Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-23 05:45
Vetter: Locking engineering hierarchy
Daniel Vetter continues his series on locking in the kernel.
Security updates for Wednesday
Security updates have been issued by CentOS (389-ds-base, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, postgresql, python, python-twisted-web, python-virtualenv, squid, thunderbird, and xz), Fedora (ceph, firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, and kubernetes), Oracle (firefox, go-toolset and golang, libvirt libvirt-python, openssl, pcre2, qemu, and thunderbird), SUSE (connman, drbd, kernel, python-jupyterlab, samba, and seamonkey), and Ubuntu (linux-oem-5.14, linux-oem-5.17 and ntfs-3g).
[$] Crosswords for GNOME
Jonathan Blandford, who is a longtime GNOME contributor—and a cruciverbalist for longer still—thought it was time for GNOME to have a crossword puzzle application. So he set out to create one, which turned into something of a yak-shaving exercise, but also, ultimately, into Crosswords. Blandford came to GUADEC 2022 to give a talk describing his journey bringing this brain exerciser (and productivity bane) to the GNOME desktop.
Go 1.19 released
Version 1.19 of the Go programming language has been released. "Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before". This release includes some memory-model tweaks, a LoongArch port, improvements in the documentation-comment mechanism, and more.
GNU C Library 2.36 released
Version 2.36 of the GNU C Library has been released. Changes include support for the new DT_RELR relocation format, wrappers for the process_madvise(), process_mrelease(), pidfd_open(), pidfd_getfd(), and pidfd_send_signal() system calls, wrappers for the new filesystem mounting API, a DNS stub resolver that only does IPv4 queries, support for the BSD arc4random() API (despite some last-minute discussion), LoongArch architecture support, and more.
Security updates for Tuesday
Security updates have been issued by Debian (curl and jetty9), Fedora (dovecot), Gentoo (vault), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and squid), SUSE (booth, dovecot22, dwarves and elfutils, firefox, gimp, java-11-openjdk, kernel, and oracleasm), and Ubuntu (linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, net-snmp, and samba).
[$] Some 5.19 development statistics
The 5.19 kernel was released, after a one-week delay to deal with the fallout from the Retbleed mitigations, on July 31. By that time, 16,399 commits (15,134 non-merge and 1,265 merges) had found their way into the mainline repository, making this development cycle the busiest since 5.13 (16,030 non-merge changesets and 1,157 merges). Tradition dictates that now is the time for a look at where the changes in 5.19 came from, and we've learned not to go against tradition.
The 2022 Linux Plumbers Conference schedule is out
The 2022 Linux Plumbers Conference (LPC) has announced its schedule. The conference will be held in Dublin, Ireland, September 12-14.
Security updates for Monday
Security updates have been issued by Debian (booth, libpgjava, and thunderbird), Fedora (3mux, act, age, antlr4-project, apache-cloudstack-cloudmonkey, apptainer, aquatone, aron, asnip, assetfinder, astral, bettercap, buildah, butane, caddy, cadvisor, cheat, chisel, clash, clipman, commit-stream, containerd, cri-o, darkman, deepin-gir-generator, direnv, dnscrypt-proxy, dnsx, docker-distribution, doctl, douceur, duf, ffuf, fzf, geoipupdate, git-lfs, git-octopus, git-time-metric, glide, gmailctl, gnutls, go-bindata, goaltdns, gobuster, godep, godoctor, godotenv, gojq, golist, goloris, gomtree, google-guest-agent, gotags, gotun, grafana, gron, grpcurl, hakrevdns, hcloud, htmltest, httprobe, hulk, ignition, jid, kata-containers, kiln, kompose, kubernetes, libldb, manifest-tool, mass3, meg, meshbird, micro, mingw-harfbuzz, mingw-poppler, moby-engine, mqttcli, nats-server, nebula, netscanner, oci-seccomp-bpf-hook, ohmybackup, onionscan, open-policy-agent, origin, osbuild-composer, podman-tui, popub, powerline-go, reposurgeon, restic, runc, samba, shellz, shhgit, skopeo, snapd, snowcrash, source-to-image, subfinder, syncthing, sysutil, terrier, thunderbird, tiedot, toolbox, vgrep, vultr, vultr-cli, webanalyze, webkit2gtk3, weldr-client, wgctrl, xe-guest-utilities-latest, xen, xq, yggdrasil, yubihsm-connector, and a vast number of golang packages), Mageia (chromium-browser-stable, firefox, gdk-pixbuf2.0, python-ujson, and webmin), Red Hat (firefox and thunderbird), Slackware (gnutls), and SUSE (chromium, firefox, mozilla-nss, rubygem-tzinfo, samba, and xen).
The 5.19 kernel is out
Linus has released the 5.19 kernel.
