LWN.net

Security updates have been issued by CentOS (libreoffice), Debian (icedove, icu, and imagemagick), Fedora (bind, bind99, ghostscript, libxml2, ming, ntp, proftpd, and qemu), Oracle (bind and libreoffice), Red Hat (bind, qemu-kvm, and qemu-kvm-rhev), Scientific Linux (bind, libreoffice, and qemu-kvm), Slackware (minicom), and SUSE (xen).

Every conference venue has problems with the mix of room sizes, butI don't recall ever going to a talk that so badly needed to be in abigger room as Jessie Frazelle and Alex Mohr's talkat CloudNativeCon/KubeCon Europe 2017 on securing Kubernetes.The cause of the enthusiasmwas the opportunity to get "best practice" information on securingKubernetes, and how Kubernetes might be evolving to assist with this,directly from the source.

The xda-developers blog looksat Project Halium. "This open-source project is trying to pooldevelopers from Ubuntu Touch ports, Sailfish OS community developers, theopen webOS Lune OS project, and KDE Plasma Mobile contributors, among otherdevelopers (Jolla, we suspect) to put an end to the fragmentation seen intheir respective project’s lower-level base. Currently, Ubuntu Touch,Sailfish OS/Mer, Plasma Mobile, and others use different Android sourcetrees and methods for differently-built stacks. This leads to a lot offragmentation among the most popular non-Android, GNU/Linux-based mobile OSprojects in their use of the Android source tree, how the Android init isstarted, and how images are flashed to the device. Many of these projectsessentially do the same job, but in a different way." The goal ofHalium is to work towards a common Linux base, which can be used byall of these different projects.

The Docker blog introducesthe Moby Project, which aims to advance the software containerizationmovement. "It provides a “Lego set” of dozens of components, a framework for assembling them into custom container-based systems, and a place for all container enthusiasts to experiment and exchange ideas. Think of Moby as the “Lego Club” of container systems."

Security updates have been issued by Debian (feh, freetype, and radare2), Fedora (kernel and libsndfile), openSUSE (audiofile, dracut, gstreamer, gstreamer-plugins-bad, jasper, libpng15, proftpd, and tigervnc), Oracle (qemu-kvm), Red Hat (kernel, libreoffice, and qemu-kvm-rhev), and SUSE (bind and tiff).

The 4.10.11,4.9.23,4.4.62, and3.18.49 stable kernel updates areavailable. For those who are surprised to see a 3.18 update after thatseries was declared end-of-life, Greg Kroah-Hartman explains it this way: "3.18? Wasn't that kernel dead and forgotten and left torot on the side of the road? Yes, it was, but unfortunately, there's afew million or so devices out there in the wild that still rely on thiskernel. Now, some of their manufacturers and SoC vendors might not bekeeping their kernels up to date very well, but some do actually careabout security and their users, so this release is for them. If youhappen to have a vendor that does not care about their users, gocomplain, as odds are, your device is very insecure right now..."

On April 12 Dmitry Bogatov, a mathematician and Debian maintainer, was arrestedin Russia for "incitation to terrorism" because of some messages thatwent through his Tor exit node. "Though, the very nature of Bogatovcase is a controversial one, as it mixes technical and legal arguments, andmakes necessary both strong legal and technical expertise involved. Indeed,as a Tor exit node operator, Dmitry does not have control andresponsibility on the content and traffic that passes through his node: itwould be the same as accusing someone who has a knife stolen from her housefor the murder committed with this knife by a stranger." The DebianProject made a brief statement.

Scientific Linux 6.9 has been released for i386/x86_64 architectures. Seethe releasenotes and the upstreamrelease notes for details.

The 4.11-rc7 kernel prepatch has beenreleased. "We're in the late rc phase, and thismay be the last rc if nothing surprising happens."

