." Enhancementsinclude improved reports and better multiple-currency support.

An apparent linux.conf.au tradition is to dedicate a keynote slot tosomebody who is applying open-source principles to make the world better inan area other than software development. LCA 2018 was no exception;professor Matthew Todd took the stage to present his work on open-sourcedrug discovery. The market for pharmaceuticals has failed in a number ofways to come up with necessary drugs at reasonable prices;perhaps some of those failures can be addressed through a community effort.

KDE has releasedPlasma 5.12.0. "Plasma 5.12 LTS is the second long-term support release from the Plasma 5 team. We have been working hard, focusing on speed and stability for this release. Boot time to desktop has been improved by reviewing the code for anything which blocks execution. The team has been triaging and fixing bugs in every aspect of the codebase, tidying up artwork, removing corner cases, and ensuring cross-desktop integration. For the first time, we offer our Wayland integration on long-term support, so you can be sure we will continue to provide bug fixes and improvements to the Wayland experience."

Nextcloud 13 has been released. "This release brings improvements to the core File Sync and Share like easier moving of files and a tech preview of our end-to-end encryption for the ultimate protection of your data. It also introduces collaboration and communication capabilities, like auto-complete of comments and integrated real-time chat and video communication. Last but not least, Nextcloud was optimized and tuned to deliver up to 80% faster LDAP, much faster object storage and Windows Network Drive performance and a smoother user interface."

The popular interpreted language Python shares a mode of interactionwith many other languages, from Lisp to APL to Julia: the REPL (read-eval-print-loop) allows the user to experiment with and explore their code, while maintaining aworkspace of global variables and functions. This is in contrast withlanguages such as Fortran and C, which must be compiled and run as completeprograms (a mode of operation available to the REPL-enabled languages aswell). But using a REPL is a solitary task; one can write a program toshare based on their explorations, but the REPL session itself not easilyshareable. So REPLs have gotten more sophisticated over time, evolvinginto shareable notebooks, such as what IPython, and its more recentdescendant, Jupyter, have. Here we look at Jupyter: its history,notebooks, and how it enables better collaboration in languages well beyondits Python roots.

Security updates have been issued by Debian (xen), Fedora (clamav, community-mysql, dnsmasq, flatpak, libtasn1, mupdf, p7zip, rsync, squid, thunderbird, tomcat, unbound, and zziplib), Mageia (clamav, curl, dovecot, ffmpeg, gcab, kernel, libtiff, libvpx, php-smarty, pure-ftpd, redis, and thunderbird), openSUSE (apache-commons-email), Red Hat (rh-mariadb100-mariadb), SUSE (firefox), and Ubuntu (clamav, squid3, and systemd).

Here's a lookat what's coming on the desktop in Libre Graphics World. "Afteralmost 6 years of work, the GIMP team is finalizing the next bigupdate. The plan is to cut a beta of v2.10 once the amount of critical bugsfalls further down: it's currently stuck at 20, as new bugs get promoted toblockers, while old blockers get fixed. It's a bit of an uphillbattle."

The initial panic over the Meltdown and Spectre processor vulnerabilitieshas faded, and work on mitigations in the kernel has slowed since our mid-January report. That work has notstopped, though. Fully equipping the kernel to protect systems from thesevulnerabilities is a task that may well require years. Read on for anupdate on the current status of that work.

Greg Kroah-Hartman has released stable kernels 4.15.1, 4.14.17, 4.9.80, and 4.4.115. They all contain important fixes andusers should upgrade.

Security updates have been issued by Debian (dokuwiki and p7zip), Fedora (kernel, pdns, rsync, and webkitgtk4), openSUSE (chromium and translate-toolkit), Red Hat (jboss-ec2-eap and Red Hat Satellite 6), Slackware (php), and SUSE (bind and firefox).

The Factor Daily site has alook at work to increase the diversity of open-source contributors inIndia. "Over past two months, we interviewed at least two dozenpeople from within and outside the open source community to identify a setof women open source contributors from India. While the list is notconclusive by any measure, it’s a good starting point in identifying thewomen who are quietly shaping the future of open source from this part ofthe world and how they dealt with gender biases."

