LWN.net

Security updates have been issued by Fedora (xen), openSUSE (libpng12, libpng16, nodejs4, and samba), Scientific Linux (tigervnc), and SUSE (jasper).

The LWN.net Weekly Edition for April 6, 2017 is available.

In the only storage-only LSFMM 2017 session that LWN was able to attend—it wasscheduled opposite the one-and-only filesystemand memory management combined session—Lee Duncan explored some of thequestions and problems he sees in booting from remote storage. He saidthat he wanted to get feedback from the assembled developers to see wheresolutions might lie.

Mark Shuttleworth reportsthat Canonical is ending its investment in Unity8, the phone andconvergence shell. GNOME will be the default desktop for Ubuntu 18.04 LTS."The choice, ultimately, is to invest in the areas which arecontributing to the growth of the company. Those are Ubuntu itself, fordesktops, servers and VMs, our cloud infrastructure products (OpenStack andKubernetes) our cloud operations capabilities (MAAS, LXD, Juju, BootStack),and our IoT story in snaps and Ubuntu Core. All of those have communities,customers, revenue and growth, the ingredients for a great and independentcompany, with scale and momentum. This is the time for us to ensure, acrossthe board, that we have the fitness and rigour for that path."(Thanks to Unnikrishnan Alathady Maloor)

CentOS Linux 6.9 has been released for i386 and x86_64 architectures."CentOS Linux 6.9 is derived from source code released by Red Hat,Inc. for Red Hat Enterprise Linux 6.9. All upstream variants have been placedinto one combined repository to make it easier for end users.Workstation, server, and minimal installs can all be done from ourcombined repository. All of our testing is only done against thiscombined distribution."

In his traditional LSFMM session to "whinge about various things", Darrick Wongmostly discussed his recent work on online filesystem repair for XFS, butalso strayed into some other topics. Online filesystem scrubbing for XFSwas one of those, as was a new ioctl() command to determine blockownership.

Security updates have been issued by Debian (python-django), Fedora (firebird), openSUSE (pidgin and ruby2.2, ruby2.3), Red Hat (v8), Scientific Linux (bash, coreutils, curl, glibc, gnutls, kernel, libguestfs, ocaml, openssh, qemu-kvm, quagga, samba, samba4, subscription-manager, and wireshark), and Ubuntu (lightdm, linux-hwe, linux-lts-trusty, linux-lts-xenial, linux-ti-omap4, and python-django).

In a second-day plenary session at the 2017 Linux Storage, Filesystem, andMemory-Management Summit, Fred Knight updated theattendees on what has happened in the storage standards world over the lastyear. While the transports (e.g. Fibre Channel, Ethernet) and the SCSIprotocol have not seen a tonof changes over the last year, the NVM Express (NVMe) standards have had alot of action.

Matthias Klumpp looks at thefuture of the Debian derivative Tanglu. "So, what actually is the way forward? First, maybe I have the chance to find a few people willing to work on tasks in Tanglu. It’s a fun project, and I learned a lot while working on it. Tanglu also possesses some unique properties few other Debian derivatives have, like being built from source completely (allowing us things like swapping core components or compiling with more hardening flags, switching to newer KDE Plasma and GNOME faster, etc.). Second, if we do not have enough manpower, I think converting Tanglu into a rolling-release distribution might be the only viable way to keep the project running. A rolling release scheme creates much less effort for us than making releases (especially time-based ones!). That way, users will have a constantly updated and secure Tanglu system with machines doing most of the background work."

Error handling during writeback is something of a mess in Linux these days,Jeff Layton said in his plenary session to open the second day of the 2017Linux Storage, Filesystem, and Memory Management Summit. He hasinvestigated the situation and wanted to discuss it with attendees. He alsopresented a proposal for a way to make things better.

As it has evolved over the years, Android has acquired some hacks inhow it handles its filesystems. Ted Ts'o would like to see those hackseliminated, so he led a session at LSFMM 2017 to look at the problem andsee what, if any, upstream-acceptable solution could be found.

The Association for Computing Machinery (ACM) has announcedthat Sir Tim Berners-Lee is the recipient of the 2016 ACM A.M. Turing Award. "Berners-Lee was cited for inventing the World Wide Web, the first web browser, and the fundamental protocols and algorithms allowing the Web to scale. Considered one of the most influential computing innovations in history, the World Wide Web is the primary tool used by billions of people every day to communicate, access information, engage in commerce, and perform many other important activities."

