LWN.net

Part of the early appeal of the World Wide Web was the promise that anybodycould create a site and publish interesting content to the world. A fewdecades later, that promise seems to have been transformed into the ability toprovide content for a small number of proprietary platforms run by hugecorporations.But, arguably, the dream of widespread independent publishing is enjoying aresurgence. The Ghost publishing platformis built around the goal of making publishing technology — and the abilityto make money from it — available with free software.

Ubuntu22.10 has been released. "Codenamed 'Kinetic Kudu', this interimrelease improves the experience of enterprise developers and ITadministrators. It also includes the latest toolchains and applicationswith a particular focus on the IoT ecosystem." See therelease notes for details.

Security updates have been issued by Debian (firefox-esr), Red Hat (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, OpenShift Container Platform 4.9.50 bug fix and, and rh-nodejs14-nodejs), SUSE (buildah, clone-master-clean-up, go1.18, go1.19, helm, jasper, libostree, nodejs16, php8, qemu, and xen), and Ubuntu (libxdmcp, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oem-5.14, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-oem-5.17, and perl).

The LWN.net Weekly Edition for October 20, 2022 is available.

Unlike many other architectures, x86 systems support atomic operations thataffect more than one cache line. This support comes at a cost, though, interms of overall system performance and, even, security. Over the last fewyears, kernel developers have worked to discourage the use of this sort of"split-lock" operation. Now, though, one group of users is feelinga little too discouraged, leading to a discussion of how much misery canappropriately be inflicted upon users who use problematic butarchitecturally legal operations.

Security updates have been issued by Debian (bcel, kernel, node-xmldom, and squid), Mageia (chromium-browser-stable, dhcp, dokuwiki, firefox, golang, python-joblib, sos, and unzip), Oracle (nodejs and nodejs:16), Red Hat (firefox, kernel, kernel-rt, nodejs, nodejs:14, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (git and mozilla), SUSE (amazon-ssm-agent, caasp-release, cri-o, patchinfo, release-notes-caasp, skuba, enlightenment, libreoffice, netty, nodejs12, nodejs14, nodejs16, pngcheck, postgresql-jdbc, python-waitress, rubygem-activesupport-5_1, and tcl), and Ubuntu (frr, git, libksba, and linux-azure-4.15).

Since its inclusion in the Linux kernel, the WireGuard VPN tunnel has becomeincreasingly popular. In general, WireGuard is simpler to configure thanother VPNs, but the approach that it takes to authentication can presentsome challenges. Each node in a WireGuard network has a cryptographic keythat serves as the node's identity; nodes that do not know each other's keys cannot directly communicate.Keepingtrack of these keys and distributing them to the other nodesin a mesh network quickly becomes a chore as the network grows.Fortunately, there are now several open-source tools that can automate the management of these keys and make usingWireGuard easier for both administrators and end users.

Version106.0 of the Firefox browser has been released. There are several newfeatures, including PDF editing, FirefoxView (an overview of recently closed tabs), and a set of new colorschemes.

Security updates have been issued by Debian (glibc and libksba), Fedora (dhcp and kernel), Red Hat (.NET 6.0, .NET Core 3.1, compat-expat1, kpatch-patch, and nodejs:16), Slackware (xorg), SUSE (exiv2, expat, kernel, libreoffice, python, python-numpy, squid, and virtualbox), and Ubuntu (linux-azure and zlib).

Version5.5 of the Tor-centered Tails distribution is out. The biggest changeappears to be a significant update to the Thunderbird email client.

The5.10.149 and5.4.219stable kernel updates have been released. These small updates contain only afew more WiFi fixes and one revert.

Linus Torvalds released6.1-rc1 and closed the 6.1 merge window on October 16; at that point, 11,537 non-merge changesets had been pulledinto the mainline repository. That is considerably less than the 13,543changesets pulled during the 6.0 merge window, but quantity is noteverything: there were quite a few significant changes brought in this timearound. Many of those were part of the nearly 5,800 changesets pulledsince our first 6.1 merge window summary;read on for a look at some of the work done in the latter part of thismerge window.

