LWN.net

Collabora Office 5.3 has been releasedwith all the fixes and several backported features from the upstreamLibreOffice 5.3 release. "The biggest change in this release is the inclusion of a long list of new features, combined with many User Interface improvements, making Collabora Office more powerful and at the same time faster and more comfortable to work with."

The multiqueue block layer subsystem,introduced in 2013, was a necessary step for the kernel to scale to the fasteststorage devices on large systems. The implementation in current kernels isincomplete, though, in that it lacks an I/O scheduler designed to work withmultiqueue devices. That gap iscurrently set to be closed in the 4.12 development cycle when the kernelwill probably get not just one, but two new multiqueue I/O schedulers.

Stable kernel 3.18.50 has been releasedwith many important fixes. Users should upgrade.

Security updates have been issued by Arch Linux (firefox and weechat), Debian (chicken, firefox-esr, libcroco, libreoffice, and tiff), Fedora (backintime, bind, firefox, libarchive, libnl3, pcre2, php-pear-CAS, and python-django), Mageia (icu and proftpd), openSUSE (mozilla-nss and wireshark), Red Hat (java-1.6.0-sun, java-1.7.0-oracle, and java-1.8.0-oracle), Scientific Linux (firefox and java-1.8.0-openjdk), Slackware (mozilla, ntp, and proftpd), and Ubuntu (firefox).

The openSUSE project has announced that the release following openSUSE Leap42 will be called openSUSE Leap 15. "SUSE have decided that their next version of SLE will be 15, not 13.Upon learning of SUSE's plans the Board and Leap release team havebeen considering our options.This included ignoring the changes to SLE and releasing Leap 43 asplanned, at the cost of the link between SLE versions and Leapversions.45 was also considered, as were some frankly hilarious ideas that mademe worry about my own sanity and that of my fellow contributors.After considering the pros and cons of all the options however, thedecision has been that Leap 15 will be our next version."

Linus has released 4.11-rc8 instead of theexpected 4.11 final. "So originally I was just planning on releasing the final 4.11 today,but while we didn't have a *lot* of changes the last week, we had acouple of really annoying ones, so I'm doing another rc releaseinstead. I did get fixes for the issues that popped up, so I couldhave released 4.11 as-is, but it just doesn't feel right."

Over at Opensource.com, Rich Bowen looks at some of the new features in OpenStack Ocata, which was released back in February."First, it's important to remember that the Ocata cycle was very short. We usually do a release every six months, but with the rescheduling of the OpenStack Summit and OpenStack PTG (Project Team Gathering) events, Ocata was squeezed into 4 months to realign the releases with these events. So, while some projects squeezed a surprising amount of work into that time, most projects spent the time on smaller features and finishing up tasks leftover from the previous release.At a high level, the Ocata release was all about upgrades and containers, themes that I heard from almost every team I interviewed. Developers spoke of how we can make upgrades smoother, and how we can deploy bits of the infrastructure in containers. These two things are closely related, and there seems to be more cross-project collaboration this time around than I've noticed in the past."

The 4.10.12, 4.9.24, and 4.4.63 stable kernels have been released.Users of those series should upgrade.

Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, and nss and nss-util), Debian (icedove), Fedora (jenkins-xstream and xstream), Mageia (chromium-browser-stable, flash-player-plugin, gimp, and wireshark), openSUSE (gstreamer-0_10-plugins-base), Oracle (bind, firefox, java-1.8.0-openjdk, and nss and nss-util), Red Hat (firefox and java-1.8.0-openjdk), Scientific Linux (bind, firefox, nss and nss-util, and nss-util), SUSE (xen), and Ubuntu (bind9, curl, freetype, and qemu).

Here's anopensource.com article describing how the Python global interpreterlock works and some nuances of writing threaded Python code."Although the GIL does not excuse us from the need for locks, it doesmean there is no need for fine-grained locking. In a free-threaded languagelike Java, programmers make an effort to lock shared data for the shortesttime possible, to reduce thread contention and allow maximumparallelism. Because threads cannot run Python in parallel, however,there's no advantage to fine-grained locking. So long as no thread holds alock while it sleeps, does I/O, or some other GIL-dropping operation, youshould use the coarsest, simplest locks possible."

