Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-21 12:00
[$] Moving the kernel to modern C
Despite its generally fast-moving nature, the kernel project relies on a number of old tools. While critics like to focus on the community's extensive use of email, a possibly more significant anachronism is the use of the 1989 version of the C language standard for kernel code — a standard that was codified before the kernel project even began over 30 years ago. It is looking like that longstanding practice could be coming to an end as soon as the 5.18 kernel, which can be expected in May of this year.
Rust compiler ambitions for 2022 (Inside Rust)
The Inside Rust Blog has posted the Rust compiler team's goals for this year in the hope of encouraging others to help.
Security updates for Thursday
Security updates have been issued by Debian (thunderbird), Fedora (php), openSUSE (jasper and thunderbird), Oracle (389-ds-base, kernel, openldap, and python-pillow), Red Hat (cyrus-sasl and samba), and SUSE (cyrus-sasl, firefox, jasper, kernel-rt, nodejs10, nodejs14, nodejs8, and thunderbird).
[$] LWN.net Weekly Edition for February 24, 2022
The LWN.net Weekly Edition for February 24, 2022 is available.
[$] Moving Python's bugs to GitHub
Over the past seven years or so, Python has slowly been moving its development infrastructure to GitHub; we covered some of the early discussions at the end of 2014. One piece of that infrastructure, bug tracking, has not been moved from bugs.python.org, but plans are underway to make that happen soon. It is not a simple or straightforward process to do so, however, so the transition will take up to a week to complete; there are a number of interesting facets to the switch, as it entails clearing some technical, and even legal, hurdles.
Biesheuvel: Mitigating kernel risks on 32-bit ARM
Ard Biesheuvel writes about 32-bit Arm systems on the Google Security Blog, with a focus on why these processors are still in use and what is being done to increase their security at the kernel level.
Intel acquires Linutronix
Intel has announced the acquisition of Linutronix.
Stable kernel updates for Wednesday
The 5.16.11, 5.15.25, 5.10.102, 5.4.181, 4.19.231, 4.14.268, and 4.9.303 stable kernel updates have all been released; each contains another set of important fixes.
OpenSSH 8.9 released
OpenSSH 8.9 has been released. This version includes a fix for a "security near miss" and removes support for MD5-hashed passwords. It also includes a new mechanism to restrict the forwarding of keys in ssh-agent, various FIDO improvements, a new "post-quantum" key-exchange algorithm, and more.
Security updates for Wednesday
Security updates have been issued by Debian (expat), Fedora (php and vim), Mageia (cpanminus, expat, htmldoc, nodejs, polkit, util-linux, and varnish), Red Hat (389-ds-base, curl, kernel, kernel-rt, openldap, python-pillow, rpm, sysstat, and unbound), Scientific Linux (389-ds-base, kernel, openldap, and python-pillow), and Ubuntu (cyrus-sasl2, linux-oem-5.14, and php7.0).
[$] Python support for regular expressions
Regular expressions are a common feature of computer languages, especially higher-level languages like Ruby, Perl, Python, and others, for doing fairly sophisticated text-pattern matching. Some languages, including Perl, incorporate regular expressions into the language itself, while others have classes or libraries that come with the language installation. Python's standard library has the re module, which provides facilities for working with regular expressions; as a recent discussion on the python-ideas mailing list shows, though, that module has somewhat fallen by the wayside in recent times.
Security updates for Tuesday
Security updates have been issued by Fedora (java-1.8.0-openjdk-aarch32, radare2, and zsh), openSUSE (ImageMagick and systemd), Red Hat (kpatch-patch, Service Telemetry Framework 1.3 (sg-core-container), and Service Telemetry Framework 1.4 (sg-core-container)), SUSE (ImageMagick, kernel-rt, nodejs12, php74, systemd, ucode-intel, and xerces-j2), and Ubuntu (c3p0, expat, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-snapdragon, linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, and linux-gke).
