LWN.net

The long-awaited end of Flash has come a little closer with thisannouncement from Adobe. "Given this progress, and incollaboration with several of our technology partners – including Apple,Facebook, Google, Microsoft and Mozilla – Adobe is planning to end-of-lifeFlash. Specifically, we will stop updating and distributing the FlashPlayer at the end of 2020 and encourage content creators to migrate anyexisting Flash content to these new open formats."

Security updates have been issued by Debian (catdoc, gsoap, and libtasn1-3), Fedora (GraphicsMagick, java-1.8.0-openjdk, krb5, librsvg2, nodejs, phpldapadmin, rubygem-rack-cors, and yara), Mageia (irssi), openSUSE (rubygem-puppet), Red Hat (kernel), Slackware (tcpdump), and Ubuntu (imagemagick, linux, linux-raspi2, linux-snapdragon, linux-lts-xenial, mysql-5.5, samba, and xorg-server, xorg-server-hwe-16.04, xorg-server-lts-xenial).

Savoir-faire Linux has announcedthe release of Ring 1.0. "Ring is a free/libre and universalcommunication platform that preserves the users’ privacy and freedoms. Itis a GNU package. It runs on multiple platforms; and, it can be used fortexting, calls, and video chats more privately, more securely, and morereliably."

Improving the security of a system often involves tradeoffs, with the costsmeasured in terms of convenience and performance, among others. To theirfrustration, security-oriented developers often discover that the tolerancefor these costs is quite low. Defenses against reference-count overflowshave run into that sort of barrier, slowing their adoption considerably.Now, though, it would appear that a solution has been found to theperformance cost imposed by reference-count hardening, clearing the waytoward its adoption throughout the kernel.

Here is alengthy and detailed look from Google's Project Zero at the trustedexecution environments that, one hopes, protect devices from compromise."In this blog post we’ll explore the security properties of the twomajor TEEs present on Android devices. We’ll see how, despite their highlysensitive vantage point, these operating systems currently lag behindmodern operating systems in terms of security mitigations andpractices. Additionally, we’ll discover and exploit a major design issuewhich affects the security of most devices utilising bothplatforms. Lastly, we’ll see why the integrity of TEEs is crucial to theoverall security of the device, making a case for the need to increasetheir defences."

Debian has released updates to its stable and old stable distributions. Debian 9.1 is the first update to "stretch"and Debian 8.9 is the ninth update to"jessie". These updates do not constitute a new versions of Debian, theyonly update some of the packages included. "Those who frequentlyinstall updates from security.debian.org won't have to update manypackages, and most such updates are included in the point release."

Security updates have been issued by CentOS (graphite2 and java-1.8.0-openjdk), Debian (atril, bind9, catdoc, and qemu), Fedora (glpi, GraphicsMagick, heimdal, kernel, nodejs, perl-XML-LibXML, and qt5-qtwebengine), Gentoo (adobe-flash), Mageia (c-ares, expat, flash-player-plugin, gnutls, libgcrypt, libtiff, sane, and tnef), openSUSE (evince and xorg-x11-server), Scientific Linux (graphite2), Slackware (seamonkey), and Ubuntu (heimdal and linux-lts-trusty).

Debian's reproducible builds project has posted an update of what it hasaccomplished over the last few years. "On our website thereare nice colourful graphs showing our progress in numerical terms. Inparticular, let us point to thestretch/amd64 graph: since our slow start ~3 years ago we have been steadily improving the reproducibility ofour archive, reaching a staggering 94% at the time of writing!"

The 4.13-rc2 kernel prepatch is out fortesting. "Changes all over, although the diffstat is dominated bythe new vboxvideo staging driver. I shouldn't have let it through, butGreg, as we all know, is 'special'. Also, Quod licet Iovi, and all thatjazz - Greg gets to occasionally break some rules."

The Document Foundation has put out anextensive annual report [PDF] describing its activities in 2016."According to Google Trends, LibreOffice surpassed all other freeoffice suites in early 2016 in terms of user interest, winning a race thatstarted in early 2011. At the end of the year, Datamation confirmed theleading position, with the first article about alternatives toLibreOffice" The report is also availablein German [PDF].

