Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-23 16:15
Security updates for Monday
Security updates have been issued by Debian (apache-log4j2, libextractor, libpcap, and wireshark), Fedora (grub2, kernel, libopenmpt, log4j, mingw-binutils, mingw-python-lxml, and seamonkey), Mageia (golang, lapack/openblas, and samba), and openSUSE (go1.16, libaom, log4j12, logback, and runc).
Jami "Taranis" released
The Jami communication tool has released a major new stable version called "Taranis"; the blog post announcement explains: "Taranis, the Gallic and Celtic god of the sky, lightning and thunder, will be the baptismal name of this new version of Jami." The mailing-list announcement describes the tool this way:
Security updates for Friday
Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (httpd and singularity), Mageia (ldns, netcdf, php, ruby, thrift/golang-github-apache-thrift, thunderbird, and webkit2), openSUSE (go1.16, go1.17, libaom, and p11-kit), and SUSE (go1.16, go1.17, htmldoc, libaom, libvpx, logstash, openssh-openssl1, python3, and runc).
Darktable 3.8.0 released
Version 3.8.0 of the Darktable photo-processing application has been released. Significant changes include a new keyboard shortcut system, a new diffuse-or-sharpen module, a new "scene-referred" blurs module "to synthesize motion and lens blurs in a parametric and physically accurate way", support for the Canon CR3 raw format, and more.
Systemd 250 released
Systemd 250 has been released. To say that the list of new features is long would be a severe understatement; the developers have clearly been busy.
Krita 5.0 released
Version 5.0 of the Krita painting program has been released. "This is a huge release, with a lot of new features and improvements". Changes include a reworked resource system, dithered gradients, faster color management, a reworked animation subsystem, and more; see the release notes for details.
Security updates for Thursday
Security updates have been issued by Debian (openjdk-11), Fedora (keepalived and tang), openSUSE (openssh, p11-kit, runc, and thunderbird), Oracle (postgresql:12, postgresql:13, and virt:ol and virt-devel:ol), Red Hat (rh-maven36-log4j12), and SUSE (ansible, chrony, logstash, elasticsearch, kafka, zookeeper, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-thresh, openssh, p11-kit, python-Babel, and thunderbird).
[$] LWN.net Weekly Edition for December 23, 2021
The LWN.net Weekly Edition for December 23, 2021 is available.
[$] LWN's 2021 retrospective
It may have seemed questionable at times, but we have indeed survived yet another year — LWN's 22nd year of publication. That can only mean one thing: it is time to take a look back at our ill-advised attempt to make predictions in January and see how it all worked out. Shockingly, some of those predictions were at least partially on the mark. Others were ... not quite so good.
[$] A farewell to LWN
Back at the beginning of 2020, it was predicted that retirements would increase during this decade. In 2021, the prediction was that retirements would increase over the next couple of years. It is happening and LWN is no exception. I am retiring at the end of this year after more than 20 years with LWN. So who am I and how did I get here? To some, I'm a name at the bottom of some LWN page. To a few, I'm the one that reminds them when their LWN group subscription is about to expire. You might have even met me at a conference. Not that I have been to very many. Mostly I tend to be quietly in the background watching the LWN mailbox, looking for brief items and quotes of the week (sorry I haven't found much lately), proofreading articles, managing subscriptions, and more. But I'm older than most of you and this is my last LWN weekly edition. Getting here is a bit of story.
A set of stable kernels
Today's stable kernel updates are 5.15.11, 5.10.88, 5.4.168, 4.19.222, 4.14.259, 4.9.294, and 4.4.296. Each contains another set of important fixes.
Security updates for Wednesday
Security updates have been issued by CentOS (firefox, ipa, log4j, and samba), Debian (sogo, spip, and xorg-server), Fedora (jansi and log4j), Mageia (apache, apache-mod_security, kernel, kernel-linus, and x11-server), openSUSE (log4j and xorg-x11-server), Oracle (kernel, log4j, and openssl), and SUSE (libqt4 and xorg-x11-server).