[$] Shadow stacks for user space
The call stack is a favorite target for attackers attempting to compromise a running process; if an attacker finds a way to overwrite a return address on the stack, they can redirect control to code of their choosing, leading to a situation best described as "game over". As a result, a great deal of effort has gone into protecting the stack. One technique that offers promise is a shadow stack; support for shadow stacks is thus duly showing up in various processors. Support for protecting user-space applications with shadow stacks is taking a bit longer; it is currently under discussion within the kernel community, but adding this feature is trickier than one might think. Among other things, these patches have been around for long enough that they have developed some backward-compatibility problems of their own.
Sven Guckes RIP
Longtime FOSS contributor and advocate Sven Guckes has died at 55. A Twitter posting and news article (both in German) describe the Berlin-based Guckes as someone who was always ready to help users get the most out of their systems on Usenet and IRC. His home page and a Hacker News posting have more information as well. RIP. (Thanks to Martin Michlmayr.)
Security updates for Monday
Security updates have been issued by Debian (php7.4, redis, snapd, twisted, webkit2gtk, and wpewebkit), Fedora (cyrus-imapd, nodejs, phpMyAdmin, polkit, snapd, webkit2gtk3, and xen), Gentoo (chromium), openSUSE (jaw, kubevirt, virt-api-container,, opera, polkit, and sphinx), Red Hat (ruby:2.6), Slackware (expat), and SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container and polkit).
A walk through Project Zero metrics
Google's Project Zero blog looks at how quickly the vulnerabilities it has reported over the last three years have been fixed.
Kernel prepatch 5.17-rc5
The 5.17-rc5 kernel prepatch is out for testing. "Things continue to look pretty much normal. There are fixes all over the place, but no more than usual for this time of the release".
[$] Thoughts on software-defined silicon
People are attracted to free software for a number of reasons, including price, overall quality, community support, and available features. But, for many of us, the value of free software is to be found in its ability to allow us to actually own and maintain control over our systems. Antifeatures in free software tend not to last long, and free drivers can often unlock capabilities of the hardware that its vendors may not have seen fit to make available. Intel's upcoming "software defined silicon" (SDSi) mechanism may reduce that control, though, by taking away access to hardware features from anybody who has not paid the requisite fees.
Security updates for Friday
Security updates have been issued by Debian (chromium and zsh), Fedora (microcode_ctl and zziplib), Mageia (docker-containerd, mariadb, nas, phoronix-test-suite, rlwrap, thunderbird, webkit2, wireshark, zsh, and zxing-cpp), openSUSE (aide, chromium, clamav, expat, htmldoc, libmspack, libsndfile, python-Twisted, qemu, rust, strongswan, tiff, virglrenderer, and xerces-j2), Slackware (mozilla and php), SUSE (aide, clamav, cobbler, expat, kernel, libmspack, libsndfile, python-numpy, python-Twisted, qemu, rust, strongswan, tcpdump, tiff, ucode-intel, virglrenderer, wpa_supplicant, and xerces-j2), and Ubuntu (kernel, libarchive, linux-hwe-5.13, and snapd).
Local root vulnerability in snap-confine
Qualys has disclosed a vulnerability in the snap-confine component of Ubuntu's Snap packaging system. "Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host". Affected systems with untrusted users should probably be upgraded forthwith.
[$] A last look at the 4.4 stable series
Linus Torvalds released the 4.4 kernel on January 10, 2016 and promptly left the building for the greener fields of 4.5. This kernel was finished from his point of view, but it was just beginning its life in the wider world, and became the first long-term-stable release to be supported for more than two years. Indeed, the 4.4 release became one of the longest-supported and most widely used releases in the history of the kernel project (so far); it was deployed in vast numbers of Android devices, among other places. The final 4.4 stable release took place on February 3, over six years after 4.4 was "finished"; it is time to take a look at what happened to 4.4 in its stable life.