Security updates have been issued by Debian (libosip2, openoffice.org-dictionaries, and qbittorrent), Fedora (kernel, libpng12, libsndfile, libtiff, mediawiki, mupdf, qt5-qtwebengine, samba, xen, xorgxrdp, and xrdp), Mageia (mediawiki, ming, python-django, unshield, and webkit2), and openSUSE (postgresql93).

The 2017 Debian project leader (DPL) election has completed; Chris Lamb won, over incumbent DPL Mehdi Dogguy. Details of the voting can be found on the election web page. Dogguy posted his last "bits from the DPL" congratulating Lamb, filling the project in on what he has been up to over the last month plus, and more: "Serving as DPL for the past year has been a real honour and afantastic experience for me. It also helped me to have a differentperspective on the project and my future involvement.Last but not least, I wanted to confirm to other fellow DebianDevelopers that serving as DPL is not a traumatic experience and I amstill as sane as I was one year ago :-) If you have ideas on how tomake Debian a better place, project, OS, community, FOSS citizen, …please nominate yourself for DPL elections next year! Worst casescenario, you would contribute to the debate about Debian's future."

Registration for the 2017 Linux Plumbers Conference is now open. "Registrationprices and cutoff dates are published in the ATTEND page of theweb site. A reminder that we are following a quota system to releaseregistration slots. Therefore the early registration rate will remainin effect until early registration closes on June 18 2017, or the quotalimit (150) is reached, whatever comes earlier." LPC will be held in Los Angeles, CA, US on 13-15 September inconjunction with The Linux Foundation Open Source Summit.

Security updates have been issued by Oracle (kernel) and Slackware (bind).

The Fedora Project has come up with a new mission statement:"Fedora creates an innovative platform that lights up hardware, clouds, and containers for software developers and community members to build tailored solutions for their users." See the full text for a description of what it means and how they arrived at it.

With the speed of network hardware now reaching 100 Gbpsand distributed denial-of-service (DDoS) attacks going in theTbpsrange, Linux kernel developers are scrambling tooptimize key network paths in the kernel to keep up. Many efforts areactually gearedtoward getting traffic out of the costly Linux TCP stack. We havealready covered the XDP (eXpressData Path) patch set, but two new ideas surfaced during theNetconf and Netdev conferences held in Toronto and Montreal in earlyApril 2017.

The most recent version of the Ubuntu Linux distribution, 17.04 or Zesty Zapus, has been released with multiple flavors (Kubuntu, Lubuntu, Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE,Ubuntu Studio, Xubuntu, and the most recent addition, Ubuntu Budgie) and several editions (server, desktop, cloud). "Under the hood, there have been updates to many core packages, includinga new 4.10-based kernel, and much more.Ubuntu Desktop has seen incremental improvements, with newer versions ofGTK and Qt, updates to major packages like Firefox and LibreOffice, andstability improvements to Unity.Ubuntu Server 17.04 includes the Ocata release of OpenStack, alongsidedeployment and management tools that save devops teams time whendeploying distributed applications - whether on private clouds, publicclouds, x86, ARM, or POWER servers, z System mainframes, or on developerlaptops. Several key server technologies, from MAAS to juju, have beenupdated to new upstream versions with a variety of new features." See the release notes for more information.

Security updates have been issued by CentOS (389-ds-base, httpd, kernel, libreoffice, tomcat, and util-linux), Fedora (libpng15, php-horde-Horde-Crypt, and python-sleekxmpp), openSUSE (gimp, lxc, and phpMyAdmin), Oracle (389-ds-base, httpd, kernel, libreoffice, tomcat, and util-linux), Red Hat (389-ds-base, flash-plugin, httpd, libreoffice, python-defusedxml and python-pysaml2, tomcat, and util-linux), Scientific Linux (389-ds-base, httpd, kernel, libreoffice, tomcat, and util-linux), and SUSE (bind and flash-player).

The LWN.net Weekly Edition for April 13, 2017 is available.

