Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-20 23:45
Three more stable kernels
The 6.0.9, 5.15.79, and 5.10.155 stable kernel updates have been released; each contains another set of important fixes.
Security updates for Wednesday
Security updates have been issued by Debian (grub2, nginx, and wordpress), Red Hat (389-ds-base, bind, buildah, curl, device-mapper-multipath, dnsmasq, dotnet7.0, dpdk, e2fsprogs, grafana-pcp, harfbuzz, ignition, Image Builder, kernel, keylime, libguestfs, libldb, libtiff, libvirt, logrotate, mingw-zlib, mutt, openjpeg2, podman, poppler, python-lxml, qt5, rsync, runc, samba, skopeo, toolbox, unbound, virt-v2v, wavpack, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and yajl), SUSE (389-ds, bluez, dhcp, freerdp, jackson-databind, kernel, LibVNCServer, libX11, nodejs12, nodejs16, php7, php8, python-Mako, python-Twisted, python310, sudo, systemd, and xen), and Ubuntu (mako).
[$] Scaling the KVM community
The scalability of Linus Torvalds was a recurring theme during Linux's early years; these days maintainer struggles are a recognized problem within open-source communities in general. It is thus not surprising that Sean Christopherson gave a talk at Open Source Summit Europe (and KVM Forum) with the title "Scaling KVM and its community". The talk mostly focused on KVM for the x86 architecture—the largest and most mature KVM architecture—which Christopherson co-maintains. But it was not a technical talk: most of the content can be applied to other KVM architectures, or even other Linux subsystems, so that they can avoid making the same kinds of mistakes.
Fedora 37 released
Version 37 of the Fedora family of distributions has been released, a few weeks later than originally intended.
Security updates for Tuesday
Security updates have been issued by Fedora (kernel and webkit2gtk3), Red Hat (dhcp, dovecot, flac, freetype, fribidi, frr, gimp, grafana, guestfs-tools, httpd, kernel-rt, libtirpc, mingw-gcc, mingw-glib2, pcs, php, protobuf, python3.9, qemu-kvm, redis, speex, and swtpm), SUSE (chromium, containerized-data-importer, jhead, kubevirt stack, nodejs14, nodejs16, python-Werkzeug, and xen), and Ubuntu (golang-1.13, nginx, and vim).
Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)
NLnet Labs has put up a blog entry warning about the possible effects of the "Cyber Resilience Act" proposal in the European Commission.
[$] Block-device snapshots with blksnap
As a general rule, one need not have worked in the technology industry for long before the value of good data backups becomes clear. Creating a backup that is truly good, though, can be a challenge if the filesystem in question is actively being changed while the backup process runs. Over the years, various ways of addressing this problem have been developed, ranging from simply shutting down the system while backups run to a variety of snapshotting mechanisms. The kernel may be about to get another approach to snapshots should the blksnap patch set from Sergei Shtepa find its way into the mainline.
Security updates for Monday
Security updates have been issued by Debian (dropbear, php7.4, pixman, sysstat, and xorg-server), Fedora (mingw-expat, mingw-libtasn1, and mingw-pixman), Mageia (binutils/gdb, chromium-browser-stable, exiv2, libtiff, nodejs, pcre, pixman, wayland, and webkit2), Red Hat (device-mapper-multipath and libksba), SUSE (autotrace, busybox, libmodbus, php72, python-numpy, rustup, samba, varnish, xen, and xterm), and Ubuntu (thunderbird).
Kernel prepatch 6.1-rc5
Linus has released 6.1-rc5 for testing.
[$] Git evolve: tracking changes to changes
The Git source-code management system exists to track changes to a set of files; the stream of commits in a Git repository reflects the change history of those files. What is seen in Git, though, is the final form of those commits; the changes that the patches themselves went through on their way toward acceptance are not shown there. That history can have value, especially while changes are still under consideration. The proposed git evolve subcommand is a recognition that changes themselves go through changes and that this process might benefit from tooling support.
Security updates for Friday
Security updates have been issued by Debian (chromium and exiv2), Fedora (curl, device-mapper-multipath, dotnet6.0, mediawiki, mingw-gcc, and php-pear-CAS), Gentoo (lesspipe), Slackware (php), SUSE (git, glibc, kernel, libarchive, python, python-rsa, python3-lxml, rpm, sudo, xen, and xwayland), and Ubuntu (wavpack).
A round of stable-kernel updates
The 5.4.224, 4.19.265, 4.14.299, and 4.9.333 stable kernel updates have been released; each contains another set of important fixes. Note that 6.0.8, 5.15.78, 5.10.154 went into the review process at the same time, but have not yet been released.
A pair of new LWN site features
We have finally added a set of dark mode defaults to the customization options for the site for those who prefer the dark side. Thanks to all the readers who have asked for this; apologies for taking so long to do it. The defaults seem good, but we are not dark-mode users, so please let us know if you have suggestions for improvements. Another new feature that has been requested for some time is the ability to receive feature articles via email. These emails are currently available to subscribers at the "Project Leader" level and higher; interested subscribers can sign up for the "Features" list on the mailing-lists page.
[$] Class action against GitHub Copilot
The GitHub Copilot offering claims to assist software developers through the application of machine-learning techniques. Since its inception, Copilot has been followed by controversies, mostly based on the extensive use of free software to train the machine-learning engine. The announcement of a class-action lawsuit against Copilot was thus unsurprising. The lawsuit raises all of the expected licensing questions and more; while some in our community have welcomed this attack against Copilot, it is not clear that this action will lead to good results.
Security updates for Thursday
Security updates have been issued by Debian (libjettison-java and xorg-server), Slackware (sysstat and xfce4), SUSE (python3 and xen), and Ubuntu (firefox).
[$] LWN.net Weekly Edition for November 10, 2022
The LWN.net Weekly Edition for November 10, 2022 is available.
[$] Moving past TCP in the data center, part 2
At the end of our earlier article on John Ousterhout's talk at Netdev 0x16, he had concluded that TCP was unsuitable for data-center environments for a variety of reasons. He also argued that there was no way to repair TCP so that it could serve the needs of data-center networking. In order for software to be able to use the full potential of today's networking hardware, TCP needs to be replaced with a protocol that is different in almost every way, he said. The second half of the talk covered the Homa transport protocol that he and others at Stanford have been working on as a possible replacement for TCP in the data center.
Security updates for Wednesday
Security updates have been issued by Debian (vim, webkit2gtk, and wpewebkit), Fedora (mingw-python3, vim, webkit2gtk3, webkitgtk, and xen), Mageia (389-ds-base, bluez, ffmpeg, libtasn1, libtiff, libxml2, and mbedtls), Red Hat (kpatch-patch and linux-firmware), SUSE (conmon, containerized data importer, exim, expat, ganglia-web, gstreamer-0_10-plugins-base, gstreamer-0_10-plugins-good, gstreamer-plugins-base, gstreamer-plugins-good, kernel, kubevirt, protobuf, sendmail, and vsftpd), and Ubuntu (libzstd, openjdk-8, openjdk-lts, openjdk-17, openjdk-19, php7.2, php7.4, php8.1, and pixman).
[$] Using certificates for SSH authentication
SSH is a well-known mechanism for accessing remote computers in a secure way; thanks to its use of cryptography, nobody can alter or eavesdrop on the communication. Unfortunately, SSH is somewhat cumbersome when connecting to a host for the first time; it's also tricky for a server administrator to provide time-limited access to the server. SSH certificates can solve these problems.
Texinfo 7.0 released
Version 7.0 of Texinfo, the GNU Project's documentation system, has been released. There are a number of changes here, the biggest of which may be the ability to produce output in the EPUB format.
Security updates for Tuesday
Security updates have been issued by Debian (pixman and sudo), Fedora (mingw-binutils and mingw-gdb), Red Hat (bind, bind9.16, container-tools:3.0, container-tools:4.0, container-tools:rhel8, dnsmasq, dotnet7.0, dovecot, e2fsprogs, flatpak-builder, freetype, fribidi, gdisk, grafana, grafana-pcp, gstreamer1-plugins-good, httpd:2.4, kernel, kernel-rt, libldb, libreoffice, libtiff, libxml2, mingw-expat, mingw-zlib, mutt, nodejs:14, nodejs:18, openblas, openjpeg2, osbuild, pcs, php:7.4, php:8.0, pki-core:10.6 and pki-deps:10.6, poppler, protobuf, python27:2.7, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, qt5, redis:6, rsync, unbound, virt:rhel, virt-devel:rhel, wavpack, webkit2gtk3, xmlrpc-c, xorg-x11-server, xorg-x11-server-Xwayland, and yajl), SUSE (exiv2, expat, rubygem-nokogiri, sudo, and vsftpd), and Ubuntu (isc-dhcp, libraw, sqlite3, and tiff).
[$] Better CPU selection for timer expiration
On the surface, the kernel's internal timer mechanism would not appear to have changed much in a long time; the core API looks quite similar to the one present in the 1.0 release. Underneath the API, naturally, quite a bit of complexity has been added over the years. The implementation of this API looks to become even more complex — but faster — if and when this patch set from Anna-Maria Behnsen finds its way into the mainline.
Security updates for Monday
Security updates have been issued by Debian (ffmpeg, libxml2, python-django, python-scciclient, and xen), Fedora (ghc-cmark-gfm, java-latest-openjdk, and vim), Mageia (expat, ntfs-3g, and wkhtmltopdf), Oracle (kernel), Slackware (sudo), and SUSE (expat, libxml2, rubygem-loofah, and xmlbeans).
Kernel prepatch 6.1-rc4
The 6.1-rc4 kernel prepatch is out for testing. "So as hoped for (and expected), things seem to be starting to calm down, and rc4 is a pretty normal size for this stage in the process".
SystemTap 4.8 released
Version 4.8 of the SystemTap tracing tool is out. "Enhancements to this release include: kernel runtime improvements on multi-CPU systems, python3 tapset support through python3.11, tapset and template script for cve livepatching, bpf backend embedded-code assembler improvements".
[$] Two performance-oriented patches: epoll and NUMA balancing
The search for better performance from the kernel never ends. Recently there has been a stream of smaller patches that promise incremental performance gains, at least for some types of applications. Read on for an overview of two of those patches, which make changes to the epoll system calls and to NUMA balancing. This work shows where developers are looking for performance improvements — and that not everybody measures performance the same way.
Security updates for Friday
Security updates have been issued by Debian (clickhouse, distro-info-data, and ntfs-3g), Fedora (firefox), Oracle (kernel), Slackware (mozilla), and SUSE (python-Flask-Security-Too).
Security updates for Thursday
Security updates have been issued by Debian (pypy3), Fedora (drupal7, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and php), Oracle (kernel, lua, openssl, pcs, php-pear, pki-core, python3.9, and zlib), Red Hat (kernel, kernel-rt, kpatch-patch, lua, openssl-container, pcs, php-pear, pki-core, python3.9, and zlib), Scientific Linux (kernel, pcs, and php-pear), SUSE (EternalTerminal, hsqldb, ntfs-3g_ntfsprogs, privoxy, rubygem-actionview-4_2, sqlite3, and xorg-x11-server), and Ubuntu (ntfs-3g, python3.10, and sqlite3).
[$] A report from the 2022 Image-Based Linux Summit
The first Image-Based Linux Summit was held in Berlin on October 5 and 6, 2022. The main goal of this summit was to agree on common concepts and tooling for how to build, deploy, and run modern, secure, image-based Linux distributions — a project that the organizers, Christian Brauner, Luca Boccassi, and Lennart Poettering, have been working on for some time. The result was a more refined vision of how Linux systems can be built and deployed securely.
