As of this writing, Linus Torvalds has pulled exactly 6,800 non-merge changesets into the mainline repository for the 5.16 kernel release. That is probably a little over half of what will arrive during this merge window, so this is a good time to catch up on what has been pulled so far. There are many significant changes and some large-scale restructuring of internal kernel code, but relatively few ground-breaking new features.
Security updates have been issued by Fedora (ansible, chromium, kernel, mupdf, python-PyMuPDF, rust, and zathura-pdf-mupdf), openSUSE (qemu and webkit2gtk3), Red Hat (firefox and kpatch-patch), Scientific Linux (firefox), SUSE (qemu, tomcat, and webkit2gtk3), and Ubuntu (firefox and thunderbird).
A new security vulnerability that was disclosed on November 1 has some interesting properties. "Trojan Source", as it has been dubbed, is effectively an attack on human perceptions, especially as they are filtered through the tools used for source-code review. While the specifics of the flaw are new, this kind of trickery is not completely novel, but Trojan Source finds another way to confuse the humans who are in the loop.
Security updates have been issued by Fedora (CuraEngine, curl, firefox, php, and vim), openSUSE (apache2, pcre, salt, transfig, and util-linux), Oracle (.NET 5.0, curl, kernel, libsolv, python3, samba, and webkit2gtk3), and Red Hat (flatpak).
While it is often relatively straightforward to determine what package provided a binary that is misbehaving—crashing, for instance—on Fedora and other Linux distributions, there are situations where it may be harder to do so. A feature recently proposed for Fedora 36—currently scheduled for the end of April 2022—would embed information into the binaries themselves to show where they came from. It is part of a multi-distribution effort to standardize how this information is stored in the binaries (and the libraries they use) to assist crash-reporting and other tools.
Stable kernels 5.14.16, 5.10.77, 5.4.157, 4.19.215, 4.14.254, 4.9.289, and 4.4.291 have been released. They contain important fixes and users should upgrade.
Firefox 94.0 has been released. Linux users should see improved WebGL performance and reduced power consumption for many workloads. The about:unloads page shows the user information about open tabs and allows them to release system resources by unloading tabs without closing them. Site Isolation provides better protection against side-channel attacks. See the announcement for more new features in this release. Firefox ESR 91.3 is also available, with various stability, functionality, and security fixes.
Security updates have been issued by Debian (asterisk, bind9, glusterfs, and openjdk-11), Fedora (ansible and CuraEngine), openSUSE (mailman and opera), Oracle (binutils and flatpak), Red Hat (curl, flatpak, java-1.8.0-ibm, kernel, kernel-rt, libsolv, python3, samba, and webkit2gtk3), Scientific Linux (binutils and flatpak), SUSE (binutils and transfig), and Ubuntu (ceph and mailman).
The long-running and sometimes acrimonious discussion on the memory folio patch set has come to an end: the folio patches were the first thing pulled into the mainline repository for the 5.16 development cycle. Now the developers involved just have to do all of the other work identified as necessary to clean up the memory-management subsystem and isolate it from other parts of the kernel.
The 5.15 kernel was released on October 31, with the code name appropriately changed to "Trick or Treat". By that time, 12,377 non-merge changesets had been merged into the mainline, adding a net total of 332,000 lines of code. Read on for a look at where the contributions to the 5.15 kernel came from.
The latest branded and trademarked vulnerability type is called "Trojan Source". By playing tricks with Unicode bidirectional support, an attacker can create malicious code that appears to be benign to reviewers. "The attack is to use control characters embedded in comments and strings to reorder source code characters in a way that changes its logic." Various releases, including Rust 1.56.1, are being made to address this problem.
Version 3.4 of The Yocto Project has been released. Yocto provides a system for building embedded Linux distributions. This release comes with "Linux kernel 5.14, glibc 2.34 and ~280 other recipe upgrades", support for building and cross-compiling Rust code, tons of new recipes, a way to create a SPDX bill of materials (BoM), overlayfs and seccomp support, optimizations, bug fixes, and more. The full release notes have further information.
For all of you youngsters out there, the Internet has always been omnipresent, computers are something you carry in your pocket, the Unix wars are about as relevant as the War of 1812, and the term "NIS" doesn't ring a bell. But, for a certain class of Unix old-timer, NIS has a distinct place in history — and, perhaps, in still-deployed systems. So the suggestion that Fedora might drop support for NIS has proved to be a bit of a wake-up call for some.
