LWN.net

Version100.0 of the Firefox browser has been released. New features includevideo caption display on various proprietary sites, multiple-languagespelling checking, invisible scrollbars, and more.

Python's match statement, which provides a long-sought C-likeswitch statement—though it is far more than that—has now been part of thelanguage for more than six months. One of the authors of the series of PythonEnhancement Proposals (PEPs) that described the feature, Brandt Bucher, came to PyCon 2022 in Salt Lake City, Utah to talkabout the feature. He gave an overview of its history, some of its many-facetedabilities, a bit about how it was implemented, and some thoughts on itsfuture, in a presentation onApril 29, which was the first day of talks for the conference.

Version 4.7 of the SystemTap tracing system is out. "Enhancements to this release include: a new stap-profile-annotatetool, a new --sign-module module signing option, -d is now implied forprocesses specified with -c/-x".

Security updates have been issued by Debian (jackson-databind, kernel, openvpn, and twisted), Fedora (xz), Mageia (chromium-browser-stable and curl), Oracle (vim and xmlrpc-c), Red Hat (gzip), Slackware (libxml2), SUSE (git, python39, and subversion), and Ubuntu (libvirt and mysql-5.7, mysql-8.0).

The classic NUMA architecture is built around nodes, each of which containsa set of CPUs and some local memory; all nodes are more-or-less equal.Recently, though, "tiered-memory" NUMA systems have begun to appear; theseinclude CPU-less nodes that contain persistent memory rather than (faster,but more expensive) DRAM. One possible use for thatmemory is to hold less-frequently-used pages rather than forcing them outto a backing-store device. There is an interesting problem that emergesfrom this use case, though: how does the kernel manage the movement ofpages between faster and slower memory? Several recent patch sets havetaken differing approaches to the problem of rebalancing memory on thesesystems.

Richard Hughes announcesthe fwupd 1.8.0 release and notes that the associated Linux Vendor Firmware Service has now shippeda minimum of 50 million firmware updates.

Security updates have been issued by Debian (ffmpeg, ghostscript, libarchive, and tinyxml), Fedora (CuraEngine, epiphany, gzip, usd, vim, xen, and xz), Oracle (maven-shared-utils and qemu), Red Hat (gzip, python27-python and python27-python-pip, rh-maven36-maven-shared-utils, rh-python38-python, rh-python38-python-lxml, and rh-python38-python-pip, and zlib), Slackware (pidgin), SUSE (jasper, java-11-openjdk, libcaca, libslirp, mariadb, mutt, nodejs12, opera, and python-Twisted), and Ubuntu (libinput).

Drew DeVault has announcedthe existence of a new programming language called "Hare".

Nathan Willis tooka long look at the Open Source Initiative's 2022 board election andwasn't entirely pleased with what he saw.

The 5.18-rc5 kernel prepatch is out fortesting. "So if rc4 last week was tiny and smaller than usual, it seems to havebeen partly timing, and rc5 is now a bit larger than usual.But only a very tiny bit larger - certainly not outrageously so, andnot something that worries me."

The 5.15.37 and4.19.241stable kernel updates have been released; each contains a relatively smallnumber of important fixes.

TechRepublic has published aninterview with Fedora project leader Matthew Miller.

One of the changes merged for the 5.18 kernel was a specialized memory allocator for BPFprograms that have been loaded into the kernel. Since then, though, thisfeature has run into a fair amount of turbulence and will almost certainly be disabledin the final 5.18 release. This outcome is partly a result of bugs in theallocator itself, but this work also had the bad luck to trip some olderand deeper bugs within the kernel's memory-management subsystem.

Security updates have been issued by Fedora (dhcp, gzip, podman, rsync, and usd), Mageia (firefox/nss/rootcerts, kernel, kernel-linus, and thunderbird), Oracle (container-tools:2.0, container-tools:3.0, mariadb:10.3, and zlib), Red Hat (Red Hat OpenStack Platform 16.2 (python-twisted), xmlrpc-c, and zlib), SUSE (glib2, nodejs12, nodejs14, python-paramiko, python-pip, and python-requests), and Ubuntu (curl, ghostscript, libsdl1.2, libsdl2, mutt, networkd-dispatcher, and webkit2gtk).

