Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-21 06:45
[$] Fedora, FFmpeg, Firefox, Flatpak, and Fusion
Fedora's objective to become the desktop Linux distribution of choice has long been hampered by Red Hat's risk-averse legal department, which strictly limits the type of software that Fedora can ship. Specifically, anything that might be encumbered by patents is off-limits, with the result that much of the media that users might find on the net is unplayable. This situation has improved over the years as the result of a lot of work within the Fedora project, but it still puts Fedora at a disadvantage relative to some other distributions. A recent discussion on video support, though, shines a light on how some surprising legal reasoning may be providing a way out of this problem; that way may not be pleasing to all involved, however.
Stable kernels released to address the processor MMIO stale-data vulnerabilities
Seven new stable kernels have been released: 5.18.5, 5.15.48, 5.10.123, 5.4.199, 4.19.248, 4.14.284, and 4.9.319. All contain a small set of patches to address the recently disclosed processor MMIO stale-data vulnerabilities; users of those series should upgrade.
Security updates for Thursday
Security updates have been issued by Fedora (containerd, golang-github-containerd-cni, golang-github-containernetworking-cni, golang-x-sys, kernel, and qt5-qtbase), Oracle (kernel, kernel-container, microcode_ctl, subversion:1.14, and xz), Red Hat (.NET 6.0, .NET Core 3.1, cups, and xz), Scientific Linux (xz), SUSE (caddy, chromium, librecad, libredwg, varnish, and webkit2gtk3), and Ubuntu (bluez).
[$] LWN.net Weekly Edition for June 16, 2022
The LWN.net Weekly Edition for June 16, 2022 is available.
[$] Remote participation at LSFMM
As with many conferences these days, the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM) had a virtual component. The main rooms were equipped with a camera trained on the podium, thus the session leader, so that remote participants could watch; this camera connected into a Zoom conference that allowed participation from afar. In a session near the end of the conference, led by conference organizer Josef Bacik, remote participants were invited to share their experiences—on camera—with those who were there in person. It was an opportunity to discuss what went right—and wrong—with an eye toward improving the experience for future events.
[$] A discussion on readahead
Readahead is an I/O optimization that causes the system to read more data than has been requested by an application—in the belief that the extra data will be requested soon thereafter. At the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM), Matthew Wilcox led a session to discuss readahead, especially as it relates to network filesystems, with assistance from Steve French and David Howells. The latency of the underlying storage needs to factor into the calculation of how much data to read in advance, but it is not entirely clear how to do so.
Processor MMIO stale-data vulnerabilities
The mainline kernel has just received a set of patches addressing a new set of (seemingly) Intel-specific hardware vulnerabilities.
CFP for the Kernel and Maintainers Summits
The 2022 Kernel Summit and Maintainers Summit will be held in Dublin; the Kernel Summit will run as part of the Linux Plumbers Conference (September 12-14) while the Maintainers Summit will be on September 15. The call for proposals for both events has been posted. The deadline for the Kernel Summit is tight (June 19), so this is not the time for anybody wanting to speak to procrastinate.
Security updates for Wednesday
Security updates have been issued by Red Hat (.NET 6.0 and log4j), SUSE (389-ds, grub2, kernel, openssl-1_1, python-Twisted, webkit2gtk3, and xen), and Ubuntu (php7.2, php7.4, php8.0, php8.1 and util-linux).
The "Hertzbleed" vulnerability
Today's branded, logo-equipped vulnerability is known as Hertzbleed; it affects x86 processors (at least) and can be exploited in some situations to extract cryptographic keys from a remote server.
More stable kernel updates
5.18.4, 5.17.15, 5.15.47, 5.10.122, 5.4.198, 4.19.247, 4.14.283, and 4.9.318 stable updates have all been released; each contains another large set of important fixes. Note that 5.17.15 will be the last release in the 5.17.x stable series.
