Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-22 22:45
McKenney: What Does It Mean To Be An RCU Implementation?
Paul McKenney looks at a couple of Rust crates in an attempt to determine whether they actually implement the read-copy-update algorithm; in the process, he gives an overview of the numerous RCU variants in the kernel.
Security updates for Thursday
Security updates have been issued by Debian (git), Fedora (libXpm and redis), Oracle (bind, firefox, grub2, java-1.8.0-openjdk, java-11-openjdk, kernel, libtasn1, libXpm, and sssd), Red Hat (thunderbird), SUSE (freeradius-server, kernel, libzypp-plugin-appdata, python-certifi, and xen), and Ubuntu (bind9, krb5, linux-raspi, linux-raspi-5.4, and privoxy).
[$] LWN.net Weekly Edition for January 26, 2023
The LWN.net Weekly Edition for January 26, 2023 is available.
[$] X clients and byte swapping
While there are still systems with both byte orders, little-endian has largely "won" the battle at this point since the vast majority of today's systems store data with the least-significant byte first (at the lowest address). But when the X11 protocol was developed in the 1980s, there were lots of systems of each byte order, so the X protocol allowed either order and the server (display side) would swap the bytes to its byte order as needed. Over time, the code for swapping data in the messages, which was written in a more-trusting era, has bit-rotted so that it is now a largely untested attack surface that is nearly always unused. Peter Hutterer has been doing some work to stop using that code by default, both in upstream X.org code and in downstream Fedora.
A pair of Free Software Foundation governance changes
The Free Software Foundation has announced a bylaw change requiring a 66% vote by the FSF board for any new or revised copyright licenses. The FSF has also announced an expansion of its board of directors and a call for nominations from among its associate members.
A history of the FFmpeg project
Kostya Shishkov has just posted the concluding installment of an extensive history of the FFmpeg project:
OpenSUSE Leap 15.3 has reached end of life
Users of the openSUSE Leap 15.3 distribution will want to be looking at moving on; support for that release has come to an end. "The currently maintained stable release is openSUSE Leap 15.4, which will be maintained until around end of 2023 (same lifetime as SLES 15 SP4 regular support)".
Security updates for Wednesday
Security updates have been issued by Debian (libde265, nodejs, and swift), Fedora (nautilus), Oracle (bash, bind, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, libreoffice, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, postgresql-jdbc, qemu, ruby:2.5, sqlite, sssd, sudo, and usbguard), Red Hat (bind, go-toolset-1.18, go-toolset:rhel8, kernel, kernel-rt, kpatch-patch, pcs, sssd, and virt:rhel, virt-devel:rhel), Scientific Linux (bind, java-1.8.0-openjdk, kernel, and sssd), SUSE (mozilla-nss, rubygem-websocket-extensions, rust1.65, rust1.66, and samba), and Ubuntu (mysql-5.7, mysql-5.7, mysql-8.0, pam, and samba).
[$] Python packaging, visions, and unification
The Python community is currently struggling with a longtime difficulty in its ecosystem: how to develop, package, distribute, and maintain libraries and applications. The current situation is sub-optimal in several dimensions due, at least in part, to the existence of multiple, non-interoperable mechanisms and tools to handle some of those needs. Last week, we had an overview of Python packaging as a prelude to starting to dig into the discussions. In this installment, we start to look at the kinds of problems that exist—and the barriers to solving them.
WINE 8.0 released
Version 8.0 of the WINE Windows compatibility layer has been released. The headline feature appears to be the conversion to PE ("portable executable") modules:
A security audit of Git
The Open Source Technology Improvement Fund has announced the completion of a security audit of the Git source.
Six stable kernel updates
The 6.1.8, 5.15.90, 5.10.165, 5.4.230, 4.19.271, and 4.14.304 stable kernel updates have all been released; each contains another set of important fixes.