Security updates for Thursday
Security updates have been issued by Debian (drupal7), Fedora (kernel, lua, vim, and xrdp), openSUSE (firejail, json-c, kafka, webkit2gtk3, and xorg-x11-server), Oracle (bind, firefox, ruby:2.5, ruby:2.6, and thunderbird), Red Hat (ruby:2.5 and ruby:2.6), SUSE (apache2, glibc, json-c, libvirt, webkit2gtk3, xen, and xorg-x11-server), and Ubuntu (linux-raspi, linux-raspi-5.4).
[$] LWN.net Weekly Edition for February 17, 2022
The LWN.net Weekly Edition for February 17, 2022 is available.
[$] Uniting the Linux random-number devices
Blocking in the kernel's random-number generator (RNG)—causing a process to wait for "enough" entropy to generate strong random numbers—has always been controversial. It has also led to various kinds of problems over the years, from timeouts and delays caused by misuse in user-space programs to deadlocks and other problems in the boot process. That behavior has undergone a number of changes over the last few years and it looks possible that the last vestige of the difference between merely "good" and "cryptographic-strength" random numbers may go away in some upcoming kernel version.
Lorinda Cherry RIP
Longtime Unix developer Lorinda Cherry passed away recently; among other things, she was the creator of the dc and bc utilities still in use today. See this posting from Douglas McIlroy for many more details on her life.
Mozilla on the coming version-100 apocalypse
Both Firefox and Chrome are racing toward releasing version 100 in the near future, and developers for both browsers are worried that web sites with naive code to parse the version number out of the user-agent string will break.
Seven more stable kernel releases
The 5.16.10, 5.15.24, 5.10.101, 5.4.180, 4.19.230, 4.14.267, and 4.9.302 stable kernel updates are available. As usual, each contains another set of important fixes.
Security updates for Wednesday
Security updates have been issued by CentOS (firefox and thunderbird), Debian (librecad, libxstream-java, and zsh), Fedora (expat, util-linux, varnish-modules, xterm, and zsh), Mageia (Intel-nonfree, kernel, kernel-linus, and microcode), openSUSE (zabbix), Red Hat (kernel, kpatch-patch, Red Hat Virtualization Host, and thunderbird), Scientific Linux (thunderbird), and Ubuntu (cryptsetup).
Opdenacker: Using Device Tree Overlays, example on BeagleBone boards
Over on the Bootlin blog, Michael Opdenacker has an introduction to using device tree overlays to support changes to the standard device tree definition for a particular system-on-chip (SoC). This allows users to add new hardware or modify the hardware configuration for their system relatively easily—and without recompiling the kernel or the full device tree source files.
McGovern: Handing over
Neil McGovern announces his departure from the helm of the GNOME Foundation.
[$] Remote per-CPU page list draining
Sometimes, a kernel-patch series comes with an exciting, sexy title. Other times, the mailing lists are full of patches with titles like "remote per-cpu lists drain support". For many, the patches associated with that title will be just as dry as the title itself. But, for those who are interested in such things — a group that includes many LWN readers — this short patch series from Nicolas Saenz Julienne gives some insight into just what is required to make the kernel's page allocator as fast — and as robust — as developers can make it.
Security updates for Tuesday
Security updates have been issued by Debian (h2database), Fedora (dotnet-build-reference-packages, dotnet3.1, and firefox), Oracle (.NET 5.0, firefox, kernel, and kernel-container), Red Hat (firefox), Scientific Linux (firefox), SUSE (unbound), and Ubuntu (firefox).
[$] Going big with TCP packets
Like most components in the computing landscape, networking hardware has grown steadily faster over time. Indeed, today's high-end network interfaces can often move data more quickly than the systems they are attached to can handle. The networking developers have been working for years to increase the scalability of their subsystem; one of the current projects is the BIG TCP patch set from Eric Dumazet and Coco Li. BIG TCP isn't for everybody, but it has the potential to significantly improve networking performance in some settings.