Five new stable kernels were announced by Greg Kroah-Hartman onJuly 21: 4.12.3, 4.11.12, 4.9.39, 4.4.78, and 3.18.62. As usual, they contain important fixes throughout the tree and users shouldupgrade. Note that this is the last release in the 4.11 series, users should move to4.12.x.

Security updates have been issued by Debian (php5 and ruby-mixlib-archive), Fedora (knot, knot-resolver, and spice), Oracle (graphite2 and java-1.8.0-openjdk), Red Hat (graphite2, java-1.6.0-sun, java-1.7.0-oracle, java-1.8.0-openjdk, and java-1.8.0-oracle), Scientific Linux (java-1.8.0-openjdk), and Ubuntu (kernel, linux, linux-raspi2, linux-hwe, and mysql-5.5, mysql-5.7).

There are a few reasons for wanting the ability to get proper stack tracesout of the kernel, including profiling, tracing, and debugging kernelcrashes. Historically, the kernel's tracebacks have been unreliable for anumber of reasons, most of which have been fixed in recent years. Now itseems likely that the 4.14 kernel will include a new mechanism thatshould put our traceback problems behind us — for now.

Security updates have been issued by CentOS (freeradius), Debian (memcached), Fedora (irssi and putty), openSUSE (catdoc), Red Hat (collectd), and Ubuntu (expat, openldap, spice, and tiff).

The LWN.net Weekly Edition for July 20, 2017 is available.

<p>A short sub-thread on the python-ideas mailing list provides some "food forthought" about the purpose and scope of that list, but also some things toperhaps be considered more widely. When discussing new features and ideas,it is common for the conversation to be somewhat hypothetical, but honingin on something that could be implemented takes a fair amount of work forthose participating. If the feature is proposed and championed by someonewho has no intention of actually implementing it, should the thread comewith some kind of warning?

<p>An under-the-radar proposal to stop building i686 kernels for Fedora led toa discussion about dropping support for 32-bit x86 hardware. Any of thehardware that needs these kernels is quite old, but participants in athread on the Fedora devel mailing list noted that those systems stillexist—some run Fedora. As the discussion progressed, though, it becameclear that the Fedora i686 kernel has been in rough shape for some time now.

<p>CPython is the reference implementation of Python, so it is,unsurprisingly, the target for various language-extension modules. But theAPI and ABI it provides to those extensions ends up limiting whatalternative Python implementations—and even CPython itself—can do, sincethose interfaces must continue to be supported. Beyond that, though, theinterfaces are not clearly delineated, so changes can unexpectedly affect extensionsthat have come to depend on them. A recent thread on the python-ideasmailing list looks at how to clean that situation up.

The GnuPG Project has announced the availability of Libgcrypt 1.8.0."This is a new stable version of Libgcrypt with full API and ABI compatibility to the 1.7 series. Its main features are supportBlake-2, XTS mode, an improved RNG, and performance improvements for theARM architecture."

Security updates have been issued by Arch Linux (c-ares, freeradius, gvim, lib32-libtiff, libtiff, pcre, rkhunter, and vim), Debian (apache2, evince, imagemagick, unattended-upgrades, and vim), Fedora (openldap, php, and poppler), Oracle (freeradius), SUSE (evince and systemd, dracut), and Ubuntu (apport, icu, and libtasn1-3).

Software patents may not have brought about the free-software apocalypsethat some have feared over the years, but they remain a minefield for thesoftware industry as a whole. A small-scale example of this can be seen inthe recent decision by the Apache Software Foundation (ASF) to move alicense with patent-related terms to its "Category-X"list of licenses that cannot be used by ASF projects. A number ofprojects will be scrambling to replace software dependencies on a shorttimeline, all because Facebook wanted to clarify its patent-licensingterms.

Linux.com takesa look at Google's OSS-Fuzz threat detection tool. "Google alsoannounced that it is expanding its existing PatchRewards program to include rewards for the integration of fuzztargets into OSS-Fuzz. To qualify for these rewards, a project needs tohave a large user base and/or be critical to global ITinfrastructure. Eligible projects will receive $1,000 for initialintegration, and up to $20,000 for ideal integration (the final amount isat Google’s discretion). Project leaders have the option of donating theserewards to charity instead, and Google will double the amount."LWN covered OSS-Fuzz last January.

