LWN.net
Link | https://lwn.net/ |
Feed | http://lwn.net/headlines/rss |
Updated | 2025-06-08 11:30 |
by jake on (#68178)
Security updates have been issued by Debian (lava and libitext5-java), Oracle (java-11-openjdk, java-17-openjdk, and libreoffice), SUSE (firefox, git, mozilla-nss, postgresql-jdbc, and sudo), and Ubuntu (git, linux-aws-5.4, linux-gkeop, linux-hwe-5.4, linux-oracle, linux-snapdragon, linux-azure, linux-gkeop, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, and linux-bluefield).
by corbet on (#6808J)
The Google Project Zero page shows how to compromise the kernel by using a NULL pointer to repeatedly force an oops and overflow a reference count.
by corbet on (#67ZXW)
Code that is added to the kernel can stay there for a long time; there is code in current kernels that has been present for over 30 years. Nothing is forever, though. The kernel development community is currently discussing the removal of two architectures and one filesystem, all of which seem to have mostly fallen out of use. But, as we will see, removal of code from the kernel is not easy and is subject to reconsideration even after it happens.
by corbet on (#67ZVN)
Version 3.0 of the Pandoc document-conversion tool has been released; the list of new features is quite long, including "chunked" HTML output, support for complex figures, and much more.
by jake on (#67ZVP)
Security updates have been issued by Debian (firefox-esr, libitext5-java, sudo, and webkit2gtk), Fedora (firefox and qemu), Red Hat (java-11-openjdk and java-17-openjdk), Slackware (sudo), SUSE (sudo), and Ubuntu (python-urllib3 and sudo).
by corbet on (#67Z7Q)
The LWN.net Weekly Edition for January 19, 2023 is available.
by jake on (#67Z3N)
On today's Fedora systems, a reboot cycle—for a kernel update, say—is normally a fairly quick affair, but that is not always true. The system will wait for services to shut down cleanly and will wait for up to two minutes before killing a service and moving on. A recent proposal to change the default timeout to 15 seconds, while still allowing some services to require more time, ran into more opposition than was perhaps anticipated. Not everyone was comfortable shortening the timeout period, though the decision has now been made to reduce it, but not as far as was proposed.
by corbet on (#67YHP)
The 6.1.7, 5.15.89, 5.10.164, 5.4.229, 4.19.270, and 4.14.303 stable kernels have all been released; each contains another big set of important fixes.
by corbet on (#67YHQ)
Security updates have been issued by Fedora (awstats), Oracle (dpdk, libxml2, postgresql:10, systemd, and virt:ol and virt-devel:rhel), Red Hat (kernel), Slackware (git, httpd, libXpm, and mozilla), SUSE (libzypp-plugin-appdata), and Ubuntu (git, libxpm, linux-ibm-5.4, linux-oem-5.14, and ruby2.3).
by jake on (#67XT0)
Over the past several months, there have been wide-ranging discussions in the Python community about difficulties users have with installing packages for the language. There is a bewildering array of options for package-installation tools and Python distributions focused on particular use cases (e.g. scientific computing); many of those options do not interoperate well—or at all—so they step on each others' toes. The discussions have focused on where solutions might be found to make it easier on users, but lots of history and entrenched use cases need to be overcome in order to get there—or even to make progress in that direction.
by corbet on (#67XRB)
Git 2.39.1 has been released with a set of security fixes; there are also updated versions of many older Git releases available. A pair of integer overflow vulnerabilities can lead to code execution in some scenarios; see the announcement and this GitHub blog entry for more information.
by corbet on (#67XFE)
Version 109.0 of the Firefox browser has been released. The headline feature this time is the enabling of Manifest Version 3 support — a new extension mechanism that, among other things, gives a higher degree of control over what extensions can do.
by corbet on (#67XD1)
Security updates have been issued by Debian (tor) and SUSE (python-setuptools, python36-setuptools, and tor).
by corbet on (#67WC1)
It is rare to see an extensive and unhappy discussion over the selection of compiler options used to build a distribution, but it does happen. A case in point is the debate over whether Fedora should be built with frame pointers or not. It comes down to a tradeoff between a performance loss on current systems and hopes for gains that exceed that loss in the future — and some disagreements over how these decisions should be made within the Fedora community.
by corbet on (#67WC2)
Dave Täht describes the Flent network-testing tool and its use in great detail.
by jake on (#67WAB)
Security updates have been issued by Debian (chromium, lava, libapreq2, net-snmp, node-minimatch, and openvswitch), Fedora (jpegoptim, kernel, kernel-headers, kernel-tools, and python2.7), Mageia (ctags, ffmpeg, minetest, python-gitpython, w3m, and xrdp), Oracle (kernel), Red Hat (dpdk and libxml2), Slackware (netatalk), SUSE (apptainer, chromium, libheimdal, python-wheel, python310-setuptools, and SDL2), and Ubuntu (linux-aws, linux-gcp-4.15, maven, and net-snmp).
