Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-23 02:15
Security updates for Tuesday
Security updates have been issued by Debian (libtasn1-6), Fedora (nautilus), Oracle (kernel, kernel-container, nodejs:14, tigervnc, and xorg-x11-server), Red Hat (grub2, nodejs:14, tigervnc, and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), SUSE (systemd), and Ubuntu (firefox, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure, w3m, and webkit2gtk).
[$] Memory-management short topics: page-table sharing and working sets
The kernel's memory-management developers have been busy before and during the holidays; the result is a number of patch sets making significant changes to that subsystem. It is time for a quick look at three of those projects. Two of them aim to increase the sharing of page tables between processes, while the third takes advantage of the multi-generational LRU to create a better picture of what a process's working set actually is.
Security updates for Monday
Security updates have been issued by Fedora (python2.7), SUSE (ca-certificates-mozilla, libksba, and ovmf), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lowlatency, linux-raspi, linux, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and linux-aws).
Kernel prepatch 6.2-rc3
Linus has released 6.2-rc3 for testing. "Here we are, another week done, and things are starting to look a lot more normal after that very quiet holiday week that made rc2 so very small".
Three stable kernels; 4.9 at an end
The 6.1.4, 6.0.18, and 4.9.337 stable kernel updates have been released; each contains another set of important fixes. Greg Kroah-Hartman has also let it be known that 4.9.337 is the end of the line for the 4.9 kernel, which was released just over six years ago. "This kernel is now END-OF-LIFE and you should move to 4.14.y at the least, 6.1.y is the better option."
[$] A vDSO implementation of getrandom()
Most developers probably do not see the generation of random numbers as being a performance bottleneck for their programs, but there are seemingly exceptions. Over the last few years, Jason Donenfeld has brought a new level of energy to the development of the kernel's random-number generator; he is now directing his efforts toward improving performance for user space with this patch series that provides an implementation of the getrandom() system call in the kernel's "virtual dynamic shared object" (vDSO) area. The result is, indeed, better performance, but not all developers see this benefit as being worth the additional complexity required to achieve it.
Security updates for Friday
Security updates have been issued by Debian (libetpan and smarty3), SUSE (libksba, rpmlint-mini, tcl, and xrdp), and Ubuntu (curl, firefox, and linux-oem-5.14).
Hutterer: X servers no longer allow byte-swapped clients
Peter Hutterer writes about the disabling of support for byte-swapped clients in the X.org server and the reasons why this was done.
[$] Per-extent encrypted keys for fscrypt
The kernel's fscrypt subsystem enables filesystems to store files and directories in encrypted form, protecting them against offline attacks. A few filesystems support encryption with fscrypt currently, but Btrfs is an exception, despite a number of attempts to add this feature. The problem is that, as so often seems to be the case, Btrfs works differently and does not fit well with one of the key assumptions in the design of fscrypt. With this patch series, Sweet Tea Dorminy is working to enhance fscrypt to be a better fit for filesystems like Btrfs.
Security updates for Thursday
Security updates have been issued by Fedora (binwalk), Oracle (kernel and webkit2gtk3), Red Hat (webkit2gtk3), Slackware (vim), and Ubuntu (libksba and nautilus).
[$] LWN.net Weekly Edition for January 5, 2023
The LWN.net Weekly Edition for January 5, 2023 is available.
[$] Adding system calls for Linux security modules
The Linux security module (LSM) subsystem has long had limitations on which modules could be combined in a given running kernel. Some parts of the problem have been solved over the years—"smaller" LSMs can be combined at will with a single, more complex LSM—but combining (or "stacking") SELinux with, say, Smack or AppArmor has never been possible. Back in October, we looked at the most recent attempt to add that ability, which resulted in patches to add two new system calls for LSM. By the end of December, the number of new system calls had risen to three.
Yet another three stable kernel updates
The 6.1.3, 6.0.17, and 5.10.162 stable kernel updates have been released. Each contains a moderate set of important fixes.
Security updates for Wednesday
Security updates have been issued by Fedora (xorg-x11-server-Xwayland), Red Hat (webkit2gtk3), SUSE (rmt-server), and Ubuntu (freeradius).
[$] Supporting unified kernel images for Fedora
The Fedora community is currently discussing a proposal to start supporting a unified kernel image (UKI) for the distribution; these images would combine several pieces that are generally separate today (e.g. initrd, kernel, and kernel command line). There are a number of advantages to such a kernel image, at least for some kinds of systems, but there is worry from some about where the endpoint of this work lies. There is a need to ensure that Fedora can still boot non-unified, perhaps locally built, kernels and can support other use cases that unification might preclude.
