Libre Arts (formerly Libre Graphics World) has posted a comprehensive survey of what 2021 might hold for a wide range of free content-creation software. The topic of fullscreen color management implementation in Wayland is back, and it’s a kinda frustrating story. In a nutshell:
The Corellium blog is carrying a description of how the Linux port to the Apple M1 processor was done. "Many components of the M1 are shared with Apple mobile SoCs, which gave us a good running start. But when writing Linux drivers, it became very apparent how non-standard Apple SoCs really are. Our virtual environment is extremely flexible in terms of models it can accommodate; but on the Linux side, the 64-bit ARM world has largely settled on a well-defined set of building blocks and firmware interfaces - nearly none of which were used on the M1."
As a general rule, when one attempts to open a file with a system call like openat2(), the expectation is that the call will not return until the job is done. But there are times where the desire to open the file is conditional on being able to open it immediately, without blocking. Linux has never supported that mode well, but that may be about to change with this patch set from Jens Axboe.
It is an unfortunate fact of life that non-free firmware blobs are required to use some hardware, such as network devices (WiFi in particular), audio peripherals, and video cards. Beyond that, those blobs may even be required in order to install a Linux distribution, so an installation over the network may need to get non-free firmware directly from the installation media. That, as might be guessed, is a bit of a problem for distributions that are not willing to officially ship said firmware because of its non-free status, as a recent discussion in the Debian community shows.
Back in October, LWN looked at a conversation within the Debian project regarding whether it was permissible to ship Kubernetes bundled with some 200 dependencies. The Debian technical committee has finally come to a conclusion on this matter: this bundling is acceptable and the maintainer will not be required to make changes: "Our consensus is that Kubernetes ought to be considered special in the same way that Firefox is considered special -- we treat the package differently from most other source packages because (i) it is very large and complex, and (ii) upstream has significantly more resources to keep all those moving parts up-to-date than Debian does." In the end, allowing this vendoring seemed like the only feasible way to package Kubernetes for Debian.
Shay Banon first announced that Elastic would move its Apache 2.0-licensed source code in Elasticsearch and Kibana to be dual licensed under Server Side Public License (SSPL) and the Elastic License. "To be clear, our distributions starting with 7.11 will be provided only under the Elastic License, which does not have any copyleft aspects. If you are building Elasticsearch and/or Kibana from source, you may choose between SSPL and the Elastic License to govern your use of the source code." In another post Banon added some clarification. "SSPL, a copyleft license based on GPL, aims to provide many of the freedoms of open source, though it is not an OSI approved license and is not considered open source." There is also this article on why the change was made. "So why the change? AWS and Amazon Elasticsearch Service. They have been doing things that we think are just NOT OK since 2015 and it has only gotten worse. If we don’t stand up to them now, as a successful company and leader in the market, who will?" The FAQ has additional information. "While we have chosen to avoid confusion by not using the term open source to refer to these products, we will continue to use the word “Open” and “Free and Open.” These are simple ways to describe the fact that the product is free to use, the source code is available, and also applies to our open and collaborative engagement model in GitHub. We remain committed to the principles of open source - transparency, collaboration, and community."
Security updates have been issued by Fedora (coturn, dovecot, glibc, and sudo), Mageia (openldap and resource-agents), openSUSE (dnsmasq, python-jupyter_notebook, viewvc, and vlc), Oracle (dnsmasq and xstream), SUSE (perl-Convert-ASN1, postgresql, postgresql13, and xstream), and Ubuntu (nvidia-graphics-drivers-418-server, nvidia-graphics-drivers-450-server, pillow, pyxdg, and thunderbird).
Red Hat has announced a new set of options meant to attract current CentOS users who are unhappy with the shift to CentOS Stream. "While CentOS Linux provided a no-cost Linux distribution, no-cost RHEL also exists today through the Red Hat Developer program. The program’s terms formerly limited its use to single-machine developers. We recognized this was a challenging limitation. We’re addressing this by expanding the terms of the Red Hat Developer program so that the Individual Developer subscription for RHEL can be used in production for up to 16 systems. That’s exactly what it sounds like: for small production use cases, this is no-cost, self-supported RHEL."
SciPy is a collection of Python libraries for scientific and numerical computing. Nearly every serious user of Python for scientific research uses SciPy. Since Python is popular across all fields of science, and continues to be a prominent language in some areas of research, such as data science, SciPy has a large userbase. On New Year's Eve, SciPy announced version 1.6 of the scipy library, which is the central component in the SciPy stack. That release gives us a good opportunity to delve into this software and give some examples of its use.
Security updates have been issued by Debian (gst-plugins-bad1.0), Fedora (flatpak), Red Hat (dnsmasq, kernel, kpatch-patch, libpq, linux-firmware, postgresql:10, postgresql:9.6, and thunderbird), SUSE (dnsmasq), and Ubuntu (dnsmasq, htmldoc, log4net, and pillow).
User namespaces provide a number of interesting challenges for the kernel. They give a user the illusion of owning the system, but must still operate within the restrictions that apply outside of the namespace. Resource limits represent one type of restriction that, it seems, is proving too restrictive for some users. This patch set from Alexey Gladkov attempts to address the problem by way of a not-entirely-obvious approach.
