Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-21 20:30
Linux Foundation Technical Advisory Board election: nominees sought
The call for nominees for the 2021 Linux Foundation Technical Advisory Board election has gone out.
30 Years ago...
On August 25, 1991, Linus Torvalds posted his famous message to the comp.os.minix USENET group:
[$] Adding a "duress" password with PAM Duress
Users often store a lot of sensitive information on their computers—from credentials to banned texts to family photos—that they might normally expect to be protected by the login password of their account. Under some circumstances, though, users can be required to log into their system so that some third party (e.g. government agent) can examine and potentially copy said data. A new project, PAM Duress, provides a way to add other passwords to an account, each with its own behavior, which might be a way to avoid granting full access to the system, though the legality is in question.
Security updates for Tuesday
Security updates have been issued by Debian (ledgersmb, tnef, and tor), Fedora (nodejs-underscore and tor), openSUSE (aws-cli, python-boto3, python-botocore, fetchmail, firefox, and isync), SUSE (aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 and python-PyYAML), and Ubuntu (linux-aws-5.8, linux-azure-5.8, linux-gcp-5.8, linux-oracle-5.8).
[$] The Btrfs inode-number epic (part 2: solutions)
The first installment in this two-part series looked at the difficulties that arise when Btrfs filesystems containing subvolumes are exported via NFS. Btrfs has a couple of quirks that complicate life in this situation: the use of separate device numbers for subvolumes and the lack of unique inode numbers across the filesystem as a whole. Recently, Neil Brown set off on an effort to try to solve these problems, only to discover that the situation was even more difficult than expected and that many attempts would be required.
Security updates for Monday
Security updates have been issued by Debian (ffmpeg, ircii, and scrollz), Fedora (kernel, krb5, libX11, and rust-actix-http), Mageia (kernel and kernel-linus), openSUSE (aspell, chromium, dbus-1, isync, java-1_8_0-openjdk, krb5, libass, libhts, libvirt, prosody, systemd, and tor), SUSE (cpio, dbus-1, libvirt, php7, qemu, and systemd), and Ubuntu (inetutils).
Kernel prepatch 5.14-rc7
The 5.14-rc7 kernel prepatch has been released. "So things continue to look normal, and unless there is any last-minute panic this upcoming week, this is likely the last rc before a final 5.14."
OpenSSH 8.7 released
OpenSSH 8.7 has been released. Changes include steps toward deprecating scp and using the SFTP protocol for file transfers instead, changes to remote-to-remote copies (they go through the local host by default now), a stricter configuration-file parser, and more.
[$] The Btrfs inode-number epic (part 1: the problem)
Unix-like systems — and their users — tend to expect all filesystems to behave in the same way. But those users are also often interested in fancy new filesystems offering features that were never envisioned by the developers of the Unix filesystem model; that has led to a number of interesting incompatibilities over time. Btrfs is certainly one of those filesystems; it provides a long list of features that are found in few other systems, and some of those features interact poorly with the traditional view of how filesystems work. Recently, Neil Brown has been trying to resolve a specific source of confusion relating to how Btrfs handles inode numbers.
Villa: Setting new expectations for open source maintainers
Luis Villa writes about increasing demands on open-source maintainers on opensource.com.
Security updates for Friday
Security updates have been issued by Fedora (libtpms and mingw-exiv2), openSUSE (389-ds, aspell, c-ares, fetchmail, firefox, go1.15, go1.16, haproxy, java-1_8_0-openjdk, krb5, libass, libmspack, libsndfile, openexr, php7, qemu, and tor), Oracle (compat-exiv2-023 and compat-exiv2-026), and SUSE (389-ds, aspell, djvulibre, fetchmail, firefox, go1.15, go1.16, java-1_8_0-openjdk, krb5, libass, libmspack, nodejs8, openexr, postgresql10, qemu, and spice-vdagent).
[$] The shrinking role of ETXTBSY
Unix-like systems abound with ways to confuse new users, many of which have been present since long before Linux entered the scene. One consistent source of befuddlement is the "text file is busy" (ETXTBSY) error message that is delivered in response to an attempt to overwrite an executable image file. Linux is far less likely to deliver ETXTBSY results than it once was, but they do still happen on occasion. Recent work to simplify the mechanism behind ETXTBSY has raised a more fundamental question: does this error check have any value at all?