Kdenlive is a video editing tool. This statusreport covers what the project has been working on and where they needmore help. "Since the beginning of the year, we have been working on a big refactoring/rewrite of some of the core parts of Kdenlive. Being more than 10 years old, some parts of our code had become messy and impossible to maintain. Not to mention the difficulty in adding new features.Part of the process involves improving the architecture of the code, adding some tests, and switching the timeline code from QGraphicsView to the more recent QML framework. This should hopefuly improve stability, allow further developments and also more flexibility in the display and user interaction of the timeline."

Here's alengthy and detailed description of how the Project Zero team reverseengineered Broadcom's proprietary WiFi processor and developed a remotecode execution exploit. "All that said and done, the introduction ofWi-Fi FullMAC chips does not come without a cost. Introducing these newpieces of hardware, running proprietary and complex code bases, may weakenthe overall security of the devices and introduce vulnerabilities whichcould compromise the entire system."

Security updates have been issued by Debian (collectd, curl, and tryton-server), Fedora (kernel and pcs), Mageia (jhead, munin, mxml, phpmyadmin, pidgin, and wget), openSUSE (geotiff), Red Hat (kernel), SUSE (kernel and ruby19), and Ubuntu (nagios3).

The Linux Foundation has announcedthat the FRRouting project has come under the LF umbrella."FRRouting (FRR) is an IP routing protocol suite for Unix and Linuxplatforms which includes protocol daemons for BGP, IS-IS, LDP, OSPF, PIM,and RIP, and the community is working to make this the best routingprotocol stack available. FRR is rooted in the Quagga project and includesthe fundamentals that made Quagga so popular as well as a ton of recentenhancements that greatly improve on that foundation." It is a forkof Quagga that originally wentunder the name "Cumulus private Quagga".

The AprilAndroid Security Bulletin provides a discouragingly long list ofvulnerabilities fixed in the latest update (for those with devicessufficiently well supported to receive them). "The most severe ofthese issues is a Critical security vulnerability that could enable remotecode execution on an affected device through multiple methods such asemail, web browsing, and MMS when processing media files." There'salso a fix for CVE-2016-10229, which is a remotely exploitablevulnerability in the UDP stack that was fixedin the 4.5 and 4.4.21 kernels. Those kernels were not vulnerable as theresult of other work, but older kernels with backported fixes (Androidkernels, for example) were.

We are getting closer to being able to do unprivileged mounts insidecontainers, but there are still some pieces that do not work well in thatscenario. In particular, the user IDs (and group IDs) that are embeddedinto filesystem images are problematic for this use case. James Bottomleyled a discussion on the problem in a session at the 2017 Linux Storage,Filesystem, and Memory-Management Summit.

Red Hat, CentOS, and Scientific Linux have announced theend-of-life for version 5 of their enterprise Linux offering. As of March31, 2017 there will be no more updates, including security updates.

Security updates have been issued by Fedora (samba) and openSUSE (ceph).

The 4.11-rc5 kernel prepatch has beenreleased for testing. "Ok, things have definitely started to calmdown, let's hope it stays this way and it wasn't just a fluke thisweek."

The mount()system call tries to do too many things, Miklos Szeredi said at the startof a filesystem-only discussion at LSFMM 2017. He has been interested incleaning that up for a long time. So he wanted to discuss some ideas hehad for a new interface to mount filesystems.

Security updates have been issued by Debian (ejabberd, jhead, and samba), Fedora (chromium, drupal8, empathy, erlang, firefox, icoutils, kernel, knot-resolver, libICE, libupnp, libXdmcp, links, mbedtls, moodle, mupdf, ntp, openslp, R, rkward, rpy, sane-backends, sscg, tcpreplay, thunderbird, and webkitgtk4), Mageia (kernel, kernel-linus, and kernel-tmb), openSUSE (apache2, Chromium, kernel, and virglrenderer), Oracle (kernel), and Slackware (samba).

Crunchy Data has announcedthe availability of a "security technical implementation guide" for thePostgreSQL database management system. "While the STIG was authoredfor the benefit of the U.S. Government, the DISA PostgreSQL STIG offerssecurity-conscious enterprises a comprehensive guide for the configurationand operation of open source PostgreSQL. Enterprises can refer to the STIGas for guidance on PostgreSQL security best practices they consider opensource PostgreSQL as an alternative to proprietary, closed source, databasesoftware."

The Scientific Linux project has announced that Scientific Linux 5 has reached its end of life. "After March 31 2017 Scientific Linux 5 will not receive further updates and the files will be archived.The existing files will be moved into http://ftp.scientificlinux.org/linux/scientific/obsolete/ for archival purposes after March 31 2017.This will break existing yum repos and kickstarts using the official distribution servers."

