LWN.net

The eBPF in-kernel virtual machine isapproaching its tenth anniversary as part of Linux; it has grown into atool with many types of uses in the ecosystem. Alexei Starovoitov, whowas the creator of eBPF and did much of the development of it, especiallyin the early going, gave the opening talk atLinuxSecurity Summit Europe2023 on the relationship between BPF andsecurity. In it, he related some interesting history, from a somewhatdifferent perspective than what is often described, he said. Among otherthings, it shows how BPFhas been both a security problem and a security solution along the way.

OpenSSH 9.5 is out. Significant changes include a transport-level pingmechanism and keystroke timing obfuscation:

Security updates have been issued by Debian (glibc, postgresql-11, and thunderbird), Fedora (openmpi, pmix, prrte, and slurm), Gentoo (glibc and libvpx), Oracle (kernel), Red Hat (kernel), Slackware (libX11 and libXpm), SUSE (firefox, kernel, libeconf, libqb, libraw, libvpx, libX11, libXpm, mdadm, openssl-1_1, poppler, postfix, python311, rubygem-puma, runc, and vim), and Ubuntu (freerdp2, glibc, grub2-signed, grub2-unsigned, libx11, libxpm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, and mozjs102).

The SteamOS Linuxdistribution is focused on gaming, naturally, but the effort to build ithas resulted in contributions to multiple areas in the Linux ecosystem. Alberto Garciahas been working on SteamOS and came to Bilbao, Spain to describe some of thosecontributions at Open Source Summit Europe2023. There are some obviousareas where a gaming-focused OS might contribute upstream, such asgraphics, but the talk showed contributions in several other areas as well.

Qualys has posted anadvisory for a vulnerability in the GNU C Library related to thehandling of the GLIBC_TUNABLES environment variable:

Ars technica reportson an Arm advisory regarding exploitable vulnerabilities in a number ofits GPU drivers.

Security updates have been issued by Debian (exim4), Fedora (firecracker, rust-aes-gcm, rust-axum, rust-tokio-tungstenite, rust-tungstenite, and rust-warp), Gentoo (nvidia-drivers), Mageia (chromium-browser-stable, glibc, and libwebp), Red Hat (kernel), SUSE (ghostscript and python3), and Ubuntu (firefox, libtommath, libvpx, and thunderbird).

In last week's episode, a need to preemptkernel code that is executing long-running instructions led to a deeperreexamination of how the kernel handles preemption. There are a number ofsupported preemption modes, varying from "none" (kernel code is neverpreemptible) to realtime (where the kernel is almost always preemptible).Making better use of the kernel's preemption machinery looked like apossible solution to the immediate problem, but it seems that there arebetter options in store. In short, kernel developers would like to givethe scheduler complete control over CPU-scheduling decisions.

For those who are curious about the recently concluded Git Contributor'sSummit, Taylor Blau has posted an extensive set of notesfrom the event. Topics include next-generation backends, libification,backward compatibility, project management, and more.

Version 3.12 of the Python programming language has been released. The "What's New In Python 3.12" page has plenty of details. Highlights of the release include isolated subinterpreter support, more improvements to error messages, more flexible f-strings, Linux perf support for profiling, and lots more.

Security updates have been issued by Debian (chromium, cups, firefox-esr, firmware-nonfree, gerbv, jetty9, libvpx, mosquitto, open-vm-tools, python-git, python-reportlab, and trafficserver), Fedora (firefox, giflib, libvpx, libwebp, webkitgtk, and xen), Gentoo (Chromium, Google Chrome, Microsoft Edge, ClamAV, GNU Binutils, and wpa_supplicant, hostapd), Mageia (flac, giflib, indent, iperf, java, libvpx, libxml2, quictls, wireshark, and xrdp), Oracle (kernel), Slackware (libvpx and mozilla), and SUSE (bind, python, python-bugzilla, roundcubemail, seamonkey, and xen).

Linus has released 6.6-rc4 for testing."There's nothing particularly odd in here, if you don't count a week ofno networking pull as being odd. That does result in rc4 being fairlysmall, but I suspect we'll just see a bigger rc5 to compensate."

