Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-08 20:00
[$] Tornado Cash and collateral damage
On August 8, the US government sanctioned the Tornado Cash cryptocurrency mixer for money laundering. The sanction means that no US citizen or company can interact with Tornado Cash in any way, all assets of the organization are to be reported so that they can be seized, and more. But at the core of Tornado Cash is a chunk of open-source code for "smart contracts" that run in the Ethereum blockchain; that code was "seized" as well. There are some disturbing implications here for our communities.
Three big stable kernel updates
The massive 5.19.2 (1,157 patches), 5.18.18 (1,094 patches), and 5.15.61 (778 patches) stable updates have been released; each contains a lot of important fixes.
Security updates for Wednesday
Security updates have been issued by Debian (epiphany-browser, net-snmp, webkit2gtk, and wpewebkit), Fedora (python-yara and yara), Red Hat (kernel and kpatch-patch), SUSE (ceph, compat-openssl098, java-1_8_0-openjdk, kernel, python-Twisted, rsync, and webkit2gtk3), and Ubuntu (pyjwt and unbound).
[$] From late-bound arguments to deferred computation, part 1
Back in November, we looked at a Python proposal to have function arguments with defaults that get evaluated when the function is called, rather than when it is defined. The article suggested that the discussion surrounding the proposal was likely to continue on for a ways—which it did—but it had died down by the end of last year. That all changed in mid-June, when the already voluminous discussion of the feature picked up again; once again, some people thought that applying the idea only to function arguments was too restrictive. Instead, a more general mechanism to defer evaluation was touted as something that could work for late-bound arguments while being useful for other use cases as well.
Security updates for Tuesday
Security updates have been issued by CentOS (kernel), Debian (kernel), Fedora (webkit2gtk3), Oracle (.NET 6.0, .NET Core 3.1, kernel, and kernel-container), Slackware (rsync), and SUSE (canna, ceph, chromium, curl, kernel, opera, python-Twisted, and seamonkey).
Android 13 released
Version 13 of the Android system has landed in the Android Open Source Project; the list of changes is long.
[$] 6.0 Merge window, part 2
Linus Torvalds released 6.0-rc1 and closed the merge window on August 14, as expected; by then, 13,543 non-merge changesets had found their way into the mainline repository. Just over half of those were pulled after our first 6.0 merge-window summary was written. The latter part of the merge window tends to be more focused on fixes than new features, but there were still a number of interesting changes added during this time.
Security updates for Monday
Security updates have been issued by Debian (trafficserver), Fedora (freeciv, gnutls, kernel, libldb, mingw-gdk-pixbuf, owncloud-client, rust-ffsend, samba, thunderbird, and zlib), Gentoo (apache, binutils, chromium, glibc, gstreamer, libarchive, libebml, nokogiri, puma, qemu, xen, and xterm), Mageia (golang, libtiff, poppler, python-django, and ruby-sinatra), Red Hat (.NET 6.0 and .NET Core 3.1), SUSE (chromium, cifs-utils, kernel, open-iscsi, and trousers), and Ubuntu (webkit2gtk).
Kernel prepatch 6.0-rc1
Linus has released 6.0-rc1 and closed the merge window for this release.
[$] A fuzzy issue of responsible disclosure
Fuzz testing is the process of supplying a program with random inputs and watching to see what breaks; it has been responsible for the identification of vast numbers of bugs in recent years — and the fixing of many of them. Developers generally appreciate bug reports, but they can sometimes be a bit less enthusiastic about a flood of reports from automated fuzzing systems. A recent discussion around filesystem fuzzing highlighted two points of view on whether the current fuzz-testing activity is a good thing.
Security updates for Friday
Security updates have been issued by Debian (gnutls28, libtirpc, postgresql-11, and samba), Fedora (microcode_ctl, wpebackend-fdo, and xen), Oracle (.NET 6.0, galera, mariadb, and mysql-selinux, and kernel), SUSE (dbus-1 and python-numpy), and Ubuntu (booth).
Rust 1.63.0 released
Version 1.63.0 of the Rust language has been released. Changes include the addition of scoped threads, a new ownership model for raw file descriptors, and the completion of the borrow-checker transition:
The quantum state of Linux kernel garbage collection (Project Zero)
The Project Zero blog has posted a detailed look at CVE-2021-0920 in the first of a two-part series on how this bug created a vulnerability that was subsequently exploited.
[$] The trouble with 64-bit DMA
We live in a 64-bit world, to the point that many distributors want to stop supporting 32-bit systems at all. However, lurking within our 64-bit kernels is a subsystem that has not really managed to move past 32-bit addresses. The quick merge-window failure of an attempt to use 64-bit addresses in the I/O memory-management unit (IOMMU) subsystem shows how hard it can be to leave all of one's 32-bit history behind.