Simon Fels introduceshis Anbox (Android in a Box) project, which uses LXC containers to bringAndroid applications to your desktop. "Anbox uses Linux namespaces(user, network, cgroup, pid, ..) to isolate the Android operating systemfrom the host. For Open GL ES support Anbox takes code parts from theAndroid emulator implementation to serialize the command stream and send itover to the host where it is mapped on existing Open GL or Open GL ESimplementations." Anbox is still pre-alpha so expect crashes andinstability.

We have seen that a microservicearchitecture is intimately tied to the use of a TCP/IP network as theinterconnecting fabric, so when Bernard Van De Walle from Aporeto gave a talk at CloudNativeConand KubeCon Europe 2017 on why we shouldn't bother securing thatnetwork, it seemed a pretty provocative idea.

The Nginx web server version 1.12 has beenreleased, "incorporating new features and bug fixes from the 1.11.xmainline branch - including variables support and other improvements in thestreammodule, HTTP/2fixes, support for multipleSSL certificates of different types, improved dynamic modules support,and more." The changelog has more details.

Jane Silber announcesthe end of her tenure as CEO of Canonical. "Over the next threemonths I will remain CEO but begin to formally transfer knowledge andresponsibility to others in the executive team. In July, Mark[Shuttleworth] will retake the CEO role and I will move to the Canonical Board of Directors. In termsof a full-time role, I will take some time to recharge and then seek newchallenges."

This article covers the second day of the informal Netconf discussions,held on on April 4, 2017. Topics discussed this day included thebinding of sockets in VRF, identification of eBPF programs, inconsistenciesbetween IPv4 and IPv6, changes to data-center hardware, and more.

Greg KH has released stable kernels 4.10.10, 4.9.22, and 4.4.61. All of them contain important fixesand users should upgrade.

Security updates have been issued by Debian (bouncycastle), Fedora (flatpak), openSUSE (php7 and slrn), Oracle (389-ds-base and kernel), Red Hat (kernel and kernel-rt), Scientific Linux (389-ds-base and kernel), SUSE (xen), and Ubuntu (dovecot).

Here's thesecond part in the detailed Google Project Zero series on using the BroadcomWiFi stack to compromise the host system. "In this post, we’llexplore two distinct avenues for attacking the host operating system. Inthe first part, we’ll discover and exploit vulnerabilities in thecommunication protocols between the Wi-Fi firmware and the host, resultingin code execution within the kernel. Along the way, we’ll also observe acurious vulnerability which persisted until quite recently, using whichattackers were able to directly attack the internal communication protocolswithout having to exploit the Wi-Fi SoC in the first place! In the secondpart, we’ll explore hardware design choices allowing the Wi-Fi SoC in itscurrent configuration to fully control the host without requiring avulnerability in the first place."

OpenBSD 6.1 has been released.This version adds the arm64 platform, using clang as the base systemcompiler. The loongson platform supports systems with Loongson 3A CPU andRS780E chipset. The armish, sparc, and zaurus platforms have been retired.

Pocl aims to become a performance portable open source (MIT-licensed)implementation of the OpenCL standard. Version0.14 adds support for LLVM/Clang 4.0 and 3.9 and a new binary formatthat enables running OpenCL programs on hosts without online compilersupport. There is also initial support for out-of-order command queue taskscheduling and plenty of bug fixes.

As is becoming traditional, two times a year the kernel networkingcommunity meets in a two-stage conference: an invite-only, informal, two-dayplenary session called Netconf,held in Toronto this year, and a moreconventional one-track conference open to the public called Netdev. This article covers the first day of the conference which consisted ofaround 25 Linux developers meeting under the direction of David Miller, thekernel's networking subsystem maintainer.

Security updates have been issued by Debian (bouncycastle, dovecot, libnl, libnl3, and samba), Fedora (libtiff), Gentoo (chromium, qemu, and xorg-server), openSUSE (pidgin), Red Hat (389-ds-base and kernel), Slackware (vim), and Ubuntu (dovecot and webkit2gtk).

