Stable kernels 5.14.14, 5.10.75, 5.4.155, 4.19.213, and 4.14.252 have been released. They all contain important fixes and users of those series should upgrade.
Security updates have been issued by Debian (ffmpeg, smarty3, and strongswan), Fedora (udisks2), openSUSE (flatpak, strongswan, util-linux, and xstream), Oracle (redis:5), Red Hat (java-1.8.0-openjdk, java-11-openjdk, openvswitch2.11, redis:5, redis:6, and rh-redis5-redis), SUSE (flatpak, python-Pygments, python3, strongswan, util-linux, and xstream), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-raspi and strongswan).
Over at the Project Zero blog, Jann Horn has a lengthy post on a kernel bug, ways to exploit it, and various ideas on mitigation. While the exploitation analysis is highly detailed, more than half of the post looks at various defenses to this kind of bug.
On October 11, the first release candidate for Qubes OS version 4.1 was announced. Qubes OS is a security-oriented desktop operating system that uses multiple virtual machines (VMs or "qubes") to isolate various types of functionality. The idea is to compartmentalize different applications and operating-system subsystems to protect them from each other and to limit access to the user's data if an application is compromised. Version 4.1 will bring several important enhancements to help Qubes OS continue to live up to its motto: "A reasonably secure operating system".
Software Freedom Conservancy has announced that it filed suit against TV maker Vizio over "repeated failures to fulfill even the basic requirements of the General Public License (GPL)". The organization raised the problems with Vizio in August 2018, but the company stopped responding in January 2020, according to the announcement.
Security updates have been issued by Debian (redmine and strongswan), Fedora (containerd, fail2ban, grafana, moby-engine, and thunderbird), openSUSE (curl, firefox, glibc, kernel, libqt5-qtsvg, rpm, ssh-audit, systemd, and webkit2gtk3), Red Hat (389-ds:1.4, curl, kernel, kernel-rt, redis:5, and systemd), SUSE (util-linux), and Ubuntu (ardour, linux-azure, linux-azure-5.11, and strongswan).
Differences of opinion over which kernel symbols should be exported to loadable modules have been anything but uncommon over the years. Often, these disagreements relate to which kernel capabilities should be available to proprietary modules. Sometimes, though, they hinge on disagreements over the best way to solve a problem. The recent discussion around the removal of an export for a core kernel function is a case in point.
The 5.15-rc6 kernel prepatch is out. "I'd love to say that it's all looking average, but rc6 is actually bigger than rc5 was, and larger than normal for this time in the release cycle. It's not _enormously_ larger than normal, and it's not the largest rc6 we've had, but it's still slightly worrisome."
Greg Kroah-Hartman has released the 5.14.13, 5.10.74, 5.4.154, 4.19.212, 4.14.251, 4.9.287, and 4.4.289 stable kernel updates. Each contains another set of important fixes.
The name Debian brings to mind a Linux distribution, but the Debian project is far more than that; it is an ongoing experiment in democratic project governance. Debian's processes can result in a lot of public squabbling; one should not lose track, though, of the fact that those processes have enabled a large community to maintain and grow a complex distribution for decades without the benefit of an overseeing corporate overlord. Processes can be improved, though; a recent proposal from Russ Allbery gives an interesting picture of where the pain points are and what can be made better.
Security updates have been issued by Debian (squashfs-tools, tomcat9, and wordpress), Fedora (openssh), openSUSE (kernel, mbedtls, and rpm), Oracle (httpd, kernel, and kernel-container), SUSE (firefox, kernel, and rpm), and Ubuntu (linux-azure, linux-azure-5.4).
The latest release of the Ubuntu Linux distribution is out: Ubuntu 21.10, code named "Impish Indri". The release notes fill in all of the details for the new features in this version, but the announcement lists some as well:
Version 4.0 of the Devuan distribution has been released; it is code-named Chimaera. This release is based on Debian Bullseye, has improved desktop support, and benefits from more accessibility work. See the release notes for details.
Concerns over the performance of programs written in Python are often overstated — for some use cases, at least. But there is no getting around the problem imposed by the infamous global interpreter lock (GIL), which severely limits the concurrency of multi-threaded Python code. Various efforts to remove the GIL have been made over the years, but none have come anywhere near the point where they would be considered for inclusion into the CPython interpreter. Now, though, Sam Gross has entered the arena with a proof-of-concept implementation that may solve the problem for real.
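To make the GIL's effect concrete, here is an added example (not code from the article, and not part of Sam Gross's proof of concept) that runs the same pure-Python CPU-bound work serially and then across several threads and reports the wall-clock time of each. The function names and the bit-counting workload are this example's own choices.

```python
import threading
import time


def cpu_bound(n: int) -> int:
    """Pure-Python CPU work: count integers below n with an odd number of set bits.

    The loop never blocks on I/O, so the running thread holds the GIL for the
    whole call and other Python threads cannot execute bytecode alongside it.
    """
    total = 0
    for i in range(n):
        if bin(i).count("1") % 2:
            total += 1
    return total


def run_serial(workers: int, n: int) -> tuple:
    """Run the work `workers` times in the calling thread; return (sum, seconds)."""
    start = time.perf_counter()
    total = sum(cpu_bound(n) for _ in range(workers))
    return total, time.perf_counter() - start


def run_threaded(workers: int, n: int) -> tuple:
    """Run the same work once per thread across `workers` threads; return (sum, seconds)."""
    results = [0] * workers

    def worker(idx: int) -> None:
        results[idx] = cpu_bound(n)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    start = time.perf_counter()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), time.perf_counter() - start


def compare(workers: int = 4, n: int = 200_000) -> dict:
    """Run both variants on identical input and return totals, timings and the speedup.

    With the GIL in place the speedup is about 1.0 (often slightly below, since the
    threads spend time handing the lock back and forth); without it, it should
    approach the number of cores that `workers` can occupy.
    """
    serial_total, serial_s = run_serial(workers, n)
    threaded_total, threaded_s = run_threaded(workers, n)
    return {
        "serial_total": serial_total,
        "threaded_total": threaded_total,
        "serial_seconds": serial_s,
        "threaded_seconds": threaded_s,
        "speedup": serial_s / threaded_s if threaded_s else float("inf"),
    }


if __name__ == "__main__":
    r = compare()
    print(f"serial:   {r['serial_seconds']:.3f}s  (total={r['serial_total']})")
    print(f"threaded: {r['threaded_seconds']:.3f}s  (total={r['threaded_total']})")
    print(f"speedup:  {r['speedup']:.2f}x")
```

Both variants compute the same totals; only the timing differs. Replacing the threads with `multiprocessing` workers, or moving the hot loop into a C extension that releases the GIL around its computation, is how this workload is made to scale on a standard CPython build today; a GIL-free interpreter would let the threaded version scale as written.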
Security updates have been issued by Mageia (golang, grilo, mediawiki, plib, python-flask-restx, python-mpmath, thunderbird, and xstream/xmlpull/mxparser), Oracle (389-ds-base, grafana, httpd:2.4, kernel, libxml2, and openssl), Red Hat (httpd), and SUSE (kernel).
The syzbot kernel-fuzzing system finds an enormous number of bugs, but, since many of them may seem to be of a relatively low severity, they have a lower priority when contending for the attention of developers. A talk at the recent Linux Security Summit North America reported on some research that dug further into the bugs that syzbot has found; the results are rather worrisome. Rather than a pile of difficult- or impossible-to-exploit bugs, there are numerous, more serious problems lurking within.
We recently looked at some of the changes and new features arriving with the upcoming version 1.7 release of the Julia programming language. The package system provided by the language makes it easier to explore new language versions, while still preserving multiple versions of various parts of the ecosystem. This flexible system takes care of dependency management, both for writing exploratory code in the REPL and for developing projects or libraries.
Security updates have been issued by Debian (flatpak and ruby2.3), Fedora (flatpak, httpd, mediawiki, redis, and xstream), openSUSE (kernel, libaom, libqt5-qtsvg, systemd, and webkit2gtk3), Red Hat (.NET 5.0, 389-ds-base, httpd:2.4, kernel, kernel-rt, libxml2, openssl, and thunderbird), Scientific Linux (389-ds-base, kernel, libxml2, and openssl), SUSE (apache2-mod_auth_openidc, curl, glibc, kernel, libaom, libqt5-qtsvg, systemd, and webkit2gtk3), and Ubuntu (squashfs-tools).
There are many barriers to producing software that is reliable and maintainable over the long term. One of those is software complexity. At the recently concluded 2021 KVM Forum, Paolo Bonzini explored this topic, using QEMU, the open source emulator and virtualizer, as a case study. Drawing on his experience as a maintainer of several QEMU subsystems, he made some concrete suggestions on how to defend against undesirable complexity. Bonzini used QEMU as a running example throughout the talk, hoping to make it easier for future contributors to modify QEMU. However, the lessons he shared are equally applicable to many other projects.
Security updates have been issued by Debian (firefox-esr, hiredis, and icu), Fedora (kernel), Mageia (libreoffice), openSUSE (chromium, firefox, git, go1.16, kernel, mbedtls, mupdf, and nodejs8), Oracle (firefox and kernel), Red Hat (firefox, grafana, kernel, kpatch-patch, and rh-mysql80-mysql), and SUSE (apache2, containerd, docker, runc, curl, firefox, kernel, libqt5-qtsvg, and squid).
A group of researchers at Trinity College in Dublin has released the results of a study into the data collected by a number of Android variants. There are few surprises here, but the picture is still discouraging.
One does not normally expect a lot of controversy around a patch series that makes changes to platform-specific configurations and drivers. The furor over some work on the Samsung Exynos platform may thus be surprising. When one looks into the discussion, things become more clear; it mostly has to do with disagreements over the best ways to get hardware vendors to cooperate with the kernel development community.
Security updates have been issued by Debian (apache2, mediawiki, neutron, and tiff), Fedora (chromium, dr_libs, firefox, and grafana), Mageia (apache), openSUSE (chromium and rabbitmq-server), Oracle (kernel), Red Hat (firefox and httpd24-httpd), SUSE (rabbitmq-server), and Ubuntu (libntlm).
Jörg Schilling, a longtime free-software developer, has passed on. Most people will remember him from his work on cdrtools and the seemingly endless drama that surrounded that work. He was a difficult character to deal with, but he also contributed some important code that, for a period, almost all of us depended on. Rest well, Jörg.
The 5.15-rc5 kernel prepatch is out for testing. "So things continue to look quite normal, and it looks like the rough patch (hah!) we had early in the release is all behind us. Knock wood."
The 5.14.11, 5.10.72, 5.4.152, 4.19.210, 4.14.250, 4.9.286, and 4.4.288 stable kernel updates have all been released; each contains another set of important fixes.
For the time being, the effort to add the folio concept to the memory-management subsystem appears to be stalled, but appearances can be deceiving. The numerous folio discussions have produced a number of points of consensus, though; one of those is that far too much of the kernel has to work with page structures to get its job done. As an example of how a subsystem might be weaned off of struct page usage, Matthew Wilcox has split out the slab allocators in a 62-part patch set. The result may be a foreshadowing of changes to come in the memory-management subsystem.
Stable kernels 5.14.10 and 4.4.287 have been released. 5.14.10 is a standard stable release, with fixes throughout the kernel tree, while 4.4.287 is fixing a build problem: "You only need this release if you are building for ARM64 and had build failures with 4.4.286."
Among the many new features pulled into the mainline during the 5.15 merge window is the ksmbd network filesystem server. Ksmbd implements the SMB protocol (also known as CIFS, though that name has gone out of favor) that is heavily used in the Windows world. The creation of an in-kernel SMB server is a bit surprising, given that Linux has benefited greatly from the user-space Samba solution since shortly after the beginning. There are reasons for this move but, in the short term at least, they risk being overshadowed by a worrisome stream of security-related problems in ksmbd.
Sasha Levin, one of the maintainers of the stable kernels, gave a presentation at Open Source Summit North America 2021 on a proposal for a different way to handle the stable tree. He noted that throughout most of the kernel's history, version numbers did not really mean anything, but that the versioning scheme suggests that they do, which leads to a disconnect between how the kernels are seen versus how they are actually maintained. He proposed making a "rolling stable" release that provides users what they need—timely fixes to their kernel—without forcing them to choose to switch to a new version number.
Stable kernels 5.10.71, 5.4.151, 4.19.209, 4.14.249, 4.9.285, and 4.4.286 have been released. They all contain important fixes and users should upgrade. Note that 5.14.10 has been through more than the usual number of release candidates and is not yet out; it should show up in the next day or so.
Two Google engineers came to Open Source Summit North America 2021 to talk about a project to change the way the company creates and maintains the kernel it runs in its data centers on its production systems. Andrew Delgadillo and Dylan Hatch described the current production kernel (Prodkernel) and the problems that occur because it is so far from the mainline. Project Icebreaker is an effort to change that and to provide a near-mainline kernel for development and testing within Google; the talk looked at the project, its risks, its current status, and its plans.
Firefox 93.0 has been released. With this version Firefox supports the new AVIF image format, which is based on the modern and royalty-free AV1 video codec. The PDF viewer supports filling more forms, such as XFA-based forms used by multiple governments and banks. Downloads that rely on insecure connections are blocked, protecting against potentially malicious or unsafe downloads. Details on these features and more can be found in the release notes.
Security updates have been issued by Fedora (cryptopp), Mageia (kernel, kernel-linus, and sqlite), openSUSE (rabbitmq-server), Red Hat (kernel and samba), SUSE (glibc and webkit2gtk3), and Ubuntu (containerd, docker.io, imlib2, ledgersmb, mercurial, mongodb, and node-bl).
Version 3.10.0 of the Python language has been released. There are a lot of significant changes in this release, including the much-discussed structural pattern-matching feature. See this article for an overview of what's in 3.10.
Julia is an open-source programming language and ecosystem for high-performance scientific computing; its development team has made the first release candidate for version 1.7 available for testing on Linux, BSD, macOS, and Windows. Back in May, we looked at the increased performance that arrived with Julia 1.6, its last major release. In this article we describe some of the changes and new features in the language and its libraries that are coming in 1.7.
Developers working in languages like C or C++ have access to two competing compilers — GCC and LLVM — either of which can usually get the job done. Rust developers, though, are currently limited to the LLVM-based rustc compiler. While rustc works well, there are legitimate reasons for developers to wish for an alternative. As it turns out, there are two different ways to compile Rust using GCC under development, though neither is ready at the moment. Developers of both approaches came to the 2021 Linux Plumbers Conference to present the status of their work.