Security updates have been issued by Mageia (cyrus-sasl, openssl, sphinx, and swtpm), openSUSE (qemu), Red Hat (expat, rh-mariadb103-mariadb, and rh-mariadb105-mariadb), SUSE (apache2, binutils, java-1_7_0-ibm, kernel-firmware, nodejs12, qemu, and xen), and Ubuntu (ckeditor and linux, linux-aws, linux-kvm, linux-lts-xenial).
Three candidates have thrown their hat into the ring as candidates for the 2022 Debian project leader (DPL) election. One is Jonathan Carter, who is now in his second term as DPL, while the other two are Felix Lechner and Hideki Yamane. As is the norm, the candidates self-nominated during the nomination period and are now in the campaigning phase until April 1. The vote commences April 2 and runs for two weeks; the results will be announced shortly thereafter and the new DPL term will start on April 21. The candidates have put out platforms and are fielding questions from the voters, Debian developers, thus it seems like a good time to look in on the election.
As part of the response to last year's UMN fiasco, Kees Cook and a group of collaborators have put together a set of guidelines for researchers who are studying how the kernel-development community (or any development community, really) works. That document has just been merged into the mainline as part of the 5.18 merge window.
MIT Technology Review has taken a brief look at open-source projects that have added changes protesting the war in Ukraine and drawn some questionable conclusions:
At the conclusion of the 5.17 development cycle, 13038 non-merge changesets had found their way into the mainline repository. That is a lower level of activity than was seen for 5.16 (14,190 changesets) but well above 5.15 (12,337). In other words, this was a fairly typical kernel release. That is true in terms of where the work that made up the release came from as well.
Security updates have been issued by Debian (bind9, chromium, libgit2, libpano13, paramiko, usbredir, and wordpress), Fedora (expat, kernel, openexr, thunderbird, and wordpress), openSUSE (chromium, frr, and weechat), Red Hat (java-1.7.1-ibm and java-1.8.0-ibm), SUSE (frr), and Ubuntu (imagemagick).
Over on the Software Freedom Conservancy blog, Bradley M. Kuhn considers the question of the interaction between copyleft and the "ethical source" effort that seeks to use copyleft-like licensing to bring about additional changes, beyond just software freedom; the Hippocratic License is an example of such a license. In his view, copyleft and ethical software are not really compatible, even though many in the free-software world (including Kuhn) are highly sympathetic to the goals, especially in light of the recent invasion of Ukraine by Russia.
Jason Donenfeld has published a lengthy look at the changes to the Linux random-number generator (RNG) for Linux 5.17 and the upcoming 5.18 kernel. It covers his efforts "to modernize both the code and the cryptography used" and also peers into the future for changes that may be coming.
The kernel community has a number of excuses for the relative paucity of regression-test coverage in the project, some of which hold more water than others. One of the more convincing reasons is that a great deal of kernel code is hardware-specific, and nobody can ever hope to put together a testing system with even a small fraction of all the hardware that the kernel supports. A new driver-testing framework called roadtest, posted by Vincent Whitchurch, may make that excuse harder to sustain, though, at least for certain kinds of hardware.
Security updates have been issued by Debian (python-treq), Fedora (openvpn, pesign, rust-regex, and thunderbird), Oracle (expat), Red Hat (kpatch-patch-4_18_0-147_58_1), Slackware (bind and openssl), SUSE (python-lxml), and Ubuntu (apache2).
CPU scheduling can be a challenging task; the scheduler must ensure that every process gets a fair share of the available CPU time while, at the same time, respecting CPU affinities, avoiding the migration of processes away from their cached memory contents, and keeping all CPUs in the system busy. Even then, users can become grumpy if specific processes do not get their CPU share quickly; from that comes years of debates over desktop responsiveness, for example. The latency-nice priority proposal recently resurrected by Vincent Guittot aims to provide a new tool to help latency-sensitive applications get their CPU time more quickly.
Security updates have been issued by Debian (flac, openssl, and openssl1.0), Fedora (nbd, pesign, and rust-regex), openSUSE (ansible, java-1_8_0-openjdk, libreoffice, and stunnel), Oracle (expat, glibc, and virt:ol and virt-devel:rhel), Red Hat (expat, redhat-ds:11.3, and virt:av and virt-devel:av), SUSE (atftp, java-1_8_0-openjdk, libreoffice, python3, and stunnel), and Ubuntu (apache2, bind9, firefox, fuse, and man-db).
Python has often been touted as a "batteries included" language because of its rich standard library that provides access to numerous utility modules and is distributed with the language itself. But those libraries need maintenance, of course, and that is provided by the Python core development team. Over the years, it has become clear that some of the modules are not really being maintained any longer and they probably are not really needed by most Python users—either because better alternatives exist or because they address extremely niche use cases. A long-running project to start the removal of those modules has recently been approved.
Debian's annual ritual of electing a project leader is underway. There are three candidates this time: Felix Lechner, Hideki Yamane, and incumbent Jonathan Carter. Platforms for the candidates are being placed on this page as they become available.
Disruptive changes are not much fun for anyone involved, though they may be necessary at times. Moving away from the SHA-1 hash function, at least for cryptographic purposes, is probably one of those necessary disruptive changes. There are better alternatives to SHA-1, which has been "broken" from a cryptographic perspective for quite some time now, and most of the software components that make up a distribution can be convinced to use other hash functions. But there are still numerous hurdles to overcome in making that kind of a switch as a recent discussion on the Fedora devel mailing list shows.