Security updates have been issued by Debian (bind9, gpsd, jbig2dec, libdatetime-timezone-perl, tzdata, webkit2gtk, and wpewebkit), Fedora (flatpak, java-1.8.0-openjdk, java-11-openjdk, and php), SUSE (qemu), and Ubuntu (bind9).
Software Freedom Conservancy has been granted several exemptions to the Digital Millennium Copyright Act (DMCA) that it requested from the US Library of Congress, covering activities of interest to free-software developers:
One does not normally expect to see a great deal of angst over a one-page shell script, even on the Internet. But Debian is special, so it has been having an extended discussion over the fate of the which command that has been escalated to the Debian Technical Committee. The amount of attention that has been given to a small, nonstandard utility shines a light on Debian's governance processes and the interaction of tradition with standards.
The oss-security mailing list is specifically set up for reports and discussion of security flaws in open-source software after their embargo, if any, has expired. But the response to a recent report of the fix for a security flaw in the Linux kernel went in a different direction than usual. The report did not break the two-week embargo period; instead it was "late", which has highlighted some problems in the management of flaws of this nature.
Stable kernels 5.14.15, 5.10.76, 5.4.156, 4.19.214, 4.14.253, 4.9.288, and 4.4.290 have been released. They all contain important fixes and users should upgrade.
For those of you still using the X.org display server, version 21.1 is out. It includes "fully mature" meson build support, Glamor support in Xvfb, variable refresh rate support, touchpad gestures, and more.
Security updates have been issued by Debian (mosquitto and php7.0), Fedora (python-django-filter and qt), Mageia (fossil, opencryptoki, and qtbase5), openSUSE (apache2, busybox, dnsmasq, ffmpeg, pcre, and wireguard-tools), Red Hat (kpatch-patch), SUSE (apache2, busybox, dnsmasq, ffmpeg, java-11-openjdk, libvirt, open-lldp, pcre, python, qemu, util-linux, and wireguard-tools), and Ubuntu (apport and libslirp).
Uniquely identifying users so that they can be tracked as they go about their business on the internet is, sadly, a major goal for advertisers and others today. Web browser cookies provide a fairly well-known avenue for tracking users as they traverse various web sites, but mobile apps are not browsers, so that mechanism is not available. As it turns out, though, there are ways to "fingerprint" Android devices—and likely those of other mobile platforms—so that the device owners can be tracked as they hop between their apps.
Security updates have been issued by Debian (php7.3 and php7.4), Mageia (kernel and kernel-linus), openSUSE (chromium and virtualbox), Oracle (xstream), Red Hat (kernel, rh-ruby30-ruby, and samba), and Ubuntu (binutils and mysql-5.7).
Memory management is a balancing act in a number of ways. The kernel must balance the needs of current users of memory with anticipated future needs, for example. The kernel must also balance the act of reclaiming memory for other uses, which can involve writing data to permanent storage, with the rate of data that the underlying storage devices are able to accept. For years, the memory-management subsystem has used storage-device congestion as a signal that it should slow down reclaim. Unfortunately, that mechanism, which was a bit questionable from the beginning, has not worked in a long time. Mel Gorman is now trying to fix this problem with a patch set that moves the kernel away from the idea of waiting on congestion.
Security updates have been issued by Debian (faad2 and mailman), Fedora (java-11-openjdk, libzapojit, nodejs, python-reportlab, vim, and watchdog), Mageia (ansible, docker-containerd, flatpak, tomcat, and virtualbox), openSUSE (containerd, docker, runc), Oracle (firefox and thunderbird), Red Hat (xstream), Scientific Linux (xstream), SUSE (cairo and containerd, docker, runc), and Ubuntu (apport and mysql-5.7, mysql-8.0).
Since the early days, Unix-like systems have implemented the concept of process priorities, where higher-priority processes are given more CPU time to get their work done. Implementations have changed, and alternatives (such as deadline scheduling) are available for specialized situations, but the core priority (or, in an inverted sense, "niceness") concept remains essentially the same. What should happen, though, in a world where increasing amounts of computing work is done outside of the CPU? Tvrtko Ursulin has put together a patch set showing how the nice mechanism can be extended to GPUs as well.