Linux Mint 21 released
Version 21 of the Ubuntu-based Linux Mint distribution is out; it is available in the Cinnamon, MATE, and Xfce flavors. This is a long-term-support release that will receive updates until 2027.
Kicinski: TLS 1.3 Rx improvements in Linux 5.20
Jakub Kicinski provides an overview of some changes to the in-kernel TLS implementation coming in the next development cycle:
Seven new stable kernels
Greg Kroah-Hartman has announced the release of the 5.18.15, 5.15.58, 5.10.134, 5.4.208, 4.19.254, 4.14.290, and 4.9.325 stable kernels. As usual, these kernels contain important fixes throughout the tree. Note that the Retbleed mitigations have not been backported any further back than the 5.10.x series at this point.
[$] Direct host system calls from KVM
As a general rule, virtualization mechanisms are designed to provide strong isolation between a host and the guest systems that it runs. The guests are not trusted, and their ability to access or influence anything outside of their virtual machines must be tightly controlled. So a patch series allowing guests to execute arbitrary system calls in the host context might be expected to be the cause of significantly elevated eyebrows across the net. Andrei Vagin has posted such a series with the expected results.
Security updates for Friday
Security updates have been issued by Fedora (xorg-x11-server and xorg-x11-server-Xwayland), SUSE (aws-iam-authenticator, ldb, samba, libguestfs, samba, and u-boot), and Ubuntu (firefox, intel-microcode, libtirpc, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-gcp-5.4, linux-gke-5.4, mysql-5.7, and mysql-5.7, mysql-8.0).
[$] Security requirements for new kernel features
The relatively new io_uring subsystem has changed the way asynchronous I/O is done on Linux systems and improved performance significantly. It has also, however, begun to run up a record of disagreements with the kernel's security community. A recent discussion about security hooks for the new uring_cmd mechanism shows how easily requirements can be overlooked in a complex system with no overall supervision.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (chromium, gnupg1, java-17-openjdk, osmo, and podman), Oracle (grafana and java-17-openjdk), Red Hat (389-ds:1.4, container-tools:rhel8, grafana, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, pandoc, squid, and squid:4), Slackware (samba), and SUSE (crash, mariadb, pcre2, python-M2Crypto, virtualbox, and xen).
[$] LWN.net Weekly Edition for July 28, 2022
The LWN.net Weekly Edition for July 28, 2022 is available.
[$] Digital autonomy and the GNOME desktop
While GUADEC, the GNOME community's annual conference, has always been held in Europe (or online-only) since it began in 2000, this year's edition was held in North America, specifically in Guadalajara, México, July 20-25. Rob McQueen gave a talk on the first day of the conference about providing solutions that bring some level of digital safety and autonomy to users—and how GNOME can help make that happen. McQueen is the CEO of the Endless OS Foundation, which is an organization geared toward those goals; he was also recently reelected as the president of the GNOME Foundation board of directors.
Vetter: Locking Engineering Principles
Daniel Vetter offers some advice for developers of locking schemes in the kernel.
Nethercote: Twenty years of Valgrind
Nicholas Nethercote marks the 20th anniversary of the Valgrind 1.0 release.
Security updates for Wednesday
Security updates have been issued by Debian (kernel and openjdk-17), Fedora (ceph, lua, and moodle), Oracle (java-1.8.0-openjdk), Red Hat (grafana), SUSE (git, kernel, libxml2, nodejs16, and squid), and Ubuntu (imagemagick, protobuf-c, and vim).
[$] Docker and the OCI container ecosystem
Docker has transformed the way many people develop and deploy software. It wasn't the first implementation of containers on Linux, but Docker's ideas about how containers should be structured and managed were different from its predecessors. Those ideas matured into industry standards, and an ecosystem of software has grown around them. Docker continues to be a major player in the ecosystem, but it is no longer the only whale in the sea — Red Hat has also done a lot of work on container tools, and alternative implementations are now available for many of Docker's offerings.
Security updates for Tuesday
Security updates have been issued by Debian (spip), Mageia (libtiff and logrotate), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (gpg2, logrotate, and phpPgAdmin), and Ubuntu (python-bottle).
Fedora to disallow CC0-licensed code
The Creative Commons CC0 license is essentially a public-domain declaration (or as close as is possible in jurisdictions that lack a public domain). The Fedora project has allowed the distribution of code under this license, but, as announced by Richard Fontana, that policy is changing and CC0 will no longer be allowed for code:
[$] Support for Intel's Linear Address Masking
A 64-bit pointer can address a lot of memory — far more than just about any application could ever need. As a result, there are bits within that pointer that are not really needed to address memory, and which might be put to other needs. Storing a few bits of metadata within a pointer is a common enough use case that multiple architectures are adding support for it at the hardware level. Intel is no exception; support for its "Linear Address Masking" (LAM) feature has been slowly making its way toward the mainline kernel.
