Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-18 20:00
Rowley: What’s new in the Postgres 16 query planner / optimizer
David Rowley looks deeply into the improvements coming to the query planner in PostgreSQL 16.
Security updates for Friday
Security updates have been issued by Debian (webkit2gtk), Fedora (atril, chromium, gnutls, python-aiohttp, and webkitgtk), Gentoo (libxml2), Mageia (gnutls, gpac, kernel, kernel-linus, microcode, pam, and postfix), Red Hat (container-tools:2.0, container-tools:3.0, container-tools:4.0, container-tools:rhel8, gimp, libmaxminddb, python-pillow, runc, and unbound), SUSE (cosign, netpbm, python, python-Pillow, python3, and python36), and Ubuntu (libde265, linux-gcp, linux-gcp-5.4, and linux-intel-iotg).
Google announces 2024 season of docs
On February 2, Google announced this year's "Season of Docs", a program complementing its Summer of Code program by providing funding to open source projects to hire technical writers to improve their documentation. Interested projects have until April 2 to apply.
Brennan: What's Inside a Linux Kernel Core Dump
Stephen Brennan describes kernel core dumps in excruciating detail.
A new CEO for Mozilla
Mitchell Baker has announced that she is stepping down from the role of Mozilla CEO, effective immediately. Laura Chambers will be the new CEO "for the remainder of the year".
[$] Pitchforks for RDSEED
The generation of random (or, at least, unpredictable) numbers is key to many security technologies. For this reason, the provision of random data as a CPU feature has drawn a lot of attention over the years. A proper hardware-based random-number generator can address the problems that make randomness hard to obtain in some systems, but only if the manufacturer can be trusted to not have compromised that generator in some way. A recent discussion has brought to light a different problem, though: what happens if a hardware random-number generator can be simply driven into exhaustion?
Glibc becomes a CVE Numbering Authority
The GNU C Library project has been accepted as a CVE Numbering Authority (CNA), meaning that the project is now in control of the CVE numbers assigned to its code.
Security updates for Thursday
Security updates have been issued by Debian (chromium), Red Hat (gimp, kernel, kernel-rt, and runc), Slackware (expat), SUSE (libavif), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive).
[$] LWN.net Weekly Edition for February 8, 2024
The LWN.net Weekly Edition for February 8, 2024 is available.
Please welcome Joe Brockmeier to LWN
At the beginning of November, we let it be known that we were looking to hire a writer/editor to augment the LWN team. In past attempts, we have found it difficult to attract writers who could produce the kind of content that LWN readers expect. This time around, as we have said before, was different; we had a number of candidates who could have filled the bill and were forced to make some difficult choices. While "hire them all" was an attractive idea, it was not one that our budget would support. We did conclude, however, that we could stretch to a second hire. So we are pleased to announce that the opportunity to bring Joe Brockmeier on board was too good to pass up - so we didn't. You will start to see his work return to LWN within the next few days.
Go 1.22 released
Go 1.22, the most recent version of the Go programming language, has been released. It comes with two language changes to for loops: a fix for a longstanding "gotcha" with accidentally sharing loop variables between iterations and adding the ability to range over integer values. There are also additions to the standard library, improved performance, and more. See the release notes for further information.
[$] So you think you understand IP fragmentation?
What is IP fragmentation, why is it important, and do people understand it? The answer to that last question is "not as well as they think". This article will also answer the rest of those questions and introduce fragquiz, a game that I wrote to allow players to guess how IP packets will behave when they are too large for the network. As evidence that IP fragmentation is not well-understood, a room full of networking experts played fragquiz and got a score that was nowhere close to perfect. In addition, I will describe a new algorithm for fragmentation avoidance, which some colleagues and I developed, that helped motivate development of fragquiz.
Security updates for Wednesday
Security updates have been issued by Red Hat (gimp) and Ubuntu (firefox, linux-oracle, linux-oracle-5.15, and python-django).
[$] GNU C Library version 2.39
The GNU C Library (glibc) released version 2.39 on January 31, including several new features. Notable highlights include new functions for spawning child processes, support for shadow stacks on x86_64, new security features, and the removal of libcrypt. The glibc maintainers had also hoped to include improvements to qsort(), which ended up not making it into this release. Glibc releases are made every six months.
Security updates for Tuesday
Security updates have been issued by CentOS (firefox, gstreamer1-plugins-bad-free, and tigervnc), Debian (ruby-sanitize), Fedora (kernel, kernel-headers, qt5-qtwebengine, and runc), Oracle (gnutls, kernel, libssh, rpm, runc, and tigervnc), Red Hat (runc), and SUSE (bouncycastle, jsch, python, and runc).
