LWN.net

It is well understood that old and unmaintained software tends to be abreeding ground for security problems. These problems are never welcome, but theyare particularly worrying when the software in question is a net-facingtool like a web browser. Standalone browsers are (hopefully) reasonablywell maintained, but those are not the only web browsers out there; theycan also be embedded into applications. The effort to do away with oneunmaintained embedded browser is finally approaching its conclusion, butthe change appears to have caught some projects unaware.

Firefox 55.0 has been released. From the releasenotes: "Today's release brings innovative functionality, improvements to core browser performance, and more proof that we’re committed to making Firefox better than ever. New features include support for WebVR, making Firefox the first Windows desktop browser to support VR experiences. Performance changes include significantly faster startup times when restoring lots of tabs and settings that let users take greater control of our new multi-process architecture. We’ve also upgraded the address bar to make finding what you want easier, with search suggestions and the integration of our one-click search feature, and safer, by prioritizing the secure - https - version of sites when possible."

Daniel Vetter describeshow the kernel community scales and why he feels that the GitHub model tends not towork for the largest projects. "Unfortunately github doesn’t supportthis workflow, at least not natively in the github UI. It can of course bedone with just plain git tooling, but then you’re back to patches onmailing lists and pull requests over email, applied manually. In my opinionthat’s the single one reason why the kernel community cannot benefit frommoving to github. There’s also the minor issue of a few top maintainersbeing extremely outspoken against github in general, but that’s a notreally a technical issue. And it’s not just the linux kernel, it’s all hugeprojects on github in general which struggle with scaling, because githubdoesn’t really give them the option to scale to multiple repositories,while sticking to with a monotree."

Security updates have been issued by Fedora (cacti, freerdp, remmina, subversion, supervisor, webkitgtk4, and wireshark), Mageia (gdm, librsvg, php, libgd, and swftools), openSUSE (cacti, cacti-spine), Red Hat (java-1.7.0-openjdk and kernel), SUSE (kernel), and Ubuntu (freerdp, kernel, linux-lts-trusty, and shotwell).

When a small business contemplates getting away from a proprietaryaccounting tool like QuickBooks in favor of free software like GnuCash, thefirst order of business is usually finding a way to liberate thatbusiness's accounting data for input into a new system. Strangely enough,Intuit, the creator of QuickBooks, never quite got around to making thateasy to do. But it turns out that, with a bit of effort, this move can be made. Getting there involveswandering through an undocumented wilderness; this article is at attempt tomake things easier for the next people to come along.

Stable kernels 4.12.5, 4.9.41, and 4.4.80 have been released. All of themcontain important fixes and users should upgrade.

Security updates have been issued by Debian (chromium-browser, kernel, libsndfile, and qemu), Fedora (php-PHPMailer, qpdf, qt5-qtwebengine, qt5-qtwebkit, and ruby), Mageia (evince), openSUSE (icoutils and poppler), Red Hat (log4j), SUSE (kernel), and Ubuntu (openvpn and tiff).

The 4.13-rc4 kernel prepatch is out fortesting."Anyway, nothing really stands out, and while I really hope that we'llsee things calm down further, everything looks pretty much on trackfor a normal release.So go test things out. By now it should really be pretty safe."

Nonvolatile memory offers the promise of fast, byte-addressable storagethat persists over power cycles. Taking advantage of that promiserequires the imposition of some sort of directory structure so that thepersistent data can be found. There are a few approaches to theimplementation of such structures, but the usual answer is to employ afilesystem, since managing access to persistent data is what filesystemswere created to do. But traditional filesystems are not a perfect match tononvolatile memory, so there is a natural interest in new filesystems thatwere designed for this media from the beginning. The recently posted NOVA filesystem is a new entry in this race.

Git v2.14.0 has been released with several notable changes, many updates,and plenty of bug fixes. The release notes (below) contain the details.

Security updates have been issued by Fedora (evince and rt), Mageia (catdoc, freerdp, kernel, qpdf, R-base, spice, sqlite3, and tcpdump), SUSE (kernel and libzypp, zypper), and Ubuntu (linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-hwe, and linux-lts-xenial).

