LWN.net

The LWN.net Weekly Edition for March 23, 2017 is available.

GitLab 9.0 has been releasedwith many new features and improvements. "In the last several releases, GitLab has transformed how development teams get from idea to production. In just a few minutes, you can deploy GitLab to a container scheduler, add CI/CD with auto deployed review apps, utilize ChatOps, and analyze your cycle time. With 9.0 you can now watch your deploys with deploy boards and monitor application performance with Prometheus."

The NTPsec Project has announced the 0.9.7 release of NTPsec, withassistance from the Mozilla Foundation's "Secure Open Source" initiative.NTPsec is an implementation of the Network Time Protocol (NTP)."NTPsec 0.9.7 incorporates significant improvements in security, accuracy,precision, visualization, and usability, with assistance, contributions,and audits provided by infosec researchers and other technical contributors.For this release, the NTPsec Project worked particularly closely with theMozilla Foundation's "Secure Open Source" initiative, who funded an infosecaudit, and with Cure53.de, who provided the audit."

The GNOME Project has announced the release of GNOME 3.24, "Portland"."This release is the result of 6 months’ hard work by the GNOME community.It contains major new features such as night light, as well as many smallerimprovements and bug fixes. GNOME's existing applications have beenimproved and there is also a new Recipes app. Improvements to our platforminclude refined notifications and several revamped settings panels."

Greg Kroah-Hartman has released stable kernels 4.10.5, 4.9.17, and 4.4.56. All of them contain important fixesand users should upgrade.

Security updates have been issued by Arch Linux (irssi), Fedora (qemu), openSUSE (mbedtls), and Ubuntu (eglibc, glibc).

In a morning plenary session on the first day of the 2017 Linux Storage,Filesystem, and Memory-Management Summit, Jérôme Glisse led a discussion onmemory that cannot be addressed by the CPU because it lives in devices likeGPUs or FPGAs. There is often a substantial pile of memory on thesedevices and it can be accessed much more quickly by the devices than thesystem RAM can be. Making it easier for user-space programmers to use thatmemory transparently is the goal of the heterogeneous memory management (HMM) patchesthat Glisse has been working on.

Matthew Garrett announces a new,hopefully more efficient process for reviewing bootloaders to be used withShim in UEFI secure bootsystems. "To that end, we're adopting a new model. A mailing listhas been created at shim-review@lists.freedesktop.org, and members of thislist will review submissions and provide a recommendation to Microsoft onwhether these should be signed or not."

The Android Developers Blog introducesthe first developer preview of Android O. This version includesbackground limits, notification channels, autofill APIs, PIP for handsets,font resources in XML, adaptive icons, and much more. "Building on the work we began in Nougat, Android O puts a big priority on improving a user's battery life and the device's interactive performance. To make this possible, we've put additional automatic limits on what apps can do in the background, in three main areas: implicit broadcasts, background services, and location updates. These changes will make it easier to create apps that have minimal impact on a user's device and battery. Background limits represent a significant change in Android, so we want every developer to get familiar with them."

KDevelop is KDE's Integrated Development Environment (IDE). Version 5.1has been releasedwith LLDB support, Analyzer run mode, initial OpenCL language support,improved Python language support, and more.

Red Hat has announcedthe release of Red Hat Enterprise Linux 6.9. "Red Hat Enterprise Linux 6.9 delivers new hardware support developed in collaboration with Red Hat partners which helps to provide a smooth transition of Red Hat Enterprise Linux 6 production deployments to Red Hat Enterprise Linux 7 environments. Additionally, Red Hat Enterprise Linux 6.9 adds updates to TLS 1.2 to further enhance secure communications and provide broader support for the latest PCI-DSS standards, better equipping enterprises to offer more secure online transactions."

Security updates have been issued by Debian (sitesummary), Fedora (jasper, knot-resolver, R, rkward, rpm-ostree, rpy, w3m, and xen), openSUSE (firefox), Red Hat (bash, coreutils, glibc, gnutls, kernel, libguestfs, ocaml, openssh, qemu-kvm, quagga, samba, samba4, subscription-manager, tigervnc, and wireshark), and Ubuntu (eglibc, glibc, firefox, freetype, gnutls26, NVIDIA graphics, and nvidia-graphics-drivers-375).

The opening session of the 2017 Linux Storage, Filesystem, andMemory-Management Summit covered a familiartopic: how to represent (possibly massive) persistent-memory arraysto various subsystems in the kernel. This session, led by Dan Williams,focused in particular on the ZONE_DEVICE abstraction and whetherthe kernel should use page structures to represent persistent memory ornot.

Linux.com takesa look at the Intel Edison."The Intel Edison is a physically tiny computer that draws a small amount of power and breaks out plenty of connections to allow it to interact with other electronics. It begs to be the brain of your next electronics tinkering project, with all the basics in a tiny package and an easy way to connect other things you might need."