Security updates for Tuesday
Security updates have been issued by Debian (kernel and spip), Fedora (kernel), Mageia (chromium-browser-stable, docker, firefox, jpegoptim, nautilus, net-snmp, phoronix-test-suite, php, php-smarty, samba, sdl2, sudo, tor, viewvc, vim, virtualbox, and x11-server), Red Hat (bash, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, pcs, postgresql-jdbc, sqlite, sssd, sudo, systemd, and usbguard), Scientific Linux (firefox, java-11-openjdk, and sudo), SUSE (freeradius-server, python-mechanize, and upx), and Ubuntu (exuberant-ctags, haproxy, ruby2.5, ruby3.0, and wheel).
[$] Hiding a process's executable from itself
Back in 2019, a high-profile container vulnerability led to the adoption of some complex workarounds and a frenzy of patching. The immediate problem was fixed, but the incident was severe enough that security-conscious developers have continued to look for ways to prevent similar vulnerabilities in the future. This patch set from Giuseppe Scrivano takes a rather simpler approach to the problem.
Zawinski: mozilla.org's 25th anniversary
Jamie Zawinski reminds us that the 25th anniversary of the Netscape open-source announcement — a crucial moment in free-software history — has just passed.
The return of the Linux Kernel Podcast
After a brief break of ... a dozen years or so ... Jon Masters has announced the return of his kernel podcast:
Security updates for Monday
Security updates have been issued by Debian (powerline-gitstatus, tiff, and trafficserver), Fedora (dotnet6.0, firefox, git, kernel, libXpm, rust, sudo, upx, and yarnpkg), Mageia (kernel and kernel-linus), Red Hat (firefox, java-11-openjdk, and sudo), Slackware (mozilla and seamonkey), SUSE (cacti, cacti-spine, samba, and tor), and Ubuntu (firefox, php7.2, php7.4, php8.1, and python-setuptools, setuptools).
Kernel prepatch 6.2-rc5
The 6.2-rc5 kernel prepatch is out.
Security updates for Friday
Security updates have been issued by Debian (lava and libitext5-java), Oracle (java-11-openjdk, java-17-openjdk, and libreoffice), SUSE (firefox, git, mozilla-nss, postgresql-jdbc, and sudo), and Ubuntu (git, linux-aws-5.4, linux-gkeop, linux-hwe-5.4, linux-oracle, linux-snapdragon, linux-azure, linux-gkeop, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, and linux-bluefield).
Exploiting null-dereferences in the Linux kernel (Project Zero)
The Google Project Zero page shows how to compromise the kernel by using a NULL pointer to repeatedly force an oops and overflow a reference count.
[$] Kernel code on the chopping block
Code that is added to the kernel can stay there for a long time; there is code in current kernels that has been present for over 30 years. Nothing is forever, though. The kernel development community is currently discussing the removal of two architectures and one filesystem, all of which seem to have mostly fallen out of use. But, as we will see, removal of code from the kernel is not easy and is subject to reconsideration even after it happens.
Pandoc 3.0 released
Version 3.0 of the Pandoc document-conversion tool has been released; the list of new features is quite long, including "chunked" HTML output, support for complex figures, and much more.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr, libitext5-java, sudo, and webkit2gtk), Fedora (firefox and qemu), Red Hat (java-11-openjdk and java-17-openjdk), Slackware (sudo), SUSE (sudo), and Ubuntu (python-urllib3 and sudo).
[$] LWN.net Weekly Edition for January 19, 2023
The LWN.net Weekly Edition for January 19, 2023 is available.
[$] Changing Fedora's shutdown timeouts
On today's Fedora systems, a reboot cycle—for a kernel update, say—is normally a fairly quick affair, but that is not always true. The system will wait for services to shut down cleanly and will wait for up to two minutes before killing a service and moving on. A recent proposal to change the default timeout to 15 seconds, while still allowing some services to require more time, ran into more opposition than was perhaps anticipated. Not everyone was comfortable shortening the timeout period, though the decision has now been made to reduce it, but not as far as was proposed.
