Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-21 12:00
Security updates for Thursday
Security updates have been issued by Debian (libgc and pjproject), Fedora (cobbler, mingw-openjpeg2, and openjpeg2), Mageia (openvpn), openSUSE (abcm2ps, fish3, icingaweb2, kernel-firmware, nextcloud, openSUSE-build-key, python2-numpy, salt, and zlib), Slackware (vim), SUSE (kernel-firmware, opensc, python2-numpy, python3, salt, and zlib), and Ubuntu (dosbox, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.13, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-azure-4.15, linux-dell300x, linux-hwe, linux-kvm, linux-snapdragon, rsync, twisted, and zlib).
[$] LWN.net Weekly Edition for March 31, 2022
The LWN.net Weekly Edition for March 31, 2022 is available.
[$] Systemd discusses its kernel-version needs
A query regarding the possibility of dropping support for older kernels in systemd led to some discussion on the systemd-devel mailing list recently. As might be guessed, exactly which kernel would be the minimum supported, what kernel features systemd is using, and when those kernel features became available, were all part of that conversation. A component like systemd that is closely tied to the kernel, and the interfaces different versions provide, has a number of different factors to consider when making a decision of this sort.
OpenSUSE adopts a new code of conduct
The openSUSE project has announced the adoption of a new code of conduct: "We hope that by having a clear and concise Code of Conduct for the project, the openSUSE Community can continue to grow and prosper in the years to come".
Security updates for Wednesday
Security updates have been issued by CentOS (expat, firefox, httpd, openssl, and thunderbird), Debian (cacti), Fedora (kernel, rsh, unrealircd, and xen), Mageia (kernel and kernel-linus), openSUSE (apache2, java-1_8_0-ibm, kernel, openvpn, and protobuf), Oracle (openssl), Red Hat (httpd:2.4, kernel, kpatch-patch, and openssl), SUSE (apache2, java-1_7_1-ibm, java-1_8_0-ibm, kernel, openvpn, protobuf, and zlib), and Ubuntu (chromium-browser and paramiko).
[$] Problems emerge for a unified /dev/*random
In mid-February, we reported on the plan to unite the two kernel devices that provide random numbers; /dev/urandom was to effectively just be another way to access the random numbers provided by /dev/random. That change made it as far as the mainline during the Linux 5.18 merge window, but it was quickly reverted when problems were found. It may be possible to do that unification someday, but, for now, there are environments that need their random numbers early on—without entropy or the "Linus jitter dance" being available on the platform.
Fedora 36 beta released
The Fedora 36 beta release has been announced.
Security updates for Tuesday
Security updates have been issued by Debian (libdatetime-timezone-perl, pjproject, and tzdata), Mageia (chromium-browser-stable, docker, graphicsmagick, and libtiff), Oracle (expat), Red Hat (expat, httpd:2.4, openssl, and screen), Scientific Linux (expat and openssl), and Ubuntu (libtasn1-6, linux-oem-5.14, openjdk-lts, and paramiko).
Some nftables security vulnerabilities
A new set of vulnerabilities has been disclosed in the nftables subsystem; these lead fairly easily to a local system compromise, on some configurations at least. Fixes for these vulnerabilities were present in the March 28 stable updates; upgrading seems like a good idea.
[$] Pointer tagging for x86 systems
Pointers are a fact of life for developers working in numerous languages. It is often convenient to be able to associate a small amount — a few bits at most — of ancillary information with a pointer. This can often be done within the pointer value itself with some careful masking and shifting. CPU manufacturers have been adding ways to support the addition of this sort of "tag" to pointers; the most recent may be AMD's "upper address ignore" (UAI) feature, support for which was recently posted by Bharata B Rao. This feature has an uncertain future in Linux, though, as the result of a fundamental design decision.
Debian decides to allow secret votes
The Debian project has been voting on a general resolution that would allow secret voting on future issues. The results have been posted in unofficial form, and the winner was "proposal B": "Hide identities of Developers casting a particular vote and allow verification". One might think that closes the discussion, but Debian project leader candidate Felix Lechner is questioning the election and calling for it to be redone — something that the Debian constitution lacks provisions for.
Eight new stable kernels
Greg Kroah-Hartman has announced the release of new stable kernels: 5.17.1, 5.16.18, 5.15.32, 5.10.109, 5.4.188, 4.19.237, 4.14.274, and 4.9.309. They contain a relatively small set of important fixes throughout the tree; users of those series should upgrade.