The Mozilla Open Source Support (MOSS) program awards grants to projects"that contribute to our work and to the health of theInternet." Recentrecipients include SecureDrop, libjpeg-turbo, LLVM, LEAP EncryptionAccess Project, and Tokio. There have also been MOSS supported audits ofntp, ntpsec, curl, and more. "We ran a major joint audit on two codebases, one of which is a fork of the other – ntp and ntpsec. ntp is a server implementation of the Network Time Protocol, whose codebase has been under development for 35 years. The ntpsec team forked ntp to pursue a different development methodology, and both versions are widely used. As the name implies, the ntpsec team suggest that their version is or will be more secure. Our auditors did find fewer security flaws in ntpsec than in ntp, but the results were not totally clear-cut."

Daniel Vetter discusses how to getpeople to review code. "The take away from these two articlesseems to be that review is hard, there’s a constant lack of capable andwilling reviewers, and this has been the state of review since forever. I’dlike to counter pose this with our experiences in the graphics subsystem,where we’ve rolled out a well-working review process for the Intel driver,core subsystem and now the co-maintained small driver efforts with success,and not all that much pain."

When a monolithic application is divided up into microservices, one new problem that must be solved is how to connect all those microservicesto provide the old application's functionality. Linkerd, which is now officially a Cloud-Native Computing Foundation project, is a transparent proxy which solves this problem bysitting between those microservices and routing their requests.Two separate CNC/KubeCon events — a talk by Oliver Gould briefly joined by Oliver Beattie, and a salon hosted by Gould — provided a view of linkerd and what it can offer.

Security updates have been issued by Arch Linux (mediawiki, python-django, and python2-django), Debian (jasper, libdatetime-timezone-perl, logback, ming, potrace, and tzdata), Fedora (curl, ghostscript, icecat, and xen), openSUSE (apparmor), and Slackware (libtiff).

The 4.11-rc6 kernel prepatch is out."Things are looking fairly normal, so here's the regular weekly rc.It's a bit bigger than rc5, but not alarmingly so, and nothing looksparticularly worrisome."

Here's anextensive summary of new features in the upcoming PostgreSQL 10 releasefrom Robert Haas. "PostgreSQL has had physical replication -- oftencalled streaming replication -- since version 9.0, but this requiresreplicating the entire database, cannot tolerate writes in any form on thestandby server, and is useless for replicating across versions or databasesystems. PostgreSQL has had logical decoding -- basically change capture-- since version 9.4, which has been embraced with enthusiasm, but it couldnot be used for replication without an add-on of some sort. PostgreSQL 10adds logical replication which is very easy to configure and which works attable granularity, clearly a huge step forward. It will copy the initialdata for you and then keep it up to date after that."

The 4.10.9,4.9.21, and4.4.60 stable kernel updates have beenreleased. Each contains a relatively large set of important fixes.

Open Build Service 2.8 has been released. "We’vebeen hard at work to bring you many new features to the UI, the API and thebackend. The UI has undergone several handy improvements including thefiltering of the projects list based on a configurable regular expressionand the ability to download a project’s gpg key and ssl certificate (alsoavailable via the API). The API has been fine-tuned to allow more controlover users including locking or deleting them from projects as well asdeclaring users to be sub-accounts of other users. The backend now includesnew features such as mulibuild - the ability to build multiple jobs from asingle source package without needing to create local links. Workertracking and management has also been enhanced along with the newobsservicedispatch service which handles sources in an asynchronousqueue. Published packages can now be removed using the osc unpublishcommand." The reference server http://build.opensuse.org is availablefor all developers to build packages for the most popular distributions.