The Register reportsthat the developers of the grsecurity patch set have filed a defamationsuit against Bruce Perens. "A legal complaint filed on behalf ofGrsecurity in San Francisco, California, insists the company's softwarecomplies with the GPLv2. Grsecurity's agreement, the lawsuit states, onlyapplies to future patches, which have yet to be developed. 'There is noexplicit or implicit term, section, or clause in the GPLv2 that isapplicable over future versions or updates of the Patches that have not yetbeen developed, created, or released by [Grsecurity],' the complaintcontends."

The kernel is a huge program; among other things, that means that manyproblems encountered by a kernel developer have already been solvedsomewhere else in the tree. But those solutions are not always well knownor documented. Recently, a seasoned developer confessed to having never encountered the"genpool" memory allocator. This little subsystem does not appear in thekernel documentation, and is likely to be unknown to others as well. Inthe interest of fixing both of those problems, here is an overview ofgenpool (or "genalloc") and what it does.

Version 2.26 of the GNU C Library is out. Changes include a per-threadcache to speed up malloc() calls, Unicode 10.0.0 support, DNS stubresolver improvements, support for the preadv2() and pwritev2() systemcalls, and a handful of security fixes.

Security updates have been issued by Fedora (glpi, open-vm-tools, and seamonkey), Mageia (gnupg), Red Hat (CloudForms and openvswitch), and SUSE (mariadb).

The LWN.net Weekly Edition for August 3, 2017 is available.

The Electronic Frontier Foundation reportsthat Bassel Khartabil, Syrian open source developer, blogger,entrepreneur, hackerspace founder, and free culture advocate, was executedby the Syrian authorities. "Bassel was a central figure in theglobal free culture movement, connecting it and promoting it to Syria'semerging tech community as it existed before the country was ransacked bycivil war. He co-founded Aiki Lab, Syria's first hackerspace, in Damascusin 2010. He was a contributor to Mozilla's Firefox browser and the Syrianlead for Creative Commons. His influence went beyond Syria, however: he wasa key attendee at the Middle East's bloggers' conferences, and played avital role in the negotiations in Doha in 2010 that led to a commonlanguage for discussing fair use and copyright across the Arab-speakingworld." (Thanks to Paul Wise)

Eleven months ago, Dennis Hamilton, the chair of the Apache OpenOffice(AOO) project's project management committee at the time, raised the idea of winding the project down.He worried that AOO lacked a critical mass of developers to keep thingsgoing, and that no new developers were coming in to help. At the time,various defenders came forward and theproject decided try to get back on track. Nearly a year later, areview of how that has gone is appropriate; it doesnot appear that the situation has gotten any better.

Security updates have been issued by Debian (varnish), Fedora (gcc, gcc-python-plugin, libtool, mingw-c-ares, and php-PHPMailer), Red Hat (bash, curl, evince, freeradius, gdm and gnome-session, ghostscript, git, glibc, golang, GStreamer, gtk-vnc, kernel, kernel-rt, libtasn1, mariadb, openldap, openssh, pidgin, postgresql, python, qemu-kvm, qemu-kvm-rhev, samba, tigervnc and fltk, tomcat, and X.org X11 libraries), Slackware (gnupg), and Ubuntu (apache2, lxc, and webkit2gtk).

Red Hat has releasedthe fourth update to Red Hat Enterprise Linux 7. "Red Hat EnterpriseLinux 7.4 offers new automation capabilities designed to limit ITcomplexity while enhancing workload security and performance fortraditional and cloud-native applications. This provides a powerful,flexible operating system backbone to address enterprise IT needs acrossphysical servers, virtual machines and hybrid, public and multi-cloudfootprints." See the releasenotes for more details.

Deadlines have a way of sneaking up on people. For example, not everybodyis ready for the fact that, sometime in 2020, supportfor the Python 2 language will come to an end. This deadline is notexactly news; it was established in 2014 (having been moved back five yearsfrom its original 2015 date). Even so, some developers may not appreciatehow close that date is. Work that is being done in the Python communityand the Fedora distribution shows that even the developers behind thechange haven't entirely figured out how the transition will play out.

Security updates have been issued by Debian (freerdp and ghostscript), Fedora (freerdp, jackson-databind, moodle, remmina, and runc), Red Hat (authconfig, devtoolset-4-jackson-databind, gnutls, libreoffice, NetworkManager and libnl3, pki-core, rh-eclipse46-jackson-databind, samba, and tcpdump), and Ubuntu (apache2, bash, imagemagick, openjdk-8, and rabbitmq-server).

