LWN.net

The nasty vulnerability in pkexechas been rippling through the Linux world,leading to lots of security updates to the underlying polkitauthorization toolkit. It also led to a recent discussion on the Fedoradevel mailing list about whether pkexec, which runs aprogram as another user, is actuallyneeded—or wanted—in some or all of the distribution's editions. But pkexecis used by quite a few different Fedora components, particularly indesktop-oriented editions, and it could perhaps be a better choice than thealternatives for running programs with the privileges of another user.

Version 7.3 of the LibreOffice "Community" edition is out."In addition to the majority of code commits being focused oninteroperability with Microsoft's proprietary file formats, there is awealth of new features targeted at users migrating from Office, to simplifythe transition".

Security updates have been issued by CentOS (samba), Debian (apache2 and python-django), Fedora (kernel and phpMyAdmin), Mageia (kernel and kernel-linus), openSUSE (samba), Oracle (nginx:1.20 and samba), Red Hat (cryptsetup, java-1.8.0-ibm, kernel, nodejs:14, rpm, and vim), SUSE (kernel, python-Django, python-Django1, and samba), and Ubuntu (cron).

The problem of how to deprecate pieces of the Python languagein a minimally disruptive way has cropped in various guises over the last few years—in truth,it has been wrangled with throughout much of language's 30-year history.The scars of the biggest deprecation, that of Python 2, are still ratherfresh, both for users and the core developers, so no one wants (or plans)a monumental change of that sort. But the language community does want tocontinue evolving Python, which means leaving some "baggage" behind; howto do so without leaving further scars is a delicate balancing act, as yetanother discussion highlights.

The Systems and Network Security Group at Vrije Universiteit Amsterdam hasannounced a tool calledKasper that is able to scan the kernel source and locatespeculative-execution vulnerabilities:

For anybody who feels they haven't had enough stable kernel releasesrecently, the 5.16.5,5.15.19,5.10.96, and5.4.176stable kernel updates have been released; each contains another set ofimportant fixes.

Security updates have been issued by Debian (ipython), Fedora (kernel and usbview), Gentoo (webkit-gtk), Oracle (java-1.8.0-openjdk), Red Hat (kpatch-patch and samba), Scientific Linux (samba), Slackware (kernel), SUSE (kernel and samba), and Ubuntu (samba).

"Restartable sequences" are small segments of user-space code designed toaccess per-CPU data structures without the need for heavyweight locking.It is a relatively obscure feature, despite having been supported by theLinux kernel since the 4.18 release. Among other things, there is nosupport in the GNU C Library (glibc) for this feature. That is about tochange with the upcoming glibc 2.35release, though, so a look at the user-space APIfor this feature is warranted.

The vote hasconcluded in the Debian project on a general resolution affecting theway such resolutions are discussed in the future. The changes, as proposedby Russ Allbery, have been adopted with the required three-to-onesupermajority, though the overall level of voting was low.The new process is mostly as described in this article from Octoberwith a few changes. The end result may be to shorten the discussion periodfor controversial issues and make the end of that period more predictable.

Greg Kroah-Hartman has announced another set of eight stable kernels: 5.16.4, 5.15.18, 5.10.95, 5.4.175, 4.19.227, 4.14.264, 4.9.299, and 4.4.301. These are relatively small updatesthat, as usual, contain important fixes; users should upgrade.

Version2.0.0 of the Debian-based Nitrux distribution is available."This new version brings together the latest software updates, bugfixes, performance improvements, and ready-to-use hardware support."

Security updates have been issued by Debian (apache-log4j1.2, expat, libraw, prosody, and python-nbxmpp), Fedora (chromium, hiredis, java-11-openjdk, java-latest-openjdk, lua, rust-afterburn, rust-ammonia, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-insta, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-ron, rust-ron0.6, rust-similar, rust-similar-asserts, rust-skim, rust-thread_local, rust-tokei, vim, wpa_supplicant, and zola), Gentoo (chromium, chrome), openSUSE (log4j12), Oracle (log4j and polkit), Scientific Linux (java-1.8.0-openjdk), SUSE (log4j12), and Ubuntu (ldns).

The 5.17-rc2 kernel prepatch is out fortesting.

By now, most readers are likely to be familiar with the Polkit vulnerability known as CVE-2021-4034.The fix for Polkit is relatively straightforward and is being rolled outacross the net. The root of this problem, though, lies in amisunderstanding about how programs are run on Unix-like systems. Thisproblem is highly likely to exist in other programs, so it would be nice tofind a more general solution. The best place to address this issue may bein the kernel, but properly working around thismisunderstanding without causing regressions is not an easy task.

Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (graphicsmagick), Fedora (grafana), Mageia (aom and roundcubemail), openSUSE (log4j and qemu), Oracle (parfait:0.5), Red Hat (java-1.7.1-ibm and java-1.8.0-openjdk), Slackware (expat), SUSE (containerd, docker, log4j, and strongswan), and Ubuntu (cpio, shadow, and webkit2gtk).

Here's awar story from Alyssa Rosenzweig on the process of writing a freedriver for Arm's "Valhall" GPUs without having the hardware to test it on.

The Linux Storage, Filesystem, Memory-Management, and BPF Summit isscheduled for May 2 to 4 in Palm Springs, California; with luckit will actually happen this year. As usual, it is an invitation-onlyevent, with a preference for those who bring interesting topics to discuss.The call forproposals is out now, with a request for proposals to arrive beforeMarch 1.

Version 2.0 of GNU Poke, a binary-data editor, has been released. "Alot of things have changed and improved with respect to the 1.x series; wehave fixed many bugs and added quite a lot of new exciting and usefulfeatures." Look below for an extensive list of changes.

Greg Kroah-Hartman has announced the release of the 5.16.3, 5.15.17, 5.10.94, 5.4.174, 4.19.226, 4.14.263, 4.9.298, and 4.4.300 stable kernels. These all contain ahuge number of fixes all over the tree, so huge that 5.16.3 broke the scriptsused to create stable kernels; users should upgrade.

In mid-December, Thorsten Behrens, a board member for the Document Foundation (TDF),posted aseemingly simple proposal for an "attic" that would become the home ofabandoned projects. No specific projects were named as the first intendedresidents of the attic, but the proposalclearly related to the LibreOfficeOnline (LOOL) project. The followingdiscussion made it clear that the unhappiness around LOOL has yet to fadeaway, and that the Foundation still has some work to do when it comes todefining its relationship with its corporate members.

Security updates have been issued by CentOS (polkit), Debian (uriparser), Fedora (cryptsetup, flatpak, flatpak-builder, and polkit), Gentoo (polkit), Mageia (virtualbox), Red Hat (httpd24-httpd, httpd:2.4, and parfait:0.5), SUSE (clamav, log4j, python-numpy, and strongswan), and Ubuntu (vim).

The LWN.net Weekly Edition for January 27, 2022 is available.

Back in May, we looked at a Google proposalto replace third-partycookies with something called the"Federated Learning of Cohorts"(FLoC). Third-party cookies were once used to track users all over the webso that advertisers could, supposedly, target their ads better, but, of themajor browsers, only Google's Chrome browser fails to block them today. Googletook a fair amount of flak for FLoC, since it was not perceived to be muchof a win for users' privacy—and was mostly a sop to the (Google-dominated)web-advertising industry. Now the company is back with a differentproposal that could, eventually, replace third-party cookies in Chrome: Topics.

Security updates have been issued by CentOS (httpd), Debian (libxfont, lrzsz, nss, openjdk-17, policykit-1, webkit2gtk, and wpewebkit), Mageia (polkit), openSUSE (expat, json-c, kernel, polkit, qemu, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), Oracle (httpd:2.4, java-11-openjdk, and polkit), Red Hat (httpd:2.4, OpenShift Container Platform 3.11.570, polkit, and Red Hat OpenStack Platform 16.1 (etcd)), Scientific Linux (polkit), Slackware (polkit), SUSE (aide, expat, firefox, json-c, kernel, polkit, qemu, rust, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), and Ubuntu (policykit-1 and xorg-server).

A few weeks back, we looked at a proposalto add an integrity-management feature to Fedora. One of the sellingpoints was that the integrity checking could be done using the PGPsignatures that are already embedded into the RPM package files that Fedorauses. But the kernel needs to be able to verify PGP signatures in orderfor the Fedora feature to work. That addition to the kernel has been proposed, butsome in the kernel-development community seem less than completelyenthusiastic about bringing PGP support into the kernel itself.

