LWN.net

At the 2022 LinuxSecurity Summit Europe (LSS EU), Gustavo A. R. Silva reported in onwork he has been doing on "flexible" arrays in the kernel. While thesearrays provide some ... flexibility ... they are also a source of bugs,which can often result in security vulnerabilities. He has been working on waysto make the use of flexible arrays safer in the kernel.

Version1.64.0 of the Rust language has been released. Changes include thestabilization of the IntoFuturetrait, easier access to C-compatible types, the availability ofrust-analyzer viarustup, and more.

Security updates have been issued by Debian (e17, fish, mako, and tinygltf), Fedora (mingw-poppler), Mageia (firefox, google-gson, libxslt, open-vm-tools, redis, and sofia-sip), Oracle (dbus-broker, kernel, kernel-container, mysql, and nodejs and nodejs-nodemon), Slackware (bind), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, go1.18, go1.19, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, libconfuse0, and oniguruma), and Ubuntu (bind9 and pcre2).

The LWN.net Weekly Edition for September 22, 2022 is available.

Public hosting systems for free software have come and gone over the yearsbut one of them, Sourceware, has beensupporting the development of most of the GNU toolchain for nearly25 years. Recently, an application was made to bringSourceware under the umbrella of the Software Freedom Conservancy (SFC), at least forfundraising purposes. It turns out that there is a separate initiative,developed in secret until now, with a different vision for the future ofSourceware. The 2022 GNUTools Cauldron was the site of an intense discussion on how thisimportant community resource should be managed in the coming years.

Version 43 of the GNOME desktop environment has been released; see the release notes for details.

Konstantin Ryabitsev has announcedthe availability of rendereddocumentation from linux-next on kernel.org. This will be useful foranybody wanting to see what the documentation for the next kernel releasewill look like.

Security updates have been issued by Fedora (libconfuse, moodle, rizin, and thunderbird), Oracle (ELS kernel, gnupg2, ruby, and webkit2gtk3), Red Hat (booth, dbus-broker, gnupg2, kernel, kernel-rt, kpatch-patch, mysql, nodejs, nodejs-nodemon, ruby, and webkit2gtk3), Slackware (expat and mozilla), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container and vsftpd), and Ubuntu (bind9, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-kvm, linux-lowlatency, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, lnux-hwe, inux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-hwe-5.15, linux-lowlatency-hwe-5.15, and mako).

The Debian project has begun voting onchanges to its approach to firmware needed to install a workingdistribution. The original ballot options described in this article are still there, but this isDebian so there are several others as well. Some of the additions includechanges to the Debian Social Contract that explicitly allow the shipping offirmware needed to use Debian on hardware requiring that firmware.

The traditional mechanism for launching a program in a new process on Unixsystems—forking and execing—has been with us for decades, but it is notreally the most efficient of operations. Various alternatives have beentried along the way but have not supplanted the traditional approach. A newmechanism created by Josh Triplett adds process creationto the io_uring asynchronous I/O API andshows great promise; he came to the 2022Linux Plumbers Conference (LPC) to introduce io_uring_spawn.

The5.19.10,5.15.69,5.10.144,5.4.214,4.19.259,4.14.294, and4.9.329stable kernel updates have all been released; each contains another set ofimportant fixes.

Security updates have been issued by Fedora (dokuwiki and rizin), SUSE (libcontainers-common, permissions, sqlite3, and wireshark), and Ubuntu (tiff, vim, and xen).

After a two-year hiatus, the 2022 Linux Kernel Maintainers Summit returnedto an in-person format in Dublin, Ireland on September 15. Around 30kernel developers discussed a number of process-related issues relating tothe kernel community. LWN had the privilege of being there and is able,once again, to report from the event. This years sessions includeddiscussions of regression handling, the imminent merging of Rust support,BPF, the kernel development process, and more.