As of this writing, just over 6,700 non-merge changesets have been pulledinto the mainline repository for the 4.16 development cycle. Given thatthere are a number of significant trees yet to be pulled, the earlyindications are that 4.16 will be yet another busy development cycle. Whatfollows is a summary of the significant changes merged in the first half ofthis merge window.

Longtime embedded Linux development company Free Electrons has just changed its name to Bootlin due to a trademark dispute (with "FREE SAS, a French telecom operator, known as the owner of the free.fr website"). It is possible that Free Electrons may lose access to its "free-electrons.com" domain name as part of the dispute, so links to the many resources that Free Electrons hosts (including documentation and conference videos) should be updated to use "bootlin.com". "The services we offer are different, we target a different audience (professionals instead of individuals), and most of our communication efforts are in English, to reach an international audience. Therefore Michael Opdenacker and Free Electrons’ management believe that there is no risk of confusion between Free Electrons and FREE SAS.However, FREE SAS has filed in excess of 100 oppositions and District Court actions against trademarks or name containing “free”. In view of the resources needed to fight this case, Free Electrons has decided to change name without waiting for the decision of the District Court.This will allow us to stay focused on our projects rather than exhausting ourselves fighting a long legal battle."

Version 2.27 of the GNU C Library is out. This release includes supportfor static PIE executables, a number of security-oriented improvements (andfixes for several CVE numbers), support for memory protection keys, and much more.

Security updates have been issued by CentOS (systemd and thunderbird), Debian (squid and squid3), Fedora (firefox), Mageia (java-1.8.0-openjdk and sox), openSUSE (ecryptfs-utils and libXfont), Oracle (systemd and thunderbird), Scientific Linux (thunderbird), and Ubuntu (dovecot and w3m).

Over at Opensource.com, Christine Peterson has published her account of coining the term "open source". Originally written in 2006, her story on the origin of the term has now been published for the first time. The 20 year anniversary of the adoption of "open source" is being celebrated this year by the Open Source Initiative at various conferences (recently at linux.conf.au, at FOSDEM on February 3, and others). "Between meetings that week, I was still focused on the need for a better name and came up with the term "open source software." While not ideal, it struck me as good enough. I ran it by at least four others: Eric Drexler, Mark Miller, and Todd Anderson liked it, while a friend in marketing and public relations felt the term "open" had been overused and abused and believed we could do better. He was right in theory; however, I didn't have a better idea, so I thought I would try to go ahead and introduce it. In hindsight, I should have simply proposed it to Eric Raymond, but I didn't know him well at the time, so I took an indirect strategy instead.Todd had agreed strongly about the need for a new term and offered to assist in getting the term introduced. This was helpful because, as a non-programmer, my influence within the free software community was weak. My work in nanotechnology education at Foresight was a plus, but not enough for me to be taken very seriously on free software questions. As a Linux programmer, Todd would be listened to more closely."

Linux tries to be useful for a wide variety of use cases, but there aresome situations where it may not be appropriate; safety-criticaldeployments with tight timing constraints would be near the top of the listfor many people. On the other hand, systems that can run safety-criticalcode in a provably correct manner tend to be restricted in functionalityand often have to be dedicated to a single task. In a linux.conf.au 2018talk, Gernot Heiser presented work that is being done with the seL4 microkernel system to safely supportcomplex systems in a provably safe manner.

Here's a blog postfrom "bunnie" Huang on the tension between transparency and productliability around hardware flaws. "The open source community coulduse the Spectre/Meltdown crisis as an opportunity to reform the statusquo. Instead of suing Intel for money, what if we sue Intel fordocumentation? If documentation and transparency have real value, then thisis a chance to finally put that value in economic terms that Intelshareholders can understand. I propose a bargain somewhere along theselines: if Intel releases comprehensive microarchitectural hardware designspecifications, microcode, firmware, and all software source code (e.g. forAMT/ME) so that the community can band together to hammer out any othersecurity bugs hiding in their hardware, then Intel is absolved of anypayouts related to the Spectre/Meltdown exploits."