Qualys has announcedthe disclosure of a local-root vulnerability in Polkit. They are callingit "PwnKit" and have even provided a proof-of-concept video.

Version 2.35.0 of the Gitsource-code management system has been released. There are a lot ofchanges, as usual; see the announcement and this GitHubblog entry for details.

Security updates have been issued by CentOS (java-11-openjdk), Debian (aide, apr, ipython, openjdk-11, qt4-x11, and strongswan), Fedora (binaryen and rust), Mageia (expat, htmldoc, libreswan, mysql-connector-c++, phpmyadmin, python-celery, python-numpy, and webkit2), openSUSE (kernel and virtualbox), Red Hat (etcd, libreswan, nodejs:14, OpenJDK 11.0.14, OpenJDK 17.0.2, and rpm), Slackware (expat), SUSE (java-1_7_1-ibm, kernel, and zxing-cpp), and Ubuntu (strongswan).

Linus Torvalds released5.17-rc1 and closed the 5.17 merge window on January 23 afterhaving pulled just over 11,000 non-merge changesets into the mainlinerepository. A little over 4,000 of those changesets arrived after our first-half merge-window summary waswritten. Activity thus slowed down, as expected, in the second half of themerge window, but there still a number of significant changes that made itin for the next kernel release.

The netfilter project,which works on packet-filtering for the Linux kernel, has announced that ithas reached a settlement(Englishtranslation) with Patrick McHardy that is "legallybinding and it governs any legal enforcement activities" on netfilter programs and libraries as well as thekernel itself. McHardy has been employingquestionable practices in doing GPL enforcement in Germany over thelast six years or more. The practice has been called "copyright trolling" by some and ispart of what led to the creation of The Principles of Community-Oriented GPL Enforcement.

Security updates have been issued by Debian (chromium, golang-1.7, golang-1.8, pillow, qtsvg-opensource-src, util-linux, and wordpress), Fedora (expat, harfbuzz, kernel, qt5-qtsvg, vim, webkit2gtk3, and zabbix), Mageia (glibc, kernel, and kernel-linus), openSUSE (bind, chromium, and zxing-cpp), Oracle (kernel), Red Hat (java-11-openjdk and kpatch-patch), Scientific Linux (java-11-openjdk), SUSE (bind, clamav, zsh, and zxing-cpp), and Ubuntu (aide, dbus, and thunderbird).

Ariadne Conill writesabout the FSF's policy toward proprietary firmware and, specifically,the rules for "Respects Your Freedom"certification.

The first 5.17 kernel prepatch is out fortesting, and the merge window is closed for this release.

One of your editor's long-time hobbies is photography; it is an activitythat can be rewarding even with the lack of any particular talent — a usefulattribute. Photography has changed greatly over the years; as a result,those hard-earned darkroom skills are of little use, and photo processinghas become yet another software problem. This is a field that supports alot of proprietary software, but there is also no shortage of free softwareavailable. The time has come to combine work and pleasure and catch upwith the state of free software for photography, starting with the darktable raw photo editor.

Anybody who upgraded to the recent Rust 1.58.0 release will probably wantto move on to Rust1.58.1; among other things it contains a fix for a securityvulnerability in the standard library. "We recommend all usersto update their toolchain immediately and rebuild their programs with theupdated compiler".

Security updates have been issued by Debian (aide, flatpak, kernel, libspf2, and usbview), Fedora (kernel, libreswan, nodejs, texlive-base, and wireshark), openSUSE (aide, cryptsetup, grafana, permissions, rust1.56, and stb), SUSE (aide, apache2, cryptsetup, grafana, permissions, rust1.56, and webkit2gtk3), and Ubuntu (aide, thunderbird, and usbview).

The kernel community is a busy place, so it is not even remotely possibleto write full-length articles about everything that is going on. Othertopics may be of interest, but not require a longer treatment. Theanswer is a collection of short topics covering developments that are onthe radar; the selection this time around includes folios, themulti-generational LRU, and Rust in the kernel.

Four new stable kernels have been announced: 5.16.2, 5.15.16, 5.10.93, and 5.4.173. These contain a relatively small setof important fixes; users should upgrade.