Three new stable kernels
Greg Kroah-Hartman has announced the release of the 6.7.4, 6.6.16, and 6.1.77 stable kernels. As usual, they contain important fixes all over the kernel tree.
[$] The end of tasklets
A common problem in kernel development is controlling when a specific task should be done. Kernel code often executes in contexts where some actions (sleeping, for example, or calling into filesystems) are not possible. Other actions, while possible, may prevent the kernel from taking care of a more important task in a timely manner. The kernel community has developed a number of deferred-execution mechanisms designed to ensure that every task is handled at the right time. One of those mechanisms, tasklets, has been eyed for removal for years; that removal might just happen in the near future.
Security updates for Monday
Security updates have been issued by Debian (rear, runc, sudo, and zbar), Fedora (chromium, grub2, libebml, mingw-python-pygments, and python-aiohttp), Gentoo (FreeType, GNAT Ada Suite, Microsoft Edge, NBD Tools, OpenSSL, QtGui, SDDM, Wireshark, and Xen), Mageia (dracut, glibc, nss and firefox, openssl, packages, perl, and thunderbird), Slackware (libxml2), SUSE (java-11-openjdk, java-17-openjdk, perl, python-uamqp, slurm, and xerces-c), and Ubuntu (libssh and openssl).
Kernel prepatch 6.8-rc3
The 6.8-rc3 kernel prepatch is out for testing. "A slightly larger rc3 that I'd have hoped for, although at this stage in the release process it's not something that really worries me yet."
[$] Zig 2024 roadmap
The Zig language 2024 roadmap was presented in a talk last week on Zig Showtime (a show covering Zig news). Andrew Kelley, the benevolent dictator for life of the Zig project, presented his goals for the language, largely focusing on compiler performance and continuing progress toward stabilization for the language. He discussed details of his plan for incremental compilation, and addressed the sustainability of the project in terms of both code contributions and financial support.
Phipps: The European regulators listened to the Open Source communities
Simon Phipps writes on the Open Source Initiative blog that the latest version of the European Cyber Resilience Act is much improved: "As a result of all this effort from so many people, the final text of the CRA mitigated pretty much all the risks we had identified to individual developers and to Open Source foundations."
Security updates for Friday
Security updates have been issued by Debian (chromium, man-db, and openjdk-17), Fedora (chromium, indent, jupyterlab, kernel, and python-notebook), Gentoo (glibc), Oracle (firefox, thunderbird, and tigervnc), Red Hat (rpm), SUSE (cpio, gdb, gstreamer, openconnect, slurm, slurm_18_08, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, squid, webkit2gtk3, and xerces-c), and Ubuntu (imagemagick and xorg-server, xwayland).
[$] The hard life of a virtual-filesystem developer
Filesystem development is not an easy task; the performance demands are typically high, and the consequences for mistakes usually involve lost data and irate users. The implementation of a virtual (or "pseudo") filesystem - a filesystem implemented within the kernel and lacking a normal backing store - can also be challenging, but for different reasons. A series of conversations around the eventfs virtual filesystem has turned a spotlight on the difficulty of creating a virtual filesystem for Linux.
Damn Small Linux 2024 released
A new version of the Damn Small Linux distribution has come out with an updated definition of "damn small":
Stable kernels 6.7.3, 6.6.15, and 6.1.76
The 6.7.3, 6.6.15, and 6.1.76 stable kernels have been released. These contain a large number of important fixes throughout the tree, as is the norm.
Security updates for Thursday
Security updates have been issued by Debian (debian-security-support, firefox-esr, openjdk-11, and python-asyncssh), Fedora (glibc, python-templated-dictionary, thunderbird, and xorg-x11-server-Xwayland), Gentoo (Chromium, Google Chrome, Microsoft Edge and WebKitGTK+), Red Hat (firefox, gnutls, libssh, thunderbird, and tigervnc), SUSE (mbedtls, rear116, rear1172a, runc, squid, and tinyssh), and Ubuntu (glibc and runc).
[$] LWN.net Weekly Edition for February 1, 2024
The LWN.net Weekly Edition for February 1, 2024 is available.
GNU C Library 2.39 released
Version 2.39 of the GNU C Library has been released. Changes include integration with the x86 shadow-stack mechanism, a couple of new posix_spawn() variants for working with control groups, pidfd_spawn() and pidfd_spawnp(), the C2X stdbit.h header, the removal of the libcrypt library, and more. See the release notes for details.