New stable kernels
Greg Kroah-Hartman has announced the release of the 5.19.1, 5.18.17, 5.15.60, 5.10.136, 5.4.210, and 4.19.255 stable kernels. They contain a fairly small set of important fixes; users should upgrade.
Security updates for Thursday
Security updates have been issued by Gentoo (aiohttp, faac, isync, motion, and nextcloud), Red Hat (.NET 6.0), SUSE (libnbd, oracleasm, python-codecov, rubygem-tzinfo, sssd, and thunderbird), and Ubuntu (http-parser, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi, linux-intel-iotg, linux-oem-5.14, linux-oem-5.17, and node-moment).
[$] LWN.net Weekly Edition for August 11, 2022
The LWN.net Weekly Edition for August 11, 2022 is available.
[$] Kolibri and GNOME
Offline computing and learning was something of a theme at GUADEC 2022 as there were multiple talks by people from the Endless OS Foundation, which targets that use case. Dylan McCall and Manuel Quiñones had a talk on day two about a switch that Endless has made over the last few years away from its home-rolled "knowledge apps" to apps based on the Kolibri learning platform. While Endless has its roots in GNOME, and Kolibri runs well in that environment, the switch will allow Endless to reach users who are not running a GNOME desktop.
Security updates for Wednesday
Security updates have been issued by Debian (gst-plugins-good1.0), Fedora (firefox and ghostscript), Gentoo (consul, firefox, libass, libraw, lxml, mdbtools, pam_u2f, spice, and thunderbird), Oracle (kernel, kernel-container, and vim), Red Hat (galera, mariadb, and mysql-selinux, kernel, and kernel-rt), Scientific Linux (kernel), SUSE (bind, java-11-openjdk, kernel, mokutil, ncurses, and u-boot), and Ubuntu (epiphany-browser, libcdio, linux, linux-aws, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle).
[$] Adding auditing to pip
A tool to discover known security vulnerabilities in the Python packages installed on a system or required by a project, called pip-audit, was recently discussed on the Python discussion forum. The developers of pip-audit raised the idea of adding the functionality directly into the pip package installer, rather than keeping it as a separately installable tool. While the functionality provided by pip-audit was seen as a clear benefit to the ecosystem, moving it inside the pip "tent" was not as overwhelmingly popular. It is not obvious that auditing is part of the role that the package installer should play.
Security updates for Tuesday
Security updates have been issued by Debian (gnutls28 and unzip), Fedora (dovecot and net-snmp), Red Hat (kernel-rt and vim), and Ubuntu (gst-plugins-good1.0).
Security updates for Monday
Security updates have been issued by Debian (chromium, libtirpc, and xorg-server), Fedora (giflib, mingw-giflib, and teeworlds), Mageia (chromium-browser-stable, kernel, kernel-linus, mingw-giflib, osmo, python-m2crypto, and sqlite3), Oracle (httpd, php, vim, virt:ol and virt-devel:ol, and xorg-x11-server), SUSE (caddy, crash, dpkg, fwupd, python-M2Crypto, and trivy), and Ubuntu (gdk-pixbuf, libjpeg-turbo, and phpliteadmin).
OpenSUSE considers dropping reiserfs
As Jeff Mahoney notes in this message to the openSUSE factory list, the reiserfs filesystem has been unmaintained for years and lacks many of the features that users have come to expect. He has thus proposed removing reiserfs from openSUSE Tumbleweed immediately.
[$] 6.0 Merge window, part 1
The merge window for the kernel that will probably be called "6.0" has gotten off to a strong start, with 6,820 non-merge changesets pulled into the mainline repository in the first few days. The work pulled so far makes changes all over the kernel tree; read on for a summary of what has happened in the first half of this merge window.
Security updates for Friday
Security updates have been issued by CentOS (firefox, thunderbird, and xorg-x11-server), Debian (xorg-server), Gentoo (Babel, go, icingaweb2, lib3mf, and libmcpp), Oracle (389-ds:1.4, go-toolset:ol8, httpd, mariadb:10.5, microcode_ctl, and ruby:2.5), Red Hat (xorg-x11-server), Scientific Linux (xorg-x11-server), SUSE (buildah, go1.17, go1.18, harfbuzz, python-ujson, qpdf, u-boot, and wavpack), and Ubuntu (gnutls28, libxml2, mod-wsgi, openjdk-8, openjdk-8, openjdk-lts, openjdk-17, openjdk-18, and python-django).
GitLab plans to delete dormant projects in free accounts (Register)
The Register reports that GitLab is planning to start deleting repositories belonging to free accounts if they have been inactive for at least a year.