Security updates have been issued by Debian (connman and e17), Fedora (curl, open-vm-tools, pcs, and python-lxml), Mageia (curl, dpkg, freecad, gimp, libtar, libtiff, mediawiki, ostree, python-lxml, schroot, SDL12, sdl2, wireshark, and zlib), Oracle (kernel and php:7.4), Red Hat (php:7.4), Slackware (vim), SUSE (chromium, kernel, libarchive, libtirpc, mupdf, python-rsa, ruby2.5, and virtualbox), and Ubuntu (linux-intel-iotg).

The artemis.sh blog has adetailed review of the state of Wayland compared to X.org.

The 6.0-rc6 kernel prepatch is out fortesting.

Nobody should need more memory than a 64-bit pointer can address — or sodevelopers tend to think. The range covered by a pointer of that sizeseems to be nearly infinite. During the Kernel Summit track at the 2022 Linux Plumbers Conference, MatthewWilcox took the stage to make the point that 64 bits may turn out tobe too few — and sooner than we think. It is not too early to startplanning for 128-bit Linux systems, which he termed "ZettaLinux", and wedon't want to find ourselves wishing we'd started sooner.

Security updates have been issued by Debian (bzip2, chromium, glib2.0, libraw, mariadb-10.3, and mod-wsgi), Fedora (kdiskmark, wordpress, and zlib), Oracle (.NET 6.0, .NET Core 3.1, mariadb:10.3, nodejs:14, nodejs:16, ruby:2.7, and ruby:3.0), Red Hat (.NET 6.0, php:7.4, and webkit2gtk3), SUSE (389-ds, flatpak, kernel, libgit2, and thunderbird), and Ubuntu (sqlite3, vim, and wayland).

Parts of the Rust language may look familiar to C programmers, but the twolanguages differ in fundamental ways. One difference that turns out to beproblematic for kernel programming is the stability of data in memory — orthe lack thereof. A challenging session at the 2022 Kangrejos conference wrestled withways to deal with objects that should not be moved behind the programmer'sback.

Greg Kroah-Hartman has announced the release of the 5.19.9, 5.15.68, 5.10.143, 5.4.213, 4.19.258, 4.14.293, and 4.9.328 stable kernels. As usual, theycontain important fixes throughout the kernel tree; users of those seriesshould upgrade.

Security updates have been issued by Debian (nova, pcs, and rails), Fedora (firejail, moby-engine, and pspp), Oracle (.NET 6.0, gnupg2, kernel, python3, and rsyslog rsyslog7), Red Hat (.NET 6.0 and .NET Core 3.1), SUSE (kernel), and Ubuntu (intel-microcode, poppler, and webkit2gtk).

The LWN.net Weekly Edition for September 15, 2022 is available.

The GitHub blog has adetailed look at garbage collection in Git and the work that has beendone to make it faster.

Version15 of the Unicode standard has been released.

Typically, an urgent security release of a project is not for atwo-year-old CVE, but such is the case for a recentPython release of four versions of the language. The bug is adenial of service (DoS) that can be caused by converting enormous numbers tostrings—or vice versa—but it was not deemed serious enough to fixwhen it was first reported. Evidently more recent reports, including a remote exploit of thebug, have raised its importance—causing a rushed-out fix. But thefix breaks some existing Python code, and the process of handling theincident has left something to be desired, leading the project to look atways to improve its processes.

Security updates have been issued by CentOS (open-vm-tools), Debian (freecad and sqlite3), Fedora (qt5-qtwebengine and vim), SUSE (firefox, kernel, libzapojit, perl, postgresql14, and samba), and Ubuntu (dotnet6, dpdk, gdk-pixbuf, rust-regex, and systemd).

Security updates have been issued by Debian (connman and python-oslo.utils), Fedora (libapreq2), Red Hat (booth, gnupg2, kernel, kernel-rt, mariadb:10.3, nodejs:14, nodejs:16, python3, ruby:2.7, and ruby:3.0), SUSE (chromium, opera, python2-numpy, and rubygem-kramdown), and Ubuntu (poppler).