The scheduler is a topic of keen interest for the desktop user;the scheduling algorithm partially determines the responsiveness ofthe Linux desktop as a whole. Con Kolivas maintains a series of scheduler patch setsthat he has tuned considerably over the years for his own use, focusingprimarily on latency reduction for a better desktop experience. Inearly October 2016, Kolivas updated the design of his popular desktopscheduler patch set, which he renamed MuQSS. It is an update (and a namechange) from his previous scheduler, BFS, and it is designed to addressscalability concerns that BFS had with an increasing number of CPUs.

Security updates have been issued by Arch Linux (chromium and nss), CentOS (bind and qemu-kvm), Debian (firefox-esr, ghostscript, hunspell-en-us, and uzbek-wordlist), Fedora (php-onelogin-php-saml), openSUSE (bind, gstreamer-plugins-good, and xen), Red Hat (bind, firefox, nss, nss and nss-util, and nss-util), and SUSE (ruby2.1).

The LWN.net Weekly Edition for April 20, 2017 is available.

Linux usage in networking hardware has been on the rise for sometime. During the latest Netdevconference held in Montreal this April, people talked seriously aboutLinux running on high end, "top of rack" (TOR) networking equipment. Thosedevices have long been the realm of proprietary hardware and softwarecompanies like Cisco or Juniper, but Linux seems to be making somesignificant headway into the domain. Are we really seeingthe rise of Linux in high-end networking hardware?

Mozilla has released Firefox 53.0. From the releasenotes: "Today's Firefox release makes Firefox faster and morestable with a separate process for graphics compositing (the QuantumCompositor). Compact themes and tabs save screen real estate, and theredesigned permissions notification improves usability. Learn more on the Mozilla Blog."

Linus Torvalds recently let it be knownthat the 4.11-rc7 kernel prepatch had a good chance of being the last forthis development series. So the time has come to look at this developmentcycle and the contributors who made it happen.

Security updates have been issued by CentOS (libreoffice), Debian (icedove, icu, and imagemagick), Fedora (bind, bind99, ghostscript, libxml2, ming, ntp, proftpd, and qemu), Oracle (bind and libreoffice), Red Hat (bind, qemu-kvm, and qemu-kvm-rhev), Scientific Linux (bind, libreoffice, and qemu-kvm), Slackware (minicom), and SUSE (xen).

Every conference venue has problems with the mix of room sizes, butI don't recall ever going to a talk that so badly needed to be in abigger room as Jessie Frazelle and Alex Mohr's talkat CloudNativeCon/KubeCon Europe 2017 on securing Kubernetes.The cause of the enthusiasmwas the opportunity to get "best practice" information on securingKubernetes, and how Kubernetes might be evolving to assist with this,directly from the source.

The xda-developers blog looksat Project Halium. "This open-source project is trying to pooldevelopers from Ubuntu Touch ports, Sailfish OS community developers, theopen webOS Lune OS project, and KDE Plasma Mobile contributors, among otherdevelopers (Jolla, we suspect) to put an end to the fragmentation seen intheir respective project’s lower-level base. Currently, Ubuntu Touch,Sailfish OS/Mer, Plasma Mobile, and others use different Android sourcetrees and methods for differently-built stacks. This leads to a lot offragmentation among the most popular non-Android, GNU/Linux-based mobile OSprojects in their use of the Android source tree, how the Android init isstarted, and how images are flashed to the device. Many of these projectsessentially do the same job, but in a different way." The goal ofHalium is to work towards a common Linux base, which can be used byall of these different projects.