LibreOffice 7.2 Community released
The Document Foundation has announced the latest release of LibreOffice:
Security updates for Thursday
Security updates have been issued by CentOS (exiv2, firefox, and thunderbird), Fedora (libsndfile, python-docx, and xscreensaver), openSUSE (haproxy), and SUSE (haproxy).
[$] LWN.net Weekly Edition for August 19, 2021
The LWN.net Weekly Edition for August 19, 2021 is available.
"The kernel report" online, August 26
As part of the ramp-up to the 2021 Linux Plumbers Conference, LWN editor Jonathan Corbet will be presenting a version of "The kernel report" at 9:00AM US/Mountain time (15:00 UTC) on Thursday, August 26. Registration for LPC is not required; all are welcome for an update on the state of kernel development and a perspective on 30 years of the Linux kernel. Please come for an interesting discussion and to help the LPC crew stress-test the 2021 infrastructure. The talk will be happening at meet.lpc.events; the more the merrier.
[$] PEP 649 revisited
Back in June, we looked at a change to Python annotations, which provide a way to associate metadata, such as type information, with functions. That change was planned for the upcoming Python 3.10 release, but was deferred due to questions about it and its impact on run-time uses of the feature. The Python steering council felt that more time was needed to consider all of the different aspects of the problem before deciding on the right approach; the feature freeze for Python 3.10 was only around two weeks off when the decision was announced on April 20. But now, there is most of a year before another feature freeze, which gives the council (and the greater Python development community) some time to discuss it at a more leisurely pace.
Three stable kernels
Stable kernels 5.13.12, 5.10.60, 5.4.142 have been released. As usual, there are important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (haproxy), Fedora (c-ares, hivex, kernel, libtpms, newsflash, python-django, rust-gettext-rs, and rust-gettext-sys), openSUSE (c-ares and libsndfile), Scientific Linux (cloud-init, edk2, exiv2, firefox, kernel, kpatch-patch, microcode_ctl, sssd, and thunderbird), SUSE (c-ares, fetchmail, haproxy, kernel, libmspack, libsndfile, rubygem-puma, spice-vdagent, and webkit2gtk3), and Ubuntu (exiv2, haproxy, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, and linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.11, linux-oracle, linux-raspi).
[$] STARTTLS considered harmful
The use of Transport Layer Security (TLS) encryption is ubiquitous on today's internet, though that has largely happened over the last 20 years or so; the first public version of its predecessor, Secure Sockets Layer (SSL), appeared in 1995. Before then, internet protocols were generally not encrypted, thus providing fertile ground for various types of "meddler-in-the-middle" (MitM) attacks. Later on, the STARTTLS command was added to some protocols as a backward-compatible way to add TLS support, but the mechanism has suffered from a number of flaws and vulnerabilities over the years. Some recent research, going by the name "NO STARTTLS", describes more, similar vulnerabilities and concludes that it is probably time to avoid using STARTTLS altogether.
Firefox 91.0.1 and Firefox ESR 91.0.1
These releases of Firefox 91.0.1 and Firefox ESR 91.0.1 fix two issues; one caused buttons on the tab bar to be resized and the other caused tabs from private windows to be visible in non-private windows. There is also a fix for a header splitting attack, and fixes for various stability issues.
Security updates for Tuesday
Security updates have been issued by Fedora (firefox), openSUSE (cpio and rpm), Oracle (compat-exiv2-026, exiv2, firefox, kernel, kernel-container, qemu, sssd, and thunderbird), Red Hat (cloud-init, edk2, kernel, kpatch-patch, microcode_ctl, and sssd), and SUSE (cpio, firefox, and libcares2).
Git 2.33.0 released
Version 2.33.0 of the Git source-code management system has been released.
Go 1.17 is released
The Go blog has announced the release of version 1.17 of the Go programming language. The new version has some fairly small changes to the language, support for the Arm 64-bit architecture on Windows, along with other features, bug fixes, and more:
[$] Short subjects: Realtime, Futexes, and ntfs3
Even in the dog days of (northern-hemisphere) summer, the kernel community is a busy place. There are many developments that show up on your editor's radar, but which, for whatever reason, do not find their way into a full-length feature article. The time has come to catch up with a few of those topics; read on for updates on the realtime patch set, the effort to reinvent futexes, and the ntfs3 filesystem.
Asahi Linux progress report for August
For those waiting to run Linux on Apple M1 hardware, the August Asahi Linux progress report is out.
Debian Edu / Skolelinux Bullseye released
Following the Debian "Bullseye" release is a new Skolelinux distribution for a school near you.
