LWN.net

Red Hat, CentOS, and Scientific Linux have announced theend-of-life for version 5 of their enterprise Linux offering. As of March31, 2017 there will be no more updates, including security updates.

Security updates have been issued by Fedora (samba) and openSUSE (ceph).

The 4.11-rc5 kernel prepatch has beenreleased for testing. "Ok, things have definitely started to calmdown, let's hope it stays this way and it wasn't just a fluke thisweek."

The mount()system call tries to do too many things, Miklos Szeredi said at the startof a filesystem-only discussion at LSFMM 2017. He has been interested incleaning that up for a long time. So he wanted to discuss some ideas hehad for a new interface to mount filesystems.

Security updates have been issued by Debian (ejabberd, jhead, and samba), Fedora (chromium, drupal8, empathy, erlang, firefox, icoutils, kernel, knot-resolver, libICE, libupnp, libXdmcp, links, mbedtls, moodle, mupdf, ntp, openslp, R, rkward, rpy, sane-backends, sscg, tcpreplay, thunderbird, and webkitgtk4), Mageia (kernel, kernel-linus, and kernel-tmb), openSUSE (apache2, Chromium, kernel, and virglrenderer), Oracle (kernel), and Slackware (samba).

Crunchy Data has announcedthe availability of a "security technical implementation guide" for thePostgreSQL database management system. "While the STIG was authoredfor the benefit of the U.S. Government, the DISA PostgreSQL STIG offerssecurity-conscious enterprises a comprehensive guide for the configurationand operation of open source PostgreSQL. Enterprises can refer to the STIGas for guidance on PostgreSQL security best practices they consider opensource PostgreSQL as an alternative to proprietary, closed source, databasesoftware."

The Scientific Linux project has announced that Scientific Linux 5 has reached its end of life. "After March 31 2017 Scientific Linux 5 will not receive further updates and the files will be archived.The existing files will be moved into http://ftp.scientificlinux.org/linux/scientific/obsolete/ for archival purposes after March 31 2017.This will break existing yum repos and kickstarts using the official distribution servers."

When Andreas Dilger proposed the statx() topic for the 2017 LinuxStorage, Filesystem, and Memory-Management Summit, the system call hadstill not been merged. But that all changed in the 4.11 development cycle when Al Viro merged thesystem call to provide additional file information. So, unlikeprevious years, the discussion was not about how to merge such a system call but,instead, how to extend statx() for additional file information.

The 4.10.8, 4.9.20, and 4.4.59 stable kernels have been released.Users of those kernel series should upgrade.[Update: It appears that the urgency for getting these stable kernels out comes from a fix for CVE-2017-7184, which is a local privilege-escalation vulnerability.]

Security updates have been issued by Arch Linux (chromium), Debian (tiff3), Fedora (erlang), Mageia (deluge and mariadb), openSUSE (GraphicsMagick, pidgin, and wget), Red Hat (chromium-browser), and Ubuntu (firefox and samba).

Version2.3 of the OpenShot video editor has been released. "This is oneof the biggest updates ever to OpenShot, and is filled with new features,performance improvements, and tons of bug fixes". This release addsa new transform tool, better zooming, better title editing, and more; therazor tool has also made a comeback.

Videos from the LibrePlanet 2017 keynotes and sessions are becoming available at media.libreplanet.org; many are already posted and others will be filled in over the next few days. "LibrePlanet 2017 closed Sunday, March 26th with a keynote bySumana Harihareswara, bringing to an end two days ofpresentations, workshops, hacking, conversations, and fun. Morethan 400 people interested in free software joined the FreeSoftware Foundation (FSF) and MIT's Student Information ProcessingBoard (SIPB) in Cambridge, MA for the 9th annual LibrePlanet." LWN was there for the conference, so you can expect more coverage coming soon (our first article on Conor Schaefer's SecureDrop talk appeared in the March 30 weekly edition).

Greg Kroah-Hartman has announced the release of the 4.10.7, 4.9.19, and 4.4.58 stable kernels. They contain fixesthroughout the tree and users of those series should upgrade. The nextround of stable kernels is also in the review process at this point and those kernelscan be expected on April 1.

Security updates have been issued by Debian (firebird2.5), openSUSE (gstreamer-0_10-plugins-good and php5), Oracle (curl), SUSE (kernel and samba), and Ubuntu (kernel, linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux, linux-ti-omap4, linux-hwe, linux-lts-trusty, linux-lts-xenial, and oxide-qt).