Security updates for Monday
Security updates have been issued by Debian (chromium and faad2), Fedora (dotnet3.1, libass, linux-firmware, python-paramiko, seamonkey, and xen), openSUSE (perl-DBD-SQLite and wavpack), Slackware (seamonkey), SUSE (perl-DBD-SQLite and wavpack), and Ubuntu (binutils, python2.7, python3.4, python3.5, python3.6, python3.8, and smarty3).
[$] 5.18 Merge window, part 1
As of this writing, 4,127 non-merge changesets have found their way into the mainline repository for the 5.18 development cycle. That may seem like a relatively slow start to the merge window, but there are a lot of changes packed into those commits. Read on for a summary of the most significant changes to land in the first half of the 5.18 merge window.
Security updates for Friday
Security updates have been issued by Debian (tiff), Fedora (nicotine+ and openvpn), openSUSE (bind, libarchive, python3, and slirp4netns), Oracle (cyrus-sasl, httpd, httpd:2.4, and openssl), Red Hat (httpd and httpd:2.4), Scientific Linux (httpd), SUSE (bind, libarchive, python3, and slirp4netns), and Ubuntu (firefox).
Horn: Racing against the clock
Jann Horn describes in great detail the process he went through to exploit a tiny race window in the kernel.
Ekstrand: How to write a Vulkan driver in 2022
Over on the Collabora blog, Jason Ekstrand has a detailed look at writing a Vulkan graphics driver in today's world. "Not only has Vulkan grown, but Mesa has as well, and we've built up quite a suite of utilities and helpers for making writing Vulkan drivers easier." The blog post takes the form of a tutorial of sorts; though the end result is not a functioning Vulkan driver, the framework of one is shown.
[$] A way out for a.out
The a.out executable format dates back to the earliest days of Linux — and before. It has not been used in any serious way for decades, but support still exists in the Linux kernel and has resisted all attempts at its removal. Back in January, Borislav Petkov tried yet again to delete support for this format, leading to another extended discussion. There is one difference this time around, though: the effort to get rid of a.out support might just succeed.
Security updates for Thursday
Security updates have been issued by Debian (php-twig), Mageia (abcm2ps, libpano13, and pesign), openSUSE (nextcloud and xen), Oracle (kernel, kernel-container, and openssl), SUSE (java-1_7_1-ibm and xen), and Ubuntu (linux-oem-5.14, openvpn, and thunderbird).
[$] LWN.net Weekly Edition for March 24, 2022
The LWN.net Weekly Edition for March 24, 2022 is available.
[$] A method for replacing Python tuple entries
A recent discussion on the python-ideas mailing list gives some insight into how to—or how not to—propose a feature to be added to the language. At first blush, adding a method to Python's immutable tuple type for replacing one of its elements is not a particularly strange idea, nor one that would cause much in the way of backward-compatibility concerns. Even though there was some evidence offered that such a method might be useful, it seems pretty unlikely that the idea will go anywhere, at least in part because of the repetitive, bordering on aggressive, manner in which its benefits were argued.
GNOME 42 released
Version 42 of the GNOME desktop environment is out.
More stable kernel updates
The 5.16.17, 5.15.31, 5.10.108, 5.4.187, 4.19.236, 4.14.273, and 4.9.308 stable kernels have all been released; each contains another set of important fixes.
Security updates for Wednesday
Security updates have been issued by Mageia (cyrus-sasl, openssl, sphinx, and swtpm), openSUSE (qemu), Red Hat (expat, rh-mariadb103-mariadb, and rh-mariadb105-mariadb), SUSE (apache2, binutils, java-1_7_0-ibm, kernel-firmware, nodejs12, qemu, and xen), and Ubuntu (ckeditor and linux, linux-aws, linux-kvm, linux-lts-xenial).
[$] Three candidates vying for Debian project leader
Three candidates have thrown their hat into the ring as candidates for the 2022 Debian project leader (DPL) election. One is Jonathan Carter, who is now in his second term as DPL, while the other two are Felix Lechner and Hideki Yamane. As is the norm, the candidates self-nominated during the nomination period and are now in the campaigning phase until April 1. The vote commences April 2 and runs for two weeks; the results will be announced shortly thereafter and the new DPL term will start on April 21. The candidates have put out platforms and are fielding questions from the voters, Debian developers, thus it seems like a good time to look in on the election.
