LWN.net

Security updates have been issued by Fedora (pdns-recursor, thunderbird, and vim), Gentoo (firefox, thunderbird-bin, virtualbox, and webkit-gtk), Red Hat (convert2rhel), SUSE (gstreamer-plugins-good, open-vm-tools, postgresql12, rsync, and ucode-intel), and Ubuntu (linux-azure, linux-gcp, linux-hwe).

The LWN.net Weekly Edition for September 1, 2022 is available.

A fairly lengthy discussion of whether there should be a way tobreak out of (or continue) more than one level of nested loops in Python recentlytook place in the Ideascategory of the language's discussion forum. The idea isattractive, at least in an abstract sense—some other languages supportjumping out of multiple loops at once—but it seems unlikely to go anywhere for Python.The barrier to new features is fairly high, for sure, but there is also aneed for proponents to provide real-world examples that demonstrate theiradvantages. That, too, is a difficult bar to clear, as was seen in thediscussion.

The5.19.6,5.15.64, and5.10.140stable kernel updates have been released; each contains another set ofimportant fixes, as usual.

The GitHub blog series on how the Git database works continues with thislook at file-history queries.

Security updates have been issued by Debian (dpdk, net-snmp, php-horde-mime-viewer, php-horde-turba, and webkit2gtk), Fedora (rsync), Oracle (openssl and systemd), Red Hat (booth, kernel, kernel-rt, and openssl), Slackware (vim), SUSE (bluez, java-1_8_0-ibm, postgresql10, and zlib), and Ubuntu (kernel, linux, linux-raspi, linux-aws, and linux-oem-5.14).

Dealing with the non-free firmware that is increasingly needed to installDebian has been a hot topic for thedistribution over the past few months. The problem goes back further still, of course, but Steve McIntyre re-raised the issue in April, which resulted in a predictable lengthy discussionthread on the debian-devel mailing list. Now McIntyre has proposed ageneral resolution (GR) with the intent of resolving how to give users a way toinstall the distribution on their hardware while trying to avoid tramplingon the "100% free" guarantee in the Debian SocialContract. Finding the right balance is going to be tricky as is shownby the multiple GR options that have been proposed in the discussion.

Sourceware.org has long hosted therepositories for many important free-software projects, including much ofthe GNU toolchain. Frank Ch. Eigler has postedabout some changes coming to Sourceware:

The GitHub blog has posted adetailed look at how Git stores the commit history to be able toquickly answer queries.

Security updates have been issued by Debian (thunderbird), Fedora (ctk, dcmtk, OpenImageIO, and varnish-modules), Red Hat (systemd), SUSE (libslirp, open-vm-tools, and opera), and Ubuntu (jupyter-notebook, libsdl1.2, and systemd).

Greg Kroah-Hartman has released the 5.19.5and 5.10.139 stable kernels to fix a problemstemming from an incorrect merge of a patchto the dummy-tools used for building kernels.

Security updates have been issued by Debian (curl, exim4, maven-shared-utils, ndpi, puma, webkit2gtk, and wpewebkit), Fedora (dotnet3.1, firefox, and webkit2gtk3), Mageia (clamav, mariadb, net-snmp, postgresql, python-ldap, and thunderbird), SUSE (freeciv, gnutls, keepalived, libyang, nim, python-Django, and varnish), and Ubuntu (schroot).

The 6.0-rc3 kernel prepatch is out fortesting.

Filesystems maintain a lot of metadata about the files they hold; most ofthis metadata is for consumption by user space. Some metadata, though,stays buried within the filesystem and is not visible outside of thekernel. One such piece of metadata is the file version count, known as i_version.Current efforts to change how i_version is managed — and to makeit visible to user space — have engendered a debate on whati_version actually means and what its behavior should be.

Security updates have been issued by Debian (zlib), Fedora (dotnet3.1, firefox, java-1.8.0-openjdk-aarch32, thunderbird, and zlib), Mageia (canna, chromium-browser-stable, dovecot, firefox/nss, freeciv, freetype2, gnutls, kernel, kernel-linus, kicad, ldb/samba/sssd, libgsasl, microcode, nodejs, rsync, thunderbird, and unbound), Oracle (php:7.4 and systemd), Scientific Linux (firefox, rsync, systemd, and thunderbird), Slackware (vim), and SUSE (bluez, gstreamer-plugins-good, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libcroco, postgresql10, postgresql13, python-lxml, and webkit2gtk3).

With all of the complex problems that must be solved in the kernel, onemight think that copying a string would draw little attention. Even withthe hazards that C strings present, simply moving some bytes should not beall that hard. But string-copy functions have been a frequent subject ofdebate over the years, with different variants being in fashion at times.Now it seems that the BSD-derived strlcpy() functionmay finally be on its way out of the kernel.

Greg Kroah-Hartman has released the 5.19.4,5.15.63, 5.10.138, 5.4.211, 4.19.256, 4.14.291, and 4.9.326 stable kernels. They all containimportant fixes throughout the kernel tree; users should upgrade.