The Docker blog introducesthe Moby Project, which aims to advance the software containerizationmovement. "It provides a “Lego set” of dozens of components, a framework for assembling them into custom container-based systems, and a place for all container enthusiasts to experiment and exchange ideas. Think of Moby as the “Lego Club” of container systems."

Security updates have been issued by Debian (feh, freetype, and radare2), Fedora (kernel and libsndfile), openSUSE (audiofile, dracut, gstreamer, gstreamer-plugins-bad, jasper, libpng15, proftpd, and tigervnc), Oracle (qemu-kvm), Red Hat (kernel, libreoffice, and qemu-kvm-rhev), and SUSE (bind and tiff).

The 4.10.11,4.9.23,4.4.62, and3.18.49 stable kernel updates areavailable. For those who are surprised to see a 3.18 update after thatseries was declared end-of-life, Greg Kroah-Hartman explains it this way: "3.18? Wasn't that kernel dead and forgotten and left torot on the side of the road? Yes, it was, but unfortunately, there's afew million or so devices out there in the wild that still rely on thiskernel. Now, some of their manufacturers and SoC vendors might not bekeeping their kernels up to date very well, but some do actually careabout security and their users, so this release is for them. If youhappen to have a vendor that does not care about their users, gocomplain, as odds are, your device is very insecure right now..."

On April 12 Dmitry Bogatov, a mathematician and Debian maintainer, was arrestedin Russia for "incitation to terrorism" because of some messages thatwent through his Tor exit node. "Though, the very nature of Bogatovcase is a controversial one, as it mixes technical and legal arguments, andmakes necessary both strong legal and technical expertise involved. Indeed,as a Tor exit node operator, Dmitry does not have control andresponsibility on the content and traffic that passes through his node: itwould be the same as accusing someone who has a knife stolen from her housefor the murder committed with this knife by a stranger." The DebianProject made a brief statement.

Scientific Linux 6.9 has been released for i386/x86_64 architectures. Seethe releasenotes and the upstreamrelease notes for details.

The 4.11-rc7 kernel prepatch has beenreleased. "We're in the late rc phase, and thismay be the last rc if nothing surprising happens."

Security updates have been issued by Debian (libosip2, openoffice.org-dictionaries, and qbittorrent), Fedora (kernel, libpng12, libsndfile, libtiff, mediawiki, mupdf, qt5-qtwebengine, samba, xen, xorgxrdp, and xrdp), Mageia (mediawiki, ming, python-django, unshield, and webkit2), and openSUSE (postgresql93).

The 2017 Debian project leader (DPL) election has completed; Chris Lamb won, over incumbent DPL Mehdi Dogguy. Details of the voting can be found on the election web page. Dogguy posted his last "bits from the DPL" congratulating Lamb, filling the project in on what he has been up to over the last month plus, and more: "Serving as DPL for the past year has been a real honour and afantastic experience for me. It also helped me to have a differentperspective on the project and my future involvement.Last but not least, I wanted to confirm to other fellow DebianDevelopers that serving as DPL is not a traumatic experience and I amstill as sane as I was one year ago :-) If you have ideas on how tomake Debian a better place, project, OS, community, FOSS citizen, …please nominate yourself for DPL elections next year! Worst casescenario, you would contribute to the debate about Debian's future."

Registration for the 2017 Linux Plumbers Conference is now open. "Registrationprices and cutoff dates are published in the ATTEND page of theweb site. A reminder that we are following a quota system to releaseregistration slots. Therefore the early registration rate will remainin effect until early registration closes on June 18 2017, or the quotalimit (150) is reached, whatever comes earlier." LPC will be held in Los Angeles, CA, US on 13-15 September inconjunction with The Linux Foundation Open Source Summit.

Security updates have been issued by Oracle (kernel) and Slackware (bind).

The Fedora Project has come up with a new mission statement:"Fedora creates an innovative platform that lights up hardware, clouds, and containers for software developers and community members to build tailored solutions for their users." See the full text for a description of what it means and how they arrived at it.