There is a long and growing list of options for getting information out ofthe kernel but, in the real world, print statements still tend to be thetool of choice. The kernel's printk()function often comes up short, despite the fact that it provides a set ofkernel-specific features, so there has, for some time, been interest inbetter APIs for textual output from the kernel. The "printbuf"proposal from Kent Overstreet is one step in that direction, but willneed some changes to make it work well with features the kernel alreadyhas.

Security updates have been issued by Debian (chromium, golang-1.7, and golang-1.8), Fedora (bettercap, chisel, containerd, doctl, gobuster, golang-contrib-opencensus-resource, golang-github-appc-docker2aci, golang-github-appc-spec, golang-github-containerd-continuity, golang-github-containerd-stargz-snapshotter, golang-github-coredns-corefile-migration, golang-github-envoyproxy-protoc-gen-validate, golang-github-francoispqt-gojay, golang-github-gogo-googleapis, golang-github-gohugoio-testmodbuilder, golang-github-google-containerregistry, golang-github-google-slothfs, golang-github-googleapis-gnostic, golang-github-googlecloudplatform-cloudsql-proxy, golang-github-grpc-ecosystem-gateway-2, golang-github-haproxytech-client-native, golang-github-haproxytech-dataplaneapi, golang-github-instrumenta-kubeval, golang-github-intel-goresctrl, golang-github-oklog, golang-github-pact-foundation, golang-github-prometheus, golang-github-prometheus-alertmanager, golang-github-prometheus-node-exporter, golang-github-prometheus-tsdb, golang-github-redteampentesting-monsoon, golang-github-spf13-cobra, golang-github-xordataexchange-crypt, golang-gopkg-src-d-git-4, golang-k8s-apiextensions-apiserver, golang-k8s-code-generator, golang-k8s-kube-aggregator, golang-k8s-sample-apiserver, golang-k8s-sample-controller, golang-mongodb-mongo-driver, golang-storj-drpc, golang-x-perf, gopass, grpcurl, onionscan, shellz, shhgit, snowcrash, stb, thunderbird, and xq), Oracle (gzip, kernel, and polkit), Slackware (curl), SUSE (buildah, cifs-utils, firewalld, golang-github-prometheus-prometheus, libaom, and webkit2gtk3), and Ubuntu (nginx and thunderbird).

The LWN.net Weekly Edition for April 28, 2022 is available.

Running code from inside a cloned Git repository is potentially risky, butnormally just inspecting such a repository is considered to be safe. As arecent posting to the Git mailing list shows, however, there are stillrisks lurking inside these repositories; code that lives in them can betriggered in unexpected ways. In particular, malicious "bare" repositoriescan be added as a subdirectory of a repository; they can be configured to runcode whenever Git commands are executed there, which is something that canhappen in surprising ways. There is now an effortunderway to try to address the problem in Git, without breaking thelegitimate need for including bare repositories into a Git tree.

As was recently reported here, the Fedoraproject has been considering dropping support for legacy BIOS systems inupcoming releases. The idea was controversial at best, and the minutes from the April 26 FESCo meetingshow that it has been rejected, for now at least. The BIOS SIG will beasked for a new plan for BIOS support in Fedora.

Version 4.0 of the YoctoProject distribution builder is out. Changes include a move to the 5.15 kernel, reproducibility fixes, improvedoverlayfs support, numerous security updates, and a long list of new recipes.

The5.17.5,5.15.36,5.10.113,5.4.191,4.19.240,4.14.277, and4.9.312stable kernels have all been released, one day earlier than had originallybeen expected.As usual, each contains another set of important fixes.

Security updates have been issued by Mageia (virtualbox), Red Hat (container-tools:2.0, container-tools:3.0, gzip, kernel, kernel-rt, kpatch-patch, mariadb:10.3, mariadb:10.5, maven-shared-utils, polkit, vim, xmlrpc-c, and zlib), Scientific Linux (maven-shared-utils), SUSE (ant, go1.17, go1.18, kernel, and xen), and Ubuntu (fribidi, git, libcroco, libsepol, linux, linux-gcp, linux-ibm, linux-lowlatency, openjdk-17, and openjdk-lts).