Security updates have been issued by Debian (drupal7), Fedora (kernel, libreswan, nodejs, and wireshark), openSUSE (busybox, firefox, kernel, and python-numpy), Oracle (gegl, gegl04, httpd, java-17-openjdk, kernel, kernel-container, and libreswan), Red Hat (kernel, kernel-rt, and libreswan), Slackware (wpa_supplicant), SUSE (busybox, firefox, htmldoc, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container, openstack-monasca-agent, spark, spark-kit, zookeeper, and python-numpy), and Ubuntu (curl, linux, linux-aws, linux-aws-5.11, linux-aws-5.4, linux-azure, linux-azure-5.11, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.11, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oem-5.10, linux-oem-5.13, linux-oem-5.14, linux-oracle, linux-oracle-5.11, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, openvswitch, and qtsvg-opensource-src).

The LWN.net Weekly Edition for January 20, 2022 is available.

The Linux framebuffer device (fbdev) subsystem has long languished insomething of a purgatory; it was listed as "orphaned" in theMAINTAINERS file and saw fairly minimal maintenance, mostly drivenby developers working elsewhere in the kernel graphics stack. That allchanged, in an eye-opening way, on January 17, when Linus Torvaldsmerged a changeto make Helge Deller the new maintainer of the subsystem. But it turns outthat the problems in fbdev run deep, at least according to much of the restof the kernel graphics community. By seeming to take on the maintainer role in order torevert the removal of some buggy features from fbdev, Deller has createdsomething of a controversy.

Version7.0 of the ONLYOFFICE office suite is available.

Security updates have been issued by CentOS (firefox, gegl, kernel, and thunderbird), Debian (nvidia-graphics-drivers), Fedora (btrbk and thefuck), Mageia (clamav, kernel, kernel-linus, vim, and wpa_supplicant), openSUSE (java-1_8_0-ibm, jawn, nodejs12, nodejs14, SDL2, and virglrenderer), Red Hat (gegl, gegl04, java-17-openjdk, and kernel-rt), Scientific Linux (gegl and httpd), SUSE (apache2, firefox, java-1_7_1-ibm, java-1_8_0-ibm, libvirt, nodejs12, nodejs14, openstack-monasca-agent, spark, spark-kit, zookeeper, python-Django, python-Django1, python-numpy, SDL2, and virglrenderer), and Ubuntu (byobu, clamav, and ruby2.3, ruby2.5, ruby2.7).

A Python "frozenset" is simply a setobject that is immutable—the objects it contains are determined atinitialization time and cannot be changed thereafter. Like sets, frozensets arebuilt into the language, but unlike most of the other standard Pythontypes, there is no way to create a literal frozenset object. Changing that,by providing a mechanism to do so, was the topic of a recent discussion on the python-ideas mailing list.

January 22, 2022 will be the 24th anniversary of the publication of the first LWN.net Weekly Edition. A lot hashappened in the intervening years; the Linux community has grownimmeasurably, and LWN has grown with it. Later this year will also be the20th anniversary of the adoption of our subscription-based model, which hassustained LWN ever since. There is a change coming for our subscribersthat will, with luck, help to set up LWN to thrive in the coming years.

Version 7.0 of theWINE Windows API library has been released.

The Open Invention Network has announcedan expansion of its "Linux System Definition", which is the set of softwarecovered by its patent-protection umbrella.

Security updates have been issued by Debian (slurm-llnl), openSUSE (apache2, ghostscript, and watchman), Red Hat (kernel and telnet), SUSE (apache2, ghostscript, and kernel), and Ubuntu (clamav).

Once again, the COVID pandemic has forced linux.conf.au to go virtual, thusdepriving your editor of a couple of 24-hour, economy-class, middle-seatexperiences. This naturally leads to a set of mixed feelings. LCA hasalways put a priority on interesting keynote talks, and that has carriedover into the online event; the opening keynote for LCA 2022 was given byBrian Kernighan. Despite being seen as a founder of our community,Kernighan is rarely seen at Linux events; he used his LCA keynote toreminisce for a while on where Unix came from and what its legacy is.

Version 5.0 of the FFmpegaudio and video toolkit has been released.