LWN.net

The GitHub blog has adetailed look at garbage collection in Git and the work that has beendone to make it faster.

Version15 of the Unicode standard has been released.

Typically, an urgent security release of a project is not for atwo-year-old CVE, but such is the case for a recentPython release of four versions of the language. The bug is adenial of service (DoS) that can be caused by converting enormous numbers tostrings—or vice versa—but it was not deemed serious enough to fixwhen it was first reported. Evidently more recent reports, including a remote exploit of thebug, have raised its importance—causing a rushed-out fix. But thefix breaks some existing Python code, and the process of handling theincident has left something to be desired, leading the project to look atways to improve its processes.

Security updates have been issued by CentOS (open-vm-tools), Debian (freecad and sqlite3), Fedora (qt5-qtwebengine and vim), SUSE (firefox, kernel, libzapojit, perl, postgresql14, and samba), and Ubuntu (dotnet6, dpdk, gdk-pixbuf, rust-regex, and systemd).

Security updates have been issued by Debian (connman and python-oslo.utils), Fedora (libapreq2), Red Hat (booth, gnupg2, kernel, kernel-rt, mariadb:10.3, nodejs:14, nodejs:16, python3, ruby:2.7, and ruby:3.0), SUSE (chromium, opera, python2-numpy, and rubygem-kramdown), and Ubuntu (poppler).

Security updates have been issued by Debian (gdk-pixbuf, libxslt, linux-5.10, paramiko, and zlib), Fedora (webkit2gtk3), Mageia (gstreamer1.0-plugins-good, jupyter-notebook, kernel, and rpm), Slackware (vim), SUSE (bluez, clamav, freetype2, frr, gdk-pixbuf, keepalived, libyang, nodejs16, python-PyYAML, qpdf, samba, and vim), and Ubuntu (linux-azure-fde and tiff).

Linus has released 6.0-rc5 for testing."Nothing looks particularly scary, so jump right in".

While the Rust language has appeal for kernel development, many developers areconcerned by the fact that there is only one compiler available; there aremany reasons why a second implementation would be desirable. At the 2022Kangrejos gathering, three developersdescribed projects to build Rust programs with GCC in two different ways. A fully featured, GCC-based Rustimplementation is still going to take some time, but rapid progress isbeing made.

Security updates have been issued by Fedora (mediawiki), SUSE (libEMF, libnl-1_1, libnl3, mariadb, nodejs16, php8-pear, postgresql12, and rubygem-rake), and Ubuntu (linux-raspi, linux-raspi-5.4, and tiff).

Greg Kroah-Hartman has announced the release of the 5.19.8, 5.15.66, and 5.10.142. As usual, those contain importantfixes throughout the kernel tree. Immediately thereafter, he released5.15.67 to fix a permissions problem on akernel build script.

Huge pages are a mechanism implemented by the CPU that allows the managementof memory in larger chunks. Use of huge pages can increase performancesignificantly, which is why the kernel has a "transparent huge page"mechanism to try to create them when possible. But a huge page will onlybe helpful if most of the memory contained within it is actually in use;otherwise it is just an expensive waste of memory. This patchset from Alexander Zhu implements a mechanism to detect underutilizedhuge pages and recover that wasted memory for other uses.

Security updates have been issued by Debian (libgoogle-gson-java), Fedora (autotrace, insight, and open-vm-tools), Oracle (open-vm-tools), Red Hat (open-vm-tools, openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, ovirt-host, and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), Scientific Linux (open-vm-tools), Slackware (python3), SUSE (clamav, gdk-pixbuf, gpg2, icu, ImageMagick, java-1_8_0-ibm, libyajl, mariadb, udisks2, webkit2gtk3, and yast2-samba-provision), and Ubuntu (dnsmasq).

The LWN.net Weekly Edition for September 8, 2022 is available.