Security updates for Monday
Security updates have been issued by Arch Linux (c-ares, firefox, fossil, gitlab, jupyterlab, loki, lynx, opera, prosody, and vivaldi), Debian (amd64-microcode, exiv2, ffmpeg, thunderbird, and trafficserver), Fedora (libsndfile, rust-argh, rust-argh_derive, rust-argh_shared, rust-askalono-cli, rust-asyncgit, rust-bugreport, rust-crosstermion, rust-diskonaut, rust-dua-cli, rust-fancy-regex, rust-fedora-update-feedback, rust-filetreelist, rust-git-version, rust-git-version-macro, rust-gitui, rust-heatseeker, rust-jql, rust-pulldown-cmark, rust-sd, rust-shadow-rs, rust-skim, rust-textwrap, rust-tokei, rust-tui, rust-tui-react, rust-unicode-linebreak, rust-unicode-truncate, rust-urlencoding, rust-versions, rust-weezl, and zola), Mageia (dino, firefox, glibc, libvirt, mariadb, qtwebengine5, spice, sylpheed, claws-mail, and webkit2), openSUSE (grafana, kernel, libdnf, and openscad), Oracle (.NET 5.0, .NET Core 3.1, and virt:ol and virt-devel:rhel), Red Hat (compat-exiv2-026, exiv2, firefox, sssd, and thunderbird), SUSE (cpio and kernel), and Ubuntu (mariadb-10.3, mariadb-10.5).
Kernel prepatch 5.14-rc6
The 5.14-rc6 kernel prepatch is out for testing. "Nothing particular stands out to me. Go test, we should be getting pretty close to done with this release..."
Some weekend stable kernel updates
The 5.13.11, 5.10.59, 5.4.141, 4.19.204, 4.14.244, 4.9.280, and 4.4.281 stable kernel updates have been released; each contains a relatively small number of important fixes.
Debian 11 "bullseye" released
Debian 11, codenamed "bullseye", has been released after just over two years of development. It has lots of updates, including to half a dozen different desktop environments, lots of tools and programming languages, and, of course, more. It is available for nine different architectures.
KDE Gear 21.08
The KDE project has announced the release of KDE Gear 21.08, which updates the over 200 apps that are part of the project. The announcement highlights updates in many of the desktop tools that KDE Plasma users are accustomed to, including the Okular document viewer, the Dolphin file manager, Elisa music player, and Gwenview image viewer. The Konsole terminal application got updated as well:
[$] A firewall for device drivers
Device drivers, along with the hardware they control, have long been considered to be a trusted part of the system. This faith has been under assault for some time, though, and it fails entirely in some situations, including virtual machines that do not trust the host system they are running under. The recently covered virtio-hardening work is one response to this situation, but that only addresses a small portion of the drivers built into a typical kernel. What is to be done about the rest? The driver-filter patch from Kuppuswamy Sathyanarayanan demonstrates one possible approach: disable them altogether.
Security updates for Friday
Security updates have been issued by Debian (commons-io, curl, and firefox-esr), Fedora (perl-Encode), openSUSE (golang-github-prometheus-prometheus, grafana, and python-reportlab), Oracle (.NET Core 2.1, 389-ds:1.4, cloud-init, go-toolset:ol8, nodejs:12, nodejs:14, and rust-toolset:ol8), SUSE (aspell, firefox, kernel, and rpm), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial and postgresql-10, postgresql-12, postgresql-13).
Facebook, Google, Isovalent, Microsoft and Netflix Launch eBPF Foundation as Part of the Linux Foundation
The Linux Foundation has announced the formation of the eBPF Foundation:
[$] PostgreSQL's commitfest clog
While it may seem like the number of developers would be the limiting factor in a free-software project, the truth of the matter is that, for all but the smallest of projects, the scarcest resource is reviewer time. Lots of people like to crank out code; rather fewer can find the time to take a close look at somebody else's patches. Free-software projects have taken a number of different approaches to address the review problem; the PostgreSQL developer community is currently struggling with its review load and considering changes to its commitfest process in response.
Stable kernels 5.13.10, 5.10.58, 5.4.140, and 4.19.203
Greg Kroah-Hartman has announced the release of the 5.13.10, 5.10.58, 5.4.140, and 4.19.203 stable kernels. As usual, they all contain important fixes throughout the kernel tree; users of those series should upgrade.