by corbet on (#67VFG)
Libre Arts looks forward to progress in a long list of creative-art projects this year.
by corbet on (#67TZ8)
The 6.1.6, 5.15.88, and 5.10.163 stable kernel updates have been released; each contains another set of important fixes.
by corbet on (#67SSH)
Speculative-execution vulnerabilities come about when the CPU, while executing speculatively, is able to access memory that would otherwise be denied to it. Most of these vulnerabilities would go away if the CPU were always constrained by the established memory protections. An obvious way to fix these problems would be to make CPUs behave that way, but doing that without destroying performance is not an easy task. So, instead, Intel has developed a feature called "linear address-space separation" (LASS) to paper over parts of the problem; Yian Chen has posted a patch set adding support for this feature.
by jake on (#67SPT)
Security updates have been issued by Fedora (cacti, cacti-spine, mbedtls, postgresql-jdbc, and rust), Oracle (.NET 6.0, dbus, expat, grub2, kernel, kernel-container, libtasn1, libtiff, sqlite, and usbguard), Red Hat (rh-postgresql10-postgresql), SUSE (php7), and Ubuntu (heimdal, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-5.4, linux-hwe, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim).
by corbet on (#67RVG)
The Chromium browser project has announced that it will be integrating support for third-party libraries written in Rust.
by corbet on (#67RH4)
The release of the 4.9.337 stable kernel update on January 7 marked the end of an era: after just over six years of maintenance, the 4.9.x series will receive no more updates. This kernel saw a lot of change after Linus Torvalds made the "final" release and left the building; it's time for a look at the "stable" portion of this kernel's life to see what can be learned.
by jake on (#67REN)
Greg Kroah-Hartman has announced the release of the 6.1.5, 6.0.19, and 5.15.87 stable kernels. As usual, they contain lots of important fixes all over the kernel tree; users should upgrade. This is also the last release in the 6.0.y kernel series: "All users must move to the 6.1.y branch at this point in time, as this branch is now end-of-life."
by jake on (#67REP)
Security updates have been issued by Debian (emacs, libxstream-java, and netty), Fedora (mingw-binutils, pgadmin4, phoronix-test-suite, vim, and yarnpkg), Red Hat (.NET 6.0, dbus, expat, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, postgresql:10, sqlite, systemd, usbguard, and virt:rhel and virt-devel:rhel), and SUSE (net-snmp, openstack-barbican, openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, openstack-neutron-gbp, php7, php74, php8, python-future, python3, samba, SDL2, and w3m).
by corbet on (#67QTW)
The LWN.net Weekly Edition for January 12, 2023 is available.
by jake on (#67QQM)
The PyTorch compromise that happened right at the end of 2022 was rather ugly, but its impact was not widespread—seemingly, at least. The incident does highlight some of the perils of relying on an external "supply chain" for the components that are used to build one's software. It also would appear to be another case of "security researchers" run amok, though perhaps that part of the story is only meant to cover the tracks—or ass—of the perpetrator.
by corbet on (#67Q3H)
Security updates have been issued by Debian (exiv2, hsqldb, libjettison-java, ruby-sinatra, and viewvc), Fedora (golang-github-docker, mbedtls, and vim), Gentoo (alpine, commons-text, jupyter_core, liblouis, mbedtls, ntfs3g, protobuf-java, scikit-learn, and twisted), Red Hat (kernel and kpatch-patch), SUSE (rubygem-activerecord-5.2, tiff, and webkit2gtk3), and Ubuntu (dotnet6, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-oracle, linux-ibm, and linux-oem-5.17, linux-oem-6.0).
by jake on (#67PEV)
Python's formatted strings, or "f-strings", came relatively late to the language, but have become a popular feature. F-strings allow a compact representation for the common task of interpolating program data into strings, often in order to output them in some fashion. Some restrictions were placed on f-strings to simplify the implementation of them, but those restrictions are not really needed anymore and, in fact, are complicating the CPython parser. That has led to a Python Enhancement Proposal (PEP) to formalize the syntax of f-strings for the benefit of Python users while simplifying the maintenance of the interpreter itself.
by corbet on (#67P2V)
In late 2021, LWN covered a plan to eliminate the Python global interpreter lock (GIL), thus improving the language's thread-level concurrency. This plan has now been codified as PEP 703, which includes an extensive discussion of the changes that would be made.
by corbet on (#67NV3)
Security updates have been issued by Debian (libtasn1-6), Fedora (nautilus), Oracle (kernel, kernel-container, nodejs:14, tigervnc, and xorg-x11-server), Red Hat (grub2, nodejs:14, tigervnc, and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), SUSE (systemd), and Ubuntu (firefox, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure, w3m, and webkit2gtk).
