LWN.net

Security updates have been issued by Debian (asterisk and curl), Fedora (kernel), Red Hat (postgresql and samba), Scientific Linux (postgresql), and Ubuntu (firefox and git).

PyPy is a Python interpreter with a focus on performance; the project hasjust announcedits 5.9 release. This version has full support for NumPy and Pandas inPython 2.7, along with many other improvements. The Python 3.5interpreter is still described as "beta quality".

Version 10 of thePostgreSQL database management system has been released. "A criticalfeature of modern workloads is the ability to distribute data across manynodes for faster access, management, and analysis, which is also known as a'divide and conquer' strategy. The PostgreSQL 10 release includessignificant enhancements to effectively implement the divide and conquerstrategy, including native logical replication, declarative tablepartitioning, and improved query parallelism." See therelease notes and this LWN article fromJune for details.

The LWN.net Weekly Edition for October 5, 2017 is available.

A lot was discussed and presented in the three hours allotted to the Testingand Fuzzing microconference at this year's Linux Plumbers Conference(LPC), but some spilled out of that slot. We have already looked at some discussions on kernel testing that occurred both before and during themicroconference. Much of the rest of the discussion is summarized in thearticle from this week's edition, which subscribers can access from thelink below.

Security updates have been issued by Debian (asterisk and qemu), openSUSE (liblouis, libraw, nextcloud, and tiff), and Ubuntu (ocaml).

The LEDE project has announced a "service release" of its routerdistribution. "LEDE 17.01.3 'Reboot' incorporates a fair number offixes back ported from the development branch during the last sixteenweeks." Included therein is a pile of security updates, includingfixes for the recently disclosed dnsmasq vulnerabilities.

Odoo is, according to Wikipedia,"the most popular open source ERP system." Thus, any survey of open-source accounting systems must certainly take alook in that direction. This episode in theongoing search for a suitable accounting system for LWN examines theaccounting features of Odoo; unfortunately, it comes up a bit short.

The Evergreen community has announced therelease of Evergreen 3.0.0, software for libraries. This releaseincludes community support of the web staff client for production use,serials and offline circulation modules for the web staff client,improvements to the display of headings in the public catalog browse list,and more.

Fedora Magazine has announcedthe release of Fedora 27 beta, including Fedora Workstation and FedoraAtomic Host. For those wondering about the server edition, thisarticle has the answer. "The Modularity project was designed to allow shipping different parts of the projects on different timelines. So, the Server team is starting that now — expect a Fedora 27 Server beta powered by Modularity in a few weeks. The general Fedora 27 release will come in early November, and then Fedora 27 Server will arrive in final form about a month later."

FreeBSD 10.4 has been released.This release features full support for eMMC storage, as well as manyupdates and improvements. The releasenotes contain more details.

Jens Axboe is themaintainer of the block layer of the kernel. In this capacity,he spoke at Kernel Recipes2017 on what's new in the storage world for Linux, with a particular focus on the new block-multiqueue subsystem:the degree to which it's been adopted, a number of optimizations thathave recently been made, and a bit of speculation abouthow it will further improve in the future.Subscribers can click below for a report from the Kernel Recipes talk byguest author Tom Yates.

Security updates have been issued by CentOS (dnsmasq), Debian (dnsmasq and git), Fedora (ejabberd, firefox, mingw-LibRaw, openvpn, and perl), openSUSE (dnsmasq, git, Mozilla Firefox and NSS, and otrs), Oracle (dnsmasq), Red Hat (dnsmasq), Scientific Linux (dnsmasq), Slackware (dnsmasq), SUSE (dnsmasq), and Ubuntu (dnsmasq, firefox, libidn, and poppler).

While the adoption of OpenPGP by the general population is marginal atbest, it is a critical component for the security community andparticularly for Linux distributions. For example, every packageuploaded into Debian is verified by the central repository using themaintainer's OpenPGP keys and therepository itself is, in turn, signed using a separate key. If upstream packages also use such signatures, thiscreates a complete trust path from the original upstream developer tousers.Beyond that, pull requests for the Linux kernel are verified using signatures as well.Therefore, the stakes are high: a compromise of the release key, oreven of a single maintainer's key, could enable devastatingattacks against many machines.

Security updates have been issued by Arch Linux (dnsmasq), CentOS (firefox and nss), Debian (firefox-esr, ghostscript, libidn2-0, opencv, and otrs2), Fedora (moodle, php-horde-nag, php-horde-passwd, php-horde-wicked, php-symfony-security-acl, pkgconf, and xen), openSUSE (spice and weechat), Scientific Linux (firefox and nss), Slackware (openexr), SUSE (xen), and Ubuntu (ca-certificates, dnsmasq, and nss).