Security updates have been issued by Debian (gdk-pixbuf, libxslt, linux-5.10, paramiko, and zlib), Fedora (webkit2gtk3), Mageia (gstreamer1.0-plugins-good, jupyter-notebook, kernel, and rpm), Slackware (vim), SUSE (bluez, clamav, freetype2, frr, gdk-pixbuf, keepalived, libyang, nodejs16, python-PyYAML, qpdf, samba, and vim), and Ubuntu (linux-azure-fde and tiff).

Linus has released 6.0-rc5 for testing."Nothing looks particularly scary, so jump right in".

While the Rust language has appeal for kernel development, many developers areconcerned by the fact that there is only one compiler available; there aremany reasons why a second implementation would be desirable. At the 2022Kangrejos gathering, three developersdescribed projects to build Rust programs with GCC in two different ways. A fully featured, GCC-based Rustimplementation is still going to take some time, but rapid progress isbeing made.

Security updates have been issued by Fedora (mediawiki), SUSE (libEMF, libnl-1_1, libnl3, mariadb, nodejs16, php8-pear, postgresql12, and rubygem-rake), and Ubuntu (linux-raspi, linux-raspi-5.4, and tiff).

Greg Kroah-Hartman has announced the release of the 5.19.8, 5.15.66, and 5.10.142. As usual, those contain importantfixes throughout the kernel tree. Immediately thereafter, he released5.15.67 to fix a permissions problem on akernel build script.

Huge pages are a mechanism implemented by the CPU that allows the managementof memory in larger chunks. Use of huge pages can increase performancesignificantly, which is why the kernel has a "transparent huge page"mechanism to try to create them when possible. But a huge page will onlybe helpful if most of the memory contained within it is actually in use;otherwise it is just an expensive waste of memory. This patchset from Alexander Zhu implements a mechanism to detect underutilizedhuge pages and recover that wasted memory for other uses.

Security updates have been issued by Debian (libgoogle-gson-java), Fedora (autotrace, insight, and open-vm-tools), Oracle (open-vm-tools), Red Hat (open-vm-tools, openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, ovirt-host, and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), Scientific Linux (open-vm-tools), Slackware (python3), SUSE (clamav, gdk-pixbuf, gpg2, icu, ImageMagick, java-1_8_0-ibm, libyajl, mariadb, udisks2, webkit2gtk3, and yast2-samba-provision), and Ubuntu (dnsmasq).

The LWN.net Weekly Edition for September 8, 2022 is available.

Starting a Python application typically results in a flurry of imports asmodules from various locations (and the modules they import) get addedinto the application process. All of that occurs before the applicationeven gets started doing whatever it is the user actually launched it for;that delay can be significant—and annoying. Beyond that, many of thoseimports may not be necessary at all for the code path being followed, soeagerly doing the import is purely wasted time. A proposal back in Maywould add a way for applications to choose lazy imports, where the importis deferred until the module is actually used.

Security updates have been issued by Fedora (curl, protobuf-c, and vim) and SUSE (gimp, java-1_8_0-openj9, libostree, openvswitch, python-bottle, python-Flask-Security-Too, and zabbix).

Linux Mint 21 "Vanessa" was releasedon July 31. There are no real headline-grabbing features that comewith the new release, as the project generally seeks to make incrementalchanges, rather than larger, potentially disruptive ones.Changes in this release include a new Bluetooth manager that brings severalimprovements, driverless printing and scanningby default, a process monitor to inform the userabout resource-intensive background tasks, new functionality for theTimeshift system backup tool, and several major under-the-hood improvementsto the Cinnamon desktop environment.

Version 5.2.0 of the GNU Awk implementation is out. The biggest change,perhaps, is the addition of "persistent memory" support that allows gawk tokeep values around between runs. Old-timers will be disappointed bythe removal of VAX/VMS support.

Security updates have been issued by Red Hat (pcs), SUSE (389-ds and firefox), and Ubuntu (linux-hwe-5.4 and linux-oracle).

