LWN.net

Stable kernels 5.14.15, 5.10.76, 5.4.156, 4.19.214, 4.14.253, 4.9.288, and 4.4.290 have been released. They all containimportant fixes and users should upgrade.

For those of you still using the X.org display server, version 21.1 isout. It includes "fully mature" meson build support, Glamorsupport in Xvfb, variable refresh rate support, touchpad gestures, andmore.

Security updates have been issued by Debian (mosquitto and php7.0), Fedora (python-django-filter and qt), Mageia (fossil, opencryptoki, and qtbase5), openSUSE (apache2, busybox, dnsmasq, ffmpeg, pcre, and wireguard-tools), Red Hat (kpatch-patch), SUSE (apache2, busybox, dnsmasq, ffmpeg, java-11-openjdk, libvirt, open-lldp, pcre, python, qemu, util-linux, and wireguard-tools), and Ubuntu (apport and libslirp).

Uniquely identifying users so that they can be tracked as they go abouttheir business on the internet is, sadly, a major goal for advertisers andothers today. Web browser cookies provide a fairly well-known avenuefor tracking users as they traverse various web sites, but mobile apps arenot browsers, so that mechanism is not available. As it turns out, though,there are ways to "fingerprint" Android devices—and likely those of other mobileplatforms—so that the device owners can be tracked as they hopbetween their apps.

Security updates have been issued by Debian (php7.3 and php7.4), Mageia (kernel and kernel-linus), openSUSE (chromium and virtualbox), Oracle (xstream), Red Hat (kernel, rh-ruby30-ruby, and samba), and Ubuntu (binutils and mysql-5.7).

The 5.15-rc7 kernel prepatch is out, ratherlater than would have normally been expected due to Linus's travel schedule.

Memory management is a balancing act in a number of ways. The kernel mustbalance the needs of current users of memory with anticipated future needs,for example. The kernel must also balance the act of reclaiming memory for other uses, which can involvewriting data to permanent storage, with the rate of data that theunderlying storage devices are able to accept. For years, thememory-management subsystem has used storage-device congestion as a signalthat it should slow down reclaim. Unfortunately, that mechanism, which wasa bit questionable from the beginning, has not worked in a long time. MelGorman is now trying to fix this problem with apatch set that moves the kernel away from the idea of waiting on congestion.

Security updates have been issued by Debian (faad2 and mailman), Fedora (java-11-openjdk, libzapojit, nodejs, python-reportlab, vim, and watchdog), Mageia (ansible, docker-containerd, flatpak, tomcat, and virtualbox), openSUSE (containerd, docker, runc), Oracle (firefox and thunderbird), Red Hat (xstream), Scientific Linux (xstream), SUSE (cairo and containerd, docker, runc), and Ubuntu (apport and mysql-5.7, mysql-8.0).

Since the early days, Unix-like systems have implemented the concept ofprocess priorities, where higher-priority processes are given moreCPU time to get their work done. Implementations have changed, andalternatives (such as deadline scheduling)are available for specialized situations, but the core priority (or, in aninverted sense, "niceness") concept remains essentially the same. What should happen, though, in a world whereincreasing amounts of computing work is done outside of the CPU? TvrtkoUrsulin has put together apatch set showing how the nice mechanism can be extended to GPUs aswell.

Security updates have been issued by Arch Linux (apache, chromium, nodejs, nodejs-lts-erbium, nodejs-lts-fermium, and virtualbox), Fedora (vsftpd and watchdog), Oracle (java-1.8.0-openjdk, java-11-openjdk, and redis:6), and Ubuntu (libcaca, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-azure-5.8, and mailman).

The Jalopnik automotive site has posted anarticle on a(relatively) new setof open-source tools that can extract log data from Tesla cars.

The Rust language project has announced the release of stable version 1.56.0 and the Rust 2021 edition.

For those who are curious about where the development of Git is headed:Johannes Schindelin has posted anextensive set of notes from the just-concluded Git Contributors'Summit.