[$] Zoned storage
Zoned storage is a form of storage that offers higher capacities by making tradeoffs in the kinds of writes that are allowed to the device. It was the topic of a storage and filesystem session led by Luis Chamberlain at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM). Over the years, zoned storage has been a frequent topic at LSFMM, going back to LSFMM 2013, where support for shingled magnetic recording (SMR) devices, which were the starting point for zoned storage, was discussed.
"Total cookie protection" from Firefox
Mozilla has announced the enabling of its "total cookie protection" feature in all versions of the Firefox browser.
Plasma 5.25.0 released
Version 5.25.0 of the KDE-based Plasma desktop has been released. New features include support for touchpad and touchscreen gestures, an "overview" mode for navigating between windows, additional color configuration options, and more.
Security updates for Tuesday
Security updates have been issued by Fedora (golang-github-docker-libnetwork and moby-engine), Mageia (apache, docker-containerd, kernel, kernel-linus, nats-server, and php-smarty), Slackware (php), SUSE (gimp, grub2, thunderbird, u-boot, and xen), and Ubuntu (firefox, liblouis, ncurses, and rsync).
Mourning Marina Zhurakhinskaya
From Sage Sharp comes the sad news that Marina Zhurakhinskaya, the founder of the Outreach Program for Women (now known as Outreachy), has passed away. "Marina died on Saturday after winning her struggle with cancer for three years. We would like to elevate Marina's message to encourage people to test themselves for genetic markers for breast cancer".
[$] Retrieving kernel attributes
At the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM), Amir Goldstein and Miklos Szeredi led a discussion on a new interface for extracting information from kernel objects using the filesystem extended-attributes (xattr) interface. Since Szeredi was not present in Palm Springs, he co-led the session virtually over Zoom audio, which was the only filesystem session with a virtual leader at LSFMM this year. Szeredi's proposal for an interface of that sort had been posted just the day before the session.
SambaXP talk videos posted
The 2022 sambaXP conference was held online at the beginning of June. Videos of the talks given at that event have now been posted on YouTube. Topics covered include Samba in containers, certificate auto-enrollment, symlink races, and more.
Diving into GCC internals
For those who would like to know more about how GCC works, David Malcolm has enhanced his GCC for new contributors guide with a section on GCC internals. It includes a good overview of the various GCC passes and the internal representations used to describe a program at various stages.
[$] /dev/userfaultfd
The userfaultfd() system call allows one thread to handle page faults for another in user space. It has a number of interesting use cases, including the live migration of virtual machines. There are also some less appealing use cases, though, most of which are appreciated by attackers trying to take control of a machine. Attempts have been made over the years to make userfaultfd() less useful as an exploit tool, but this patch set from Axel Rasmussen takes a different approach by circumventing the system call entirely.
K9 mail to become Thunderbird on Android
The Thunderbird project's announcement of its plans for an Android client contains a bit of a surprise:
Security updates for Monday
Security updates have been issued by Debian (chromium, containerd, kernel, ntfs-3g, and vlc), Fedora (buildah and logrotate), Red Hat (xz), and SUSE (google-gson, netty3, rubygem-sinatra, and u-boot).
Kernel prepatch 5.19-rc2
The second 5.19 kernel prepatch is out for testing.
[$] Vetting the cargo
Modern language environments make it easy to discover and incorporate externally written libraries into a program. These same mechanisms can also make it easy to inadvertently incorporate security vulnerabilities or overtly malicious code, which is rather less gratifying. The stream of resulting vulnerabilities seems like it will never end, and it afflicts relatively safe languages like Rust just as much as any other language. In an effort to avoid the embarrassment that comes with shipping vulnerabilities (or worse) by way of its dependencies, the Mozilla project has come up with a new supply-chain management tool known as "cargo vet".
Security updates for Friday
Security updates have been issued by Debian (python-bottle), Fedora (grub2 and kernel), Mageia (python-pypdf2, python-ujson, and vim), and SUSE (fribidi, grub2, mozilla-nss, and webkit2gtk3).
Stable kernels 5.18.3, 5.17.14, 5.15.46, and 5.10.121
Stable kernels 5.18.3, 5.17.14, 5.15.46, and 5.10.121 have been released. Typically, the stable kernels released right after the merge window closes contain a large number of changes and these updates certainly fit the bill.