James Morris has posted asummary of the recently concluded Linux Security Summit."I was particularly interested in the topic of better integrating LSMwith containers, as there is an increasingly common requirement for nestingof security policies, where each container may run its own apparentlyindependent security policy, and also a potentially independent securitymodel. I proposed the approach of introducing a security namespace, whereall security interfaces within the kernel are namespaced, including LSM.It would potentially solve the container use-cases, and also the full LSMstacking case championed by Casey Schaufler (which would allow entirelyarbitrary stacking of security modules)."

The Google Security Blog disclosesthe results of a security audit of the Dnsmasq name resolver."We discovered seven distinct issues (listed below) over the courseof our regular internal security assessments. Once we determined theseverity of these issues, we worked to investigate their impact andexploitability and then produced internal proofs of concept for each ofthem. We also worked with the maintainer of Dnsmasq, Simon Kelley, toproduce appropriate patches and mitigate the issue."Version 2.78 contains the fixes. Anybody running an OpenWRT/LEDE routerlikely has a vulnerable version of Dnsmasq and will want to look into updating.

The 4.14-rc3 kernel prepatch is out fortesting. "So 4.14 continues to be a somewhat painful release, andI'm starting to at least partly blame the fact that it's meant to be an LTSrelease."

The Core Infrastructure Initiative commissioned security audits of threenetwork time protocol (NTP) implementations (ntpd, NTPSec, and Chrony) andhas releasedthe results. "From a security standpoint (and here at the CII weare security people), Chrony was the clear winner between these three NTPimplementations. Chrony does not have all of the bells and whistles thatntpd does, and it doesn’t implement every single option listed in the NTPspecification, but for the vast majority of users this will not matter. Ifall you need is an NTP client or server (with or without reference clock),which is all that most people need, then its security benefits most likelyoutweigh any missing features."

Ars technica reportson an announcement that the kernel's long-term support releases will now bemaintained for six years instead of two. "A six-year support windowwill give Google, SoC Vendors, and OEMs plenty of time to develop a deviceand get it to market, while still leaving about four years for end-userownership. Google currently provides two years of major OS updates on itsphones and three years of security updates, but if it wanted to extendthat, an announcement like this would seem like an important firststep." The kernel.org releasespage now shows 4.4 being maintained through February 2022.

Free-software raw photo editor RawTherapee released a major newrevision earlier this year, followed by a string of incrementalupdates. The 5.x series, released at a rapid pace, marks asignificant improvement in the RawTherapee's development tempo — theproject's preceding update had landed in 2014. Regardless of the speed ofthe releases themselves, however, the improved RawTherapee offers users alot of added functionality and may shake up the raw-photo-processingworkflow for many photographers.

The EFF highlightsa number of attacks against distributors of add-ons for the Kodi streaming media system."These lawsuits by big TV incumbents seem to have a few goals: toexpand the scope of secondary copyright infringement yet again, to forcemajor Kodi add-on distributors off of the Internet, and to smear anddiscourage open source, freely configurable media players by focusing onthe few bad actors in that ecosystem. The courts should reject theseexpansions of copyright liability, and TV networks should not targetneutral platforms and technologies for abusive lawsuits."

Allison Randal has sent out a message to the community saying that she ismoving on from the presidency of the Open Source Initiative."I'm incredibly proud of what the organization has accomplished in thattime, continuing stewardship of the open source license list, and growingour individual membership and affiliate programs which provide a path forthe entire open source community to have a say in the governance of theOSI." Her replacement will be Simon Phipps.

Security updates have been issued by Arch Linux (ffmpeg2.8, nvidia, and openvpn), Fedora (git, mercurial, moodle, php-horde-Horde-Image, poppler, and pure-ftpd), openSUSE (fmpeg and vlc), Oracle (firefox, kernel, and nss), Red Hat (firefox and nss), Slackware (mozilla), and SUSE (firefox).

<p>As the Internet of Things (IoT) becomesever more populous, there is no shortage of people warning us that thecontinual infusion into our lives of hard-to-patch proprietary devices running hard-to-maintain proprietary code is a bitof a problem. It is an act of faith for some, myself included,that open devices running free software (whether IoT devices or not) areeasier to maintain than proprietary, closed ones. So it's always of interest when freedom (orsomething close to it) makesits way into a class of devices that were not previously so blessed.<p>Subscribers can click below for a look at the NumWorks graphing calculatorby guest author Tom Yates.