While the BPF virtual machine has been supported by Linux for most ofthe kernel's existence, its role for much of that time was limited to, asits fullname (Berkeley packet filter) would suggest, filtering packets. That began to change in 2012 with the introductionof seccomp() filtering, and the pace picked up in 2014 with the arrivalof the extended BPF virtual machine. At this point, BPF hooks have found theirway into many kernel subsystems. One area that has remained BPF-free,though, is the CPU scheduler; that could change if some version ofthis patchset from Roman Gushchin finds its way into the mainline.

Security updates have been issued by Debian (python-babel, squashfs-tools, and uwsgi), Fedora (gfbgraph and rust-coreos-installer), Mageia (aom, libslirp, redis, and vim), openSUSE (fetchmail, go1.16, go1.17, mbedtls, ncurses, python, squid, and ssh-audit), Red Hat (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (fetchmail, git, go1.16, go1.17, ncurses, postgresql10, python, python36, and squid), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-bluefield, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oem-5.10, and linux-oem-5.13).

The LWN.net Weekly Edition for October 21, 2021 is available.

A new style of GPL-enforcement lawsuit wasfiled on October 19 by Software Freedom Conservancy (SFC)against television maker Vizio. Unlike previous GPL-enforcement suits, whichhave been pursued on behalf of the developers and copyright holders ofGPL-licensed code, this suit has been filed on behalf of owners of the TVsin question. The idea that owners of devices that contain code under theGPL have the right to access that code seems clearly embodied in thelicense, but it remains to be seen if the courts will decide that thoseowners have the legal standing to sue for relief.

Stable kernels 5.14.14, 5.10.75, 5.4.155, 4.19.213, and 4.14.252 have been released. They all containimportant fixes and users of those series should upgrade.

Security updates have been issued by Debian (ffmpeg, smarty3, and strongswan), Fedora (udisks2), openSUSE (flatpak, strongswan, util-linux, and xstream), Oracle (redis:5), Red Hat (java-1.8.0-openjdk, java-11-openjdk, openvswitch2.11, redis:5, redis:6, and rh-redis5-redis), SUSE (flatpak, python-Pygments, python3, strongswan, util-linux, and xstream), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-raspi and strongswan).

Over at the Project Zero blog, Jann Horn has a lengthy post on a kernel bug, ways to exploit it, and various ideas on mitigation. While the exploitation analysis is highly detailed, more than half of the post looks at various defenses to this kind of bug.

On October 11, the first release candidate for Qubes OS version 4.1 was announced. Qubes OSis a security-oriented desktop operating system that uses multiple virtualmachines (VMs or "qubes") to isolatevarious types of functionality. The idea is to compartmentalize differentapplications and operating-system subsystems to protect them from eachother and to limit access to the user's data if an application iscompromised. Version 4.1 will bring several important enhancements tohelp Qubes OS continue to live up to its motto: "A reasonably secure operatingsystem".

Software Freedom Conservancy has announced that it filed suit against TV maker Vizio over "repeated failures to fulfill even the basic requirements of the General Public License (GPL)". The organization raised the problems with Vizio in August 2018, but the company stopped responding in January 2020, according to the announcement.

Security updates have been issued by Debian (redmine and strongswan), Fedora (containerd, fail2ban, grafana, moby-engine, and thunderbird), openSUSE (curl, firefox, glibc, kernel, libqt5-qtsvg, rpm, ssh-audit, systemd, and webkit2gtk3), Red Hat (389-ds:1.4, curl, kernel, kernel-rt, redis:5, and systemd), SUSE (util-linux), and Ubuntu (ardour, linux-azure, linux-azure-5.11, and strongswan).

Differences of opinion over which kernel symbols should be exported toloadable modules have been anything but uncommon over the years. Often,these disagreements relate to which kernel capabilities should be availableto proprietary modules. Sometimes, though, it hinges on the disagreementsover the best way to solve a problem. The recent discussion around theremoval of an export for a core kernel function is a case in point.