LibreOffice 24.2 Community released
Version 24.2 of the LibreOffice office suite is available. Changes include AutoRecovery enabled by default, styling of comments, better floating-table support, improved accessibility, and more. See the release notes for details.
[$] OpenBSD system-call pinning
Return-oriented programming (ROP) attacks are hard to defend against. Partial mitigations such as address-space layout randomization, stack canaries, and other techniques are commonly deployed to try and frustrate ROP attacks. Now, OpenBSD is experimenting with a new mitigation that makes it harder for attackers to make system calls, although some security researchers have expressed doubt that it will prove effective at stopping real-world attacks. In his announcement message, Theo de Raadt said that this work "makes some specific low-level attack methods unfeasible on OpenBSD, which will force the use of other methods."
A locally exploitable glibc vulnerability
Qualys has disclosed a vulnerability in the GNU C Library that can be exploited by a local attacker for root access. It was introduced in the 2.37 release, and also backported to 2.36.
Security updates for Wednesday
Security updates have been issued by Debian (bind9 and glibc), Fedora (ncurses), Gentoo (containerd, libaom, and xorg-server, xwayland), Mageia (python-pillow and zlib), Oracle (grub2 and tomcat), Red Hat (avahi, c-ares, container-tools:3.0, curl, firefox, frr, kernel, kernel-rt, kpatch-patch, libfastjson, libmicrohttpd, linux-firmware, oniguruma, openssh, perl-HTTP-Tiny, python-pip, python-urllib3, python3, rpm, samba, sqlite, tcpdump, thunderbird, tigervnc, and virt:rhel and virt-devel:rhel modules), SUSE (python-Pillow, slurm, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, and xen), and Ubuntu (libde265, linux-nvidia, mysql-8.0, openldap, pillow, postfix, and xorg-server, xwayland).
[$] Looking ahead to Emacs 30
EmacsConf 2023 was, like its recent predecessors, an online conference with lots of talks about various aspects of the Emacs editor - though, of course, it is way more than just an editor. Last year's edition was held in early December. One of the talks that looked interesting was on Emacs development, which was given live by John Wiegley. In it, he briefly described some of the biggest features coming in Emacs 30, which is the next major version coming for the tool.
The state of eBPF
The eBPF Foundation has published a glossy document called The State of eBPF; it seems mostly concerned with how a small number of large companies are using and developing this technology.
Security updates for Tuesday
Security updates have been issued by Debian (pillow, postfix, and redis), Fedora (python-templated-dictionary and selinux-policy), Red Hat (gnutls, kpatch-patch, libssh, and tomcat), and Ubuntu (amanda, ceph, linux-azure, linux-azure-4.15, linux-kvm, and tinyxml).
[$] Defining the Rust 2024 edition
In December, the Rust project released a call for proposals for inclusion in the 2024 edition. Rust handles backward incompatible changes by using Editions, which permit projects to specify a single stable edition for their code and allow libraries written in different editions to be linked together. Proposals for Rust 2024 are now in, and have until the end of February to be debated and decided on. Once the proposals are accepted, they have until May to be implemented in time for the 2024 edition to be released in the second half of the year.
Security updates for Monday
Security updates have been issued by CentOS (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, kernel, LibRaw, python-pillow, and xorg-x11-server), Debian (gst-plugins-bad1.0, libspreadsheet-parsexlsx-perl, mariadb-10.3, and slurm-wlm), Fedora (atril, dotnet8.0, gnutls, prometheus-podman-exporter, python-jinja2, sudo, and vips), Oracle (frr, kernel, php:8.1, python-urllib3, python3.9, rpm, sqlite, and tomcat), Slackware (pam), SUSE (cpio, rear23a, rear27a, sevctl, and xorg-x11-server), and Ubuntu (exim4 and firefox).
Kernel prepatch 6.8-rc2
Linus has released 6.8-rc2 for testing. "So go out and test. It's safe now. You trust me, right?"
[$] Better handling of integer wraparound in the kernel
While the mathematical realm of numbers is infinite, computers are only able to represent a finite subset of them. That can lead to problems when arithmetic operations would create numbers that the computer is unable to store as the intended type. This condition, called "overflow" or "wraparound" depending on the context, can be the source of bugs, including unpleasant security vulnerabilities, so it is worth avoiding. This patch series from Kees Cook is intended to improve the kernel's handling of these situations, but it is running into a bit of resistance.