[$] Locked root and rescue mode
Fedora is among the group of Linux distributions that, by default, lock out the root account such that it does not have a password and cannot be logged into. But, traditionally, "rescue mode" boots the system into single-user mode, which requires a root password—difficult to provide if it does not exist. A Fedora proposal to remove the need for the password in that case, and just drop into a root shell, does not seem likely to go far in that form, but it would seem to have pointed toward some better solutions for the underlying problem.
The Linux Foundation's report on diversity, equity, and inclusion in open source
The Linux Foundation has announced the posting of a report on its research into diversity, equity, and inclusion in open-source communities.
Security updates for Tuesday
Security updates have been issued by Mageia (log4j), openSUSE (chromium, log4j, netdata, and nextcloud), Oracle (kernel and kernel-container), Red Hat (kernel, kernel-rt, log4j, openssl, postgresql:12, postgresql:13, and virt:rhel and virt-devel:rhel), Slackware (httpd), SUSE (xorg-x11-server), and Ubuntu (firefox).
[$] Content blockers and Chrome's Manifest V3
A clarion call from the Electronic Frontier Foundation (EFF) warning about upcoming changes to the Chrome browser's extension API was not the first such—from the EFF or from others. The time of the switch to Manifest V3, as the new API is known, is growing closer; privacy advocates are concerned that it will preclude a number of techniques that browser extensions use for features like ad and tracker blocking. Part of the concern stems from the fact that Google is both the developer of a popular web browser and the operator of an enormous advertising network so its incentives seem, at least, plausibly misaligned.
Beware The CopyLEFT Trolls (Techdirt)
Techdirt looks at the problem of copyleft trolls, and those who target users of Creative Commons materials in particular.
Security updates for Monday
Security updates have been issued by Debian (apache-log4j2, firefox-esr, libssh2, modsecurity-apache, and tang), Fedora (lapack, log4j, rust-libsqlite3-sys, rust-rusqlite, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (bind, botan2, chromium-browser-stable, dovecot, hiredis, keepalived, log4j, matio, mediawiki, olm, openssh, pjproject, privoxy, vim, and watchdog), openSUSE (barrier, nim, and python-pip), Oracle (ipa and samba), Scientific Linux (ipa and samba), SUSE (log4j), and Ubuntu (apache-log4j2, htmldoc, python3.6, python3.7, python3.8, and python3.8, python3.9).
Kernel prepatch 5.16-rc6
The 5.16-rc6 kernel prepatch is out for testing.
GCompris Releases Version 2.0 (KDE.news)
Just in time for the upcoming holidays, "KDE's educational suite of more than 170 activities and pedagogical games", GCompris, has released version 2.0. It includes new and updated games and activities, including:
Understanding the Impact of Apache Log4j Vulnerability (Google)
The Google Security Blog looks into the ripple effects of the Log4j vulnerability.
[$] SA_IMMUTABLE and the hazards of messing with signals
There are some parts of the kernel where even the most experienced and capable developers fear to tread; one of those is surely the code that implements signals. The nature of the signal API almost guarantees that any implementation will be full of subtle interactions and complexities, and the version in Linux doesn't disappoint. So the inclusion of a signal-handling change late in the 5.16 merge window might have been expected to have the potential for difficulties; it didn't disappoint either.
Stable kernels 5.15.10, 5.10.87, and 5.4.167
Greg Kroah-Hartman has announced the release of the 5.15.10, 5.10.87, and 5.4.167 stable kernels. These are fairly small updates, but, unlike yesterday's single self-test bug fix updates, do contain important fixes throughout the tree; users should upgrade.
Security updates for Friday
Security updates have been issued by Debian (kernel), Fedora (dr_libs, libsndfile, and podman), openSUSE (fetchmail, log4j, log4j12, logback, python3, and seamonkey), Oracle (go-toolset:ol8, idm:DL1, and nodejs:16), Red Hat (go-toolset-1.16 and go-toolset-1.16-golang, ipa, rh-postgresql12-postgresql, rh-postgresql13-postgresql, and samba), Slackware (xorg), SUSE (log4j, log4j12, and python3), and Ubuntu (apache-log4j2 and openjdk-8, openjdk-lts).