Security updates for Monday
Security updates have been issued by Debian (chromium, djangorestframework, gsasl, and openjdk-11), Fedora (giflib, openssl, python-ujson, and xen), Mageia (virtualbox), SUSE (git, gpg2, java-1_7_1-ibm, java-1_8_0-ibm, java-1_8_0-openjdk, mozilla-nspr, mozilla-nss, mozilla-nss, python-M2Crypto, and s390-tools), and Ubuntu (php8.1).
Debian.community domain name seized
The Debian project, Debian.ch, and Software in the Public Interest recently filed a WIPO action to take control of the "debian.community" domain name, which has been used by Daniel Pocock to attack the Debian project and its members. Red Hat had made a similar attempt to take control of WeMakeFedora.org earlier this year, but that attempt failed. The Debian action succeeded, though; on July 19, WIPO decided in favor of the action and ordered the domain name transferred. That domain name can no longer be used, but the attacks seem certain to continue.
Kernel prepatch 5.19-rc8
The 5.19-rc8 kernel prepatch is out for testing. "There's nothing really surprising in here - a few smaller fixups for the retbleed mess as expected, and the usual random one-liners elsewhere."
Stable kernels 5.18.14 and 5.15.57
The 5.18.14 and 5.15.57 stable kernels have been released; these consist almost entirely of the Retbleed hardware-vulnerability mitigations. The 5.10.133 update will be next to get those fixes; it is in the review process and is due on July 25. [Update: 5.10.133 has been released.]
[$] Stuffing the return stack buffer
"Retbleed" is the name given to a class of speculative-execution vulnerabilities involving return instructions. Mitigations for Retbleed have found their way into the mainline kernel but, as of this writing, some remaining problems have kept them from the stable update releases. Mitigating Retbleed can impede performance severely, especially on some Intel processors. Thomas Gleixner and Peter Zijlstra think they have found a better way that bypasses the existing mitigations and misleads the processor's speculative-execution mechanisms instead.
Security updates for Friday
Security updates have been issued by Fedora (gnupg2, oci-seccomp-bpf-hook, suricata, and vim), Oracle (java-11-openjdk), Slackware (net), and SUSE (kernel, nodejs16, rubygem-rack, and webkit2gtk3).
Six new stable kernels
The 5.15.56, 5.10.132, 5.4.207, 4.19.253, 4.14.289, and 4.9.324 stable kernels have been released. The 5.18.13 stable kernel has been delayed due to some problems found during review; 5.18.13-rc3 is out for review and is due on July 23. Note that none of these kernels has mitigations for the Retbleed vulnerabilities; those are still in the works for the stable kernels. Update: Seemingly a day early, 5.18.13 was released on July 22.
[$] Living with the Rust trademark
The intersection of free software and trademark law has not always been smooth. Free-software licenses have little to say about trademarks but, sometimes, trademark licenses can appear to take away some of the freedoms that free-software licenses grant. The Firefox browser has often been the focal point for trademark-related controversy; happily, those problems appear to be in the past now. Instead, the increasing popularity of the Rust language is drawing attention to its trademark policies.
Security updates for Thursday
Security updates have been issued by Mageia (kernel and kernel-linus), SUSE (dovecot23), and Ubuntu (freetype, libxml-security-java, and linux-oem-5.17).
[$] LWN.net Weekly Edition for July 21, 2022
The LWN.net Weekly Edition for July 21, 2022 is available.
[$] Leaving python-dev behind
It was not all that long ago that Python began its experiment with replacing one of its mailing lists with a forum on its Discourse discussion site. Over time, the Discourse instance has become more and more popular within the Python community. It would seem that another mailing list will soon be subsumed within Discourse as the Python steering council is planning to effectively retire the venerable python-dev mailing list soon.
Heinz: It's Time to Say Goodbye to These Obsolete Python Libraries
Martin Heinz encourages Python developers to move on to a number of newer modules.
Security updates for Wednesday
Security updates have been issued by Fedora (golang-github-gosexy-gettext, golang-github-hub, oci-seccomp-bpf-hook, and popub), Oracle (kernel and kernel-container), SUSE (python2-numpy), and Ubuntu (check-mk and pyjwt).
Cirq 1.0 released
Google has released Cirq 1.0 for developers working with leading-edge computers:
[$] Android apps on Linux with Waydroid
It is not uncommon for users to want to run a program targeted to one operating system on another type of system. With the increasing prevalence of smartphones, Android has become the world's most widely used operating system. So users may want to run Android apps on Linux systems in order to get access to a game or other app that is not available in a Linux version or to develop mobile apps on their desktop system. The Waydroid project provides a way to run those apps on Linux, which means they can run on a variety of devices, including Linux-based smartphones like the PinePhone.
