LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-21 03:15
Kernel prepatch 5.19-rc8
The 5.19-rc8 kernel prepatch is out for testing. "There's nothing really surprising in here - a few smaller fixups for the retbleed mess as expected, and the usual random one-liners elsewhere."
Stable kernels 5.18.14 and 5.15.57
The 5.18.14 and 5.15.57 stable kernels have been released; these consist almost entirely of the Retbleed hardware-vulnerability mitigations. The 5.10.133 update will be next to get those fixes; it is in the review process and is due on July 25. [Update: 5.10.133 has been released.]
[$] Stuffing the return stack buffer
"Retbleed" is the name given to a class of speculative-execution vulnerabilities involving return instructions. Mitigations for Retbleed have found their way into the mainline kernel but, as of this writing, some remaining problems have kept them from the stable update releases. Mitigating Retbleed can impede performance severely, especially on some Intel processors. Thomas Gleixner and Peter Zijlstra think they have found a better way that bypasses the existing mitigations and misleads the processor's speculative-execution mechanisms instead.
Security updates for Friday
Security updates have been issued by Fedora (gnupg2, oci-seccomp-bpf-hook, suricata, and vim), Oracle (java-11-openjdk), Slackware (net), and SUSE (kernel, nodejs16, rubygem-rack, and webkit2gtk3).
Six new stable kernels
The 5.15.56, 5.10.132, 5.4.207, 4.19.253, 4.14.289, and 4.9.324 stable kernels have been released. The 5.18.13 stable kernel has been delayed due to some problems found during review; 5.18.13-rc3 is out for review and is due on July 23. Note that none of these kernels has mitigations for the Retbleed vulnerabilities; those are still in the works for the stable kernels. Update: Seemingly a day early, 5.18.13 was released on July 22.
[$] Living with the Rust trademark
The intersection of free software and trademark law has not always been smooth. Free-software licenses have little to say about trademarks but, sometimes, trademark licenses can appear to take away some of the freedoms that free-software licenses grant. The Firefox browser has often been the focal point for trademark-related controversy; happily, those problems appear to be in the past now. Instead, the increasing popularity of the Rust language is drawing attention to its trademark policies.
Security updates for Thursday
Security updates have been issued by Mageia (kernel and kernel-linus), SUSE (dovecot23), and Ubuntu (freetype, libxml-security-java, and linux-oem-5.17).
[$] LWN.net Weekly Edition for July 21, 2022
The LWN.net Weekly Edition for July 21, 2022 is available.
[$] Leaving python-dev behind
It was not all that long ago that Python began its experiment with replacing one of its mailing lists with a forum on its Discourse discussion site. Over time, the Discourse instance has become more and more popular within the Python community. It would seem that another mailing list will soon be subsumed within Discourse as the Python steering council is planning to effectively retire the venerable python-dev mailing list soon.
Heinz: It's Time to Say Goodbye to These Obsolete Python Libraries
Martin Heinz encourages Python developers to move on to a number of newer modules.
Security updates for Wednesday
Security updates have been issued by Fedora (golang-github-gosexy-gettext, golang-github-hub, oci-seccomp-bpf-hook, and popub), Oracle (kernel and kernel-container), SUSE (python2-numpy), and Ubuntu (check-mk and pyjwt).
Cirq 1.0 released
Google has released Cirq 1.0 for developers working with leading-edge computers.
[$] Android apps on Linux with Waydroid
It is not uncommon for users to want to run a program targeted to one operating system on another type of system. With the increasing prevalence of smartphones, Android has become the world's most widely used operating system. So users may want to run Android apps on Linux systems in order to get access to a game or other app that is not available in a Linux version or to develop mobile apps on their desktop system. The Waydroid project provides a way to run those apps on Linux, which means they can run on a variety of devices, including Linux-based smartphones like the PinePhone.
Tom Lord RIP
From Berkeley comes the sad news of the passing of Tom Lord, a longtime free-software developer and the original author of GNU arch. He will be missed.
Security updates for Tuesday
Security updates have been issued by Fedora (buildah), SUSE (dovecot23 and nodejs12), and Ubuntu (harfbuzz, libhttp-daemon-perl, tiff, and webkit2gtk).
Ubuntu 21.10 is no longer supported
The Ubuntu 21.10 ("Impish Indri") release is no longer supported as of July 14; users who are on that version will want to look into upgrading soon.
[$] The BPF panic function
One of the key selling points of the BPF subsystem is that loading a BPF program is safe: the BPF verifier ensures that the program cannot hurt the kernel before allowing the load to occur. That guarantee is perhaps losing some of its force as more capabilities are made available to BPF programs but, even so, it may be a bit surprising to see this proposal from Artem Savkov adding a BPF helper that is explicitly designed to crash the system. If this patch set is merged in something resembling its current form, it will be the harbinger of a new era where BPF programs are, in some situations at least, allowed to be overtly destructive.
Conill: How efficient can cat(1) be?
Ariadne Conill explores ways to make the Unix cat utility more efficient on Linux.
Security updates for Monday
Security updates have been issued by Debian (mat2 and xen), Fedora (butane, caddy, clash, direnv, geoipupdate, gitjacker, golang-bug-serial-1, golang-github-a8m-envsubst, golang-github-apache-beam-2, golang-github-aws-lambda, golang-github-cespare-xxhash, golang-github-chromedp, golang-github-cloudflare, golang-github-cloudflare-redoctober, golang-github-cockroachdb-pebble, golang-github-cucumber-godog, golang-github-dreamacro-shadowsocks2, golang-github-dustinkirkland-petname, golang-github-etcd-io-gofail, golang-github-facebookincubator-contest, golang-github-facebookincubator-dhcplb, golang-github-facebookincubator-go2chef, golang-github-facebookincubator-ntp, golang-github-facebookincubator-nvdtools, golang-github-goccy-yaml, golang-github-gojuno-minimock, golang-github-google-wire, golang-github-hexdigest-gowrap, golang-github-intel-goresctrl, golang-github-j-keck-arping, golang-github-jamesclonk-vultr, golang-github-liamg-scout, golang-github-liamg-tml, golang-github-mattn-colorable, golang-github-mdlayher-ethernet, golang-github-moby-buildkit, golang-github-mock, golang-github-niklasfasching-org, golang-github-nxadm-tail, golang-github-path-network-mmproxy, golang-github-rakyll-statik, golang-github-shopify-toxiproxy, golang-github-shulhan-bindata, golang-github-skynetservices-skydns, golang-github-sophaskins-efs2tar, golang-github-spf13-cobra, golang-github-spyzhov-ajson, golang-github-task, golang-github-temoto-robotstxt, golang-github-theoapp-theo-agent, golang-github-tinylib-msgp, golang-github-tklauser-numcpus, golang-github-valyala-fasthttp, golang-google-protobuf, golang-honnef-tools, golang-k8s-kube-openapi, golang-k8s-pod-security-admission, golang-k8s-sample-cli-plugin, golang-mvdan-sh-3, golang-storj-drpc, golang-x-tools, gopass, harfbuzz, hcloud, manifest-tool, moby-engine, mqttcli, nex, php-laminas-diactoros2, podman-tui, seamonkey, snapd, tinygo, vgrep, vultr, vultr-cli, weldr-client, xen, and yubihsm-connector), Mageia (golang and java), Oracle (grub2, kernel, kernel-container, and squid), and SUSE (crash, kernel, nodejs12, nodejs14, and nodejs16).
Kernel prepatch 5.19-rc7
The 5.19-rc7 kernel prepatch is out for testing.
[$] Sharing page tables with msharefs
A page-table entry (PTE) is relatively small, requiring just eight bytes to refer to a 4096-byte page on most systems. It thus does not seem like a worrisome level of overhead, and little effort has been made over the kernel's history to reduce page-table memory consumption. Those eight bytes can hurt, though, if they are replicated across a sufficiently large set of processes. The msharefs patch set from Khalid Aziz is a revised attempt to address that problem, but it is proving to be a hard sell in the memory-management community.
Security updates for Friday
Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (curl, kernel, openssl1.1, php, subversion, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (grub2), SUSE (gnutls, kernel, logrotate, oracleasm, p11-kit, and python-PyJWT), and Ubuntu (libhttp-daemon-perl and python2.7, python3.10, python3.4, python3.5, python3.6, python3.8, python3.9).
Stable kernel updates delayed
The stable kernel updates that were due on July 14 have been delayed for several days, according to Greg Kroah-Hartman, due to problems that have come up with the Retbleed mitigation patches.
Rocky Linux 9.0 released
Version 9.0 of Rocky Linux, a Red Hat Enterprise Linux clone, has been released. There are a lot of changes, of course; see the release notes for an overview.
Tunney: Porting OpenBSD pledge() to Linux
Justine Tunney has created an implementation of the OpenBSD pledge() system call for Linux.
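The following is an added example, not Tunney's port and not OpenBSD code: a toy pledge()-style sandbox on Linux built from a seccomp-bpf filter, to show the shape of the problem the port solves. The promise names ("stdio", "rpath") and the syscall lists behind them are assumptions for illustration, far smaller than the real pledge() promises; a small interpreter for the filter's instruction subset lets the policy be checked without installing it into the process that builds it. Assumes Linux on x86-64 or aarch64 with the kernel UAPI headers.

```c
/* Added example (not Justine Tunney's port nor OpenBSD code): a toy
 * pledge()-style sandbox for Linux on seccomp-bpf. The promise names and
 * their syscall lists are illustrative assumptions, far smaller than real
 * pledge() promises. Linux x86-64 or aarch64 only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_INSNS 64
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
#define STMT(code, k)         (struct sock_filter)BPF_STMT(code, k)
#define JUMP(code, k, jt, jf) (struct sock_filter)BPF_JUMP(code, k, jt, jf)

/* Assumed promise contents. "stdio" includes what glibc's stdio needs. */
static const int stdio_calls[] = { SYS_read, SYS_write, SYS_close, SYS_fstat, SYS_newfstatat,
                                   SYS_ioctl, SYS_brk, SYS_exit, SYS_exit_group };
static const int rpath_calls[] = { SYS_openat, SYS_readlinkat, SYS_getcwd };

struct pledge_filter { struct sock_filter insns[MAX_INSNS]; unsigned short len; };

static int emit(struct pledge_filter *f, struct sock_filter insn)
{
    if (f->len >= MAX_INSNS) return -1;
    f->insns[f->len++] = insn;
    return 0;
}

/* Per syscall: "if nr == X then RET_ALLOW, else fall through to the next test". */
static int allow_syscalls(struct pledge_filter *f, const int *nrs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (emit(f, JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nrs[i], 0, 1)) ||
            emit(f, STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)))
            return -1;
    return 0;
}

/* Compile a space-separated promise string. Unpromised calls fail with EPERM
 * (OpenBSD's pledge() kills the process; ERRNO keeps the demo observable). */
static int pledge_build(struct pledge_filter *f, const char *promises)
{
    char buf[128];
    memset(f, 0, sizeof *f);
    if (strlen(promises) >= sizeof buf) return -1;
    strcpy(buf, promises);
    /* Kill on a foreign ABI (e.g. x32 on x86-64): syscall numbers differ there. */
    if (emit(f, STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch))) ||
        emit(f, JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0)) ||
        emit(f, STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS)) ||
        emit(f, STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr))))
        return -1;
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        const int *list = !strcmp(tok, "stdio") ? stdio_calls :
                          !strcmp(tok, "rpath") ? rpath_calls : NULL;
        size_t n = list == stdio_calls ? COUNT(stdio_calls) : COUNT(rpath_calls);
        if (!list || allow_syscalls(f, list, n)) return -1;   /* unknown promise: refuse */
    }
    return emit(f, STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)));
}

/* Interpret the cBPF subset used above for (arch, nr), so a policy can be
 * checked without installing it into the calling process. */
static uint32_t filter_verdict(const struct pledge_filter *f, uint32_t arch, int nr)
{
    uint32_t acc = 0;
    for (unsigned pc = 0; pc < f->len; ) {
        const struct sock_filter *in = &f->insns[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) {
            if (in->k == offsetof(struct seccomp_data, nr)) acc = (uint32_t)nr;
            else if (in->k == offsetof(struct seccomp_data, arch)) acc = arch;
            else break;
            pc++;
        } else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += 1 + (acc == in->k ? in->jt : in->jf);
        } else if (in->code == (BPF_RET | BPF_K)) {
            return in->k;
        } else {
            break;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;   /* unsupported insn or fell off the end */
}

/* Build from promises and report the verdict for nr under arch;
 * 0xffffffff means the promise string itself was rejected. */
static uint32_t pledge_check(const char *promises, uint32_t arch, int nr)
{
    struct pledge_filter f;
    if (pledge_build(&f, promises) != 0) return 0xffffffffu;
    return filter_verdict(&f, arch, nr);
}

/* Install into the calling process; like pledge(), this cannot be undone. */
static int pledge_apply(const struct pledge_filter *f)
{
    struct sock_fprog prog = { .len = f->len, .filter = (struct sock_filter *)f->insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    struct pledge_filter f;
    if (pledge_build(&f, "stdio") || pledge_apply(&f)) { perror("pledge"); return 1; }
    printf("write() still works under \"stdio\"\n");
    if (open("/etc/hostname", O_RDONLY) < 0)          /* openat: not promised */
        printf("open() denied: %s\n", strerror(errno));
    return 0;
}
```

The architecture check at the top of the filter matters: syscall numbers are per-ABI, so a filter that only looks at the number can be bypassed by entering through a different ABI on the same machine. Real pledge() also handles the many argument-dependent cases (which ioctls, which socket options) that a plain number allow-list cannot express.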
The US military wants to understand the most important software on Earth (MIT Technology Review)
The MIT Technology Review has posted an article on a program within the US Defense Advanced Research Projects Agency to identify threats to open-source code.
[$] Long-lived kernel pointers in BPF
The BPF subsystem allows programmers to write programs that can run safely in kernel space. All memory accesses and function calls in BPF programs are statically checked for safety using the in-kernel verifier, which analyzes programs in their entirety before allowing them to be loaded. While this allows the kernel to safely run BPF programs, it heavily restricts what those programs are able to do. Among these constraints is a rule that programs cannot store pointers into BPF maps for use (such as dereferencing them or passing them to the kernel in kfunc and BPF helper invocations) at a later time. A patch set by Kumar Kartikeya Dwivedi adds this capability to BPF.
Security updates for Thursday
Security updates have been issued by Debian (request-tracker4), Fedora (kernel and vim), Mageia (gerbv, gnupg2, pgadmin4, and python-coookiecutter), Slackware (xorg), SUSE (cifs-utils, gmp, gnutls, libnettle, kernel, libsolv, libzypp, zypper, logrotate, openssl-1_1, opera, squid, and virglrenderer), and Ubuntu (ca-certificates, git, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-kvm, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-aws, linux-oem-5.14, and vim).
[$] LWN.net Weekly Edition for July 14, 2022
The LWN.net Weekly Edition for July 14, 2022 is available.
[$] "Critical" projects and volunteer maintainers
Over the last five decades or so, free and open-source software (FOSS) has gone from an almost unknown quantity available to only the most technically savvy to underpinning much of the infrastructure we rely on today. Much like software itself, FOSS is "eating the world". But that has changed—is changing—the role of the maintainers of all of that code; when "critical" infrastructure uses code from a FOSS project, suddenly, and perhaps without warning, that code itself becomes critical. But many maintainers of that software are volunteers who did not set out to become beholden to the needs of large companies and organizations when they released their code, they were just scratching their itch—now lots of others are clamoring for theirs to be scratched as well.
Security updates for Wednesday
Security updates have been issued by Fedora (xen), Mageia (x11-server), SUSE (chromium, kernel, pcre, pcre2, squid, and xorg-x11-server), and Ubuntu (gnupg, gnupg2, uriparser, xorg-server, xorg-server-hwe-16.04, and xorg-server, xorg-server-hwe-18.04, xwayland).
[$] Native Python support for units?
Back in April, there was an interesting discussion on the python-ideas mailing list that started as a query about adding support for custom literals, a la C++, but branched off from there. Custom literals are frequently used for handling units and unit conversion in C++, so the Python discussion fairly quickly focused on that use case. While ideas about a possible feature were batted about, it does not seem like anything that is being pursued in earnest, at least at this point. But some of the facets of the problem are, perhaps surprisingly, more complex than might be guessed.
The "Retbleed" speculative execution vulnerabilities
Some researchers at ETH Zurich have disclosed a new set of speculative-execution vulnerabilities known as "Retbleed". In short, the retpoline defenses added when Spectre was initially disclosed turn out to be insufficient on x86 machines because return instructions, too, can be speculatively executed.
The latest stable kernel updates
The 5.18.11, 5.15.54, 5.10.130, 5.4.205, 4.19.252, 4.14.288, and 4.9.323 stable kernel updates have been released; each contains another set of important fixes.
Garrett: Responsible stewardship of the UEFI secure boot ecosystem
Matthew Garrett grumbles about an apparent Microsoft policy change making it harder to boot Linux on some systems.
Security updates for Tuesday
Security updates have been issued by Debian (chromium), Mageia (openssl and webkit2), Slackware (seamonkey), SUSE (crash, curl, freerdp, ignition, libnbd, and python3), and Ubuntu (dovecot and python-ldap).
Rust frontend approved for GCC
The GCC steering committee has approved the contribution of the Rust frontend to the compiler suite. "We look forward to including a preliminary, beta version of GCC Rust in GCC 13 as a non-default language".
[$] Kernel support for hardware-based control-flow integrity
Once upon a time, a simple stack overflow was enough to mount a code-injection attack on a running system. In modern systems, though, stacks are not executable and, as a result, simple overflow-based attacks are no longer possible. In response, attackers have shifted to control-flow attacks that make use of the code already present in the target system. Hardware vendors have added a number of features intended to thwart control-flow attacks; some of these features have better support than others in the Linux kernel.
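As an added illustration of the shift described above (this is a software model written for this page, not code from the article or from the kernel), the following simulates a stack with and without a hardware shadow stack of the kind Intel's CET provides. A CALL pushes the return address on both stacks; a RET compares the two copies and raises a control-protection fault on mismatch. The overflow it models overwrites only data (the saved return address), so a non-executable stack does not stop it; the shadow-stack check does. The word size, addresses and frame layout are assumptions for the model.

```c
/* Added example, not code from the article or the kernel: a software model of
 * a hardware shadow stack (the mechanism behind Intel CET's shadow stack),
 * showing why a return-address overwrite that would start a ROP chain is
 * caught at the RET. Word size, addresses and frame layout are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_WORDS  16
#define SHADOW_WORDS 16

typedef uint64_t word;

enum { RET_TO_CALLER = 0x401000, ROP_GADGET = 0xdeadbeef };   /* assumed addresses */
enum { OUTCOME_RETURNED = 0, OUTCOME_HIJACKED = 1, OUTCOME_CP_FAULT = 2 };

struct cpu {
    word stack[STACK_WORDS];    /* ordinary stack: locals and saved return addresses */
    int  sp;                    /* index of the top word; grows toward 0 */
    word shadow[SHADOW_WORDS];  /* shadow stack: written only by CALL, read by RET */
    int  ssp;
    bool shadow_enabled;        /* modelled shadow-stack enable bit */
    bool cp_fault;              /* set when RET detects a mismatch (#CP) */
};

static void cpu_init(struct cpu *c, bool shadow_enabled)
{
    memset(c, 0, sizeof *c);
    c->sp = STACK_WORDS;
    c->ssp = SHADOW_WORDS;
    c->shadow_enabled = shadow_enabled;
}

/* CALL pushes the return address on the data stack and, with the shadow
 * stack enabled, a second copy that ordinary stores cannot reach. */
static void do_call(struct cpu *c, word ret_addr)
{
    c->stack[--c->sp] = ret_addr;
    if (c->shadow_enabled)
        c->shadow[--c->ssp] = ret_addr;
}

/* RET pops the data-stack copy; with the shadow stack enabled the hardware
 * compares it with the shadow copy and raises #CP instead of jumping. */
static word do_ret(struct cpu *c)
{
    word target = c->stack[c->sp++];
    if (c->shadow_enabled) {
        word expected = c->shadow[c->ssp++];
        if (expected != target) {
            c->cp_fault = true;
            return 0;
        }
    }
    return target;
}

/* The classic bug: a fixed 16-byte local buffer filled with no length check.
 * The buffer sits directly below the saved return address, so a longer input
 * overwrites it. Only data is written, so a non-executable stack is no help. */
static void vulnerable_callee(struct cpu *c, const uint8_t *input, size_t len)
{
    c->sp -= 2;                                  /* 2-word frame for buf[16] */
    uint8_t *buf = (uint8_t *)&c->stack[c->sp];
    memcpy(buf, input, len);                     /* no bound check */
    c->sp += 2;
}

/* Constructed attacker input: 16 bytes of filler, then a gadget address
 * positioned exactly over the saved return address. */
static size_t build_rop_payload(uint8_t *out)
{
    word gadget = ROP_GADGET;
    memset(out, 'A', 16);
    memcpy(out + 16, &gadget, sizeof gadget);
    return 16 + sizeof gadget;
}

/* Run caller -> vulnerable_callee -> RET and classify what happened. */
static int scenario(bool shadow_enabled, bool attack)
{
    struct cpu c;
    uint8_t input[32];
    size_t len;

    cpu_init(&c, shadow_enabled);
    if (attack) {
        len = build_rop_payload(input);
    } else {
        memcpy(input, "hello", 6);               /* benign, fits the buffer */
        len = 6;
    }
    do_call(&c, RET_TO_CALLER);
    vulnerable_callee(&c, input, len);
    word target = do_ret(&c);

    if (c.cp_fault)
        return OUTCOME_CP_FAULT;
    return target == RET_TO_CALLER ? OUTCOME_RETURNED : OUTCOME_HIJACKED;
}

int main(void)
{
    static const char *names[] = { "returned to caller", "hijacked to gadget", "#CP fault" };
    printf("no shadow stack, benign: %s\n", names[scenario(false, false)]);
    printf("no shadow stack, attack: %s\n", names[scenario(false, true)]);
    printf("shadow stack,    benign: %s\n", names[scenario(true, false)]);
    printf("shadow stack,    attack: %s\n", names[scenario(true, true)]);
    return 0;
}
```

The model only covers backward-edge protection (returns); indirect calls and jumps are the forward edge, which hardware addresses separately (Intel's indirect-branch tracking, Arm's BTI), and the kernel-side support for the two differs, as the article goes on to discuss.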
Calibre 6.0 released
Version 6.0 of the calibre ebook management system is out.
Ronacher: Congratulations: We Now Have Opinions on Your Open Source Contributions
On his blog, Armin Ronacher comments about a recent security key giveaway by the Python Package Index (PyPI) to provide two-factor authentication (2FA) tokens to the maintainers of the "critical" projects on the index. While (eventually) requiring maintainers to use 2FA before being able to update PyPI packages is reasonable, Ronacher worries about where the idea might lead.
Security updates for Monday
Security updates have been issued by Debian (php7.4), Fedora (gerbv, kernel, openssl, and podman-tui), Oracle (squid:4), Slackware (wavpack), and SUSE (apache2, chafa, containerd, docker and runc, fwupd, fwupdate, libqt5-qtwebengine, oracleasm, and python).
Kernel prepatch 5.19-rc6
The 5.19-rc6 kernel prepatch is out for testing.
[$] Distributors entering Flatpakland
Linux distributions have changed quite a bit over the last 30 years, but the way that they package software has been relatively static. While the .deb and RPM formats (and others) have evolved with time, their current form would not be unrecognizable to their creators. Distributors are pushing for change, though. Both the Fedora and openSUSE projects are moving to reduce the role of the venerable RPM format and switch to Flatpak for much of their software distribution; some users are proving hard to convince that this is a good idea, though.
Security updates for Friday
Security updates have been issued by Fedora (direnv, golang-github-mattn-colorable, matrix-synapse, pypy3.7, pypy3.8, and pypy3.9), Oracle (squid), SUSE (curl, openssl-1_1, pcre, python-ipython, resource-agents, and rsyslog), and Ubuntu (nss, php7.2, and vim).
Another crop of stable kernels
The 5.18.10, 5.15.53, 5.10.129, 5.4.204, 4.19.251, 4.14.287, and 4.9.322 stable kernels have been released. As usual, they contain important fixes throughout the tree.
Security updates for Thursday
Security updates have been issued by Debian (intel-microcode), Fedora (dotnet3.1 and gnupg2), Oracle (grub2, kernel, php:7.4, php:8.0, and qemu-kvm), SUSE (389-ds, apache2, crash, curl, expat, firefox, fwupd, fwupdate, ImageMagick, ldb, samba, liblouis, librttopo, openssl, openssl-1_0_0, openssl-1_1, openssl-3, oracleasm, php7, php8, python-Twisted, python310, rsyslog, s390-tools, salt, thunderbird, and xen), and Ubuntu (linux-lts-xenial, linux-kvm and openssl).
[$] LWN.net Weekly Edition for July 7, 2022
The LWN.net Weekly Edition for July 7, 2022 is available.
[$] The 2022 embedded Linux update
A regular feature of the Embedded Linux Conference (ELC) has been an update on the state of embedded Linux from conference organizer Tim Bird. It has been quite a few years since I had the opportunity to sit in on one, so I took one at the 2022 Open Source Summit North America (OSSNA) in Austin, Texas. OSSNA is an umbrella conference that contains ELC and a whole lot more these days. Bird gave a look at recent kernel features from an embedded perspective, talked a bit about some different technology areas and their impact on embedded Linux, and also tried to answer a question that Andrew Morton posed in a keynote at ELC in 2008.
Security updates for Wednesday
Security updates have been issued by Debian (ldap-account-manager), Fedora (openssl1.1, thunderbird, and yubihsm-connector), Mageia (curl, cyrus-imapd, firefox, ruby-git, ruby-rack, squid, and thunderbird), Oracle (firefox, kernel, and thunderbird), Slackware (openssl), SUSE (dpdk, haproxy, and php7), and Ubuntu (gnupg2 and openssl).
[$] An Ubuntu kernel bug causes container crashes
Some system administrators running Ubuntu 20.04 had a rough time on June 8, when Ubuntu published kernel packages containing a particularly nasty bug that was caused by an Ubuntu-specific patch to the kernel. The bug led to a kernel panic whenever a Docker container was started. Fixed packages were made available on June 10, but there are questions about what went wrong with handling the patch; in particular, it is surprising that kernel 5.13, which has been beyond its end-of-life for months, made it onto machines running Ubuntu 20.04, which is supposed to be a long-term support release.