The GNOME Project has announced astreamlined contribution system built around a Flatpak-based buildsystem. "No specific distribution required. No specific versionrequired. No dependencies hell. Reproducible, if it builds for me it willbuild for you. All with an UI and integrated, no terminal required. Lessthan five minutes of downloading plus building and you arecontributing."

The latest installmentfrom Google's Project Zero covers the development of an exploit for this unpleasant Xenvulnerability. "To demonstrate the impact of the issue, Icreated an exploit that, when executed in one 64-bit PV guest with rootprivileges, will execute a shell command as root in all other 64-bit PVguests (including dom0) on the same physical machine."

Security updates have been issued by Fedora (tigervnc) and openSUSE (clamav-database and ffmpeg).

Daniel Stone considersthe future of the Linux desktop in the light of Ubuntu's return toGNOME. "The world in 2017, however, is a very different place. KMSprovides us truly device-independent display control, Vulkan and EGLprovide us GPU acceleration independent of window system, xkbcommonprovides shared keyboard mechanics, and logind lets us do all these thingswithout ever being root. GBM allocates our buffers, and the universalallocator, borne out of discussions with the whole community includingNVIDIA, will soon join the family.Mir leans heavily on all these technologies, so the change is a bit lessseismic than you might think."

Security updates have been issued by Fedora (xen), openSUSE (libpng12, libpng16, nodejs4, and samba), Scientific Linux (tigervnc), and SUSE (jasper).

The LWN.net Weekly Edition for April 6, 2017 is available.

In the only storage-only LSFMM 2017 session that LWN was able to attend—it wasscheduled opposite the one-and-only filesystemand memory management combined session—Lee Duncan explored some of thequestions and problems he sees in booting from remote storage. He saidthat he wanted to get feedback from the assembled developers to see wheresolutions might lie.

Mark Shuttleworth reportsthat Canonical is ending its investment in Unity8, the phone andconvergence shell. GNOME will be the default desktop for Ubuntu 18.04 LTS."The choice, ultimately, is to invest in the areas which arecontributing to the growth of the company. Those are Ubuntu itself, fordesktops, servers and VMs, our cloud infrastructure products (OpenStack andKubernetes) our cloud operations capabilities (MAAS, LXD, Juju, BootStack),and our IoT story in snaps and Ubuntu Core. All of those have communities,customers, revenue and growth, the ingredients for a great and independentcompany, with scale and momentum. This is the time for us to ensure, acrossthe board, that we have the fitness and rigour for that path."(Thanks to Unnikrishnan Alathady Maloor)

CentOS Linux 6.9 has been released for i386 and x86_64 architectures."CentOS Linux 6.9 is derived from source code released by Red Hat,Inc. for Red Hat Enterprise Linux 6.9. All upstream variants have been placedinto one combined repository to make it easier for end users.Workstation, server, and minimal installs can all be done from ourcombined repository. All of our testing is only done against thiscombined distribution."

In his traditional LSFMM session to "whinge about various things", Darrick Wongmostly discussed his recent work on online filesystem repair for XFS, butalso strayed into some other topics. Online filesystem scrubbing for XFSwas one of those, as was a new ioctl() command to determine blockownership.

Security updates have been issued by Debian (python-django), Fedora (firebird), openSUSE (pidgin and ruby2.2, ruby2.3), Red Hat (v8), Scientific Linux (bash, coreutils, curl, glibc, gnutls, kernel, libguestfs, ocaml, openssh, qemu-kvm, quagga, samba, samba4, subscription-manager, and wireshark), and Ubuntu (lightdm, linux-hwe, linux-lts-trusty, linux-lts-xenial, linux-ti-omap4, and python-django).

In a second-day plenary session at the 2017 Linux Storage, Filesystem, andMemory-Management Summit, Fred Knight updated theattendees on what has happened in the storage standards world over the lastyear. While the transports (e.g. Fibre Channel, Ethernet) and the SCSIprotocol have not seen a tonof changes over the last year, the NVM Express (NVMe) standards have had alot of action.