The stable kernel updates that were due on July 14 have been delayed for several days, according to Greg Kroah-Hartman, due to problems that have come up with the Retbleed mitigation patches.
Version 9.0 of Rocky Linux, a Red Hat Enterprise Linux clone, has been released. There are a lot of changes, of course; see the release notes for an overview.
The MIT Technology Review has posted an article on a program within the US Defense Advanced Research Projects Agency to identify threats to open-source code.
The BPF subsystem allows programmers to write programs that can run safely in kernel space. All memory accesses and function calls in BPF programs are statically checked for safety using the in-kernel verifier, which analyzes programs in their entirety before allowing them to be loaded. While this allows the kernel to safely run BPF programs, it heavily restricts what those programs are able to do. Among these constraints is a rule that programs cannot store pointers into BPF maps for use (such as dereferencing them or passing them to the kernel in kfunc and BPF helper invocations) at a later time. A patch set by Kumar Kartikeya Dwivedi adds this capability to BPF.
Over the last five decades or so, free and open-source software (FOSS) has gone from an almost unknown quantity available to only the most technically savvy to underpinning much of the infrastructure we rely on today. Much like software itself, FOSS is "eating the world". But that has changed—is changing—the role of the maintainers of all of that code; when "critical" infrastructure uses code from a FOSS project, suddenly, and perhaps without warning, that code itself becomes critical. But many maintainers of that software are volunteers who did not set out to become beholden to the needs of large companies and organizations when they released their code; they were just scratching their itch—now lots of others are clamoring for theirs to be scratched as well.
Security updates have been issued by Fedora (xen), Mageia (x11-server), SUSE (chromium, kernel, pcre, pcre2, squid, and xorg-x11-server), and Ubuntu (gnupg, gnupg2, uriparser, xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04, and xwayland).
Back in April, there was an interesting discussion on the python-ideas mailing list that started as a query about adding support for custom literals, a la C++, but branched off from there. Custom literals are frequently used for handling units and unit conversion in C++, so the Python discussion fairly quickly focused on that use case. While ideas about a possible feature were batted about, it does not seem like anything that is being pursued in earnest, at least at this point. But some of the facets of the problem are, perhaps surprisingly, more complex than might be guessed.
Some researchers at ETH Zurich have disclosed a new set of speculative-execution vulnerabilities known as "Retbleed". In short, the retpoline defenses added when Spectre was initially disclosed turn out to be insufficient on x86 machines because return instructions, too, can be speculatively executed.
The 5.18.11, 5.15.54, 5.10.130, 5.4.205, 4.19.252, 4.14.288, and 4.9.323 stable kernel updates have been released; each contains another set of important fixes.
Security updates have been issued by Debian (chromium), Mageia (openssl and webkit2), Slackware (seamonkey), SUSE (crash, curl, freerdp, ignition, libnbd, and python3), and Ubuntu (dovecot and python-ldap).
The GCC steering committee has approved the contribution of the Rust frontend to the compiler suite. "We look forward to including a preliminary, beta version of GCC Rust in GCC 13 as a non-default language".
Once upon a time, a simple stack overflow was enough to mount a code-injection attack on a running system. In modern systems, though, stacks are not executable and, as a result, simple overflow-based attacks are no longer possible. In response, attackers have shifted to control-flow attacks that make use of the code already present in the target system. Hardware vendors have added a number of features intended to thwart control-flow attacks; some of these features have better support than others in the Linux kernel.
On his blog, Armin Ronacher comments about a recent security key giveaway by the Python Package Index (PyPI) to provide two-factor authentication (2FA) tokens to the maintainers of the "critical" projects on the index. While (eventually) requiring maintainers to use 2FA before being able to update PyPI packages is reasonable, Ronacher worries about where the idea might lead:
Security updates have been issued by Debian (php7.4), Fedora (gerbv, kernel, openssl, and podman-tui), Oracle (squid:4), Slackware (wavpack), and SUSE (apache2, chafa, containerd, docker and runc, fwupd, fwupdate, libqt5-qtwebengine, oracleasm, and python).
Linux distributions have changed quite a bit over the last 30 years, but the way that they package software has been relatively static. While the .deb and RPM formats (and others) have evolved with time, their current form would not be unrecognizable to their creators. Distributors are pushing for change, though. Both the Fedora and openSUSE projects are moving to reduce the role of the venerable RPM format and switch to Flatpak for much of their software distribution; some users are proving hard to convince that this is a good idea, though.
Security updates have been issued by Fedora (direnv, golang-github-mattn-colorable, matrix-synapse, pypy3.7, pypy3.8, and pypy3.9), Oracle (squid), SUSE (curl, openssl-1_1, pcre, python-ipython, resource-agents, and rsyslog), and Ubuntu (nss, php7.2, and vim).
The 5.18.10, 5.15.53, 5.10.129, 5.4.204, 4.19.251, 4.14.287, and 4.9.322 stable kernels have been released. As usual, they contain important fixes throughout the tree.
A regular feature of the Embedded Linux Conference (ELC) has been an update on the state of embedded Linux from conference organizer Tim Bird. It has been quite a few years since I had the opportunity to sit in on one, so I took one at the 2022 Open Source Summit North America (OSSNA) in Austin, Texas. OSSNA is an umbrella conference that contains ELC and a whole lot more these days. Bird gave a look at recent kernel features from an embedded perspective, talked a bit about some different technology areas and their impact on embedded Linux, and also tried to answer a question that Andrew Morton posed in a keynote at ELC in 2008.