The "Zero Day Initiative" site has posted a number of advisories (1, 2, 3, 4, 5, 6)describing a number of flaws in the Exim mail server, some of which areexploitable remotely. These problems, allegedly, were first reported tothe project in June 2022, well over one year ago. There is somedisagreement over the timing of events, with Exim developer HeikoSchlittermann claimingthat no actual information was received until last May, and an anonymousZDI representative disputingthat story.Either way, the vulnerabilities are now disclosed, but patches are not yeton offer; Schlittermann said that "Fixes are available in a protectedrepository and are ready to be applied by the distributionmaintainers", so hopefully that situation will change soon.

On September 27, 1983, Richard Stallman announced thefounding of the GNU project. His goal, which seemed wildly optimisticand unattainable at the time, was to write a complete Unix-like operatingsystem from the beginningand make it freely available. Exactly 40years later, the GNU projectcelebrated with a hacker meeting inSwitzerland. Your editor had the good fortune to be able to attend.

Security updates have been issued by Debian (firefox-esr, jetty9, and vim), Gentoo (Fish, GMP, libarchive, libsndfile, Pacemaker, and sudo), Oracle (nodejs:16 and nodejs:18), Red Hat (virt:av and virt-devel:av), Slackware (mozilla), SUSE (chromium, firefox, Golang Prometheus, iperf, libqb, and xen), and Ubuntu (linux-raspi).

While the CVE process was created in response to real problems, it's increasingly clear that CVE numbers arecreating problems of their own. At the 2023 GNU Tools Cauldron,Siddhesh Poyarekar expressed the frustration that toolchain developers havefelt as the result of arguing with security researchers about CVE-numberassignments. In response, the GNU toolchain community is trying to bettercharacterize what is - and is not - considered to be a security-relevantbug in its software.

Security updates have been issued by Debian (ncurses), Fedora (emacs, firecracker, firefox, libkrun, python-oauthlib, and virtiofsd), Mageia (glibc and vim), Oracle (18), SUSE (bind, binutils, busybox, cni, cni-plugins, container-suseconnect, containerd, curl, exempi, ffmpeg, firefox, go1.19-openssl, go1.20-openssl, gpg2, grafana, gsl, gstreamer-plugins-bad, gstreamer-plugins-base, libpng15, libwebp, mutt, nghttp2, open-vm-tools, pmix, python-brotlipy, python3, python310, qemu, quagga, rubygem-actionview-5_1, salt, supportutils, xen, and xrdp), and Ubuntu (libwebp, minidlna, puma, and python2.7, python3.5).

The LWN.net Weekly Edition for September 28, 2023 is available.

Using larger block sizes in the kernel for I/O is a recurring topic instorage and block-layer circles. The topic came up in discussions at the Linux Storage, Filesystem, Memory-Management and BPF Summit (LSFMM)back in May. One of the participants in those discussions, Hannes Reinecke, gavea talk at Open Source Summit Europe 2023 with an overview of the reasonsbehind using larger blocks for I/O, the current status of that work, andwhere it all might lead from here.

Security updates have been issued by Oracle (libtiff), Red Hat (libtiff, nodejs:16, and nodejs:18), Slackware (mozilla), SUSE (bind, cacti, cacti-spine, ImageMagick, kernel, libwebp, netatalk, open-vm-tools, postfix, quagga, wire, and wireshark), and Ubuntu (cups, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-bluefield, and linux-bluefield, linux-raspi, linux-raspi-5.4).

The AI boom is clearly upon us, but there are still plenty of questionsswirling around this technology. Some of those questions are legal onesand there have been lawsuits filed to try to get clarification-and perhapsmonetary damages. Van Lindberg is a lawyer who is well-known in theopen-source world; he came to OpenSource Summit Europe2023 in Bilbao, Spain to try to put the currentwork in AI into its legal context.

Version118.0 of the Firefox browser has been released. Changes includeimproved fingerprinting prevention and automated translation: "Automatedtranslation of web content is now available to Firefox users! Unlikecloud-based alternatives, translation is done locally in Firefox, so thatthe text being translated does not leave your machine."

Security updates have been issued by Debian (exempi, glib2.0, lldpd, and netatalk), Fedora (curl, libppd, and linux-firmware), Oracle (kernel), and SUSE (Cadence, frr, modsecurity, python-CairoSVG, python-GitPython, and tcpreplay).

The 1.0 version of the LibrePCB "free, cross-platform, easy-to-use electronic design automation suite to draw schematics and design printed circuit boards". As noted in a blog post back in May, a grant has helped spur development of the tool. The focus for the release has been in adding features that were needed so that "there should be no show stopper anymore which prevents you from using LibrePCB for more complex PCB [printed circuit board] designs". New features include a 3D viewer and export format for working with designs in a mechanical computer aided design (CAD) tool, support for manufacturer part number (MFN) management, and lots of board editor features such as thermal relief pads in planes, blind & buried vias,keepout zones, and more. [Thanks to Alphonse Ogulla.]

The last year or so has seen the posting of a few new filesystem types thatare aimed at supporting container workloads. PuzzleFS, presented at the2023 Kangrejos gathering by ArielMiculas, is another contender in this area, but it has some features of itsown, including a novel compression mechanism and an implementation writtenin Rust.

Security updates have been issued by Debian (bind9, elfutils, flac, ghostscript, libapache-mod-jk, lldpd, and roundcube), Fedora (linux-firmware, roundcubemail, and thunderbird), Mageia (curl, file, firefox/thunderbird, ghostpcl, libtommath, and nodejs), Oracle (kernel, open-vm-tools, qemu, and virt:ol and virt-devel:rhel), SUSE (bind, busybox, djvulibre, exempi, ImageMagick, libqb, libssh2_org, opera, postfix, python, python36, renderdoc, webkit2gtk3, and xrdp), and Ubuntu (accountsservice and open-vm-tools).

The third 6.6 kernel prepatch is out fortesting.

The6.5.5,6.1.55,5.15.133,5.10.197,5.4.257,4.19.295, and4.14.326stable kernel updates have all been released; each contains another set ofimportant fixes.

Back in May, Andre Almeida presented somework toward the creation of user-space spinlocks using adaptivespinning. At that time, the work was stalled because there is, in Linux,currently no way to quickly determine whether a given thread is actuallyexecuting on a CPU. Some progress has since been made on that front; atthe 2023Open Source Summit Europe, Almeida returned to discuss how thatdifficulty might be overcome.

Security updates have been issued by Debian (gsl), Fedora (dotnet6.0 and dotnet7.0), Oracle (libwebp), Slackware (bind, cups, and seamonkey), SUSE (kernel and rust, rust1.72), and Ubuntu (cups, flac, gnome-shell, imagemagick, and python3.5).

All that Ankur Arora seemingly wanted to do with thispatch set was to make the process of clearing huge pages on x86systems go a little faster. What resulted was an extensive discussion onthe difficulties of managing preemption correctly in the kernel. It may bethat some changes will come to the plethora of preemption models that thekernel currently offers.

Security updates have been issued by Debian (mutt, netatalk, and python2.7), Fedora (chromium, golang-github-prometheus-exporter-toolkit, golang-github-xhit-str2duration, and golang-gopkg-alecthomas-kingpin-2), Oracle (dmidecode, frr, libwebp, open-vm-tools, and thunderbird), Red Hat (libwebp and open-vm-tools), SUSE (cups, frr, mariadb, openvswitch3, python39, qemu, redis7, rubygem-rails-html-sanitizer, and skopeo), and Ubuntu (bind9, cups, and libppd).

The 5.10.196 stable kernel has beenreleased. It fixes a single regression:

The LWN.net Weekly Edition for September 21, 2023 is available.

The "limited" C API for CPython extensions has been around for well over adecade at this point, but it has not seen much uptake. It is meant to giveextensions an API that will allow binaries built with it to be used formultiple versions of CPython, because those binaries will only access the stableABI that will not change when CPython does. Victor Stinner has beenworking on better definition for the API; as part of that work, he suggested that some of the C extensions in thestandard library start using it in an effort for CPython to "eat itsown dog food". The resulting discussion showed that there is still a fairamount of confusion about this API-and the thrust of Stinner's overall plan.