Security updates for Tuesday
Security updates have been issued by Oracle (bcel), SUSE (ca-certificates-mozilla, glibc, minetest, multimon-ng, nautilus, ovmf, python-Django, samba, saphanabootstrap-formula, and xrdp), and Ubuntu (usbredir).
[$] Welcome to 2023
Yet another new year is upon us, and that can only mean one thing: the time has come for your editor to look into his crystal ball and make some predictions for what 2023 will hold. Said crystal ball is known to suffer from speculative-execution problems and parity errors, but it's the best that LWN's budget will afford. Read on for a highly unreliable look at what's to come.
20 Years of DistroWatch
DistroWatch Weekly celebrates its 1000th issue and 20 years of publication.
Nightly PyTorch builds compromised
Anybody who installed a nightly release from the PyTorch machine-learning library between December 25 and 30 will want to uninstall it immediately:
Security updates for Monday
Security updates have been issued by Debian (cacti, emacs, exuberant-ctags, libjettison-java, mplayer, node-loader-utils, node-xmldom, openvswitch, ruby-image-processing, webkit2gtk, wpewebkit, and xorg-server), Fedora (OpenImageIO, systemd, w3m, and webkit2gtk3), Mageia (curl, freeradius, libksba, libtar, python-ujson, sogo, thunderbird, and webkit2), Red Hat (bcel), and SUSE (ffmpeg, ffmpeg-4, mbedtls, opera, saphanabootstrap-formula, sbd, vlc, and webkit2gtk3).
Kernel prepatch 6.2-rc2
The second 6.2 kernel prepatch is out for testing — but there isn't a lot there.
Vanilla OS 22.10 released
Vanilla OS is a new, Ubuntu-based distribution with an immutable(ish) core and a focus on containers. Version 22.10, the first stable release, is out.
LineageOS 20 released
Version 20 of the Android-based LineageOS distribution has been released.
Three stable kernel updates
The 6.1.2, 6.0.16, and 5.15.86 stable kernel updates have been released. As is typical for the first post-rc1 updates, each of these contains a huge number of important fixes.
Security updates for Friday
Security updates have been issued by Debian (libcommons-net-java), Fedora (python3.6), and SUSE (conmon, polkit-default-privs, thunderbird, and webkit2gtk3).
Security updates for Thursday
Security updates have been issued by Debian (multipath-tools), Fedora (containerd and trafficserver), Gentoo (libksba and openssh), and SUSE (webkit2gtk3).
Security updates for Wednesday
Security updates have been issued by Fedora (curl) and SUSE (curl, freeradius-server, sqlite3, systemd, and vim).
[$] The rest of the 6.2 merge window
The world got a special Christmas present from Linus Torvalds this year in the form of the 6.2-rc1 kernel prepatch. By the time the merge window closed, 13,687 non-merge changesets had been pulled into the mainline for the 6.2 release. This was the busiest merge window since 5.13 (which brought in 14.231 changesets) in mid-2021, and quite a bit busier than 6.1 was — but comparable to the late 5.x releases. Just under 4,000 of those changesets were pulled after the first-half summary was written; there were quite a few significant changes to be found in those late-arriving patches.
Security updates for Tuesday
Security updates have been issued by Debian (gerbv), Fedora (webkitgtk), and SUSE (ca-certificates-mozilla, freeradius-server, multimon-ng, vim, and vlc).
Security updates for Monday
Security updates have been issued by Debian (kernel, libksba, and mbedtls), Fedora (containerd, curl, firefox, kernel, mod_auth_openidc, and xorg-x11-server), and Mageia (chromium-browser-stable).
Kernel prepatch 6.2-rc1
Linus has released 6.2-rc1 and closed the merge window for this release. "So it's Christmas Day here, but it's also Sunday afternoon two weeks after the 6.2 merge window opened. So holidays or not, the kernel development show must go on."
[$] SLOB nears the end of the road
The kernel project tries hard to avoid duplicating functionality within its code base; whenever possible, a single subsystem is made to serve all use cases. There is one notable exception to this rule, though: there are three object-level memory allocators ("slab allocators") in the kernel. The desire to reduce the count has been growing stronger over the years, and some steps have been taken in 6.2 to eliminate the least-loved allocator — SLOB — in the relatively near future.
Security updates for Friday
Security updates have been issued by Debian (node-hawk and node-trim-newlines), Fedora (insight, ntfs-3g, and suricata), and SUSE (conmon, helm, kernel, and mbedtls).