Python's super()built-in function can be somewhat confusing, as highlighted by a hugepython-ideas thread that we started lookingat last week. It is used by methods in class hierarchies to accessmethods and attributes in a parent class, but exactly which classthat super() resolves to is perhaps a bit unclear in multiple-inheritance hierarchies.The discussion in the second "half" of the thread further highlighted somelesser-known parts of the language.

Version 19 of theAndroid-based LineageOS distribution has been released.

Security updates have been issued by Debian (ffmpeg), Fedora (htmldoc, moby-engine, plantuml, and zchunk), Oracle (java-1.8.0-openjdk, java-17-openjdk, and kernel), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk), Slackware (freerdp), SUSE (kernel, mutt, SUSE Manager Client Tools, and xen), and Ubuntu (barbican and git).

The kernel gained support for the TLSprotocol in the 4.13 release, which came out in September 2017. Thatsupport is incomplete, though, in that it does not provide the kernel witha way to initiate a TLS connection on its own. Instead, user space createsa socket and performs the TLS handshake before handing the socket to thekernel, which can then transfer data using TLS. The situation may be aboutto change as a result of thispatch series from Chuck Lever — though user space will still need toremain in the picture.

Dave Täht has put together a summary of thestate of fair queuing and the fight against bufferbloat in general.

Security updates have been issued by Fedora (kernel, kernel-headers, kernel-tools, libinput, podman-tui, and vim), Mageia (git, gzip/xz, libdxfrw, libinput, librecad, and openscad), and SUSE (dnsmasq, git, libinput, libslirp, libxml2, netty, podofo, SDL, SDL2, and tomcat).

The 5.18-rc4 kernel prepatch is out fortesting. "Fairly slow and calm week - which makes me just suspectthat the other shoe will drop at some point. But maybe things are justgoing really well this release. It's bound to happen _occasionally_, afterall."

Subsystem maintainers routinely use gitrequest-pull as part of the process of sending work upstream. Normally, the result includes a list ofcommits included in the request and a nicediffstat that shows which files will be touched and how much of each willbe changed; examplesabound on the kernel mailing lists. Occasionally, though, a repository with a relativelycomplicated development history will yield a massive diffstat containing agreat deal of unrelated work. The result looks ugly and obscures what thepull request is actually doing. This document describes what is happeningand how to fix things up; it is derived from The Wisdom of Linus Torvalds,which has been posted numerous times over the years (example 1,example 2).

Security updates have been issued by Fedora (composer, golang-x-crypto, rubygem-nokogiri, wavpack, xen, and xz) and SUSE (dnsmasq, openjpeg, swtpm, tomcat, and xen).

OpenBSD 7.1 has been released. The list of changes and new features islong, as usual; see the full text, below, for all the details.

The Ubuntu 22.04 LTS release, codenamed "Jammy Jellyfish", is now available. It comes in several editions (Desktop, Server, Cloud, and Core) and multiple flavors (Ubuntu Budgie, Kubuntu, Lubuntu, Ubuntu Kylin, Ubuntu MATE,UbuntuStudio, and Xubuntu). Lots more information can be found in the release notes.

The Debian project leader election has completed and Jonathan Carter has been reelected for his third term. For more information, see the Debian vote page. We looked at the candidates back in March.

The world of music and audio production is largely dominated byproprietary software vendors. Among them, Steinberg stands out as a companythat created some of the most-used software, including the Cubase and Nuendo digital audioworkstations. Steinberg is also known as the creator of the VST plugin APIthat, largely due to its licensing policy, has irritated developers enough toinspire multiple attempts at creating an open-source alternative. Even now,when the VST3 SDK is available under theGPLv3 license, the way the company exercises its control over the SDKkeeps pushing developers away toward other open-source solutions.This is an introduction to open-source pluginAPIs for musicians and sound engineers alike. It focuses on the options inthe larger ecosystem and how their shortcomings led to the creation of newalternatives with liberal licensing.