Starting a Python application typically results in a flurry of imports asmodules from various locations (and the modules they import) get addedinto the application process. All of that occurs before the applicationeven gets started doing whatever it is the user actually launched it for;that delay can be significant—and annoying. Beyond that, many of thoseimports may not be necessary at all for the code path being followed, soeagerly doing the import is purely wasted time. A proposal back in Maywould add a way for applications to choose lazy imports, where the importis deferred until the module is actually used.

Security updates have been issued by Fedora (curl, protobuf-c, and vim) and SUSE (gimp, java-1_8_0-openj9, libostree, openvswitch, python-bottle, python-Flask-Security-Too, and zabbix).

Linux Mint 21 "Vanessa" was releasedon July 31. There are no real headline-grabbing features that comewith the new release, as the project generally seeks to make incrementalchanges, rather than larger, potentially disruptive ones.Changes in this release include a new Bluetooth manager that brings severalimprovements, driverless printing and scanningby default, a process monitor to inform the userabout resource-intensive background tasks, new functionality for theTimeshift system backup tool, and several major under-the-hood improvementsto the Cinnamon desktop environment.

Version 5.2.0 of the GNU Awk implementation is out. The biggest change,perhaps, is the addition of "persistent memory" support that allows gawk tokeep values around between runs. Old-timers will be disappointed bythe removal of VAX/VMS support.

Security updates have been issued by Red Hat (pcs), SUSE (389-ds and firefox), and Ubuntu (linux-hwe-5.4 and linux-oracle).

Version22.03.0 of the OpenWrt distribution for routers (and beyond) has beenreleased. "It incorporates over 3800 commits since branching theprevious OpenWrt 21.02 release and has been under development for about oneyear". Changes include a new firewall implementation using nftables,year-2038 readiness, dark mode in the LuCI web-based administration tool,and support for many more devices.

The kernel is, in many ways, a marvel of scalability, but there is alongstanding pain point in the memory-management subsystem that hasresisted all attempts at elimination: the mmap_lock. This lockwas inevitably a topic at the 2022 LinuxStorage, Filesystem, Memory-Management and BPF Summit (LSFMM), where the idea ofusing per-VMA locks was raised. Suren Baghdasaryan has postedan implementation of that idea — but with an interesting twist on howthose locks are implemented.

Monday's crop of stable kernels consists of 5.19.7, 5.15.65, 5.10.141, 5.4.212, 4.19.257, 4.14.292, and 4.9.327. They are relatively small updates,but still contain important fixes in various parts of the kernel tree;users of those series should upgrade.

Security updates have been issued by Debian (flac, ghostscript, libmodbus, qemu, rails, ruby-rack, and thunderbird), Fedora (kernel, kernel-headers, kernel-tools, libtar, qt5-qtwebengine, subscription-manager-cockpit, tcpreplay, and vim), Mageia (chromium-browser-stable, webkit2, and ytnef), SUSE (curl, firefox, freerdp, gdk-pixbuf, ImageMagick, json-c, libgda, php-composer2, and python-pyxdg), and Ubuntu (libzstd, linux-aws, linux-aws-5.4, linux-azure-5.4, and linux-oem-5.17).

The 6.0-rc4 kernel prepatch is out fortesting. "We're up to rc4, and things mostly still look fairlynormal".Beyond the usual fixes, 6.0-rc4 includes one feature change: a hook to allowsecurity modules to control access to the io_uring command pass-throughmechanism. See this article for thebackground behind this late-arriving change.

Peter Eckersley, one of the original founders of the Let's Encrypt non-profit TLS certificate authority, has died suddenly, as reported by Seth Schoen:

Arti is a reimplementation of the Tor server in Rust; version 1.0.0 hasjust been released and proclaimed ready for production use.

The kernel's manualpages are in a bit of an interesting position. They are managed as a separate project, distinct from the kernel'sdocumentation, and have the task of documenting both the kernel'ssystem-call interface and the wrappers for that interface provided by the Clibrary. Sometimes the two objectives come into conflict, as can be seenin a discussion that has been playing out over the course of the last yearon whether to use C standard type names to describe kernel-definedstructures.