Security updates for Thursday
Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (firefox-esr, libspf2, and openjdk-11-jre-dcevm), Fedora (bluez, fetchmail, and prosody), Oracle (edk2, glib2, kernel, and libuv), Red Hat (.NET Core 3.1), SUSE (cpio), and Ubuntu (firefox and openssh).
[$] LWN.net Weekly Edition for August 12, 2021
The LWN.net Weekly Edition for August 12, 2021 is available.
[$] Scanning "private" content
Child pornography and other types of sexual abuse of children are unquestionably heinous crimes; those who participate in them should be caught and severely punished. But some recent efforts to combat these scourges have gone a good ways down the path toward a kind of AI-driven digital panopticon that will invade the privacy of everyone in order to try to catch people who are violating laws prohibiting those activities. It is thus no surprise that privacy advocates are up in arms about an Apple plan to scan iPhone messages and an EU measure to allow companies to scan private messages, both looking for "child sexual abuse material" (CSAM). As with many things of this nature, there are concerns about the collateral damage that these efforts will cause—not to mention the slippery slope that is being created.
Wheeler: Funded open source security work at the Linux Foundation
David A. Wheeler lists some of the security-related projects he is overseeing at the Linux Foundation. For example:
Security updates for Wednesday
Security updates have been issued by Debian (ceph), Fedora (buildah, containernetworking-plugins, and podman), openSUSE (chromium, kernel, php7, python-CairoSVG, python-Pillow, seamonkey, and transfig), Red Hat (microcode_ctl), SUSE (kernel and libcares2), and Ubuntu (c-ares).
Elementary OS 6 released
Version 6 of the elementary OS distribution is now available. "It’s been a long road to elementary OS 6—what with a whole global pandemic dropped on us in the middle of development—but it’s finally here. elementary OS 6 Odin is available to download now. And it’s the biggest update to the platform yet!" Headline changes include a new dark-mode theme, a switch to Flatpak for application packaging, a rewritten email client, and more.
[$] Incremental improvements in Linux Mint 20.2
Linux Mint 20.2 "Uma" was released in Cinnamon, MATE, and Xfce editions on July 8. This new version of the popular desktop-oriented distribution has several improvements, including changes to the Update Manager, a new "Sticky Notes" app, a bulk file-renaming tool, improved file search, and better memory management in Cinnamon. Mint 20.2 is a long-term support (LTS) release that will receive security updates until 2025.
Stable kernel update 4.4.280
The 4.4.280 stable kernel update is available; it contains a small set of fixes, mostly focused on the futex subsystem.
Firefox 91 released
The Firefox 91 release is available. Changes include stronger tracking-cookie protection, use of HTTPS within anonymous windows whenever possible, and more.
Security updates for Tuesday
Security updates have been issued by CentOS (flatpak and microcode_ctl), Debian (c-ares, lynx, openjdk-8, and tomcat9), Fedora (kernel), openSUSE (apache-commons-compress, aria2, djvulibre, fastjar, kernel, libvirt, linuxptp, mysql-connector-java, nodejs8, virtualbox, webkit2gtk3, and wireshark), Oracle (kernel, kernel-container, and microcode_ctl), Red Hat (glib2, kernel, kernel-rt, kpatch-patch, and rust-toolset-1.52 and rust-toolset-1.52-rust), Scientific Linux (microcode_ctl), SUSE (kernel), and Ubuntu (c-ares, gpsd, and perl).
[$] Hardening virtio
Traditionally, in virtualized environments, the host is trusted by its guests, and must protect itself from potentially malicious guests. With initiatives like confidential computing, this rule is extended in the other direction: the guest no longer trusts the host. This change of paradigm requires adding boundary defenses in places where there have been none before. Recently, Andi Kleen submitted a patch set attempting to add the needed protections in virtio. The discussion that resulted from this patch set highlighted the need to secure virtio for a wider range of use cases.
Security updates for Monday
Security updates have been issued by Debian (ansible and bluez), Fedora (curl, kernel, mod_auth_openidc, rust-rav1e, and webkit2gtk3), Mageia (kernel and kernel-linus), openSUSE (php7 and python-reportlab), Oracle (ruby:2.7), Red Hat (microcode_ctl), SUSE (fastjar, kvm, mariadb, php7, php72, php74, and python-Pillow), and Ubuntu (docker.io).
Kernel prepatch 5.14-rc5
The fifth 5.14 prepatch is out for testing. "Things are looking perfectly normal. Size is nominal, diffstat looks pretty normal, and the changes are all in the usual places"