When Andreas Dilger proposed the statx() topic for the 2017 LinuxStorage, Filesystem, and Memory-Management Summit, the system call hadstill not been merged. But that all changed in the 4.11 development cycle when Al Viro merged thesystem call to provide additional file information. So, unlikeprevious years, the discussion was not about how to merge such a system call but,instead, how to extend statx() for additional file information.

The 4.10.8, 4.9.20, and 4.4.59 stable kernels have been released.Users of those kernel series should upgrade.[Update: It appears that the urgency for getting these stable kernels out comes from a fix for CVE-2017-7184, which is a local privilege-escalation vulnerability.]

Security updates have been issued by Arch Linux (chromium), Debian (tiff3), Fedora (erlang), Mageia (deluge and mariadb), openSUSE (GraphicsMagick, pidgin, and wget), Red Hat (chromium-browser), and Ubuntu (firefox and samba).

Version2.3 of the OpenShot video editor has been released. "This is oneof the biggest updates ever to OpenShot, and is filled with new features,performance improvements, and tons of bug fixes". This release addsa new transform tool, better zooming, better title editing, and more; therazor tool has also made a comeback.

Videos from the LibrePlanet 2017 keynotes and sessions are becoming available at media.libreplanet.org; many are already posted and others will be filled in over the next few days. "LibrePlanet 2017 closed Sunday, March 26th with a keynote bySumana Harihareswara, bringing to an end two days ofpresentations, workshops, hacking, conversations, and fun. Morethan 400 people interested in free software joined the FreeSoftware Foundation (FSF) and MIT's Student Information ProcessingBoard (SIPB) in Cambridge, MA for the 9th annual LibrePlanet." LWN was there for the conference, so you can expect more coverage coming soon (our first article on Conor Schaefer's SecureDrop talk appeared in the March 30 weekly edition).

Greg Kroah-Hartman has announced the release of the 4.10.7, 4.9.19, and 4.4.58 stable kernels. They contain fixesthroughout the tree and users of those series should upgrade. The nextround of stable kernels is also in the review process at this point and those kernelscan be expected on April 1.

Security updates have been issued by Debian (firebird2.5), openSUSE (gstreamer-0_10-plugins-good and php5), Oracle (curl), SUSE (kernel and samba), and Ubuntu (kernel, linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux, linux-ti-omap4, linux-hwe, linux-lts-trusty, linux-lts-xenial, and oxide-qt).

The LWN.net Weekly Edition for March 30, 2017 is available.

The overlayfs filesystem is being used moreand more these days, especially in conjunction with containers. Amir Goldstein and Miklos Szerediled a discussion about recent and upcoming features for the filesystem atLSFMM 2017.

The latest version of the Vivaldi web browser highlights a new Historyfeature that "lets users explore their browsing patterns, backedby statistics and visual clues". There are a number of new ways tofind old URLs in your history. "The latest releasealso includes more options for taking notes in the browser, powerful soundcontrol for tabs and other improvements." While you have access toyour browsing history, Vivaldi does not collect your history data.

Memory-management (MM) patches are notoriously difficult to get merged into themainline kernel. They are subjected to a high degree of review becausethis is an area where it is easy to get things wrong. Or, at least, thatis how it used to be. The final memory-management session at the 2017Linux Storage, Filesystem, and Memory-Management Summit was concerned withpatch review in the MM subsystem — or the lack of it.

Security updates have been issued by CentOS (icoutils and openjpeg), Debian (eject, graphicsmagick, libytnef, and tnef), Fedora (drupal8, firefox, kernel, ntp, qbittorrent, texlive, and webkitgtk4), Oracle (bash, coreutils, glibc, gnutls, kernel, libguestfs, ocaml, openssh, qemu-kvm, quagga, samba, samba4, tigervnc, and wireshark), Red Hat (curl), Slackware (mariadb), SUSE (samba), and Ubuntu (apparmor).

David Malcolm has put together thebeginnings of an unofficial guide to GCC for developers who are gettingstarted with the compiler. "I’m a relative newcomer to GCC, so Ithought it was worth documenting some of the hurdles I ran into when Istarted working on GCC, to try to make it easier for others to starthacking on GCC. Hence this guide."