Remix OS was an effort to bring Android to the PC, which included akickstarter campaign to build products using Remix OS. Now Jide Technology, makers of Remix OS, hasannounced a change in focus that leaves Remix OS out of the picture. "We’ll be restructuring our approach to Remix OS and transitioning away from the consumer space. As a result, development on all existing products such as Remix OS for PC as well as products in our pipeline such as Remix IO and IO+ will be discontinued. Full refunds will be issued to ALL BACKERS via Kickstarter for both Remix IO and Remix IO+. In addition any purchases made via our online store that has remained unfulfilled will also be fully refunded. This requires no action from you as we will begin issuing refunds starting August 15th."

Security updates have been issued by Debian (libmtp), Fedora (kernel), Red Hat (freeradius and kernel), Scientific Linux (freeradius), and Ubuntu (libgcrypt11).

Security updates have been issued by Arch Linux (apache, evince, and mosquitto), Debian (apache2, evince, heimdal, and knot), Fedora (c-ares, cacti, evince, GraphicsMagick, httpd, jabberd, libgcrypt, openvas-cli, openvas-gsa, openvas-libraries, openvas-manager, openvas-scanner, poppler, qt5-qtwebengine, qt5-qtwebkit, spatialite-tools, and sqlite), openSUSE (gnutls, ncurses, qemu, and xorg-x11-server), Slackware (mariadb and samba), SUSE (cryptctl), and Ubuntu (heimdal and samba).

Version6 of the Mageia distribution is available. "Though Mageia 6’sdevelopment was much longer than anticipated, we took the time to polish itand ensure that it will be our greatest release so far." Highlightsinclude KDE Plasma 5, the DNF package manager as an alternative tourpmi, and an experimental ARM port. Details can be found inthe releasenotes.

By the end of the 4.13 merge window, 11,258 non-merge changesets hadbeen pulled into the mainline repository — about 3,600 since the first half of this series was written.That is nowhere near the 12,920 changesets that landed during the 4.12merge window, but it still makes for a typically busy development cycle.What follows is a summary of the more interesting changes found in thoselast 3,600+ changesets.

Linus has released 4.13-rc1 and closed themerge window for this cycle. "Once again, the diffstat is absolutelydominated by some AMD gpu header files, but if you ignore that, things lookpretty regular, with about two thirds drivers and one third "rest"(architecture, core kernel, core networking, tooling)."

Greg Kroah-Hartman has announced the release of five new stable kernels: 4.12.2, 4.11.11. 4.9.38, 4.4.77, and 3.18.61. As usual, they contain importantfixes and users should upgrade.

The Drupal Association has issued alengthy statement on why Larry Garfield has been removed from hismanagement roles in the Drupal project. "Larry's subsequent blogposts harmed the community and had a material impact on the DrupalAssociation, including membership cancellations from those who believed wedoxed, bullied, and discriminated against Larry as well as significantstaff disruption. Due to the harm caused, the Drupal Association isremoving Larry Garfield from leadership roles that we are responsible for,effective today." See this articlefor background information.

Security updates have been issued by Debian (bind9, heimdal, samba, and xorg-server), Fedora (cacti, evince, expat, globus-ftp-client, globus-gass-cache-program, globus-gass-copy, globus-gram-client, globus-gram-job-manager, globus-gram-job-manager-condor, globus-gridftp-server, globus-gssapi-gsi, globus-io, globus-net-manager, globus-xio, globus-xio-gsi-driver, globus-xio-pipe-driver, globus-xio-udt-driver, jabberd, myproxy, perl-DBD-MySQL, and php), openSUSE (libcares2), SUSE (xorg-x11-server), and Ubuntu (evince and nginx).

It has been nearly one month since the StackClash vulnerability was disclosed and some hardening measures wererushed into the 4.12 kernel release. Since then, a fair amount of work hasgone into fixing problems caused by those measures and porting the result backto stable kernel releases. Now, it seems, the kernel developers areconsidering taking a different approach entirely.