[$] A security-module hook for user-namespace creation
The Linux Security Module (LSM) subsystem works by way of an extensive set of hooks placed strategically throughout the kernel. Any specific security module can attach to the hooks for the behavior it intends to govern and be consulted whenever a decision needs to be made. The placement of LSM hooks often comes with a bit of controversy; developers have been known to object to the performance cost of hooks in hot code paths, and sometimes there are misunderstandings over how integration with LSMs should be handled. The disagreement over a security hook for the creation of user namespaces, though, is based on a different sort of concern.
Mena Quintero: Paying technical debt in our accessibility infrastructure
On his blog, Federico Mena Quintero posted a transcript of his recent talk at GUADEC 2022 on the technical debt in the GNOME accessibility infrastructure—and what he has been doing to help pay that down. He began the talk by describing the infrastructure and how it came about:
Security updates for Thursday
Security updates have been issued by Fedora (lua), Oracle (kernel), Red Hat (389-ds:1.4, django, firefox, go-toolset and golang, go-toolset-1.17 and go-toolset-1.17-golang, go-toolset:rhel8, java-1.8.0-ibm, java-17-openjdk, kernel, kernel-rt, kpatch-patch, mariadb:10.5, openssl, pcre2, php, rh-mariadb105-galera and rh-mariadb105-mariadb, ruby:2.5, thunderbird, vim, and virt:rhel and virt-devel:rhel), Scientific Linux (firefox and thunderbird), SUSE (drbd, java-17-openjdk, java-1_8_0-ibm, keylime, ldb, samba, mokutil, oracleasm, pcre2, permissions, postgresql-jdbc, python-numpy, samba, tiff, u-boot, and xscreensaver), and Ubuntu (nvidia-graphics-drivers-390, nvidia-graphics-drivers-450-server, nvidia-graphics-drivers-470, nvidia-graphics-drivers-470-server, nvidia-graphics-drivers-510, nvidia-graphics-drivers-510-server, nvidia-graphics-drivers-515, nvidia-graphics-drivers-515-server).
[$] LWN.net Weekly Edition for August 4, 2022
The LWN.net Weekly Edition for August 4, 2022 is available.
[$] Oaxaca, Endless OS, and indigenous languages
A rural Mexican state was the setting for an initiative to use the GNOME-based Endless OS to improve education in indigenous communities. Over the last several years, the Endless OS Foundation has teamed up with the Fundación Alfredo Harp Helú Oaxaca (FAHHO) to deliver offline-first computers to those communities, but also to assist these communities in preserving their native languages. In a talk at GUADEC 2022, Rob McQueen provided a look at the project and what it has accomplished.
Four more stable kernel updates
The 5.18.16, 5.15.59, 5.10.135, and 5.4.209 stable kernel updates have been released; each contains another set of important fixes.
Vetter: Locking engineering hierarchy
Daniel Vetter continues his series on locking in the kernel.
Security updates for Wednesday
Security updates have been issued by CentOS (389-ds-base, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, postgresql, python, python-twisted-web, python-virtualenv, squid, thunderbird, and xz), Fedora (ceph, firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, and kubernetes), Oracle (firefox, go-toolset and golang, libvirt libvirt-python, openssl, pcre2, qemu, and thunderbird), SUSE (connman, drbd, kernel, python-jupyterlab, samba, and seamonkey), and Ubuntu (linux-oem-5.14, linux-oem-5.17 and ntfs-3g).
[$] Crosswords for GNOME
Jonathan Blandford, who is a longtime GNOME contributor—and a cruciverbalist for longer still—thought it was time for GNOME to have a crossword puzzle application. So he set out to create one, which turned into something of a yak-shaving exercise, but also, ultimately, into Crosswords. Blandford came to GUADEC 2022 to give a talk describing his journey bringing this brain exerciser (and productivity bane) to the GNOME desktop.
Go 1.19 released
Version 1.19 of the Go programming language has been released. "Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before". This release includes some memory-model tweaks, a LoongArch port, improvements in the documentation-comment mechanism, and more.
GNU C Library 2.36 released
Version 2.36 of the GNU C Library has been released. Changes include support for the new DT_RELR relocation format, wrappers for the process_madvise(), process_mrelease(), pidfd_open(), pidfd_getfd(), and pidfd_send_signal() system calls, wrappers for the new filesystem mounting API, a DNS stub resolver that only does IPv4 queries, support for the BSD arc4random() API (despite some last-minute discussion), LoongArch architecture support, and more.
Security updates for Tuesday
Security updates have been issued by Debian (curl and jetty9), Fedora (dovecot), Gentoo (vault), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and squid), SUSE (booth, dovecot22, dwarves and elfutils, firefox, gimp, java-11-openjdk, kernel, and oracleasm), and Ubuntu (linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, net-snmp, and samba).
[$] Some 5.19 development statistics
The 5.19 kernel was released, after a one-week delay to deal with the fallout from the Retbleed mitigations, on July 31. By that time, 16,399 commits (15,134 non-merge and 1,265 merges) had found their way into the mainline repository, making this development cycle the busiest since 5.13 (16,030 non-merge changesets and 1,157 merges). Tradition dictates that now is the time for a look at where the changes in 5.19 came from, and we've learned not to go against tradition.