by corbet on (#67MS0)
The kernel's memory-management developers have been busy before and during the holidays; the result is a number of patch sets making significant changes to that subsystem. It is time for a quick look at three of those projects. Two of them aim to increase the sharing of page tables between processes, while the third takes advantage of the multi-generational LRU to create a better picture of what a process's working set actually is.
by jake on (#67MP4)
Security updates have been issued by Fedora (python2.7), SUSE (ca-certificates-mozilla, libksba, and ovmf), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lowlatency, linux-raspi, linux, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and linux-aws).
by corbet on (#67M4E)
Linus has released 6.2-rc3 for testing. "Here we are, another week done, and things are starting to look a lot more normal after that very quiet holiday week that made rc2 so very small".
by corbet on (#67K04)
The 6.1.4, 6.0.18, and 4.9.337 stable kernel updates have been released; each contains another set of important fixes. Greg Kroah-Hartman has also let it be known that 4.9.337 is the end of the line for the 4.9 kernel, which was released just over six years ago. "This kernel is now END-OF-LIFE and you should move to 4.14.y at the least, 6.1.y is the better option."
by corbet on (#67J22)
Most developers probably do not see the generation of random numbers as being a performance bottleneck for their programs, but there are seemingly exceptions. Over the last few years, Jason Donenfeld has brought a new level of energy to the development of the kernel's random-number generator; he is now directing his efforts toward improving performance for user space with this patch series that provides an implementation of the getrandom() system call in the kernel's "virtual dynamic shared object" (vDSO) area. The result is, indeed, better performance, but not all developers see this benefit as being worth the additional complexity required to achieve it.
by jake on (#67J04)
Security updates have been issued by Debian (libetpan and smarty3), SUSE (libksba, rpmlint-mini, tcl, and xrdp), and Ubuntu (curl, firefox, and linux-oem-5.14).
by corbet on (#67J05)
Peter Hutterer writes about the disabling of support for byte-swapped clients in the X.org server and the reasons why this was done.
by corbet on (#67GT6)
The kernel's fscrypt subsystem enables filesystems to store files and directories in encrypted form, protecting them against offline attacks. A few filesystems support encryption with fscrypt currently, but Btrfs is an exception, despite a number of attempts to add this feature. The problem is that, as so often seems to be the case, Btrfs works differently and does not fit well with one of the key assumptions in the design of fscrypt. With this patch series, Sweet Tea Dorminy is working to enhance fscrypt to be a better fit for filesystems like Btrfs.
by jake on (#67GQP)
Security updates have been issued by Fedora (binwalk), Oracle (kernel and webkit2gtk3), Red Hat (webkit2gtk3), Slackware (vim), and Ubuntu (libksba and nautilus).
by corbet on (#67G42)
The LWN.net Weekly Edition for January 5, 2023 is available.
by jake on (#67G2K)
The Linux security module (LSM) subsystem has long had limitations on which modules could be combined in a given running kernel. Some parts of the problem have been solved over the years—"smaller" LSMs can be combined at will with a single, more complex LSM—but combining (or "stacking") SELinux with, say, Smack or AppArmor has never been possible. Back in October, we looked at the most recent attempt to add that ability, which resulted in patches to add two new system calls for LSM. By the end of December, the number of new system calls had risen to three.
by corbet on (#67FEQ)
The 6.1.3, 6.0.17, and 5.10.162 stable kernel updates have been released. Each contains a moderate set of important fixes.
by corbet on (#67FER)
Security updates have been issued by Fedora (xorg-x11-server-Xwayland), Red Hat (webkit2gtk3), SUSE (rmt-server), and Ubuntu (freeradius).
by jake on (#67ERT)
The Fedora community is currently discussing a proposal to start supporting a unified kernel image (UKI) for the distribution; these images would combine several pieces that are generally separate today (e.g. initrd, kernel, and kernel command line). There are a number of advantages to such a kernel image, at least for some kinds of systems, but there is worry from some about where the endpoint of this work lies. There is a need to ensure that Fedora can still boot non-unified, perhaps locally built, kernels and can support other use cases that unification might preclude.
by corbet on (#67E5Q)
Security updates have been issued by Oracle (bcel), SUSE (ca-certificates-mozilla, glibc, minetest, multimon-ng, nautilus, ovmf, python-Django, samba, saphanabootstrap-formula, and xrdp), and Ubuntu (usbredir).
by corbet on (#67DCB)
Yet another new year is upon us, and that can only mean one thing: the time has come for your editor to look into his crystal ball and make some predictions for what 2023 will hold. Said crystal ball is known to suffer from speculative-execution problems and parity errors, but it's the best that LWN's budget will afford. Read on for a highly unreliable look at what's to come.
by corbet on (#67D8G)
DistroWatch Weekly celebrates its 1000th issue and 20 years of publication.