Security updates have been issued by Debian (chromium-browser, krb5, and smarty3), Fedora (firefox, GraphicsMagick, and moodle), Mageia (rsync), openSUSE (bind, chromium, freeimage, gd, GraphicsMagick, libtasn1, libvirt, nodejs6, php7, systemd, and webkit2gtk3), Red Hat (chromium-browser, systemd, and thunderbird), Scientific Linux (systemd), and Ubuntu (curl, firefox, and ruby2.3).

The LWN.net Weekly Edition for February 1, 2018 is available.

For anyone who has followed Daniel Vetter's talks over the last year ortwo, it is fairly clear that he is not happy with the kerneldevelopment process and the role played by kernel maintainers. In astrongly worded talk at linux.conf.au (LCA) 2018 in Sydney, he further exploredthe topic (that he also raised atLCA 2017) in a talk entitled "Burning down the castle". In his view,kernel development is broken and it is unlikely to improve anytime soon.

Christian Schaller providesus with an update on the state of the new PipeWire multimedia system."So as you probably noticed one thing we didn’t mention above is howto deal with PulseAudio applications. Handling this usecase is still on thetodo list and the plan is to at least initially just keep PulseAudiorunning on the system outputting its sound through PipeWire. That said weare a bit unsure how many applications would actually be using this pathbecause as mentioned above all GStreamer applications for instance would bePipeWire native automatically through the PipeWire GStreamerplugins."

In a linux.conf.au 2018 keynote called "Containers from user space" — anexplicit reference to the cult film "Plan 9 from Outer Space" — JessieFrazelle took the audience on a fast-moving tour of the past, present, andpossible future of container technology. Describing the container craze as"amazing", she covered topics like the definition of a container, security,runtimes, container concepts in programming languages, multi-tenancy, andmore.

The latest stable kernel updates are:4.14.16,4.9.79,4.4.114, and3.18.93.Each contains a relatively large set of important fixes and updates.

A late-breaking development in the computing world led to a somewhathastily arranged panel discussion at this year's linux.conf.au in Sydney.The embargo for the Meltdown and Spectrevulnerabilities broke on January 4; three weeks later, Jonathan Corbet convenedrepresentatives from five separate parts of our community, from cloud tokernel to the BSDs and beyond. As Corbet noted in the opening, the panelitself was organized much like the response to the vulnerabilitiesthemselves, which is why it didn't even make it onto the conference scheduleuntil a few hours earlier.

Version 8.1 of the GDB debugger is out. Changes include better supportfor the Rust language and various other improvements to make debuggingeasier; see the announcement and thenews file for the full list.

The LibreOffice 6.0 release is available. Changes include a new helpsystem, a better spelling checker, OpenPGP support, better documentinteroperability, improvements to LibreOffice Online, and more."LibreOffice 6.0 represents the bleeding edge in term of features foropen source office suites, and as such is targeted at technologyenthusiasts, early adopters and power users."

Security updates have been issued by Arch Linux (dnsmasq, libmupdf, mupdf, mupdf-gl, mupdf-tools, and zathura-pdf-mupdf), CentOS (kernel), Debian (smarty3, thunderbird, and unbound), Fedora (bind, bind-dyndb-ldap, coreutils, curl, dnsmasq, dnsperf, gcab, java-1.8.0-openjdk, libxml2, mongodb, poco, rubygem-rack-protection, transmission, unbound, and wireshark), Red Hat (collectd, erlang, and openstack-nova), SUSE (bind), and Ubuntu (clamav and webkit2gtk).

Open-source software has an inclusiveness problem that will take someinnovative approaches to fix. But, Andrew "bunnie" Huang said in hisfast-movinglinux.conf.au 2018 talk, if we don't fix it we may find we have biggerproblems in the near future. His approach to improving the situation is tomake technology more accessible — by enabling people to create electroniccircuits on paper and write code for them.