The Krita Foundation is having someunexpected financial difficulties and is looking for help. "Evenwhile we’re working on a new beta for Krita 3.2 and a new development buildfor 4.0 (with Python, on Windows!), we have to release some bad news aswell. The Krita Foundation is having trouble with the Dutch taxauthorities."

The release of MythTV 29.0 has been announced.MythTV is a Digital Video Recorder and home media center hub. According tothe releasenotes, the backend now listens on all addresses and there is a newMythTV startup page. Also mythtv-setup now uses MythUI, support has beenadded for IPV6 link-local addresses, handling of Bluray overlays has beenimproved, and more. LWN looked at MythTV inApril 2016.

Changes to core-kernel subsystems take time but, even so, one can onlyimagine that Tejun Heo never expected the process of fixing thecontrol-group interface to take more than five years. Disagreements overthe design of the new control-group interface have delayed its adoption;even though most of the code has been in the kernel for some time, not allcontrollers work with it. It would now appear, however, that agreement hasbeen reached on an important final piece, which is currently on track to bemerged for the 4.14 development cycle.

For those who are curious about what the next release of the Qubes OSdistribution will bring (and want to help make it better): the firstQubes OS 4.0 release candidate is available."This new Core Stack allows to easily extend the Qubes Architecturein new directions, allowing us to finally build (in a clean way) lots ofthings we’ve wanted for years, but which would have been too complex tobuild on the 'old' Qubes infrastructure. The new Qubes Admin API, which weintroduced in a recent post, is a prime example of one suchfeature."

Security updates have been issued by Debian (apache2, enigmail, graphicsmagick, ipsec-tools, libquicktime, lucene-solr, mysql-5.5, nasm, and supervisor), Fedora (mingw-librsvg2, php-PHPMailer, and webkitgtk4), Mageia (freeradius, gdk-pixbuf2.0, graphicsmagick, java-1.8.0-openjdk, kernel, libmtp, libgphoto, libraw, nginx, openvpn, postgresql9.4, valgrind, webkit2, and wireshark), openSUSE (apache2, chromium, libical, mysql-community-server, and nginx), Oracle (kernel), Red Hat (chromium-browser and eap7-jboss-ec2-eap), Slackware (squashfs), and Ubuntu (linux-hwe and nss).

The 4.13-rc3 kernel prepatch is out fortesting. "Usually rc2 is the really quiet one, but this releasecycle rc2 was fairly busy and it made me worry a bit about whether therewas something bad going on with 4.13. But no, it was just random timing,and people got started sending in fixes early, and this release cycle it'src3 that is small."

Back in 2012, we started a quest to find afree replacement for the QuickBooks Pro package that is used to handleaccounting at LWN. As is the way of such things, that project got boggeddown in the day-to-day struggle of keeping up with the LWN content treadmill,travel, and other obstacles that the world tends to throw into the path ofthose following grand (or not so grand) ambitions. The time has come,however, to restart this quest and, this time, the odds of a successfuloutcome seem reasonably good.

The Document Foundation has announced LibreOffice 5.4, the last majorrelease of the LibreOffice 5.x family. There are some new features inevery module and a number of incremental improvements to Microsoft Officefile compatibility. "Thanks to the efforts of developers, the XMLdescription of a new document written by LibreOffice is 50% smaller in the case of ODF (ODT), and around90% smaller in the case of OOXML (DOCX), in comparison with the samedocument generated by the leading proprietary office suite."

Stable kernels 4.12.4, 4.9.40, 4.4.79, and 3.18.63 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Arch Linux (cacti and chromium), CentOS (tomcat), Debian (roundcube), Fedora (bind99, dhcp, freeradius, golang, mingw-poppler, minicom, php-symfony, and webkitgtk4), openSUSE (GraphicsMagick and the_silver_searcher), Oracle (tomcat), Scientific Linux (tomcat), SUSE (kernel), and Ubuntu (apache2 and freeradius).