Six stable kernel updates
The 6.1.7, 5.15.89, 5.10.164, 5.4.229, 4.19.270, and 4.14.303 stable kernels have all been released; each contains another big set of important fixes.
Security updates for Wednesday
Security updates have been issued by Fedora (awstats), Oracle (dpdk, libxml2, postgresql:10, systemd, and virt:ol and virt-devel:rhel), Red Hat (kernel), Slackware (git, httpd, libXpm, and mozilla), SUSE (libzypp-plugin-appdata), and Ubuntu (git, libxpm, linux-ibm-5.4, linux-oem-5.14, and ruby2.3).
[$] A survey of the Python packaging landscape
Over the past several months, there have been wide-ranging discussions in the Python community about difficulties users have with installing packages for the language. There is a bewildering array of options for package-installation tools and Python distributions focused on particular use cases (e.g. scientific computing); many of those options do not interoperate well—or at all—so they step on each others' toes. The discussions have focused on where solutions might be found to make it easier on users, but lots of history and entrenched use cases need to be overcome in order to get there—or even to make progress in that direction.
Git 2.39.1 (and more) released
Git 2.39.1 has been released with a set of security fixes; there are also updated versions of many older Git releases available. A pair of integer overflow vulnerabilities can lead to code execution in some scenarios; see the announcement and this GitHub blog entry for more information.
Firefox 109 released
Version 109.0 of the Firefox browser has been released. The headline feature this time is the enabling of Manifest Version 3 support — a new extension mechanism that, among other things, gives a higher degree of control over what extensions can do.
Security updates for Tuesday
Security updates have been issued by Debian (tor) and SUSE (python-setuptools, python36-setuptools, and tor).
[$] Fedora's tempest in a stack frame
It is rare to see an extensive and unhappy discussion over the selection of compiler options used to build a distribution, but it does happen. A case in point is the debate over whether Fedora should be built with frame pointers or not. It comes down to a tradeoff between a performance loss on current systems and hopes for gains that exceed that loss in the future — and some disagreements over how these decisions should be made within the Fedora community.
Täht: Flaws and features in the Flent network testing tool
Dave Täht describes the Flent network-testing tool and its use in great detail.
Security updates for Monday
Security updates have been issued by Debian (chromium, lava, libapreq2, net-snmp, node-minimatch, and openvswitch), Fedora (jpegoptim, kernel, kernel-headers, kernel-tools, and python2.7), Mageia (ctags, ffmpeg, minetest, python-gitpython, w3m, and xrdp), Oracle (kernel), Red Hat (dpdk and libxml2), Slackware (netatalk), SUSE (apptainer, chromium, libheimdal, python-wheel, python310-setuptools, and SDL2), and Ubuntu (linux-aws, linux-gcp-4.15, maven, and net-snmp).
Kernel prepatch 6.2-rc4
The fourth 6.2 kernel prepatch is out for testing.
2023 in preview (Libre Arts)
Libre Arts looks forward to progress in a long list of creative-art projects this year.
Three more stable kernels
The 6.1.6, 5.15.88, and 5.10.163 stable kernel updates have been released; each contains another set of important fixes.
[$] Support for Intel's LASS
Speculative-execution vulnerabilities come about when the CPU, while executing speculatively, is able to access memory that would otherwise be denied to it. Most of these vulnerabilities would go away if the CPU were always constrained by the established memory protections. An obvious way to fix these problems would be to make CPUs behave that way, but doing that without destroying performance is not an easy task. So, instead, Intel has developed a feature called "linear address-space separation" (LASS) to paper over parts of the problem; Yian Chen has posted a patch set adding support for this feature.