Security updates have been issued by Debian (ldap-account-manager), Fedora (openssl1.1, thunderbird, and yubihsm-connector), Mageia (curl, cyrus-imapd, firefox, ruby-git, ruby-rack, squid, and thunderbird), Oracle (firefox, kernel, and thunderbird), Slackware (openssl), SUSE (dpdk, haproxy, and php7), and Ubuntu (gnupg2 and openssl).
Some system administrators running Ubuntu 20.04 had a rough time on June 8, when Ubuntu published kernel packages containing a particularly nasty bug that was caused by an Ubuntu-specific patch to the kernel. The bug led to a kernel panic whenever a Docker container was started. Fixed packages were made available on June 10, but there are questions about what went wrong with handling the patch; in particular, it is surprising that kernel 5.13, which has been beyond its end-of-life for months, made it onto machines running Ubuntu 20.04, which is supposed to be a long-term support release.
There has been a fair amount of concern recently about Microsoft's Copilot system, which many see as possibly putting its users in violation of free-software licenses. But, naturally, Copilot is not the only offering of this type; Amazon has put out a preview version of "CodeWhisperer", which is also a machine-learning-based coding tool that was trained on (unspecified) open-source code. From the FAQ:
The kernel has thousands of configuration options, many of which can change the kernel's behavior in subtle or surprising ways. Among those options is CONFIG_ANDROID, which one might expect to be relatively straightforward; its description reads, in its entirety: "Enable support for various drivers needed on the Android platform". It turns out that this option does more than that, to the surprise of some users. That has led to a plan to remove this option, but that has brought a surprise or two of its own — and some disagreement — as well.
The Debian Long Term Support (LTS) team has announced that Debian 9 ("stretch") has "reached its end-of-life on July 1, 2022, five years after its initial release on June 17, 2017". There will be further updates for a subset of the packages in the release through the Extended LTS project. Meanwhile, the LTS team is moving on to Debian 10 ("buster"):
The 5.19-rc5 kernel prepatch is out for testing. "So everything looks ok - we certainly have some issues still being looked at, but on the whole 5.19 looks normal, and nothing particularly bad seems to be going on".
Version 4.0.0 of the darktable raw photo editor has been released. "The UI has been completely revamped again to improve look and consistency. Padding, margins, color, contrast, alignment, and icons have been reworked throughout". Other changes include new exposure and color-calibration modules, a reworked "filmic" color-mapping module, guided laplacian highlight reconstruction, and more. (LWN looked at darktable in January).
The 5.18.9, 5.15.52, 5.10.128, 5.4.203, 4.19.250, 4.14.286, and 4.9.321 stable kernel updates have all been released; each contains yet another set of important fixes.
The CPU scheduler's job has never been easy; it must find a way to allocate CPU time to all tasks in the system that is fair, allows all tasks to progress, and maximizes the throughput of the system as a whole. More recently, it has been called upon to satisfy another constraint: minimizing the system's energy consumption. There is currently a patch set in circulation, posted by Vincent Donnefort with work from Dietmar Eggemann as well, that changes how this constraint is met. The actual change is small, but it illustrates how hard it can be to get the needed heuristics right.
Security updates have been issued by Debian (firefox-esr, isync, kernel, and systemd), Fedora (chromium, curl, firefox, golang-github-vultr-govultr-2, and xen), Mageia (openssl, python-bottle, and python-pyjwt), Red Hat (compat-openssl10, curl, expat, firefox, go-toolset-1.17 and go-toolset-1.17-golang, go-toolset:rhel8, kernel, kpatch-patch, libarchive, libgcrypt, libinput, libxml2, pcre2, php:7.4, php:8.0, qemu-kvm, ruby:2.6, thunderbird, and vim), and Ubuntu (curl, libjpeg6b, and vim).
The Software Freedom Conservancy (SFC) has issued a strong call for free software projects to give up GitHub and to move their repositories elsewhere. There are a number of problems that SFC has identified with the GitHub code-hosting service and, in particular, with its Copilot AI-based code-writing tool that was trained on the community's code stored in the company's repositories. Moving away from GitHub will not be easy, SFC said, but it is important to do so lest the free-software community repeat the SourceForge mistake.
Version 1.62.0 of the Rust language has been released. Changes include a new cargo add command, default enum variants, an improved Linux mutex implementation, a number of stabilized APIs, and more.
The kernel does not lack for memory allocators, so one might well question the need for yet another one. As this patch set from Alexei Starovoitov makes clear, though, the BPF subsystem feels such a need. The proposed new allocator is intended to increase the reliability of allocations made within BPF programs, which might be run in just about any execution context.
Security updates have been issued by Debian (firefox-esr, firejail, and ublock-origin), Fedora (chromium, firefox, thunderbird, and vim), Mageia (kernel and kernel-linus), Oracle (389-ds-base and python-virtualenv), SUSE (chromium), and Ubuntu (cloud-init).
On the first day of the 2022 Linux Security Summit North America (LSSNA) in Austin, Texas, Stéphane Graber and Christian Brauner gave a presentation on using system-call interception for container security purposes. The idea is to allow unprivileged containers, those without elevated privileges on the host, to still accomplish their tasks, some of which require privileges. A fair amount of work has been done to make this viable, but there is still more to do.
Security updates have been issued by Debian (blender, libsndfile, and maven-shared-utils), Fedora (openssl), Red Hat (389-ds-base, kernel, kernel-rt, kpatch-patch, and python-virtualenv), Scientific Linux (389-ds-base, kernel, python, and python-virtualenv), and Slackware (curl, mozilla, and openssl).
Version 9.0 of the Vim text editor has been released. The biggest change would appear to be the addition of the "Vim9 Script" language for editor customization: