LWN.net

Python's super()built-in function can be somewhat confusing, as highlighted by a hugepython-ideas thread that we started lookingat last week. It is used by methods in class hierarchies to accessmethods and attributes in a parent class, but exactly which classthat super() resolves to is perhaps a bit unclear in multiple-inheritance hierarchies.The discussion in the second "half" of the thread further highlighted somelesser-known parts of the language.

Version 19 of theAndroid-based LineageOS distribution has been released.

Security updates have been issued by Debian (ffmpeg), Fedora (htmldoc, moby-engine, plantuml, and zchunk), Oracle (java-1.8.0-openjdk, java-17-openjdk, and kernel), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk), Slackware (freerdp), SUSE (kernel, mutt, SUSE Manager Client Tools, and xen), and Ubuntu (barbican and git).

The kernel gained support for the TLSprotocol in the 4.13 release, which came out in September 2017. Thatsupport is incomplete, though, in that it does not provide the kernel witha way to initiate a TLS connection on its own. Instead, user space createsa socket and performs the TLS handshake before handing the socket to thekernel, which can then transfer data using TLS. The situation may be aboutto change as a result of thispatch series from Chuck Lever — though user space will still need toremain in the picture.

Dave Täht has put together a summary of thestate of fair queuing and the fight against bufferbloat in general.

Security updates have been issued by Fedora (kernel, kernel-headers, kernel-tools, libinput, podman-tui, and vim), Mageia (git, gzip/xz, libdxfrw, libinput, librecad, and openscad), and SUSE (dnsmasq, git, libinput, libslirp, libxml2, netty, podofo, SDL, SDL2, and tomcat).

The 5.18-rc4 kernel prepatch is out fortesting. "Fairly slow and calm week - which makes me just suspectthat the other shoe will drop at some point. But maybe things are justgoing really well this release. It's bound to happen _occasionally_, afterall."

Subsystem maintainers routinely use gitrequest-pull as part of the process of sending work upstream. Normally, the result includes a list ofcommits included in the request and a nicediffstat that shows which files will be touched and how much of each willbe changed; examplesabound on the kernel mailing lists. Occasionally, though, a repository with a relativelycomplicated development history will yield a massive diffstat containing agreat deal of unrelated work. The result looks ugly and obscures what thepull request is actually doing. This document describes what is happeningand how to fix things up; it is derived from The Wisdom of Linus Torvalds,which has been posted numerous times over the years (example 1,example 2).

Security updates have been issued by Fedora (composer, golang-x-crypto, rubygem-nokogiri, wavpack, xen, and xz) and SUSE (dnsmasq, openjpeg, swtpm, tomcat, and xen).

OpenBSD 7.1 has been released. The list of changes and new features islong, as usual; see the full text, below, for all the details.

The Ubuntu 22.04 LTS release, codenamed "Jammy Jellyfish", is now available. It comes in several editions (Desktop, Server, Cloud, and Core) and multiple flavors (Ubuntu Budgie, Kubuntu, Lubuntu, Ubuntu Kylin, Ubuntu MATE,UbuntuStudio, and Xubuntu). Lots more information can be found in the release notes.

The Debian project leader election has completed and Jonathan Carter has been reelected for his third term. For more information, see the Debian vote page. We looked at the candidates back in March.

The world of music and audio production is largely dominated byproprietary software vendors. Among them, Steinberg stands out as a companythat created some of the most-used software, including the Cubase and Nuendo digital audioworkstations. Steinberg is also known as the creator of the VST plugin APIthat, largely due to its licensing policy, has irritated developers enough toinspire multiple attempts at creating an open-source alternative. Even now,when the VST3 SDK is available under theGPLv3 license, the way the company exercises its control over the SDKkeeps pushing developers away toward other open-source solutions.This is an introduction to open-source pluginAPIs for musicians and sound engineers alike. It focuses on the options inthe larger ecosystem and how their shortcomings led to the creation of newalternatives with liberal licensing.

Security updates have been issued by Fedora (frr, grafana, gzip, and pdns), Oracle (java-11-openjdk), Red Hat (java-11-openjdk and kernel), Scientific Linux (java-11-openjdk), SUSE (dcraw, GraphicsMagick, gzip, kernel, nbd, netty, qemu, SDL, and xen), and Ubuntu (libinput, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, inux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, and linux-oem-5.14).

The OpenWrt 21.02.3and 19.07.10updates have been released. These updates contain some security fixes andimproved device support. It's noting that this is the last 19.07 update:

The LWN.net Weekly Edition for April 21, 2022 is available.

A proposal to "deprecate" support for BIOS-only systems for Fedora, by no longersupporting new installations on those systems, led to a predictably longdiscussion on the Fedora devel mailing list. There are, it seems, quite a fewusers who still have BIOS-based systems; many do not want tohave to switch away from Fedora simply to keep their systems up to date.But, sometime in the future, getting rid of BIOS support seems inevitable since theburden on those maintaining the tools for installing and bootingthose systems is non-trivial and likely to grow over time. To headthat off, a special interest group (SIG) may form to help keep BIOS supportalive until it really is no longer needed.

On his blog, Tom Tromey writes about speeding up the startup of the GDB debugger. He sees 7x improvements in startup time (e.g. 2.2 to 0.3 seconds) for C++ code.

Security updates have been issued by Debian (condor), Red Hat (389-ds:1.4, container-tools:2.0, kernel, kernel-rt, and kpatch-patch), SUSE (chrony, containerd, expat, git, icedtea-web, jsoup, jsr-305, kernel, libeconf, shadow and util-linux, protobuf, python-libxml2-python, python3, slirp4netns, sssd, vim, and wpa_supplicant), and Ubuntu (bash).

The5.17.4,5.15.35,5.10.112,5.4.190,4.19.239,4.14.276,and 4.9.311 stable kernel updates have all beenreleased; each contains another relatively large set of important fixes.

The Google Project Zero blog is carrying areport on zero-day vulnerabilities found to be exploited during 2021.

A mega-thread in the python-ideas mailing list is hardly surprising, ofcourse; wehave covered quite a few of them over the years. A recent examplehelps shine a light into a dark—or at least dim—corner of the Pythonlanguage: the super()built-in function for use by methods in class hierarchies.There are some, perhaps surprising, aspects to super() along withwrinkles in how to properly use it. But it has been part of the languagefor a long time, so changes to its behavior, as was suggested in thethread, are pretty unlikely.

Luis Falcon brings the sad news that Pedro Francisco haspassed on. "Pedro created and managed MasGNULinux, a Spanish blog with news about FreeSoftware and GNU/Linux. MasGNULinux was the best reference in the latestFree Software projects for the Spanish speaking community."

Security updates have been issued by Debian (gzip and xz-utils), Fedora (dhcp and rsync), Mageia (chromium-browser-stable), openSUSE (chromium), SUSE (gzip, openjpeg2, and zabbix), and Ubuntu (klibc).

Steve McIntyre argues thatDebian needs to rethink its approach to non-free firmware.

Over on the blog for the GNU Guix project, which is a "transactional package manager and an advanced distribution of the GNU system that respects user freedom", the project reflects on its ten-year journey. The post consists of personal accounts from around two dozen contributors about the project, its history, and its community.

Version 2.36.0 of the Gitsource-code management system is out. As usual, the list of new featuresis long; this GitHubblog post covers some of the highlights:

The ftrace and perf subsystems provide visibility into the workings of thekernel; by activating existing tracepoints, interested developers can seewhat is happening at specific points in the code. As much as kerneldevelopers may resist the notion, though, not all events of interest on asystem happen within the kernel. Administrators will often want to lookinside user-space processes as well; they would be even happier with amechanism that allows the simultaneous tracing of events in both the kerneland user space. The user-eventssubsystem, developed by Beau Belgrave and addedduring the 5.18 merge window, promises that capability, but users will almost certainly have to waitanother cycle to gain access to it.

Security updates have been issued by Debian (abcm2ps and chromium), Fedora (cacti, cacti-spine, and fribidi), and Mageia (crun, docker-containerd, libarchive, mediawiki, and ruby).

The 5.18-rc3 kernel prepatch is out fortesting. "It's Sunday afternoon, and you all know what that means. It's time foranother release candidate.(Yes, yes, it's also Easter Sunday, but priorities, people!)"

Anybody who might be considering acquiring a "Freedom Phone" might want to havea look at MatthewGarrett's analysis first.

Version 9.1 of the GNU coreutils package has been released with lots ofsmall tweaks and improvements. "ls no longer colors files withcapabilities by default, as file-based capabilities are very rarely used,and lookup increases processing per file by about 30%. It's best to usegetcap [-r] to identify files with capabilities."

Your editor has a certain tendency to accumulate books, to the point thatthey crowd everything else out of the house. There is a lot to be said forbooks: a physical book has auser interface that has been optimized over centuries, and one can have areasonably high degree of certainty that any given book will still work afew decades from now. Neither of those can be said for electronic books,but they do have the advantages of taking less shelf space and being moreportable. So electronic books are part of the reading menu, whichnaturally leads to the search for a free reader for those books; KOReader turns out to be an interestingalternative.

Greg Kroah-Hartman has announced the release of the 5.4.189 and 4.19.238 stable kernels. As usual, theycontain important fixes throughout the tree and users should upgrade.

Security updates have been issued by Debian (fribidi and python-django), Fedora (postgresql-jdbc, stargz-snapshotter, and thunderbird), Slackware (git, gzip, and xz), and SUSE (kernel, SDL2, and tomcat).