Security updates for Friday
Security updates have been issued by Debian (xorg-server), Fedora (chromium, dotnet8.0, firefox, freeipa, and thunderbird), Red Hat (avahi, c-ares, curl, edk2, expat, freetype, frr, git, gnutls, grub2, kernel, kernel-rt, libcap, libfastjson, libssh, libtasn1, libxml2, linux-firmware, ncurses, oniguruma, openssh, openssl, perl-HTTP-Tiny, protobuf-c, python-urllib3, python3, python3.9, rpm, samba, shadow-utils, sqlite, tcpdump, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (cpio, jasper, rear23a, thunderbird, and xorg-x11-server), and Ubuntu (jinja2, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.1, and mariadb, mariadb-10.3, mariadb-10.6).
Seven new stable kernels
Greg Kroah-Hartman has announced the release of the 6.7.2, 6.6.14, 6.1.75, 5.15.148, 5.10.209, 5.4.268, and 4.19.306 stable kernels. As usual, they contain a long list of fixes throughout the kernel tree.
[$] The things nobody wants to pay for
The free-software community has managed to build a body of software that is worth, by most estimates, many billions of dollars; all of this code is freely available to anybody who wants to use or modify it. It is an unparalleled example of independent actors working cooperatively on a common resource. Free software is certainly a success story, but all is not perfect. One of the community's greatest strengths - convincing companies to contribute to this common resource - is also part of one of its biggest weaknesses.
GCC security features from AdaCore
The AdaCore blog describes some hardening features contributed to GCC for the GCC 14 release.
Security updates for Thursday
Security updates have been issued by Debian (chromium, firefox-esr, php-phpseclib, phpseclib, thunderbird, and zabbix), Fedora (dotnet7.0, firefox, fonttools, and python-jinja2), Mageia (avahi and chromium-browser-stable), Oracle (java-1.8.0-openjdk, java-11-openjdk, LibRaw, openssl, and python-pillow), Red Hat (gnutls, kpatch-patch, php:8.1, and squid:4), SUSE (apache-parent, apache-sshd, bluez, cacti, cacti-spine, erlang, firefox, java-11-openjdk, opera, python-Pillow, tomcat, tomcat10, and xwayland), and Ubuntu (paramiko and puma).
[$] LWN.net Weekly Edition for January 25, 2024
The LWN.net Weekly Edition for January 25, 2024 is available.
[$] Python, packaging, and pip—again
Python packaging discussions seem like they often just go around and around, ending up where they started and recapitulating many of the points that have come up before. A recent discussion revolves around the pip package installer, as they often do. The central role that is occupied by pip has both good points and bad. There is a clear need for something that can install from the Python Package Index (PyPI) immediately after Python itself is installed. Whether there should be additional features, including project management, that come "inside the box", as well, is much less clear - not unlike the question of which project management "style" should be chosen.
Security updates for Wednesday
Security updates have been issued by Debian (jinja2, openjdk-11, ruby-httparty, and xorg-server), Fedora (ansible-core and mingw-jasper), Gentoo (GOCR, Ruby, and sudo), Oracle (gstreamer-plugins-bad-free, java-17-openjdk, java-21-openjdk, python-cryptography, and xorg-x11-server), Red Hat (kernel, kernel-rt, kpatch-patch, LibRaw, python-pillow, and python-pip), Slackware (mozilla), SUSE (python-Pillow, rear118a, and redis7), and Ubuntu (libapache-session-ldap-perl and pycryptodome).
[$] Microdot: a web framework for microcontrollers
There are many different Python web frameworks, from nano-frameworks all the way up to the full-stack variety. One that recently caught my eye is Microdot, the "impossibly small web framework for Python and MicroPython"; since it targets MicroPython, it is plausible for running the user interface of an "internet of things" (IoT) device, for example. Beyond that, it is Flask-inspired, which should make it reasonably familiar to many potential web developers.
Firefox 122.0 released
Version 122.0 of the Firefox browser is out. Changes include improved search suggestions, improvements to the in-browser translation feature, better line-breaking compatibility, and a shiny new .deb package.
Security updates for Tuesday
Security updates have been issued by Debian (kodi and squid), Fedora (ansible-core, java-latest-openjdk, mingw-python-jinja2, openssh, and pgadmin4), Gentoo (Apache XML-RPC), Red Hat (gnutls and xorg-x11-server), Slackware (postfix), SUSE (bluez and openssl-3), and Ubuntu (gnutls28, libssh, and squid).