New stable kernels
The 5.15.9, 5.10.86, and 5.4.166 stable kernels have been released. "Only change here is a permission setting of a netfilter selftest file. No need to upgrade if this problem is not bothering you."
[$] Lessons from Log4j
By now, most readers will likely have seen something about the Log4j vulnerability that has been making life miserable for system administrators since its disclosure on December 9. This bug is relatively easy to exploit, results in remote code execution, and lurks on servers all across the net; it is not hyperbolic to call it one of the worst vulnerabilities that has been disclosed in some years. In a sense, the lessons from Log4j have little new to teach us, but this bug does highlight some problems in the free-software ecosystem in an unambiguous way.
Security updates for Thursday
Security updates have been issued by Debian (apache-log4j2 and mediawiki), Fedora (libmysofa, libolm, and vim), Oracle (httpd), Red Hat (go-toolset:rhel8), and Ubuntu (apache-log4j2 and mumble).
[$] LWN.net Weekly Edition for December 16, 2021
The LWN.net Weekly Edition for December 16, 2021 is available.
[$] Wrangling the typing PEPs
When last we looked in on the great typing PEP debate for Python, back in August, two PEPs were still being discussed as alternatives for handling annotations in the language. The steering council was considering the issue after deferring on a decision for the Python 3.10 release, but the question has been deferred again for Python 3.11. More study is needed and the council is looking for help from the Python community to guide its decision. In the meantime, though, discussion about the deferral has led to the understanding that annotations are not a general-purpose feature, but are only meant for typing information. In addition, there is a growing realization that typing information is effectively becoming mandatory for Python libraries.
Mold (linker) 1.0 released
Version 1.0 of the mold linker has been released.
Security updates for Wednesday
Security updates have been issued by Fedora (libopenmpt), openSUSE (icu.691, log4j, nim, postgresql10, and xorg-x11-server), Red Hat (idm:DL1), SUSE (gettext-runtime, icu.691, runc, storm, storm-kit, and xorg-x11-server), and Ubuntu (xorg-server, xorg-server-hwe-18.04, xwayland).
Kdenlive 21.12 released
Version 21.12 of the Kdenlive video editor is out.
[$] Adding fs-verity support for Fedora 36?
Adding fs-verity file-integrity information to RPM packages for Fedora 36 is the topic of a recent discussion on the Fedora devel mailing list. The feature would provide a means to install files from RPM packages as read-only files that cannot be read or otherwise operated on if the data in the files changes at any point. The proposal is mostly about making the plumbing available for use cases that are not particularly clear—which has led to some questions and skepticism among those participating in the thread.
Stable kernel updates
Stable kernels 5.15.8, 5.10.85, 5.4.165, 4.19.221, 4.14.258, 4.9.293, and 4.4.295 have been released. As usual there are important fixes and users should upgrade.
Security updates for Tuesday
Security updates have been issued by Debian (libsamplerate and raptor2), Fedora (pam-u2f and python-markdown2), openSUSE (chromium, fetchmail, ImageMagick, and postgresql10), Oracle (samba), SUSE (fetchmail, postgresql10, python-pip, python3, and sles12sp2-docker-image), and Ubuntu (apache-log4j2, flatpak, glib, and samba).
[$] Digging into the community's lore with lei
Email is often seen as a technology with a dim future; it is slow, easily faked, and buried in spam. Kids These Days want nothing to do with it, and email has lost its charm with many others as well. But many development projects are still dependent on it, and even non-developers still cope with large volumes of mail. While development forges show one possible path away from email, they are not the only one. What if new structures could be built on top of email to address some of its worst problems while keeping the good parts that many projects depend on? The "lei" system recently launched by Konstantin Ryabitsev is a hint of how such a future might look.