Greg Kroah-Hartman has announced the release of the 4.13.4, 4.9.52, 4.4.89, and 3.18.72 stable kernels. As usual, there arefixes throughout the tree and users of those series should upgrade.

Security updates have been issued by CentOS (kernel), Debian (chromium-browser and poppler), Oracle (kernel), and Slackware (gegl).

The LWN.net Weekly Edition for September 28, 2017 is available.

At lastyear's X.Org Developers Conference (XDC), James Jones began the process of coming up with an API forallocating memory so that it is accessible to multiple different graphicsdevices in a system (e.g. GPUs, hardware compositors, video decoders, displayhardware, cameras, etc.). At XDC 2017 in MountainView, CA, he was back to update attendees on the progress that has beenmade. He has a prototype in progress, but there is plenty more to do,including working out some of the problems he has encountered along the way.

The Open Source Initiative (OSI) has announced that Microsoft hasjoined the organization as a Premium Sponsor."Microsoft's history with the OSI dates back to 2005 with the submission of the Microsoft Community License, then again in August of 2007 with the submission of the Microsoft Permissive License. For many in the open source software community, it was Microsoft's release of .NET in 2014 under an open source license that may have first caught their attention. Microsoft has increasingly participated in open source projects and communities as users, contributors, and creators, and has released even more open source products like Visual Studio Code and Typescript."

Oath, parent company of Yahoo, has announcedthat it has released Vespa as an open sourceproject on GitHub."Building applications increasingly means dealing with huge amounts of data. While developers can use the the Hadoop stack to store and batch process big data, and Storm to stream-process data, these technologies do not help with serving results to end users. Serving is challenging at large scale, especially when it is necessary to make computations quickly over data while a user is waiting, as with applications that feature search, recommendation, and personalization.By releasing Vespa, we are making it easy for anyone to build applicationsthat can compute responses to user requests, over large datasets, at realtime and at internet scale – capabilities that up until now, have beenwithin reach of only a few large companies." (Thanks to Paul Wise)

<p>In the refereed track at the 2017 Linux Plumbers Conference (LPC), Jiri Kosinagave an update on the status and plans for the live kernel patchingfeature. It is a feature that has a long history—pre-dating Linuxitself—and has had a multi-year path into the kernel. Kosina reviewed thathistory, while also looking at some of the limitations and missingfeatures for live patching.

Security updates have been issued by Arch Linux (weechat), Debian (debsecan, git, ruby1.8, ruby1.9.1, rubygems, and weechat), Fedora (kernel, libbson, and oniguruma), Gentoo (tiff), openSUSE (tor), Oracle (augeas, samba, and samba4), Red Hat (kernel), and Scientific Linux (kernel).

The Fedora project's four "foundations" arenamed "Freedom", "Friends", "Features", and "First". Among other things,they commit the project to being firmly within the free-software camp("we believe that advancing software and content freedom is a centralgoal for the Fedora Project, and that we should accomplish that goalthrough the use of the software and content we promote") and toproviding leading-edge software, including current kernels. Given that thekernel project, too, is focused on free software, it is interesting to seea call within the Fedora community to hold back on kernel updates in orderto be able to support a proprietary driver.

Ars technica takesa look at the Firefox 57 developer edition. "More important, but less immediately visible, is that Firefox 57 has received a ton of performance enhancement. Project Quantum has several strands to it: Mozilla has developed a new CSS engine, Stylo, that parses CSS files, applies the styling rules to elements on the page, and calculates object sizes and positions. There is also a new rendering engine, WebRender, that uses the GPU to draw the (styled) elements of the page. Compositor combines the individual rendered elements and builds them into a complete page, while Quantum DOM changes how JavaScript runs, especially in background tabs. As well as this new development, there's a final part, Quantum Flow, which has focused on fixing bugs and adding optimizations to those parts of the browser that aren't being redeveloped.WebRender is due to arrive in Firefox 59, but the rest of Quantum is part of Firefox 57."

Security updates have been issued by Arch Linux (chromium and libraw), Gentoo (chromium, libsoup, and rar), openSUSE (openjpeg and openjpeg2), Scientific Linux (samba), and Ubuntu (libplist).

Doing realtime processing with a general-purpose operating-system likeLinux can be a challenge by itself, but safety-critical realtime processingups the ante considerably. During a session at Open Source Summit NorthAmerica, Wolfgang Maurer discussed the difficulties involved in this kindof work and what Linux has to offer.