With the speed of network hardware now reaching 100 Gbpsand distributed denial-of-service (DDoS) attacks going in theTbpsrange, Linux kernel developers are scrambling tooptimize key network paths in the kernel to keep up. Many efforts areactually gearedtoward getting traffic out of the costly Linux TCP stack. We havealready covered the XDP (eXpressData Path) patch set, but two new ideas surfaced during theNetconf and Netdev conferences held in Toronto and Montreal in earlyApril 2017.

The most recent version of the Ubuntu Linux distribution, 17.04 or Zesty Zapus, has been released with multiple flavors (Kubuntu, Lubuntu, Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE,Ubuntu Studio, Xubuntu, and the most recent addition, Ubuntu Budgie) and several editions (server, desktop, cloud). "Under the hood, there have been updates to many core packages, includinga new 4.10-based kernel, and much more.Ubuntu Desktop has seen incremental improvements, with newer versions ofGTK and Qt, updates to major packages like Firefox and LibreOffice, andstability improvements to Unity.Ubuntu Server 17.04 includes the Ocata release of OpenStack, alongsidedeployment and management tools that save devops teams time whendeploying distributed applications - whether on private clouds, publicclouds, x86, ARM, or POWER servers, z System mainframes, or on developerlaptops. Several key server technologies, from MAAS to juju, have beenupdated to new upstream versions with a variety of new features." See the release notes for more information.

Security updates have been issued by CentOS (389-ds-base, httpd, kernel, libreoffice, tomcat, and util-linux), Fedora (libpng15, php-horde-Horde-Crypt, and python-sleekxmpp), openSUSE (gimp, lxc, and phpMyAdmin), Oracle (389-ds-base, httpd, kernel, libreoffice, tomcat, and util-linux), Red Hat (389-ds-base, flash-plugin, httpd, libreoffice, python-defusedxml and python-pysaml2, tomcat, and util-linux), Scientific Linux (389-ds-base, httpd, kernel, libreoffice, tomcat, and util-linux), and SUSE (bind and flash-player).

The LWN.net Weekly Edition for April 13, 2017 is available.

Simon Fels introduceshis Anbox (Android in a Box) project, which uses LXC containers to bringAndroid applications to your desktop. "Anbox uses Linux namespaces(user, network, cgroup, pid, ..) to isolate the Android operating systemfrom the host. For Open GL ES support Anbox takes code parts from theAndroid emulator implementation to serialize the command stream and send itover to the host where it is mapped on existing Open GL or Open GL ESimplementations." Anbox is still pre-alpha so expect crashes andinstability.

We have seen that a microservicearchitecture is intimately tied to the use of a TCP/IP network as theinterconnecting fabric, so when Bernard Van De Walle from Aporeto gave a talk at CloudNativeConand KubeCon Europe 2017 on why we shouldn't bother securing thatnetwork, it seemed a pretty provocative idea.

The Nginx web server version 1.12 has beenreleased, "incorporating new features and bug fixes from the 1.11.xmainline branch - including variables support and other improvements in thestreammodule, HTTP/2fixes, support for multipleSSL certificates of different types, improved dynamic modules support,and more." The changelog has more details.

Jane Silber announcesthe end of her tenure as CEO of Canonical. "Over the next threemonths I will remain CEO but begin to formally transfer knowledge andresponsibility to others in the executive team. In July, Mark[Shuttleworth] will retake the CEO role and I will move to the Canonical Board of Directors. In termsof a full-time role, I will take some time to recharge and then seek newchallenges."

This article covers the second day of the informal Netconf discussions,held on on April 4, 2017. Topics discussed this day included thebinding of sockets in VRF, identification of eBPF programs, inconsistenciesbetween IPv4 and IPv6, changes to data-center hardware, and more.

Greg KH has released stable kernels 4.10.10, 4.9.22, and 4.4.61. All of them contain important fixesand users should upgrade.