The OpenSSL project has disclosed a vulnerability wherein an attacker presenting a malicious certificate can cause the execution of an infinite loop. It is thus a denial-of-service vulnerability for any application — server or client — that handles certificates from untrusted sources. The OpenSSL 3.0.2 and 1.1.1n releases contain fixes for the problem. This advisory makes it clear that LibreSSL, too, suffers from this vulnerability; updated releases are available there too.
Red Hat recently filed a request to have the domain name WeMakeFedora.org transferred from its current owner, Daniel Pocock, alleging trademark violations, bad faith, and more. The judgment that came back will not have been to the company's liking:
For those who do everything in the Emacs editor: the ELPA repository has just gained an OpenStreetMap viewer. A quick test (example shown on the right) suggests that it works reasonably well; click below for the details.
Security updates have been issued by Debian (spip), Fedora (chromium), Mageia (chromium-browser-stable, kernel, kernel-linus, and ruby), openSUSE (firefox, flac, java-11-openjdk, protobuf, tomcat, and xstream), Oracle (thunderbird), Red Hat (kpatch-patch and thunderbird), Scientific Linux (thunderbird), Slackware (httpd), SUSE (firefox, flac, glib2, glibc, java-11-openjdk, libcaca, SDL2, squid, sssd, tomcat, xstream, and zsh), and Ubuntu (zsh).
When the kernel first gained support for huge pages, most of the work was left to user space. System administrators had to set aside memory in the special hugetlbfs filesystem for huge pages, and programs had to explicitly map memory from there. Over time, the transparent huge pages mechanism automated the task of using huge pages. That mechanism is not perfect, though, and some users feel that they have better knowledge of when huge-page use makes sense for a given process. Thus, huge pages are now coming full circle with this patch set from Zach O'Keefe returning huge pages to user-space control.
One of the key characteristics of a random-number generator (RNG) is its unpredictability; by definition, it should not be possible to know what the next number to be produced will be. System security depends on this unpredictability at many levels. An attacker who knows an RNG's future output may be able to eavesdrop on (or interfere with) network conversations, compromise cryptographic keys, and more. So it is a bit disconcerting to know that there is a common event that can cause RNG predictability: the forking or duplication of a virtual machine. Linux RNG maintainer Jason Donenfeld is working on a solution to this problem.
Greg Kroah-Hartman has announced the release of seven stable kernels—these contain mitigations for the Spectre branch history injection variant: 5.16.14, 5.15.28, 5.10.105, 5.4.184, 4.19.234, 4.14.271, and 4.9.306. Users should upgrade.
Security updates have been issued by Debian (nbd, ruby-sidekiq, tryton-proteus, and tryton-server), Mageia (shapelib and thunderbird), openSUSE (minidlna, python-libxml2-python, python-lxml, and thunderbird), Oracle (kernel, kernel-container, and python-pip), Red Hat (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, kernel, and kernel-rt), Scientific Linux (firefox), SUSE (openssh, python-libxml2-python, python-lxml, and thunderbird), and Ubuntu (expat vulnerabilities and, firefox, and subversion).
Linked lists are conceptually straightforward; they tend to be taught toward the beginning of entry-level data-structures classes. It might thus be surprising that the kernel community is concerned about its longstanding linked-list implementation and is not only looking for ways to solve some problems, but has been struggling to find that solution. It now appears that some improvements might be at hand: after more than 30 years, the kernel developers may have found a better way to safely iterate through a linked list.
Security updates have been issued by Debian (firefox-esr and kernel), Fedora (cyrus-sasl, mingw-protobuf, and thunderbird), Mageia (kernel-linus), openSUSE (firefox, kernel, and libcaca), Oracle (.NET 6.0, kernel, kernel-container, and ruby:2.5), Slackware (mozilla-thunderbird), and SUSE (firefox, mariadb, and tomcat).
The curl utility is a command-line program (and associated library) for interacting with various network protocols; it is commonly used to do things like transferring data from a remote server over HTTP or HTTPS using a URL. But curl also supports a lot more protocols, some of which are probably rarely used, obsolete, deprecated, or all three. As a recent discussion on the Fedora devel mailing list shows, though, it is hard to find agreement that support for only some of those protocols should be installed by default, while others might be left in an optional package for those who need them.
Version 3.1 of the Blender artistic suite is out. The list of changes is long and can be seen in the video-heavy announcement page; it includes Apple Metal support, a new "point cloud" object, and much more.
A few days prior to the expected 5.17 release, the mainline kernel has just received a series of Spectre mitigations for the x86 and ARM architectures. The vulnerability this time is called "branch history injection"; it has been deemed CVE-2022-0001 and CVE-2022-0002. Some information can be found in this Intel disclosure, this ARM advisory, and this VUSec page:
Users of the elementary OS distribution may want to be aware of the turmoil in its parent company, as reported by Brian Lunduke. "The Short Version: The company behind elementary OS has been losing money for quite some time. Two co-founders are not pleased with each other and are attempting to part ways… and it is getting messy".
As part of the recent discussion on switching to secret voting for Debian general resolutions (GRs), which has resulted in an ongoing GR of its own, the subject of voting systems that embody various attributes some would like to see for voting in Debian has been brought up. One of the systems mentioned, Belenios, provides an open-source "verifiable online voting system". Whether or not Debian chooses to switch to secret voting, Belenios would seem to provide what other projects or organizations may be looking for as a mechanism to handle their voting needs.