Security updates have been issued by Debian (amd64-microcode, libreoffice, linux-4.19, and nghttp2), Fedora (chromium, libopenmpt, vim, and xen), openSUSE (firefox, kernel, krb5, libaom, and opera), Oracle (thunderbird), SUSE (firefox, firefox, rust-cbindgen, iproute2, javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags, and krb5), and Ubuntu (nginx).

The 5.15-rc6 kernel prepatch is out."I'd love to say that it's all looking average, but rc6 is actuallybigger than rc5 was, and larger than normal for this time in therelease cycle.It's not _enormously_ larger than normal, and it's not the largest rc6we've had, but it's still slightly worrisome."

Greg Kroah-Hartman has released the5.14.13,5.10.74,5.4.154,4.19.212,4.14.251,4.9.287, and4.4.289stable kernel updates. Each contains another set of important fixes.

The name Debian brings to mind a Linuxdistribution, but the Debian project is far more than that; it is anongoing experiment in democratic project governance. Debian's processescan result in a lot of public squabbling; one should not lose track,though, of the fact that those processes have enabled a large community tomaintain and grow a complex distribution for decades without the benefit ofan overseeing corporate overlord. Processes can be improved, though; arecent proposalfrom Russ Allbery gives an interesting picture of where the pain pointsare and what can be made better.

Security updates have been issued by Debian (squashfs-tools, tomcat9, and wordpress), Fedora (openssh), openSUSE (kernel, mbedtls, and rpm), Oracle (httpd, kernel, and kernel-container), SUSE (firefox, kernel, and rpm), and Ubuntu (linux-azure, linux-azure-5.4).

The latest release of the Ubuntu Linux distribution is out: Ubuntu 21.10, code named "Impish Indri". The release notes fills in all of the details for the new features in this version, but the announcement lists some as well:

Version 4.0 of the Devuan distribution has been released; it is code-namedChimaera. This release is based on Debian Bullseye, has improved desktopsupport, and benefits from more accessibility work. See therelease notes for details.

Concerns over the performance of programs written in Python are oftenoverstated — for some use cases, at least. But there is no getting aroundthe problem imposed by the infamous global interpreter lock (GIL), whichseverely limits the concurrency of multi-threaded Python code. Variousefforts to remove the GIL have been madeover the years, but none have come anywhere near the point where they wouldbe considered for inclusion into the CPython interpreter. Now, though, SamGross has enteredthe arena with a proof-of-concept implementation that may solve theproblem for real.

The KDE project is celebrating its 25th anniversary with a special releaseof the Plasma desktop.

Security updates have been issued by Mageia (golang, grilo, mediawiki, plib, python-flask-restx, python-mpmath, thunderbird, and xstream/xmlpull/mxparser), Oracle (389-ds-base, grafana, httpd:2.4, kernel, libxml2, and openssl), Red Hat (httpd), and SUSE (kernel).

The LWN.net Weekly Edition for October 14, 2021 is available.

The syzbotkernel-fuzzing system finds an enormous number of bugs, but, since many of them may seem to be of a relatively low severity, they have a lower prioritywhen contending for the attention of developers. A talkat the recent Linux Security Summit North America reported on some research thatdug further into the bugs that syzbot hasfound; the results are rather worrisome. Rather than a pile ofdifficult- or impossible-to-exploit bugs, there are numerous, more seriousproblems lurking within.

Stable kernels 5.14.12, 5.10.73, 5.4.153, and 4.19.211 have been released with importantfixes. Users of those series should upgrade.

We recently looked atsome of the changes and new features arriving with the upcomingversion 1.7 release of the Julia programming language.The package system provided by the language makes it easier toexplore new language versions, while still preserving multiple versions of various parts of the ecosystem. This flexible systemtakes care of dependency management, both for writing exploratory code in the REPL and fordeveloping projects or libraries.