Linux.com is carrying an article about email2git by its developer, Alexandre Courouble. Email2git is a way to match up commits and the email thread that discussed them. It currently targets the kernel and threads from the linux-kernel mailing list. There are two separate ways to use it, as an extension to cregit (at https://cregit.linuxsources.org/) that allows browsing changes at the token level or via a search by commit ID interface. "The Linux project's email-based reviewing process is highly effective in filtering open source contributions on their way from mailing list discussions towards Linus Torvalds' Git repository. However, once integrated, it can be difficult to link Git commits back to their review comments in mailing list discussions, especially when considering commits that underwent multiple versions (and hence review rounds), that belong to a multi-patch series, or that were cherry-picked.As an answer to these and other issues, we created email2git, a patch retrieving system built for the Linux kernel. For a given commit, the tool is capable of finding the email patch as well as the email conversation that took place during the review process. We are currently improving the system with support for multi-patch series and cherry-picking." The code for email2git is available on GitHub.

The kernel's CPU scheduler is charged with choosing which task to run next,but also with deciding where in a multi-CPU system that task should run.As is often the case, that choice comes down to heuristics — rules of thumbcodifying the developers' experience of what tends to work best. One keytask-placement heuristic has been in place since 2015, but a recentdiscussion suggests that it may need to be revisited.

Version 4.0 of the Suricata intrusion detection system (IDS) and network security monitor (NSM) has been released. The release has improved detection for threats in HTTP, SSH, and other protocols, improvements to TLS, new support for NFS, additions to the extensible event format (EVE) JSON logging, some parts have been implemented in Rust, and more. "This is the first release in which we’ve implemented parts in the Rustlanguage using the Nom parser framework. This work is inspired by PierreChiffliers’ (ANSSI), talk at SuriCon 2016 (pdf). By compiling with–enable-rust you’ll get a basic NFS parser and a re-implementation ofthe DNS parser. Feedback on this is highly appreciated. The Rust support is still experimental, as we are continuing to explorehow it functions, performs and what it will take to support it in thecommunity. Additionally we included Pierre Chiffliers Rust parsers work.This uses external Rust parser ‘crates’ and is enabled by using–enable-rust-experimental. Initially this adds a NTP parser."

Security updates have been issued by Arch Linux (lib32-expat, webkit2gtk, and wireshark-cli), Debian (resiprocate), Fedora (java-1.8.0-openjdk, kernel, and open-vm-tools), openSUSE (containerd, docker, runc and gnu-efi, pesign, shim), Red Hat (tomcat), and Ubuntu (gdb, libiberty, and openjdk-8).

The LWN.net Weekly Edition for July 27, 2017 is available.

On July 21, Savoir-faireLinux (SFL) announcedthe release of version 1.0 of its Ringcommunication tool. It is a cross-platform (Linux, Android, macOS,and Windows) program for secure text, audio, and video communication.Beyond that, though, it is part of the GNUproject and is licensed under the GPLv3. Given the announcement, itseemed like a quick trial was in order. While it looks like it has greatpromise, Ring 1.0 falls a bit short of expectations.

A proposalto add Flatpak as an option fordistributing desktop applications in Fedora 27 has recently made anappearance. It is meant as an experimentof sorts to see how well Flatpak and RPM will play together—and to fix anyproblems found.There is a view that containers are the future, on the desktop as well asthe server; Flatpaks would provide Fedora one possible path toward that future.The proposal sparked a huge thread on the Fedora develmailing list; while the proposal itself doesn't really change much forthose uninterested in Flatpaks, some are concerned with where Fedorapackaging might be headed once the experiment ends.

The membarrier()system call is arguably one of the strangest offered by the Linux kernel. It expensively emulates an operation that can beperformed by a single unprivileged barrier instruction, using an invocationof the kernel's read-copy-update (RCU) machinery — all in the name ofperformance. But, it would seem, membarrier() is not fast enough,causing users to fall back to complex and brittle tricks. An attempt tofix the problem is now under discussion, but not everybody is convincedthat the cure is better than the disease.

Security updates have been issued by Debian (bind9, icedove, openjdk-8, qemu, and rkhunter), Fedora (krb5, libmwaw, perl-XML-LibXML, qemu, subversion, and webkitgtk4), Mageia (cinnamon-settings-daemon, graphite2, gsoap, libquicktime, and wireshark), openSUSE (catdoc, gsoap, jasper, and Wireshark), and Ubuntu (linux-aws, linux-gke and ruby1.9.1, ruby2.0, ruby2.3).