Shawn Pearce, a longtime contributor to the Git community (and beyond), haspassed away. The thread on the Git mailing list makes it clear that hewill be missed by many people.

PostgreSQL developer Robert Haas describesa new storage module that is under development. "We are workingto build a new table storage format for PostgreSQL, which we’re callingzheap. In a zheap, whenever possible, we handle an UPDATE by moving the oldrow version to an undo log, and putting the new row version in the placepreviously occupied by the old one. If the transaction aborts, we retrievethe old row version from undo and put it back in the original location; ifa concurrent transaction needs to see the old row version, it can find itin undo. [...] This means that there is no need for VACUUM, or any similarprocess, to scan the table looking for dead rows."

Worth a read: this blogposting from Leonardo Chiariglione, the founder and chair of MPEG, onhow (in his view) the group is being destroyed by free codecs and patent trolls."Good stories have an end, so the MPEG business model could not lastforever. Over the years proprietary and 'royalty free' products haveemerged but have not been able to dent the success of MPEG standards. Moreimportantly IP holders – often companies not interested in exploiting MPEGstandards, so called Non Practicing Entities (NPE) – have become more andmore aggressive in extracting value from their IP." (Thanks to Paul Wise).

Security updates have been issued by Arch Linux (curl, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, and rsync), Debian (curl), Fedora (clamav and java-1.8.0-openjdk), openSUSE (apache2), Oracle (kernel), and Ubuntu (linux-kvm and thunderbird).

On his blog, embedded developer Karim Yaghmour has written about his ten-day trip to Shenzen, China, which is known as the "Silicon Valley of hardware". His lengthy trip report covers much that would be of use to others who are thinking of making the trip, but also serves as an interesting travelogue even for those who are likely to never go. "The map didn't disappoint and I was able to find a large number of kiosks selling some of the items I was interested in. Obviously many kiosks also had items that I had seen on Amazon or elsewhere as well. I was mostly focusing on things I hadn't seen before. After a few hours of walking floors upon floors of shops, I was ready to start focusing on other aspects of my research: hard to source and/or evaluate components, tools and expanding my knowledge of what was available in the hardware space. Hint: TEGES' [The Essential Guide to Electronics in Shenzhen] advice about having comfortable shoes and comfortable clothing is completely warranted.Finding tools was relatively easy. TEGES indicates the building and floor to go to, and you'll find most anything you can think of from rework stations, to pick-and-place machines, and including things like oscilloscopes, stereo microscopes, multimeters, screwdrivers, etc. In the process I saw some tools which I couldn't immediately figure out the purpose for, but later found out their uses on some other visits. Satisfied with a first glance at the tools, I set out to look for one specific component I was having a hard time with. That proved a lot more difficult than anticipated. Actually I should qualify that. It was trivial to find tons of it, just not something that matched exactly what I needed. I used TEGES to identify one part of the market that seemed most likely to have what I was looking for, but again, I could find lots of it, just not what I needed."

The TCP protocol has become so ubiquitous that, to many people, the terms"TCP/IP" and "networking" are nearly synonymous. The fact that introducingnew protocols (or even modifying existing protocols) has become nearly impossible tends toreinforce that situation. That is not stopping people from trying, though.At linux.conf.au 2018, Jana Iyengar, a developer at Google, discussed thecurrent state of the QUIC protocol which, he said, is now used for about 7% of the traffic on theInternet as a whole.

Security updates have been issued by Arch Linux (glibc, lib32-glibc, and zziplib), Debian (clamav, ffmpeg, thunderbird, tiff, tiff3, and wireshark), Fedora (firefox, mingw-libtasn1, and webkitgtk4), Gentoo (fossil), Mageia (webkit2), openSUSE (chromium, clamav, and thunderbird), and SUSE (clamav and kernel).

Here's anopensource.com article on the virtues of CopperheadOS."Unlike other custom ROMs that strive to add lots of newfunctionality, Copperhead runs a pretty vanilla version of AOSP. Also,while the first thing you usually do when playing with a custom ROM is toadd root access to the device, not only does Copperhead prevent that, italso requires that you have a device that has verified boot, so there's nounlocking the bootloader. This is to prevent malicious code from gettingaccess to the handset."