The LWN.net Weekly Edition for March 30, 2017 is available.

The overlayfs filesystem is being used moreand more these days, especially in conjunction with containers. Amir Goldstein and Miklos Szerediled a discussion about recent and upcoming features for the filesystem atLSFMM 2017.

The latest version of the Vivaldi web browser highlights a new Historyfeature that "lets users explore their browsing patterns, backedby statistics and visual clues". There are a number of new ways tofind old URLs in your history. "The latest releasealso includes more options for taking notes in the browser, powerful soundcontrol for tabs and other improvements." While you have access toyour browsing history, Vivaldi does not collect your history data.

Memory-management (MM) patches are notoriously difficult to get merged into themainline kernel. They are subjected to a high degree of review becausethis is an area where it is easy to get things wrong. Or, at least, thatis how it used to be. The final memory-management session at the 2017Linux Storage, Filesystem, and Memory-Management Summit was concerned withpatch review in the MM subsystem — or the lack of it.

Security updates have been issued by CentOS (icoutils and openjpeg), Debian (eject, graphicsmagick, libytnef, and tnef), Fedora (drupal8, firefox, kernel, ntp, qbittorrent, texlive, and webkitgtk4), Oracle (bash, coreutils, glibc, gnutls, kernel, libguestfs, ocaml, openssh, qemu-kvm, quagga, samba, samba4, tigervnc, and wireshark), Red Hat (curl), Slackware (mariadb), SUSE (samba), and Ubuntu (apparmor).

David Malcolm has put together thebeginnings of an unofficial guide to GCC for developers who are gettingstarted with the compiler. "I’m a relative newcomer to GCC, so Ithought it was worth documenting some of the hurdles I ran into when Istarted working on GCC, to try to make it easier for others to starthacking on GCC. Hence this guide."

The userfaultfd() system callallows user space to intervene in the handling of page faults. As AndreaArcangeli and Mike Rapaport described in a 2017 Linux Storage, Filesystem,and Memory-Management Summit session dedicated to the subject,userfaultfd() was originally created to help with the livemigration of virtual machines between physical hosts. It allows pages tobe copied to the new host on demand, after the machine itself has beenmoved, leading to faster, more predictable migrations. Work onuserfaultfd() is not finished, though; there are a number of otherfeatures that developers would like to add.

A processor's translation lookaside buffer (TLB) caches the mappings fromvirtual to physical addresses. Looking up virtual addresses is expensive,so good performance often depends on making the best use of the TLB. Inthe memory-management track of the 2017 Linux Storage, Filesystem, andMemory-Management Summit, Mike Kravetz described a SPARC processor featurethat can improve TLB performance and explored ways in which that featurecould be supported.

Version1.6 of the Kubernetes orchestration system is available. "Inthis release the community’s focus is on scale and automation, to help youdeploy multiple workloads to multiple users on a cluster. We are announcingthat 5,000 node clusters are supported. We moved dynamic storageprovisioning to stable. Role-based access control (RBAC), kubefed, kubeadm,and several scheduling features are moving to beta. We have also addedintelligent defaults throughout to enable greater automation out of thebox."

Google has announcedthe launch of opensource.google.com. "Today, we’re launching opensource.google.com, a new website for Google Open Source that ties together all of our initiatives with information on how we use, release, and support open source.This new site showcases the breadth and depth of our love for open source. It will contain the expected things: our programs, organizations we support, and a comprehensive list of open source projects we've released. But it also contains something unexpected: a look under the hood at how we "do" open source."

When the transparent huge page feature was added to the kernel, it onlysupported anonymous (non-file-backed) memory. In 2016, support for huge pages in the page cache wasadded, but only the tmpfs filesystem was supported. There is interest inexpanding support to other filesystems, since, for some workloads, theperformance improvement can be significant. Kirill Shutemov led the onlysession that combined just the filesystem and memory-management tracks atthe 2017 Linux Storage, Filesystem, and Memory-Management Summit in adiscussion of adding huge-page support to the ext4 filesystem.

Security updates have been issued by Debian (eject, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, gst-plugins-ugly1.0, gstreamer1.0, php5, and tiff), Fedora (kernel), Gentoo (curl, deluge, libtasn1, and xen-tools), Mageia (mbedtls, putty, and roundcubemail), openSUSE (dbus-1, gegl, mxml, open-vm-tools, partclone, qbittorrent, tcpreplay, and xtrabackup), and Ubuntu (eject, gst-plugins-base0.10, gst-plugins-base1.0, and gst-plugins-good0.10, gst-plugins-good1.0).