Security updates have been issued by Arch Linux (firefox, mbedtls, and wordpress), CentOS (firefox, openjpeg, and tomcat6), Debian (deluge, ioquake3, r-base, and wireshark), Fedora (qemu, rabbitmq-server, and sscg), Gentoo (adobe-flash, openoffice-bin, and putty), openSUSE (Chromium, irssi, putty, and roundcubemail), Oracle (firefox and openjpeg), Red Hat (firefox and openjpeg), Scientific Linux (firefox and openjpeg), and SUSE (firefox).

OpenSSH 7.5 is out. This is primarily a bug-fix release, but it alsomakes the use of privilege separation mandatory and removes support forbuilding against old, unsupported OpenSSL releases.

The 4.11-rc3 kernel prepatch is out."As is our usual pattern after the merge window, rc3 is larger thanrc2, but this is hopefully the point where things start to shrink andcalm down."

The4.10.4,4.9.16, and4.4.55 stable kernels are out with anotherset of important fixes.

Ubuntu has discontinued support for the 32-bit powerpc architecture inZesty Zappus (17.04)."We are well into Feature Freeze at this point, so an update is overdue. Asof Feature Freeze in February, the status is that powerpc packages are nolonger considered for proposed-migration, and we have discontinued all CDimage builds for powerpc in zesty.For the moment, uploads continue to be built for powerpc in Launchpad, andpackages are still published in the archive. You should expect both to bediscontinued before the 17.04 release."

Brendan Gregg showshow to do scheduler profiling with the perf sched command."perf sched timehist was added in Linux 4.10, and shows the schedulerlatency by event, including the time the task was waiting to be woken up(wait time) and the scheduler latency after wakeup to running (schdelay). It's the scheduler latency that we're more interested intuning."

Security updates have been issued by Arch Linux (linux-zen), Debian (calibre, libdatetime-timezone-perl, tzdata, wireshark, and wordpress), Fedora (icoutils and tcpreplay), Mageia (wavpack), openSUSE (dracut and qemu), and SUSE (firefox and xen).

The remaining users of RHEL 5 (and derivatives) will want to know that maintenanceof the EPEL-5 repository is coming to an end. "In the end,EPEL-5 went live sometime in April of 2007 and over the next 10 years grewto a repository of over 5000 source packages and 200,000 unique ipaddresses checking in per day at its peak of 240,000 in early 2013. Whileevery package built for EPEL is done with the RHEL packages, all of thesepackages have been useful for the various community rebuilds (CentOS,Scientific Linux, Amazon Linux) of RHEL. This meant that growth in thoseeco-systems brought more users into using EPEL and helping on packaging aslater RHEL releases came out. However as these newer releases and rebuildsgrew in usage, the number of EPEL-5 users has gradually fallen to around160,000 unique ip addresses per day. Also over that time, the number ofpackages supported by developers has fallen and the repository has shrunkin size to 2000 source packages."

The 2017 Linux Plumbers Conference (LPC) has announced its call for refereed presentations. "Refereed Presentations are 45 minutes in length and should focus on aspecific aspect of the 'plumbing' in the Linux system. Examples ofLinux plumbing include core kernel subsystems, core libraries,windowing systems, management tools, device support, mediacreation/playback, and so on. The best presentations are not aboutfinished work, but rather problems, proposals, or proof-of-conceptsolutions that require face-to-face discussions and debate." Proposals are due by May 6 and LPC will be held in Los Angeles, CA, US on September 13-15 in conjunctionwith The Linux Foundation Open Source Summit North America.

The GNU Guile project hasannounced the release of Guile 2.2.0, which is an implementation of the Scheme Lisp dialect. "More than 6 years in the making, Guile 2.2 includes a new optimizingcompiler and high-performance register virtual machine. Compared tothe old 2.0 series, real-world programs often show a speedup of 30% ormore with Guile 2.2.Besides the compiler upgrade, Guile 2.2 removes limitations on userprograms by lowering memory usage, speeding up the "eval" interpreter,providing better support for multi-core programming, and last but notleast, removing any fixed limit on recursive function calls.Not only does Guile 2.2 run fast, it also supports the creation ofuser-space concurrency facilities that multiplex millions ofconcurrent lightweight "fibers". Seehttps://www.gnu.org/software/guile/news/gnu-guile-220-released.htmlfor pointers to promising experiments."

Kent Overstreet has announced a new majorrelease of his bcachefs filesystem.Changes in this release includewhole-filesystem encryption, backup superblocks, better multiple-devicesupport, a user-space filesystem checker, and more. "We can also nowmigrate filesystems to bcachefs in place! The bcache migrate command takesan existing filesystem, fallocates a big file in it, creates a newfilesystem (in userspace) on the block device but using only the spacereserved by that file it fallocated - and then walks the contents of theoriginal filesystem creating pointers to all your existing data."There is an on-disk format change, but there's a chance it's the last one.