Linus has released the 4.15 kernel."After a release cycle that was unusual in so many (bad) ways, thislast week was really pleasant. Quiet and small, and no last-minutepanics, just small fixes for various issues. I never got a feelingthat I'd need to extend things by yet another week, and 4.15 looksfine to me."Some of the more significant features in this release include:the long-awaited CPU controller for theversion-2 control-group interface,significant live-patching improvements,initial support for the RISC-V architecture,support for AMD's secure encrypted virtualization feature, andthe MAP_SYNC mechanism for workingwith nonvolatile memory.This release also, of course, includes mitigations for the Meltdown and Spectre variant-2vulnerabilities though, as Linus points out in the announcement, thework of dealing with these issues is not yet done.

The Linux Foundation has announced a new project, called LinuxBoot, that is working on replacements for much of the firmware used to boot our systems. The project is based on work by Google and others to use Linux (and Go programs) to replace most of the UEFI boot firmware. "Firmware has always had a simple purpose: to boot the OS. Achieving that has become much more difficult due to increasing complexity of both hardware and deployment. Firmware often must set up many components in the system, interface with more varieties of boot media, including high-speed storage and networking interfaces, and support advanced protocols and security features.LinuxBoot addresses the often slow, often error-prone, obscured code that executes these steps with a Linux kernel. The result is a system that boots in a fraction of the time of a typical system, and with greater reliability."

Security updates have been issued by CentOS (389-ds-base, dhcp, kernel, and nautilus), Debian (curl, openssh, and wireshark), Fedora (clamav, firefox, java-9-openjdk, and poco), Gentoo (clamav), openSUSE (curl, libevent, mupdf, mysql-community-server, newsbeuter, php5, redis, and tre), Oracle (389-ds-base, dhcp, kernel, and nautilus), Slackware (mozilla), and Ubuntu (kernel and linux-hwe, linux-azure, linux-gcp, linux-oem).

GCC 7.3 is out. This is mainly a bug-fix release, but it does also containthe "retpoline" support needed to build the kernel (and perhaps other code)with resistance to the Spectre variant-2 vulnerability.

Here's a34c3 conference report in CSO suggesting that the BSDs are losingdevelopers. "von Sprundel says he easily found around 115 kernel bugs across thethree BSDs, including 30 for FreeBSD, 25 for OpenBSD, and 60 forNetBSD. Many of these bugs he called 'low-hanging fruit.' He promptlyreported all the bugs, but six months later, at the time of his talk, manyremained unpatched.'By and large, most security flaws in the Linux kernel don't have a longlifetime. They get found pretty fast,' von Sprundel says. 'On the BSD side,that isn't always true. I found a bunch of bugs that have been around avery long time.' Many of them have been present in code for a decade ormore."

Security updates have been issued by CentOS (firefox), Debian (firefox-esr, gcab, and poppler), Fedora (clamav and firefox), Mageia (bind, firefox, glibc, graphicsmagick, squid, systemd, and virtualbox), openSUSE (firefox, GraphicsMagick, libexif, and libvpx), Red Hat (389-ds-base, dhcp, kernel, kernel-alt, kernel-rt, and nautilus), Scientific Linux (389-ds-base, dhcp, kernel, and nautilus), Slackware (curl), SUSE (kernel and webkit2gtk3), and Ubuntu (firefox, libtasn1-6, and mysql-5.5).

The LWN.net Weekly Edition for January 25, 2018 is available.

2017 was a big year for the Prometheus project, as it publishedits 2.0 release in November. The new release ships numerousbug fixes, new features, and, notably, a new storage engine that brings majorperformance improvements. This comes at the cost of incompatible changes tothe storage and configuration-file formats. An overview ofPrometheus and its new release was presented to the Kubernetes community in a talkheld during KubeCon+ CloudNativeCon. This article covers what changed in this new releaseand what is brewing next in the Prometheus community; it is a companion tothis article, which provided a generalintroduction to monitoring with Prometheus.