DAX is the mechanism that enables direct access to files stored inpersistent memory arrays without the need to copy the data through the pagecache. At the 2017 Linux Storage, Filesystem, and Memory-ManagementSummit, Ross Zwisler led a plenary session on the future of DAX. Development inthis area offers a number of interesting trade-offs between data safety andenabling the highest performance.

DragonFly BSD 4.8 has been released. "DragonFlyversion 4.8 brings EFI boot support in the installer, further speedimprovements in the kernel, a new NVMe driver, a new eMMC driver, and Intelvideo driver updates." DragonFly is an independent BSD variant,perhaps best known for the HAMMER filesystem.

The Free Software Foundation has announcedthe winners of the 2016 Free Software Awards. The Award for Projectsof Social Benefit went to SecureDropand the Award for the Advancement of Free Software went to Alexandre Oliva. "SecureDrop is an anonymous whistleblowing platform used by major news organizations and maintained by Freedom of the Press Foundation. Originally written by the late Aaron Swartz with assistance from Kevin Poulsen and James Dolan, the free software platform was designed to facilitate private and anonymous conversations and secure document transfer between journalists and sensitive sources."

Stable kernels 4.10.6, 4.9.18, and 4.4.57 have been released. All of themcontain important fixes and users should upgrade.

Security updates have been issued by Debian (apt-cacher, jbig2dec, libplist, python3.2, tnef, and xrdp), Fedora (firefox, mbedtls, and sane-backends), Mageia (flash-player-plugin, freetype2, glibc, kernel, kernel-linus, kernel-tmb, libquicktime, libwmf, and tnef), and Ubuntu (thunderbird).

The 4.11-rc4 kernel prepatch is out fortesting. "So on the whole things look fine. There's changes allover, and in mostly the usual proportions. Some core kernel code shows upin the diffstat slightly more than it usually does - we had an audit fixand a bpf hashmap fix, but on the whole it all looks very regular."

In the memory-management subsystem, the term "mapping" refers to theconnection between pages in memory and their backing store — the file thatrepresents them on disk. One of the fundamental assumptions in thekernel is that a given page in the page cache belongs to exactly one mapping.But, as Miklos Szeredi explained in a plenary session at the 2017 LinuxStorage, Filesystem, and Memory-Management Summit, there are situationswhere it would be desirable to associate the same page with multiplemappings. Achieving this goal may not be easy, though.<p>Click below (subscribers only) for continuing coverage from LSFMM 2017

The Eudyptula Challenge is aseries of programming exercises for the Linux kernel. It starts from avery basic "Hello world" kernel module, moves up in complexity to gettingpatches accepted into the main kernel. The challengewill be closed to new participants in a few months, when 20,000 people havesigned up. LWN covered the Eudyptula Challenge in May 2014,when it was fairly new. At this time over 19,000 people have signed up andonly 149 have finished.

Security updates have been issued by Arch Linux (libpurple), Debian (audiofile, cgiemail, and imagemagick), Fedora (cloud-init, empathy, and mupdf), Mageia (firefox and thunderbird), Scientific Linux (icoutils and openjpeg), Slackware (mcabber and samba), and Ubuntu (eglibc).

Back in 2015, the OpenSSL project announced itsintent to move away from its rather quirky license. Now it has announcedthat thechange is moving forward. "After careful review, consultationwith other projects, and input from the Core Infrastructure Initiative andlegal counsel from the SFLC, the OpenSSL team decided to relicense the codeunder the widely-used ASLv2." It is worth noting that this changeand the way it is being pursued are not universally popular, in the OpenBSD camp, at least.

Laszlo Agocs takesa look at improvements to the basic OpenGL enablers that form thefoundation of Qt Quick and the optional OpenGL-based rendering path ofQPainter in Qt 5.9. "Asexplained here, such shader programs will attempt to cache the programbinaries on disk using GL_ARB_get_program_binaryor the standard equivalents in OpenGL ES 3.0. When no support is providedby the driver, the behavior is equivalent to the non-cached case. The filesare stored in the global or per-process cache location, whichever is writable. The result is a nice boost in performance when a program is created with the same shader sources next time."