Support for developing in the Rustlanguage is headed toward the kernel, though just when itwill land in the mainline is yet to be determined. The Rust patches areprogressing, though, and beginning to attract attention from beyond thekernel community. When two languages — and two different developmentcommunities — come together, the result can be a sort of cultural clash.Some early signs of that are appearing with regard to Rust in the kernel;if the resulting impedance mismatches can be worked out, the result couldbe a better development environment for everybody involved.

Security updates have been issued by Debian (lrzip), Fedora (community-mysql, expat, firefox, kernel, mingw-openjpeg2, nss, and openjpeg2), Mageia (ceph, subversion, and webkit2), openSUSE (chromium), Oracle (httpd:2.4), Red Hat (kpatch-patch), Slackware (ruby), SUSE (kernel and netatalk), and Ubuntu (gzip and xz-utils).

SUSE has begun todiscuss its plans for the next version of SUSE Linux Enterprise on theopenSUSE lists. It appears that there will be some significant changes.

The LWN.net Weekly Edition for April 14, 2022 is available.

Using strings with contents that are supplied by users can be fraught withperil; SQL injection is a well-known technique for attacking applicationsthat stems from that, for example. Generally, database frameworks andlibraries provide mechanisms that seek to lead programmers toward doing TheRight Thing, with parameterized queries and the like, but they cannotenforce that—inventive developers will seemingly always find ways to injectuser input into places it should not go. A recently adopted PythonEnhancement Proposal (PEP) provides a way to enforce the use of strings that are untainted by user input, but it uses the optional typing featuresof the language to do so; those wanting to take advantage of it will needto be running a type-checking program.

The 5.17.3,5.16.20,5.15.34, and5.10.111 stable kernel updates have beenreleased after a relatively quick review cycle. Each contains a relativelylarge set of important fixes. Note that 5.16.20 is the final update in the5.16.x series.

Security updates have been issued by Arch Linux (gzip, python-django, and xz), Debian (chromium, subversion, and zabbix), Red Hat (expat, kernel, and thunderbird), SUSE (go1.16, go1.17, kernel, libexif, libsolv, libzypp, zypper, opensc, subversion, thunderbird, and xz), and Ubuntu (git, linux-bluefield, nginx, and subversion).

Version 6.3 of the Qtgraphics library has been released. "Qt 6.3 also comes with a decentset of new functionality. A total of 250 user stories and tasksimplementing new functionality have been completed for 6.3. Those are ofcourse too many to list individually, and if you want to have all thedetails, have a look at our newfeatures page and our Release Notes."

Git maintainer Junio C Hamano has announced therelease of v2.35.2, along with multiple other Git versions("v2.30.3, v2.31.2, v2.32.1, v2.33.2, and v2.34.2"), to fix a security problem that can happen on multi-usermachines (CVE-2022-24765).This GitHub blogpost has more details, though the GitHub service itself is notvulnerable. The description in the announcement seems a bitWindows-centric, but Linux multi-user systems are apparently vulnerable as well:

When last we looked in on the proposedtrusted_for() system call, which would allow user-space interpretersand other tools to ask the kernel whether a file is "trusted" for execution, itlooked like it was on-track for the mainline. That was back inOctober 2020; the patch has been updated multiple times since then,made its way into linux-next, and a pullrequest was made by Mickaël Salaün for the 5.18 merge window. Butit seems that there will be more to the story of getting this functionalityinto the kernel, as Linus Torvalds declined to pull trusted_for(),at least partly because he did not like the name, but there were otherreasons as well. While he is not opposedto the functionality it would provide, he also had strong feelings that anew system callwas not the right approach.

David Malcolm has posted anupdate on the state of static analysis in GCC 12.

The 4.9.310 stable kernel update has beenreleased; the changes consist mostly of backported Spectre mitigation patches.

Security updates have been issued by Debian (thunderbird and usbguard), Fedora (containerd, firefox, golang-github-containerd-imgcrypt, nss, and vim), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (libexif, mozilla-nss, mysql-connector-java, and qemu), and Ubuntu (libarchive and python-django).

Filesystems and the virtual filesystem layer are in the business ofmanaging files that actually exist, but the Linux "dentry cache", whichremembers the results of file-name lookups, also keeps track of files thatdon't exist. This cache of "negative dentries" plays an importantrole in the overall performance of the system but, if it is allowed to growtoo large, its role can become negative in its own right. As the 2022 Linux Storage, Filesystem,and Memory-Management Summit (LSFMM) approaches, the subject of negativedentries has come up yet again; whether one can be positive about theprospects for a resolution this time around remains unclear.

The second 5.18 kernel prepatch is out fortesting. "Things look fairly normal here, although it's early in therelease cycle so it's a bit hard to say for sure. But at least it's notlooking particularly odd, and we have fixes all over."