Blocking in the kernel's random-number generator (RNG)—causing a process to wait for "enough" entropy to generate strong random numbers—has always been controversial. It has also led to various kinds of problems over the years, from timeouts and delays caused by misuse in user-space programs to deadlocks and other problems in the boot process. That behavior has undergone a number of changes over the last few years and it looks possible that the last vestige of the difference between merely "good" and "cryptographic-strength" random numbers may go away in some upcoming kernel version.
Longtime Unix developer Lorinda Cherry passed away recently; among other things, she was the creator of the dc and bc utilities still in use today. See this posting from Douglas McIlroy for many more details on her life.
Both Firefox and Chrome are racing toward releasing version 100 in the near future, and developers for both browsers are worried that web sites with naive code to parse the version number out of the user-agent string will break.
The 5.16.10, 5.15.24, 5.10.101, 5.4.180, 4.19.230, 4.14.267, and 4.9.302 stable kernel updates are available. As usual, each contains another set of important fixes.
Security updates have been issued by CentOS (firefox and thunderbird), Debian (librecad, libxstream-java, and zsh), Fedora (expat, util-linux, varnish-modules, xterm, and zsh), Mageia (Intel-nonfree, kernel, kernel-linus, and microcode), openSUSE (zabbix), Red Hat (kernel, kpatch-patch, Red Hat Virtualization Host, and thunderbird), Scientific Linux (thunderbird), and Ubuntu (cryptsetup).
Over on the Bootlin blog, Michael Opdenacker has an introduction to using device tree overlays to support changes to the standard device tree definition for a particular system-on-chip (SoC). This allows users to add new hardware or modify the hardware configuration for their system relatively easily—and without recompiling the kernel or the full device tree source files.
Sometimes, a kernel-patch series comes with an exciting, sexy title. Other times, the mailing lists are full of patches with titles like "remote per-cpu lists drain support". For many, the patches associated with that title will be just as dry as the title itself. But, for those who are interested in such things — a group that includes many LWN readers — this short patch series from Nicolas Saenz Julienne gives some insight into just what is required to make the kernel's page allocator as fast — and as robust — as developers can make it.
Security updates have been issued by Debian (h2database), Fedora (dotnet-build-reference-packages, dotnet3.1, and firefox), Oracle (.NET 5.0, firefox, kernel, and kernel-container), Red Hat (firefox), Scientific Linux (firefox), SUSE (unbound), and Ubuntu (firefox).
Like most components in the computing landscape, networking hardware has grown steadily faster over time. Indeed, today's high-end network interfaces can often move data more quickly than the systems they are attached to can handle. The networking developers have been working for years to increase the scalability of their subsystem; one of the current projects is the BIG TCP patch set from Eric Dumazet and Coco Li. BIG TCP isn't for everybody, but it has the potential to significantly improve networking performance in some settings.
The 5.17-rc4 kernel prepatch is out for testing. "Things continue to look pretty normal for 5.17. Both the diffstat and the number of commits looks pretty much average for an rc4 release." The code name for the release has been changed to "Superb Owl".
The Debian project is known for its commitment to free software, the effort that it puts into ensuring that its distribution is compliant with the licenses of the software it ships, and the energy it puts into discussions around that work. A recent (and ongoing) discussion started with a query about a relatively obscure aspect of the process by which new packages enter the distribution, but ended up questioning the project's approach toward licensing and copyright issues. While no real conclusions were reached, it seems likely that the themes heard in this discussion, which relate to Debian's role in the free-software community in general, will play a prominent part in future debates.
The 5.16.9, 5.15.23, 5.10.100, 5.4.179, 4.19.229, 4.14.266, and 4.9.301 stable kernel updates have been released; each contains a small number of important fixes.
Security updates have been issued by Debian (cryptsetup), Fedora (firefox, java-1.8.0-openjdk, microcode_ctl, python-django, rlwrap, and vim), openSUSE (kernel), and SUSE (kernel and ldb, samba).
Well-maintained free-software projects usually make a point of quickly fixing known security problems, and the Samba project, which provides interoperability between Windows and Unix systems, is no exception. So it is natural to wonder why the fix for CVE-2021-20316, a symbolic-link vulnerability, was well over two years in coming. Sometimes, a security bug can be fixed with a simple tweak to the code. Other times, the fix requires a massive rewrite of much of a project's internal code. This particular vulnerability fell firmly into the latter category, necessitating a public rewrite of Samba's virtual filesystem (VFS) layer to address a non-disclosed vulnerability.
Security updates have been issued by Debian (firefox-esr and openjdk-8), Fedora (phoronix-test-suite and php-laminas-form), Mageia (epiphany, firejail, and samba), Oracle (aide, kernel, kernel-container, and qemu), Red Hat (.NET 5.0 on RHEL 7 and .NET 6.0 on RHEL 7), Scientific Linux (aide), Slackware (mozilla), SUSE (clamav, expat, and xen), and Ubuntu (speex).