Version 3.9.0.0 of the GNU Radio software-defined radio system has been released. "All in all, the main breaking change for pure GRC users will consist in a few changed blocks – an incredible feat, considering the amount of shift under the hood."
The 5.11-rc4 kernel prepatch is out for testing. "Things continue to look fairly normal for this release: 5.11-rc4 is solidly average in size, and nothing particularly scary stands out."
Daniel Stenberg writes about getting paid to work on curl — 21 years after starting the project. "I ran curl as a spare time project for decades. Over the years it became more and more common that users who submitted bug reports or asked for help about things were actually doing that during their paid work hours because they used curl in a commercial surrounding – which sometimes made the situation almost absurd. The ones who actually got paid to work with curl were asking the unpaid developers to help them out."
The Linux 5.10 release included a change that is expected to significantly increase the performance of the ext4 filesystem; it goes by the name "fast commits" and introduces a new, lighter-weight journaling method. Let us look into how the feature works, who can benefit from it, and when its use may be appropriate.
Since the release of the 5.5 kernel in January 2020, there have been almost 87,000 patches from just short of 4,600 developers merged into the mainline repository. Reviewing all of those patches would be a tall order for even the most prolific of kernel developers, so decisions on patch acceptance are delegated to a long list of subsystem maintainers, each of whom takes partial or full responsibility for a specific portion of the kernel. These maintainers are documented in a file called, surprisingly, MAINTAINERS. But the MAINTAINERS file, too, must be maintained; how well does it reflect reality?
Version 6.0 of the Wine Windows not-an-emulator has been released. "This release is dedicated to the memory of Ken Thomases, who passed away just before Christmas at the age of 51. Ken was an incredibly brilliant developer, and the mastermind behind the macOS support in Wine. We all miss his skills, his patience, and his dark sense of humor." Significant features include core modules built as PE executables, an experimental Direct3D renderer, DirectShow support, a new text console, and more.
Security updates have been issued by Fedora (adplug, audacious-plugins, cpu-x, kernel, kernel-headers, ocp, php, and python-lxml), openSUSE (crmsh, firefox, and hawk2), Oracle (thunderbird), Red Hat (kernel-rt), SUSE (kernel and rubygem-archive-tar-minitar), and Ubuntu (openvswitch and tar).
It may be kind of an obvious statement, but licensing terms matter in our communities. Even a misplaced word or three can be fatal for a license, which is part of the motivation for the efforts to reduce license proliferation in free-software projects. Over the last few months, various distribution projects have been discussing changes made to the license for the Nmap network scanner; those changes seemed to be adding restrictions that would make the software non-free, though that was not the intent. But the incident does serve to show the importance of license clarity.
Tedium is running a history of the Linksys WRT54G router. "But the reason the WRT54G series has held on for so long, despite using a wireless protocol that was effectively made obsolete 12 years ago, might come down to a feature that was initially undocumented—a feature that got through amid all the complications of a big merger. Intentionally or not, the WRT54G was hiding something fundamental on the router’s firmware: Software based on Linux."
Alyssa Rosenzweig presents a progress report on the Panfrost driver for Arm Mali Midgard and Bifrost GPUs, which now provides non-conformant OpenGL ES 3.0 on Bifrost and desktop OpenGL 3.1 on Midgard. "Architecturally, Bifrost shares most of its fixed-function data structures with Midgard, but features a brand new instruction set. Our work for bringing up OpenGL ES 3.0 on Bifrost reflects this division. Some fixed-function features, like instancing and transform feedback, worked without any Bifrost-specific changes since we already did bring-up on Midgard. Other shader features, like uniform buffer objects, required "from scratch" implementations in the Bifrost compiler, a task facilitated by the compiler's maturing intermediate representation with first-class builder support. Yet other features like multiple render targets required some Bifrost-specific code while leveraging other code shared with Midgard. All in all, the work progressed much more quickly the second time around, a testament to the power of code sharing. But there is no need to limit sharing to just Panfrost GPUs; open source drivers can share code across vendors."
Arnd Bergmann stirred up a bit of a discussion with his January 8 "bring out your dead" posting, wherein he raised the idea of removing support for a long list of seemingly unloved Arm platforms — and a few non-Arm ones as well. Many of these have seen no significant work in at least six years. In a January 13 followup, he notes that several of those platforms will be spared for now due to ongoing interest. Several others, though (efm32, picoxcell, prima2, tango, u300, and zx) remain on the chopping block, and the status of another handful remains uncertain. Readers who care about old Arm platforms may want to have a look at the list now and speak up if they still need support for one of the platforms that might otherwise be deleted.
Security updates have been issued by Debian (coturn, imagemagick, and spice-vdagent), Fedora (roundcubemail and sympa), Gentoo (asterisk and virtualbox), Oracle (kernel and kernel-container), Red Hat (dotnet3.1, dotnet5.0, and thunderbird), SUSE (crmsh, firefox, hawk2, ImageMagick, kernel, libzypp, zypper, nodejs10, nodejs14, openstack-dashboard, release-notes-suse-openstack-cloud, and tcmu-runner), and Ubuntu (coturn).