Tom Lord RIP
From Berkeley comes the sad news of the passing of Tom Lord, a longtime free-software developer and the original author of GNU arch. He will be missed.
Security updates for Tuesday
Security updates have been issued by Fedora (buildah), SUSE (dovecot23 and nodejs12), and Ubuntu (harfbuzz, libhttp-daemon-perl, tiff, and webkit2gtk).
Ubuntu 21.10 is no longer supported
The Ubuntu 21.10 ("Impish Indri") release is no longer supported as of July 14; users who are on that version will want to look into upgrading soon.
[$] The BPF panic function
One of the key selling points of the BPF subsystem is that loading a BPF program is safe: the BPF verifier ensures that the program cannot hurt the kernel before allowing the load to occur. That guarantee is perhaps losing some of its force as more capabilities are made available to BPF programs but, even so, it may be a bit surprising to see this proposal from Artem Savkov adding a BPF helper that is explicitly designed to crash the system. If this patch set is merged in something resembling its current form, it will be the harbinger of a new era where BPF programs are, in some situations at least, allowed to be overtly destructive.
Conill: How efficient can cat(1) be?
Ariadne Conill explores ways to make the Unix cat utility more efficient on Linux.
Security updates for Monday
Security updates have been issued by Debian (mat2 and xen), Fedora (butane, caddy, clash, direnv, geoipupdate, gitjacker, golang-bug-serial-1, golang-github-a8m-envsubst, golang-github-apache-beam-2, golang-github-aws-lambda, golang-github-cespare-xxhash, golang-github-chromedp, golang-github-cloudflare, golang-github-cloudflare-redoctober, golang-github-cockroachdb-pebble, golang-github-cucumber-godog, golang-github-dreamacro-shadowsocks2, golang-github-dustinkirkland-petname, golang-github-etcd-io-gofail, golang-github-facebookincubator-contest, golang-github-facebookincubator-dhcplb, golang-github-facebookincubator-go2chef, golang-github-facebookincubator-ntp, golang-github-facebookincubator-nvdtools, golang-github-goccy-yaml, golang-github-gojuno-minimock, golang-github-google-wire, golang-github-hexdigest-gowrap, golang-github-intel-goresctrl, golang-github-j-keck-arping, golang-github-jamesclonk-vultr, golang-github-liamg-scout, golang-github-liamg-tml, golang-github-mattn-colorable, golang-github-mdlayher-ethernet, golang-github-moby-buildkit, golang-github-mock, golang-github-niklasfasching-org, golang-github-nxadm-tail, golang-github-path-network-mmproxy, golang-github-rakyll-statik, golang-github-shopify-toxiproxy, golang-github-shulhan-bindata, golang-github-skynetservices-skydns, golang-github-sophaskins-efs2tar, golang-github-spf13-cobra, golang-github-spyzhov-ajson, golang-github-task, golang-github-temoto-robotstxt, golang-github-theoapp-theo-agent, golang-github-tinylib-msgp, golang-github-tklauser-numcpus, golang-github-valyala-fasthttp, golang-google-protobuf, golang-honnef-tools, golang-k8s-kube-openapi, golang-k8s-pod-security-admission, golang-k8s-sample-cli-plugin, golang-mvdan-sh-3, golang-storj-drpc, golang-x-tools, gopass, harfbuzz, hcloud, manifest-tool, moby-engine, mqttcli, nex, php-laminas-diactoros2, podman-tui, seamonkey, snapd, tinygo, vgrep, vultr, vultr-cli, weldr-client, xen, and yubihsm-connector), Mageia (golang and java), Oracle (grub2, kernel, kernel-container, and squid), and SUSE (crash, kernel, nodejs12, nodejs14, and nodejs16).
Kernel prepatch 5.19-rc7
The 5.19-rc7 kernel prepatch is out for testing.
[$] Sharing page tables with msharefs
A page-table entry (PTE) is relatively small, requiring just eight bytes to refer to a 4096-byte page on most systems. It thus does not seem like a worrisome level of overhead, and little effort has been made over the kernel's history to reduce page-table memory consumption. Those eight bytes can hurt, though, if they are replicated across a sufficiently large set of processes. The msharefs patch set from Khalid Aziz is a revised attempt to address that problem, but it is proving to be a hard sell in the memory-management community.
Security updates for Friday
Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (curl, kernel, openssl1.1, php, subversion, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (grub2), SUSE (gnutls, kernel, logrotate, oracleasm, p11-kit, and python-PyJWT), and Ubuntu (libhttp-daemon-perl and python2.7, python3.10, python3.4, python3.5, python3.6, python3.8, python3.9).