Security updates for Friday
Security updates have been issued by Fedora (cacti, cacti-spine, mbedtls, postgresql-jdbc, and rust), Oracle (.NET 6.0, dbus, expat, grub2, kernel, kernel-container, libtasn1, libtiff, sqlite, and usbguard), Red Hat (rh-postgresql10-postgresql), SUSE (php7), and Ubuntu (heimdal, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi,, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-5.4, linux-hwe, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4,, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim).
Rust to be allowed for Chromium development
The Chromium browser project has announced that it will be integrating support for third-party libraries written in Rust.
[$] Six years with the 4.9 kernel
The release of the 4.9.337 stable kernel update on January 7 marked the end of an era: after just over six years of maintenance, the 4.9.x series will receive no more updates. This kernel saw a lot of change after Linus Torvalds made the "final" release and left the building; it's time for a look at the "stable" portion of this kernel's life to see what can be learned.
Three new stable kernels
Greg Kroah-Hartman has announced the release of the 6.1.5, 6.0.19, and 5.15.87 stable kernels. As usual, they contain lots of important fixes all over the kernel tree; users should upgrade. This is also the last release in the 6.0.y kernel series: "All users must move to the 6.1.y branch at this point in time, as this branch is now end-of-life."
Security updates for Thursday
Security updates have been issued by Debian (emacs, libxstream-java, and netty), Fedora (mingw-binutils, pgadmin4, phoronix-test-suite, vim, and yarnpkg), Red Hat (.NET 6.0, dbus, expat, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, postgresql:10, sqlite, systemd, usbguard, and virt:rhel and virt-devel:rhel), and SUSE (net-snmp, openstack-barbican, openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, openstack-neutron-gbp, php7, php74, php8, python-future, python3, samba, SDL2, and w3m).
[$] LWN.net Weekly Edition for January 12, 2023
The LWN.net Weekly Edition for January 12, 2023 is available.
[$] PyTorch and the PyPI supply chain
The PyTorch compromise that happened right at the end of 2022 was rather ugly, but its impact was not widespread—seemingly, at least. The incident does highlight some of the perils of relying on an external "supply chain" for the components that are used to build one's software. It also would appear to be another case of "security researchers" run amok, though perhaps that part of the story is only meant to cover the tracks—or ass—of the perpetrator.
Discourse 3.0 released
Version 3.0 of the Discourse forum platform is out.
Security updates for Wednesday
Security updates have been issued by Debian (exiv2, hsqldb, libjettison-java, ruby-sinatra, and viewvc), Fedora (golang-github-docker, mbedtls, and vim), Gentoo (alpine, commons-text, jupyter_core, liblouis, mbedtls, ntfs3g, protobuf-java, scikit-learn, and twisted), Red Hat (kernel and kpatch-patch), SUSE (rubygem-activerecord-5.2, tiff, and webkit2gtk3), and Ubuntu (dotnet6, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-oracle, linux-ibm, and linux-oem-5.17, linux-oem-6.0).
[$] Formalizing f-strings
Python's formatted strings, or "f-strings", came relatively late to the language, but have become a popular feature. F-strings allow a compact representation for the common task of interpolating program data into strings, often in order to output them in some fashion. Some restrictions were placed on f-strings to simplify the implementation of them, but those restrictions are not really needed anymore and, in fact, are complicating the CPython parser. That has led to a Python Enhancement Proposal (PEP) to formalize the syntax of f-strings for the benefit of Python users while simplifying the maintenance of the interpreter itself.
PEP 703: Making the Python global interpreter lock optional
In late 2021, LWN covered a plan to eliminate the Python global interpreter lock (GIL), thus improving the language's thread-level concurrency. This plan has now been codified as PEP 703, which includes an extensive discussion of the changes that would be made.
Security updates for Tuesday
Security updates have been issued by Debian (libtasn1-6), Fedora (nautilus), Oracle (kernel, kernel-container, nodejs:14, tigervnc, and xorg-x11-server), Red Hat (grub2, nodejs:14, tigervnc, and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), SUSE (systemd), and Ubuntu (firefox, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure, w3m, and webkit2gtk).