Security updates for Monday
Security updates have been issued by Arch Linux (chromium, firefox, gitlab, grafana, grafana-agent, thunderbird, and vivaldi), Debian (apache-log4j2, privoxy, and wireshark), Fedora (firefox, grub2, mariadb, mod_auth_openidc, rust-drg, rust-tiny_http, and rust-tiny_http0.6), Mageia (chromium-browser-stable, curaengine, fetchmail, firefox, libvirt, log4j, opencontainers-runc, python-django, speex, and thunderbird), openSUSE (clamav, firefox, glib-networking, glibc, gmp, ImageMagick, log4j, nodejs12, nodejs14, php7, python-Babel, python-pip, webkit2gtk3, and wireshark), Red Hat (mailman:2.1 and samba), and SUSE (bcm43xx-firmware, firefox, glib-networking, ImageMagick, kernel-rt, and python-pip).
EFF: Chrome Users Beware: Manifest V3 is Deceitful and Threatening
The Electronic Frontier Foundation warns against Manifest V3, a set of changes coming to a Chrome browser near you.
Kernel prepatch 5.16-rc5
The 5.16-rc5 kernel prepatch is out for testing.
The Log4j mess
For those who have not yet seen it, this advisory from Apache describes a nasty vulnerability in the widely used Log4j package.
Mourning Fredrik "Effbot" Lundh
Guido van Rossum has posted the sad news that longtime Python contributor Fredrik Lundh has died.
drgn: How the Linux Kernel Team at Meta Debugs the Kernel at Scale (Meta)
The "Meta for Developers" blog has an introduction to the drgn kernel debugger.
[$] Stochastic bisection in Git
Regressions are no fun; among other things, finding the source of a regression among thousands of changes can be a needle-in-the-haystack sort of problem. The git bisect command can help; it is a (relatively) easy way to sift through large numbers of commits to find the one that introduces a regression. When it works well, it can quickly point out the change that causes a specific problem. Bisection is not a perfect tool, though; it can go badly wrong in situations where a bug cannot be reliably reproduced. In an attempt to make bisection more useful in such cases, Jan Kara is proposing to add "stochastic bisection" support to Git.
Security updates for Friday
Security updates have been issued by Debian (python-babel), Fedora (golang-github-opencontainers-image-spec and libmysofa), openSUSE (hiredis), Oracle (firefox and thunderbird), Red Hat (thunderbird and virt:8.2 and virt-devel:8.2), Scientific Linux (thunderbird), SUSE (kernel-rt and xen), and Ubuntu (firefox).
Haas: Surviving Without A Superuser - Part One
PostgreSQL developer Robert Haas has begun a blog series on what would be needed to allow database administrators to safely delegate superuser powers.
[$] Blocking straight-line speculation — eventually
The Spectre class of vulnerabilities was given that name because, it was thought, these problems would haunt us for a long time. As the fourth anniversary of the disclosure of Meltdown and Spectre approaches, there is no reason to doubt the accuracy of that name. One of the more recent Spectre variants goes by the name "straight-line speculation"; it was first disclosed in June 2020, but fixes are still trying to find their way into the compilers and the kernel.
Security updates for Thursday
Security updates have been issued by Fedora (firefox, libopenmpt, matrix-synapse, vim, and xen), Mageia (gmp, heimdal, libsndfile, nginx/vsftpd, openjdk, sharpziplib/mono-tools, and vim), Red Hat (java-1.8.0-ibm), Scientific Linux (firefox), SUSE (kernel-rt), and Ubuntu (bluez).
[$] LWN.net Weekly Edition for December 9, 2021
The LWN.net Weekly Edition for December 9, 2021 is available.
[$] Python discusses deprecations
Feature deprecations are often controversial, but many projects find it necessary, or desirable, to lose some of the baggage that has accreted over time. A mid-November request to get rid of three Python standard library modules provides a case in point. It was initially greeted as a good idea since the modules had been officially deprecated starting with Python 3.6; there are better ways to accomplish their tasks now. But, of course, removing a module breaks any project that uses it, at least without the project making some, perhaps even trivial, changes. The cost of that is not insignificant, and the value in doing so is not always clear, which led to higher-level conversation about deprecations.
Stable kernels for all
Stable kernels 5.15.7, 5.10.84, 5.4.164, 4.19.220, 4.14.257, 4.9.292, and 4.4.294 have been released. They all contain important fixes and users of those series should upgrade.