Security updates have been issued by Debian (frr and libyang), Fedora (golang-github-prometheus-exporter-toolkit, golang-github-xhit-str2duration, golang-gopkg-alecthomas-kingpin-2, libpano13, and open-vm-tools), Oracle (firefox, frr, and thunderbird), Red Hat (dmidecode, kernel, kernel-rt, kpatch-patch, libwebp: critical, linux-firmware, mariadb:10.3, ncurses, postgresql:15, and virt:rhel and virt-devel:rhel), Scientific Linux (firefox, open-vm-tools, and thunderbird), SUSE (binutils, bluez, chromium, curl, gcc7, go1.20, go1.21, grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python- cryptography-vectors, python-google-api-core, pyt, gstreamer-plugins-good, kernel, libcares2, libxml2, mdadm, mutt, and python-brotlipy), and Ubuntu (indent, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oem-6.0, linux-oem-6.1, and memcached).

JDK 21, the reference implementation of the Java 21 language specification,hasbeen released. "This release includes fifteen JEPs [1], includingthe final versions of Record Patterns (440), Pattern Matching for switch(441), and Virtual Threads (444)".

The6.5.4,6.1.54,5.15.132, and5.10.195stable kernel updates have been released; each contains a relatively largeset of important fixes.

The security of digital products has become a topic of regulationin recent years. Currently, the European Union is moving forwardwith another new law, which, if it comes into effect in a formclose to the current draft, will affect software developers worldwide.This new proposal, called the "CyberResilience Act" (CRA), brings mandatory security requirements on alldigital products, both softwareand hardware, that are available in Europe. While it aims at a worthy goal, theproposal is causing a stir among open-source communities.

The Free Software Foundation looksforward to the 40th anniversary of the GNU project, coming soon:

Security updates have been issued by Debian (chromium, flac, gnome-shell, libwebp, openjdk-11, and xrdp), Fedora (giflib), Oracle (kernel), Red Hat (busybox, dbus, firefox, frr, kpatch-patch, libwebp, open-vm-tools, and thunderbird), Slackware (netatalk), SUSE (flac, gcc12, kernel, libeconf, libwebp, libxml2, and thunderbird), and Ubuntu (binutils, c-ares, libraw, linux-intel-iotg, nodejs, python-django, and vsftpd).

Processes in a Linux system run within their own virtual address spaces.Their virtual addresses map to physical pages provided by the hardware, butthe kernel takes pains to hide the physical addresses of those pages;processes normally have no way of knowing (and no need to know) where theirmemory is located in physical memory. As a result, the system calls formemory management also deal in virtual addresses. Gregory Price iscurrently trying to create an exception to this rule with aproposal for a new system call that would operate on memory using physicaladdresses.

Security updates have been issued by Debian (firefox-esr, libwebp, and thunderbird), Fedora (chromium, curl, flac, libtommath, libwebp, matrix-synapse, python-matrix-common, redis, and rust-pythonize), Gentoo (binwalk, ghostscript, python-requests, rar, samba, and wireshark), Oracle (.NET 6.0, kernel, and kernel-container), Slackware (python3), and SUSE (firefox).

The 6.6-rc2 kernel prepatch is out fortesting.

The Debian project is mourning Abraham Raji, who died in an accident on September13.

Much of the kernel's performance is dependent on caching - keeping usefulinformation around for future use to avoid the cost of looking it up again.The kernel aggressively caches pages of file data, directory entries,inodes, slab objects, and much more. Without active measures, though,caches will tend to grow without bounds, leading to memory exhaustion. Thekernel's "shrinker" mechanism exists to be that active measure, butshrinkers have some performance difficulties of their own. Thispatch series from Qi Zheng seeks to address one of the worst of thoseby removing some locking overhead.

Security updates have been issued by Debian (c-ares and samba), Fedora (borgbackup, firefox, and libwebp), Oracle (.NET 6.0 and kernel), Slackware (libwebp), SUSE (chromium and firefox), and Ubuntu (atftp, dbus, gawk, libssh2, libwebp, modsecurity-apache, and mutt).

Version 16of the PostgreSQL database manager has been released.

The Software Freedom Conservancy(SFC) has announcedthe availability of videos from thefirst-ever Free and Open Source Yearly(FOSSY) conference, which was held in July in Portland, Oregon in the US.

The fstat()system call retrieves some of the metadata - owner, size, protections,timestamps, and so on - associated with an open file descriptor. One mightnot think of it as a performance-critical system call, but there areworkloads that make a lot of fstat() calls; it is not somethingthat should be slowed unnecessarily. As it turns out, though, the GNU CLibrary (glibc) has been doing exactly that, but a fix is in the works.