Today's crop of stable kernels
Greg Kroah-Hartman has announced the release of the 6.0.7, 5.15.77, 5.10.153, 5.4.223, 4.19.264, 4.14.298, and 4.9.332 stable kernels. As usual, they contain important fixes throughout the kernel tree.
Rust 1.65.0 released
Version 1.65.0 of the Rust language has been released. Improvements include generic associated types, a new let...else statement, and the ability to break from labeled blocks:
[$] LWN.net Weekly Edition for November 3, 2022
The LWN.net Weekly Edition for November 3, 2022 is available.
[$] Modernizing Fedora's C code
It is not often that you see a Fedora change proposal for a version of the distribution that will not be available for 18 months or so, but that is exactly what was recently posted to the mailing list. The change targets the C source code in the myriad of packages that the distribution ships; it would fix code that uses some ancient compatibility features that were removed by the C99 standard but are still supported by GCC. As might be guessed from the long runway proposed, there is quite a bit of work to do to get there.
A new crop of malicious modules found on PyPI
Phylum has posted an article with a detailed look at a set of malicious packages discovered by an automated system they have developed.
Security updates for Wednesday
Security updates have been issued by Debian (ffmpeg and linux-5.10), Fedora (libksba, openssl, and php), Gentoo (openssl), Mageia (curl, gdk-pixbuf2.0, libksba, nbd, php, and virglrenderer), Red Hat (kernel, kernel-rt, libksba, and openssl), SUSE (gnome-desktop, hdf5, hsqldb, kernel, nodejs10, openssl-3, php7, podofo, python-Flask-Security, python-lxml, and xorg-x11-server), and Ubuntu (backport-iwlwifi-dkms, firefox, ntfs-3g, and openssl).
A few stable kernel updates
The 5.4.222, 4.19.263, and 4.14.297 stable kernel updates have been released. The first two contain a single patch for a Clang compilation error; 4.14.297, instead, has a number of fixes and speculative-execution mitigations.
[$] Moving past TCP in the data center, part 1
At the recently concluded Netdev 0x16 conference, which was held both in Lisbon, Portugal and virtually, Stanford professor John Ousterhout gave his personal views on where networking in data centers needs to be headed. To solve the problems that he sees, he suggested some "fairly significant changes" to those environments, including leaving behind the venerable—ubiquitous—TCP transport protocol. While LWN was unable to attend the conference itself, due to scheduling and time-zone conflicts, we were able to view the video of Ousterhout's keynote talk to bring you this report.
OpenSSL 3.0.7 released
The much-anticipated OpenSSL 3.0.7 release, which fixes some high-risk security problems, is available. The release notes list two vulnerabilities (CVE-2022-3786 and CVE-2022-3602) that have not yet been documented on the OpenSSL vulnerabilities page. LWN commenter mat2 has provided the relevant information, though. It is worth updating quickly, but many sites do not appear to be at immediate risk. Update: the associated security advisory is now available.
Security updates for Tuesday
Security updates have been issued by Debian (python3.7), Gentoo (android-tools, expat, firefox, libjxl, libxml2, pjproject, sqlite, thunderbird, and zlib), Oracle (compat-expat1), Slackware (php8 and vim), SUSE (kernel, libtasn1, podman, and pyenv), and Ubuntu (libtasn1-6).
Systemd 252 released
Systemd version 252 has been released. As usual, the list of changes is long. It includes a new systemd-measure tool for the calculation of PCR values and a bunch of infrastructure to use the result for disk encryption:
[$] Still waiting for stackable security modules
The Linux security module (LSM) mechanism was created as a result of the first Kernel Summit in 2001; it was designed to allow the development of multiple approaches to Linux security. That goal has been met; there are several security modules available with current kernels. The LSM subsystem was not designed, though, to allow multiple security modules to work together on the same system. Developers have been working to rectify that problem almost since the LSM subsystem was merged, but with limited success; some small security modules can be stacked on top of the "major" ones, but arbitrary stacking is not possible. Now, a full 20 years after security-module support went into the 2.5 development kernel series, it looks like a solution to the stacking problem may finally be getting closer.