Security updates have been issued by Debian (firefox-esr, libxslt, and open-vm-tools), Fedora (dotnet6.0 and firefox), Oracle (curl, firefox, rsync, and thunderbird), Red Hat (curl, firefox, php:7.4, rsync, systemd, and thunderbird), SUSE (bluez, chromium, freerdp, glibc, gnutls, kernel, postgresql10, raptor, rubygem-rails-html-sanitizer, and spice), and Ubuntu (firefox, linux, linux-kvm, linux-lts-xenial, linux-aws, linux-azure-fde, open-vm-tools, and varnish).

The LWN.net Weekly Edition for August 25, 2022 is available.

Discussion on PEP 671 ("Syntaxfor late-bound function argument defaults") has been going on—in fits andstarts—since it was introduced lastOctober. The idea is to provide a way to specify the default for a function argument that is evaluated in thescope of the function call, which will allow more concise, and visible, defaults. But there hasbeen a persistent complaint that what thelanguage needs is a more-general deferred computation feature; late-bound defaults would simply fall out asone specific user of the feature. The arrival of a proposal for deferredcomputation did not really accomplish that goal, however.

Thisblog post on the NGINX corporate site describes the plans for this webserver project in the coming year.

Security updates have been issued by Fedora (vim), SUSE (cosign, dpdk, freeciv, gfbgraph, kernel, nim, p11-kit, perl-HTTP-Daemon, python-lxml, and python-treq), and Ubuntu (linux-oem-5.14, open-vm-tools, and twisted).

Version104 of the Firefox browser has been released. The most interestingnew feature, perhaps, is the ability to analyze a web site's power usage —but that feature is not available on Linux.

Docker and other containerengines can greatly simplify many aspects of deploying a server-sideapplication, but numerous applications consist of more than one container.Managing a group of containers only gets harder as additional applicationsand services are deployed; this has led to the development of a class oftools called container orchestrators. The best-known of these by far is Kubernetes; the history of containerorchestration can be divided into what came before it and what came after.

Security updates have been issued by Oracle (kernel and kernel-container), SUSE (bluez, gimp, rubygem-rails-html-sanitizer, systemd-presets-common-SUSE, and u-boot), and Ubuntu (libxslt).

The Electronic Frontier Foundation has announced that it is representing cryptography professor Matthew Green, who has chosen to republish the sanctioned Tornado Cash open-source code as a GitHub repository.

The 2022 election for members of the Linux Foundation Technical AdvisoryBoard (TAB) will be held during the LinuxPlumbers Conference, September 12 to 14. The TAB representsthe kernel-development community to the Linux Foundation (and beyond) andholds a seat on the Foundation's board of directors. The call for nomineesfor this year's election has gone out; the deadline for nominations isSeptember 12.Serving on the TAB is an opportunity to help the community; interestedmembers are encouraged to send in a nomination.

Version 1.9.0 of the public-inbox email archive manager has been released.Improvements include a POP3 server, a new multi-protocol "superserver",some search improvements, and performance improvements. (LWN looked at public-inbox in 2018).

The DAMONsubsystem, which entered the kernel during the 5.15 release cycle, uses various heuristics to determinewhich pages of memory are in active use. Since the beginning, the intenthas been to use this information to influence memory management. The 6.0kernel contains another step in this direction, giving DAMON the ability toactively reorder pages on the kernel's least-recently-used (LRU) lists.

Security updates have been issued by Debian (jetty9 and kicad), Fedora (community-mysql and trafficserver), Gentoo (chromium, gettext, tomcat, and vim), Mageia (apache-mod_wsgi, libitrpc, libxml2, teeworlds, wavpack, and webkit2), Red Hat (podman), Slackware (vim), SUSE (java-1_8_0-openjdk, nodejs10, open-iscsi, rsync, and trivy), and Ubuntu (exim4).

The second 6.0 kernel prepatch is out fortesting. "The most noticeable fix in here is likely the virtio reverts thatfixed the problem people had with running tests on the google cloudVMs, which was the 'pending issue' that we had noticed just as themerge window was closing".

The5.19.3,5.18.19,5.15.62, and5.10.137stable kernel updates have been released; each contains more importantfixes. The 5.18.x series ends with 5.18.19.

It is fair to say that some projects are rather more concerned aboutpreserving ABI compatibility than others; the GNU C Library (glibc) project stands out even among those that put a lot of effort into preservinginterface stability,So it may be a bit surprising that a recent glibc change is beingblamed for breaking a number of applications, most of which are proprietarygames. There is, it seems, a class of glibc changes that can breakapplications, but which are not deemed to be ABI changes.

Security updates have been issued by Debian (ruby-tzinfo), Mageia (nvidia-current and nvidia390), SUSE (python-PyYAML, ucode-intel, and zlib), and Ubuntu (linux-aws, postgresql-10, postgresql-12, postgresql-14, and rsync).