OpenSUSELeap 42.3 is now available. "After basing openSUSE Leap on SLE(SUSE Linux Enterprise) and adding more source code to Leap 42.2 from SLE12, Leap 42.3 adds even more packages from SLE 12 SP 3 and synchronizesseveral common packages. The shared codebase allows for openSUSE Leap 42.3to receive enhanced maintenance and bug fixes from both the openSUSEcommunity and SUSE engineers." There is quite a bit of new stuff inthis release; see thispage for some details.

Is it truly an efficient use of cloud computing resources to runtraditional operating systems inside virtual machines? In many cases, itisn't. An interesting alternative is to bundle a program into a unikernel,which is a single-tasking library operating system made specifically forrunning a single application in the cloud.A unikernel packs everything needed to run an application intoa tiny bundle and, in theory, this approach would save disk space,memory, and processor time compared to running a full traditional operatingsystem.IncludeOS is such a unikernel; it wascreated to support C++ applications. Like other unikernels, it is designed forresource-efficiency on shared infrastructure, and is primarily meant to run ona hypervisor.

LinuxGizmos reportsthat Intel is discontinuing its Curie wearables module and itsCurie-enabled Arduino 101 SBC. "Intel will no longer update the Curie’s Open Developer Kit, and will continue forum support only through Sep. 15. After that, “Intel will make its online resources available for review only and maintain availability to the Intel Curie community until June 15, 2020,” according to the July 18 Intel forum post.Intel says it is “actively working with alternative manufacturers to continue to make the Arduino 101 development board available to the market.” The chipmaker will support orders of the Arduino 101 through Sep. 17, and will fulfill those orders through Dec. 17. Arduino.cc will continue to offer Arduino IDE support for the 101."

The long-awaited end of Flash has come a little closer with thisannouncement from Adobe. "Given this progress, and incollaboration with several of our technology partners – including Apple,Facebook, Google, Microsoft and Mozilla – Adobe is planning to end-of-lifeFlash. Specifically, we will stop updating and distributing the FlashPlayer at the end of 2020 and encourage content creators to migrate anyexisting Flash content to these new open formats."

Security updates have been issued by Debian (catdoc, gsoap, and libtasn1-3), Fedora (GraphicsMagick, java-1.8.0-openjdk, krb5, librsvg2, nodejs, phpldapadmin, rubygem-rack-cors, and yara), Mageia (irssi), openSUSE (rubygem-puppet), Red Hat (kernel), Slackware (tcpdump), and Ubuntu (imagemagick, linux, linux-raspi2, linux-snapdragon, linux-lts-xenial, mysql-5.5, samba, and xorg-server, xorg-server-hwe-16.04, xorg-server-lts-xenial).

Savoir-faire Linux has announcedthe release of Ring 1.0. "Ring is a free/libre and universalcommunication platform that preserves the users’ privacy and freedoms. Itis a GNU package. It runs on multiple platforms; and, it can be used fortexting, calls, and video chats more privately, more securely, and morereliably."

Improving the security of a system often involves tradeoffs, with the costsmeasured in terms of convenience and performance, among others. To theirfrustration, security-oriented developers often discover that the tolerancefor these costs is quite low. Defenses against reference-count overflowshave run into that sort of barrier, slowing their adoption considerably.Now, though, it would appear that a solution has been found to theperformance cost imposed by reference-count hardening, clearing the waytoward its adoption throughout the kernel.

Here is alengthy and detailed look from Google's Project Zero at the trustedexecution environments that, one hopes, protect devices from compromise."In this blog post we’ll explore the security properties of the twomajor TEEs present on Android devices. We’ll see how, despite their highlysensitive vantage point, these operating systems currently lag behindmodern operating systems in terms of security mitigations andpractices. Additionally, we’ll discover and exploit a major design issuewhich affects the security of most devices utilising bothplatforms. Lastly, we’ll see why the integrity of TEEs is crucial to theoverall security of the device, making a case for the need to increasetheir defences."

Debian has released updates to its stable and old stable distributions. Debian 9.1 is the first update to "stretch"and Debian 8.9 is the ninth update to"jessie". These updates do not constitute a new versions of Debian, theyonly update some of the packages included. "Those who frequentlyinstall updates from security.debian.org won't have to update manypackages, and most such updates are included in the point release."