Security updates have been issued by CentOS (thunderbird), Fedora (ettercap, jasper, qbittorrent, and tcpreplay), Oracle (tomcat6), Red Hat (rabbitmq-server), Slackware (pidgin), SUSE (flash-player), and Ubuntu (libxml2, linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, and linux-lts-xenial).

The LWN.net Weekly Edition for March 16, 2017 is available.

Sometimes it seems that things have gone relatively quiet on the year-2038front. But time keeps moving forward, and the point in early 2038 when32-bit time_t values can no longer represent times correctly isnow less than 21 years away. That may seem like a long time, but therelatively long life cycle of many embedded systems means that some systems deployed today will still be inservice when that deadline hits. One of the developers leading the effortto address this problem is Arnd Bergmann; at Linaro Connect 2017 he gave anupdate on where that work stands.

Stable kernels 4.10.3, 4.9.15, and 4.4.54 have been released. All of themcontain the usual set of important fixes.

Security updates have been issued by Arch Linux (flashplugin, jasper, kernel, lib32-flashplugin, and roundcubemail), Debian (chromium-browser and mariadb-10.0), Fedora (ettercap), openSUSE (firefox, mozilla-nss and thunderbird), Oracle (thunderbird), Red Hat (flash-plugin, kernel, policycoreutils, rabbitmq-server, and tomcat6), Scientific Linux (tomcat6), and Ubuntu (imagemagick).

Version1.18 of the MATE desktop has been released. "The release isfocused on completing the migration to GTK3+ and adopting new technologiesto replace some of deprecated components MATE Desktop 1.16 still reliedon."

Robert Haas describesthe many parallelism enhancements in the upcoming PostgreSQL 10release. "The Gather node introduced in PostgreSQL 9.6 gathersresults from all workers in an arbitrary order. That's fine if the datathat the workers were producing had no particular ordering anyway, but ifeach worker is producing sorted output, then it would be nice to gatherthose results in a way that preserves the sort order. This is what GatherMerge does. It can speed up queries where it's useful for the results ofthe parallel portion of the plan to have a particular sort order, and wherethe parallel portion of the plan produces enough rows that performing anordinary Gather followed by a Sort would be expensive."

Red Hat has released its annualreport on the vulnerabilities that afflicted its products and how theywere handled. "Looking only at issues affecting base Red HatEnterprise Linux releases, we released 38 Critical security advisoriesaddressing 50 Critical vulnerabilities. Of those issues, 100% had fixes thesame or next day after the issue was public. During that same timeframe,across the whole Red Hat portfolio, 76% of Critical issues had updates toaddress them the same or next day after the issue was public with 98%addressed within a week of the issue being public."

The deadline CPU scheduler has come a long way, Juri Lelli said in his 2017Linaro Connect session, but there is still quite a bit of work to be done.While this scheduler was originally intended for realtime workloads, there isreason to believe that it is well suited for other settings, including theembedded and mobile world. In this talk, he gave a summary of what thedeadline scheduler provides now and the changes that are envisioned for thenear (and not-so-near) future.

Security updates have been issued by Arch Linux (linux-grsec and linux-lts), Debian (icoutils, imagemagick, and roundcube), Fedora (freetype, libupnp, libwmf, thunderbird, tor, and w3m), Red Hat (chromium-browser and thunderbird), Scientific Linux (thunderbird), and Ubuntu (icoutils, icu, libevent, pidgin, pillow, and python-imaging).

The world wide web has been around for 28 years now. Web inventor Sir TimBerners-Lee writesabout the challenges facing the modern web, including the loss of control ofour personal data, the spread of misinformation, and the lack oftransparency in political advertising. "Political advertising onlinehas rapidlybecome a sophisticated industry. The fact that most people get theirinformation from just a few platforms and the increasing sophistication ofalgorithms drawing upon rich pools of personal data, means that politicalcampaigns are now building individual adverts targeted directly atusers. Onesource suggests that in the 2016 US election, as many as 50,000variations of adverts were being served every single day on Facebook, anear-impossible situation to monitor. And there are suggestions that somepolitical adverts – in the US and around the world – are being used inunethical ways – to point voters to fake news sites, for instance, or to keepothers away from the polls. Targeted advertising allows a campaign tosay completely different, possibly conflicting things to differentgroups. Is that democratic?"

The LLVM 4.0.0 release is out. "This release is the result of the community's work over the past sixmonths, including: use of profile data in ThinLTO, more aggressiveaggressive dead code elimination, experimental support for coroutines,experimental AVR target, better GNU ld compatibility and significantperformance improvements in LLD, as well as improved optimizations,many bug fixes and more." The LLVM compiler project has moved to anew numbering scheme with this release, where the first number incrementswith each major release.