[$] Rethinking Fedora's Java packaging
Linux distributors are famously averse to shipping packages with bundled libraries; they would rather ship a single version of each library to be shared by all packages that need it. Many upstream projects, instead, are fond of bundling (or "vendoring") libraries; this leads to tension that has been covered here numerous times in the past (examples: 1, 2, 3, 4, 5, ...). The recent Fedora discussion on bundling libraries with its Java implementation would look like just another in a long series, but it also shines a light on the unique challenges of shipping Java in a fast-moving community distribution.
Security updates for Thursday
Security updates have been issued by Debian (mailman and python-bottle), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, subversion:1.14, and xz), Scientific Linux (python-twisted-web), Slackware (httpd), and Ubuntu (ca-certificates, ffmpeg, ghostscript, and varnish).
[$] LWN.net Weekly Edition for June 9, 2022
The LWN.net Weekly Edition for June 9, 2022 is available.
[$] ioctl() forever?
In a combined storage and filesystem session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM), Luis Chamberlain and James Bottomley led a discussion about the use of ioctl() as a mechanism for configuration. There are plenty of downsides to the use of ioctl() commands, and alternatives exist, but in general kernel developers have chosen to continue using this multiplexing system call. While there is interest in changing things, at least in some quarters, the discussion did not seem to indicate major changes on the horizon.
OpenSUSE Leap 15.4 released
Version 15.4 of the openSUSE Leap distribution has been released. "Leap 15.4 is a feature release version and provides a significant amount of updates from previous Leap 15.x versions along with new offerings". Changes include the addition of openSUSE Leap Micro, improved codec support, KDE Plasma 5.24, and more. This release also deprecates Python 2 support.
Security updates for Wednesday
Security updates have been issued by Debian (avahi), Fedora (firefox), Oracle (grub2, python-twisted-web, shim, shim-signed, and thunderbird), Red Hat (kernel and python-twisted-web), SUSE (gcc48, go1.17, go1.18, and mariadb), and Ubuntu (e2fsprogs, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-intel-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oem-5.14, linux-oem-5.17, and ntfs-3g).
[$] Best practices for fstests
As a followup to a session on testing challenges earlier in the day, Josef Bacik led a discussion on best practices for testing in a combined storage and filesystem session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM). There are a number of ways that developers can collaborate on improving the testing landscape using fstests and blktests, starting with gathering and sharing information about which tests are expected to pass and fail. That information depends on a lot of different factors, including kernel version and configuration, fstest options, and more.
Fedora 34 is EOL
The Fedora 34 distribution release has gone out of the supported mode: "No further updates, including security updates, will be available for Fedora 34". Users should update to the Fedora 35 or 36 release.
Security updates for Tuesday
Security updates have been issued by Debian (glib2.0, librecad, and php-horde-mime-viewer), Fedora (vim), and Ubuntu (freerdp2, ruby2.3, ruby2.5, ruby2.7, ruby3.0, and vim).
Rosenzweig: Conformant open source support for Mali-G57
Alyssa Rosenzweig announces a milestone for support of Mali GPUs with free software:
[$] 5.19 Merge window, part 2
The 5.19 merge window was closed with the 5.19-rc1 release on June 5 after the addition of 13,124 non-merge changesets to the mainline kernel. That makes this merge window another busy one, essentially matching the 13,204 changesets seen for 5.18. The approximately 8,500 changesets merged since our first 5.19 merge-window summary contain quite a bit of new functionality; read on for a summary of the most interesting changes that were pulled during the second half of this merge window.
Tails 5.1 released
Version 5.1 of the Tor-oriented Tails distribution has been released. It includes some improvements to the Tor connection assistant and to handling of captive-portals, but the most significant change is arguably the delayed fix to a severe security vulnerability that had sparked suggestions that some users, at least, should stop using Tails temporarily.