Version 2.3.8 of the GNU Privacy Guard is out. It contains a few newfeatures but the real purpose is to fix CVE-2022-3515,an integer overflow vulnerability that can be exploited remotely for codeexecution via a, for example, malicious S/MIME attachment. Note that theactual vulnerability is in the libksba library, which isnormally packaged separately on Linux systems.

Security updates have been issued by Arch Linux (kernel, linux-hardened, linux-lts, and linux-zen), Debian (python-django), Fedora (apptainer, kernel, python3.6, and vim), Gentoo (assimp, deluge, libvirt, libxml2, openssl, rust, tcpreplay, virglrenderer, and wireshark), Slackware (zlib), SUSE (chromium, python3, qemu, roundcubemail, and seamonkey), and Ubuntu (linux-aws-5.4 and linux-ibm).

Linus has released 6.1-rc1 and closed themerge window for this development cycle.

Google has announcedthe existence of yet another new operating system, called KataOS, aimed atthe creation of secure embedded systems.

The6.0.2,5.19.16,5.15.74,5.10.148, and5.4.218stable kernel updates have all been released. Among other things, theseupdates contain the fixes for the recently disclosed WiFi vulnerabilities.

Software patents affect our systems in many ways, but perhaps moststrongly in the area of codecs — code that creates or plays back audioor video that has been compressed using covered algorithms. For thisreason, certain formats have simply been unplayable on many Linuxdistributions — especially those backed by companies that are bigenough to be worth suing — without installing add-on software fromthird-party repositories. One might think that this problem could beworked around by purchasing hardware that implements the patented algorithms,but recent activity in the Fedora and openSUSE communities shows that lifeis not so simple.

Security updates have been issued by Debian (chromium), Fedora (dbus, dhcp, expat, kernel, thunderbird, vim, and weechat), Mageia (libofx, lighttpd, mediawiki, and python), Oracle (.NET 6.0 and .NET Core 3.1), Slackware (python3), SUSE (chromium, kernel, libosip2, python-Babel, and python-waitress), and Ubuntu (gThumb, heimdal, linux-aws, linux-gcp-4.15, linux-aws-hwe, linux-gcp, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, postgresql-9.5, and xmlsec1).

It would appear that there is a set ofmemory-related vulnerabilities in the kernel's WiFi stack that can beexploited over the air via malicious packets; five CVE numbers have beenassigned to the set. Fixes are headed toward themainline and should show up in stable updates before too long; anybody whouses WiFi on untrusted networks should probably keep an eye out for therelevant updates.

There have been a lot of significant changes merged into the mainline forthe 6.1 release, but one of the changes that has received the mostattention will also have the least short-term effect for users of thekernel: the introduction of support for the Rust programming language. Nosystem with a production 6.1 kernel will be running any Rust code, but thischange does give kernel developers a chance to play with the language inthe kernel context and get a sense for how Rust development feels. Perhapsthe most likely conclusion for most developers, though, will be that thereisn't yet enough Rust in the kernel to do much of anything interesting.

Version 15 of the PostgreSQL database management system is out.

Security updates have been issued by Debian (libreoffice, rexical, ruby-nokogiri, and squid), Fedora (wavpack), Red Hat (expat), SUSE (gdcm, orthanc, orthanc-gdcm, orthanc-webviewer and rubygem-puma), and Ubuntu (GMP and unzip).

The LWN.net Weekly Edition for October 13, 2022 is available.

At the end of September, Victor Stinner reportedon a security bugfix he had been working on for a script from the CPythonTools/scripts directory. As part of that work, he realizedthat there were 74 scripts in that directory that were potentiallyoutdated, unused, unmaintained, trivial, buggy, or some combination of allof those. It is not uncommon for projects to have code that accretes in overlookedcorners of the source tree, but it makes sense to periodically take a lookto see if changes are needed. Stinner seems to have kicked that off for Python with his message.