Security updates have been issued by Arch Linux (apache, chromium, nodejs, nodejs-lts-erbium, nodejs-lts-fermium, and virtualbox), Fedora (vsftpd and watchdog), Oracle (java-1.8.0-openjdk, java-11-openjdk, and redis:6), and Ubuntu (libcaca, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-azure-5.8, and mailman).
For those who are curious about where the development of Git is headed: Johannes Schindelin has posted an extensive set of notes from the just-concluded Git Contributors' Summit.
While the BPF virtual machine has been supported by Linux for most of the kernel's existence, its role for much of that time was limited to, as its full name (Berkeley packet filter) would suggest, filtering packets. That began to change in 2012 with the introduction of seccomp() filtering, and the pace picked up in 2014 with the arrival of the extended BPF virtual machine. At this point, BPF hooks have found their way into many kernel subsystems. One area that has remained BPF-free, though, is the CPU scheduler; that could change if some version of this patch set from Roman Gushchin finds its way into the mainline.
Security updates have been issued by Debian (python-babel, squashfs-tools, and uwsgi), Fedora (gfbgraph and rust-coreos-installer), Mageia (aom, libslirp, redis, and vim), openSUSE (fetchmail, go1.16, go1.17, mbedtls, ncurses, python, squid, and ssh-audit), Red Hat (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (fetchmail, git, go1.16, go1.17, ncurses, postgresql10, python, python36, and squid), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-bluefield, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oem-5.10, and linux-oem-5.13).
A new style of GPL-enforcement lawsuit was filed on October 19 by Software Freedom Conservancy (SFC) against television maker Vizio. Unlike previous GPL-enforcement suits, which have been pursued on behalf of the developers and copyright holders of GPL-licensed code, this suit has been filed on behalf of owners of the TVs in question. The idea that owners of devices that contain code under the GPL have the right to access that code seems clearly embodied in the license, but it remains to be seen if the courts will decide that those owners have the legal standing to sue for relief.
Stable kernels 5.14.14, 5.10.75, 5.4.155, 4.19.213, and 4.14.252 have been released. They all contain important fixes and users of those series should upgrade.
Security updates have been issued by Debian (ffmpeg, smarty3, and strongswan), Fedora (udisks2), openSUSE (flatpak, strongswan, util-linux, and xstream), Oracle (redis:5), Red Hat (java-1.8.0-openjdk, java-11-openjdk, openvswitch2.11, redis:5, redis:6, and rh-redis5-redis), SUSE (flatpak, python-Pygments, python3, strongswan, util-linux, and xstream), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-raspi and strongswan).
Over at the Project Zero blog, Jann Horn has a lengthy post on a kernel bug, ways to exploit it, and various ideas on mitigation. While the exploitation analysis is highly detailed, more than half of the post looks at various defenses to this kind of bug.
On October 11, the first release candidate for Qubes OS version 4.1 was announced. Qubes OS is a security-oriented desktop operating system that uses multiple virtual machines (VMs or "qubes") to isolate various types of functionality. The idea is to compartmentalize different applications and operating-system subsystems to protect them from each other and to limit access to the user's data if an application is compromised. Version 4.1 will bring several important enhancements to help Qubes OS continue to live up to its motto: "A reasonably secure operating system".
Software Freedom Conservancy has announced that it filed suit against TV maker Vizio over "repeated failures to fulfill even the basic requirements of the General Public License (GPL)". The organization raised the problems with Vizio in August 2018, but the company stopped responding in January 2020, according to the announcement.
Security updates have been issued by Debian (redmine and strongswan), Fedora (containerd, fail2ban, grafana, moby-engine, and thunderbird), openSUSE (curl, firefox, glibc, kernel, libqt5-qtsvg, rpm, ssh-audit, systemd, and webkit2gtk3), Red Hat (389-ds:1.4, curl, kernel, kernel-rt, redis:5, and systemd), SUSE (util-linux), and Ubuntu (ardour, linux-azure, linux-azure-5.11, and strongswan).
Differences of opinion over which kernel symbols should be exported to loadable modules have been anything but uncommon over the years. Often, these disagreements relate to which kernel capabilities should be available to proprietary modules. Sometimes, though, it hinges on disagreements over the best way to solve a problem. The recent discussion around the removal of an export for a core kernel function is a case in point.