Security updates have been issued by CentOS (firefox, rsync, systemd, and thunderbird), Debian (chromium, dpdk, and sofia-sip), Fedora (kernel, thunderbird, and zlib), Red Hat (pcs and rh-mariadb103-galera and rh-mariadb103-mariadb), Slackware (poppler), SUSE (cifs-utils, curl, dwarves and elfutils, firefox, flatpak, gnutls, gpg2, harfbuzz, ignition, kernel, ldb, samba, libslirp, libsolv, libzypp, zypper, libtirpc, logrotate, mozilla-nss, ncurses, open-vm-tools, openssl-1_1, p11-kit, pcre, pcre2, podman, postgresql12, postgresql13, postgresql14, python-M2Crypto, python3, rsync, salt, spice, systemd-presets-common-SUSE, tiff, ucode-intel, xen, and zlib), and Ubuntu (curl, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-snapdragon, linux-aws, linux-azure, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux-aws-hwe).

Kernel code can, at times, be quite inward looking; it often refers toitself. To enable this introspection, the kernel has evolved severalmechanisms for identifying specific locations in the code and carrying outactions related to those locations. The code-taggingframework patch set, posted by Suren Baghdasaryan and Kent Overstreet,is an attempt to replace various ad hoc implementations with asingle framework, and to add some new applications as well.

Security updates have been issued by Fedora (pdns-recursor, thunderbird, and vim), Gentoo (firefox, thunderbird-bin, virtualbox, and webkit-gtk), Red Hat (convert2rhel), SUSE (gstreamer-plugins-good, open-vm-tools, postgresql12, rsync, and ucode-intel), and Ubuntu (linux-azure, linux-gcp, linux-hwe).

The LWN.net Weekly Edition for September 1, 2022 is available.

A fairly lengthy discussion of whether there should be a way tobreak out of (or continue) more than one level of nested loops in Python recentlytook place in the Ideascategory of the language's discussion forum. The idea isattractive, at least in an abstract sense—some other languages supportjumping out of multiple loops at once—but it seems unlikely to go anywhere for Python.The barrier to new features is fairly high, for sure, but there is also aneed for proponents to provide real-world examples that demonstrate theiradvantages. That, too, is a difficult bar to clear, as was seen in thediscussion.

The5.19.6,5.15.64, and5.10.140stable kernel updates have been released; each contains another set ofimportant fixes, as usual.

The GitHub blog series on how the Git database works continues with thislook at file-history queries.

Security updates have been issued by Debian (dpdk, net-snmp, php-horde-mime-viewer, php-horde-turba, and webkit2gtk), Fedora (rsync), Oracle (openssl and systemd), Red Hat (booth, kernel, kernel-rt, and openssl), Slackware (vim), SUSE (bluez, java-1_8_0-ibm, postgresql10, and zlib), and Ubuntu (kernel, linux, linux-raspi, linux-aws, and linux-oem-5.14).

Dealing with the non-free firmware that is increasingly needed to installDebian has been a hot topic for thedistribution over the past few months. The problem goes back further still, of course, but Steve McIntyre re-raised the issue in April, which resulted in a predictable lengthy discussionthread on the debian-devel mailing list. Now McIntyre has proposed ageneral resolution (GR) with the intent of resolving how to give users a way toinstall the distribution on their hardware while trying to avoid tramplingon the "100% free" guarantee in the Debian SocialContract. Finding the right balance is going to be tricky as is shownby the multiple GR options that have been proposed in the discussion.

Sourceware.org has long hosted therepositories for many important free-software projects, including much ofthe GNU toolchain. Frank Ch. Eigler has postedabout some changes coming to Sourceware:

The GitHub blog has posted adetailed look at how Git stores the commit history to be able toquickly answer queries.

Security updates have been issued by Debian (thunderbird), Fedora (ctk, dcmtk, OpenImageIO, and varnish-modules), Red Hat (systemd), SUSE (libslirp, open-vm-tools, and opera), and Ubuntu (jupyter-notebook, libsdl1.2, and systemd).