Security updates have been issued by Debian (flatpak and ruby2.3), Fedora (flatpak, httpd, mediawiki, redis, and xstream), openSUSE (kernel, libaom, libqt5-qtsvg, systemd, and webkit2gtk3), Red Hat (.NET 5.0, 389-ds-base, httpd:2.4, kernel, kernel-rt, libxml2, openssl, and thunderbird), Scientific Linux (389-ds-base, kernel, libxml2, and openssl), SUSE (apache2-mod_auth_openidc, curl, glibc, kernel, libaom, libqt5-qtsvg, systemd, and webkit2gtk3), and Ubuntu (squashfs-tools).

There are many barriers to producing software that is reliable andmaintainable over the long term. One of those is software complexity. Atthe recently concluded 2021 KVMForum, Paolo Bonziniexploredthis topic, using QEMU, the open source emulatorand virtualizer, as a case study. Drawing on his experience asa maintainer of several QEMU subsystems, he made some concretesuggestions on how to defend against undesirable complexity. Bonziniused QEMU as a running example throughout the talk, hoping to make iteasier for future contributors to modify QEMU. However, thelessons he shared are equally applicable to many other projects.

Security updates have been issued by Debian (firefox-esr, hiredis, and icu), Fedora (kernel), Mageia (libreoffice), openSUSE (chromium, firefox, git, go1.16, kernel, mbedtls, mupdf, and nodejs8), Oracle (firefox and kernel), Red Hat (firefox, grafana, kernel, kpatch-patch, and rh-mysql80-mysql), and SUSE (apache2, containerd, docker, runc, curl, firefox, kernel, libqt5-qtsvg, and squid).

A group of researchers at Trinity College in Dublin has released theresults of a study into the data collected by a number of Androidvariants. There are few surprises here, but the picture is stilldiscouraging.

One does not normally expect a lot of controversy around a patch seriesthat makes changes to platform-specific configurations and drivers.The furor over some work on the Samsung Exynos platform may thus besurprising. When one looks into the discussion, things become more clear;it mostly has to do with disagreements over the best ways to get hardwarevendors to cooperate with the kernel development community.

Security updates have been issued by Debian (apache2, mediawiki, neutron, and tiff), Fedora (chromium, dr_libs, firefox, and grafana), Mageia (apache), openSUSE (chromium and rabbitmq-server), Oracle (kernel), Red Hat (firefox and httpd24-httpd), SUSE (rabbitmq-server), and Ubuntu (libntlm).

Jörg Schilling, a longtime free-software developer, has passed on. Mostpeople will remember him from his work on cdrtools and the seemingly endless drama that surrounded thatwork. He was a difficult character to deal with, but he also contributedsome important code that, for a period, almost all of us depended on. Restwell, Jörg.

The 5.15-rc5 kernel prepatch is out fortesting. "So things continue to look quite normal, and it looks likethe rough patch (hah!) we had early in the release is all behind us. Knockwood."

The5.14.11,5.10.72,5.4.152,4.19.210,4.14.250,4.9.286, and4.4.288stable kernel updates have all been released; each contains another set ofimportant fixes.

For the time being, the effort to add the folioconcept to the memory-management subsystem appears to be stalled, but appearances canbe deceiving. The numerous folio discussions have produced a number ofpoints of consensus, though; one of those is that far too much of thekernel has to work with page structures to get its job done. Asan example of how a subsystem might be weaned off of struct pageusage, Matthew Wilcox has split outthe slab allocators in a 62-part patch set. The result may bea foreshadowing of changes to come in the memory-management subsystem.

Security updates have been issued by Fedora (libssh), Mageia (firefox), Slackware (httpd), SUSE (xen), and Ubuntu (firefox and mysql-5.7).

Stable kernels 5.14.10 and 4.4.287 have been released. 5.14.10 is astandard stable release, with fixes throughout the kernel tree, while4.4.287 is fixing a build problem: "You only need this release if youare building for ARM64 and had build failures with 4.4.286."