Security updates have been issued by Fedora (frr, grafana, gzip, and pdns), Oracle (java-11-openjdk), Red Hat (java-11-openjdk and kernel), Scientific Linux (java-11-openjdk), SUSE (dcraw, GraphicsMagick, gzip, kernel, nbd, netty, qemu, SDL, and xen), and Ubuntu (libinput, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, inux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, and linux-oem-5.14).

The OpenWrt 21.02.3and 19.07.10updates have been released. These updates contain some security fixes andimproved device support. It's noting that this is the last 19.07 update:

The LWN.net Weekly Edition for April 21, 2022 is available.

A proposal to "deprecate" support for BIOS-only systems for Fedora, by no longersupporting new installations on those systems, led to a predictably longdiscussion on the Fedora devel mailing list. There are, it seems, quite a fewusers who still have BIOS-based systems; many do not want tohave to switch away from Fedora simply to keep their systems up to date.But, sometime in the future, getting rid of BIOS support seems inevitable since theburden on those maintaining the tools for installing and bootingthose systems is non-trivial and likely to grow over time. To headthat off, a special interest group (SIG) may form to help keep BIOS supportalive until it really is no longer needed.

On his blog, Tom Tromey writes about speeding up the startup of the GDB debugger. He sees 7x improvements in startup time (e.g. 2.2 to 0.3 seconds) for C++ code.

Security updates have been issued by Debian (condor), Red Hat (389-ds:1.4, container-tools:2.0, kernel, kernel-rt, and kpatch-patch), SUSE (chrony, containerd, expat, git, icedtea-web, jsoup, jsr-305, kernel, libeconf, shadow and util-linux, protobuf, python-libxml2-python, python3, slirp4netns, sssd, vim, and wpa_supplicant), and Ubuntu (bash).

The5.17.4,5.15.35,5.10.112,5.4.190,4.19.239,4.14.276,and 4.9.311 stable kernel updates have all beenreleased; each contains another relatively large set of important fixes.

The Google Project Zero blog is carrying areport on zero-day vulnerabilities found to be exploited during 2021.

A mega-thread in the python-ideas mailing list is hardly surprising, ofcourse; wehave covered quite a few of them over the years. A recent examplehelps shine a light into a dark—or at least dim—corner of the Pythonlanguage: the super()built-in function for use by methods in class hierarchies.There are some, perhaps surprising, aspects to super() along withwrinkles in how to properly use it. But it has been part of the languagefor a long time, so changes to its behavior, as was suggested in thethread, are pretty unlikely.

Luis Falcon brings the sad news that Pedro Francisco haspassed on. "Pedro created and managed MasGNULinux, a Spanish blog with news about FreeSoftware and GNU/Linux. MasGNULinux was the best reference in the latestFree Software projects for the Spanish speaking community."

Security updates have been issued by Debian (gzip and xz-utils), Fedora (dhcp and rsync), Mageia (chromium-browser-stable), openSUSE (chromium), SUSE (gzip, openjpeg2, and zabbix), and Ubuntu (klibc).

Steve McIntyre argues thatDebian needs to rethink its approach to non-free firmware.

Over on the blog for the GNU Guix project, which is a "transactional package manager and an advanced distribution of the GNU system that respects user freedom", the project reflects on its ten-year journey. The post consists of personal accounts from around two dozen contributors about the project, its history, and its community.

Version 2.36.0 of the Gitsource-code management system is out. As usual, the list of new featuresis long; this GitHubblog post covers some of the highlights:

The ftrace and perf subsystems provide visibility into the workings of thekernel; by activating existing tracepoints, interested developers can seewhat is happening at specific points in the code. As much as kerneldevelopers may resist the notion, though, not all events of interest on asystem happen within the kernel. Administrators will often want to lookinside user-space processes as well; they would be even happier with amechanism that allows the simultaneous tracing of events in both the kerneland user space. The user-eventssubsystem, developed by Beau Belgrave and addedduring the 5.18 merge window, promises that capability, but users will almost certainly have to waitanother cycle to gain access to it.