The userfaultfd() system callallows user space to intervene in the handling of page faults. As AndreaArcangeli and Mike Rapaport described in a 2017 Linux Storage, Filesystem,and Memory-Management Summit session dedicated to the subject,userfaultfd() was originally created to help with the livemigration of virtual machines between physical hosts. It allows pages tobe copied to the new host on demand, after the machine itself has beenmoved, leading to faster, more predictable migrations. Work onuserfaultfd() is not finished, though; there are a number of otherfeatures that developers would like to add.

A processor's translation lookaside buffer (TLB) caches the mappings fromvirtual to physical addresses. Looking up virtual addresses is expensive,so good performance often depends on making the best use of the TLB. Inthe memory-management track of the 2017 Linux Storage, Filesystem, andMemory-Management Summit, Mike Kravetz described a SPARC processor featurethat can improve TLB performance and explored ways in which that featurecould be supported.

Version1.6 of the Kubernetes orchestration system is available. "Inthis release the community’s focus is on scale and automation, to help youdeploy multiple workloads to multiple users on a cluster. We are announcingthat 5,000 node clusters are supported. We moved dynamic storageprovisioning to stable. Role-based access control (RBAC), kubefed, kubeadm,and several scheduling features are moving to beta. We have also addedintelligent defaults throughout to enable greater automation out of thebox."

Google has announcedthe launch of opensource.google.com. "Today, we’re launching opensource.google.com, a new website for Google Open Source that ties together all of our initiatives with information on how we use, release, and support open source.This new site showcases the breadth and depth of our love for open source. It will contain the expected things: our programs, organizations we support, and a comprehensive list of open source projects we've released. But it also contains something unexpected: a look under the hood at how we "do" open source."

When the transparent huge page feature was added to the kernel, it onlysupported anonymous (non-file-backed) memory. In 2016, support for huge pages in the page cache wasadded, but only the tmpfs filesystem was supported. There is interest inexpanding support to other filesystems, since, for some workloads, theperformance improvement can be significant. Kirill Shutemov led the onlysession that combined just the filesystem and memory-management tracks atthe 2017 Linux Storage, Filesystem, and Memory-Management Summit in adiscussion of adding huge-page support to the ext4 filesystem.

Security updates have been issued by Debian (eject, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, gst-plugins-ugly1.0, gstreamer1.0, php5, and tiff), Fedora (kernel), Gentoo (curl, deluge, libtasn1, and xen-tools), Mageia (mbedtls, putty, and roundcubemail), openSUSE (dbus-1, gegl, mxml, open-vm-tools, partclone, qbittorrent, tcpreplay, and xtrabackup), and Ubuntu (eject, gst-plugins-base0.10, gst-plugins-base1.0, and gst-plugins-good0.10, gst-plugins-good1.0).

DAX is the mechanism that enables direct access to files stored inpersistent memory arrays without the need to copy the data through the pagecache. At the 2017 Linux Storage, Filesystem, and Memory-ManagementSummit, Ross Zwisler led a plenary session on the future of DAX. Development inthis area offers a number of interesting trade-offs between data safety andenabling the highest performance.

DragonFly BSD 4.8 has been released. "DragonFlyversion 4.8 brings EFI boot support in the installer, further speedimprovements in the kernel, a new NVMe driver, a new eMMC driver, and Intelvideo driver updates." DragonFly is an independent BSD variant,perhaps best known for the HAMMER filesystem.

The Free Software Foundation has announcedthe winners of the 2016 Free Software Awards. The Award for Projectsof Social Benefit went to SecureDropand the Award for the Advancement of Free Software went to Alexandre Oliva. "SecureDrop is an anonymous whistleblowing platform used by major news organizations and maintained by Freedom of the Press Foundation. Originally written by the late Aaron Swartz with assistance from Kevin Poulsen and James Dolan, the free software platform was designed to facilitate private and anonymous conversations and secure document transfer between journalists and sensitive sources."

Stable kernels 4.10.6, 4.9.18, and 4.4.57 have been released. All of themcontain important fixes and users should upgrade.

Security updates have been issued by Debian (apt-cacher, jbig2dec, libplist, python3.2, tnef, and xrdp), Fedora (firefox, mbedtls, and sane-backends), Mageia (flash-player-plugin, freetype2, glibc, kernel, kernel-linus, kernel-tmb, libquicktime, libwmf, and tnef), and Ubuntu (thunderbird).

The 4.11-rc4 kernel prepatch is out fortesting. "So on the whole things look fine. There's changes allover, and in mostly the usual proportions. Some core kernel code shows upin the diffstat slightly more than it usually does - we had an audit fixand a bpf hashmap fix, but on the whole it all looks very regular."