The6.0.1,5.19.15, and5.15.73stable kernels have been released; each contains a relatively small set ofimportant fixes.

Security updates have been issued by Debian (mediawiki and twig), Oracle (expat, gnutls and nettle, and kernel), Red Hat (expat, kernel, and kpatch-patch), and Ubuntu (advancecomp and dotnet6).

The kernel's Bugzillainstance is largely unloved and ignored, at least as a bug-reportingtool for the bulk of the upstream kernel. At the recent Maintainers Summit,Bugzilla was discussed during the regression-handling session led by ThorstenLeemhuis. In a followup to that discussion, Leemhuis postedsome ideas for improving the state of bugzilla.kernel.org to theksummit-discuss mailing list recently; the resulting discussion helpedclarify a number of problem areas for it—and for the Bugzilla tool itself.

The Opus codec is an audio codec thatwas designed from the beginning to avoid existing patents in the field andbe royalty-free for all users. It was standardized by the IETF in 2012 asRFC 6716.Now a company called Vectis ("a premierfull-suite IP licensing and consultancy boutique") is collectingpatents that are claimed to read on Opus as a way of demandingroyalties on its use. "The planned Opus program will focus on hardware devices and will not bedirected towards open-source software, applications, services, orcontent". (Thanks to Paul Wise).

Version 7.0.0of the VirtualBox virtualization system is out. Changes include supportfor fully encrypted virtual machines, a new performance-monitoring tool,improved theme support, and a number of new devices.

Security updates have been issued by Debian (connman, dbus, git, isc-dhcp, strongswan, and wordpress), Fedora (rubygem-pdfkit and seamonkey), Red Hat (gnutls, nettle, rh-ruby27-ruby, and rh-ruby30-ruby), SUSE (libgsasl, python, and snakeyaml), and Ubuntu (graphite2, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-raspi, linux, linux-aws, linux-bluefield, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux, linux-dell300x, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-hwe, linux-oracle, openssh, and pcre3).

Philip Herron and Arthur Cohen presented anupdate on the "gccrs" GCC front end for the Rust language at the2022 Kangrejos conference. Less thantwo weeks later — and joined by David Faust — they did it again at the 2022 GNU Tools Cauldron.This time, though, they were talking to GCC developers and refocused theirpresentation accordingly; the result was an interesting look into thechallenges of implementing a compiler for Rust.

Security updates have been issued by Debian (knot-resolver and libpgjava), Fedora (booth, dotnet3.1, expat, nheko, php-twig, php-twig2, php-twig3, poppler, python-joblib, and seamonkey), Mageia (colord, dbus, enlightenment, kitty, libvncserver, php, python3, and unbound), Slackware (libksba), SUSE (cyrus-sasl, ImageMagick, and xmlgraphics-commons), and Ubuntu (nginx and thunderbird).

Greg Kroah-Hartman has released the 5.4.217stable kernel with a set of important fixes, as usual.

The 6.1 merge window is well underway: since it opened, 5,752 non-mergechangesets have been pulled into the mainline repository. That isapproximately half of the work that had piled up in linux-next and marks agood time to look at what has been merged so far. Some long-awaited corechanges have landed for the next kernel release, but there are likely to bemore significant changes to come.

Security updates have been issued by Debian (dbus, isc-dhcp, and strongswan), Fedora (booth, php, php-twig, php-twig2, and php-twig3), Oracle (expat, prometheus-jmx-exporter, and squid), Red Hat (expat, openvswitch2.11, and squid), Scientific Linux (expat and squid), SUSE (exiv2, LibVNCServer, postgresql-jdbc, protobuf, python-PyJWT, python3, slurm, squid, and webkit2gtk3), and Ubuntu (libreoffice).