Greg Kroah-Hartman has released the 5.19.5and 5.10.139 stable kernels to fix a problemstemming from an incorrect merge of a patchto the dummy-tools used for building kernels.

Security updates have been issued by Debian (curl, exim4, maven-shared-utils, ndpi, puma, webkit2gtk, and wpewebkit), Fedora (dotnet3.1, firefox, and webkit2gtk3), Mageia (clamav, mariadb, net-snmp, postgresql, python-ldap, and thunderbird), SUSE (freeciv, gnutls, keepalived, libyang, nim, python-Django, and varnish), and Ubuntu (schroot).

The 6.0-rc3 kernel prepatch is out fortesting.

Filesystems maintain a lot of metadata about the files they hold; most ofthis metadata is for consumption by user space. Some metadata, though,stays buried within the filesystem and is not visible outside of thekernel. One such piece of metadata is the file version count, known as i_version.Current efforts to change how i_version is managed — and to makeit visible to user space — have engendered a debate on whati_version actually means and what its behavior should be.

Security updates have been issued by Debian (zlib), Fedora (dotnet3.1, firefox, java-1.8.0-openjdk-aarch32, thunderbird, and zlib), Mageia (canna, chromium-browser-stable, dovecot, firefox/nss, freeciv, freetype2, gnutls, kernel, kernel-linus, kicad, ldb/samba/sssd, libgsasl, microcode, nodejs, rsync, thunderbird, and unbound), Oracle (php:7.4 and systemd), Scientific Linux (firefox, rsync, systemd, and thunderbird), Slackware (vim), and SUSE (bluez, gstreamer-plugins-good, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libcroco, postgresql10, postgresql13, python-lxml, and webkit2gtk3).

With all of the complex problems that must be solved in the kernel, onemight think that copying a string would draw little attention. Even withthe hazards that C strings present, simply moving some bytes should not beall that hard. But string-copy functions have been a frequent subject ofdebate over the years, with different variants being in fashion at times.Now it seems that the BSD-derived strlcpy() functionmay finally be on its way out of the kernel.

Greg Kroah-Hartman has released the 5.19.4,5.15.63, 5.10.138, 5.4.211, 4.19.256, 4.14.291, and 4.9.326 stable kernels. They all containimportant fixes throughout the kernel tree; users should upgrade.

Security updates have been issued by Debian (firefox-esr, libxslt, and open-vm-tools), Fedora (dotnet6.0 and firefox), Oracle (curl, firefox, rsync, and thunderbird), Red Hat (curl, firefox, php:7.4, rsync, systemd, and thunderbird), SUSE (bluez, chromium, freerdp, glibc, gnutls, kernel, postgresql10, raptor, rubygem-rails-html-sanitizer, and spice), and Ubuntu (firefox, linux, linux-kvm, linux-lts-xenial, linux-aws, linux-azure-fde, open-vm-tools, and varnish).

The LWN.net Weekly Edition for August 25, 2022 is available.

Discussion on PEP 671 ("Syntaxfor late-bound function argument defaults") has been going on—in fits andstarts—since it was introduced lastOctober. The idea is to provide a way to specify the default for a function argument that is evaluated in thescope of the function call, which will allow more concise, and visible, defaults. But there hasbeen a persistent complaint that what thelanguage needs is a more-general deferred computation feature; late-bound defaults would simply fall out asone specific user of the feature. The arrival of a proposal for deferredcomputation did not really accomplish that goal, however.

Thisblog post on the NGINX corporate site describes the plans for this webserver project in the coming year.

Security updates have been issued by Fedora (vim), SUSE (cosign, dpdk, freeciv, gfbgraph, kernel, nim, p11-kit, perl-HTTP-Daemon, python-lxml, and python-treq), and Ubuntu (linux-oem-5.14, open-vm-tools, and twisted).