Security updates have been issued by Debian (bouncycastle), Fedora (flatpak), openSUSE (php7 and slrn), Oracle (389-ds-base and kernel), Red Hat (kernel and kernel-rt), Scientific Linux (389-ds-base and kernel), SUSE (xen), and Ubuntu (dovecot).

Here's thesecond part in the detailed Google Project Zero series on using the BroadcomWiFi stack to compromise the host system. "In this post, we’llexplore two distinct avenues for attacking the host operating system. Inthe first part, we’ll discover and exploit vulnerabilities in thecommunication protocols between the Wi-Fi firmware and the host, resultingin code execution within the kernel. Along the way, we’ll also observe acurious vulnerability which persisted until quite recently, using whichattackers were able to directly attack the internal communication protocolswithout having to exploit the Wi-Fi SoC in the first place! In the secondpart, we’ll explore hardware design choices allowing the Wi-Fi SoC in itscurrent configuration to fully control the host without requiring avulnerability in the first place."

OpenBSD 6.1 has been released.This version adds the arm64 platform, using clang as the base systemcompiler. The loongson platform supports systems with Loongson 3A CPU andRS780E chipset. The armish, sparc, and zaurus platforms have been retired.

Pocl aims to become a performance portable open source (MIT-licensed)implementation of the OpenCL standard. Version0.14 adds support for LLVM/Clang 4.0 and 3.9 and a new binary formatthat enables running OpenCL programs on hosts without online compilersupport. There is also initial support for out-of-order command queue taskscheduling and plenty of bug fixes.

As is becoming traditional, two times a year the kernel networkingcommunity meets in a two-stage conference: an invite-only, informal, two-dayplenary session called Netconf,held in Toronto this year, and a moreconventional one-track conference open to the public called Netdev. This article covers the first day of the conference which consisted ofaround 25 Linux developers meeting under the direction of David Miller, thekernel's networking subsystem maintainer.

Security updates have been issued by Debian (bouncycastle, dovecot, libnl, libnl3, and samba), Fedora (libtiff), Gentoo (chromium, qemu, and xorg-server), openSUSE (pidgin), Red Hat (389-ds-base and kernel), Slackware (vim), and Ubuntu (dovecot and webkit2gtk).

The Mozilla Open Source Support (MOSS) program awards grants to projects"that contribute to our work and to the health of theInternet." Recentrecipients include SecureDrop, libjpeg-turbo, LLVM, LEAP EncryptionAccess Project, and Tokio. There have also been MOSS supported audits ofntp, ntpsec, curl, and more. "We ran a major joint audit on two codebases, one of which is a fork of the other – ntp and ntpsec. ntp is a server implementation of the Network Time Protocol, whose codebase has been under development for 35 years. The ntpsec team forked ntp to pursue a different development methodology, and both versions are widely used. As the name implies, the ntpsec team suggest that their version is or will be more secure. Our auditors did find fewer security flaws in ntpsec than in ntp, but the results were not totally clear-cut."

Daniel Vetter discusses how to getpeople to review code. "The take away from these two articlesseems to be that review is hard, there’s a constant lack of capable andwilling reviewers, and this has been the state of review since forever. I’dlike to counter pose this with our experiences in the graphics subsystem,where we’ve rolled out a well-working review process for the Intel driver,core subsystem and now the co-maintained small driver efforts with success,and not all that much pain."

When a monolithic application is divided up into microservices, one new problem that must be solved is how to connect all those microservicesto provide the old application's functionality. Linkerd, which is now officially a Cloud-Native Computing Foundation project, is a transparent proxy which solves this problem bysitting between those microservices and routing their requests.Two separate CNC/KubeCon events — a talk by Oliver Gould briefly joined by Oliver Beattie, and a salon hosted by Gould — provided a view of linkerd and what it can offer.

Security updates have been issued by Arch Linux (mediawiki, python-django, and python2-django), Debian (jasper, libdatetime-timezone-perl, logback, ming, potrace, and tzdata), Fedora (curl, ghostscript, icecat, and xen), openSUSE (apparmor), and Slackware (libtiff).