Security updates have been issued by Debian (audiofile, jhead, libxslt, samba, suricata, and wordpress), Fedora (openslp), Mageia (icoutils, kdelibs4, and virtualbox), Oracle (icoutils and openjpeg), Red Hat (icoutils and openjpeg), and Ubuntu (audiofile, git, and samba).

The LWN.net Weekly Edition for March 23, 2017 is available.

GitLab 9.0 has been releasedwith many new features and improvements. "In the last several releases, GitLab has transformed how development teams get from idea to production. In just a few minutes, you can deploy GitLab to a container scheduler, add CI/CD with auto deployed review apps, utilize ChatOps, and analyze your cycle time. With 9.0 you can now watch your deploys with deploy boards and monitor application performance with Prometheus."

The NTPsec Project has announced the 0.9.7 release of NTPsec, withassistance from the Mozilla Foundation's "Secure Open Source" initiative.NTPsec is an implementation of the Network Time Protocol (NTP)."NTPsec 0.9.7 incorporates significant improvements in security, accuracy,precision, visualization, and usability, with assistance, contributions,and audits provided by infosec researchers and other technical contributors.For this release, the NTPsec Project worked particularly closely with theMozilla Foundation's "Secure Open Source" initiative, who funded an infosecaudit, and with Cure53.de, who provided the audit."

The GNOME Project has announced the release of GNOME 3.24, "Portland"."This release is the result of 6 months’ hard work by the GNOME community.It contains major new features such as night light, as well as many smallerimprovements and bug fixes. GNOME's existing applications have beenimproved and there is also a new Recipes app. Improvements to our platforminclude refined notifications and several revamped settings panels."

Greg Kroah-Hartman has released stable kernels 4.10.5, 4.9.17, and 4.4.56. All of them contain important fixesand users should upgrade.

Security updates have been issued by Arch Linux (irssi), Fedora (qemu), openSUSE (mbedtls), and Ubuntu (eglibc, glibc).

In a morning plenary session on the first day of the 2017 Linux Storage,Filesystem, and Memory-Management Summit, Jérôme Glisse led a discussion onmemory that cannot be addressed by the CPU because it lives in devices likeGPUs or FPGAs. There is often a substantial pile of memory on thesedevices and it can be accessed much more quickly by the devices than thesystem RAM can be. Making it easier for user-space programmers to use thatmemory transparently is the goal of the heterogeneous memory management (HMM) patchesthat Glisse has been working on.

Matthew Garrett announces a new,hopefully more efficient process for reviewing bootloaders to be used withShim in UEFI secure bootsystems. "To that end, we're adopting a new model. A mailing listhas been created at shim-review@lists.freedesktop.org, and members of thislist will review submissions and provide a recommendation to Microsoft onwhether these should be signed or not."

The Android Developers Blog introducesthe first developer preview of Android O. This version includesbackground limits, notification channels, autofill APIs, PIP for handsets,font resources in XML, adaptive icons, and much more. "Building on the work we began in Nougat, Android O puts a big priority on improving a user's battery life and the device's interactive performance. To make this possible, we've put additional automatic limits on what apps can do in the background, in three main areas: implicit broadcasts, background services, and location updates. These changes will make it easier to create apps that have minimal impact on a user's device and battery. Background limits represent a significant change in Android, so we want every developer to get familiar with them."

KDevelop is KDE's Integrated Development Environment (IDE). Version 5.1has been releasedwith LLDB support, Analyzer run mode, initial OpenCL language support,improved Python language support, and more.

Red Hat has announcedthe release of Red Hat Enterprise Linux 6.9. "Red Hat Enterprise Linux 6.9 delivers new hardware support developed in collaboration with Red Hat partners which helps to provide a smooth transition of Red Hat Enterprise Linux 6 production deployments to Red Hat Enterprise Linux 7 environments. Additionally, Red Hat Enterprise Linux 6.9 adds updates to TLS 1.2 to further enhance secure communications and provide broader support for the latest PCI-DSS standards, better equipping enterprises to offer more secure online transactions."

Security updates have been issued by Debian (sitesummary), Fedora (jasper, knot-resolver, R, rkward, rpm-ostree, rpy, w3m, and xen), openSUSE (firefox), Red Hat (bash, coreutils, glibc, gnutls, kernel, libguestfs, ocaml, openssh, qemu-kvm, quagga, samba, samba4, subscription-manager, tigervnc, and wireshark), and Ubuntu (eglibc, glibc, firefox, freetype, gnutls26, NVIDIA graphics, and nvidia-graphics-drivers-375).