Security updates have been issued by Arch Linux (chromium, firefox, libxslt, and thunderbird), Debian (firefox-esr, icoutils, and pidgin), Fedora (firefox, freetype, GraphicsMagick, kdelibs, kdelibs3, kernel, libupnp, munin, php-pear-PHP-CodeSniffer, thunderbird, and wireshark), Mageia (flac, flash-player-plugin, potrace, and wireshark), openSUSE (bitlbee, cacti, kdelibs4, kio, lynx, openssh, pax-utils, perl-Image-Info, Wireshark, and xen), and SUSE (qemu).

The 4.11-rc2 kernel prepatch is out fortesting. "I think we're in fine shape for this stage in thedevelopment kernel, it shouldn't be particularly scary to just say 'I'll bea bit adventurous and test an rc2 kernel'. Yes, it's early rc time still,but go on, help us make sure we're doing ok."

The 4.10.2,4.9.14, and4.4.53 stable kernel updates are out; eachcontains another relatively large set of important fixes.

Security updates have been issued by Debian (firefox-esr, pidgin, and vim), openSUSE (potrace and sane-backends), SUSE (xen), and Ubuntu (libarchive and lxc).

Ars Technica is reporting that a recently patched vulnerability in the Apache Struts 2 web framework is being actively exploited in the wild."It's not clear why the vulnerability is being exploited so widely 48 hours after a patch was released. One possibility is that the Apache Struts maintainers didn't adequately communicate the risk. Although they categorize the vulnerability security rating as high, they also describe it as posing a 'possible remote code execution' risk. Outside researchers, meanwhile, have said the exploits are trivial to carry out, are highly reliable, and require no authentication. It's also easy to scan the Internet for vulnerable servers. It's also possible to exploit the bug even if a Web application doesn't implement file upload functionality."

Security updates have been issued by CentOS (firefox and kvm), Debian (kernel and wget), Fedora (drupal7-views, firefox, GraphicsMagick, knot, and knot-resolver), Oracle (firefox), Red Hat (firefox), Scientific Linux (firefox), and Ubuntu (kde4libs and linux-aws).

The LWN.net Weekly Edition for March 9, 2017 is available.

Samba 4.6 has been released with many new features and changes. Newfeatures include Kerberos client encryption types, a new option for ownerinheritance, multi-process Netlogon support, new options for controllingTCP ports used for RPC services, and more.

Security updates have been issued by Debian (texlive-base), Fedora (cacti, drupal7-metatag, freeipa, mingw-gtk-vnc, suricata, and xen), Oracle (kvm), Red Hat (java-1.8.0-ibm and kvm), Scientific Linux (kvm), Slackware (firefox and thunderbird), SUSE (qemu), and Ubuntu (firefox, imagemagick, kernel, linux, linux-gke, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux, linux-ti-omap4, linux-hwe, linux-lts-trusty, linux-lts-xenial, and network-manager-applet).

On February 28th, GitHub publisheda brand new version of its Terms ofService (ToS). While the firstdraft announced earlier in February didn't generate much reaction, thenew ToS raised concerns that they may break at least the spirit, if not theletter, of certain free-software licenses. Digging in further reveals thatthe situation is probably not as dire as some had feared.

Firefox 52.0 has been released. This version features support forWebAssembly, adds user warnings for non-secure HTTP pages with logins,implements the Strict Secure Cookies specification which forbids insecureHTTP sites from setting cookies with the "secure" attribute, and enhancesSync to allow users to send and open tabs from one device to another. Seethe releasenotes for more information.

Security updates have been issued by Debian (freetype and libzip-ruby), Fedora (cacti, canl-c, and mupdf), and openSUSE (bind, munin, and mysql-community-server).

Ars Technica arguesthat Encrypted Media Extensions (EME), a framework that will allow thedelivery of DRM-protected media through the browser, will be good for theweb. "Moreover, a case could be made that EME will make it easier for content distributors to experiment with—and perhaps eventually switch to—DRM-free distribution.Under the current model, whether it be DRM-capable browser plugins or DRM-capable apps, a content distributor such as Netflix has no reason to experiment with unprotected content. Users of the site's services are already using a DRM-capable platform, and they're unlikely to even notice if one or two videos (for example, one of the Netflix-produced broadcasts like House of Cards or the forthcoming Arrested Development episodes) are unprotected. It wouldn't make a difference to them."The Free Software Foundation has adifferent take on EME. "We have been fighting EME since 2013, and we will not back off because the W3C presents weak guidance as a fig leaf for DRM-using companies to hide their disrespect for users' rights. Companies can impose DRM without the W3C; but we should make them do it on their own, so it is seen for what it is—a subversion of the Web's principles—rather than normalize it or give it endorsement."