Intel posts a new "Xe" graphics driver
Intel's graphical processors have been well supported in the mainline for years, but it seems that the i915 driver may be approaching the end of its development life. Matthew Brost has just posted a new driver called "Xe" that looks to be (eventually) a replacement for i915:
[$] Not coalescing around None-aware
The wish for a "None-aware" operator (or operators) is longstanding within the Python community. While there is fairly widespread interest in more easily handling situations where a value needs to be tested for being None before being further processed, there is much less agreement on how to "spell" such an operator (or construct) and on whether the language truly needs it. But the idea never seems to go away, with long discussions erupting every year or two—and no resolution really in sight.
Darktable 4.2.0 released
Version 4.2.0 of the Darktable raw photo editor is out. New features include a new display transform module, a pair of new highlight-reconstruction algorithms, and more; see the announcement and this Libre Arts article for more.
Ryabitsev: Sending a kernel patch with b4 (part 1)
Konstantin Ryabitsev has put up a blog entry showing how to use b4 to submit kernel patches without (directly) using email.
Second Prototype Advances ALP (openSUSE News)
The openSUSE News site covers some highlights from the second prototype release of the upcoming SUSE "ALP" distribution.
Security updates for Thursday
Security updates have been issued by Debian (libksba and linux-5.10), Slackware (mozilla), and SUSE (curl, java-1_8_0-ibm, and sqlite3).
[$] LWN.net Weekly Edition for December 22, 2022
The LWN.net Weekly Edition for December 22, 2022 is available.
[$] Wrapping up 2022
Yet another year is coming to a close; that can only mean that the time has come to indulge in a longstanding LWN tradition: looking back at the predictions we made in January and giving them the mocking that they richly deserve. Read on to see how those predictions went, what was missed, and a look back at the year in general.
Huang: Towards a More Open Secure Element Chip
Andrew 'bunnie' Huang writes about his work with Cramium to bring more openness to secure element chips:
Four more stable kernel updates
The 6.1.1, 6.0.15, 5.15.85, and 5.10.161 stable kernel updates have been released. Each contains a relatively small set of important fixes.
Security updates for Wednesday
Security updates have been issued by Debian (xorg-server), Fedora (samba, snakeyaml, thunderbird, xorg-x11-server, and xrdp), Slackware (libksba and sdl), and SUSE (cni, cni-plugins, java-1_7_1-ibm, kernel, openssl-3, and supportutils).
[$] Beyond microblogging with ActivityPub
ActivityPub-enabled microblogs are gaining popularity as a replacement for Twitter, but ActivityPub is for more than just microblogging. Many other popular services also have open-source alternatives that speak ActivityPub. Proprietary services operated by commercial interests usually deliberately limit interoperability, but users of any ActivityPub-enabled service should be able to communicate with each other, even if they are using different services. This promise of interoperability is often limited in practice, though; while ActivityPub specifies how multiple types of content can be published, the kinds of content that can be displayed or interacted with vary from project to project.
GnuPG 2.4.0 released
Version 2.4.0 of the GNU Privacy Guard has been released. "Exactly 25 years ago the very first release of GnuPG was published. We are pleased to take this opportunity to announce the availability of a new stable GnuPG release: version 2.4.0." Changes in this release include full support for the key database daemon, some performance improvements, a change to AES256 as the default cipher, and much more.
Security updates for Tuesday
Security updates have been issued by Fedora (mujs) and SUSE (kernel and thunderbird).
Linux Mint 21.1 ("Vera") released
Linux Mint has announced the release of version 21.1 of the distribution in three editions: Cinnamon (what's new), MATE (what's new), and Xfce (what's new). Mint 21.1 is based on Ubuntu 22.04 and uses kernel version 5.15.
[$] Enabling non-executable memfds
The memfd interface is a bit of a strange and Linux-specific beast; it was initially created to support the secure passing of data between cooperating processes on a single system. It has since gained other roles, but it may still come as a surprise to some to learn that memory regions created for memfds, unlike almost any other data area, have the execute permission bit set. That can facilitate attacks; this patch set from Jeff Xu proposes an addition to the memfd API to close that hole.
Stable kernels 6.0.14, 5.15.84, 5.10.160, and 5.4.228
Greg Kroah-Hartman has announced the release of the 6.0.14, 5.15.84, 5.10.160, and 5.4.228 stable kernels. They contain a relatively small number of important fixes throughout the tree.