Security updates for Monday
Security updates have been issued by Debian (debian-edu-config, expat, minetest, pgbouncer, python2.7, samba, thunderbird, and varnish), Fedora (dotnet-build-reference-packages, dotnet3.1, dotnet6.0, hostapd, libdxfrw, librecad, mingw-expat, mingw-gdk-pixbuf, php-twig2, php-twig3, rust-afterburn, webkit2gtk3, and xstream), Mageia (bluez, firefox, libarchive, php-adodb, thunderbird, and webkit2), openSUSE (ghostscript, openexr, permissions, SDL2, and wireshark), Red Hat (firefox), Slackware (mariadb), and SUSE (busybox, ghostscript, openexr, permissions, SDL2, and wireshark).
Kernel prepatch 5.17-rc4
The 5.17-rc4 kernel prepatch is out for testing. "Things continue to look pretty normal for 5.17. Both the diffstat and the number of commits looks pretty much average for an rc4 release." The code name for the release has been changed to "Superb Owl".
[$] Debian reconsiders NEW review
The Debian project is known for its commitment to free software, the effort that it puts into ensuring that its distribution is compliant with the licenses of the software it ships, and the energy it puts into discussions around that work. A recent (and ongoing) discussion started with a query about a relatively obscure aspect of the process by which new packages enter the distribution, but ended up questioning the project's approach toward licensing and copyright issues. While no real conclusions were reached, it seems likely that the themes heard in this discussion, which relate to Debian's role in the free-software community in general, will play a prominent part in future debates.
A large set of small stable kernel updates
The 5.16.9, 5.15.23, 5.10.100, 5.4.179, 4.19.229, 4.14.266, and 4.9.301 stable kernel updates have been released; each contains a small number of important fixes.
Security updates for Friday
Security updates have been issued by Debian (cryptsetup), Fedora (firefox, java-1.8.0-openjdk, microcode_ctl, python-django, rlwrap, and vim), openSUSE (kernel), and SUSE (kernel and ldb, samba).
[$] The long road to a fix for CVE-2021-20316
Well-maintained free-software projects usually make a point of quickly fixing known security problems, and the Samba project, which provides interoperability between Windows and Unix systems, is no exception. So it is natural to wonder why the fix for CVE-2021-20316, a symbolic-link vulnerability, was well over two years in coming. Sometimes, a security bug can be fixed with a simple tweak to the code. Other times, the fix requires a massive rewrite of much of a project's internal code. This particular vulnerability fell firmly into the latter category, necessitating a public rewrite of Samba's virtual filesystem (VFS) layer to address a non-disclosed vulnerability.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr and openjdk-8), Fedora (phoronix-test-suite and php-laminas-form), Mageia (epiphany, firejail, and samba), Oracle (aide, kernel, kernel-container, and qemu), Red Hat (.NET 5.0 on RHEL 7 and .NET 6.0 on RHEL 7), Scientific Linux (aide), Slackware (mozilla), SUSE (clamav, expat, and xen), and Ubuntu (speex).
[$] LWN.net Weekly Edition for February 10, 2022
The LWN.net Weekly Edition for February 10, 2022 is available.
[$] PinePhone: trying out a Linux-based smartphone
The PinePhone is a Linux-based smartphone made by PINE64 that runs free and open-source software (FOSS); it is designed to use a close-to-mainline Linux kernel. While many smartphones already use the Linux kernel as part of Android, few run distributions that are actually similar to those used on desktops and laptops. The PinePhone is different, however; it provides an experience that is much closer to normal desktop Linux, though it probably cannot completely replace a full-featured smartphone—at least yet.
GNU Binutils 2.38 released
Version 2.38 of the GNU Binutils tool set has been released. Changes include new hardware support (including for the LoongArch architecture), various Unicode-handling improvements, a new --thin option to ar for the creation of thin archives, and more.