The PinePhone is a Linux-based smartphone made by PINE64 that runs free and open-source software (FOSS); it is designed to use a close-to-mainline Linux kernel. While many smartphones already use the Linux kernel as part of Android, few run distributions that are actually similar to those used on desktops and laptops. The PinePhone is different, however; it provides an experience that is much closer to normal desktop Linux, though it probably cannot completely replace a full-featured smartphone—at least yet.
Version 2.38 of the GNU Binutils tool set has been released. Changes include new hardware support (including for the LoongArch architecture), various Unicode-handling improvements, a new --thin option to ar for the creation of thin archives, and more.
Version 5.24 of the KDE-based Plasma desktop is out; this is a long-term-support release. Changes include various task-manager improvements, a new overview mode, fingerprint-reader support, improved Wayland support, and more.
It's been two whole days since the last set of stable kernel releases, but the long wait is over: 5.16.8, 5.15.22, 5.10.99, 5.4.178, 4.19.228, 4.14.265, and 4.9.300 have all been released. Each contains yet another set of important fixes.
This is a few days old, but evidently there is still need for this message: Konstantin Ryabitsev explains how it is easy to cause a commit to appear falsely to be part of a GitHub repository:
Go 1.18, the biggest release of the Go language since Go 1.0 in March 2012, is expected to be released in February. The first beta was released in December with two features which, each on their own, would have made the release a big one. It adds support for generic types and native support for fuzz testing. In the blog post announcing the beta, core developer Russ Cox emphasized that the release "represents an enormous amount of work".
Security updates have been issued by CentOS (log4j), Debian (chromium, xterm, and zabbix), Fedora (kate, lua, and podman), Oracle (aide and log4j), and SUSE (xen).
Version 4.1.0 of the secure-desktop-oriented Qubes OS distribution has been released. "The culmination of years of development, this release brings a host of new features, major improvements, and numerous bug fixes". New features include an experimental GUI domain separate from dom0, the "Qrexec" policy system, progress toward a reproducible build, and more. See below and this article for more information.
Digital photography opens up a whole new world of photo postprocessing opportunities, especially if the photographer uses their camera's raw format to take advantage of all of the data collected by the sensor. On the other hand, using raw images means doing without all of the processing done by the camera and taking on a range of complex tasks. Raw photo editors are designed to work with raw images as a key part of a photographer's workflow. Your editor recently reviewed the darktable editor, but there are other options available in the free-software community. RawTherapee is a GPLv3-licensed raw editor that is in some ways simpler than darktable — but that is not the same as saying that it is simple.
Security updates have been issued by Debian (ldns and libphp-adodb), Fedora (kernel, kernel-headers, kernel-tools, mingw-binutils, mingw-openexr, mingw-python3, mingw-qt5-qtsvg, scap-security-guide, stratisd, util-linux, and webkit2gtk3), Mageia (lrzsz, qtwebengine5, and xterm), openSUSE (chromium), and Ubuntu (python-django).
The 5.17-rc3 kernel prepatch is out for testing. Linus says: "Things look fairly normal so far, with a pretty average number of commits for an rc3 release".
The 5.16.6, 5.15.20, 5.10.97, and 5.4.177 stable kernel updates have been released. Unfortunately, a problem was reported almost immediately after that release, leading to the reversion of a broken patch and the subsequent release of 5.16.7, 5.15.21, and 5.10.98. It's worth noting that numerous groups tested the first set of releases and reported successful results (they can be seen as replies to the -rc1 posting), but nobody hit this problem in time.
Version 1.20.0 of the GStreamer multimedia system is out. Changes include a new high-level playback library replacing GstPlayer, decoding support for WebM Alpha, updated Rust bindings, and more; see the announcement for lots of details.
Loading a BPF program into the kernel involves a lot of steps, including verification, permissions checking, linking to in-kernel helper functions, and compilation to the native instruction format. Underneath all of that, though, lies one other simple task: allocating some memory to store the compiled BPF program in the kernel's address space. It turns out that this allocation can be somewhat wasteful of memory in current kernels, especially on systems where large numbers of BPF programs are loaded. This patch set from Song Liu seeks to remedy this problem by introducing yet another specialized memory allocator into the kernel.
Version 2.35 of the GNU C Library has been released. New features include Unicode 14.0.0 support, support for the C.UTF-8 locale, a bunch of new math functions, support for restartable sequences, and much more; see the announcement for details.
Persistent memory has a number of advantages; it is fast, CPU-addressable, available in large quantities and, of course, persistent. But it also, arguably, poses a higher risk of suffering corruption as a result of bugs in the kernel. Protecting against this possibility is the objective of this patch set from Ira Weiny, which makes use of Intel's "protection keys supervisor" (PKS) feature to make it harder for the kernel to inadvertently write to persistent memory.
With a more lengthy than usual message, Greg Kroah-Hartman has released the 4.4.302 stable kernel; it will be the last from the stable kernel team in the 4.4.x series. "Do not use it anymore unless you really know what you are doing." He notes that the Civil Infrastructure Platform (CIP) project is considering maintaining 4.4 into the future; those interested should contact CIP. He also added some statistics showing a nearly six-year lifetime for the branch with 8.44 changes per day from over 3500 developers.