Security updates for Monday
Security updates have been issued by Debian (batik, chromium, expat, libxml2, ncurses, openvswitch, pysha3, python-django, thunderbird, and tomcat9), Fedora (cacti, cacti-spine, curl, mbedtls, mingw-expat, and xen), Gentoo (apptainer, bind, chromium, exif, freerdp, gdal, gitea, hiredis, jackson-databind, jhead, libgcrypt, libksba, libtirpc, lighttpd, net-snmp, nicotine+, open-vm-tools, openexr, rpm, schroot, shadow, sofia-sip, tiff, and xorg-server), Mageia (libreoffice), Oracle (expat), Red Hat (device-mapper-multipath), and SUSE (cacti, cacti-spine, chromium, exim, jhead, kernel, libmad, opera, and pdns-recursor).
GNU Make 4.4 released
Version 4.4 of the GNU make utility is out. There is a long list of changes and a fair number of potential compatibility issues; see the announcement text for all the details.
Kernel prepatch 6.1-rc3
The 6.1-rc3 kernel prepatch is out for testing.
Four (now five) new stable kernels
The 5.10.151 kernel was released on October 28 with a small fix to the PAHOLE_FLAGS in the kernel build. October 29 saw the release of the 6.0.6, 5.15.76, and 5.4.221 stable kernels, each with the usual collection of important fixes throughout the tree. Update: 5.10.152 has now also been released with another set of important fixes.
Generic associated types in Rust 1.65
The Rust Types Team announces that the long-awaited generic associated types feature will be stable in Rust 1.65.
[$] Packaging Rust for Fedora
Linux distributions were, as a general rule, designed during an era when most software of interest was written in C; as a result, distributions are naturally able to efficiently package C applications and the libraries they depend on. Modern languages, though, tend to be built around their own package-management systems that are designed with different goals in mind. The result is that, for years, distributors have struggled to find the best ways to package and ship applications written in those languages. A recent discussion in the Fedora community on the packaging of Rust applications shows that the problems have not yet all been solved.
Security updates for Friday
Security updates have been issued by Debian (expat, ruby-sinatra, and thunderbird), Fedora (glances), Mageia (cups, firefox, git, heimdal, http-parser, krb5-appl, minidlna, nginx, and thunderbird), Oracle (389-ds:1.4, device-mapper-multipath, firefox, mysql:8.0, postgresql:12, and thunderbird), SUSE (dbus-1, libconfuse0, libtasn1, openjpeg2, qemu, and thunderbird), and Ubuntu (dbus, linux-azure-fde, and tiff).
A Fedora 37 release-date slip
Fedora releases have traditionally happened later than their target date, though the project has done better on that score in recent years. Ben Cotton has announced in Fedora Magazine that the upcoming Fedora 37 release, initially planned for October 25, won't be happening until November 15. The immediate cause is an impending OpenSSL update which fixes a vulnerability described as "critical".
[$] Copyright notices (or the lack thereof) in kernel code
The practice of requiring copyright assignments for contributions to free-software projects has been in decline for years; the GNU Binutils project may be the latest domino to fall in that regard. The Linux kernel project, unlike some others, has always allowed contributors to retain their copyrights, resulting in a code base that has widely distributed ownership. In such a project, who owns the copyright to a given piece of code is not always obvious. Some developers (or their employers) are insistent about the placement of copyright notices in the code to document their ownership of parts of the kernel. A series of recent discussions within the Btrfs subsystem, though, has made it clear that there is no project-wide policy on when these notices are warranted — or even acceptable.