Guidelines for research on the kernel community
As part of the response to last year's UMN fiasco, Kees Cook and a group of collaborators have put together a set of guidelines for researchers who are studying how the kernel-development community (or any development community, really) works. That document has just been merged into the mainline as part of the 5.18 merge window.
The Open Source Initiative elects a new board
The Open Source Initiative has announced the results of its 2022 board election.
Activists are targeting Russians with open-source "protestware" (Technology Review)
MIT Technology Review has taken a brief look at open-source projects that have added changes protesting the war in Ukraine and drawn some questionable conclusions:
Security updates for Tuesday
Security updates have been issued by Debian (apache2 and thunderbird), Fedora (abcm2ps, containerd, dotnet6.0, expat, ghc-cmark-gfm, moodle, openssl, and zabbix), Mageia (389-ds-base, apache, bind, chromium-browser-stable, nodejs-tar, python-django/python-asgiref, and stunnel), openSUSE (icingaweb2, lapack, SUSE:SLE-15-SP4:Update (security), and thunderbird), Oracle (openssl), Slackware (bind), SUSE (apache2, bind, glibc, kernel-firmware, lapack, net-snmp, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-aws-5.13, linux-gcp, linux-hwe-5.13, linux-kvm, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-gcp-4.15, linux-kvm, linux-oracle, linux-snapdragon).
Free Software Awards winners announced: SecuRepairs, Protesilaos Stavrou, Paul Eggert
The just-completed, online LibrePlanet conference was the venue for awarding this year's Free Software Awards:
[$] A look at some 5.17 development statistics
At the conclusion of the 5.17 development cycle, 13038 non-merge changesets had found their way into the mainline repository. That is a lower level of activity than was seen for 5.16 (14,190 changesets) but well above 5.15 (12,337). In other words, this was a fairly typical kernel release. That is true in terms of where the work that made up the release came from as well.
Beingessner: Rust's Unsafe Pointer Types Need An Overhaul
Aria Beingessner points out a set of problems with Rust's conception of unsafe pointers and proposes some fixes in this highly detailed post.
Security updates for Monday
Security updates have been issued by Debian (bind9, chromium, libgit2, libpano13, paramiko, usbredir, and wordpress), Fedora (expat, kernel, openexr, thunderbird, and wordpress), openSUSE (chromium, frr, and weechat), Red Hat (java-1.7.1-ibm and java-1.8.0-ibm), SUSE (frr), and Ubuntu (imagemagick).
The 5.17 kernel has been released
Linus has released the 5.17 kernel.
The first Asahi Linux alpha release
The first alpha release of Asahi Linux, a distribution for Apple M1 silicon, has been released.
Stable kernel updates for the weekend
The 5.16.16, 5.15.30, 5.10.107, and 5.4.186 stable kernel updates have been released; each contains another set of important fixes.
Kuhn: Copyleft Won't Solve All Problems, Just Some of Them
Over on the Software Freedom Conservancy blog, Bradley M. Kuhn considers the question of the interaction between copyleft and the "ethical source" effort that seeks to use copyleft-like licensing to bring about additional changes, beyond just software freedom; the Hippocratic License is an example of such a license. In his view, copyleft and ethical software are not really compatible, even though many in the free-software world (including Kuhn) are highly sympathetic to the goals, especially in light of the recent invasion of Ukraine by Russia.
Donenfeld: Random number generator enhancements for Linux 5.17 and 5.18
Jason Donenfeld has published a lengthy look at the changes to the Linux random-number generator (RNG) for Linux 5.17 and the upcoming 5.18 kernel. It covers his efforts "to modernize both the code and the cryptography used" and also peers into the future for changes that may be coming.
[$] Driver regression testing with roadtest
The kernel community has a number of excuses for the relative paucity of regression-test coverage in the project, some of which hold more water than others. One of the more convincing reasons is that a great deal of kernel code is hardware-specific, and nobody can ever hope to put together a testing system with even a small fraction of all the hardware that the kernel supports. A new driver-testing framework called roadtest, posted by Vincent Whitchurch, may make that excuse harder to sustain, though, at least for certain kinds of hardware.