The problems with "vendoring" in packages—bundling dependencies rather than getting them from other packages—seem to crop up frequently these days. We looked at Debian's concerns about packaging Kubernetes and its myriad of Go dependencies back in October. A more recent discussion in that distribution's community looks at another famously dependency-heavy ecosystem: JavaScript libraries from the npm repository. Even C-based ecosystems are not immune to the problem, as we saw with iproute2 and libbpf back in November; the discussion of vendoring seems likely to recur over the coming years.
The Google Project Zero blog is carrying a six-part series exploring, in great detail, a set of sophisticated exploits discovered in the wild. "These exploit chains are designed for efficiency & flexibility through their modularity. They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains. We hope this blog post series provides others with an in-depth look at exploitation from a real world, mature, and presumably well-resourced actor."
The kernel project goes out of its way to facilitate building with older toolchains. Building a kernel on a new system can be enough of a challenge as it is; being forced to install a custom toolchain first would not improve the situation. So the kernel developers try to keep it possible to build the kernel with the toolchains shipped by most distributors. There are costs to this policy though, including an inability to use newer compiler features. But, as was seen in a recent episode, building with old compilers can subject developers to old compiler bugs too.
The 5.11-rc3 kernel prepatch is out for testing. "So in the rc2 announcement notes I thought we might have a slow week for rc3 as well due to people just coming back from vacations and it taking some time for bug reports etc to start tricking in. That turned out to be the incoherent ramblings of a crazy old man."
The 5.10.6, 5.4.88, 4.19.166, 4.14.214, 4.9.250, and 4.4.250 stable kernel updates have all been released; each contains a relatively small number of important fixes.
The Fedora 34 release is planned for April 20 — a plan that may well come to fruition, given that the Fedora project appears to have abandoned its tradition of delayed releases. As part of that schedule, any proposals for system-wide changes were supposed to be posted by December 29. That has not stopped the arrival of a late proposal to add file signatures to Fedora's RPM packages, though. This proposal, meant to support the use of the integrity measurement architecture (IMA) in Fedora, has not been met with universal acclaim.
Security updates have been issued by Debian (firefox-esr and libxstream-java), Fedora (awstats and dia), Mageia (c-ares, dash, and dovecot), openSUSE (dovecot23, gimp, kitty, and python-notebook), Oracle (kernel), SUSE (python-paramiko and tomcat), and Ubuntu (edk2, firefox, ghostscript, and openjpeg2).
A key component of system hardening is restricting access to memory; this extends to preventing the kernel itself from accessing or modifying much of the memory in the system most of the time. Memory that cannot be accessed cannot be read or changed by an attacker. On many systems, though, these restrictions do not apply to peripheral devices, which can happily use direct memory access (DMA) on most or all of the available memory. The recently posted restricted DMA patch set aims to reduce exposure to buggy or malicious device activity by tightening up control over the memory that DMA operations are allowed to access.
Security updates have been issued by Debian (golang-websocket, nodejs, and pacemaker), Fedora (mingw-binutils and rubygem-em-http-request), and Ubuntu (linux-oem-5.6 and p11-kit).
The idea of Reproducible Builds—being able to recreate bit-for-bit identical binaries using the same source code—has gained momentum over the last few years. Reproducible builds provide some safeguards against bad actors in the software supply chain. But building software depends on the tools used to construct the binary, including compilers and build-automation tools, many of which depend on pre-existing binaries. Minimizing the reliance on opaque binaries for building our software ecosystem is the goal of the Bootstrappable Builds project.
Just because something is traditional does not imply that it is necessarily a good idea. As a case in point, consider LWN's tradition of starting the year with some predictions for what is to come; some may be obvious while others are implausible, but none of them are reliable. Nonetheless, we've been doing this since 2002 so we can't stop now. Read on for our wild guesses as to what might transpire in 2021.
TuxMake is an open-source project from Linaro that began in May 2020 and is designed to make building Linux kernels easier. It provides a command-line interface and a Python library, along with a full set of curated portable build environments distributed as container images. With TuxMake, a developer can build any supported combination of target architecture, toolchain, kernel configuration, and make targets.
Security updates have been issued by Arch Linux (dovecot, poppler, roundcubemail, and rsync), Debian (csync2 and gssproxy), Fedora (grafana, perl-Convert-ASN1, and python-py), openSUSE (privoxy), Oracle (kernel), Red Hat (ImageMagick and kernel), SUSE (ceph, dovecot22, flac, java-1_7_1-ibm, openssh, and python), and Ubuntu (dovecot, horizon, openexr, and python-apt).
The LibreSSL project has been developing a fork of the OpenSSL package since 2014; it is supported as part of OpenBSD. Adoption of LibreSSL on the Linux side has been slow from the start, though, and it would appear that the situation is about to get worse. LibreSSL is starting to look like an idea whose time may never come in the Linux world.