Security updates have been issued by Debian (bzr, clamav, libgd2, libraw, samba, and tomcat7), Fedora (drupal7-views, gnome-shell, httpd, krb5, libmspack, LibRaw, mingw-LibRaw, mpg123, pkgconf, python-jwt, and samba), Gentoo (adobe-flash, chromium, cvs, exim, mercurial, oracle-jdk-bin, php, postfix, and tcpdump), openSUSE (Chromium and libraw), Red Hat (chromium-browser), and Slackware (libxml2 and python).

The 4.14-rc2 kernel prepatch is out."Nothing stands out, although hopefully we've gotten over all the x86ASID issues. Knock wood."

GitLab 10.0 has been released. "With every monthly release of GitLab, we introduce new capabilities and improve our existing features. GitLab 10.0 is no exception and includes numerous new additions, such as the ability to automatically resolve outdated merge request discussions, improvements to subgroups, and an API for Wiki thanks to a contribution from our open source community."

The Clear Containers team at Intel has announcedthe release of Clear Containers 3.0. "Completely rewritten and refactored, Clear Containers 3.0 uses Go language instead of C and introduces many new components and features. The 3.0 release of Clear Containers brings better integration into the container ecosystem and an ability to leverage code used for namespace based containers."

Facebook has announcedthat the React, Jest, Flow, and Immutable.js projects will be moving to theMIT license. This is, of course, a somewhat delayed reaction to the controversy over the "BSD+patent" licensepreviously applied to those projects. "This decision comes afterseveral weeks of disappointment and uncertainty for our community. Althoughwe still believe our BSD + Patents license provides some benefits to usersof our projects, we acknowledge that we failed to decisively convince thiscommunity."

The Samba 4.7.0 release is out. New features include whole DB read locks(a reliability improvement), support for running Active Directory domain controllers using MIT Kerberos,detailed audit trails for authentication and authorization activities, amulti-process LDAP server, better read-only domain controller support, andmore. See the releasenotes for details.

Security updates have been issued by CentOS (augeas, samba, and samba4), Debian (apache2, bluez, emacs23, and newsbeuter), Fedora (kernel and mingw-LibRaw), openSUSE (apache2 and libzip), Oracle (kernel), SUSE (kernel, spice, and xen), and Ubuntu (emacs24, emacs25, and samba).

The "tracing and BPF" microconference was held on the final day of the 2017Linux Plumbers Conference; it covered a number of topics relevant to heavyusers of kernel and user-space tracing. Read on for a summary of a numberof those discussions on topics like BPF introspection, stack traces,kprobes, uprobes, and the Common Trace Format.

Security updates have been issued by Arch Linux (tomcat7), Debian (kernel and perl), Fedora (libwmf and mpg123), Mageia (bluez, ffmpeg, gstreamer0.10-plugins-good, gstreamer1.0-plugins-good, libwmf, tomcat, and tor), openSUSE (emacs, fossil, freexl, php5, and xen), Red Hat (augeas, rh-mysql56-mysql, samba, and samba4), Scientific Linux (augeas, samba, and samba4), Slackware (samba), SUSE (emacs and kernel), and Ubuntu (qemu).

Red Hat has announced anupdate to itspatent promise, wherein the company says it will not enforce itspatents against anybody who might be infringing them with open-sourcesoftware. The new version expands the promise to all software covered byan OSI-approved license, including permissive licenses. The attached FAQnotes that Red Hat now possesses over 2,000 patents.

The LWN.net Weekly Edition for September 21, 2017 is available.

In a talk in the refereed track of the 2017 Linux Plumbers Conference,Alexandre Courouble presented the email2git tool thatlinks kernel commits to their review discussion on the mailing lists. Email2gitis a plugin for cregit, which implements token-level history for a Git repository; we covered a talk on cregit just over one yearago. Email2git combines cregit with Patchwork to linkthe commit to a patch and its discussion threads from any of the mailinglists that are scanned by patchwork.kernel.org. The resultis a way to easily find the discussion that led to a piece of code—or evenjust a token—changing in the kernel source tree.

Last week KDE announced that they wereworking with Purism on the Librem 5 smartphone. The GNOME Foundation hasalso providedits endorsement and support of Purism’s efforts to build the Librem 5."As part of the collaboration, if the campaign is successful the GNOME Foundation plans to enhance GNOME shell and general performance of the system with Purism to enable features on the Librem 5.Various GNOME technologies are used extensively in embedded devices today, and GNOME developers have experienced some of the challenges that face mobile computing specifically with the Nokia 770, N800 and N900, the One Laptop Per Child project’s XO laptop and FIC’s Neo1973 mobile phone."