Security updates for Friday
Security updates have been issued by Debian (python-treq), Fedora (openvpn, pesign, rust-regex, and thunderbird), Oracle (expat), Red Hat (kpatch-patch-4_18_0-147_58_1), Slackware (bind and openssl), SUSE (python-lxml), and Ubuntu (apache2).
OSI: Court affirms it's false advertising to claim software is Open Source when it’s not
The Open Source Initiative reports on a ruling in the US Court of Appeals reaffirming the meaning of "open source" in a software license.
[$] Improved response times with latency nice
CPU scheduling can be a challenging task; the scheduler must ensure that every process gets a fair share of the available CPU time while, at the same time, respecting CPU affinities, avoiding the migration of processes away from their cached memory contents, and keeping all CPUs in the system busy. Even then, users can become grumpy if specific processes do not get their CPU share quickly; from that comes years of debates over desktop responsiveness, for example. The latency-nice priority proposal recently resurrected by Vincent Guittot aims to provide a new tool to help latency-sensitive applications get their CPU time more quickly.
Security updates for Thursday
Security updates have been issued by Debian (flac, openssl, and openssl1.0), Fedora (nbd, pesign, and rust-regex), openSUSE (ansible, java-1_8_0-openjdk, libreoffice, and stunnel), Oracle (expat, glibc, and virt:ol and virt-devel:rhel), Red Hat (expat, redhat-ds:11.3, and virt:av and virt-devel:av), SUSE (atftp, java-1_8_0-openjdk, libreoffice, python3, and stunnel), and Ubuntu (apache2, bind9, firefox, fuse, and man-db).
[$] LWN.net Weekly Edition for March 17, 2022
The LWN.net Weekly Edition for March 17, 2022 is available.
[$] Python finally offloads some batteries
Python has often been touted as a "batteries included" language because of its rich standard library that provides access to numerous utility modules and is distributed with the language itself. But those libraries need maintenance, of course, and that is provided by the Python core development team. Over the years, it has become clear that some of the modules are not really being maintained any longer and they probably are not really needed by most Python users—either because better alternatives exist or because they address extremely niche use cases. A long-running project to start the removal of those modules has recently been approved.
Candidates for the 2022 Debian project leader election
Debian's annual ritual of electing a project leader is underway. There are three candidates this time: Felix Lechner, Hideki Yamane, and incumbent Jonathan Carter. Platforms for the candidates are being placed on this page as they become available.
The next set of stable-kernel updates
The 5.16.15, 5.15.29, 5.10.106, 5.4.185, 4.19.235, 4.14.272, and 4.9.307 stable updates have all been released; each contains another set of important fixes.
Security updates for Wednesday
Security updates have been issued by Debian (openssl and python-scrapy), openSUSE (chrony, expat, java-1_8_0-openj9, libqt5-qtbase, openssl-1_0_0, php7, and rust, rust1.58, rust1.59), Oracle (389-ds:1.4, httpd:2.4, libarchive, libxml2, and vim), Red Hat (389-ds:1.4, glibc, httpd:2.4, kpatch-patch, libarchive, libxml2, vim, and virt:rhel and virt-devel:rhel), SUSE (chrony, compat-openssl098, expat, libqt5-qtbase, openssl, openssl-1_0_0, openssl-1_1, openssl1, php7, rust, rust1.58, rust1.59, and squid3), and Ubuntu (libreoffice, netkit-rsh, openssl, openssl, openssl1.0, tar, and tcpdump).
[$] Removing SHA-1 for signatures in Fedora
Disruptive changes are not much fun for anyone involved, though they may be necessary at times. Moving away from the SHA-1 hash function, at least for cryptographic purposes, is probably one of those necessary disruptive changes. There are better alternatives to SHA-1, which has been "broken" from a cryptographic perspective for quite some time now, and most of the software components that make up a distribution can be convinced to use other hash functions. But there are still numerous hurdles to overcome in making that kind of a switch as a recent discussion on the Fedora devel mailing list shows.
A remotely exploitable OpenSSL/LibreSSL vulnerability
The OpenSSL project has disclosed a vulnerability wherein an attacker presenting a malicious certificate can cause the execution of an infinite loop. It is thus a denial-of-service vulnerability for any application — server or client — that handles certificates from untrusted sources. The OpenSSL 3.0.2 and 1.1.1n releases contain fixes for the problem. This advisory makes it clear that LibreSSL, too, suffers from this vulnerability; updated releases are available there too.