There was a time when care had to be taken when buying hardware if thegoal was to run Linux on it. The situation has improved considerably inrecent decades, and unsupported hardware is more the exception than therule. That has, for many years, been especially true of Intel hardware;that company has made a point of ensuring that its offerings work withLinux. So it is a bit surprising that the IPU6 image processor shippedwith Alder Lake CPUslacks support in Linux, and is unlikely to get it anytime soon. Theproblem highlighted here goes beyond just Intel, though.

The Document Foundation has announced the release of LibreOffice 7.4 Community, which is the community-supported version of the open-source office suite. Version 7.4 comes with new features for the suite as a whole (WebP and EMZ/WMZ support, ...), the Writer word-processor (better change tracking and hyphenation settings, ...), the Calc spreadsheet (16K columns, ...), and more. "Development is now focused on interoperability with Microsoft’s proprietary file formats, and many new features are targeted at users migrating from MS Office". More information can be found in the release notes.

Version 5.1.0of the Krita painting program is out. "Krita 5.1 comes with a ton ofsmaller improvements and technical polish. This release sees updates tousability across the board, improved file format handling, and a whole lotof changes to the selection and fill tools."

Version1.8 of the Julia language has been released. Changes include typedglobals, a new default thread scheduler, some new profiling tools, andmore.

Security updates have been issued by Debian (chromium, epiphany-browser, freecad, and schroot), Fedora (freeciv, microcode_ctl, qemu, and rsync), Oracle (httpd), SUSE (aws-efs-utils, python-ansi2html, python-py, python-pytest-html, python-pytest-metadata, python-pytest-rerunfailures, python-coverage, python-oniconfig, python-unittest-mixins, bluez, curl, gnutls, kernel, ntfs-3g_ntfsprogs, podman, and ucode-intel), and Ubuntu (zlib).

The LWN.net Weekly Edition for August 18, 2022 is available.

On August 8, the US government sanctionedthe Tornado Cashcryptocurrency mixer for money laundering. The sanction means that no US citizen orcompany can interact with Tornado Cash in any way, all assets of theorganization are to be reported so that they can be seized, and more. Butat the core of Tornado Cash is a chunk of open-source code for "smart contracts"that run in the Ethereum blockchain; thatcode was "seized" as well. There are some disturbing implications here for our communities.

The massive5.19.2 (1,157 patches),5.18.18 (1,094 patches), and5.15.61 (778 patches)stable updates have been released; each contains a lot of importantfixes.

Security updates have been issued by Debian (epiphany-browser, net-snmp, webkit2gtk, and wpewebkit), Fedora (python-yara and yara), Red Hat (kernel and kpatch-patch), SUSE (ceph, compat-openssl098, java-1_8_0-openjdk, kernel, python-Twisted, rsync, and webkit2gtk3), and Ubuntu (pyjwt and unbound).

Back in November, we looked at a Python proposalto have function arguments with defaults that getevaluated when the function is called, rather than when it is defined.The article suggested that the discussion surrounding the proposal waslikely to continue on for a ways—which it did—but it had died down by theend of last year. That all changed in mid-June, when the already voluminousdiscussion of the feature picked up again; once again, some people thought thatapplying the idea only to function arguments was too restrictive. Instead,a more general mechanism to defer evaluation was touted as something thatcould work for late-bound arguments while being useful for other use cases aswell.

Security updates have been issued by CentOS (kernel), Debian (kernel), Fedora (webkit2gtk3), Oracle (.NET 6.0, .NET Core 3.1, kernel, and kernel-container), Slackware (rsync), and SUSE (canna, ceph, chromium, curl, kernel, opera, python-Twisted, and seamonkey).

Version 13 of the Android system has landedin the Android Open Source Project; the list of changes is long.

Linus Torvalds released6.0-rc1 and closed the merge window onAugust 14, as expected; by then, 13,543 non-merge changesetshad found their way into the mainline repository. Just over half of thosewere pulled after our first 6.0 merge-windowsummary was written. The latter part of the merge window tends to bemore focused on fixes than new features, but there were still a number ofinteresting changes added during this time.

Security updates have been issued by Debian (trafficserver), Fedora (freeciv, gnutls, kernel, libldb, mingw-gdk-pixbuf, owncloud-client, rust-ffsend, samba, thunderbird, and zlib), Gentoo (apache, binutils, chromium, glibc, gstreamer, libarchive, libebml, nokogiri, puma, qemu, xen, and xterm), Mageia (golang, libtiff, poppler, python-django, and ruby-sinatra), Red Hat (.NET 6.0 and .NET Core 3.1), SUSE (chromium, cifs-utils, kernel, open-iscsi, and trousers), and Ubuntu (webkit2gtk).

Linus has released 6.0-rc1 and closed themerge window for this release.

Fuzz testing is the process of supplying a program with random inputs andwatching to see what breaks; it has been responsible for the identificationof vast numbers of bugs in recent years — and the fixing of many of them.Developers generally appreciate bug reports, but they can sometimes be abit less enthusiastic about a flood of reports from automated fuzzingsystems. A recent discussion around filesystem fuzzing highlighted twopoints of view on whether the current fuzz-testing activity is a goodthing.