Security updates have been issued by Arch Linux (irssi), CentOS (httpd and kernel), Debian (nginx), Fedora (perl-DBD-MySQL and qt5-qtwebengine), Mageia (apache-mod_fcgid, cairo, jbig2dec, nodejs, and sudo), openSUSE (libreoffice, spice, and systemd), Red Hat (python-django-horizon), and SUSE (kernel and xorg-x11-server).

The LWN.net Weekly Edition for July 13, 2017 is available.

A less than two-month-old project for OpenBSD, kernel address spacerandomized link (KARL), has turned the kernel into anobject that is randomized on every boot. Instead of the code being storedin the same location for every boot of a given kernel, each boot will be unique. Unlike Linux's kernel addressspace layout randomization (KASLR), which randomizes the base addressfor all of the kernel code on each boot, KARL individually randomizes theobject files that get linked into the binary. That means that a single information leakof a function address from the kernel does not leak information aboutthe location of all other functions.

The much anticipated release of Fedora 26 was made onJuly 11. As usual, it came with a wide array of updated packages,everything from the kernel through programming languages to desktops, butthere are also internal tools and installation mechanisms that have changedas well. Beyond that, the new Python ClassroomLab is aimed at teachers and instructors to make it easier to get afull-featured Python (of various flavors and with lots of extras) inseveral different easily installable forms. Though it was delayed by morethan a month from its original planned release date—something the project embraces at some level—Fedora 26looks like it was worth waiting for.

<p>Validating user input is a long-established security best practice, butthere can be differences of opinion about what should be done when thatvalidation fails. A recently reported bug in systemd has fostered adiscussion on that topic; along the way there has also been discussionabout how much validation systemd should actually be doing and how much should be left upto the underlying distribution. The controversy all revolves aroundusernames that systemd does not accept, but that some distributions (andPOSIX) find to be perfectly acceptable.

Stable kernels 4.12.1, 4.11.10, and 4.9.37 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Arch Linux (flashplugin, lib32-flashplugin, lib32-gnutls, libdwarf, nginx, nginx-mainline, and tor), Debian (spice and undertow), Fedora (bind, bind-dyndb-ldap, chromium-native_client, dnsperf, expat, flatpak, GraphicsMagick, httpd, jetty, libdb, libsndfile, mingw-LibRaw, mosquitto, php-horde-Horde-Image, qt5-qtwebengine, xen, and yara), Oracle (httpd and kernel), Red Hat (flash-plugin, httpd, and kernel), Scientific Linux (httpd and kernel), and SUSE (spice).

The Git source-code management system is widely known for its flexibilityand for the distributed development model that it supports. Its reputationfor ease of use is ... less well established. There should, thus, bean opening for front-end systems that can make Git easier to use. One ofthe most comprehensive Git front ends, Magit, works within the Emacs editor and has awide following. But Magit has run into some turbulence within the Emacsdevelopment community that is blocking its wider distribution.

The Power Management and Energy-awareness microconference has beenaccepted for this year's Linux Plumber's Conference, which runs September13-15 in Los Angeles, CA. "The agenda this year will focus on arange of topics including CPUfreq core improvements and schedutil governor extensions, how to best usescheduler signals to balance energy consumption and performance anduser space interfaces to control capacity and utilization estimates.We'll also discuss selective throttling in thermally constrainedsystems, runtime PM for ACPI, CPU cluster idling and the possibility toimplement resume from hibernation in a bootloader."

Security updates have been issued by Debian (jetty8, tiff, and tiff3) and Slackware (libtirpc and rpcbind).

The Fedora 26release is out. "First, of course, we have thousandsimprovements from the various upstream software we integrate, including newdevelopment tools like GCC 7, Golang 1.8, and Python 3.6. We’ve added a newpartitioning tool to Anaconda (the Fedora installer) — the existingworkflow is great for non-experts, but this option will be appreciated byenthusiasts and sysadmins who like to build up their storage scheme frombasic building blocks. F26 also has many under-the-hood improvements, likebetter caching of user and group info and better handling of debuginformation. And the DNF package manager is at a new major version (2.5),bringing many new features." More details can be found in therelease notes.

The 4.13 merge window is in progress, and, as usual, LWN is watching thecommit stream. Click below (subscribers only) for the first report on whathas been merged for the 4.13 release. It appears that this will be anotherbusy development cycle.