Eight new stable kernels
Greg Kroah-Hartman has announced the release of the 5.18.2, 5.17.13, 5.15.45, 5.10.120, 5.4.197, 4.19.246, 4.14.282, and 4.9.317 stable kernels. Each contains a set of important fixes, as usual; users of those series should upgrade.
[$] Maintainers don't scale
In something of a grab-bag session, Josef Bacik led a discussion about various challenges that Linux kernel maintainers face, some of which lead to burnout. The session was originally going to be led by Darrick Wong, but he was unable to come to LSFMM, so Bacik gathered some of Wong's concerns and combined them with his own in a joint storage and filesystem session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM). As part of the discussion, Bacik presented his view on what the role of a kernel maintainer should be, which seemed to resonate with those present.
Security updates for Monday
Security updates have been issued by Debian (clamav, firefox-esr, pidgin, and thunderbird), Fedora (dotnet3.1, firefox, kernel, vim, and webkit2gtk3), Mageia (firefox/nss/nspr, gimp, logrotate, mariadb, thunderbird, trojita, webkit2, and webmin), Oracle (thunderbird), Red Hat (compat-openssl11, postgresql:10, postgresql:12, and thunderbird), Slackware (pidgin), and SUSE (openvpn).
Kernel prepatch 5.19-rc1
Linus has released 5.19-rc1 and closed the merge window for this cycle. "Judging by the merge window, this release is going to be on the bigger side, but certainly not breaking any records, and nothing looks particularly odd or crazy."
NixOS 22.05 released
Version 22.05 of the NixOS distribution is out. "NixOS is already known as the most up to date distribution and is the distribution with the most packages. This release saw 9345 new packages and 10666 updated packages". Significant changes include an update to version 2.8.0 of the Nix package manager with experimental support for flakes, GNOME 42, and many new services; see the release notes for details.
[$] What constitutes disclosure of a kernel vulnerability?
Opinions differ on the best way to disclose security vulnerabilities, but there is a general consensus in our community that vulnerabilities should, indeed, be made public at some point. What happens between the discovery of a vulnerability and its disclosure can be more controversial. A recent discussion on the handling of kernel vulnerabilities has led to change in the policies of the linux-distros mailing list — all based on the question of what constitutes "disclosure".
Security updates for Friday
Security updates have been issued by Debian (cifs-utils, debian-security-support, and pypdf2), Fedora (fapolicyd, mariadb, openssl, and qt5-qtbase), Oracle (firefox, maven:3.5, maven:3.6, postgresql:10, postgresql:12, and postgresql:13), Red Hat (.NET 6.0, firefox, gzip, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, pcs, rsync, subversion, thunderbird, and zlib), Scientific Linux (thunderbird), Slackware (mozilla), SUSE (firefox, hdf5, suse-hpc, kernel-firmware, libarchive, patch, php8, and redis), and Ubuntu (cifs-utils and vim).
Mozilla releases a machine-translation plugin
Mozilla has announced the release of a translation plugin for Firefox as part of the Project Bergamot initiative.
[$] Per-file OOM badness
The kernel tries hard to keep memory available for its present and future needs. Should that effort fail, though, the tool of last resort is the dreaded out-of-memory (OOM) killer, which is tasked with killing processes on the system to free their memory and alleviate the problem. The results of invoking the OOM killer are never going to be good, but they can be distinctly worse if the wrong processes are chosen for an untimely end. As one might expect, the effort to properly choose the right processes is an ongoing effort. Most recently, Christian König has proposed a new mechanism to address a blind spot in the OOM killer's deliberations.
Mazzoli: How fast are Linux pipes anyway?
Francesco Mazzoli delves deeply into the kernel's implementation of pipes (and more) in an attempt to maximize the throughput of data.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (thunderbird and vim), Red Hat (firefox, postgresql:10, postgresql:12, and postgresql:13), Scientific Linux (firefox and rsyslog), SUSE (hdf5, hdf5, suse-hpc, postgresql14, rubygem-yajl-ruby, and udisks2), and Ubuntu (imagemagick and influxdb).
[$] LWN.net Weekly Edition for June 2, 2022
The LWN.net Weekly Edition for June 2, 2022 is available.