Back in May 2022, a mysterious set of patches titled insufficient TCPsource port randomness crossed the mailing lists and was subsequentlymerged (at -rc6) into the 5.18 kernel. Little information was available atthe time about why significant changes to the networking stack needed to bemade so late in the development cycle. That situation hasfinally changed with the publication of this paper by Moshe Kol,Amit Klein, and Yossi Gilad. It seems that the way the kernel chose portnumbers for outgoing network connections made it possible to uniquelyfingerprint users.

Security updates have been issued by Debian (bind9 and nodejs), Red Hat (prometheus-jmx-exporter and squid), Slackware (dhcp), SUSE (pngcheck and sendmail), and Ubuntu (isc-dhcp, kitty, and linux-gcp-5.4).

The LWN.net Weekly Edition for October 6, 2022 is available.

The release of source code for NVIDIAgraphics hardware was perhaps something of a surprise; at least at a quickglance, it seemslike that could lead to an in-tree, officially supported driver. For manyyears, though, the nouveauproject has been working on an upstream driver for NVIDIA hardware, so anobvious question is what happens with nouveau in light of the NVIDIAannouncement. Kernel graphics maintainer Dave Airlie gave a talk at the2022 Linux Plumbers Conference (LPC) tohelp shed some light on that subject.

The New Yorker has alengthy article on the Network Time Protocol and its creator DavidMills.

Mahmoud Al-Qudsi providesextensive details on what it takes to implement a safe semaphore typein the Rust language.

The5.19.14,5.15.72,5.10.147,5.4.216, and4.19.261stable kernel updates have been released; each contains another set ofimportant fixes.

Security updates have been issued by Debian (barbican, mediawiki, and php-twig), Fedora (bash, chromium, lighttpd, postgresql-jdbc, and scala), Mageia (bash, chromium-browser-stable, and golang), Oracle (bind, bind9.16, and squid:4), Red Hat (bind, bind9.16, RHSSO, and squid:4), Scientific Linux (bind), SUSE (cifs-utils, libjpeg-turbo, nodejs14, and nodejs16), and Ubuntu (jackd2, linux-gke, and linux-intel-iotg).

The kernel's print function, printk(), has been the target ofnumerous improvement efforts over the years for avariety of reasons. One persistent problem with printk() has beenthat its latency is unacceptably high for the realtime Linux kernel; atthis point, printk() represents the last piece needing changesbefore the RT_PREEMPT patches can be fully merged. So there have been effortsto rework printk() for latency and lots of other reasons, butthose have not made it into the mainline; a recent discussion atthe 2022 Linux Plumbers Conference (LPC)seems to have paved the way for new solution to land in the mainline beforetoo long.

Jason Ekstrand announcesa new Vulkan driver for NVIDIA hardware on the Collabora blog. Itseems to be off to a good start, but there is some work yet to do:

The 5.19.13 stable kernel update is out."This release is to resolve a regression on some Intel graphicssystems that had problems with 5.19.12. If you do not have thisproblem with 5.19.12, there is no need to upgrade."

OpenSSH 9.1 has been released. It is advertised as a bug-fix release (andit addresses a few low-priority memory-safety bugs), butthere's also a new option to set the minimum RSA key size forauthentication, a few sftp extensions, and more.

Security updates have been issued by Debian (barbican), Fedora (libdxfrw, librecad, and python-oauthlib), Oracle (bind), Red Hat (bind and rh-python38-python), SUSE (bind, chromium, colord, libcroco, libgit2, lighttpd, nodejs12, python, python3, slurm, slurm_20_02, and webkit2gtk3), and Ubuntu (linux-azure, python-django, strongswan, and wayland).

Version 2.38.0 of the Git distributed version-control system has been released. It comes with lots of new features and bug fixes, some of the former are described in a GitHub blog post by Taylor Blau. Highlights include the promotion of the scalar addition for large repositories into Git core, improvements to multi-branch rebase operations with --update-refs, performance improvements, a bash prompt indication for unmerged indexes, and lots more.