Encrypted Media Extensions (EME) have been under review by the W3C AdvisoryCommittee since last March. This reportfrom the committee addresses comments and objections to EME."After consideration of the issues, the Director reached a decisionthat the EME specification should move to W3C Recommendation. The EncryptedMedia Extensions specification remains a better alternative for users thanother platforms, including for reasons of security, privacy, andaccessibility, by taking advantage of the Web platform. While additionalwork in some areas may be beneficial for the future of the Web Platform, itremains appropriate for the W3C to make the EME specification a W3CRecommendation. Formal publication of the W3C Recommendation will happen ata later date. We encourage W3C Members and the community to work in bothtechnical and policy areas to find better solutions in this space."The Free Software Foundation's Defective by Design campaign opposesEME arguing that it infringes on Web users' control of their owncomputers, and weakens their security and privacy. "Opponents' last opportunity to stop EME is an appeal by the Advisory Committee of the World Wide Web Consortium (W3C), the body which Tim Berners-Lee heads. Requiring 5% of the Committee's 475 members (corporate, nonprofit, and educational institutions) to sign on within a two-week period, the appeal would then trigger a vote from the whole Committee to make a final decision to ratify or reject EME."

Software in the Public Interest (SPI) has announced the availability of its2016 AnnualReport [PDF], covering the 2016 calendar year. "We’ve seen a lotof change this year. Several long-term board members retired from theboard, including Bdale Garbee who served as SPI’s President for many years.There was a lot of interest in SPI’s board election and severalnew contributors joined the board. The board met in person in February todiscuss outstanding issues and work on long-term plans."

Security updates have been issued by Debian (bind9, jetty, mpg123, phpldapadmin, sqlite3, and xorg-server), Fedora (bind, bind99, dhcp, drupal7, GraphicsMagick, httpd, irssi, jetty, jetty-alpn, jetty-test-helper, libdb, libgcrypt, mosquitto, ocaml, pius, qt5-qtwebkit, tomcat, xen, and zabbix), Gentoo (feh, gajim, game-music-emu, jasper, libcroco, libsndfile, man-db, nm-applet, openslp, phpmyadmin, roundcube, virglrenderer, and vlc), openSUSE (irssi, kernel, libgcrypt, and xen), Slackware (irssi and php), and Ubuntu (poppler).

The Qubes OS project has announced a program for the certification of"reasonably secure" laptops, but users will have to wait to get such amachine: "So far, no third-party manufacturers have produced a computerthat satisfies these requirements. However, ITL has entered initial talks witha promising partner with whom we can foresee creating a true Reasonably SecureLaptop."

On his blog, Richard WM Jones describes work he has done on an automated patch testing system that is similar to the kernel 0-day test service. "Today I thought I’d write something like this, partly to reinvent the wheel, but mostly to learn more about the RabbitMQ message broker.You see, if you have to receive emails, run large tests, and send more emails, then at least two and possibly more machines and going to be involved, and as soon as you are using two or more machines, you are writing a distributed system and you need to use the right tools. Message brokers and RabbitMQ in particular make writing distributed systems easy — trust me, I’ll show you how!"

In what seems to be an acknowledgment of the status quo, rather than a big change, GNU C library (glibc) founder and maintainer Roland McGrath has stepped down from the project. This is not caused by any "big news with me", he said, just a recognition that he has drifted away from the project. "This summer marks 30 years since I began writing the GNU C Library.(That's two thirds of my lifespan so far.) It's long enough.So, I'm hereby declaring myself maintainer emeritus and withdrawing fromdirect involvement in the project. These past several months, if notthe last few years, have proven that you don't need me any more.You'll make good decisions, as you've already made good decisions.You'll actually get around to implementing some of the things I've beensuggesting or meaning to do (or saying I would do) for years, as you'vealready made progress on some of those ideas in recent months. If Istayed around to give advice, you'd ignore my advice to be more paranoidand more cautious, plow ahead anyway, ship it, and then have to redressthe problem when the practical issues manifested, as you've already doneand had to do. :-) All in all, I have no doubt at all that the jobyou're doing now and will do in the future maintaining glibc is betterthan I ever did that job myself and at least as good as my presence inthe project might ever make it." As several responses to the post have already indicated, McGrath will be missed.