The 2022 Linux Plumbers Conference schedule is out
The 2022 Linux Plumbers Conference (LPC) has announced its schedule. The conference will be held in Dublin, Ireland, September 12-14.
Security updates for Monday
Security updates have been issued by Debian (booth, libpgjava, and thunderbird), Fedora (3mux, act, age, antlr4-project, apache-cloudstack-cloudmonkey, apptainer, aquatone, aron, asnip, assetfinder, astral, bettercap, buildah, butane, caddy, cadvisor, cheat, chisel, clash, clipman, commit-stream, containerd, cri-o, darkman, deepin-gir-generator, direnv, dnscrypt-proxy, dnsx, docker-distribution, doctl, douceur, duf, ffuf, fzf, geoipupdate, git-lfs, git-octopus, git-time-metric, glide, gmailctl, gnutls, go-bindata, goaltdns, gobuster, godep, godoctor, godotenv, gojq, golist, goloris, gomtree, google-guest-agent, gotags, gotun, grafana, gron, grpcurl, hakrevdns, hcloud, htmltest, httprobe, hulk, ignition, jid, kata-containers, kiln, kompose, kubernetes, libldb, manifest-tool, mass3, meg, meshbird, micro, mingw-harfbuzz, mingw-poppler, moby-engine, mqttcli, nats-server, nebula, netscanner, oci-seccomp-bpf-hook, ohmybackup, onionscan, open-policy-agent, origin, osbuild-composer, podman-tui, popub, powerline-go, reposurgeon, restic, runc, samba, shellz, shhgit, skopeo, snapd, snowcrash, source-to-image, subfinder, syncthing, sysutil, terrier, thunderbird, tiedot, toolbox, vgrep, vultr, vultr-cli, webanalyze, webkit2gtk3, weldr-client, wgctrl, xe-guest-utilities-latest, xen, xq, yggdrasil, yubihsm-connector, and a vast number of golang packages), Mageia (chromium-browser-stable, firefox, gdk-pixbuf2.0, python-ujson, and webmin), Red Hat (firefox and thunderbird), Slackware (gnutls), and SUSE (chromium, firefox, mozilla-nss, rubygem-tzinfo, samba, and xen).
The 5.19 kernel is out
Linus has released the 5.19 kernel.
Linux Mint 21 released
Version 21 of the Ubuntu-based Linux Mint distribution is out; it is available in the Cinnamon, MATE, and Xfce flavors. This is a long-term-support release that will receive updates until 2027.
Kicinski: TLS 1.3 Rx improvements in Linux 5.20
Jakub Kicinski provides an overview of some changes to the in-kernel TLS implementation coming in the next development cycle:
Seven new stable kernels
Greg Kroah-Hartman has announced the release of the 5.18.15, 5.15.58, 5.10.134, 5.4.208, 4.19.254, 4.14.290, and 4.9.325 stable kernels. As usual, these kernels contain important fixes throughout the tree. Note that the Retbleed mitigations have not been backported any further back than the 5.10.x series at this point.
[$] Direct host system calls from KVM
As a general rule, virtualization mechanisms are designed to provide strong isolation between a host and the guest systems that it runs. The guests are not trusted, and their ability to access or influence anything outside of their virtual machines must be tightly controlled. So a patch series allowing guests to execute arbitrary system calls in the host context might be expected to be the cause of significantly elevated eyebrows across the net. Andrei Vagin has posted such a series with the expected results.
Security updates for Friday
Security updates have been issued by Fedora (xorg-x11-server and xorg-x11-server-Xwayland), SUSE (aws-iam-authenticator, ldb, samba, libguestfs, samba, and u-boot), and Ubuntu (firefox, intel-microcode, libtirpc, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-gcp-5.4, linux-gke-5.4, mysql-5.7, and mysql-5.7, mysql-8.0).
[$] Security requirements for new kernel features
The relatively new io_uring subsystem has changed the way asynchronous I/O is done on Linux systems and improved performance significantly. It has also, however, begun to run up a record of disagreements with the kernel's security community. A recent discussion about security hooks for the new uring_cmd mechanism shows how easily requirements can be overlooked in a complex system with no overall supervision.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (chromium, gnupg1, java-17-openjdk, osmo, and podman), Oracle (grafana and java-17-openjdk), Red Hat (389-ds:1.4, container-tools:rhel8, grafana, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, pandoc, squid, and squid:4), Slackware (samba), and SUSE (crash, mariadb, pcre2, python-M2Crypto, virtualbox, and xen).
[$] LWN.net Weekly Edition for July 28, 2022
The LWN.net Weekly Edition for July 28, 2022 is available.