Version22.03.0 of the OpenWrt distribution for routers (and beyond) has beenreleased. "It incorporates over 3800 commits since branching theprevious OpenWrt 21.02 release and has been under development for about oneyear". Changes include a new firewall implementation using nftables,year-2038 readiness, dark mode in the LuCI web-based administration tool,and support for many more devices.

The kernel is, in many ways, a marvel of scalability, but there is alongstanding pain point in the memory-management subsystem that hasresisted all attempts at elimination: the mmap_lock. This lockwas inevitably a topic at the 2022 LinuxStorage, Filesystem, Memory-Management and BPF Summit (LSFMM), where the idea ofusing per-VMA locks was raised. Suren Baghdasaryan has postedan implementation of that idea — but with an interesting twist on howthose locks are implemented.

Monday's crop of stable kernels consists of 5.19.7, 5.15.65, 5.10.141, 5.4.212, 4.19.257, 4.14.292, and 4.9.327. They are relatively small updates,but still contain important fixes in various parts of the kernel tree;users of those series should upgrade.

Security updates have been issued by Debian (flac, ghostscript, libmodbus, qemu, rails, ruby-rack, and thunderbird), Fedora (kernel, kernel-headers, kernel-tools, libtar, qt5-qtwebengine, subscription-manager-cockpit, tcpreplay, and vim), Mageia (chromium-browser-stable, webkit2, and ytnef), SUSE (curl, firefox, freerdp, gdk-pixbuf, ImageMagick, json-c, libgda, php-composer2, and python-pyxdg), and Ubuntu (libzstd, linux-aws, linux-aws-5.4, linux-azure-5.4, and linux-oem-5.17).

The 6.0-rc4 kernel prepatch is out fortesting. "We're up to rc4, and things mostly still look fairlynormal".Beyond the usual fixes, 6.0-rc4 includes one feature change: a hook to allowsecurity modules to control access to the io_uring command pass-throughmechanism. See this article for thebackground behind this late-arriving change.

Peter Eckersley, one of the original founders of the Let's Encrypt non-profit TLS certificate authority, has died suddenly, as reported by Seth Schoen:

Arti is a reimplementation of the Tor server in Rust; version 1.0.0 hasjust been released and proclaimed ready for production use.

The kernel's manualpages are in a bit of an interesting position. They are managed as a separate project, distinct from the kernel'sdocumentation, and have the task of documenting both the kernel'ssystem-call interface and the wrappers for that interface provided by the Clibrary. Sometimes the two objectives come into conflict, as can be seenin a discussion that has been playing out over the course of the last yearon whether to use C standard type names to describe kernel-definedstructures.

Security updates have been issued by CentOS (firefox, rsync, systemd, and thunderbird), Debian (chromium, dpdk, and sofia-sip), Fedora (kernel, thunderbird, and zlib), Red Hat (pcs and rh-mariadb103-galera and rh-mariadb103-mariadb), Slackware (poppler), SUSE (cifs-utils, curl, dwarves and elfutils, firefox, flatpak, gnutls, gpg2, harfbuzz, ignition, kernel, ldb, samba, libslirp, libsolv, libzypp, zypper, libtirpc, logrotate, mozilla-nss, ncurses, open-vm-tools, openssl-1_1, p11-kit, pcre, pcre2, podman, postgresql12, postgresql13, postgresql14, python-M2Crypto, python3, rsync, salt, spice, systemd-presets-common-SUSE, tiff, ucode-intel, xen, and zlib), and Ubuntu (curl, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-snapdragon, linux-aws, linux-azure, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux-aws-hwe).

Kernel code can, at times, be quite inward looking; it often refers toitself. To enable this introspection, the kernel has evolved severalmechanisms for identifying specific locations in the code and carrying outactions related to those locations. The code-taggingframework patch set, posted by Suren Baghdasaryan and Kent Overstreet,is an attempt to replace various ad hoc implementations with asingle framework, and to add some new applications as well.